LWN.net Weekly Edition for April 23, 2009
Faster updates with yum-presto
Keeping up with an active distribution like Fedora consumes a fair amount of time, but also bandwidth. Depending on the frequency that a yum update is performed, hundreds of megabytes—or even gigabytes—can be required to bring the system up to date. A recent experiment in rawhide uses deltarpms and the yum Presto plugin to significantly reduce the size of the packages that needed to be retrieved. The experiment looks to be largely successful which means that Fedora will likely make the deltarpm files available more widely as part of Fedora 11.
The idea behind deltarpms is not a particularly new one, but the visibility has been raised by the recent Fedora Presto test day. The tools to build deltarpms were originally created by Michael Schröder of SUSE and have been around for a few years. Basically, the tools generate a binary difference (i.e. diff) between the new and old rpm files and create an rpm that just contains the differences (a drpm). Because package changes are typically fairly small and localized, the size difference between the new rpm and the drpm can be quite substantial.
The deltarpm tools do not require that the old rpm be present on the system when installing, instead they can reconstruct the state of the old rpm from the installation itself. As long as there is a drpm corresponding to the difference between the version currently installed and the version that needs to be installed, Presto will choose the more bandwidth-efficient package to download. If the deltarpm tools are unable to reconstruct the new rpm from the installed files and drpm—due to a local configuration file change for example—Presto will fall back to downloading the full rpm of the updated package.
For rawhide users, trying Presto out is quite simple:
    yum install yum-presto

which will install and enable the Presto plugin. Using it to update rawhide on April 22 would normally have required 68M, but using the drpms available (20 of 21 packages that needed updating) reduced that to 23M for a 66% reduction. There is a substantial pause after the packages have been downloaded while the deltarpm tools rebuild the rpms from drpms—in this case something on the order of one to two minutes. For someone at the end of a low-medium bandwidth link (or someone who pays by the amount transferred), that tradeoff is likely to be a good one.
There are still a few infrastructure glitches on the Fedora side. Part of the reason for the test day and publicizing the new feature was to find and fix those problems before Fedora 11 ships. Because of the way the deltarpm tools work—reading both rpms into memory before doing the diff—and how the Fedora infrastructure builds rpms for all architectures in parallel, only packages smaller than 200M are currently turned into drpms. There are also questions about whether it makes sense to build source and debuginfo drpms. Those types of packages are not widely used so spending repository space and build resources on drpm versions may not be warranted. From a user perspective, though, it all works quite smoothly: install a package and get a lot of bandwidth savings.
SUSE has been using drpms for some time, at least since SUSE Linux 9.3 was released in 2005. Users automatically get drpms when using the zypper tool for package updates and drpms are created for all package updates as long as the diff is smaller than the full rpm. For users that would rather get the full rpm when doing updates, drpms can be disabled in /etc/zypp/zypp.conf.
Presto development is, unsurprisingly, a Fedora Hosted project with a Trac page and Git repository. It would seem that there has been some collaboration with the openSUSE folks on the drpm format and tools so that yum and zypper will interoperate. Given that both are rpm-based tools, it is good to see the two distributions working together.
One could argue, as some have, that there is too much package churn in Fedora. On the other hand, Fedora users do tend to expect very recent, often bleeding-edge, packages. Since that is unlikely to change, Presto will be very welcome for folks whose bandwidth is limited in some way—those who are unconcerned, need not install it. Meanwhile, with less fanfare, SUSE users have been getting those savings for some time.
Oracle: SELECT * FROM Sun
Despite a steady stream of rumors, IBM did not, in the end, buy Sun Microsystems. But, on April 20, Oracle did. This acquisition could have some interesting implications for the Linux community. Your editor, while not really knowing more than anybody else, suspects that the outcome could be mostly positive. What follows, here, is some wild speculation on where this could all go.

Some months ago, your editor posted a slightly tongue-in-cheek article on a serious topic: what would happen if Sun Microsystems were to undergo a change in management which rendered the company far less friendly toward free software? It now appears that there will, indeed, be a management change. One might well worry what changes we might see in the newly-acquired company's attitude; Oracle is not always seen as the friendliest company in general. But Oracle, while being very much a proprietary software company, does seem to have a supportive approach toward free software. Your editor was reasonably well impressed by the talk given by Oracle "Chief Corporate Architect" Edward Screven at the recent Linux Foundation Collaboration Summit. At some levels of the software stack, at least, Oracle seems genuinely interested in working with and growing the development community.
There are a number of specific topics of interest when speculating on what could happen; your editor will visit a few of them below.
MySQL. This project, of course, can be seen as being in direct competition with Oracle's flagship offering. So, unsurprisingly, a number of people have speculated that Oracle will not encourage its further growth. So, perhaps, Oracle will de-emphasize the project or "return it to the community." But that is not necessarily how things will go.
One should remember that this isn't the first time Oracle has been seen to threaten MySQL through acquisition. Back in 2005, Oracle bought Innobase, the creator of the InnoDB storage engine used by MySQL. The MySQL project wisely branched away from InnoDB, but the fact of the matter is that this code is still free software, and InnoDB releases continue to happen. The sky did not fall after all.
Beyond that, there is the simple matter that MySQL appears to earn money. This acquisition could well be an opportunity for Oracle to gain revenue from customers who, for whatever reason, are not interested in buying Oracle licenses. It broadens the company's database product line and might provide the opportunity to encourage some customers to move toward the more expensive, proprietary offerings.
Most interesting, though, will be to see what happens with the MySQL development community. Oracle still does not have vast amounts of experience running large, community-oriented projects, but it seems to be learning. The MySQL community is not in top condition, currently; it has suffered from Sun's legendary heavy hand, leading to a fair amount of developer unhappiness. There are currently a few active forks out there, raising the possibility that control over the "real" MySQL could move out of Sun's hands altogether. Oracle could, just maybe, woo these developers back into a core MySQL project which was managed in a more community-oriented manner. If that were to happen, it would be hard to conclude that this acquisition was anything but good for MySQL.
Solaris. This operating system is said, in the press release, to be one of the core justifications for the acquisition. Oracle sells a fair number of licenses for deployments on Solaris; it cannot be unhappy with the idea of gaining control over the full platform. The real question here, perhaps, is whether Oracle sees Solaris as a system with a long future ahead of it, or whether Solaris becomes a legacy platform which will be supported for some time, but which will not see a great deal of development.
There have been suggestions for a while that Sun is reconsidering its licensing choices. A GPL-licensed Solaris was not entirely out of the question before the acquisition; quite possibly, those chances have improved now. A relicensed Solaris, preferably combined with some clarity on patent licensing, could make it possible for technologies like ZFS and Dtrace to move into Linux. Whether Linux would want them is a separate discussion, though.
There is an alternative, of course: Oracle could decide to promote Solaris as an (incompatibly-licensed) competitor to Linux and reduce its involvement on the Linux side. Your editor, perhaps naively, sees this outcome as unlikely. Oracle has invested heavily enough in Linux to create a real impression of believing in the platform. Oracle has not invested in Solaris (which is also free software, remember) at anything close to the same level. If Oracle were to try to push Solaris as a better alternative to Linux, it would really just be continuing Sun's strategy. Presumably there are people in Oracle smart enough to wonder why Oracle would have any more success with that approach than Sun did.
Btrfs. Edward Screven claimed that Oracle was pursuing Btrfs because it likes the technology better than it likes ZFS. Ownership of ZFS could well put that claim to the test, but there does not appear to be any reason to believe that it was not sincere. The early word from Oracle is that plans for Btrfs have not changed, and that the resources put into that project will not decrease.
Java. The press release states that Java "is the most important software Oracle has ever acquired." Much Oracle-based software is written in Java, so there are clear advantages in having control over that part of the software stack. Increasingly, customers can just go to Oracle and get support for most of the major components they use from a single source. That, presumably, will help make some money for Oracle.
OpenOffice.org. This project looks like a bit of a strange fit in Oracle, which is not really a desktop software company. Still, Oracle may see value in keeping this project going as a way to encourage corporate desktop users away from Microsoft products. With any luck at all, Oracle will work to turn OpenOffice.org into a more community-oriented project. By making participation in OpenOffice.org so hard, Sun has spurned the offers of assistance which have come from around the community. Maybe Oracle will be a bit smarter and will realize that, by opening things up a bit, it can speed the development of OpenOffice.org without really having to invest more into the project. One can always hope.
What it comes down to is that just about anything could happen. It could be that this acquisition is part of a long-term plan by Oracle to acquire just enough of the free software community to neutralize any threats it sees. Now that this hypothetical plan is coming to fruition (lacking, perhaps, just the occasionally-rumored acquisition of Red Hat), Oracle can proceed to move away from Linux, turn things proprietary, and generally prepare itself for the Final Battle. This would not be a good outcome for the Linux community, though we would, as usual, end up stronger once the dust had settled.
Alternatively, Oracle may have understood that truly free software can help to turn its competitors' products into commodities while enabling Oracle to provide a solid offering around its own products. This company, which has already become one of the top Linux kernel contributors, could become the top contributor to free software projects as a whole (a title which Sun has already claimed). If Oracle sustains Sun's projects in a more community-oriented mode, we may well conclude, one year from now, that this acquisition was a good thing indeed.
A look at the MySQL forks
Sun's sudden acquisition by Oracle triggered a deluge of speculation about the future of the company's free software projects: Java, OpenOffice, VirtualBox, OpenSolaris, and, most of all, MySQL. Will Oracle kill it? Spin it off? Keep its hands off? In light of this uncertainty, the discussion soon shifted to the trickier question of what branch constitutes the MySQL. The project has been forked multiple times — several even in the past year. Considering that each competitor is led by a heavyweight MySQL developer and has its own goals, how is a humble database administrator supposed to choose?
Patch sets and proto-forks
The seeds of this confusion predate MySQL's acquisition by Sun, when MySQL developers began to lose patience with MySQL AB's governance of the project. Management had announced two branches, "enterprise" and "community," in 2006, but soon began to miss scheduled binary and source releases of the community branch. Worse still, community developers complained that the company was trying to hide the enterprise branch code — changing the release location between iterations.
In 2007, Jeremy Cole of Proven Scaling took matters into his own hands, and set up a public mirror of the official "enterprise" releases as they appeared. Cole does not make changes to the code released by Sun, although Proven Scaling does publicly maintain its own set of patches and tools for MySQL — as do several other database consulting firms and MySQL users, including Google.
Percona
One of those consulting firms is Percona, a web-development consulting business that emphasizes its expertise in MySQL. Percona develops a pluggable storage engine for MySQL called XtraDB. XtraDB is an enhancement to the popular InnoDB engine, designed to work as a drop-in replacement. It adds the ability to scale better on multi-core hardware, use memory more efficiently, and adds more tune-ability and metrics.
Percona's MySQL releases do not remove InnoDB to replace it with XtraDB, but do include patches to InnoDB. They also incorporate patches from other sources, including Proven Scaling, Google, and Open Query. Source and binary releases, as well as RPMs for Red Hat Enterprise Linux, are available for MySQL 5.0 and MySQL 5.1.
Percona's patch set is documented on the company's wiki. The patches include changes that add status variables, more configuration parameters, additional I/O settings, dynamic memory allocation, and alters mutexes and locks to improve performance on SMP systems.
OurDelta
OurDelta was launched in October of 2008 by former MySQL employee Arjen Lentz (now at Open Query), and describes its mission as providing "enhanced" MySQL builds for common production platforms. Its releases build on Percona's, adding additional patches (some from Google and other third-parties, some original work) and including additional storage engines.
OurDelta maintains two builds, one stable and one bleeding-edge. All stable releases so far have been for MySQL 5.0, and include the full-text-search-capable Sphinx storage engine. Upcoming work for MySQL 5.1 and MySQL 6.0 will add an enhanced version of InnoDB from Innobase, PBXT, and FederatedX storage engines. OurDelta makes source code releases available as tar archives, and runs binary repositories for Red Hat Enterprise Linux and CentOS, Debian, and Ubuntu.
OurDelta also documents its significant patches. In addition to the Percona patch set, OurDelta includes activity monitoring and reporting (per table, index, account, and machine), improved logging, an option to kill idle database connections, the ability to temporarily freeze InnoDB for backup purposes, and improvements to speed up failover.
MariaDB
MySQL founder Michael "Monty" Widenius started his own fork in February of 2009 after leaving Sun. At the time, he said his reason for departing was dissatisfaction with Sun's development and community processes for MySQL, which was not "a true open development environment" that encouraged outside participation.
Widenius's fork is called MariaDB, and the only major change is that it uses the Maria storage engine, which is the focus of development. The rest of the code is regularly synchronized with MySQL releases from Sun, and is intended to be one hundred percent interoperable.
The Maria storage engine is an evolution of MySQL's default MyISAM storage engine, and is designed to duplicate the features found in InnoDB, notably crash recovery and full transactional support. Maria and MariaDB are being developed against MySQL 5.1. Widenius expects the Maria engine to be a standard part of Sun's MySQL 6.0 releases, but intends to keep developing MariaDB even after MySQL 6.0 is stable. So far, the project has released source code packages and generic x86 binaries for Linux.
Widenius maintains a wiki page documenting the advantages of MariaDB over Sun's unmodified MySQL, focusing on the features of the Maria storage engine. Aside from the larger goals of crash-safety and transactional support, he notes that using Maria as a storage engine should speed up complex queries. In addition, MariaDB contains speed improvements, the ability to use a pool of threads to handle queries (rather than one thread per connection), and bugfixes not accepted by Sun.
Drizzle
Drizzle is the most distinctive MySQL fork, perhaps better described as a complete refactoring. Drizzle is the work of Brian Aker, long a preeminent MySQL developer. He announced the project in July of 2008, saying that he disliked many of the changes made to MySQL after version 4.1, and felt that there was a large market of users that did not want them. Despite launching the fork, Aker continues to work in the MySQL group at Sun.
Drizzle cuts the core of MySQL down to the bare minimum, using a microkernel-and-modules approach. The goal is to create a slimmed-down, optimized database targeting web infrastructure and cloud components.
Aker said that Drizzle will question the foundations of database design, and is not intended to be SQL compliant. The FAQ emphasizes a "look forward, not back" philosophy. For example, Drizzle targets modern, multi-core hardware, modern compilers, and modern operating systems. Similarly, the development team is not interested in feature requests or in adding excised MySQL features back in. Thus far, the project has made only source code releases, and has noted that they are not yet stable for production use.
Conclusion
The major Linux distributions all package Sun's "community" version of MySQL. Sun itself provides free downloads of the community edition from the web, evidently having learned a lesson from the 2007 uproar. Sun's official packages are likely to be newer, given the release cycles of most distributions, and to its credit Sun makes binary builds available for a wide variety of processor architectures and distributions, including older releases of those distributions. For most users, such a supported build is usually the best choice. The Percona and OurDelta packages represent the work of in-the-field MySQL consultants, and MariaDB is focused on the Maria engine, but only experienced database administrators are likely to be able to take advantage of the additional features they offer.
Still, it is telling that so much of the work done by the forks centers around the InnoDB storage engine: the patches written by Percona and OurDelta, Percona's replacement engine XtraDB, and MariaDB's replacement engine Maria. InnoDB is GPLv2-licensed, but the copyright is owned by ... Oracle. Oracle acquired InnoDB's creator Innobase in 2005. That acquisition sparked a flurry of concern that the database giant would kill the product, take it proprietary, or somehow use it against MySQL — many of the same nightmare scenarios now speculated about the Sun purchase. It is worth noting that in the intervening years two things have occurred: Oracle has not killed or maimed InnoDB, and the open source community has preemptively created its own innovative solutions, thereby insulating open source users and customers from disaster should Oracle take a step in the wrong direction.
The real question is not which fork is the MySQL, but whether the multiple patch sets and forks indicate sickness or health for MySQL as a whole. Excluding Drizzle, all of the projects were started because someone who cared a great deal about the future of MySQL saw something wrong with MySQL's development process (and for its part, Drizzle was spawned by even deeper dissatisfaction with the technical direction of MySQL). Surely that much concern on the part of the community signifies health. There is no telling which forks will prosper and which will fizzle out, but that depends to a large degree on Oracle, and how it governs the project in the future.
Security
A privilege escalation flaw in udev
A vulnerability in udev, the user-space tool that manages the Linux /dev tree, has left unpatched systems vulnerable to a local root privilege escalation. Exploits are already circulating on the full-disclosure mailing list, so it is rather important for users and administrators to update their systems. The problem was caused by the way udev processes the messages it receives—certain kinds of messages, which could be generated by user processes, were not considered. That oversight led to the vulnerability.
The ever-expanding nature of the /dev tree, along with the rise of more dynamic hardware environments, led to the creation of udev in 2003. It replaced the devfs filesystem that was an earlier attempt to solve those problems. Unfortunately, devfs codified device naming policy into the kernel—something the kernel hackers try to avoid. By moving those decisions to user space with udev, that problem—along with a number of others—was resolved.
In order for udevd (the udev daemon) to do its job, it needs a way to be informed by the kernel when devices come and go—typically because the user attached or detached some device. A standard Linux way to send messages between the kernel and user space is via a netlink socket. Netlink sockets are an inter-process communication (IPC) mechanism that is geared for kernel to user space (and vice versa) IPC. It provides the well-understood sockets API to user space programs and is a much more flexible IPC mechanism than other possible choices.
One of the nice features of netlink sockets is the ability to multicast messages (i.e. a message sent to multiple recipients). Each netlink protocol type can have up to 32 multicast groups associated with it. Typically, multicast messages can only be sent and received by root, though some netlink protocol types will allow non-root processes to send and/or receive multicast messages. In fact, a recent change to the kernel allows non-root processes to receive—but not send—the udev multicast messages (which are also known as uevents).
Since only root processes can send the multicast uevents, it would seem there is no hole to exploit. Unfortunately, no one considered unicast messages. Any process can send a unicast netlink message to any other process, just by addressing it to a particular pid. It is up to the recipient to decide whether to accept and process the message. Because these unicast messages fell through the cracks, udevd would happily process them—creating devices as specified by a potentially malicious user. One of the more obvious exploits would be to create world-writeable block device corresponding to the root filesystem—other, nastier exploits are likely possible as well.
The fix was straightforward: enabling credentials (a header placed on each message by the kernel that includes the uid and pid of the sender) for the netlink socket, then requiring that all messages received have a uid of zero, which Kay Sievers added on April 8. Scott James Remnant added some additional checks shortly thereafter, requiring that messages received are not unicast and have been sent by the kernel.
Sievers says that either patch "alone would be sufficient" to fix the problem and that doing both is, in some sense, defensive programming. The credentials check is needed for upcoming changes, he said, and Remnant's checks will take care of a theoretical concern: "a confined root process inside SELinux or AppArmor jail, which in fact is not root in the usual sense, has no privileges, but could have the uid 0". While Sievers didn't think the theory was particularly viable, checking for a sender pid of zero (as Remnant's change does) will take care of that problem as well.
This vulnerability illustrates a fairly common mistake: not considering all of the ways that input can reach a program. Every input mechanism factors into the "attack surface" of a program (or system). In this case, messages that—up until very recently at least—couldn't even be seen by non-root processes, could be sent by them. It is not uncommon for developers to focus on the "normal" usage of an input mechanism and miss a lesser, but still valid, use.
It is interesting to see that this vulnerability has a strange overlap with the capabilities flaw we reported on last week. In both cases, an exploit would use a device node created by mknod(), which is, itself, an uncommonly-used system call. These are the kinds of places that attackers are likely to focus their efforts. One hopes that other users of netlink sockets—routing daemons, netfilter, firewall applications, and others—have examined their code for similar problems.
Brief items
The voting machine industry looks at open source
Here is a report from the Election Technology Council [PDF] giving the voting machine industry's view of open source software. It's ... interesting. "The level of accountability present within an open source product offering is weakened due to its diffuse contributor base and lack of clear liability. Public oversight is arguably just as diminished in an open source environment since the layperson is unable to read and understand software source code adequately enough to ensure total access and comprehension. If a third party is charged with this oversight function to remedy this situation, this would be no different than any other regulatory process that institutionalizes an oversight function." (Seen on Freedom To Tinker, where Dan Wallach adds several comments of his own).
The details on loading rootkits via /dev/mem
For the curious, here is the paper describing rootkit injection via /dev/mem [PDF]. As expected, there's not a whole lot that's truly new, though there are some clever techniques for getting the kernel to allocate memory for the injected code. The authors note that, indeed, the STRICT_DEVMEM configuration option will block this attack. "Until recently there was no protection inside the kernel mainline, although SELinux has limited seeks above the first megabyte of memory for a few years. Users of RHEL and other distributions have been safe for some time now."
New vulnerabilities
apt: return code not checked
Package(s): apt        CVE #(s): CVE-2009-1300
Created: April 21, 2009        Updated: April 27, 2009
Description: From the Ubuntu advisory: Alexandre Martani discovered that the APT daily cron script did not check the return code of the date command. If a machine is configured for automatic updates and is in a time zone where DST occurs at midnight, under certain circumstances automatic updates might not be applied and could become permanently disabled.
clamav: multiple vulnerabilities
Package(s): clamav        CVE #(s): CVE-2008-6680 CVE-2009-1270
Created: April 16, 2009        Updated: December 8, 2009
Description: Clamav has three vulnerabilities, from the Debian alert: CVE-2008-6680: Attackers can cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error. CVE-2009-1270: Attackers can cause a denial of service (infinite loop) via a crafted tar file that causes (1) clamd and (2) clamscan to hang. (no CVE Id yet): Attackers can cause a denial of service (crash) via a crafted EXE file that crashes the UPack unpacker.
cups: integer overflow
Package(s): cups        CVE #(s): CVE-2009-0163
Created: April 17, 2009        Updated: March 15, 2010
Description: From the Debian advisory: It was discovered that the imagetops filter in cups, the Common UNIX Printing System, is prone to an integer overflow when reading malicious TIFF images.
cups: multiple vulnerabilities
Package(s): cups        CVE #(s): CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0799 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183
Created: April 17, 2009        Updated: August 18, 2010
Description: From the Red Hat advisory: Multiple buffer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0146, CVE-2009-1182) Multiple integer overflow flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0147, CVE-2009-1179) Multiple flaws were found in the CUPS JBIG2 decoder that could lead to the freeing of arbitrary memory. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0166, CVE-2009-1180) Multiple denial of service flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash when printed. (CVE-2009-0799, CVE-2009-1181, CVE-2009-1183) Multiple input validation flaws were found in the CUPS JBIG2 decoder. An attacker could create a malicious PDF file that would cause CUPS to crash or, potentially, execute arbitrary code as the "lp" user if the file was printed. (CVE-2009-0800)
firefox: multiple vulnerabilities
Package(s): firefox        CVE #(s): CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1310 CVE-2009-1311 CVE-2009-1312
Created: April 22, 2009        Updated: September 14, 2009
Description: Firefox prior to the 3.0.9 release contains a list of vulnerabilities of varying severity.
git-core: privilege escalation
Package(s): git-core        CVE #(s): (none assigned)
Created: April 21, 2009        Updated: April 22, 2009
Description: From the Debian advisory: Peter Palfrader discovered that in the Git revision control system, on some architectures files under /usr/share/git-core/templates/ were owned by a non-root user. This allows a user with that uid on the local system to write to these files and possibly escalate their privileges.
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2009-1072
Created: April 16, 2009
Updated: July 2, 2009
Description: The kernel has a privilege escalation vulnerability. From the SUSE alert: nfsd in the Linux kernel does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.
mpg123: user-assisted execution of arbitrary code
Package(s): mpg123
CVE #(s): CVE-2009-1301
Created: April 17, 2009
Updated: December 8, 2009
Description: From the Gentoo advisory: The vendor reported a signedness error in the store_id3_text() function in id3.c, allowing for out-of-bounds memory access. A remote attacker could entice a user to open an MPEG-1 Audio Layer 3 (MP3) file containing a specially crafted ID3 tag, possibly resulting in the execution of arbitrary code with the privileges of the user running the application.
phpMyAdmin: insufficient output sanitizing
Package(s): phpMyAdmin
CVE #(s): CVE-2009-1285
Created: April 16, 2009
Updated: April 22, 2009
Description: phpMyAdmin has a vulnerability involving insufficient output sanitizing. The phpMyAdmin security report states: Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. This issue is on different parameters than PMASA-2009-3 and it was missed out of our radar because it was not existing in 2.11.x branch.
poppler: multiple vulnerabilities
Package(s): poppler
CVE #(s): CVE-2009-1187 CVE-2009-1188
Created: April 17, 2009
Updated: May 24, 2010
Description: From the rPath advisory: Previous versions of poppler contain multiple vulnerabilities, the most serious of which could allow an attacker to cause a denial of service or execute arbitrary code as the user executing the application.
slurm-llnl: privilege escalation
Package(s): slurm-llnl
CVE #(s):
Created: April 21, 2009
Updated: April 22, 2009
Description: From the Debian advisory: It was discovered that the Simple Linux Utility for Resource Management (SLURM), a cluster job management and scheduling system, did not drop the supplemental groups. These groups may be system groups with elevated privileges, which may allow a valid SLURM user to gain elevated privileges.
udev: multiple vulnerabilities
Package(s): udev
CVE #(s): CVE-2009-1185 CVE-2009-1186
Created: April 16, 2009
Updated: December 3, 2009
Description: udev has two vulnerabilities, from the Debian alert: Sebastian Krahmer discovered two vulnerabilities in udev, the /dev and hotplug management daemon. CVE-2009-1185: udev does not check the origin of NETLINK messages, allowing local users to gain root privileges. CVE-2009-1186: udev suffers from a buffer overflow condition in path encoding, potentially allowing arbitrary code execution.
xine-lib: integer overflow
Package(s): xine-lib
CVE #(s): CVE-2009-0698
Created: April 21, 2009
Updated: June 1, 2010
Description: From the CVE entry: Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385.
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current 2.6 development kernel is 2.6.30-rc3, released on April 21. "The diffstat really shows lots of small one-liners and two-liners, although there are areas that are getting bigger patches (ignoring the bulky but uninteresting arm defconfig updates): some x86 updates, some block IO scheduling fixes, splice cleanups and fixes, and a number of driver changes (sound, networking, staging, usb)." The short-form changelog is in the announcement, or see the full changelog for all the details.
The current stable 2.6 release remains 2.6.29.1; there have been no stable 2.6 updates since April 2.
For the fans of extreme stability, though, 2.4.37.1 was released on April 19. "Most of these fixes concern minor security issues which have been backported from 2.6 (mostly local DoSes). In my opinion, only people with local users might consider upgrading, if those people still exist!"
Kernel development news
Quotes of the week
In search of the perfect changelog
When kernel developers engage in an extended discussion on the writing of changelogs for patches, one might well conclude that they have run out of useful things to do. But arguments over changelogs are not the same as spelling or grammar flames. In an environment where 10,000 or so changes are merged in every three-month development cycle, developers need all the help they can get to understand what is going into the kernel. Poorly-described patches are harder to understand, and harder to find when searching the history for something specific. So getting changelogs right helps the development process - and the kernel - as a whole.
It all started innocently enough; Linus was engaging in a routine patch flaming when he encountered one of the "Impact:" tags that some developers (especially those working with Ingo Molnar's trees) have adopted in recent months:
Impact: clarify and extend confusing API
Suffice to say that he was not much impressed with it:
From there, the extended conversation focused on two related topics: the value of "impact" tags and how to write better changelogs in general. On the former, the primary (but not only) proponent of these tags is Ingo Molnar, who cites several benefits from their use. Using these tags, he claims, forces developers to write smaller patches which can be adequately described in a single line. They give subsystem maintainers an easy way to assess the changes made by a set of patches and their associated risk; they also make it easier to review a patch against its declared "impact." These tags are also said to force a certain clarity of thought, making developers think through the consequences of a change.
Most of these arguments leave "Impact:" detractors unmoved, though. Rather than add yet another tag to a patch, they would prefer to see developers just write better changelogs from the outset. In a properly-documented patch, the new tag is just irrelevant. Andrew Morton said:
Ingo disputed that claim at length, needless to say. But he takes things further by stating that, while better changelogs would certainly be desirable, they are not a practical goal. According to Ingo, most developers are simply not capable of writing good changelogs. Language barriers and such often are part of this problem, but it goes deeper: most developers simply lack the writing skills needed to write clear and concise changelogs. This fact of life, as Ingo sees it, cannot really be changed, but most developers can, at least, be trained to write a reasonable impact tag.
It is probably fair to say that most developers do not see themselves as being disabled in this way. That said, it is also fair to say that a lot of patches go into the mainline with unhelpful changelogs. That can probably be changed - to an extent at least - through pressure from maintainers and a better understanding of what makes a good changelog. In an attempt to help, your editor has proposed a brief addition to Documentation/development-process:
To that end, the summary line should describe the effects of and motivation for the change as well as possible given the one-line constraint. The detailed description can then amplify on those topics and provide any needed additional information. If the patch fixes a bug, cite the commit which introduced the bug if possible. If a problem is associated with specific log or compiler output, include that output to help others searching for a solution to the same problem. If the change is meant to support other changes coming in a later patch, say so. If internal APIs are changed, detail those changes and how other developers should respond. In general, the more you can put yourself into the shoes of everybody who will be reading your changelog, the better that changelog (and the kernel as a whole) will be.
Other possible additions have been proposed by Ted Ts'o and Paul Gortmaker. Of course, all of these patches are based on the optimistic notion that developers will actually read the documentation.
One could argue that the kernel community is rather late in getting around to this kind of discussion. That could be said to be par for the course; in the pre-BitKeeper era (i.e. up to February, 2002), there was almost no tracking of individual changes into the kernel at all. That the fine points of changelogging are being discussed a mere seven years later suggests things are going in the right direction. The level of professionalism in the kernel community has been on the rise for a long time; this process is likely to continue. Whether or not some variant on the impact tag is used in the future, one can assume that the quality of changelogs will, as a whole, be better.
The slow work mechanism
Many years ago, your editor heard Van Jacobson state that naming an algorithm "slow start" was one of the biggest mistakes he had ever made. The name refers to the technique of ramping up transmit rates slowly until the carrying capacity of the connection is determined. But others just saw "slow" and complained that they didn't want their connections to be slow. The fact that "slow start" made the net faster was lost on them. One might wonder if David Howells's "slow work" mechanism - merged for 2.6.30 - could run into similar problems; no kernel developer wants things to run slowly. But, as with slow start, running things slowly is not the point.
Slow work is a thread pool implementation - yet another thread pool, one might say. The kernel already has workqueues and the asynchronous function call infrastructure; the distributed storage (DST) module added to the -staging tree for 2.6.30 also has a thread pool hidden within it. Each of these pools is aimed at a different set of uses. Workqueues provide per-CPU threads dedicated to specific subsystems, while asynchronous function calls are optimized for specific ordering of tasks. Slow work, instead, looks like a true "batch job" facility which can be used by kernel subsystems to run tasks which are expected to take a fair amount of time in their execution.
A kernel subsystem which wants to run slow work jobs must first declare its intention to the slow work code:
    #include <linux/slow-work.h>

    int slow_work_register_user(void);
The call to slow_work_register_user() ensures that the thread pool is set up and ready for work - no threads are created before the first user is registered. The return value will be either zero (on success) or the usual negative error code.
Actual slow work jobs require the creation of two structures:
    struct slow_work;

    struct slow_work_ops {
        int (*get_ref)(struct slow_work *work);
        void (*put_ref)(struct slow_work *work);
        void (*execute)(struct slow_work *work);
    };
The slow_work structure is created by the caller, but is otherwise opaque. The slow_work_ops structure, created separately, is where the real work gets done. The execute() function will be called by the slow work code to get the actual job done. But first, get_ref() will be called to obtain a reference to the slow_work structure. Once the work is done, put_ref() will be called to return that reference. Slow work items can hang around for some time after they have been submitted, so reference counting is needed to ensure that they are freed at the right time. The implementation of get_ref() and put_ref() functions is not optional.
In practice, kernel code using slow work will create its own structure which contains the slow_work structure and some sort of reference-counting primitive. The slow_work structure must be initialized with one of:
    void slow_work_init(struct slow_work *work, const struct slow_work_ops *ops);
    void vslow_work_init(struct slow_work *work, const struct slow_work_ops *ops);
The difference between the two is that vslow_work_init() identifies the job as "very slow work" which can be expected to run (or sleep) for a significant period of time. The documentation suggests that writing to a file might be "slow work," while "very slow work" might be a sequence of file lookup, creation, and mkdir() operations. The slow work code actually prioritizes "very slow work" items over the merely slow ones, but only up to the point where they use 50% (by default) of the available threads. Once the maximum number of very slow jobs is running, only "slow work" tasks will be executed.
Actually getting a slow work task running is done with:
int slow_work_enqueue(struct slow_work *work);
This function queues the task for running. It will succeed unless the associated get_ref() function fails, in which case -EAGAIN will be returned.
Slow work tasks can be enqueued multiple times, but no count is kept, so a task enqueued several times before it begins to execute will only run once. A task which is enqueued while it is running is indeed put back on the queue for a second execution later on. The same task is guaranteed to not run on multiple CPUs simultaneously.
There is no way to remove tasks which have been queued for execution, and there is no way (built into the slow work mechanism) to wait for those tasks to complete. A "wait for completion" functionality can certainly be created by the caller if need be. The general assumption, though, seems to be that slow work items can be outstanding for an indefinite period of time. As long as tasks with a non-zero reference count exist, any resources they depend on need to remain available.
There are three parameters for controlling slow work which appear under /proc/sys/kernel/slow-work: min-threads (the minimum size of the thread pool), max-threads (the maximum size), and vslow-percentage (the maximum percentage of the available threads which can be used for "very slow" tasks). The defaults allow for between two and four threads, 50% of which can run "very slow" tasks.
The only user of slow work in the 2.6.30 kernel is the FS-Cache file caching subsystem. There is a clear need for thread pool functionality, though, so it would not be surprising to see other users show up in future releases. What might be more surprising (though desirable) would be a consolidation of thread pool implementations in a future development cycle.
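As an added illustration, and not kernel code or anything from the slow-work patches themselves, the following userspace model exercises the contract laid out above: get_ref() is taken at enqueue time and put_ref() returned when the job is finished, several enqueues before the first run collapse into one execution, an enqueue from inside execute() earns exactly one more run, and a failing get_ref() yields -EAGAIN. The single FIFO drained by run_pending(), the flag names inside struct slow_work, the "nothing runs before a user has registered" rule and the my_job user are all assumptions of this model, not details of the real implementation.

```c
/* Userspace model of the slow-work contract (added example, not kernel code).
 * The thread pool is replaced by one FIFO drained by run_pending() on the
 * calling thread; flag names and the registration rule are model assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct slow_work;
struct slow_work_ops {
    int  (*get_ref)(struct slow_work *work);
    void (*put_ref)(struct slow_work *work);
    void (*execute)(struct slow_work *work);
};

/* Opaque to users in the kernel; the state flags are visible here. */
struct slow_work {
    const struct slow_work_ops *ops;
    bool pending;    /* on the queue, holding one reference */
    bool executing;  /* execute() in progress (never on two CPUs at once) */
    bool deferred;   /* enqueued while executing: run once more afterwards */
    struct slow_work *next;
};

static struct slow_work *q_head, *q_tail;
static bool pool_ready;

/* Assumption of the model: no worker exists until a user has registered. */
int slow_work_register_user(void) { pool_ready = true; return 0; }

void slow_work_init(struct slow_work *w, const struct slow_work_ops *ops)
{
    w->ops = ops;
    w->pending = w->executing = w->deferred = false;
    w->next = NULL;
}

static void q_push(struct slow_work *w)
{
    w->next = NULL;
    if (q_tail) q_tail->next = w; else q_head = w;
    q_tail = w;
}

static struct slow_work *q_pop(void)
{
    struct slow_work *w = q_head;
    if (w && !(q_head = w->next)) q_tail = NULL;
    return w;
}

int slow_work_enqueue(struct slow_work *w)
{
    if (w->pending) return 0;                          /* already queued: one run */
    if (w->executing) { w->deferred = true; return 0; } /* run again afterwards */
    if (w->ops->get_ref(w) < 0) return -EAGAIN;        /* nothing was queued */
    w->pending = true;
    q_push(w);
    return 0;
}

/* Stands in for the pool threads; returns how many executions took place. */
int run_pending(void)
{
    int executed = 0;
    struct slow_work *w;
    while (pool_ready && (w = q_pop()) != NULL) {
        w->pending = false;
        w->executing = true;
        w->ops->execute(w);
        w->executing = false;
        executed++;
        if (w->deferred) {            /* keep the reference, go around again */
            w->deferred = false;
            w->pending = true;
            q_push(w);
        } else {
            w->ops->put_ref(w);       /* job finished: hand the reference back */
        }
    }
    return executed;
}

/* A user of the API: its own structure embeds slow_work plus a refcount. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct my_job {
    struct slow_work work;
    int  refcount;
    int  runs;
    bool refuse_refs;   /* makes get_ref() fail, to show the -EAGAIN path */
    bool requeue_once;  /* execute() enqueues itself once, to show deferral */
};

static int my_get_ref(struct slow_work *w)
{
    struct my_job *job = container_of(w, struct my_job, work);
    if (job->refuse_refs) return -1;
    job->refcount++;
    return 0;
}
static void my_put_ref(struct slow_work *w)
{
    container_of(w, struct my_job, work)->refcount--;
}
static void my_execute(struct slow_work *w)
{
    struct my_job *job = container_of(w, struct my_job, work);
    job->runs++;
    if (job->requeue_once && job->runs == 1)
        slow_work_enqueue(w);         /* enqueued while running: deferred */
}
static const struct slow_work_ops my_ops = { my_get_ref, my_put_ref, my_execute };

int demo_refs_left;   /* refcount observed after the queue has drained */

/* Three enqueues before the first run plus one from inside execute():
 * two executions in total, and the reference count returns to zero. */
int demo_duplicate_enqueues(void)
{
    struct my_job job = { .requeue_once = true };
    slow_work_register_user();
    slow_work_init(&job.work, &my_ops);
    slow_work_enqueue(&job.work);
    slow_work_enqueue(&job.work);     /* collapses into the pending run */
    slow_work_enqueue(&job.work);
    run_pending();                    /* first run defers a second one */
    demo_refs_left = job.refcount;
    return job.runs;
}

/* A get_ref() failure means the job was never queued at all. */
int demo_failed_get_ref(void)
{
    struct my_job job = { .refuse_refs = true };
    slow_work_register_user();
    slow_work_init(&job.work, &my_ops);
    return slow_work_enqueue(&job.work);
}
```

The point worth taking from the model is the one the text makes about lifetime: a job may sit on the queue indefinitely, so whatever my_job's refcount protects has to stay valid until put_ref() runs, and a failed get_ref() leaves the caller owning the job outright.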
DRBD: a distributed block device
The three R's of high availability are Redundancy, Redundancy and Redundancy. However, on a typical setup built with commodity hardware, it is not possible to add redundancy beyond a certain limit to increase the number of 9's in your uptime percentage (i.e. 99.999%). Consider a simple example: an iSCSI server with the cluster nodes using a distributed filesystem such as GFS2 or OCFS2. Even with redundant power supplies and data channels on the iSCSI storage server, there still exists a single point of failure: the storage.
The Distributed Replicated Block Device (DRBD) patch, developed by Linbit, introduces duplicated block storage over the network with synchronous data replication. If one of the storage nodes in the replicated environment fails, the system has another block device to rely on, and can safely fail over. In short, it can be considered as an implementation of RAID1 mirroring using a combination of a local disk and one on a remote node, but with better integration with cluster software such as heartbeat and efficient resynchronization with the ability to exchange dirty bitmaps and data generation identifiers. DRBD currently works only on 2-node clusters, though you could use a hybrid version to expand this limit. When both nodes of the cluster are up, writes are replicated and sent to both the local disk and the other node. For efficiency reasons, reads are fetched from the local disk.
The level of data coupling used depends on the protocol chosen:
- Protocol A: Writes are considered to complete as soon as the local disk writes have completed, and the data packet has been placed in the send queue for the peers. In case of a node failure, data loss may occur because the data to be written to remote node disk may still be in the send queue. However, the data on the failover node is consistent, but not up-to-date. This is usually used for geographically separated nodes.
- Protocol B: Writes on the primary node are considered to be complete as soon as the local disk write has completed and the replication packet has reached the peer node. Data loss may occur in case of simultaneous failure of both participating nodes, because the in-flight data may not have been committed to disk.
- Protocol C: Writes are considered complete only after both the local and the remote node's disks have confirmed the writes are complete. There is no data loss, so this is a popular schema for clustered nodes, but the I/O throughput is dependent on the network bandwidth.
DRBD classifies the cluster nodes as either "primary" or "secondary." Primary nodes can initiate modifications or writes whereas secondary nodes cannot. This means that a secondary DRBD node does not provide any access and cannot be mounted. Even read-only access is disallowed for cache coherency reasons. The secondary node is present mainly to act as the failover device in case of an error. The secondary node may become primary depending on the network configuration. Role assignment and designation is performed by the cluster management software.
There are different ways in which a node may be designated as primary:
- Single Primary: The primary designation is given to one cluster member. Since only one cluster member manipulates the data, this mode is useful with conventional filesystems such as ext3 or XFS.
- Dual Primary: Both cluster nodes can be primary and are allowed to modify the data. This is typically used in cluster aware filesystems such as ocfs2. DRBD for the current release can support a maximum of two primary nodes in a basic cluster.
Worker Threads
Part of the communication between nodes is handled by threads to avoid deadlocks and complex design issues. The threads used for communication are:
- drbd_receiver: handles incoming packets. On the secondary node, it allocates buffers, receives data blocks and issues write requests to the local disk. If it receives a write barrier, it sleeps until all pending write requests have been finished.
- drbd_sender: Sender thread for data blocks in response to a read request. This is done in a thread other than drbd_receiver, to avoid distributed deadlocks. If a resynchronization process is running, its packets are generated by this thread.
- drbd_asender: Acknowledgment sender. Hard drive drivers are informed of request completions through interrupts. However, sending data over the network in an interrupt callback routine may block the handler. So, the interrupt handler places the packet in a queue which is picked up by this thread and sent over the network.
Failures
DRBD requires a small reserve area for metadata, to handle post failure operations (such as synchronization) efficiently. This area can be configured either on a separate device (external metadata), or within the DRBD block device (internal metadata). It holds the metadata with respect to the disk including the activity log and the dirty bitmap (described below).
Node Failures
If a secondary node dies, it does not affect the system as a whole because writes are not initiated by the secondary node. If the failed node is the primary, data that was being written to disk but whose completions have not yet been received may be lost. To avoid this, DRBD maintains an "activity log," a reserved area on the local disk which contains information about write operations which have not completed. The data is stored in extents and is maintained in a least recently used (LRU) list. Each change of the activity log causes a metadata update (a single sector write). The size of the activity log is configured by the user; it is a tradeoff between minimizing updates to the metadata and the resynchronization time after the crash of a primary node.
DRBD maintains a "dirty bitmap" in case it has to run without a peer node or without a local disk. It describes the pages which have been dirtied by the local node. Writes to the on-disk dirty bitmap are minimized by the activity log. Each time an extent is evicted from the activity log, the part of the bitmap associated with it which is no longer covered by the activity log is written to disk. The dirty bitmaps are sent over the network to communicate which pages are dirty should a resynchronization become necessary. Bitmaps are compressed (using run-length encoding) before being sent over the network to reduce network overhead. Since most of the bitmaps are sparse, this proves to be quite effective.
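To make the run-length idea concrete, here is an added example (not DRBD's code and not its wire format, which is not described on this page) that encodes a sparse dirty bitmap as alternating run lengths and decodes it again. The bitmap size, the varint run encoding and the sample extents are constructed for the example. The decoder side is where a replication peer has to be careful: every run length arrives from the network, so it is bounded against the bitmap size before any bit is touched, and truncated or oversized input is rejected instead of being trusted.

```c
/* Run-length encoding of a sparse dirty bitmap (added example; encoding,
 * bitmap size and sample data are constructed, not DRBD's own format). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BITMAP_BITS  4096                 /* constructed: one bit per block */
#define BITMAP_BYTES (BITMAP_BITS / 8)

typedef struct { uint8_t bits[BITMAP_BYTES]; } dirty_bitmap;

static int  bit_get(const dirty_bitmap *b, size_t i) { return (b->bits[i / 8] >> (i % 8)) & 1; }
static void bit_set(dirty_bitmap *b, size_t i)       { b->bits[i / 8] |= (uint8_t)(1u << (i % 8)); }

/* Emit alternating run lengths, a clean run first, each as a 7-bit-per-byte
 * varint. Returns bytes written, or 0 if the output buffer is too small. */
size_t rle_encode(const dirty_bitmap *b, uint8_t *out, size_t out_len)
{
    size_t n = 0, i = 0;
    int cur = 0;
    while (i < BITMAP_BITS) {
        size_t run = 0;
        while (i < BITMAP_BITS && bit_get(b, i) == cur) { run++; i++; }
        do {
            if (n >= out_len) return 0;
            uint8_t byte = run & 0x7f;
            run >>= 7;
            out[n++] = byte | (run ? 0x80 : 0);
        } while (run);
        cur ^= 1;
    }
    return n;
}

/* Rebuild a bitmap from a peer's message. Returns 0 on success, -1 when the
 * input is truncated, uses an oversized varint, or describes more bits than
 * the bitmap holds: a receiver bounds every run before touching memory. */
int rle_decode(const uint8_t *in, size_t in_len, dirty_bitmap *b)
{
    size_t i = 0, pos = 0;
    int cur = 0;
    memset(b, 0, sizeof *b);
    while (pos < in_len) {
        size_t run = 0;
        int shift = 0;
        uint8_t byte;
        do {
            if (pos >= in_len || shift > 28) return -1;  /* truncated / too long */
            byte = in[pos++];
            run |= (size_t)(byte & 0x7f) << shift;
            shift += 7;
        } while (byte & 0x80);
        if (run > BITMAP_BITS - i) return -1;           /* would overrun the bitmap */
        if (cur)
            for (size_t k = 0; k < run; k++) bit_set(b, i + k);
        i += run;
        cur ^= 1;
    }
    return i == BITMAP_BITS ? 0 : -1;
}

/* Constructed sample: two dirty extents (blocks 100..107 and 3000..3003)
 * in an otherwise clean 4096-bit bitmap. */
static void sample_bitmap(dirty_bitmap *b)
{
    memset(b, 0, sizeof *b);
    for (size_t i = 100; i < 108; i++) bit_set(b, i);
    for (size_t i = 3000; i < 3004; i++) bit_set(b, i);
}

/* 512 raw bytes collapse to 7: five runs, two of them needing 2-byte varints. */
size_t demo_compressed_size(void)
{
    dirty_bitmap b; uint8_t buf[64];
    sample_bitmap(&b);
    return rle_encode(&b, buf, sizeof buf);
}

/* Encode, decode, compare bit for bit; 1 on a clean round trip. */
int demo_roundtrip_ok(void)
{
    dirty_bitmap b, back; uint8_t buf[64];
    sample_bitmap(&b);
    size_t n = rle_encode(&b, buf, sizeof buf);
    return n > 0 && rle_decode(buf, n, &back) == 0 && memcmp(&b, &back, sizeof b) == 0;
}

/* A crafted message whose first run (0x1fffff bits) exceeds the bitmap is refused. */
int demo_rejects_oversized_run(void)
{
    static const uint8_t bad[] = { 0xff, 0xff, 0x7f };
    dirty_bitmap b;
    return rle_decode(bad, sizeof bad, &b);
}
```

The compression ratio depends entirely on how clustered the dirty blocks are, which is why the activity log's extent-based layout and the bitmap encoding complement each other: a handful of hot extents produce a handful of runs regardless of device size.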
DRBD synchronizes data once the crashed node comes back up, or in response to data inconsistencies caused by an interruption in the link. Synchronization is performed in a linear order, by disk offset, in the same disk layout as the consistent node. The rate of synchronization can be configured by the rate parameter in the DRBD configuration file.
Disk Failures
In case of local disk errors, the system may choose to deal with them in one of the following ways, depending on the configuration:
- detach: Detach the node from the backing device and continue in diskless mode. In this situation, the device on the peer node becomes the main disk. This is the recommended configuration for high availability.
- pass_on: Pass the error to the upper layers on a primary node. The disk error is ignored, but logged, when the node is secondary.
- call-local-io-error: Invokes a script. This mode can be used to perform a failover to a "healthy" node, and automatically shift the primary designation to another node.
Data Inconsistency issues
In the dual-primary case, both nodes may write to the same disk sector, making the data inconsistent. For writes at different offsets, no synchronization is required. To avoid inconsistency issues, data packets over the network are numbered sequentially to identify the order of writes. However, there are still some corner-case inconsistency problems the system can suffer from:
- Simultaneous writes by both nodes at the same time. In such a situation, one node's writes are discarded. One of the primary nodes is marked with the "discard-concurrent-writes" flag, which causes it to discard write requests from the other node when it detects simultaneous writes. The node with the discard-concurrent-writes flag set sends a "discard ACK" to the other node, informing it that the write has been discarded. The other node, on detecting the discard ACK, writes the data from the first node to keep the drives consistent.
- Local request while remote request in flight: this can happen when the disk latency exceeds the network latency. The local node writes to a given block, sending the write operation to the other node. The remote node then acknowledges the completion of the request and sends a new write of its own to the same block - all before the local write has completed. In this case, the local node keeps the new data write request on hold until the local writes are complete.
- Remote request while local request is still pending: this situation comes about if the network reorders packets, causing a remote write to a given block to arrive before the acknowledgment of a previous, locally-generated write. Once again, the receiving node will simply hold the new data until the ACK is received.
Conclusion
DRBD is not the only distributed storage implementation under development. The implementation of Distributed Storage (DST) contributed by Evgeniy Polyakov and accepted into the staging tree takes a different approach. DRBD is limited to 2-node active clusters, while DST can have larger numbers of nodes. DST works on a client-server model, where the storage is at the server end, whereas DRBD is peer-to-peer based, and designed for high availability rather than for distributing storage. DST, on the other hand, is designed for accumulative storage, with storage nodes which can be added as needed. DST has a pluggable module which accepts different algorithms for mapping the storage nodes into a cumulative storage. The algorithm chosen can be mirroring, which would serve the same basic capability of replicated storage as DRBD.
DRBD code is maintained in the git repository at git://git.drbd.org/linux-2.6-drbd.git, under the "drbd" branch. It contains the minor review comments posted on LKML, incorporated after the patchset was released by Philipp Reisner. For further information, see the several PDF documents mentioned in the DRBD patch posting.
Patches and updates
Kernel trees
Architecture-specific
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Virtualization and containers
Benchmarks and bugs
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
Debian GNU/kFreeBSD: one more step towards a universal operating system
One of the strengths of the Linux ecosystem is freedom of choice. The Debian distribution has given its users one more freedom: to choose between the Linux and FreeBSD kernels under the hood, with the same Debian GNU user space applications whichever is chosen. The idea goes back ten years, but it is finally coming to fruition now that two new architectures, kfreebsd-i386 and kfreebsd-amd64, have been added to the unstable and experimental archives of Debian.
The project was first announced in the Debian Weekly News for February 22nd, 1999:
Shortly thereafter a plain FreeBSD port of Debian was started, with a FreeBSD kernel and FreeBSD libc under a GNU user space. To not diverge too much from the GNU/Linux architecture, the developers of the project used GNU utilities, but they quickly found out that a lot of packages needed patches because the FreeBSD libc did not provide the same extensions as GNU libc.
So after a while came the idea to port GNU libc to the FreeBSD kernel. This was done mostly by Bruno Haible in 2002, which is when the project took the shape (and name) it has now. Port maintainer Aurélien Jarno looks back at this time:
Switching to the GNU libc port has brought better compatibility with the Debian packages and, once that happened, a lot of packages were able to be built without any changes. The project got the name Debian GNU/kFreeBSD. To summarize, Debian GNU/kFreeBSD is a port that consists of a GNU user space using the GNU C library and Debian package management and system tools on top of FreeBSD's kernel. The latest Debian GNU/kFreeBSD is based on the upstream FreeBSD 7.1 kernel with a few patches.
GNU and BSD: a strange marriage
But why have the developers made such a strange chimera, a combination of a BSD kernel and a GNU user space? Is this a "because we can" project? Obviously, the developers have heard this question countless times, and the wiki lists some valid reasons why a user could prefer Debian GNU/kFreeBSD to FreeBSD or Debian GNU/Linux.
The "why" question breaks down into two questions. First, why would a user prefer Debian GNU/kFreeBSD to Debian GNU/Linux? To begin with, the FreeBSD kernel has some nice and useful features, like the OpenBSD "pf" packet filter and "jails", a system-level virtualization feature. The developers also list cleaner kernel interfaces than Linux as an advantage, pointing to a single /dev implementation via devfs, as well as the use of OSS as the default sound system, as examples.
Drivers can be another advantage. For example, the FreeBSD kernel has support for Windows NDIS drivers in the mainline kernel, whereas the NDISwrapper project will not likely make it into the mainline Linux kernel. The developers add: "The FreeBSD kernel might support some hardware which Linux does not support and/or the FreeBSD kernel support might be better (fewer bugs)." But, of course, this is a double-edged sword: Linux supports a lot of devices for which FreeBSD has no drivers yet.
Another interesting issue lies on the filesystem front: the Debian GNU/kFreeBSD developers say that due to licensing and patent issues, Sun's filesystem ZFS is unlikely to appear in the Linux kernel. However, now that Oracle is buying Sun, chances have improved that ZFS will get GPL-licensed. But whatever will happen, ZFS is also being ported to FreeBSD, so Debian GNU/kFreeBSD users will definitely see support for this interesting filesystem in the future.
Some of the reasons the developers give are less convincing. For example, they say: "kFreeBSD offers an alternative in case Linux is branded illegal by the SCO case or other threats. In legal terms, Linux sources are like a minefield. kFreeBSD is much less vulnerable to such attacks because of its less bazaar-like development model." Your author thinks this is very unlikely to happen.
The second part of the "why" question is: why would a user prefer Debian GNU/kFreeBSD to FreeBSD? This really comes down to preferences. Maybe the user likes the Debian package system more than FreeBSD ports, or prefers the GNU user space to the BSD world. The GNU versions of many commands are known to have more features. And at the non-technical level: Debian GNU/kFreeBSD follows the Debian Free Software Guidelines, whereas FreeBSD uses some non-free, binary-only drivers such as the ath driver for Atheros wireless chipsets. But all of this will most likely not convince BSD users to switch.
Working with Debian GNU/kFreeBSD
This all sounds interesting, but does it work in practice? The base system is fully functional and users can install Debian GNU/kFreeBSD by using the install notes. An ISO file for an install CD is available. Currently this is a version from January 2009, but users can add a Lenny-based snapshot to /etc/apt/sources.list.
The current installation CD is based on a hacked FreeBSD sysinstall, so at this moment, the installation is not straightforward for users without any FreeBSD experience. Moreover, this only works more or less correctly for standard installations. This is a temporary solution until the debian-installer is fully ported to Debian GNU/kFreeBSD. Luca Favatella, a computer engineering student at the University of Catania in Italy, will implement this as part of Google Summer of Code 2009. As part of his proposal, which has been accepted at GSOC, he will not only port debian-installer to GNU/kFreeBSD, but he will also make debian-installer less dependent on Linux: at this moment it uses many Linux-specific constructs (e.g. udev) or assumes Linux structures (e.g. setting up partitions with LVM).
Most of the core packages in Debian unstable are ported to Debian GNU/kFreeBSD. Looking at all of the architecture-independent source packages, the developers have currently ported over 80% of the 7800 source packages. Of course not all of them have been tested. There is still a large number of packages that need fixing. The developers have a list of common practices and problems found when porting to GNU/kFreeBSD. According to Jarno, a lot of porting is rather simple (but boring). For example, support for detecting GNU/kFreeBSD was added more than six years ago to autotools, but a lot of software is still using an older version. He adds: "Also a lot of software is using #ifdef __linux__ to detect if they are using a GNU libc. This is clearly wrong, and this is also one of the more repetitive changes to make."
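The #ifdef __linux__ misuse Jarno describes, as an added example (not code from the Debian GNU/kFreeBSD project or from any package it ports): a small scanner that flags preprocessor conditionals keyed on the kernel macro so a porter can review each one, next to the library test (__GLIBC__) that the porters want instead. The source text it scans is constructed for this example; the __FreeBSD_kernel__ macro in the kernel check is the one the kFreeBSD port defines in place of __FreeBSD__.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not code from any real package): three
   preprocessor conditionals keyed on the kernel macro __linux__.  The first
   two use it as a stand-in for "we have glibc"; the third legitimately
   needs a Linux kernel header.  The last line mentions the macro outside a
   directive and must not be counted. */
const char *const sample_src =
    "#include <stdio.h>\n"
    "#ifdef __linux__\n"
    "#  define HAVE_STRNDUP 1\n"
    "#endif\n"
    "#if defined(__linux__) && !defined(NO_GNU_EXTENSIONS)\n"
    "#  define _GNU_SOURCE\n"
    "#endif\n"
    "#ifdef __linux__\n"
    "#  include <linux/fs.h>\n"
    "#endif\n"
    "int flag = 0; /* __linux__ in a comment is not a directive */\n";

/* Count preprocessor lines that mention __linux__.  Every hit is a line a
   porter has to inspect by hand: the test is right only when the code really
   needs the Linux kernel, and wrong when it wants a glibc feature.  Lines are
   scanned one at a time so a match is never taken from a later line. */
int count_linux_conditionals(const char *src)
{
    int hits = 0;
    const char *line = src;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *p = line;

        while (p < line + len && (*p == ' ' || *p == '\t'))
            p++;
        if (p < line + len && *p == '#') {
            const char *hit = strstr(p, "__linux__");
            if (hit != NULL && hit < line + len)
                hits++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return hits;
}

int sample_hits(void)
{
    return count_linux_conditionals(sample_src);
}

/* What the porters ask for instead: test for the C library directly.  Any
   glibc header defines __GLIBC__ (and __GLIBC_PREREQ for version checks).
   Kernel-specific code keeps its own test; Debian GNU/kFreeBSD defines
   __FreeBSD_kernel__, not __FreeBSD__. */
const char *detected_libc(void)
{
#if defined(__GLIBC__)
    return "glibc";
#else
    return "not glibc";
#endif
}

const char *detected_kernel(void)
{
#if defined(__linux__)
    return "Linux";
#elif defined(__FreeBSD_kernel__)
    return "FreeBSD kernel";
#else
    return "other";
#endif
}

int main(void)
{
    printf("__linux__ conditionals to review in sample: %d\n", sample_hits());
    printf("this build: libc=%s kernel=%s\n", detected_libc(), detected_kernel());
    return 0;
}
```

The scanner is deliberately a review aid, not a rewriter: the third hit in the sample is a correct use of the kernel macro, which is exactly why the porters call the change repetitive rather than mechanical.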
Several high-profile packages aren't ported yet. For example, OpenOffice.org is missing. But Jarno sees no fundamental problems for this port to happen: "There is no reason it would not work, but it is a huge task given the size of Openoffice.org sources. All the build dependencies are available, so it's mainly about tweaking the hundreds of autodetection scripts that do not know about GNU/kFreeBSD."
Wireless networking works in Debian GNU/kFreeBSD, but there are no tools to scan for networks yet. The problem is that NetworkManager is really tightly coupled to HAL, which was not available on FreeBSD. Jarno explains: "Though it has been originally designed for being portable across operating systems, a lot of kernel-specific code had to be written." However, now that HAL has been ported to FreeBSD, it should not be a big deal to get NetworkManager working. As upstream FreeBSD is doing the porting work (as a Google Summer of Code project), Debian GNU/kFreeBSD will surely get NetworkManager support in the near future.
There is a core of about 5 to 8 developers working on the Debian GNU/kFreeBSD port, but as with any open source project a lot of other people are also helping to a smaller extent. That includes package maintainers who want their package to work on the system. The project provides Debian Developer accessible machines running GNU/kFreeBSD for this purpose. Jarno estimates that about 50 people are using Debian GNU/kFreeBSD almost daily, and that a lot of people are following the development more or less closely: "We hope to see this number increasing now that it is being integrated as an official Debian architecture."
With Debian GNU/kFreeBSD, the Debian project has taken one more step towards its vision as a universal operating system. It's unique to have a platform supporting two different kernels, while the user space remains largely unchanged. Of course there's also Debian GNU/Hurd, but this still has not been officially released, and the Hurd kernel itself is still relatively immature. Debian GNU/NetBSD is still in an early stage of development. The ultimate aim is Debian GNU/Any, where the user space is abstracted completely from the running kernel with glibc. When this is possible, Debian binaries would be binary compatible with any kernel supported on Debian GNU/Any through the glibc abstraction. This total decoupling of user space and kernel will give users even more choice.
Annual Distribution List update
It's time for our annual update on the state of the LWN Distributions List. The last update was April 17, 2008. Since then we've added 54 distributions and deleted 52 distributions.
Last year we had 485 active distributions and 58 in the historical section for a total of 543 distributions. Historical distributions are no longer actively developed, but some source code should be available. There are usually quite a few historical distributions in the active sections, though. Sometimes it's hard to tell.
Link checking is a slow process and a low priority task. This year you should find the front part of the List, from the Leading section through the Country-specific sections, to be fairly up-to-date. The sections from Embedded through the end of the list are moldier. So this year we see an increase in historical distributions, now at 85, compared to 460 active distributions, for a total of 545 distributions currently on the list.
The distributions removed in the last year are (in no particular order): Tao Linux, Cobind Desktop, BearOps, Linare Linux OS, Santa Fe Linux, SLYNUX, Underground Desktop, WinLinux, RedIce-Linux, EtLinux, Tynux, RedBlue Linux, QiLinux, Aurox Linux, Buffalo Linux, DCC Alliance, UserLinux, Arabian Linux, Eadem Enterprise Linux, FullPliant, GenieOS, MitraX, Nitix, NixOS, OEone HomeBase, Peachtree Linux, Tomahawk Desktop, Xline, College Linux, Eagle Linux, elpicx, kmLinux, Tadpole Linux, tuXlab GNU/Linux, APLINUX.com.br Mail server, Console Linux, SACIX, Chinese 2000 Linux, ThizLinux, Tom Linux, XTeamLinux, Resala Linux, Echelon Linux, PunLinux, HOLON Linux, LASER5, WOWLinux, MCNLive, Pingwinek GNU/Linux, Castle, Linux ESware, and LinEspa.
Our list only includes distributions using a Linux kernel. There are no BSD or OpenSolaris based projects, even though we do cover these distributions on this page. As always, let us know if you encounter dead links or would like a project to be added to the list.
New Releases
Announcing the Release Candidate for Ubuntu 9.04
The release candidate for Ubuntu 9.04 has been announced. "The Ubuntu team is pleased to announce the Release Candidate for Ubuntu 9.04 Desktop and Server editions and Ubuntu Netbook Remix. Codenamed "Jaunty Jackalope", 9.04 continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. We consider this release candidate to be complete, stable, and suitable for testing by any user."
Announcing the Release Candidate for Ubuntu 9.04 on ARM
The Ubuntu team has announced the Release Candidate for Ubuntu 9.04 (Jaunty Jackalope) Desktop edition for the ARM architecture. "This first, community-supported ARM release of Ubuntu targets the i.MX51 Babbage development board and is suitable for use by developers wishing to bring the same high-quality Ubuntu desktop to an even wider range of energy-efficient systems."
Announcing Sugar on a Stick Beta 1
The SoaS team has announced the release of Sugar on a Stick Beta-1. "There has been impressive progress over the last few weeks; many thanks all the people who contributed their time and effort." Click below for more information.
Fedora Unity Releases F10 Re-spins
The Fedora Unity Project has announced the release of new ISO Re-Spins of Fedora 10. These Re-Spin ISOs are based on the officially released Fedora 10 installation media and include all updates released as of April 14, 2009.
Distribution News
Debian GNU/Linux
Bits from the (re-elected) DPL: delegation
Steve McIntyre, re-elected Debian Project Leader, looks at delegations for the coming year. "So, onto the boring stuff. I hereby formally delegate Luk to be assistant DPL this year while I'm DPL. As far as is practical, we will share all the DPL's duties and responsibilities; we will both receive leader@ mail, and we both get to see all tickets in rt.debian.org. We intend to work as a team, but I'll get to have the last say and take the blame for any mistakes we make."
Bits from the 2nd Debian Groupware Meeting
Last year the Debian Groupware Meeting was held in the LinuxHotel, Essen, Germany. Click below for a short summary what happened during the weekend.
Gentoo Linux
Gentoo Council Summary
Click below for a summary of the April 9, 2009 meeting of the Gentoo Council. Topics include Migration of KEYWORDS out of ebuilds, EAPI 3 features block, and EAPI 3 updates.
SUSE Linux and openSUSE
openSUSE Google Summer of Code Accepted Projects Announced
Google has announced the accepted projects for all of the Google Summer of Code organizations. The openSUSE Project has nine projects that were accepted for the Summer of Code 2009. Click below for openSUSE's list.
openSUSE Community Week Coming May 11 through May 17
openSUSE Community Week has been announced. Community Week aims to show users in the openSUSE community how they can become contributors, and to help existing contributors become more effective.
Distribution Newsletters
DistroWatch Weekly, Issue 299
The DistroWatch Weekly for April 20, 2009 is out. "It's the Ubuntu release week (or Ubuntu "circus", as some prefer to call it), a major event in the calendar of many open source software enthusiasts. What will the distribution's 10th official release be like? And will the download servers cope with the expected heavy demand? We'll have to wait until Thursday to find out; in the meantime, read below for a quick tip on reverting to an older kernel under Ubuntu and visit Canonical's ShipIt service to order your free CDs. In the news section, Mandriva gains support for hardware database known as Smolt, Easy Peasy ponders a few ideas concerning the distro's default user interface, and Fedora's Ricky Zhou points out the importance of innovation in Red Hat's community distribution. Finally, don't miss our feature article which calls for an implementation of a centralised bug-tracking database for all open source software projects. Happy reading!"
Fedora Weekly News #172
The Fedora Weekly News for the week ending April 19, 2009 is out. "This week Announcements rubs its hands with glee over the "Fedora 11" freeze. Similarly Artwork enthuses about "Fedora 11 Landing" with great Leonidas themes including a surprise for wide-screen setups. Developments gushes about "Presto and DeltaRPM Status" and SecurityWeek asks the interesting question "Who in the Linux World Would be Responsible for a Worm?". SecurityAdvisories faithfully lists updates that might just help avoid that worm. With a red face we draw your attention with an Erratum to last week's missing QualityAssurance beat. This week's QualityAssurance beat "Test Days" advertizes the upcoming minimal installation testing and reports in "Weekly meetings" that PulseAudio issues with snd-intel-hda and snd-intel8x0 are resolved. Translation reports on the availability of a bulky "Fedora 11 Installation Guide Ready for Translation". The FedoraWeeklyWebcomic joins us again and Ambassadors shares a neat list of LinuxFestNorthWest talks by Fedora folk."
The Mint Newsletter - issue 81
This issue of the Mint Newsletter covers the release of the Mint 6 KDE and Fluxbox Community editions, a note that the special Google search in Mint will be tweaked ("it is a major source of income and a minor source of irritation so we will do something about it"), and Twitter for Linux Mint (quick news).
OpenSUSE Weekly News/68
The issue of the OpenSUSE Weekly News covers Call for Participations: openSUSE Summit 2009, openSUSE at LinuxFest Northwest, People of openSUSE: Jean-Daniel Dodin, Google Summer of Code Status Update, Bryen Yunashko: Accessible Appreciation: The Sequel, and more.
Ubuntu Weekly Newsletter #138
The Ubuntu Weekly Newsletter for the week ending April 18, 2009 is out. "In this issue we cover: Announcing Ubuntu 9.04 RC, Announcing Ubuntu 9.04 RC for ARM, Packaging Training Session Update, Announcing Ubuntu Open Week, New Ubuntu Members, Japanese Team release party, Philippine Ubuntu Release Party, Launchpod #18, Karma: Where did mine go, Ubuntu Forums Interview: Codename, Jorge Castro: Support your LoCo economy, Sayak Banerjee: KDE Brainstorm - 30 Days, 700 ideas, Ubuntu-UK podcast: The Waking Ally, System76: Ubuntu PC Maker's revenue up 61 Percent, Open-source server distro that builds on Ubuntu, Server Meeting Minutes: April 14th, and much, much more!"
Distribution meetings
openSUSE Summit CFP Announced
The openSUSE Project has opened the call for participation in the openSUSE Summit 2009, to be held September 17 through 20 in Nuremberg, Germany. "We're looking for contributors to openSUSE, upstream projects, and members of the openSUSE community to participate." All proposals must be submitted by May 20, 2009.
Interviews
Interview with Ricky Zhou - Fedora Project (How Software is Built)
How Software is Built talks with Ricky Zhou. "I'm currently a freshman at Carnegie Mellon University. I've been contributing to Fedora since about March of my junior year. I'm mostly involved with the infrastructure team, which runs the servers that run Fedora and I'm kind of the leader of the website team, which is where I started out. I also do some packaging, among other things."
Distribution reviews
The five best, new things in Ubuntu Linux 9.04 (ComputerWorld)
Stephen J. Vaughan-Nichols reviews Ubuntu Linux 9.04 on ComputerWorld. "1) X.Org server 1.6/GNOME 2.26. The first part gives you peppier video performance, while the second gives you a really nice, integrated desktop. Particularly nice features include the integration of the Brasero CD/DVD burner with all other Gnome applications and improvements with both audio, PulseAudio, and multiple monitors control and support."
Page editor: Rebecca Sobol
Development
GCC reaches the 4.4.0 release
The GNU Compiler Collection (GCC) is likely the most popular compiler that runs under Linux: "The GNU Compiler Collection includes front ends for C, C++, Objective-C, Fortran, Java, and Ada, as well as libraries for these languages (libstdc++, libgcj,...)."
The GCC project has announced the release of GCC version 4.4.0. "This release is a major release, containing new features (as well as many other improvements) relative to GCC 4.3.x." It also marks the first version in the GCC 4.4 release series. The changes document details the many modifications that have been made for this new branch.
![[GCC]](https://static.lwn.net/images/ns/gcc.png)
Some of the broader changes in version 4.4.0 include a number of improvements to the optimizer; the following new command line switches have been added:
- -findirect-inlining: makes the inliner inline indirect calls that have known targets.
- -ftree-switch-conversion: if possible, turns simple initializations of scalar variables in switch statements into static array initializations.
- -ftree-builtin-call-dce: eliminates unnecessary calls to some builtin functions when the return value is not used.
- -fconserve-stack: minimizes stack usage even at the expense of slower code.
- -fno-dwarf2-cfi-asm: makes GCC emit the DWARF call frame information itself instead of through .cfi assembler directives.
- -Wframe-larger-than=NUMBER: warn if any stack frame is larger than NUMBER bytes.
- -Wno-mudflap: disable warnings about constructs which can not be instrumented when using -fmudflap.
C language improvements include:
- a new optimize attribute allows setting the optimize level on a per-function basis.
- uninitialized warnings now work without enabling optimizations.
- -Wparentheses can now warn about expressions such as (!x | y).
- -Wsequence-points can now warn within if, while, do while and for blocks.
- The new -dU option allows preprocessor macro definitions to be dumped.
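The per-function optimize attribute from the C list above, as an added example rather than anything from the GCC announcement: the usual reason a security engineer reaches for it is to keep one routine, the one that wipes a key or password before its buffer goes out of scope, from being reduced to a dead store at -O2. The function names and the constructed key bytes are this example's own. GCC's manual says the attribute is meant for debugging and is not suitable for production code, so the portable volatile-store version is shown beside it.

```c
#include <stddef.h>
#include <string.h>

#define KEY_LEN 32

/* Baseline: a plain memset.  When the caller never reads the buffer again,
   an optimizing compiler is entitled to treat this as a dead store. */
void clear_plain(unsigned char *buf, size_t len)
{
    memset(buf, 0, len);
}

/* GCC 4.4's per-function optimize attribute: this one function is compiled
   at -O0 while the rest of the translation unit keeps the build's -O level.
   Guarded so the example still builds with other compilers. */
#if defined(__GNUC__) && !defined(__clang__)
__attribute__((optimize("O0")))
#endif
void clear_unoptimized(unsigned char *buf, size_t len)
{
    memset(buf, 0, len);
}

/* Portable alternative that does not rely on compiler flags: a store through
   a volatile lvalue is a side effect the optimizer may not remove. */
void clear_volatile(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;

    while (len--)
        *p++ = 0;
}

/* Fill a stack buffer with a constructed key, wipe it with the given routine
   and return how many bytes are still non-zero.  Reading the buffer back is
   what keeps the store alive, so all three routines return 0 here; the
   difference appears only in a caller that never reads the buffer again. */
size_t leftover_bytes(void (*clear)(unsigned char *, size_t))
{
    unsigned char key[KEY_LEN];
    size_t i, nonzero = 0;

    for (i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(0xA5 ^ i);   /* constructed secret */
    clear(key, KEY_LEN);
    for (i = 0; i < KEY_LEN; i++)
        nonzero += key[i] != 0;
    return nonzero;
}

int main(void)
{
    return (int)(leftover_bytes(clear_plain)
               + leftover_bytes(clear_unoptimized)
               + leftover_bytes(clear_volatile));
}
```

To see the behaviour the attribute is guarding against, put a call to clear_plain at the end of a function whose local buffer is never read afterwards, build with gcc -O2 -S, and look for the missing store in the generated assembly; repeat with clear_unoptimized and clear_volatile, whose stores survive.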
C++ language improvements include:
- experimental ISO C++0x standard support has been added.
- -fdiagnostics-show-option reports errors that can be downgraded to warnings via -fpermissive.
- -Wconversion has improved warnings for invalid enumeral types.
- -Wuninitialized has improved warnings for non-static reference and const members of classes without constructors.
- value-initialization has been improved for objects with an empty initializer.
FORTRAN language improvements include:
- The libcpp preprocessor is now built-in and available by default.
- The new -Warray-temporaries option is available for warning about array temporaries.
- The new -fcheck-array-temporaries option notifies when an array temporary had to be created.
- The DWARF debugging model symbol generation has been improved.
- Intrinsics now default to external declarations.
- The new -falign-commons flag is available for aligning variables in COMMON blocks.
- Fortran 2003 support has been extended.
- Fortran 2008 support has been added.
libstdc++ Runtime Library improvements include:
- experimental support has been added for non-standard pointer types in containers.
- libstdc++ bug 30928 (add casts to libc overloads) has been fixed for targets running glibc 2.10 or later.
- Many other bugs have been fixed, especially in <locale>.
Target-specific improvements include:
- ARM: support is added for three new processors as well as other improvements.
- AVR: support has been added for 25 new devices.
- IA-32/x86-64: support has been added for more built-in functions, better optimization and float128.
- M68K/ColdFire: adds instruction scheduling support and more.
- MIPS: includes efficiency improvements, new options, and support for several new processors.
- picochip: an initial C-only language port has been done.
- Power Architecture and PowerPC: support for several new processors has been added.
- S/390, zSeries and System z9/z10: includes support for a new processor.
The GCC project continues to keep up with the changing processor landscape and new language standards as they evolve. Meanwhile, GCC progress marches on, as documented in the GCC 4.4.1 and GCC 4.5.0 status reports.
System Applications
Database Software
MySQL Community Server 5.1.34 has been released
Version 5.1.34 of MySQL Community Server has been announced. "MySQL Community Server 5.1.34, a new version of the popular Open Source Database Management System, has been released. MySQL 5.1.34 is recommended for use on production systems. MySQL 5.1.34 will be the final release of MySQL 5.1 for AIX 5.2, which will be EOL'd from 30th April 2009."
PostgreSQL Weekly News
The April 19, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Filesystem Utilities
TestDisk and PhotoRec 6.11 released
Version 6.11 of TestDisk and PhotoRec, utilities for recovering data from damaged disks, have been announced. "Both utilities are faster than previous versions. TestDisk 6.11 can undelete files from an NTFS partition and recover deleted exFAT. Over 50 file types have been added to PhotoRec."
Interoperability
Samba 3.2.11 maintenance release is available
Maintenance release 3.2.11 of Samba has been announced. "This is the latest bug fix release for Samba 3.2 and is the version recommended for all production Samba servers running this release series."
Package Management
RPM 4.7.0 released
Version 4.7.0 of RPM has been announced. "We're pleased to announce the availability of RPM release 4.7.0. Download instructions and more detailed information are available from: http://rpm.org/wiki/Releases/4.7.0"
Printing
CUPS 1.3.10 released
Version 1.3.10 of CUPS has been announced. "The new release fixes 3 minor security issues as well as several printing and web interface bug fixes."
Web Site Development
Midgard2 9.03.0 RC2 released
Version 9.03.0 RC2 of the Midgard2 web framework has been announced. "In this release we provide Content Repository API bindings for the following programming languages: C, Python, PHP and Objective-C. D-Bus signals are used to inform different Midgard2 applications about things happening in the repository, enabling for example a PHP website and a Python background process to communicate with each other."
Miscellaneous
Octopussy: 0.9.9.2 released (SourceForge)
Version 0.9.9.2 of Octopussy has been announced. "Logs Analyzer, Alerter & Reporter with a Web Interface. * Better reports with Open Flash Chart ! * RRD taxonomy bug fixed (ID: 2659959) * Minor Bugfixes/Improvements"
skpd: A tool to dump processes to executable ELF files
The initial release of skpd has been announced. "I just developed a tool to dump a running process to an executable ELF file. This tool works on GNU/Linux, and has been tested on systems like U[b]untu 8.10, Gentoo, Debian lenny, Debian etch, etc. Feel free to send me bugs, comments, and patches."
Desktop Applications
Audio Applications
Audacious 2.0-alpha1 released
Version 2.0-alpha1 of the Audacious media player has been announced. "Audacious is an advanced audio player. It is free, lightweight, based on GTK2, runs on Linux and many other *nix platforms and is focused on audio quality and supporting a wide range of audio codecs. Its advanced audio playback engine is considerably more powerful than GStreamer. Audacious is a fork of Beep Media Player (BMP), which itself forked from XMMS."
CAD
Wings 3D: New feature and bug fixes in wings 0.99.55 (SourceForge)
Version 0.99.55 of Wings 3D has been announced. "Wings 3D is a subdivision modeller with a user interface that is easy to use for both beginners and advanced users (inspired by Nendo and Mirai from Izware). More Magnet Mask tools to further improve usability including the ability to Invert masked and unmasked areas and toggle the mask on/off. Some important bug fixes are included in this release, so upgrading is recommended."
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Evince 2.26.1 (bug fixes and translation work)
- Glade 3.6.2 (bug fixes and translation work)
- GNOME Power Manager 2.26.1 (bug fixes and translation work)
- Libgda 4.0.2 (bug fixes)
- Libgda 4.1.0 (new features, bug fixes and translation work)
- osm-gps-map 0.3 (new features and performance improvements)
- Planner 0.14.4 (new features and bug fixes)
- Seed 0.5 (new features and bug fixes)
- Tomboy 0.14.1 (new features and bug fixes)
- Vala 0.7.1 (new features and bug fixes)
KDE Software Announcements
The following new KDE software has been announced this week:
- 2ManDVD 0.7.8 (new features, bug fixes and translation work)
- FlvToMp3 1.1.3 (new features and translation work)
- Image Commander 1.2 (new features)
- GamCat 0.30 (bug fixes and code cleanup)
- KBlogger 1.0-alpha3 (new features and bug fixes)
- KDE-Mastermind 0.1 (initial release)
- kdesvn 1.3.0 (bug fixes)
- K Menu Gnome 1.0.0 (new features and code cleanup)
- kmj 0.1 (initial release)
- KRadio4 4.0.0-rc3 (bug fixes)
- Krusader 2.0.0 (new features, bug fixes and translation work)
- lrcShow-X 1.0.0 (unspecified)
- PokerTH 0.7-beta1 (bug fixes)
- QTrans 0.2.1.6 (unspecified)
- simon 0.2 rc1 (bug fixes)
- SMILE 0.9.2 (new features and bug fixes)
- SMILE 0.9.3 (new features)
- Wiper 0.1 (initial release)
- yape 2.1.2 (bug fix)
Xfce 4.6.1 released
Version 4.6.1 of Xfce, a lightweight desktop environment, has been announced. "The first bugfix-release of xfce 4.6 has been released. Thanks to all the people who have been using xfce 4.6 and took the time and effort to submit bugreports for stuff that wasn't quite working the way it is supposed to. We have been able to fix several issues during the past few weeks."
Xorg Software Announcements
The following new Xorg software has been announced this week:
- dri2proto 2.0 (code cleanup and documentation work)
- xf86-video-intel 2.7.0 (bug fixes)
Multimedia
Elisa Media Center 0.5.36 released
Version 0.5.36 of Elisa Media Center has been announced. "This release is a lightweight release, meaning it is pushed through our automatic plugin update system. Additionally a windows installer is available for download on our website. This installer fixes various crashers."
Music Applications
Announcing jMax Phoenix: Call for developers
A call for developers has gone out for jMax Phoenix, a visual programming environment for real-time music and multimedia. "The reports of the jMax death have been greatly exaggerated. Free software never dies, it just sleeps for some time. Almost nine years after the release of the project under a free license, and six years after the end of the developments by the institution that created it, some of the original project developers decided to revive it from its ashes: jMax Phoenix was born."
Web Browsers
Firefox 3.0.9 released
Firefox 3.0.9 is out. The release notes contain the details; as might be expected, the real reason for this release is to fix yet another pile of security problems.
Miscellaneous
JavaTerminal: Version 3.0 (SourceForge)
Version 3.0 of JavaTerminal has been announced. "This version is a "hard coded" TELNETBBS/ANSIBBS terminal client. Programmable extensibility has been removed and replaced by final method invocations to increase performance. The future of this project is uncertain, this may be the final version."
Languages and Tools
C
GCC 4.4.1 Status Report
The April 21, 2009 edition of the GCC 4.4.0 Status Report has been published. "GCC 4.4.0 has been built and uploaded today and 4.4 branch is open under release branch rules for regression and documentation fixes leading to the 4.4.1 release; the release will be announced once time has been allowed for mirrors to pick up the files. It is likely that 4.4.1 will be released in about two months' time."
GCC 4.5.0 Status Report
The April 21, 2009 edition of the GCC 4.5.0 Status Report has been published. "Trunk is in Stage 1. It is expected that Stage 1 will last at least four months (so ending no earlier than 27 July) and will be followed by Stage 3 (bug-fix-only mode); whether it ends on 27 July may depend on whether there remain unmerged features at that date that we wish to merge for 4.5 and that seem sufficiently close to being ready to merge to make it worth delaying the end of Stage 1."
Caml
Caml Weekly News
The April 21, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.
Python
itools 0.60.0 released
Version 0.60.0 of itools has been announced. "itools is a Python library, it groups a number of packages into a single meta-package for easier development and deployment. The itools.vfs package has been rewritten to use gio, the virtual file system from the glib project. The web server (itools.web) now uses the glib event loop. Extracting text from office formats is in general much faster. Command line utilities have been replaced by libraries; for instance, now we use 'xlrd' instead of 'xlhtml' to extract text from Excel files."
Python-on-a-chip releases PyMite r08
Release 8 of PyMite has been announced. "The Python-on-a-chip Project is pleased to announce the eighth release of PyMite. PyMite is a flyweight Python VM written from scratch to execute on 8-bit and larger microcontrollers with resources as limited as 64 KB of program memory (flash) and 4 KB of RAM. PyMite supports a subset of the Python 2.5 syntax and can execute a subset of the Python 2.5 bytecodes. PyMite can also be compiled, tested and executed on a desktop computer."
pyparsing 1.5.2 released
Version 1.5.2 of pyparsing, a pure-Python class library for developing recursive-descent parsers, has been announced. "Well, it has been about 6 months since the release of pyparsing 1.5.1, and there have been no new functional enhancements to pyparsing. I take this as a further sign that pyparsing is reaching a development/maturity plateau. With the help of the pyparsing community, there are some compatibility upgrades, and a few bug fixes."
Python 2.6.2 released
Version 2.6.2 of Python has been announced. "This is the latest production-ready version in the Python 2.6 series. Dozens of issues have been fixed since Python 2.6.1 was released back in December."
Python-URL! - weekly Python news and links
The April 16, 2009 edition of the Python-URL! is online with a new collection of Python article links.
relatorio 0.5.1 released
Version 0.5.1 of relatorio has been announced; it includes some new features and bug fixes. "Relatorio is a templating library which provides a way to easily output several kinds of files (odt, ods, png, svg, ...). Support for more filetypes can be easily added by creating plugins for them. Relatorio also provides a report repository allowing you to link python objects and report together, find reports by mimetype/name/python object."
XML
pyxser 0.2r released
Version 0.2r of pyxser has been announced; it includes a number of bug fixes. "I'm pleased to announce pyxser-0.2r, a Python-Object to XML serializer and deserializer. This package it's complet[e]ly written in C and licensed under LGPLv3."
Libraries
What's coming in glibc 2.10
Ulrich Drepper has posted a list of some of the changes which will appear in glibc 2.10. "The new malloc_info function therefore does not export a structure. Instead it exports the information in a self-describing data structure. Nowadays the preferred way to do this is via XML. The format can change over time (it's versioned), some fields will stay the same, others will change. No breakage. The reader just cannot assume that all the information will forever be available in the same form. There is no reader in glibc. This isn't necessary, it's easy enough to write outside glibc using one of the many XML libraries."
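The kind of external reader Drepper has in mind, as an added example that is not part of his posting or of glibc: it captures the malloc_info report into memory with open_memstream and takes from it only what the versioned format promises, the root element and its version attribute, rather than assuming a fixed layout. It assumes a Linux system with glibc 2.10 or later (malloc_info and the malloc.h header are glibc-specific); the function names and the allocation pattern are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>   /* glibc-specific: malloc_info() */

/* Run malloc_info() and capture its XML report into a heap-allocated string
   via open_memstream(3).  The caller frees the result; NULL on failure. */
char *capture_malloc_info(void)
{
    char *buf = NULL;
    size_t len = 0;
    FILE *fp = open_memstream(&buf, &len);

    if (fp == NULL)
        return NULL;
    if (malloc_info(0, fp) != 0) {
        fclose(fp);
        free(buf);
        return NULL;
    }
    fclose(fp);          /* flushes and NUL-terminates buf */
    return buf;
}

/* A reader that respects the contract Drepper describes: the format is
   versioned and may grow or change, so we key on the root element's version
   attribute and treat everything else as optional.  Returns -1 if the text
   is not a malloc_info report. */
int malloc_info_version(const char *xml)
{
    static const char prefix[] = "<malloc version=\"";
    const char *tag = xml ? strstr(xml, prefix) : NULL;

    if (tag == NULL)
        return -1;
    return atoi(tag + sizeof prefix - 1);
}

/* Make a few allocations so the report has something to describe, then
   return the format version it advertises. */
int report_version_after_allocs(void)
{
    void *blocks[8];
    size_t i;
    char *xml;
    int version;

    for (i = 0; i < 8; i++)
        blocks[i] = malloc((size_t)64 << i);
    xml = capture_malloc_info();
    version = malloc_info_version(xml);
    free(xml);
    for (i = 0; i < 8; i++)
        free(blocks[i]);
    return version;
}

int main(void)
{
    char *xml = capture_malloc_info();

    if (xml == NULL)
        return 1;
    printf("malloc_info format version %d\n", malloc_info_version(xml));
    fputs(xml, stdout);  /* the raw report, for inspection */
    free(xml);
    return 0;
}
```

A reader written this way keeps working when glibc adds elements or attributes, which is the point of exporting XML instead of a struct; a reader that walks the output by fixed offsets is exactly the consumer the posting warns would break.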
Announcing the port of glibc to Google Native Client
The glibc library has been ported to Google Native Client. "Some background: Native Client (NaCl for short) is a sandboxing system for running a subset of x86 code on Linux, Windows and Mac OS X. It is proposed as a way of running native code inside web apps. Native Client is a hack to get around the lack of sandboxing facilities on these OSes. It uses x86 segmentation to constrain memory accesses, and it has a verifier for x86 code which disallows instructions that would be unsafe, such as syscalls."
Test Suites
Mock 0.5.0 released
Version 0.5.0 of Mock has been announced. "mock provides a core mock.Mock class that is intended to reduce the need to create a host of trivial stubs throughout your test suite. After performing an action, you can make assertions about which methods / attributes were used and arguments they were called with. You can also specify return values and set specific attributes in the normal way."
Version Control
GIT 1.6.2.4 released
Version 1.6.2.4 of the GIT distributed version control system has been announced. "This contains a bunch of fixes that have already been merged to the master branch in preparation for 1.6.3."
Miscellaneous
Jason: 1.3 released (SourceForge)
Version 1.3 of Jason has been announced. "Jason is a fully-fledged interpreter for an extended version of AgentSpeak, a BDI agent-oriented logic programming language, and is implemented in Java. Using SACI or JADE, a multi-agent system can be distributed over a network effortlessly. This version fixes some bugs in the previous version, adds new examples, and has the following main new features: performance improvements and plan as terms."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Meta-cycles: 2-3 year major cycles for free software? (Here Be Dragons)
It is well known that Mark Shuttleworth is a proponent of six-month development cycles. However, in this blog post he considers the larger changes which cannot be done in six months. "Six-month cycles are great. Now let's talk about meta-cycles: broader release cycles for major work. I'm very interested in a cross-community conversation about this, so will sketch out some ideas and then encourage people from as many different free software communities as possible to comment here. I'll summarise those comments in a follow-up post, which will no doubt be a lot wiser and more insightful than this one :-)"
Companies
Alcatel-Lucent Networking Embraces Linux, NAC (internetnews.com)
internetnews.com reports that Alcatel-Lucent will switch its networking products' operating system from VxWorks to Linux. "AOS itself sits on top of an embedded operating system that Alcatel-Lucent uses on its switching gear. Currently, that operating system is VxWorks from Wind River, though that's set to change. Minka Nikolova, senior product manager at Alcatel-Lucent, told InternetNews.com that the plan is to shift from VxWorks to Linux by early next year. Nikolova argued that from a user point of view, customers won't know the difference, as the operating system underneath AOS will be transparent. That said, she did note that Linux will bring some new opportunities to AOS."
Linux Adoption
Android destined for a set-top box? (LinuxDevices)
LinuxDevices looks at the expansion of Android into set-top boxes. "The Android version of the Au Box is destined for an October launch by Japanese carrier KDDI, and is supported by a new Japan-based Open Embedded Software Foundation (OESF) organization, according to a story in EETimes. The Au Box STB "will allow users to take their music and video content with them on the go by connecting to a handset or portable player," says the story. EETimes also reports that JVC is considering the development of a TV set based on the open-source, Linux/Java-based Android distribution."
Resources
Running Linux Under Windows (LinuxLinks)
LinuxLinks takes a look at applications which let users run Linux and Windows at the same time on a single Windows machine. "Virtualization is the current boom in the software field. Each virtual machine has its own share of CPU, memory, network interfaces etc which is isolated from other virtual machines. This article selects the best no-charge virtualization software." (Thanks to Steve Emms)
Reviews
Burning the Ships: A Review (Linux Journal)
Linux Journal has a review of the book Burning the Ships: Intellectual Property and the Transformation of Microsoft by Marshall Phelps and David Kline. "In a world where distinctions between open source and proprietary software are becoming increasingly irrelevant, what role can IP [Intellectual Property] play in facilitating greater collaboration with the industry for the benefit of business and customers alike? (167) While this quote appears near the end of Marshall Phelps and David Kline's new book Burning the Ships: Intellectual Property and the Transformation of Microsoft, it does sum up nicely the thread that weaves through the book, a case study of how Microsoft reinvented itself and began leveraging its Intellectual Property for good (collaboration) instead of evil (punishment). Putting aside the rah rah Microsoft tone of the book for a moment, it is a good case study of how a company can leverage its IP successfully."
OLPC XO 1.5 Laptop gets a new VIA processor (The H)
The H takes a look at the XO 1.5 laptop from the One Laptop Per Child project. "The current OLPC, the XO-1, uses an x86 Geode chip from Advanced Micro Devices (AMD). The XO-1.5 is based on the design of the XO-1, but will use a new VIA C7-M processor with clock ranges from 400MHz to 1GHz. The OLPC Tech Team's goal with the re-design is to match the XO-1 power consumption. The refreshed model will use the new VIA VX855 chipset that includes the memory interface, 3D graphics engine, USB, SDIO and video decoder on a single chip. The memory in the XO-1.5 has been increased to 1 GB of RAM and 4GB of flash storage, with an option for 8 GB."
rBuilder Aims Cloud Computing Tool At Enterprise (InformationWeek)
InformationWeek covers the release of rBuilder v5. "RBuilder combines an application with an optimized version of its operating system and converts them into a set of virtual files. RBuilder has been used as a free online tool at the rPath site to build many Amazon Machine Images, the virtual file formats that run in Amazon's EC2 cloud, which uses the Xen open source hypervisor."
Real-Time Messaging Middleware Integrated with Secure Linux (Embedded.com)
Embedded.com takes a look at Real-Time Innovations' RTI Data Distribution Service, real-time messaging middleware with Security-Enhanced Linux (SELinux). "According to Karl MacMillan, director of Core Technology at Tresys, this combination provides real-time and high-performance distributed applications with the ability to securely distribute data by combining RTI's high-performance network communications with the extremely flexible Mandatory Access Control (MAC) facilities of SELinux."
Miscellaneous
Health Check: openSUSE - Then and now
The H looks at the health of the openSUSE distribution. "Through all these vicissitudes the openSUSE community has continued to produce a high class Linux distribution, which continues to receive plaudits, and appears to support a thriving and enthusiastic community, with busy forums and its own weekly news bulletin, which is widely read. The traditions of SuSE continue against the tide."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Changes to the GNOME System Administration Team
The GNOME Foundation has announced the creation of a formal system administration team with a paid part-time sysadmin. "In order to continue our current community plans and hire a system administrator, we'd like to raise $50,000 through Friends of GNOME. Thanks to our generous community members we have already received over $5,000 this year. In addition, Google has put in $5,000 and Canonical has offered to match the next $10,000. So we are 40% of the way there already!"
What the Oracle Acquisition of Sun Means for Linux (LinuxFoundation)
The Linux Foundation's Jim Zemlin discusses Oracle's purchase of Sun Microsystems. "It's no surprise that the executive director of the Linux Foundation would see good news for Linux in the unexpected announcement this morning of Oracle's acquisition of Sun Microsystems, but I do feel it necessary to shed some light on how it may or may not affect Linux. - Oracle is strategically aligned with Linux: Oracle is a Linux distributor, and all its products are developed and run on Linux. As Edward Screven, chief architect of Oracle, said in a keynote at our Collaboration Summit two weeks ago, entering the Linux market was the right choice for Oracle. They are also a major user: Oracle's entire enterprise runs on Linux, and they are major contributors to the Linux kernel among other Linux projects."
SFLC: A Wake-Up Call for GPLv3 Migration
The Software Freedom Law Center's Bradley Kuhn uses the TomTom case to advocate for greater adoption of GPLv3. "Were Linux under GPLv3 (but not GPLv2), these terms, particularly those in the second paragraph, would clearly and unequivocally prohibit TomTom from entering into any arrangement with Microsoft that doesn't grant a license to any Microsoft patent that reads on Linux. Indeed, even what has been publicly said about this agreement seems to indicate strongly that this deal would violate GPLv3. While the Novell/Microsoft deal was grandfathered in (via the date above), this new agreement is not. Yet, the most frustrating aspect of the press coverage of this deal is that few have taken the opportunity to advocate for GPLv3 adoption by more projects. I hope now that we're a few weeks out from the coverage, project leaders will begin again to consider adding this additional patent protection for their users and redistributors."
Commercial announcements
Linux Integration Components for Windows Server 2008 Hyper-V
Microsoft has announced Linux Integration Components for Windows Server 2008 Hyper-V. "When installed in a supported Linux virtual machine running on Hyper-V, the Linux Integration Components provide: Driver support for synthetic devices: The Linux integration components include support for both the synthetic network controller and synthetic storage controller that have been developed specifically for Hyper-V. These components take advantage of the new high-speed bus, VMBus, which was developed for Hyper-V."
Danger with NVIDIA drivers 180.29
LWN does not normally carry announcements for proprietary driver releases, but... the NVIDIA driver 180.51 release is worthy of note. It fixes a problem with the 180.29 release (packaged by RPMFusion, at least) which can brick certain Fujitsu notebook systems. Anybody running the older drivers should probably upgrade, just to be sure.
Oracle buying Sun
Here's the press release: Oracle will be buying Sun Microsystems. "The Sun Solaris operating system is the leading platform for the Oracle database, Oracle's largest business, and has been for a long time. With the acquisition of Sun, Oracle can optimize the Oracle database for some of the unique, high-end features of Solaris. Oracle is as committed as ever to Linux and other open platforms and will continue to support and enhance our strong industry partnerships." (Thanks to Emmanuel Seyman).
New Books
Gray Hat Python--New from No Starch Press
No Starch Press has published the book Gray Hat Python by Justin Seitz.
Intel(r) G45 Programmer's Reference Manual
The Intel(r) G45 Programmer's Reference Manual is available for download. "We are pleased to announce that the Intel(r) G45 Express Chipset [Graphics and Memory Controller Hub-GMCH] Programmer's Reference Manual (PRM) is now publicly available!"
Resources
Red Hat's open source activity map
Red Hat has posted a JavaScript-heavy map claiming to show the relative level of open source activity in 75 countries. It seems that France is ranked #1 overall. There are links to various PDF files describing how the rankings were derived; suffice to say, it's not a simple algorithm.
Calls for Presentations
IMF 2009 - 2nd Call for Papers
The second call for papers has gone out for IMF 2009. "5th International Conference on IT Security Incident Management & IT Forensics September 15th - 17th, 2009 Stuttgart, Germany" Submissions are due by June 1.
Linux Plumbers Conference 2009 Call For Proposals
The call for proposals for the 2009 Linux Plumbers Conference (September 23 to 25, Portland) has gone out. "The perfect Plumbers topic would feature a real problem whose solution requires the relevant community members to get together face to face, preferably producing a solution during the conference itself." Submissions are due by June 15.
openSUSE Summit 2009 Call for Participation
A call for participation has gone out for the openSUSE Summit 2009. "The openSUSE Project is opening the call for participation in the openSUSE Summit 2009, to be held September 17 through 20 in Nuremberg, Germany. We're looking for contributors to openSUSE, upstream projects, and members of the openSUSE community to participate. The summit will be an opportunity to bring the openSUSE contributor community together to share ideas, experience, hack, and help guide the direction of the project."
Upcoming Events
LinuxCon keynote speaker announcement
The keynote speakers have been announced for LinuxCon. "The conference takes place September 21 - 23, 2009 in Portland, Oregon at the Marriott Downtown Waterfront, and is co-located with the Linux Plumbers Conference. The LinuxCon keynotes represent both community and industry in keeping with the audience." Confirmed keynote speakers include Joe "Zonker" Brockmeier, Bdale Garbee, Mark Shuttleworth and Bob Sutor.
Linux Vacation / Eastern Europe 2009: registration started
Registration is open for the Linux Vacation / Eastern Europe 2009. "The 5th International conference of developers and users of free / open source software "Linux Vacation / Eastern Europe" (LVEE 2009) will take place on July 02-05 near Grodno (Belarus). The event combines both communication and rest of the enthusiasts of free software, including GNU/Linux platform, but not limited to it. LVEE 2009 is organized by Minsk Linux Users Group with support of the open source community active members from Grodno and Brest."
NLUUG spring conference time schedule online
The schedule for the NLUUG spring conference is online. "The keynote at the conference will be given by Ted Ts'o, famous ext4 hacker and CTO at Linux Foundation. Other subjects at the conference will be ZFS, LogFS, DRBD, LVM, desktop search and many more. The complete program and registration form can be found at: http://www.nluug.nl/events/vj09/index.html"
OpenSource World schedule announced
The OpenSource World Conference schedule has been announced, and registration is open. The event takes place in San Francisco, CA on August 12-13, 2009.
X Developers' Conference 2009
The X Developers' Conference 2009 has been announced. "The 2009 X Developers' Conference will be held at Portland State University (PSU) in Portland, Oregon, from Monday September 28 through Wednesday September 30. PSU is within walking distance of Portland's downtown area and a wide variety of dining, lodging, and public transportation options. The conference is scheduled to follow directly after Linux Plumbers Conference 2009 so that people attending both LPC and XDC can do that with a single trip."
Events: April 30, 2009 to June 29, 2009
The following event listing is taken from the LWN.net Calendar.
Date(s) | Event | Location
---|---|---
April 25 - May 1 | Ruby & Ruby on Rails Bootcamp | Atlanta, Georgia, USA
May 4 - May 8 | JavaScript/Ajax Bootcamp at the Big Nerd Ranch | Atlanta, Georgia, USA
May 4 - May 7 | RailsConf 2009 | Las Vegas, NV, USA
May 4 - May 6 | EuroDjangoCon 2009 | Prague, Czech Republic
May 4 - May 6 | SYSTOR 2009---The Israeli Experimental Systems Conference | Haifa, Israel
May 5 | Linuxwochen Austria - Salzburg | Salzburg, Austria
May 6 - May 9 | Libre Graphics Meeting 2009 | Montreal, Quebec, Canada
May 6 - May 8 | Embedded Linux training | Maynard, USA
May 7 | NLUUG spring conference | Ede, The Netherlands
May 8 - May 10 | PyCon Italy 2009 | Florence, Italy
May 8 - May 9 | Linuxwochen Austria - Eisenstadt | Eisenstadt, Austria
May 8 - May 9 | Erlanger Firebird Conference 2009 | Erlangen-Nürnberg, Germany
May 11 | The Free! Summit | San Mateo, CA, USA
May 13 - May 15 | FOSSLC Summercamp 2009 | Ottawa, Ontario, Canada
May 15 - May 16 | CONFidence 2009 | Krakow, Poland
May 15 | Firebird Developers Day - Brazil | Piracicaba, Brazil
May 16 - May 17 | YAPC::Russia 2009 | Moscow, Russia
May 18 - May 19 | Cloud Summit 2009 | Las Vegas, NV, USA
May 19 - May 22 | PGCon PostgreSQL Conference | Ottawa, Canada
May 19 | Workshop on Software Engineering for Secure Systems | Vancouver, Canada
May 19 - May 22 | php\|tek 2009 | Chicago, IL, USA
May 19 - May 21 | Where 2.0 Conference | San Jose, CA, USA
May 19 - May 22 | SEaCURE.it | Villasimius, Italy
May 21 | 7th WhyFLOSS Conference Madrid 09 | Madrid, Spain
May 22 - May 23 | eLiberatica - The Benefits of Open Source and Free Technologies | Bucharest, Romania
May 23 - May 24 | LayerOne Security Conference | Anaheim, CA, USA
May 25 - May 29 | Ubuntu Developers Summit - Karmic Koala | Barcelona, Spain
May 27 - May 28 | EUSecWest 2009 | London, UK
May 28 | Canberra LUG Monthly meeting - May 2009 | Canberra, Australia
May 29 - May 31 | Mozilla Maemo Mer Danish Weekend | Copenhagen, Denmark
May 31 - June 3 | Techno Security 2009 | Myrtle Beach, SC, USA
June 1 - June 5 | Python Bootcamp with Dave Beazley | Atlanta, GA, USA
June 2 - June 4 | SOA in Healthcare Conference | Chicago, IL, USA
June 3 - June 5 | LinuxDays 2009 | Geneva, Switzerland
June 3 - June 4 | Nordic Meet on Nagios 2009 | Stockholm, Sweden
June 6 | PgDay Junín 2009 | Buenos Aires, Argentina
June 8 - June 12 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, GA, USA
June 10 - June 11 | FreedomHEC Taipei | Taipei, Taiwan
June 11 - June 12 | ShakaCon Security Conference | Honolulu, HI, USA
June 12 - June 13 | III Conferenza Italiana sul Software Libero | Bologna, Italy
June 12 - June 14 | Writing Open Source: The Conference | Owen Sound, Canada
June 13 | SouthEast LinuxFest | Clemson, SC, USA
June 14 - June 19 | 2009 USENIX Annual Technical Conference | San Diego, USA
June 17 - June 19 | Open Source Bridge | Portland, OR, USA
June 17 - June 19 | Conference on Cyber Warfare | Tallinn, Estonia
June 20 - June 26 | Beginning iPhone for Commuters | New York, USA
June 22 - June 24 | Velocity 2009 | San Jose, CA, USA
June 22 - June 24 | YAPC\|10 | Pittsburgh, PA, USA
June 24 - June 27 | LinuxTag 2009 | Berlin, Germany
June 24 - June 27 | 10th International Free Software Forum | Porto Alegre, Brazil
June 26 - June 28 | Fedora Users and Developers Conference - Berlin | Berlin, Germany
June 26 - June 30 | Hacker Space Festival 2009 | Seine, France
June 28 - July 4 | EuroPython 2009 | Birmingham, UK
If your event does not appear here, please tell us about it.
Page editor: Forrest Cook