LWN.net Weekly Edition for May 7, 2009 [LWN.net]

Updating and rebuilding Android

By Jonathan Corbet
May 6, 2009

This is one in a series of articles on working with the Android Developer Phone (ADP1) device. In the previous episode, your editor went through the process of updating the software on the ADP1. This time around, we'll look at the latest software builds, then take a beginning look at the process of actually building new software for the device.

Your editor started by testing out the Android 1.5 images provided by HTC, the manufacturer of the ADP1. The provision of these images is a nice step forward by HTC; thus far, ADP1 owners have felt somewhat left out when new versions of the firmware have been released. This time around, they have the new software at about the same time as everybody else. The 1.5 update is done in the usual way: use the "adb" tool to copy it to /sdcard/update.zip on the phone, then reboot into the recovery image to actually install the new code. Two such iterations are required this time around; there is an update to the (closed-source) radio code which must be applied first.

Sidebar: USB cables

If, in the process of pushing updates to the ADP1, you get failures with "protocol error" messages, you're not alone. It turns out that the device is sensitive to noise introduced by low-quality USB cables; one needs a well-built cable for this task. Note: the cable packed with the ADP1 does not qualify as "well-built."

So what's new in Android 1.5? The biggest user-visible feature is almost certainly the on-screen keyboard. It's no longer necessary to open the keyboard to send a quick text message. The on-screen keyboard is somewhat painful for your fat-fingered editor to use when the phone is in the portrait orientation, but it works better in the landscape mode. One has to wonder, though, what inspired the Android developers to dedicate a significant chunk of scarce screen space to a "smiley" key. There are plenty of characters which would have been rather more useful in that position.

Beyond that, the 1.5 release includes "Latitudes" support for those of you who want to continuously report your real-world location to the Google mother ship. There are simple screen effects which come into play when switching between applications and orientations. Holding the power button gives quick access to "airplane mode." The camera is quite a bit more responsive. The zoom icons are smaller and more discrete. GPS acquisition is said to be faster; your editor has not had a chance to test that claim, but it would certainly be a welcome improvement. The orientation-awareness (turn the phone on its side and the display switches to landscape mode) that has been a feature of the JesusFreke builds for a while is now part of the core platform. And so on. Mostly small stuff, but it's enough to make for a nicer feel to the platform overall.

Speaking of the JesusFreke builds, the JFv1.50 build, based on 1.5, is also available; your editor promptly installed it. This build is basic Android 1.5 with a number of additions, including multitouch support, tethering support, an augmented init daemon, a whole set of busybox-based command-line utilities, and more; see the full list for the details. As usual, these builds add a number of nice features to the phone; anybody who is interested in really playing with the device will likely prefer the JF version of the software.

Remaking JF builds

Playing with new builds is fun, but this is free software. The real fun comes from rebuilding the software from the source, perhaps with specific changes. There are two levels at which this can be done. The first is to use the JesusFreke "build environments." Essentially, the build environment is a tarball containing the modifications made to create the JF image, along with the necessary scripts. There's a new kernel containing multitouch and unionfs support, along with the patches needed to create it. Busybox is found there, as are a number of other useful diagnostic tools, an ssh client, and more.

To create a new build, it is necessary to get the associated official build, place it within the build environment, then run make. With any luck, the end result is an update.zip file ready to be flashed into the phone.

One of the interesting things your editor learned from looking at the images (and from talking to Mr. Freke) is that the JF builds do not actually involve rebuilding much of the Android system. It's mostly a matter of unpacking an official build and making a few creative substitutions. The kernel has been remade, as has the browser application (to support multitouch zooming). Everything else is just a matter of shuffling files around. So the JF build environments can be useful for somebody else wanting to do the same kind of manipulations, but more extensive changes require building the system at a lower level.

Building Android from source

Remaking Android from the source code turns out to be a bit of a challenge. What follows here is a brief set of instructions derived from the Android "building for Dream" page, some hints helpfully provided by GeunSik Lim, and a fair amount of painful experience. In summary: most of the code needed to rebuild the platform is available, but (1) it's not a quick or simple process, and (2) there are a few pieces missing.

There's a number of tools which must be installed on a Linux system to rebuild the Android platform. These include flex, bison, git, and the Sun Java system. Beyond that, one must grab the repo tool. Repo is Google's answer to the problem of managing a whole set of related repositories; essentially it is a tool which sits on top of git and manages a whole set of git repositories in parallel. Once repo has been installed, the meta-repository is set up with a command like:

    repo init -u git://android.git.kernel.org/platform/manifest.git

This command pulls down the manifest file describing all the repositories needed to build the platform. Note that if a branch other than the trunk is desired, it must be obtained during this stage with the -b option; repo apparently cannot switch branches in an existing source tree.

One then obtains the code by running "repo sync" and going out for coffee.

Incidentally, when you go out for coffee, you need not hurry back. It's entirely possible to fly to a different continent, harvest the coffee by hand (after waiting for it to reach the perfect ripeness), fly home, and roast it yourself. You'll still probably have time for a second cup before the downloading of the source is complete. You are, after all, not just downloading a huge pile of source files. You are, instead, downloading over 100 independent git repositories, each containing a long trail of history - about 2.4GB worth of stuff. It takes a while. And, needless to say, some disk space.

To make things worse, you still don't have all the source; there are a few components of the binary platform for the ADP1 which have not been released as free software. You cannot download those binary components from anywhere; instead, what's needed is to obtain them from a working phone. To that end, the file vendor/htc/dream/extract-files.sh contains a script which will pull the needed components from a USB-connected ADP1 device. These components vary from files containing mixer settings to programs for controlling Bluetooth, the GPS receiver, firmware for the wireless network adapter, a camera control library, and more. The dream directory also contains a binary driver module (wlan.ko) for the WIFI adapter, despite the fact that said driver is open source and included in the distribution.

After that, it's a matter of copying build/buildspec.mk.default to buildspec.mk in the top-level directory, editing it to set TARGET_PRODUCT to htc_dream, and typing make. And going out for more coffee, of course. At the end of the process, with luck (a fair amount of luck may be required), there will be new system and boot images which can be flashed into the phone with the fastboot tool. A reboot will run the new code.

At that point, of course, there are some surprises to be found. One is that the newly built software is lacking a number of features found in an official build. The reason for this is simple: several of the applications which run on Android phones are not open source. These include the Gmail client (which your editor will happily do without), Maps (which cannot be done without, at least until AndNav progresses a little further), and more. These applications can generally be recovered by grabbing the associated package files from an official build and slipping them into the build environment. See this article for a terse description of how that is done.

It took your editor a little while to figure out another little surprise: despite the fact that the Android source tree includes a kernel repository, the build process does not actually build the kernel. One might think that it would be hard to miss something the size of a kernel build, but ... did your editor mention that the Android source tree is big? The Android build system which goes with this source tree is quite a piece of work; there must be people working full time on it, and they probably hate their lives.

Trying to figure out what is happening in an Android build requires digging through many thousands of lines of makefile rules. What your editor finally discovered is that the build system simply pulls a binary kernel from a special "prebuilt" repository (that repository also contains a cross-compiling toolchain for the creation of ARM executables). The kernel source tree, seemingly, is just there for show. Using something other than the prebuilt kernel requires making it separately and pointing a build-system variable at the location of the result.

[PULL QUOTE: It's clear that even people who remake Android are not, in general, expected to remake the kernel. END QUOTE] It's clear that even people who remake Android are not, in general, expected to remake the kernel. The kernel repository pulled down by the repo command does contain the Android-specific patches, but it lacks nice things like branches (even "master" is missing) or tags. There are some remote branches with names like korg/android-msm-2.6.27 which contain lines of development for various kernel versions; the 2.6.27 one appears to be, as of this writing, the one which is best supported on real hardware. But, within those branches, there are (unlike the situation with the rest of the Android code) no tags associated with releases. Nothing in the repository will tell a developer which kernel was shipped with a given version of Android.

So it's hard to build a kernel which corresponds to the one found within an official release. But not impossible: most of the official releases include the git commit ID in the kernel version. So by digging down into the settings menus, your editor was able to determine that the HTC 1.5 build came from commit 8312baf. After checking out that commit, one can do a make msm_defconfig to configure the kernel properly. Then it's just a matter of setting the ARCH and CROSS_COMPILE environment variables and doing the build. If you have a 32-bit Linux environment, the prebuilt ARM toolchain provided with the Android source does the job just fine.

Once the kernel build is done, it's possible to build a new set of firmware images which can be loaded into the device with fastboot. That's easy to say, but it can be harder to do; the sources from the repository often do not build, and it's not always easy to get all the pieces together to make a working image for the ADP1. Making it possible for people outside of the core Android project to build and install the platform appears to be an afterthought, at best.

Android and the ADP1

In truth, Google does not really support the ADP1 as a system people can develop and run on; this situation was somewhat explained by Jean-Baptiste Queru, who is easily the most helpful Google developer on the mailing lists:

Yes, the ADP1 situation is currently unfortunate. We've had to pick priorities, the priority went to open-sourcing code out of Google, as that's something that only Googlers can do.

The truth is, ADP1 isn't a phone from Google. While Google has some influence on it (and provides a number of proprietary apps), It's neither manufactured nor distributed by Google, and that puts limits on the ways Google can support it (and espcially on how Google can not redistribute some of the ADP1-specific files).

So, while the ADP1 is one of the most open cellular phone platforms yet to appear, it does not, yet, represent a fully-open system in the way the OpenMoko phone does. Most people wanting to do things with this device are likely to end up starting with the official, binary builds and tweaking things around the edges, much like as has been done with the JF builds.

That said, there is a lot of fun to be had with this device. It's fully hackable at the kernel level now, and more hardware information is becoming available, which raises the hope of gaining more control over the low-level system in time. About the time the ADP1 becomes fully obsolete and unobtainable, we should have it figured out pretty well. With any luck at all, at least one of the devices which replaces it will be more open from the outset.

Comments (24 posted)

Unladen swallow: accelerating Python

May 6, 2009

This article was contributed by Nathan Willis

Google uses Python for many of its engineering projects, from internal server monitoring and reporting to outward-facing products like Google Groups, so it is no surprise that the company wants to improve Python application performance. A group of Google developers is working on a new optimization branch of Python dubbed Unladen Swallow, with the goal of a five-fold speed increase over the trunk. It will achieve that goal by adding just-in-time compilation and a new virtual machine design, all while retaining source compatibility for Python application developers.

Unladen Swallow's lead developers Collin Winter, Jeffrey Yasskin, and Thomas Wouters have long been core developers for the CPython project, the reference implementation and most widespread interpreter for the Python language. All three are Google employees, and others contribute their "twenty percent time" to Unladen Swallow, but the group insists that it is a Python project, not an effort owned by Google.

Winter said the origin of the idea dates back to his work on the web-based code review tool Mondrian, when the team's attempts at optimization repeatedly hit limitations in CPython, such as the Global Interpreter Lock (GIL), the mutex that prevents concurrency on multiprocessor or multi-core machines. While researching potential speed-ups and changes, Winter and the other Google engineers eventually decided that the long-range ideas they had in mind were significant enough to warrant making a separate branch. Plus, doing so would give them the chance to stress-test their ideas before trying to roll them back into CPython.

The Concept: a bird's eye view

The core of the Unladen Swallow team's planned improvements is to remove performance bottlenecks in the Python virtual machine (VM) design, leaving the rest of the interpreter — not to mention the substantial runtime library — relatively untouched. The long-term plan is to replace CPython's existing stack-based VM with a register-based VM built with code from the Low Level Virtual Machine (LLVM) project, and to add a just-in-time compiler (JIT) on top of the new VM. Other performance-based improvements are welcome at the same time, and the team has several in store based on their talks with heavy Python users.

Using a JIT will speed up execution by compiling to machine code, thus eliminating the overhead of fetching, decoding, and dispatching Python opcodes. "In CPython," Winter explained, "this overhead is significant; some minor tweaks were made to CPython 2.7 that netted a 15% speed-up with relatively little work."

Adding the JIT presents a good opportunity to switch from a stack-based VM to LLVM's register-based design, which Winter said will net its own performance benefits. The merits of stack- versus register-based VMs is an ongoing debate, but Winter cites a 2005 study [PDF] from the Lua project showcasing the empirical benefits of the register-based design.

Unladen Swallow is based on Python 2.6.1, which is not the most recent release. Python 3.0 was released in December of 2008, implementing the backward-incompatible 3.0 version of Python. Because the majority of Python code in the wild — and in use at Google — is still written for Python 2.x, the Unladen Swallow team decided to focus its efforts on the earlier version where more benefits would be felt. By using the CPython source as its base, Python users can expect Unladen Swallow to retain 100% source compatibility.

Still, Winter said, the team does keep in close contact with Python designer Guido van Rossum (himself a Google employee) and other members of the CPython team. "In our discussions with Guido and others about how and where to merge our changes back into CPython, the idea has been proposed that Unladen Swallow should merge into 3.x. 3.x is the future of the language, and if 3.x is significantly faster than 2.x, that's an obvious incentive to port applications and libraries to 3.x. None of that is set in stone, and Guido may well change his mind."

Recent sightings

The team has set a tight development schedule for Unladen Swallow, making quarterly milestone releases. The first release, 2009Q1, was limited in scope, aiming for a 25 to 35% speed increase over vanilla CPython by making less than drastic changes to the code. The changes include a new eval loop reimplemented using vmgen, several improvements to the garbage collector — better tracking long-lived objects so that the garbage collection can make fewer collection runs — and to the data serialization module cPickle, which the developers said will benefit web applications in particular. Several obscure Python opcodes were also removed and replaced with functionally-equivalent Python functions, which reduces code size without affecting performance.

Unladen Swallow 2009Q1 is available as source code only for the time being, and can be checked out as a branch from the project's public Subversion repository. No specific compilation instructions are provided because this release closely follows the upstream CPython, but the developers do recommend building in 64-bit mode in order to take the fullest advantage of the performance increases.

Since speed of execution is the goal, the team performs regular benchmarks on the code. The thirteen benchmark tests in the suite are based on real-world performance tests designed to highlight practical application tasks, particularly for web applications. The results of the tests on Unladen Swallow 2009Q1 versus CPython 2.6.1 are posted on the project wiki; Unladen Swallow ranges from 7.43% faster to 157.17% faster, beating CPython on every benchmark.

Work is underway now on Unladen Swallow 2009Q2, which will focus on replacing the existing CPython VM with an equivalent built using LLVM.

Elsewhere in the ecosystem

Other open source projects have sought to improve Python application execution using some of the same ideas. Psyco was an earlier JIT for Python, but which was later superseded by the PyPy project. PyPy's primary goal is not performance, though, rather it is to build a Python implementation in Python itself. Stackless Python implements concurrency through the use of its own scheduler and special primitives called "tasklets." Finally, the Parrot project is implementing Python on its own register-based VM.

In some ways, Unladen Swallow is more ambitious than these other projects, particularly when you consider the rapid pace of development laid out in the road map. On the other hand, Unladen Swallow starts from the CPython 2.6.1 code base, and incorporates many CPython developers, which greatly improves the chances that its changes will one day be blessed as the official CPython release. Many of the 2009Q1 changes have already been sent upstream to CPython, and the door is still wide open for the 3.0 series should the JIT and VM performance deliver real-world performance increases anywhere close to the expected 400 percent.

Comments (18 posted)

Tomboy, Gnote, and the limits of forks

By Jonathan Corbet
May 1, 2009

Your editor has long been a user of the Tomboy note-taking tool. Tomboy makes it easy to gather thoughts, organize them, and pull them up on demand; it is, beyond doubt, a useful productivity tool. But all is not perfect with Tomboy. Some people have complained about its faults for a while; Hubert Figuiere, instead, chose to do something about it in the form of the Gnote utility. So now, of course, people are complaining about Gnote instead.

So what are the problems with Tomboy? For your editor, at least, the biggest issue is the simple sluggishness of the tool. It is a large program which takes quite some time to start up. If one tries to bring up a note on a system which has been used for other things, there can be a lengthy delay before the menu from the taskbar icon appears. Rightly or wrongly, users blame this fundamental slowness on Tomboy's use of the Mono platform. Now, of course, use of Mono brings in a whole host of other complaints, but we need not consider those here. The simple fact is that Mono adds a great deal of baggage to what should be a small and simple application. A basic note-taking tool should not be a heavyweight program.

Gnote is a reimplementation of Tomboy's functionality using C++ and GTK+. In a sense, though, it is not an independently-developed application. Instead, Gnote is a straightforward port of the original C# code to C++. So it's not just a Tomboy work-alike; it's a true clone. There are advantages to this approach; it makes use of the experience which has gone into Tomboy development, and compatibility with the Tomboy file format is not a problem. This approach enabled Hubert to put together a working application in a relatively short time.

Some distributors (Fedora, at least) have made Gnote packages available. Your editor played with the Rawhide version of Gnote for a bit; it is, in general, indistinguishable from Tomboy. It does seem more responsive, especially when the system is under some memory pressure. Annoyingly, it does not (unlike Tomboy) dismiss notes when the escape key is hit. Beyond that, though, Tomboy users (at least those who do not use plugins) will be hard-put to tell the difference between the two.

It is said that imitation is the sincerest form of flattery; if that is true, one would expect the Tomboy developers to be flattered indeed. But a web log entry about the Tomboy 0.14.1 release made it clear that "flattered" may not be the operative word in the Tomboy camp:

Our stance on Gnote is that it is counterproductive to maintain identical software in two languages. It will be harmful to the community, especially as these two apps inevitably diverge. It will result in duplication of effort, duplication of bugs, and a lot of wasted time for those who are trying to add value to the user experience.

Tomboy is not going away, and it will continue to be developed on the extremely productive Mono/GTK# language platform. Anyone thinking about distributing Gnote should consider the impact on users and their data. When we develop, we should always be asking ourselves, "is this adding value for our users?"

It should not come as a surprise that this language inspired a lot of responses, on the original site and elsewhere. Reading through the discussions, your editor has come to a couple of conclusions:

The Tomboy development community obviously sees Gnote as a threat. It's not entirely clear why that should be. If these developers are paying attention to what they are doing, and if the Mono platform is as "extremely productive" as they say, they should have no trouble staying ahead of Gnote. Beyond that, the existence of other, interoperable applications should serve to grow the community as a whole.
Gnote clearly has added value for some users. There is a significant community out there which does not want to have Mono on its systems. One may or may not agree with their reasoning, but one cannot argue with the fact that these users exist; simply dismissing their concerns is unlikely to change their minds. Mono-free, Tomboy-like functionality adds value for those users.

It is evident that some developers and users in the Tomboy camp think that the creation of Gnote is an improper thing to do. The creation of a new application by translating code into another language seems unoriginal at best, and a misappropriation of the code at worst. The fact that the code has been relicensed (from LGPL 2+ to GPLv3) in the translation process has not helped. But it should be remembered that both the translation and the relicensing are acts which are allowed by the license chosen by the Tomboy developers. The LGPL license text packaged with the Tomboy code reads:

You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library.

Other parts of Tomboy carry GPLv2+ or BSD licenses; it's actually quite a mixture, but they all allow conversion to GPLv3. So Hubert has only done what the original developers explicitly allowed him to do; about the only complaint one might make is that he appears to not have carried the copyright attributions over into his translated code. That, probably, is an omission which needs to be fixed; it would be hard to argue that Gnote is not derived from Tomboy.

Beyond that, there are concerns that Gnote will take developer attention away from Tomboy. That could be true, but chances are that any developers working on Gnote (and it's not clear that there are any, beyond Hubert) are unlikely to have been working on Tomboy previously. There is also concern about what happens if and when Tomboy and Gnote diverge from each other. That could well happen; Hubert does not appear to have promised to mirror Tomboy forever. Should things go that way, Gnote really just becomes another fork; it will live or die on its own merits.

It will take time to know whether hacking on Gnote is a wise use of Hubert's time. But it is a clear example of what is good about free software: a developer with a specific itch was able to scratch it (for himself and for others) without having to start from the beginning. Criticisms of Gnote would seem to be misplaced, and attempts to suppress it (and telling distributors that distributing Gnote is a threat to their users' data can only be seen as such an attempt) even more so. Free software means letting others take your code in directions you may not always approve of.

Comments (120 posted)

The Firefox extension war

By Jake Edge
May 6, 2009

By now, the escalating battle between the NoScript and Adblock Plus Firefox extensions is fairly well-publicized. In fact, the LWN comment thread on the topic has attracted an enormous number of comments—though many are rather tangential to the actual issue. While the original dispute has been settled, there are still a few issues to ponder from that incident.

For those who didn't follow the dispute, a review is probably in order. Both NoScript and Adblock Plus are meant to assist users in controlling the content that their browsers display. As their names imply, NoScript is focused on blocking things like Javascript, Flash, and the like, whereas Adblock Plus blocks advertisements. There is some overlap between the two, of course, because much of the advertising on the web is served via Javascript and/or contains Flash content.

NoScript's author, Giorgio Maone, uses advertising on the NoScript web pages to help fund development of the extension, which is part of why the frequently-updated extension opens a tab on the release notes page after an update. This particular feature—which can be disabled fairly easily—is quite annoying to some. Part of that annoyance may be because of the ads on that page. In late April, Adblock Plus added the NoScript site to its filter list so that its users would no longer see the ads. That led to an arms race.

The NoScript and Adblock Plus developers went back and forth, with NoScript circumventing the filters and Adblock Plus adding new filters to block the ads. This continued until the Adblock Plus filter fundamentally broke the NoScript site so that users could no longer even see the links to download NoScript. This sent Maone around the bend, evidently, as his next step was to add obfuscated code—though the extent of the obfuscation is disputed—to NoScript that disabled the Adblock Plus filter for his site.

At that point, Adblock Plus author Wladimir Palant wrote a blistering blog post about the dispute, which brought it to the attention of many. Maone quickly backed down, offering a detailed and seemingly heartfelt apology. In the meantime, though, the folks at addons.mozilla.org (AMO) noticed the problem and are considering changes to their policy on legitimate extension behavior.

It should be noted that AMO did not review the NoScript changes (or, presumably, the Adblock Plus filter changes) before the updates were made available to users. As Maone explains, once an extension reaches a certain level of trust, the AMO reviewers do not check updates—they are approved automatically. It is unclear how that process works exactly, but given the number of escalating changes both extensions were making over a short period of time, some kind of minimal oversight might have noticed that something was amiss.

For someone of malicious intent, as opposed to someone just exhibiting some incredibly bad judgment, a Firefox extension makes a pretty tempting target. Much of what goes on inside the browser involves sensitive information which users do not wish to have exposed (passwords, browsing history, etc.). If an extension can get to the point where it can push out "trusted" updates, without any review, that seems rather troubling.

Some distributions—Debian at least—package Firefox extensions for their users. Though it isn't a foolproof solution, it does add a level of review to the code before it gets installed. It probably makes sense for other distributions to consider doing that as well. Changing the AMO policy is certainly a good idea, but it will hardly protect against attackers of various sorts.

While there is nothing wrong with supporting development via advertising, clearly Maone crossed the line. Adblock Plus users specifically want ad blocking, so turning that functionality off, even "just" for one site, is plain wrong. Maone seems to recognize that now and this dispute will hopefully serve as a warning to other extension authors before they allow their anger to get in the way of their good sense. For the rest of us, though, it serves as a reminder that we are sometimes, perhaps even frequently, installing software in our browsers that has had little or no oversight.

Comments (3 posted)

apache: information leak

Package(s):

apache

CVE #(s):

CVE-2009-1191

Created:

May 1, 2009

Updated:

December 7, 2009

Description:

From the Mandriva advisory: mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.

Alerts:

Mandriva	MDVSA-2009:323	apache	2009-12-07
Fedora	FEDORA-2009-8812	httpd	2009-08-20
Slackware	SSA:2009-214-01	httpd	2009-08-03
Gentoo	200907-04	apache	2009-07-12
Ubuntu	USN-787-1	apache2	2009-06-12
Mandriva	MDVSA-2009:102	apache	2009-04-30

Comments (none posted)

Apport: arbitrary file removal

Package(s):

Apport

CVE #(s):

CVE-2009-1295

Created:

April 30, 2009

Updated:

May 13, 2009

Description:

From the Ubuntu alert: Stephane Chazelas discovered that Apport did not safely remove files from its crash report directory. If Apport had been enabled at some point, a local attacker could remove arbitrary files from the system.

Alerts:

SuSE	SUSE-SR:2009:010	firefox apport evolution freetype2 java_1_4_2-ibm kdegraphics3 libopenssl libsoup xulrunner opensc python-crypto unbound xpdf	2009-05-12
Ubuntu	USN-768-1	Apport	2009-04-29

Comments (none posted)

bash-completion: incorrect metacharacter quoting

Package(s):

bash-completion

CVE #(s):

Created:

May 4, 2009

Updated:

May 6, 2009

Description:

From the Red Hat bugzilla:

An old Debian bug report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=259987) indicates that some bash completions fail to properly quote or escape special characters like ' and &. Most bash completions are escaped fine, but certain ones (such as aspell) do not.

Alerts:

Fedora	FEDORA-2009-3639	bash-completion	2009-04-14
Fedora	FEDORA-2009-3640	bash-completion	2009-04-14

Comments (none posted)

clamav: incorrect ownership

Package(s):

clamav

CVE #(s):

Created:

May 5, 2009

Updated:

May 6, 2009

Description:

From the Ubuntu advisory: A flaw was discovered in the clamav-milter initscript which caused the ownership of the current working directory to be changed to the 'clamav' user.

Alerts:

Ubuntu

USN-770-1

clamav

2009-05-04

Comments (none posted)

drupal: multiple vulnerabilities

Package(s):

drupal

CVE #(s):

CVE-2008-3661

Created:

May 4, 2009

Updated:

May 6, 2009

Description:

From the Drupal advisory:

Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.

In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.

Alerts:

Debian	DSA-1792-1	drupal6	2009-05-06
Fedora	FEDORA-2009-4175	drupal	2009-05-02
Fedora	FEDORA-2009-4203	drupal	2009-05-02

Comments (none posted)

gpdf: buffer overflows

Package(s):

gpdf

CVE #(s):

CVE-2009-0195

Created:

May 1, 2009

Updated:

August 18, 2010

Description:

From the Red Hat advisory: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg).

Alerts:

Gentoo	201310-03	poppler	2013-10-06
Ubuntu	USN-973-1	koffice	2010-08-17
CentOS	CESA-2010:0400	tetex	2010-05-28
Mandriva	MDVSA-2010:096	tetex	2010-05-17
CentOS	CESA-2010:0399	tetex	2010-05-08
Red Hat	RHSA-2010:0400-01	tetex	2010-05-06
Red Hat	RHSA-2010:0399-01	tetex	2010-05-06
Mandriva	MDVSA-2010:087	poppler	2010-04-29
Mandriva	MDVSA-2009:282-1	cups	2009-12-07
Mandriva	MDVSA-2009:283	cups	2009-10-19
Mandriva	MDVSA-2009:282	cups	2009-10-19
CentOS	CESA-2009:0480	poppler	2009-05-15
Red Hat	RHSA-2009:0480-01	poppler	2009-05-13
CentOS	CESA-2009:0458	gpdf	2009-05-03
Red Hat	RHSA-2009:0458-01	gpdf	2009-04-30

Comments (none posted)

kernel: denial of service

Package(s):

linux-2.6.24

CVE #(s):

CVE-2008-5701

Created:

May 4, 2009

Updated:

May 7, 2009

Description:

From the Debian advisory:

Vlad Malov reported an issue on 64-bit MIPS systems where a local user could cause a system crash by crafing a malicious binary which makes o32 syscalls with a number less than 4000.

Alerts:

Debian	DSA-1794-1	linux-2.6	2009-05-06
Debian	DSA-1787-1	linux-2.6.24	2009-05-02

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):

linux-2.6.24

CVE #(s):

CVE-2009-1192 CVE-2009-1242 CVE-2009-1265 CVE-2009-1337 CVE-2009-1338 CVE-2009-1439

Created:

May 4, 2009

Updated:

November 16, 2009

Description:

From the Debian advisory:

CVE-2009-1192: Shaohua Li reported an issue in the AGP subsystem they may allow local users to read sensitive kernel memory due to a leak of uninitialized memory.

CVE-2009-1242: Benjamin Gilbert reported a local denial of service vulnerability in the KVM VMX implementation that allows local users to trigger an oops.

CVE-2009-1265: Thomas Pollet reported an overflow in the af_rose implementation that allows remote attackers to retrieve uninitialized kernel memory that may contain sensitive data.

CVE-2009-1337: Oleg Nesterov discovered an issue in the exit_notify function that allows local users to send an arbitrary signal to a process by running a program that modifies the exit_signal field and then uses an exec system call to launch a setuid application.

CVE-2009-1338: Daniel Hokka Zakrisson discovered that a kill(-1) is permitted to reach processes outside of the current process namespace.

CVE-2009-1439: Pavan Naregundi reported an issue in the CIFS filesystem code that allows remote users to overwrite memory via a long nativeFileSystem field in a Tree Connect response during mount.

Alerts:

SuSE	SUSE-SA:2009:055	kernel	2009-11-12
Red Hat	RHSA-2009:1211-01	kernel	2009-08-13
SuSE	SUSE-SA:2009:056	kernel	2009-11-16
SuSE	SUSE-SA:2009:054	kernel	2009-11-11
Ubuntu	USN-793-1	linux, linux-source-2.6.15	2009-07-02
Red Hat	RHSA-2009:1132-01	kernel	2009-06-30
CentOS	CESA-2009:1106	kernel	2009-06-19
Mandriva	MDVSA-2009:135	kernel	2009-06-17
Red Hat	RHSA-2009:1106-01	kernel	2009-06-16
CentOS	CESA-2009:1550	kernel	2009-11-04
Red Hat	RHSA-2009:1550-01	kernel	2009-11-03
SuSE	SUSE-SA:2009:033	kernel	2009-06-16
SuSE	SUSE-SA:2009:032	kernel	2009-06-09
SuSE	SUSE-SA:2009:031	kernel	2009-06-09
SuSE	SUSE-SA:2009:030	kernel	2009-06-08
Red Hat	RHSA-2009:1081-01	kernel-rt	2009-06-03
Red Hat	RHSA-2009:1077-01	kernel	2009-06-02
Fedora	FEDORA-2009-5383	kernel	2009-05-25
Fedora	FEDORA-2009-5356	kernel	2009-05-25
SuSE	SUSE-SA:2009:028	kernel	2009-05-20
Mandriva	MDVSA-2009:119	kernel	2009-05-19
Debian	DSA-1800-1	linux-2.6	2009-05-15
Red Hat	RHSA-2009:1024-01	kernel	2009-05-18
rPath	rPSA-2009-0084-1	kernel	2009-05-15
CentOS	CESA-2009:0473	kernel	2009-05-07
Red Hat	RHSA-2009:0473-01	kernel	2009-05-07
Debian	DSA-1794-1	linux-2.6	2009-05-06
Debian	DSA-1787-1	linux-2.6.24	2009-05-02

Comments (none posted)

libwmf: pointer use-after-free flaw

Package(s):

libwmf

CVE #(s):

CVE-2009-1364

Created:

May 1, 2009

Updated:

December 3, 2009

Description:

From the Red Hat advisory: A pointer use-after-free flaw was found in the GD graphics library embedded in libwmf. An attacker could create a specially-crafted WMF file that would cause an application using libwmf to crash or, potentially, execute arbitrary code as the user running the application when opened by a victim.

Alerts:

Arch Linux	ASA-201701-1	libwmf	2017-01-01
openSUSE	openSUSE-SU-2015:1134-1	libwmf	2015-06-24
Mandriva	MDVSA-2009:106-1	libwmf	2009-12-03
Gentoo	200907-01	libwmf	2009-07-02
SuSE	SUSE-SR:2009:011	java, realplayer, acroread, apache2-mod_security2, cyrus-sasl, wireshark, ganglia-monitor-core, ghostscript-devel, libwmf, libxine1, net-snmp, ntp, openssl	2009-06-09
Fedora	FEDORA-2009-5518	libwmf	2009-05-27
Fedora	FEDORA-2009-5524	libwmf	2009-05-27
Fedora	FEDORA-2009-5517	libwmf	2009-05-27
Debian	DSA-1796-1	libwmf	2009-04-07
Mandriva	MDVSA-2009:106	libwmf	2009-05-05
Ubuntu	USN-769-1	libwmf	2009-05-04
CentOS	CESA-2009:0457	libwmf	2009-05-03
Red Hat	RHSA-2009:0457-01	libwmf	2009-04-30

Comments (none posted)

memcached: information leak

Package(s):

memcached

CVE #(s):

CVE-2009-1255 CVE-2009-1494

Created:

May 4, 2009

Updated:

August 11, 2009

Description:

From the Mandriva advisory:

The process_stat function in Memcached prior 1.2.8 discloses memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain potentially sensitive information by sending this command to the daemon's TCP port (CVE-2009-1255, CVE-2009-1494).

Alerts:

SuSE	SUSE-SR:2009:013	memcached, libtiff/libtiff3, nagios, libsndfile, gaim/finch, open-, strong, freeswan, libapr-util1, websphere-as_ce, libxml2	2009-08-11
Fedora	FEDORA-2009-4542	memcached	2009-05-08
Fedora	FEDORA-2009-4199	memcached	2009-05-02
Mandriva	MDVSA-2009:105	memcached	2009-05-04

Comments (none posted)

moin: cross-site scripting

Package(s):

moin

CVE #(s):

CVE-2009-1482

Created:

May 6, 2009

Updated:

May 11, 2009

Description:

From the Debian advisory:

It was discovered that the AttachFile action in moin, a python clone of WikiWiki, is prone to cross-site scripting attacks when renaming attachements or performing other sub-actions.

Alerts:

Ubuntu	USN-774-1	moin	2009-05-11
Debian	DSA-1791-1	moin	2009-05-06

Comments (none posted)

pam_ssh: information (user account existence) leak

Package(s):

pam_ssh

CVE #(s):

CVE-2009-1273

Created:

May 4, 2009

Updated:

May 6, 2009

Description:

From the Red Hat bugzilla:

A security flaw was found in PAM module, providing user authentication based on SSH keys. A remote attacker could use this flaw to recognize, if some username/login belongs to set of user accounts, existing on the system, and subsequently perform dictionary based password guess attack.

Alerts:

Fedora	FEDORA-2009-3500	pam_ssh	2009-04-13
Fedora	FEDORA-2009-3627	pam_ssh	2009-04-13

Comments (none posted)

prelude-manager: database password in world-readable configuration

Package(s):

prelude-manager

CVE #(s):

Created:

May 4, 2009

Updated:

May 6, 2009

Description:

From the Fedora advisory:

The configuration file of prelude-manager contains a database password and is world readable. This update restricts permissions to the root account.

Alerts:

Fedora	FEDORA-2009-3931	prelude-manager	2009-04-27
Fedora	FEDORA-2009-4044	prelude-manager	2009-04-27

Comments (none posted)

quagga: improper assertion

Package(s):

quagga

CVE #(s):

Created:

May 5, 2009

Updated:

May 6, 2009

Description:

From the Debian advisory: It was discovered that Quagga, an IP routing daemon, could no longer process the Internet routing table due to broken handling of multiple 4-byte AS numbers in an AS path. If such a prefix is received, the BGP daemon crashes with an assert failure, leading to a denial of service.

Alerts:

Debian

DSA-1788-1

quagga

2009-05-04

Comments (none posted)

ruby: denial of service

Package(s):

ruby

CVE #(s):

Created:

May 1, 2009

Updated:

May 6, 2009

Description:

From the ruby advisory: There is a DoS vulnerability in the REXML library included in the Ruby Standard Library. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML using REXML.

Alerts:

Slackware

SSA:2009-120-01

ruby

2009-05-01

Comments (none posted)

Kernel release status

The current 2.6 development kernel is 2.6.30-rc4, released by Linus (who has reverted to the old "just after LWN goes out" schedule) on April 29. Changes this time around include Tux's return as the kernel mascot and a whole bunch of fixes. Plus the code name for this release has been changed to "Vindictive Armadillo." Full details can be found in the long-format changelog.

Patches continue to flow into the mainline repository; they are almost all fixes, including one from LWN editor Jake Edge addressing some of the address space randomization problems covered on last week's Security Page.

No stable 2.6.29 updates have been made in the last week. We did see the release of the 2.6.27.22 and 2.6.28.10 updates on May 2. They contain fixes all over the tree (58 and 88 patches respectively); several have CVE numbers associated with them, so users are encouraged to upgrade. Also: "NOTE, this is the LAST update of the 2.6.28 kernel series, so all users are very strongly encouraged to upgrade to the 2.6.29 series at this point in time!" 2.6.27 will continue to be maintained by the stable folks for quite some time to come.

Comments (4 posted)

Quotes of the week

We were able to shave 400 milliseconds off the shutdown time by slightly trimming the WAV file shutdown music.

-- John Curran (Microsoft); boot time is no longer the battleground.

Tools Are Not Deities To Be Appeased. Subject saying in effect "$TOOL is upset!!!" is bloody useless.

-- Al Viro

From the few reports I have heard that the actual bug is not in the linux kernel code but rather it sounds like a denial of service attack against the implementation of http://uscode.house.gov/. With the attackers being able to inject a few bogus values, and cause lots of mayhem.

Now in the linux kernel we work around lots of bugs from lots of different sources, and this may be a place to work around someone else's bug. This does not appear to be a context where anyone is concerned about a 0 day exploit, so we don't need to rush. Further the functionality has been the same in the same in all places for a long time, and all of the pieces are at least in theory open to public review. So this should be a reasonable context for a public discussion.

The only reason I can see for not ultimately talking about things publicly is if this is one company making shady deals with another company in which case I do not see why the maintenance burden for those decision should fall on the linux community as a whole.

-- Eric Biederman

Comments (6 posted)

The LKML Summary Podcast

Jon Masters is experimenting with the idea of creating a short podcast with a summary of discussions on the linux-kernel mailing list. The initial installment [MP3] is just under four minutes long; it includes brief summaries of discussions about DRBD, GFP_PANIC, file descriptor abuse, and more. "I am hoping this of use to some people who can't read LKML every day. Yesterday took 15-20 minutes to put together, and that's doable on a regular basis, subject to it being of use to anyone. I figured I'm reading LKML whether I do I summary recording or not. If it takes off, then I'll try forming a small team to share the effort out."

Full Story (comments: 19)

The return of devfs

By Jake Edge
May 6, 2009

The drive for faster boot times has led to a number of changes in the kernel. Some, like the parallelization of USB initialization we looked at last week, have caused disruptions for some users. But others, like the recently proposed devtmpfs, have a different set of challenges. While it may provide a good solution to reducing boot times, devtmpfs faces some fairly stiff resistance, at least partially because it reminds some folks of a feature previously excised from the kernel, namely devfs.

The basic idea is to create a tmpfs early in the kernel initialization before the driver core has initialized. Then, as each device registers with the driver core, its major and minor numbers and device name can be used to create an entry in that filesystem. Eventually, the root filesystem will be mounted and the populated tmpfs can be mounted at /dev.

This has a number of benefits, all of which derive from the fact that no user-space support is required to have a working /dev directory. With the current udev-based approach, there is a need for a reasonably functional user-space environment for udev to operate in. For simplified booting scenarios—like rescue tools or using the init=/bin/sh kernel boot parameter—a functional /dev directory is needed, in particular because of dynamic device numbers. It would also be useful for embedded devices that do not need or want a full-featured user space.

Andrew Morton's immediate reaction was amusement: "Lol, devfs." Greg Kroah-Hartman, who authored the patch along with Kay Sievers and Jan Blunck, admitted that it was a kind of devfs: "Well, devfs 'done right' with hopefully none of the vfs problems the last devfs had. :)" But Morton is somewhat concerned that "devfs2", as he calls it, is just going over old ground:

I think Adam Richter's devfs rewrite (which, iirc, was tmpfs-based) would have fixed up these things. But it was never quite completed and came when minds were already made up.

I don't understand why we need devfs2, really. What problems are people having with [the] existing design?

Though the other advantages are important, Kroah-Hartman replied with the crux of the argument for devtmpfs:

Boot speed, boot speed, boot speed.

Oh, and reduction in complexity in init scripts, and saving embedded systems a lot of effort to implement a dynamic /dev properly (have you _seen_ what Android does to keep from having to ship udev? It's horrible...)

But Alan Cox is not so sure. His argument is that moving this functionality (back) into the kernel, just papers over a user-space problem, while increasing kernel, thus not pageable, memory usage. Others think that the kernel should just buffer uevents—the messages generated by the kernel to send to udev on device state changes—until udevd is started. But, that doesn't solve the synchronization problem: user space must still wait for a populated /dev hierarchy.

A problem with the current scheme is that it essentially does the device enumeration twice—once in the kernel as devices are registered and once in user space by udevd, when it gets started. The device information that was gathered by the kernel is lost. When udevd initializes, it walks the /sys directory to find devices, then creates device nodes for them. That can take 1-2 seconds on a complex system—on the order of twice the kernel boot time—but worse still, no other user-space processes can start until this "coldplug" pass has completed. Using devtmpfs, there will be a working /dev that other user-space code can use, so that the udev coldplug pass can be done in parallel.

Several alternate methods of solving the problem were proposed in the thread, but, by and large, Sievers was able to show why they didn't actually solve the problem. In some cases, the behavior of devfs is being incorrectly attributed to devtmpfs, but the two are quite different. The new scheme would create root-owned device nodes, with fixed 0600 permissions, for each device. It would avoid much of complexity of devfs. As Sievers puts it:

We are not implementing anything crazy here like devfs did, including the later versions - there is no modprobe behind your back, no lookup hooks, no stupid new naming scheme, no new filesystem type to register.

Christoph Hellwig objected to the proposal as well. Part of his complaint is how quickly devtmpfs was added to the linux-next tree, but he also sees it as adding devfs back into the kernel:

It basically does re-introduce devfs under a different name, and from looking at the implementation it might not be quite as bad a Gooch's original, but it's certainly worse than Adam Richters rewrite the we never ended up merging.

Now we might want to revisit the decision to leave all the device name handling to a userspace daemon, because it [proved] to be quite fragile under certain circumstances, and you apparently see performance issues.

Sievers outlines the differences between devtmpfs and Adam Richter's proposal from 2003. It mostly boils down to complexity; devtmpfs is a much simpler scheme, which really adds very little to the kernel. The implementation is around 300 lines of code, in comparison to roughly 3600 for devfs and 600 for an early version of Richter's mini-devfs.

Anticipating the next complaint, Sievers also points out that the device naming policy is already in the kernel, but that udev can override the kernel-supplied values if need be. From his perspective this has already occurred, making that an invalid argument against devtmpfs:

The kernel carries the policy today for 98% of the devices, if you change any driver given name, it will no longer show up in /dev with the current name. That's the reality since years, and will not be different anytime soon, there is no real naming policy besides the current kernel supplied names.

It is clear that the devtmpfs developers have put a fair amount of thought into just what was needed, and how it could work with existing code—both inside and outside the kernel. It is also clear that there is some resistance to returning to anything even remotely reminiscent of devfs. Because devtmpfs is really quite different, and has a nice effect on boot speed, one would think that it is likely to find its way into the mainline sooner or later. If no further objections are raised, and the linux-next trials go well, 2.6.31 may very well be the release that sees the inclusion of devtmpfs.

Comments (33 posted)

Long discussions about long names

By Jonathan Corbet
May 4, 2009

When Microsoft filed its lawsuit against TomTom, it named two patents which cover the VFAT filesystem. That, naturally, led to a renewed push to either (1) get those patents invalidated, or (2) move away from VFAT altogether. But some participants have advocated a third approach: find a way to work around the patents which retains most of the VFAT filesystem functionality while, with luck, avoiding any potential infringement of the claims of the patent. But, as a recently-posted patch and the ensuing discussion show, workarounds are not a straightforward solution even after the lawyers have been satisfied.

The patch (written by Andrew Tridgell, but posted by Dave Kleikamp), comes with this changelog:

Add CONFIG_VFAT_NO_CREATE_WITH_LONGNAMES option

When this option is enabled the VFAT filesystem will refuse to create new files with long names. Accessing existing files with long names will continue to work.

Note that the changelog gives no clue as to why one might want this particular configuration option. What it probably comes down to is this: all of the claims in the VFAT patent refer to the creation of long file names. Reading filesystems with such names is not addressed by the patent. So the apparent thinking is that, even if the named patents really read on the Linux VFAT implementation, they will not read on a version which cannot create files with long names.

It looks like a reasonable hack. Interoperability with all existing VFAT filesystems is retained, as long as one does not need to create files with long names on the Linux side. But systems which run kernels with this option enabled have a much lower probability of being found to infringe on the VFAT patents. It could, maybe, be an optimal solution.

That said, the patch has been poorly received in the kernel development community. One of the reasons for this chilly reception, certainly, is general hostility to the software patent system and an associated lack of willingness to capitulate to it. Add in a generous helping of contempt for the VFAT patents - and their owner - in particular, and it is not surprising that some developers would rather not entertain "solutions" to this problem.

The bigger issue, though, is that the patch does not describe the real problem that it is trying to solve. There has been a lot of fairly weaselly discussion from IBM developers on the lists, but none of them are willing to just come out and say what is going on. The closest, perhaps, is this message from Tridge:

However, if you are willing to concede that there are good non-technical arguments for wanting to "get the VFAT out" then choosing the best way to achieve that is most definitely a technical decision, and that is what we can discuss here.

Unfortunately I am unable to discuss any of the non-technical reasons for why "get the VFAT out" might be a good idea in the first place. That is damn frustrating, but it is just how things are.

All of this talk creates a certain feeling of patches being sent out to the list from some smoke-filled room deep within IBM headquarters. But, more importantly, the lack of information makes it impossible for the development community to determine whether the patch works. To make that decision, developers need to know what problem is being solved, and how the proposed solution makes the problem go away. But they don't have that information; instead, they simply have a patch which makes it possible to remove some functionality from the kernel.

The subtext of the conversation is that some lawyers at IBM have, presumably, determined that a potential problem exists. That problem could be as simple as "this feature may attract infringement suits," independently of whether the patents are valid or whether Linux infringes on them. For any number of Linux users, the simple fact that the probability of being sued might go up is enough to inspire a search for alternatives. Also, presumably, these same lawyers have concluded that this particular workaround can resolve these worries. So now they believe it should be a part of the Linux kernel.

But if the lawyers have really come to these conclusions, they are not saying so in any public forum. So the kernel developers are left wondering what is really going on. Are there really lawyers involved, or is this patch the work of a couple of programmers who have tried to create a solution (to a problem perceived by them) on their own? Why can't a company like TomTom just patch out the long-name functionality on their own if they are truly worried about it? Might the inclusion of this patch open the kernel up to other potential legal difficulties that we don't know about?

Tridge's suggestion is that a prominent kernel developer needs to have a conversation with a lawyer before making the decision on this patch. That approach might lead to a correct outcome, but it will still leave most of the community in the dark and unhappy about it.

It would appear that a better way is required. Currently, it is difficult for developers to determine whether a patent really applies to an algorithm in the kernel or not. If they conclude that there is a patent problem, these same developers are poorly placed to figure out what a minimal workaround might be. We need some help in this area. This particular problem is likely to come up again in other contexts; if we can put some sort of process in place for addressing legal issues, life will be easier in the future.

IBM is said to have extensive documentation on the process of working around patents; for some strange reason, this information has never been released to the public. Unfortunately, determinations by lawyers are also unlikely to be released to the public, for any number of reasons. But developers need all of this information to respond properly to legal problems. There may be no alternative to some sort of process where a limited group of developers is given access to information under non-disclosure agreements. Such processes are distasteful, but they also are fairly common; many device drivers are created under non-disclosure agreements.

The Linux Foundation currently has an NDA program intended to connect developers with hardware documentation. Perhaps a similar program (under the auspices of the Linux Foundation, or of another group like the Software Freedom Law Center or the Open Invention Network) could be created for access to legal information. As it is, we have a situation where some developers are talking to their employers' lawyers and nobody else has any real idea of what is going on. That will lead to slow, loud, and contentious attempts to solve legal problems. Given that we're almost certain to have more of these problems in the future, we might want to put some thought into finding a better way.

Comments (50 posted)

The two sides of reflink()

By Jonathan Corbet
May 5, 2009

One of the discussions your editor missed at the recent Linux Storage and Filesystem workshop covered the proposed reflink() system call. Fortunately, the filesystem developers have now filled in the relevant information with a detailed email exchange, complete with patches. We now have a proposed system call which has created more open questions than answers. The creation of a new core system call requires a lot of thought, so a close look at these questions would seem to be called for.

The proposed system calls are pretty simple:

    int reflink(const char *oldname, const char *newname);

    int reflinkat(int old_dir_fd, const char *oldname,
                  int new_dir_fd, const char *newname, int flags);

These system calls function much like link() and linkat() but with an important exception: rather than create a new link pointing to an existing inode, they create a new inode which happens to share the same disk blocks as the existing file. So, at the conclusion of a reflink() call, newname looks very much like a copy of oldname, but the actual data blocks have not been duplicated. The files are copy-on-write, though, meaning that a write to either file will cause some or all of the blocks to be duplicated. A change to one of the files will thus not be visible in the other file. In a sense, a reflink() call behaves like a low-cost file copy operation, though how copy-like it will be remains to be seen.

The first question to arise was: does the kernel really need to provide both the reflink() and reflinkat() system calls? Most of the other *at() calls are paired with the non-at versions because the latter came first. Since Unix-like systems have had link() for a long time, it cannot be removed without breaking applications. So linkat() had to go in as a separate call. But reflink() is new, so it can just as easily be implemented in the C library as a wrapper around reflinkat(). That is how things will probably be done in the end.

The deeper discussion, though, reveals that there are two fundamentally different views of how this system call should work. Joel Becker, who posted the reflink() patch, sees it as a new variant of the link() system call. Others, though, would like it to behave more like a file copy operation. If you see reflink() as being a type of link(), then certain implications emerge:

The reflink-as-link view requires that the new file have (to the greatest extent possible) the same metadata as the old one; in particular, it must have (at the end of the reflink() system call) the same owner, just like hard links do.
Creating low-level snapshots of filesystems (or portions thereof) is straightforward and easy. Reflinked files look just like the originals; in particular, they have (mostly) the same metadata and can share the same security context.
Disk quotas are a problem. Should a reflinked file count against the owner's disk quota, even though little or no extra storage is actually used? If so, the system must take extra steps to keep users from creating a reflink to a file they do not own; otherwise one user could exhaust another user's quota. If, instead, storage is charged against the quota of the user who created the reflink, complicated structures will be needed to track usage associated with files owned by others.
What happens if the new file's metadata - permissions or owner - are changed? In some scenarios, depending on the underlying filesystem implementation, it seems that a metadata change could require a copy-on-write of the whole file. That would turn a command like chmod into a rather heavy-weight operation.

On the other hand, if a reflink is like making a copy, the situation changes somewhat:

Security becomes a rather more complicated affair. Making a hard link doesn't require messing with SELinux security contexts, but a reflink-as-copy would require that. Permission checks (again, including security module checks) would have to become more elaborate; it would have to be clear that the user making the reflink had read access to the file.
The quota problem goes away. If a reflink is essentially a copy, then the resulting link should be owned by the user who creates it, rather than the owner of the original file. The only course which makes sense is to charge both users for the full size of the file. There are no concerns about one user exhausting another's disk quota, and there are no real difficulties with keeping disk usage information current.
Metadata changes are handled naturally, since the files are completely separate from each other.
Reflinks are no longer true snapshots; they will not work to represent the state of the filesystem at a given time. For a user whose real interest is low-level snapshotting, reflink-as-copy will not work.

On the other hand, reflink-as-copy could be used in a lot of other interesting situations; the cp command could create reflinks by default when the destination file is on the same filesystem. That would turn "cp -r" into a fast and efficient operation. They could also be used to share files between virtualized guests.

What it comes down to is that there are real uses for both the reflink-as-link and reflink-as-copy modes of operation. So the right solution may well be to implement both modes. The flags parameter to reflinkat() can be used to distinguish between the two. Implementing both behaviors will complicate the implementation somewhat, and it muddies up what is otherwise a conceptually clean system call. But that's what happens, sometimes, when designs encounter the real world.

Comments (86 posted)

Linus Torvalds Linux 2.6.30-rc4 ?

Greg KH Linux 2.6.28.10 ?

Greg KH Linux 2.6.27.22 ?

Tobias Doerffel Specific support for Intel Atom architecture ?

Masami Hiramatsu x86 instruction decoder with userspace test code ?

Alok Kataria x86: Reduce the default HZ value ?

Rik van Riel x86: 46 bit PAE support ?

Steven Rostedt updated version of streamline_config.pl ?

David VomLehn [PATCH 1/5] KERNEL: Support asynchronously-discovered boot devices, v4 (resend) ?

Paul E. McKenney v4 RCU: the bloatwatch edition ?

Arve Hjønnevåg Suspend block api (version 2) ?

Nigel Cunningham TuxOnIce ?

Frederic Weisbecker tracing/workqueue: events support/enhancements, worklets tracing, fixes ?

Subrata Modak The Linux Test Project has been Released for APRIL 2009 ?

Clark Williams version 0.37 of rt-tests available ?

Kay Sievers driver-core: devtmpfs - driver core maintained /dev tmpfs ?

David VomLehn [PATCH 1/5] initdev:kernel: Asynchronously-discovered device synchronization, v5 ?

Ben Hutchings MDIO and ethtool enhancements ?

Jean Delvare i2c: Get rid of the legacy binding model ?

Linus Walleij ST DDC I2C bus driver v1 ?

Jason Wessel usb_debug driver improvements ?

Jason Baron add tracepoints docbook (take #2) ?

Philipp Reisner DRBD: a block device for HA clusters ?

Jan Kara A new way of attaching information to inodes ?

Andrew Tridgell Add CONFIG_VFAT_NO_CREATE_WITH_LONGNAMES option ?

Matthew Wilcox New TRIM/UNMAP tree published (2009-05-02) ?

Andrea Righi cgroup: io-throttle controller (v16) ?

Tejun Heo block,scsi,ide: unify sector and data_len, take#2 ?

Joel Becker The reflink(2) system call. ?

Matt Helsley Add checkpoint file operations ?

Vivek Goyal IO scheduler based IO Controller V2 ?

Dave Hansen consolidate pte mapping functions across all architectures ?

Thomas Gleixner Remove obsolete genirq defines and typedefs [Resend] ?

Cyrill Gorcunov introducing __GFP_PANIC ?

Tom Herbert Receive Packet Steering ?

Lennert Buytenhek generic skb recycling ?

Jake Edge [PATCH] proc: avoid leaking eip, esp, or wchan to non-privileged processes ?

Gregory Haskins irqfd ?

Gregory Haskins generic hypercall support ?

Kyle Moffett Generic LRU cache built on a kmem_cache and a "struct shrinker" ?

Jon Masters ANNOUNCE: module-init-tools 3.8 release ?

Karel Zak util-linux-ng v2.15 (stable) ?

Greg KH usbutils 0.82 release ?

NetBSD 5.0

May 6, 2009

This article was contributed by Koen Vervloesem

After more than two years of development, NetBSD 5.0 was released at the end of April. The thirteenth release of this derivative of UC Berkeley's 386BSD boasts improved performance and scalability on modern multiprocessor and multicore systems. This is the result of a lot of rewritten code: a new threading subsystem based on a 1:1 threading model, new kernel synchronization primitives, kernel preemption, a rewritten scheduler and real-time scheduler extensions.

The improvements in the areas of scheduling and threading are reviewed in a short document [PDF] written by NetBSD developer Mindaugas Rasiukevicius. NetBSD 5.0 provides some soft real-time extensions, which means that it doesn't meet latency requirements unconditionally, but tries to minimize the latencies. Rasiukevicius performed a latency test with two threads with a POSIX SCHED_FIFO (First in, first out) real-time scheduling policy when the system was under heavy load. This showed that NetBSD 5.0 with kernel preemption tends to respond within 5 microseconds on a modern pc, which is similar to other real-time operating systems. The details of the test and the different scheduling policies can be consulted in the document written by Rasiukevicius.

NetBSD 5.0 also has processor sets: the possibility to exclusively dedicate specific (groups of) processors to processes or threads. The API is expected to be nearly compatible with Solaris and HP-UX processor set interfaces. According to the NetBSD developers, almost all core kernel subsystems, including virtual memory, memory allocators and file system frameworks, were audited and overhauled to shift to a fine-grained locking model, which allows multiple processors to execute kernel code simultaneously.

Much of the development in the areas of SMP (symmetrical multi-processing) performance and scalability has been sponsored by the 2007 fundraising campaign that pretty much exactly met its targeted USD 50,000. NetBSD developer Andrew Doran was sponsored for parts of 2007 and 2008 to work full time on improving SMP in NetBSD, and later to help to get the NetBSD 5.0 beta in shape.

But improved performance is not the only difference with the previous major release: a number of NetBSD ports (platforms) now finally use X.Org instead of XFree86, a step that virtually all Linux distributions made years ago. The file system FFS (Fast File System) has a preview of metadata journaling, known as WAPBL (Write Ahead Physical Block Logging), which makes file system consistency checking after an unclean shutdown much faster. And one thing many laptop users will love to hear: ACPI suspend and resume now should be working on many computers.

What didn't change so much is NetBSD's installer, sysinst. This is still rather basic, but it does its job. One especially good thing is that sysinst doesn't let the user create an insecure password. There is no shortage of password enforcement tools on Linux, but it's nice to see this enforced by default in NetBSD.

Unit tests for an operating system

Also new is the Automated Testing Framework (ATF), a collection of libraries and utilities designed to ease unattended testing of applications. ATF provides the means to create test suites composed of multiple test programs, which in turn are a collection of test cases. When a test case detects an error, ATF provides as much information as possible about the failure.

ATF started as a Google Summer of Code 2007 project mentored by The NetBSD Foundation. Its original goal was to provide a testing framework for NetBSD, but it grew into an independent project because the framework could be made platform-independent. At the moment, only a few NetBSD-specific tests are available as ATF-based tests, but these are a good preview of what NetBSD 6.0 will have: many more test cases.

ATF is not only for developers. In fact, the NetBSD developers encourage all users to run the test suites themselves. They do not need to have development tools installed or source trees available to certify that a certain application works as advertised. This is the main difference from other test frameworks, which ship as part of a source package and are only run by developers after the program is built. Then the end user, who uses binary packages, never sees these tests or the results.

During the installation of NetBSD 5.0, the user sees ATF as a new tests.gz distribution set. If he chooses to install it, sysinst will populate /usr/tests with a collection of ATF test programs. Once installed, the user edits /etc/atf/NetBSD.conf to suit his system preferences and then runs atf-run | atf-report in the directory /usr/tests. At the end, the program gives a summary with the number of passed and failed test cases. If all test cases ran successfully, the user is sure the tested software behaves as it should on his hardware.

Of course it runs NetBSD.

Although NetBSD is one of the most portable operating systems (the NetBSD motto is "Of course it runs NetBSD.", your author had a fair amount of problems installing it. A physical install didn't work out because NetBSD doesn't recognize the keyboard of his Dell laptop, and resorting to virtualization proved problematic too. Only Xen seems to like NetBSD, and fortunately this process is explained well in the NetBSD Xen Guide [PDF].

What did impress your author is the cross-compiling framework: this allows a user to build a complete NetBSD distribution from another system, which could be on a different architecture or even running a different operating system. The only requirement is that the host operating system has a POSIX environment and C/C++ compiler. Because your author is generally suspicious of such claims, he put it to the test in Ubuntu 9.04 and OpenSolaris build 111 (2009.06), and the process worked flawlessly in both cases. After downloading and extracting the NetBSD sources, a simple

./build.sh -U -m i386 release iso-image

This article was contributed by Bruce Byfield

As SchoolTool's founder, Mark Shuttleworth, once said, the goal of the project is "a common information systems platform for school administration from California to Calcutta." This was an original and ambitious goal when first announced in 2000. However, it is far less so in 2009, when content managers like Drupal and Joomla! include most of the functionality of student information systems (SIS). Perhaps that is why, although SchoolTool recently reached version 1.0, the project and online help sites sound mildly apologetic in places. Where a free software SIS once seemed visionary, it now seems commonplace, and SchoolTool's first release is more of a solid basis for future expansion than state-of-the-art.

Part of the reason for the delay in version 1.0's arrival are the many changes in the project. To start with, the project has undergone several changes in leadership, the most famous being Shuttleworth's own departure from hands-on management. Even more importantly, the software has transitioned from the original Java to Python and Zope, and finally to a calendar-based system. In the last few years, as well, the project's software has been extensively tested, particularly in Virginia, culminating in a six month beta program. In addition, the project's documentation is unusually complete by free software standards, although it is still being updated to reflect the new release.

As you might expect in a project sponsored by the Shuttleworth Foundation, both binary and source code is available on Launchpad, packaged for recent Ubuntu releases. Once you install, you can access SchoolTool by opening http://localhost:7080 in your browser, with the default user name "manager" and the default password "schooltool".

Setup and configuration

SchoolTool is not difficult to use. If you have ever used any form of online content management, you should be able to orient yourself quickly. If content management systems are new to you, then the simplicity of the organization should have you up and running almost as quickly.

All the same, SchoolTool is large, and needs to be set up methodically. For these reasons, you should set up SchoolTool with the Initial Setup Process pages of the online help open in another tab — if only for a checklist. Going through the setup will help you get a sense of how SchoolTool is organized, although you can always import sample data right away and skip directly to using SchoolTool as an ordinary user.

To set up SchoolTool, log in as the Manager, and select Manage from the top menu to open the sub-menu. Configuring SchoolTool is largely a matter of defining the start and end of the school year, then working systematically from top to bottom of the school years' sub-menu, starting with terms — semesters or whatever other divisions the school has — and working downwards. Creating different groups for the users, adding the names attached to data in the application, defining the school timetable for the system, and creating courses and course sections — all these follow in orderly progression. You have little chance to deviate from the set order, because most items are only definable after you finish with those earlier on the list.

Once you have completed these details, the next step is to add groups if the default ones such as teachers, administrators and students are not enough, and to add people to these groups, particularly students. These groups are used mainly for determining what each type of user can do, so that administrators can assign grades if you choose, and all users can change their own passwords.

Only those who are actually going to log on to the system need passwords — which generally excludes students — but you do have the option of adding contact information and other information about them. You may also want to add lists of resources, such as projectors, so that they can be booked for specific classes.

If you prefer, you can use a spreadsheet as a form for entering information quickly, then convert it to a CSV file to add multiple people in a single batch. One time-saving suggestion from the online help is to use the sample data file as a template, erasing the sample data but leaving the header columns before entering your own data.

After SchoolTool is set up for general use, administrators might also want to spend some time with the Administrators' Handbook section of the online help. This section concisely explains where the database is located on your Ubuntu system, how to backup and restore the database, and some rudimentary troubleshooting.

Daily use of SchoolTool

Administrators are some of the main users of an SIS, which is why I've devoted so much space to configuration. But what is SchoolTool like for an everyday user, such as a teacher? The short answer is: adequate — but a little sparse in features.

To login to SchoolTool, you need not only to be added to the database, but to have a password assigned to you by the administrator as well.

The default page is a calendar view of events — generally, classes — for the current user. Click an event, and you can see the resources booked for it, such as the room and a projector. In the left pane is a summary of tomorrow's events, and controls for setting what events appear on the calendar, and seeing how resources are allocated throughout the school term. Using the calendar, you can create one-time or recurring events.

So far, so useful. However, while sections of a class share the same color code, you cannot choose the colors assigned to a class. Nor can you use a class's color to signify that another event might be related to it. For example, you cannot assign a class's color to an interview with a student from that class. Similarly, the calendar does not allow you to define or assign types of events, so that you can differentiate between lectures, seminars, and appointments. You can use the calendar to assign each event, but have no way of showing at a glance how they are related.

A similarly adequate, but limited, choice of features appear in SchoolTool's Journal for attendance and its Gradebook. In the Journal, you can add brief codes beside each students' name, such as "a" for absent or "t" for tardiness, but cannot enhance the code with your own abbreviations, or write notes beside a name, let alone set up an automatic calculation for a participation grade. Nor can you access your attendance records from the Gradebook except by flipping back and forth between views.

As for the Gradebook, you can create assignments and grading criteria, but only in a narrow range of non-customizable categories, and on a scale of 100. While the scale is mitigated partly by the fact that you can assign different weights to each assignment for the final grade, you cannot assign a letter grade, or a score on any different scale. Some, too, might appreciate a few basic functions for calculating medians, maximum and minimum scores, and other statistics.

The overall impression SchoolTool leaves is that, while all the basic features are available, advanced features and customization are lacking in many places. Admittedly, in many cases, you or the SchoolTool administrator might be able to find a kludge to let you do what you want. However, if you want anything out of the ordinary, you may find yourself fighting SchoolTool and paying it more attention than the tasks for which you are using it.

Future Plans

SchoolTool is not a lesson planning or presentation application, and, so far, the project has no immediate interest in adding such functionality. Instead, the project has been testing a competency tracking system called Can Do in Arlington, Virginia for the last five years. It is also testing a student intervention tracking system in Philadelphia. Both these modules are scheduled for next years' release.

Other features in the next release might include a module for sharing information between different SchoolTool installations, and another for sharing information with civic authorities.

Meanwhile, the documentation is blunt about the current state of the project. "If you currently are using another mature, full-featured web-based SIS, SchoolTool will probably feel like a step down for your school. If you are running the school using paper, a hodgepodge of spreadsheets and Access databases, or a badly implemented commercial SIS, SchoolTool should be a step up for you."

Version 1.5.0 of python-graph has been announced. "Changes in this release: * Added Critical Path Algorithm and Transitive Edge Identification; * A few bugs were fixed."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week:

Accerciser 1.7.1 (bug fixes and translation work)
Anjuta and Gdl 2.27.1 (new features and bug fixes)
Cheese 2.27.1 (new features, bug fixes and translation work)
Deskbar-Applet 2.27.1 (bug fixes and translation work)
Eye of GNOME 2.27.1 (code cleanup, bug fixes and translation work)
GCalctool 5.27.1 (bug fixes and translation work)
GLib 2.21.0 (new features, bug fixes and translation work)
gnome-applets 2.27.1 (new features, code cleanup and translation work)
gnome-games 2.27.1 (new features, bug fixes and translation work)
GNOME Media 2.27.1 (bug fixes and translation work)
gnome-settings-daemon 2.27.1 (bug fixes and translation work)
GOK 2.27.1 (bug fixes and translation work)
gscan2pdf 0.9.28 (bug fixes and translation work)
GTK+ 2.17.0 (new features, bug fixes and translation work)
krb5-auth-dialog 0.9.1 (new features and bug fixes)
Lasem 0.1.0 (unspecified)
mousetweaks 2.27.1 (code cleanup, documentation and translation work)
Nemiver release 0.6.7 (bug fixes, code cleanup and translation work)
Orca 2.27.1 (new features, bug fixes and translation work)
Paperbox 0.4.2 (new features, code cleanup and translation work)
PyGobject 2.17.0 (new features, bug fixes and documentation work)
PyGTK 2.15.0 (new features and bug fixes)
rep-gtk 0.18.5 (new features and bug fixes)
seahorse 2.27.1 (bug fixes and translation work)
seahorse-plugins 2.27.1 (code cleanup and translation work)
Seed 0.6 (new features, code cleanup, build fixes)
Tomboy 0.15.0 (new features, bug fixes and translation work)

You can find more new GNOME software releases at gnomefiles.org.

The following event listing is taken from the LWN.net Calendar.

Date(s)	Event	Location
May 13 May 15	FOSSLC Summercamp 2009	Ottawa, Ontario, Canada
May 15 May 16	CONFidence 2009	Krakow, Poland
May 15	Firebird Developers Day - Brazil	Piracicaba, Brazil
May 16 May 17	YAPC::Russia 2009	Moscow, Russia
May 18 May 19	Cloud Summit 2009	Las Vegas, NV, USA
May 19 May 22	PGCon PostgreSQL Conference	Ottawa, Canada
May 19	Workshop on Software Engineering for Secure Systems	Vancouver, Canada
May 19 May 22	php\|tek 2009	Chicago, IL, USA
May 19 May 21	Where 2.0 Conference	San Jose, CA, USA
May 19 May 22	SEaCURE.it	Villasimius, Italy
May 21	7th WhyFLOSS Conference Madrid 09	Madrid, Spain
May 22 May 23	eLiberatica - The Benefits of Open Source and Free Technologies	Bucharest, Romania
May 23 May 24	LayerOne Security Conference	Anaheim, CA, USA
May 25 May 29	Ubuntu Developers Summit - Karmic Koala	Barcelona, Spain
May 27 May 28	EUSecWest 2009	London, UK
May 28	Canberra LUG Monthly meeting - May 2009	Canberra, Australia
May 29 May 31	Mozilla Maemo Mer Danish Weekend	Copenhagen, Denmark
May 31 June 3	Techno Security 2009	Myrtle Beach, SC, USA
June 1 June 5	Python Bootcamp with Dave Beazley	Atlanta, GA, USA
June 2 June 4	SOA in Healthcare Conference	Chicago, IL, USA
June 3 June 5	LinuxDays 2009	Geneva, Switzerland
June 3 June 4	Nordic Meet on Nagios 2009	Stockholm, Sweden
June 6	PgDay Junín 2009	Buenos Aires, Argentina
June 8 June 12	Ruby on Rails Bootcamp with Charles B. Quinn	Atlanta, GA, USA
June 10 June 11	FreedomHEC Taipei	Taipei, Taiwan
June 11 June 12	ShakaCon Security Conference	Honolulu, HI, USA
June 12 June 13	III Conferenza Italiana sul Software Libero	Bologna, Italy
June 12 June 14	Writing Open Source: The Conference	Owen Sound, Canada
June 13	SouthEast LinuxFest	Clemson, SC, USA
June 14 June 19	2009 USENIX Annual Technical Conference	San Diego, USA
June 17 June 19	Open Source Bridge	Portland, OR, USA
June 17 June 19	Conference on Cyber Warfare	Tallinn, Estonia
June 20 June 26	Beginning iPhone for Commuters	New York, USA
June 22 June 24	Velocity 2009	San Jose, CA, USA
June 22 June 24	YAPC\|10	Pittsburgh, PA, USA
June 24 June 27	LinuxTag 2009	Berlin, Germany
June 24 June 27	10th International Free Software Forum	Porto Alegre, Brazil
June 26 June 28	Fedora Users and Developers Conference - Berlin	Berlin, Germany
June 26 June 30	Hacker Space Festival 2009	Seine, France
June 28 July 4	EuroPython 2009	Birmingham, UK
June 29 June 30	Open Source China World 2009	Beijing, China
July 1 July 3	OSPERT 2009	Dublin, Ireland
July 1 July 3	ICOODB 2009	Zurich, Switzerland
July 2 July 5	ToorCamp 2009	Moses Lake, WA, USA
July 3 July 11	Gran Canaria Desktop Summit (GUADEC/Akademy)	Gran Canaria, Spain
July 3	PHP'n Rio 09	Rio de Janeiro, Brazil
July 4	Open Tech 2009	London, UK
July 6 July 10	Python African Tour : Sénégal	Dakar, Sénégal
July 7 July 11	Libre Software Meeting	Nantes, France

If your event does not appear here, please tell us about it.

ESP launches en.swpat.org: a wiki for anti-software patent campaigns

End Software Patents (ESP) has announced a new wiki to document the case against software patents at en.swpat.org. "ESP's executive director Ciaran O'Riordan explains: 'So far, we have articles about the case law, legislation, and patent office behavior in various countries. We have articles about economic studies, about related books, about the various ways to fight software patents, about each of the arguments against software patents, and most importantly, the evidence for each argument. [...]'" Click below for the full announcement.

Full Story (comments: 3)

My developerWorks: 6 ways to build your technical skills and your professional network (developerWorks)

IBM has launched My developerWorks, a social networking site. "It may look small at first: just sticking "My" in front of developerWorks. But what those characters represent is huge: You can now interact with developerWorks' how-to content and with your peers on a personal level—by personalizing and customizing your view of developerWorks content so you see just the information that's pertinent to you. My developerWorks makes it easy. It also gives you a window into the ways your peers are using, tagging, and contributing to the knowledge base, so you can learn from each other while building your skills and your professional network at the same time."

Comments (3 posted)

LWN.net Weekly Edition for May 7, 2009

Remaking JF builds

Building Android from source

Android and the ADP1

The Concept: a bird's eye view

Recent sightings

Elsewhere in the ecosystem

Security

New vulnerabilities

apache: information leak

Apport: arbitrary file removal

bash-completion: incorrect metacharacter quoting

clamav: incorrect ownership

drupal: multiple vulnerabilities

gpdf: buffer overflows

kernel: denial of service

kernel: multiple vulnerabilities

libwmf: pointer use-after-free flaw

memcached: information leak

moin: cross-site scripting

pam_ssh: information (user account existence) leak

prelude-manager: database password in world-readable configuration

quagga: improper assertion

ruby: denial of service

Kernel development

Brief items

Kernel development news

Patches and updates

Kernel trees

Architecture-specific

Build system

Core kernel code

Development tools

Device drivers

Documentation

Filesystems and block I/O

Janitorial

Memory management

Networking

Security-related

Virtualization and containers

Miscellaneous

Distributions

News and Editorials

Unit tests for an operating system

Of course it runs NetBSD.

Towards NetBSD 6.0

Conclusion

New Releases

Distribution News

Debian GNU/Linux

Fedora

Gentoo Linux

Mandriva Linux

Distribution Newsletters

Newsletters and articles of interest

Development

Setup and configuration

Daily use of SchoolTool

Future Plans

System Applications

Database Software

Interoperability

LDAP Software

Miscellaneous

Desktop Applications

Audio Applications

Data Visualization

Desktop Environments

Educational Software

Electronics

Games

Music Applications

Office Suites

Miscellaneous

Languages and Tools

C

Caml

Python

Editors