LWN.net Weekly Edition for July 30, 2009
GNOME on non-Linux platforms
Supporting multiple platforms in a free software project can be difficult; even more so when the software needs to closely interact with the underlying hardware. The GNOME project is currently struggling with that issue a bit, as some would like to see a definitive statement that the GNOME desktop environment is targeted for Linux exclusively, while others see supporting Solaris and the various flavors of BSD as essential. But, because the majority of GNOME developers are Linux-based, there will always be something of a Linux-bias, as most new features, especially low-level features, get their start on Linux.
We have seen this kind of thing crop up before. The DRI/DRM project for supporting 3D graphics for the X Window system ran into a similar problem last September. When the bulk of the development community is based on just one of the target platforms, it is difficult to fully support the minority targets. For GNOME, that means that the BSDs and Solaris have to play catch-up on some low-level features like HAL or, more recently, things like DeviceKit and PolicyKit.
Christian Schaller started things off with a request on the gnome-desktop-devel mailing list: "So I would like to ask the GNOME release team to please come forward and clearly state that the future of GNOME is to be a linux desktop system as opposed to a desktop system for any Unix-like system." His point was that it was already a fait accompli, but that the GNOME community—and release team—should formalize the decision, rather than just continue to handle things that way.
As one might guess, there was far from uniform agreement with that idea. Sun folks, in particular, were not particularly enamored with officially proclaiming GNOME to be "Linux only". Sun is a long-time contributor to GNOME and would rather see the multi-platform nature of GNOME continue. As Calum Benson put it:
One of the problems with that approach is the testing burden that it causes. Developers would need to check that their code works on multiple different systems, many of which are either not available or not particularly interesting to those developers. Those who want to see GNOME supported on their OS will clearly need to do the bulk of the work to make that happen. But there is an additional problem, as David Zeuthen points out:
In that message, Zeuthen outlined how he had seen several GNOME features get added to Solaris long after there were Linux implementations, which resulted in a lot more pain for Solaris. He would much rather see Sun (and other interested parties) start working on these new features as they are being developed, so that portability and other problems are identified earlier and fixed—before they become set in stone. Benson agreed: "Oh, there's no doubt Sun and our ilk have to do much better as well". Artem Kachitchkine, who did the initial HAL port to Solaris, also agreed, but thinks that it is still possible to do timely multi-platform releases:
So from a bystander's point of view, maintaining GNOME's platform neutrality requires effort from both sides: from the ideological leaders, maintaining portability as a core requirement, built in not screwed on; and from interested platforms, continuous participation and timely response.
Though the Sun folks participating in the discussion made it clear they weren't necessarily representing the company's views, the discussion does show that some Sun engineers are aware of the issues—and would like to see them get resolved. On the other hand, no one from the BSD camp spoke up, or provided any glimpse into the thinking of the other main GNOME desktop platforms. If Kachitchkine's vision is to come about, the BSDs would need to get on board as well.
Somewhat ironically, supporting GNOME on Windows and Mac OS X is quite a bit easier, as they do not require the desktop functionality. As Jason Clinton points out, those two platforms are "application target platforms" as opposed to "desktop target platforms" like Solaris, Linux, and the BSDs. He also notes that the BSD situation is rather different than that for Solaris:
OpenSolaris, however, suffers from a legacy of esoterically cathedral-like design on some fundamental sub-systems. The work to make all the things mentioned above work is so, so much more than any other platform for GNOME.
Clinton floated the idea that Sun should just drop Solaris and move to Linux, though no one really wanted to see yet another Solaris vs. Linux flamewar. But his point about Solaris standing out from the rest of the desktop target platforms rings true, and it will be up to Sun—or the OpenSolaris community—to put the effort into making GNOME work on that platform. The right way to approach that, as Zeuthen and others said, is for Solaris folks to be working with the GNOME community, not just making GNOME work on their OS. Zeuthen cites a specific example of what he means:
In the end, though, it is the evolution of what a "desktop environment" encompasses that underlies much of the difficulty with portability. With desktop environments taking on more and more of the functionality typically handled by the kernel and other low-level plumbing, it will be difficult to keep it easily portable to different platforms. Colin Walters sums it up this way:
Those kinds of problems are only going to be solved—at least in a cross-platform manner—by all of the stakeholders working together, from the outset, on a solution. Currently, that doesn't seem to be happening, so the Linux-oriented solutions dominate. As GNOME continues to move more into the system-level services, which traditionally have been handled by the platform itself, there is clearly a need for the Solaris and BSD communities to get involved. Until that happens, we are likely to continue to see the "Linux first" style of GNOME development, either officially or tacitly.
A new GCC runtime library license snag?
The saga of the GCC runtime library has been covered here a couple of times in the past. The library's license is a legal hack which tries to accomplish a set of seemingly conflicting goals. The GCC runtime library (needed by almost all GCC-compiled programs) is licensed under GPLv3; that notwithstanding, the Free Software Foundation wants this library to be usable by proprietary programs - but only if no proprietary GCC plugins have been used in the compilation process. The runtime library exception published by the FSF appears to have accomplished those objectives. But now it seems that, perhaps, the GCC runtime licensing has put distributors into a difficult position.
The problem has to do with programs which are licensed exclusively under version 2 of the GPL. Examples of such programs include git and udev, but there are quite a few more. The GPLv3 licensing of the GCC runtime library (as of version 4.4) would normally make that library impossible to distribute in combination with a GPLv2-licensed program, since the two licenses are incompatible. The runtime library exception is intended to make that problem go away; the relevant text is:
So, as long as the licensing of the "Independent Modules" (the GPLv2-licensed code, in this case) allows it, the GCC runtime library can be distributed in binary form with code under a GPLv3-incompatible license. So there should not be a problem here.
But what if the licensing of the "Independent Modules" does not allow this to happen? That is the question which Florian Weimer raised on the GCC mailing list. The GCC runtime library exception allows that code to be combined with programs incompatible with its license. But, if the program in question is covered by GPLv2, the problem has not been entirely resolved: GPLv2 still does not allow the distribution of a derived work containing code with a GPLv2-incompatible license. The GPLv3 licensing of the runtime library is, indeed, incompatible with GPLv2, so combining the two and distributing the result would appear to be a violation of the program's license.
The authors of version 2 of the GPL actually anticipated this problem; for that reason, that license, too, contains an exception:
This is the "system library" exception; without it, distributing binary copies of GPLv2-licensed programs for proprietary platforms would not be allowed. Even distributing a Linux binary would risk putting the people distributing the program in a position where they would have to be prepared to provide (under a GPLv2-compatible license) the sources for all of the libraries used by the binary. This exception is important; without it, distributing GPLv2-licensed programs in binary form would be painful (at best) or simply impossible.
But note that the exception itself contains an exception: "unless that component itself accompanies the executable." This says that, if somebody distributes GCC together with a GPLv2-licensed program, the system library exception does not apply to the code which comes from GCC. And that includes the GCC runtime library. One might think that tossing a copy of the compiler into the distribution of a binary program would be a strange course of action, but that is exactly what distributors do. So, on the face of it, distributors like Debian (which, naturally, turned up this problem) cannot package GPLv2-licensed code with the GCC 4.4 runtime library without violating the terms of GPLv2.
This is a perverse result that, probably, was not envisioned or desired by the FSF when it wrote these licenses. But Florian reports that attempts to get clarification from the FSF have gone unanswered since last April. He adds:
One could argue that the real problem is with the GPLv2 system library exception-exception. That (legal) code was written in a world where there were no free operating systems or distributors thereof, and where nobody was really thinking that there could be conflicting versions of the GPL. Fixing GPLv2 is not really an option, though; this particular problem will have to be resolved elsewhere. But it's not entirely clear where that resolution could be.
A statement from the FSF that, in its view, distributing GPLv2-licensed binaries with the GPLv3-licensed GCC runtime library is consistent with the requirements of both licenses might be enough. But such a statement would not be binding on any other copyright holders - and it is probable that the bulk of the code which is not making the move to GPLv3 is not owned by the FSF. A loosening of the licensing on the GCC runtime library could help, but this is a problem which could return, zombie-like, every time a body of library code moves to GPLv3. It's a consequence of the fundamental incompatibility between versions 2 and 3 of the license.
This has the look of the sort of problem that might ordinarily be studiously ignored into oblivion. If one avoids the cynical view that the FSF desires this incompatibility as a way of pushing code toward GPLv3, it's hard to see a situation where a copyright holder would actually challenge a distributor for shipping this particular combination. But the Debian Project is not known for ignoring this kind of issue. So we may well be hearing more about this conflict in the coming months.
(Thanks to Brad Hards for the heads-up on this issue).
OSCON 2009: Governments and open source
It is hard to have an overriding "theme" at an event as large as O'Reilly's Open Source Convention (OSCON), but during the 2009 convention, one subject that came up again and again was increasing the number of connections between open source and government. There are three basic facets to the topic: adoption of open source products by government agencies, participation in open source project development by governments and their employees, and using open source to increase transparency and public access to governmental data and resources. Though much of the discussion (particularly in the latter category) sprang from the new Obama administration's interest in open data and government transparency, very few of the issues are US-centric: the big obstacles to government adoption of open source technology are the same around the world, from opaque procurement processes to fears about secrecy and security.
O'Reilly CEO Tim O'Reilly was the first to broach the subject, in his Wednesday morning keynote, and over the next three days, no fewer than three talks and three panel discussions dealt with government and open source interaction. The Open Source Initiative's (OSI) Danese Cooper led the "Open Source, Open Government" panel, which addressed all three dimensions of the issue turn by turn. Deborah Bryant of Oregon State University's Open Source Lab (OSL) led the panel discussion "Bureaucrats, Technocrats and Policy Cats: How the Government is turning to Open Source, and Why," which focused on adoption and transparency. Adina Levin of Socialtext led the "Hacking the Open Government" panel in a discussion centering on open data access.
Clay Johnson's "Apps for America" session dealt with open source adoption and open data, courtesy of Sunlight Labs' involvement in the US government's Data.gov service. Gunnar Hellekson of Red Hat emphasized government participation in his "Applying Open Source Principles to Federal Government" talk, and the "Computational Journalism" session by Nick Diakopoulos and Brad Stenger dealt with practical examples of turning open access government data into a usable form. Finally, Sunlight Labs led all-day hackathon sessions Wednesday through Friday, helping attendees build applications that use government data sources.
Government usage of open source
The open source community has two reasons to encourage increased usage of open source code by government agencies: because it believes in the inherent value of open source, and because using free software instead of proprietary software means less taxpayer money is spent on IT infrastructure. Several of the OSCON sessions addressed the barriers to entry faced by open source as a product. Some are well-known, such as long-time government contractors' larger presence in the bidding process and the lingering perception that open source code leaves no one to blame when problems arise.
Other issues, however, are less frequently raised but just as real. For example, several panelists at "Open Source, Open Government" agreed that some government entities put up fierce resistance to free software because they do not want to run afoul of ethics laws that prohibit them from accepting gifts — if free software has value, then government officials are not allowed to receive the code without paying for it. That objection elicited a small amount of laughter from the audience, but all on stage agreed that it is a genuine concern.
Solutions to these barriers to entry involve both new ideas and old-fashioned legwork. OSI's Michael Tiemann observed that government's distinctive buying habits permit open source some additional advantages over proprietary software, for those who are looking for them. He cited the example of product retirement: government agencies are often restricted in how and when they can dispose of old technology (for security and budgetary reasons). In contrast, open source products that are deemed failed experiments or simply no longer needed can be disposed of easily. Hellekson concurred, noting that the US Department of Defense has recently acknowledged that breaking projects into smaller, modular chunks is more successful than the traditional large contracts.
As O'Reilly pointed out in his keynote, though, getting open source products considered during the bidding process for most government contracts is primarily a challenge of persistence. There are many people with the skills to navigate the procurement processes, he said, but considering the specialization required, few are able or willing to make selling to a single customer (such as a national government) their entire career.
Government contributions to open source
Once a government agency has adopted an open source package for its own internal use, there is often another battle to get the agency to participate in the open source development model, sending patches or even bug reports back upstream. Digium's John Todd noted that, in his experience with the Asterisk project, public employees often are not permitted to contribute code to open source projects, or they find that there is no process in place to get approval to contribute.
Bryant responded to Todd's story by saying that OSL had some resources that could prove useful in talking to public employees. OSL also hosts the Government Open Source Conference (GOSCON), which emphasizes participation in open source development.
Hellekson cited several examples of government agencies that are participating in open source development, notably NASA's CoLab, the Department of Energy, the US Navy, and the National Consortium for Offender Management Systems, a coalition of state correctional agencies.
Enhancing government with open source
Using open source software to improve government transparency and access was the most popular aspect of the government/open source connection — in large part encouraged by the recent appointment of two open source-friendly people to prominent technology positions in the US government: Aneesh Chopra for Federal Chief Technology Officer and Vivek Kundra for Federal Chief Information Officer.
"Open government" as a political principle is not specific to software, but many of the speakers and panelists at OSCON centered in on the areas where open source software could contribute to the broader goal: namely, making government-produced and government-collected data easier to access and mine, and building mash-ups and other applications on top of government sources that expose new information to the public.
Several of the speakers, including the Sunlight Foundation's Greg Elin, emphasized that the new US administration's present interest in open data is a valuable opportunity to showcase the useful public applications that open source software can produce — but that the window of opportunity will not remain open for long, thanks to re-election cycles and waning interest. By the end of 2009, said Johnson, if open source coders have not built demonstrable success stories on top of the government's open data, it will be harder to persuade Washington D.C. to open up additional data sets.
Sunlight Labs' focus is building applications that take advantage of Data.gov, a new initiative that makes raw data catalogs publicly available in machine- and human-readable form. The initial data sets released are collected from 18 agencies such as the US Geological Survey, Environmental Protection Agency, Patent and Trademark Office, and even the Department of Homeland Security. Sunlight is sponsoring a development contest that will award $25,000 in prizes to open source application developers that use Data.gov.
The various OSCON panels discussed what tools and infrastructure are needed to better take advantage of the data that governments do provide — including query pre-processors to enable better searching, document-to-data conversion utilities, reusable encapsulation APIs in popular languages like Python and Ruby, and good simulation and prediction models to analyze the data itself in more than a historical context.
Hellekson summarized what the open source community can do to better work with government agencies making their first forays into open source collaboration. His three points were to remember that "government agencies" are actually just people, to allow those people to make mistakes and learn from them, and to celebrate their successes.
Hobbyist, to enterprise, to government
From an open source developer's perspective, local, regional, and national governments represent potential users, customers ... and developers. Much of the OSCON discussion about open source and government moved beyond such practical technical considerations to touch on philosophy, too — open content from governments should lead to more transparent processes, greater accountability, and better democracy, so the argument goes.
However one feels about that question, though, working more closely with government agencies can be a huge win for open source projects and communities. Excitement over the possibilities was on display at OSCON; with luck the increased engagement with the public sector will be just as fruitful as it has been with the enterprise sector over the past few years.
Security
A desktop "secrets" API
There is often a fair amount of secret information that a Linux user might store on their computer—things like passwords for sensitive sites, private ssh keys, and Swiss bank account numbers. If multiple applications, typically desktop applications, need to access that information, there are solutions in the form of GNOME Keyring and KDE Wallet, but those solutions are only available to applications written for those specific desktop environments. A new freedesktop.org initiative, started by the developers of those two solutions, aims to create a "Secrets API" that can be used across desktop environments so that users can have access to their secrets from any application, regardless of which desktop it comes from.
The project was announced by KDE Wallet developer Michael Leupold on the XDG mailing list (as well as on his blog). The basic idea is fairly straightforward: users will still run Keyring or Wallet as part of their login session—which will depend on the desktop they use—but there will be an API that allows applications to extract these secrets without caring which secret storage program is providing them.
Not surprisingly, given that it is a cross-desktop API, D-Bus will be used to implement a protocol for extracting the needed secrets. Applications will then use the new API so that they are insulated from the underlying secret storage service. In his blog posting, Leupold notes that he will be trying to provide backward compatibility: "While I expect a new client-side API (which I imagine to be more OO style than KWallet::Wallet), I'll keep an eye on providing something the current class can wrap so even applications using the old API will be able to use the new system." It seems likely that Stef Walter, the Keyring developer, will do something similar for GNOME applications.
In the Secrets API, secrets are just arrays of bytes that get transferred, possibly encrypted, between the application and the storage facility. Each secret is associated with a simple dictionary (i.e. set of name, value pairs) called "lookup attributes", which are to be used to find the secret. In addition, secrets have a label and properties associated with them. Secrets can then be grouped into "collections", which more or less correspond to today's keyrings or wallets.
Items and collections can be locked, such that an unlocking process needs to happen before they can be accessed. In practice, that would generally mean that the user was prompted for a password before the item or collection could be retrieved by the application.
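To make the data model in the preceding paragraphs concrete (byte-array secrets carrying a label and a dictionary of lookup attributes, grouped into collections that must be unlocked before a secret can be read), here is a small in-memory model of a secret storage service. It is an added example written for this article, not code from the freedesktop.org project, and it is not the D-Bus interface the draft specification defines: the class and method names, the passphrase-based unlock standing in for the user prompt, and the "browser hop" scenario with two applications are all assumptions made for illustration.

```python
# Constructed model of a secret storage service: NOT the freedesktop.org
# Secrets API or its D-Bus interface; every name here is an assumption.
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class CollectionLocked(PermissionError):
    """Raised when a secret is read from a collection that is still locked."""


@dataclass
class Item:
    label: str
    attributes: Dict[str, str]   # lookup attributes: how applications find the item
    secret: bytes                # the secret itself is an opaque byte array


@dataclass
class Collection:
    label: str
    passphrase: str              # stands in for the user's unlock prompt (constructed)
    items: List[Item] = field(default_factory=list)
    locked: bool = True


class SecretStore:
    """In-memory stand-in for a keyring/wallet daemon (constructed example)."""

    def __init__(self) -> None:
        self._collections: Dict[str, Collection] = {}

    def create_collection(self, label: str, passphrase: str) -> Collection:
        coll = Collection(label=label, passphrase=passphrase, locked=False)
        self._collections[label] = coll
        return coll

    def lock(self, label: str) -> None:
        self._collections[label].locked = True

    def unlock(self, label: str, passphrase: str) -> bool:
        """Simulate the password prompt; compare the answer in constant time."""
        coll = self._collections[label]
        if hmac.compare_digest(passphrase.encode(), coll.passphrase.encode()):
            coll.locked = False
        return not coll.locked

    def store(self, coll_label: str, label: str,
              attributes: Dict[str, str], secret: bytes) -> Item:
        coll = self._collections[coll_label]
        if coll.locked:
            raise CollectionLocked(coll_label)
        # An item with identical lookup attributes is replaced, not duplicated.
        coll.items = [it for it in coll.items if it.attributes != attributes]
        item = Item(label=label, attributes=dict(attributes), secret=bytes(secret))
        coll.items.append(item)
        return item

    def search(self, attributes: Dict[str, str]) -> Tuple[List[Item], List[Item]]:
        """Return (unlocked, locked) items whose attributes contain every given pair.
        Matching uses attributes only, so a locked item can be found but not read."""
        unlocked: List[Item] = []
        locked: List[Item] = []
        for coll in self._collections.values():
            for it in coll.items:
                if all(it.attributes.get(k) == v for k, v in attributes.items()):
                    (locked if coll.locked else unlocked).append(it)
        return unlocked, locked

    def get_secret(self, item: Item) -> bytes:
        for coll in self._collections.values():
            if item in coll.items:
                if coll.locked:
                    raise CollectionLocked(coll.label)
                return item.secret
        raise KeyError(item.label)


def browser_hop_demo() -> Tuple[bytes, int]:
    """Application A saves a site login; application B finds it by lookup
    attributes alone. Returns (secret read by B, items found while locked)."""
    store = SecretStore()
    store.create_collection("login", passphrase="correct horse")   # constructed
    # Application A (say, a GNOME browser) stores the password.
    store.store("login", "alice @ example.com",
                {"server": "example.com", "user": "alice", "protocol": "https"},
                b"s3cret-password")
    store.lock("login")
    # Application B (say, a KDE browser) asks for the same site later.
    found, locked = store.search({"server": "example.com", "user": "alice"})
    locked_count = len(locked)
    try:
        store.get_secret(locked[0])
    except CollectionLocked:
        pass                 # expected: the user has not unlocked the collection yet
    store.unlock("login", "correct horse")
    found, _ = store.search({"server": "example.com", "user": "alice"})
    return store.get_secret(found[0]), locked_count
```

The search deliberately matches on lookup attributes rather than on the label, which is what lets two unrelated applications share one stored password without agreeing on anything but the attribute names; the lock check sits in `get_secret`, so finding an item never reveals its bytes.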
Clients can negotiate encryption of the secret information as it is transferred to or from the storage service. While that may seem like a good idea overall, the API documentation comes with some fairly strong caveats:
Many client applications may choose not to make use of the provisions to encrypt secrets in transit. In fact for applications unable to prevent their own memory from being paged to disk (eg: Java, C# or Python apps), [transferring] encrypted secrets would be an [exercise] of questionable value.
There are more details, of course, and the API specification is being discussed and revised on the freedesktop.org Authentication mailing list. In addition, there is discussion of higher-level topics on the list, such as how browsers will identify their secrets so that moving between browsers, while still being able to use the password information stored for the user, is easy. As Leupold notes, that is one of the most likely scenarios for users needing the Secrets API.
With this API in place, GNOME users could use Konqueror and still have access to their passwords, and the same goes for KDE users and Epiphany. As Leupold points out in his blog posting, though, Mozilla has not shown any interest, at least yet. Integrating with the Linux desktop has not really ever been a priority for Mozilla, so one might expect Firefox, et al. to lag in this area.
Even for those not running one of the "big two" desktop environments, a suitably configured system—with D-Bus and one of the secret storage services enabled—could take advantage of the Secrets API. Interoperability between desktop environments is a good thing, and not having to store passwords somewhere external so that one can "browser hop" can only be a good thing as well. As it matures, other applications needing to store secrets will presumably use it too. Having a single, hopefully well-vetted, location for storing this kind of information—encrypted and password-protected—may also lead to better security for users.
Brief items
BIND 9 denial of service being actively exploited
Internet Systems Consortium, the developers of the BIND DNS server, is reporting a denial of service vulnerability that is being actively exploited. "Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert. [...] This vulnerability affects all servers that are masters for one or more zones; it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround." ISC is urgently suggesting that everyone upgrade BIND to 9.4.3-P3, 9.5.1-P3, or 9.6.1-P1.
Finding Linux Bugs Before they Become Exploits (internetnews.com)
Over at internetnews.com, there is a look at the role the Coverity scanner played in finding the bad code that allowed the recent kernel NULL pointer exploit. "The issue of patching aside, the public exploit could easily have been a zero day exploit on the Linux kernel itself, were it not for the fact that the bug that enables the exploit was caught by a scan from code scanning vendor Coverity. The Linux kernel has been actively scanned by Coverity since at least 2004 in an effort to find bugs and improve code quality."
New vulnerabilities
bind: denial of service
| Package(s): | bind9 bind | CVE #(s): | CVE-2009-0696 |
| Created: | July 29, 2009 | Updated: | January 21, 2010 |
| Description: | Bind 9 fails to validate certain dynamic DNS update packets, causing the server to crash. This vulnerability is being actively exploited. | | |
| Alerts: | | | |
bugzilla: privilege escalation
| Package(s): | bugzilla | CVE #(s): | |
| Created: | July 28, 2009 | Updated: | July 29, 2009 |
| Description: | From the bugzilla security advisory: Bug reporters could confirm their bugs and change their bugs' statuses, even if they didn't have the appropriate permissions. | | |
| Alerts: | | | |
compface: buffer overflow
| Package(s): | compface | CVE #(s): | CVE-2009-2286 |
| Created: | July 29, 2009 | Updated: | July 29, 2009 |
| Description: | Compface 1.5.2 contains a buffer overflow which can be exploited to (at least) crash the process. It's worth noting that, while this is a 2009 CVE, Fedora fixed the bug in 2006. | | |
| Alerts: | | | |
firefox: denial of service
| Package(s): | firefox | CVE #(s): | CVE-2009-2478 |
| Created: | July 23, 2009 | Updated: | July 29, 2009 |
| Description: | From the National Vulnerability Database entry: "Mozilla Firefox 3.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors, related to a "flash bug."" | | |
| Alerts: | | | |
firefox: denial of service
| Package(s): | firefox | CVE #(s): | CVE-2009-2479 |
| Created: | July 23, 2009 | Updated: | July 29, 2009 |
| Description: | From the National Vulnerability Database entry: "Mozilla Firefox 3.0.x, 3.5, and 3.5.1 on Windows allows remote attackers to cause a denial of service (uncaught exception and application crash) via a long Unicode string argument to the write method. NOTE: this was originally reported as a stack-based buffer overflow. NOTE: on Linux and Mac OS X, a crash resulting from this long string reportedly occurs in an operating-system library, not in Firefox." | | |
| Alerts: | | | |
firefox: arbitrary code execution
| Package(s): | firefox | CVE #(s): | CVE-2009-2477 |
| Created: | July 23, 2009 | Updated: | July 29, 2009 |
| Description: | From the National Vulnerability Database entry: "js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements." | | |
| Alerts: | | | |
kdelibs: denial of service
| Package(s): | kdelibs | CVE #(s): | CVE-2009-1725 CVE-2009-2537 |
| Created: | July 28, 2009 | Updated: | January 25, 2011 |
| Description: | From the CVE entries: WebKit in Apple Safari before 4.0.2 does not properly handle numeric character references, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document. (CVE-2009-1725) KDE Konqueror allows remote attackers to cause a denial of service (memory consumption) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692. (CVE-2009-2537) | | |
| Alerts: | | | |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2009-1897 |
| Created: | July 27, 2009 | Updated: | October 5, 2009 |
| Description: | From the CVE entry: The tun_chr_poll function in drivers/net/tun.c in the tun subsystem in the Linux kernel 2.6.30 and 2.6.30.1, when the -fno-delete-null-pointer-checks gcc option is omitted, allows local users to gain privileges via vectors involving a NULL pointer dereference and an mmap of /dev/net/tun, a different vulnerability than CVE-2009-1894. | | |
| Alerts: | | | |
kernel: privilege escalation
Package(s): kernel
CVE #(s): CVE-2009-1895
Created: July 27, 2009
Updated: March 21, 2011
Description: From the CVE entry: The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).
kernel: multiple vulnerabilities
Package(s): kernel, linux, linux-source-2.6.15
CVE #(s): CVE-2009-2287 CVE-2009-2406 CVE-2009-2407
Created: July 28, 2009
Updated: February 18, 2011
Description: From the Ubuntu advisory:
Matt T. Yourst discovered that KVM did not correctly validate the page table root. A local attacker could exploit this to crash the system, leading to a denial of service. Ubuntu 6.06 was not affected. (CVE-2009-2287)
Ramon de Carvalho Valle discovered that eCryptfs did not correctly validate certain buffer sizes. A local attacker could create specially crafted eCryptfs files to crash the system or gain elevated privileges. Ubuntu 6.06 was not affected. (CVE-2009-2406, CVE-2009-2407)
mysql: denial of service and "unspecified other impact"
Package(s): mysql
CVE #(s): CVE-2009-2446
Created: July 27, 2009
Updated: March 8, 2010
Description: From the Mandriva advisory: Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details are obtained from third party information (CVE-2009-2446).
openexr: several vulnerabilities
Package(s): openexr
CVE #(s): CVE-2009-1720 CVE-2009-1721 CVE-2009-1722
Created: July 28, 2009
Updated: December 9, 2013
Description: From the Debian advisory: Several vulnerabilities have been discovered in the OpenEXR image library, which can lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
Drew Yao discovered integer overflows in the preview and compression code. (CVE-2009-1720)
Drew Yao discovered that an uninitialised pointer could be freed in the decompression code. (CVE-2009-1721)
A buffer overflow was discovered in the compression code. (CVE-2009-1722)
php: missing input validation
Package(s): php
Created: July 28, 2009
Updated: July 29, 2009
Description: From the php bug report: There seems to be a problem in exif_read_data(), where some fields representing offsets(?) are taken directly from the file without being validated, resulting in a segmentation fault.
squid: several vulnerabilities
Package(s): squid
Created: July 28, 2009
Updated: July 29, 2009
Description: From the Mandriva advisory: Multiple vulnerabilities have been found and corrected in squid:
Due to incorrect buffer limits and related bound checks Squid is vulnerable to a denial of service attack when processing specially crafted requests or responses. Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted responses. See this Squid advisory for more details.
znc: directory traversal
Package(s): znc
Created: July 29, 2009
Updated: August 3, 2009
Description: A directory traversal vulnerability in znc can enable a remote IRC user, with inadvertent local cooperation, to overwrite local files.
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current development kernel is 2.6.31-rc4, released on July 22. "Ok, that was a fun week. We had a binutils bug, a ccache bug, and a compiler bug. And that was just the bugs that were outside the kernel, but resulted in a broken build." Beyond that, it's mostly just a big pile of fixes, many of which are for newly-discovered NULL pointer problems; see the long-format changelog for full details.
The current stable 2.6 kernel is 2.6.30.3, released (along with 2.6.27.28) on July 24. This is a single-fix update to work around a compiler problem which affected 2.6.30.2 and 2.6.27.27.
The 2.6.30.4 and 2.6.27.29 updates are currently in the review process. These kernels (each containing a long list of assorted fixes) will likely be released sometime on July 30.
For 2.4 users: the 2.4.37.4 update was released on July 26. Among other things, it contains a personality-related security fix; 2.4 maintainer Willy Tarreau would appreciate more eyes on this code to help come up with a proper fix.
Kernel development news
Quotes of the week
In Brief
FAT timestamps. The FAT filesystem has a number of deficiencies. The fact that it cannot record time stamps for the root directory of a filesystem is probably not at the top of most people's lists, but Jorg Schummer has put together a patch to provide those time stamps anyway. The patch is a hack which stores the time stamp information in the FAT volume label, essentially hiding it from any system which doesn't know to look for it. This is not a new scheme; Mac OS X does the same thing. There does not seem to be a great clamor for this feature, but it is optional, the implementation is straightforward, and it's off by default. So there is little reason to leave it out either.
Remapping ext2/3 UIDs. Another failing of FAT is its inability to associate user or group ownership information with files. One would not normally want to port this "feature" to more complete filesystems, but Ludwig Nussel has noted a problem: a user moving an ext3 filesystem from one system to another will have problems accessing the files if said user's accounts have different user IDs on the two boxes. The solution is to add a uid= mount option to ext2 and ext3; the filesystem will then map between the given user ID (on the running system) and zero (on the filesystem).
There doesn't seem to be a great clamor for this feature either; the use of ext3 on filesystems moved between machines is probably relatively rare. Still, Andreas Dilger indicated that the feature might have its uses, but that some changes would be welcome. The ability to create root-owned setuid files needed to go away, and it would be nice to have a more general "remap UID1 to UID2" capability instead of just mapping to and from the root UID. Andreas also requested an ext4 version of the patch.
Fanotify. Eric Paris has posted a description of the new fanotify API for comments, noting that real patches will follow soon. That API has changed considerably since it was covered here at the beginning of July; the strange use of getsockopt() to get notifications is no more. Instead, a relatively normal socket is created, with read() being used to read notification events. There were a number of comments and suggestions, but the consensus seems to be that things are headed in the right direction.
ABUSE. We have FUSE, which allows the implementation of filesystems in user space, and CUSE, which does the same for char devices. So why not do the same thing for block devices? With Zachary Amsden's ABUSE patch, that now becomes possible. Zachary says: "This device is not about performance, it is about extending the boundaries of the kernel to the almost improbable." The code commentary notes that the feature can be "incredibly useful," but it's not clear what use case is being targeted at the moment.
ABUSE is highly unlikely to be merged, for the simple reason that much of what it does is already doable with the network block device (NBD) driver. Zachary plans to move to NBD for whatever purpose he has in mind. That purpose, apparently, makes it necessary to have access to partitions, which is why FUSE cannot be used.
The partitions topic led to a small side discussion, where Alan Cox suggested that partition support should be removed from the kernel altogether. Instead, the device mapper should be used to implement partitions. There are a lot of advantages - mostly administrative flexibility - which come from the use of the device mapper, but there are users, Linus included, who are not interested in requiring its use. So the kernel's partition code will not be going anywhere anytime soon.
A new book on the way. Man pages maintainer Michael Kerrisk, while writing about a recent release, noted that he is well along in the writing of a new book which extensively documents the Linux kernel's user-space API. It will not be light reading; it looks to end up at about 1500 pages. For the curious, Michael has posted a general description of the book and the table of contents. Publication is expected sometime in the first half of 2010.
Dynamic probes with ftrace
The ftrace tracing infrastructure has only been in the mainline since 2.6.27 - less than one year. During that time, ftrace has seen a great deal of development and has acquired several new capabilities. It now provides many of the features that come with more heavyweight tools like SystemTap, along with some which are unique to ftrace. But there are still capabilities found in "real" tracing utilities which are not present in ftrace. One of the more significant limitations is the lack of dynamic tracing; ftrace can easily trace function calls or use static tracepoints placed in the kernel source, but it cannot add its own tracepoints on the fly. That could change, though, should Masami Hiramatsu's kprobe-based event tracer patch make it into the mainline.
The kprobes mechanism has been a part of the kernel for a long time; LWN ran an overview of it back in 2005. Kprobes are, of course, dynamic tracepoints; by use of on-the-fly code patching, the kernel can hook into its own code at any point. Tools like SystemTap use kprobes to implement their dynamic tracing features. With SystemTap, though, these probes are inserted by way of a special kernel module generated on the fly - a bit of a tricky interface. Masami's patch aims to turn the insertion of dynamic probes into something close to a command-line operation.
The patch creates a new debugfs file /sys/kernel/debug/tracing/kprobe_events. A new probe is inserted by appending a line to that file; that line has a somewhat complex format:
p[:EVENT] SYMBOL[+offset|-offset]|MEMADDR [FETCHARGS]
r[:EVENT] SYMBOL[+0] [FETCHARGS]
The first variant will set a probe with the optional name EVENT (if the name isn't supplied, the code makes one up). The probe will be placed at the location of the given SYMBOL, adjusted by the optional offset; an absolute address (MEMADDR) can also be used to locate the probe. The FETCHARGS portion of the line describes the data to be fetched and emitted when the tracepoint is hit; the syntax allows the specification of various types of data, including register contents, stack offsets, absolute addresses, kernel symbols, function arguments, and more. What the code does not currently allow is much in the way of sophisticated formatting of this data; it comes out in straight hexadecimal format.
The second line, above, inserts a "retprobe" instead. Retprobes are fired when the given function (as specified by SYMBOL) returns to its caller; they can capture the function's return value and the address it is returning to.
The patch posting contains an example of a couple of probes placed in do_sys_open(); the commands to do so are:
echo p:myprobe do_sys_open a0 a1 a2 a3 > /sys/kernel/debug/tracing/kprobe_events
echo r:myretprobe do_sys_open rv ra >> /sys/kernel/debug/tracing/kprobe_events
Two probes are placed here. One called myprobe will fire on entry to do_sys_open() and output the values of the four arguments passed to that function. The other, myretprobe, triggers when do_sys_open() returns, fetching the return value and return address in the process.
The output from these tracepoints can be seen by reading /sys/kernel/debug/tracing/trace:
# TASK-PID CPU# TIMESTAMP FUNCTION
# | | | | |
<...>-1447 [001] 1038282.286885: do_sys_open+0x0/0xd6: 0xffffff9c 0x40413c 0x8000 0x1b6
<...>-1447 [001] 1038282.286915: sys_open+0x1b/0x1d <- do_sys_open: 0x3 0xffffffff81367a3a
Here we see a call to do_sys_open() with its four parameters: the directory file descriptor (0xffffff9c), file name pointer (0x40413c), flags (0x8000), and mode (0x1b6). For the curious, the strange file descriptor value is the magic value AT_FDCWD, meaning that the file lookup should begin in the current working directory. There is also a return line (as indicated by the "<-" arrow) showing that the call returned to sys_open(), having opened file descriptor 3.
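As an added example (not part of the patch posting or this article), a Python parser for trace records in the format shown above: it splits each line into task, pid, CPU, timestamp and probe body, tells entry probes from retprobes by the "<-" arrow, names the four words fetched at do_sys_open() (reading 0xffffff9c back as the signed AT_FDCWD), and pairs each entry with its return by pid. The embedded sample is the excerpt above; the O_LARGEFILE value and the argument order of the 2.6.30-era x86 do_sys_open() are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the trace excerpt from the article, as read back from
# /sys/kernel/debug/tracing/trace after the two echo commands.
SAMPLE_TRACE = """\
# TASK-PID CPU# TIMESTAMP FUNCTION
# | | | | |
<...>-1447 [001] 1038282.286885: do_sys_open+0x0/0xd6: 0xffffff9c 0x40413c 0x8000 0x1b6
<...>-1447 [001] 1038282.286915: sys_open+0x1b/0x1d <- do_sys_open: 0x3 0xffffffff81367a3a
"""

AT_FDCWD = -100        # dfd meaning "look the path up relative to the cwd"
O_LARGEFILE = 0x8000   # assumed x86 value; the only bit set in the sample's flags

# One trace record: task-pid, [cpu], timestamp:, then the probe-specific body
LINE_RE = re.compile(
    r"^(?P<task>\S+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<ts>\d+\.\d+):\s+(?P<body>.+)$")
# Entry probe body: SYMBOL+off/size: <hex fetch args>
ENTRY_RE = re.compile(
    r"^(?P<sym>\w+)\+(?P<off>0x[0-9a-f]+)/(?P<size>0x[0-9a-f]+):\s*(?P<args>.*)$")
# Return probe body: RETURN_SITE <- SYMBOL: <rv> <ra>
RET_RE = re.compile(
    r"^(?P<site>\w+\+0x[0-9a-f]+/0x[0-9a-f]+)\s+<-\s+(?P<sym>\w+):\s*(?P<args>.*)$")


def to_signed32(value: int) -> int:
    """Reinterpret a fetched 32-bit word as a signed C int (dfd is an int)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def parse_trace(text: str) -> List[Dict]:
    """Parse kprobe_events trace output into event dicts.

    '#' header lines are skipped; any other line that matches neither body
    form is reported rather than silently dropped.
    """
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised trace line: {line!r}")
        ev = {"task": m["task"], "pid": int(m["pid"]), "cpu": int(m["cpu"]),
              "timestamp": float(m["ts"])}
        body = m["body"]
        r = RET_RE.match(body)
        if r:
            vals = [int(v, 16) for v in r["args"].split()]
            ev.update(kind="return", symbol=r["sym"], return_site=r["site"],
                      retval=vals[0] if vals else None,
                      retaddr=vals[1] if len(vals) > 1 else None)
        else:
            e = ENTRY_RE.match(body)
            if not e:
                raise ValueError(f"unrecognised probe body: {body!r}")
            ev.update(kind="entry", symbol=e["sym"], offset=int(e["off"], 16),
                      args=[int(v, 16) for v in e["args"].split()])
        events.append(ev)
    return events


def decode_do_sys_open(ev: Dict) -> Dict:
    """Name the raw words fetched as a0..a3 at do_sys_open(dfd, filename, flags, mode)."""
    if ev["kind"] != "entry" or ev["symbol"] != "do_sys_open" or len(ev["args"]) < 4:
        raise ValueError("expected a do_sys_open entry event with a0..a3 fetched")
    dfd, filename, flags, mode = ev["args"][:4]
    dfd = to_signed32(dfd)
    return {"dfd": dfd, "cwd_relative": dfd == AT_FDCWD,
            "filename_ptr": filename, "flags": flags,
            "largefile": bool(flags & O_LARGEFILE), "mode": oct(mode)}


def pair_calls(events: List[Dict]) -> List[Tuple[Dict, Dict]]:
    """Match each entry event with the next return event for the same pid and symbol."""
    pending: Dict[Tuple[int, str], List[Dict]] = {}
    pairs = []
    for ev in events:
        key = (ev["pid"], ev["symbol"])
        if ev["kind"] == "entry":
            pending.setdefault(key, []).append(ev)
        elif pending.get(key):
            pairs.append((pending[key].pop(), ev))  # LIFO copes with recursion
    return pairs


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    for entry, ret in pair_calls(evs):
        print(decode_do_sys_open(entry), "-> fd", ret["retval"])
```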
The patch also provides mechanisms for turning individual probes on and off, filtering probe output, and maintaining profiles of probe hits.
Tracing of function entry and exit as shown above is a useful feature, but the existing ftrace function tracer can do that already. The obvious value in this new patch is the ability to place tracepoints at locations other than function entry and exit points. But that leads to an interesting question: how does the user manage to get tracepoints set in the right locations? Guessing at offsets from function symbols seems like a recipe for trouble, especially given that the placement of a tracepoint in the middle of an instruction is unlikely to lead to pleasant results.
Addressing that last concern is, as it turns out, the job of the bulk of the code in Masami's patch. Placing probes is relatively easy - the code to do that is already in the kernel. But making sure that the probe is in the right place requires the addition of an x86 instruction decoding module. When a probe is requested within a function, the instruction decoder goes to work; it starts at the beginning of the function and decodes instructions until it reaches the probe point. If the probe is located at an instruction boundary, all is well; otherwise the placement of the probe is disallowed.
Actually generating the right offsets for dynamic probes is likely to be a job for user-space software which can parse debugging information and map line numbers onto offsets. A tool like a debugger or SystemTap, for example. It is, in fact, conceivable that tools like SystemTap could move over to this mechanism once it's merged; that would allow SystemTap to share more of the low-level ftrace plumbing and get it closer to working with unpatched mainline kernels.
That's getting a little ahead of the game, though; first the kprobe-based event tracing code needs to be merged. There does not appear to be any real opposition to that merger - but this code has been around for a while and is currently on its 13th revision. The value of getting real dynamic probing support into the kernel seems reasonably evident, though; expect this feature to get in at some point.
Finding buffer overflows with Parfait
Recently, Roel Kluin has been proposing patches to fix a number of buffer overflows in the kernel, some of which he credited to "Parfait". It turns out that Parfait is a static source code checking tool that comes out of Sun Labs in Australia. The project reported 54 buffer overflows to the linux-security mailing list in early July, and Kluin has been going through them to get them fixed.
It is best to treat buffer overflows as potential security vulnerabilities, even though they may be hard—or impossible—to exploit. Various types of these bugs have been thought to be unexploitable along the way, but then were found to be exploitable, so caution is clearly indicated. The full list was sent to the private kernel security alias, and then passed along to Kluin by Andrew Morton. Kluin has then been posting patches to linux-kernel, as well as the netdev mailing list, to fix them. A number of the fixes have already been picked up by subsystem maintainers, and some have made their way into the mainline.
The tool itself is relatively new, first demonstrated as an alpha last October, and takes a multi-layered approach using an "ensemble" of static analysis techniques. Thus the name. One of the goals, from the outset, was to produce something that could analyze a huge codebase—the OpenSolaris or Linux kernel for example—in a matter of minutes rather than the days or weeks that other tools require.
As part of a paper [PDF] presented at the Kernel Conference Australia in mid-July, the Parfait developers reported checking 5.7 million lines of code in the 2.6.29 kernel for buffer overflows in 13 minutes. The times for OpenSolaris and OpenBSD were similar when scaled for the number of lines of code checked.
Unsurprisingly, for all three kernels, the majority of buffer overflows were found in the driver code. For 2.6.29, Parfait found 12 buffer overflows in the Linux core, and 85 in the drivers (which makes up 71% of the codebase). Some of those were false positives, but the paper does not make it clear just how many. Given that 54 were reported to linux-security, though, it would seem that something approaching half were false positives.
Kluin provided an example of the Parfait output:
Bug type: Buffer overflow
File: /usr/src/linux-2.6.29/security/smack/smackfs.c
Line: 777
Function: smk_write_netlbladdr
Code snippet:
0772: if (count < SMK_NETLBLADDRMIN || count > SMK_NETLBLADDRMAX)
0773: return -EINVAL;
0774: if (copy_from_user(data, buf, count) != 0)
0775: return -EFAULT;
0776:
0777: data[count] = '\0';
0778:
0779: rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%d %s",
0780: &host[0], &host[1], &host[2], &host[3], &m, smack);
0781: if (rc != 6) {
0782: rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
Parfait report:
Error: Buffer overflow at
/usr/src/linux-2.6.29/security/smack/smackfs.c:777 in function
'smk_write_netlbladdr' [Symbolic analysis]
In array dereference of data[count] with index 'count'
Array size is 42 bytes, count >= 9 and count <= 42
Comments:
Off-by-one when adding the trailing null on line 777 - data is
declared with size
SMK_NETLBLADDRMAX, and count is allowed to equal SMK_NETLBLADDRMAX
This shows a buffer overflow that he had already fixed in the kernel prior to the Parfait report. The paper also describes a GUI tool that collects up the code and declarations that make Parfait believe there is a problem, which can help developers determine whether there truly is a problem or not.
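As an added user-space model (not the kernel's code or Parfait's), the copy-and-terminate step that the report flags, run against a buffer of the declared size: the `data[count] = '\0'` write surfaces as an IndexError exactly where the kernel would write one byte past `data`, and the same model shows two ways of closing the hole (a buffer of SMK_NETLBLADDRMAX + 1 bytes, or rejecting count == SMK_NETLBLADDRMAX). The constants come from the report above; the sample input and the regex standing in for the sscanf() format are assumptions.

```python
import re
from typing import Tuple, Union

# From the Parfait report: data[] is 42 bytes and the guard admits 9 <= count <= 42.
SMK_NETLBLADDRMIN = 9
SMK_NETLBLADDRMAX = 42
EINVAL = 22
EFAULT = 14

# Stand-in for the sscanf() format "%hhd.%hhd.%hhd.%hhd/%d %s"; it ignores
# %hhd range semantics and only shows that the copied text is still parsed.
ADDR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+) (\S+)")

# Constructed input of exactly SMK_NETLBLADDRMAX bytes: the largest count the
# original guard lets through.
SAMPLE_INPUT = b"192.168.100.200/24 " + b"a" * 23
assert len(SAMPLE_INPUT) == SMK_NETLBLADDRMAX

Result = Union[int, Tuple[Tuple[int, int, int, int], int, str]]


def smk_write_netlbladdr_model(buf: bytes, count: int, data_size: int,
                               reject_equal_max: bool = False) -> Result:
    """Model of the guard, copy and terminator write in smk_write_netlbladdr().

    data_size is the declared size of the stack buffer `data`.  Writing into a
    fixed-size bytearray index by index makes any write past the end raise
    IndexError at the point where the C code would corrupt the stack instead.
    Returns -errno on rejection, otherwise (host, mask, label).
    """
    data = bytearray(data_size)
    if count < SMK_NETLBLADDRMIN or count > SMK_NETLBLADDRMAX:
        return -EINVAL                      # the guard on line 0772
    if reject_equal_max and count >= SMK_NETLBLADDRMAX:
        return -EINVAL                      # stricter guard: keeps room for '\0'
    if len(buf) < count:
        return -EFAULT                      # copy_from_user() short read
    for i in range(count):                  # copy_from_user(data, buf, count)
        data[i] = buf[i]
    data[count] = 0                         # data[count] = '\0', line 0777
    m = ADDR_RE.match(data[:count].decode("ascii", "replace"))
    if not m:
        return -EINVAL
    host = (int(m.group(1)), int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return host, int(m.group(5)), m.group(6)


def terminator_overflows(count: int, data_size: int,
                         reject_equal_max: bool = False) -> bool:
    """True if the model writes past the end of data[] for this count."""
    try:
        smk_write_netlbladdr_model(b"a" * count, count, data_size, reject_equal_max)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    print("original (42-byte data, count 42):", terminator_overflows(42, 42))
    print("data sized MAX+1:", terminator_overflows(42, 43))
    print("guard rejects count == MAX:", terminator_overflows(42, 42, True))
```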
Currently, Parfait is not available to those outside of Sun, but a binary release is planned. According to lead developer Cristina Cifuentes, it should be available on the web site within the next month or two: "I estimate it will be end of August (to be optimistic) before the binary release is out, a more pessimistic estimate is end of September." That release will be available for "use on a non-commercial basis", she said. Sun is considering an open source release, but no decision on that has yet been made.
In an interview on the Sun Labs web site, Cifuentes gives a broader view of where Parfait is headed—more than just looking for buffer overflows:
In many ways, Parfait is similar to the Coverity analysis tool that has been used on the kernel as well as other free software. In both cases, at least for now, the analysis can only be run by the company who owns the tool, or those who have licensed it in the case of Coverity. A free software analysis tool that did these kinds of checks—and didn't depend on the goodwill of various companies—would be a real boon. With luck, perhaps Parfait will some day fill that role.
These source analysis tools clearly find real bugs, though there is some evidence that the bug reports resulting from the scans are not being used to their fullest. The Coverity scanner found the tun.c NULL pointer dereference problem long before it was fixed in the kernel, but the report either went unnoticed or was (incorrectly as it turns out) not seen to be a serious problem. More source code analysis—at least any that isn't plagued by too many false positives—can only be a good thing, but the problems found need to be addressed or the value of the effort drops dramatically. It would be awfully nice to have free versions of these kinds of tools as well.
A tempest in a tty pot
There are dark areas of the kernel where only the bravest hackers dare to tread. Places where the code is twisted, the requirements are complex, and everything depends on ancient code which has seen little change over the years because even the most qualified developers fear the consequences. Arguably, no part of the kernel is darker and scarier than the serial terminal (TTY) code. Recently, this code was getting a much-needed update, but it now appears that a disconnect within the community has brought that work to a halt and thrown TTY back into the "unmaintained" column - at a time when that code has known regressions in the 2.6.31-rc kernel.
At a first glance, the TTY layer wouldn't seem like it should be all that challenging. It is, after all, just a simple char device which is charged with transferring byte-oriented data streams between two well-defined points. But the problem is harder than it looks. Much of the TTY code has roots in ancient hardware implementing the RS-232 standard - one of the loosest, most variable standards out there. TTY drivers also have to monitor the data stream and extract information from it; this duty can include ^S/^Q flow control, parity checking, and detection of control characters. Control characters may turn into out-of-band information which must be communicated to user space; ^D may become an end-of-file when the application reads to the appropriate point in the data stream, while other characters map onto signals. So the TTY code has to deal with complex signal delivery as well - never a path to a simple code base. Echoing of data - possibly transforming it in the process - must be handled. With the addition of pseudo terminals (PTYs), the TTY code has also become a sort of interprocess communication mechanism, with all of the weird TTY semantics preserved. The TTY code also needs to support networking protocols like PPP without creating performance bottlenecks.
All told, it's a complicated problem. It is also a problem which seems to interest relatively few developers. The top of drivers/char/tty_io.c still reads "Copyright (C) 1991, 1992, Linus Torvalds." Much of the code is still dependent on the big kernel lock. There are deadlocks and race conditions to be found. Almost nobody wants to touch it, but it still mostly works.
-- Ingo Molnar, July, 2007
At least, that was the case until 2.6.31, where the combination of significant changes and some last-minute tweaks led to regressions. Users started to report that the kdesu application stopped working. The emacs compile mode started losing output. And so on. It turns out that there were a few separate bugs, not all of which were in the tty layer:
- The problem with kdesu appears to be a KDE bug; the application would read too much data, then wonder why the next read didn't have what it wanted. This code worked with the older TTY code, but broke with 2.6.31. There is probably no way to fix it which doesn't saddle the kernel with maintaining weird legacy bug-compatibility code - something the TTY layer does not need more of.
- The emacs problem is different. In this case, the compile process would finish its work (writing its final output to the PTY) and exit. Emacs would try to read that final output, but would get a failed read resulting from the SIGCHLD signal sent by the exiting compile process. That failure was unexpected and caused emacs to drop the data. In essence, emacs expected that, by the time the compile process had completed its close() of the PTY file descriptor, the data written to that descriptor had been pushed through to the other end and would be available for reading. The 2.6.31 changes broke that assumption.
The second problem results from the complex nature of TTY data processing. It's not just a serial stream of data; instead, there is the line discipline processing in the middle. In 2.6.31, data written to a PTY will have been queued up for line discipline attention by the time a close() is allowed to complete, but there's no assurance that the line discipline code will have actually run and passed the data through to the other end. So the SIGCHLD signal can pass the data and arrive first.
Alan thinks this behavior is reasonable; it complies with the applicable standards and can be implemented in a relatively straightforward way. Making a close() on a PTY block until the other end has received the data might make emacs work better, but it also risks deadlock if both sides write data and close their file descriptors at the same time. Even so, Alan posted an "elegant in all the wrong ways" patch which fixed the problem, but also made it clear that he thought emacs was buggy and that the real fix belonged there.
Linus merged a version of this patch, but he was not happy about it. He believes that emacs is correct in its assumptions, and would like to see a better fix which makes the ordering of events clear and deterministic. He made his frustration clear:
At that point, it was Alan's turn to express frustration; he did not hold back:
However I've had enough. If you think that problem is easy to fix you fix it. Have fun.
The message included a patch removing Alan as the maintainer of the TTY layer.
And that is where things stand, as of this writing. The TTY code is unmaintained again, a promising rework has halted partway through, and the person most qualified to fix the problems has thrown up his hands and left the building (though it should be noted that he is participating in the conversation on how the next maintainer, whoever that might be, can fix things). Kernel development will go on, but development in this area will go rather more slowly; the TTY layer has claimed another victim.
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Janitorial
Memory management
Networking
Virtualization and containers
Benchmarks and bugs
Miscellaneous
Page editor: Jonathan Corbet
Distributions
Debian and time-based freezes
On July 29, a surprise announcement heralded a significant change in the way the Debian release process works. Rather than freezing the distribution when it was "ready," the release team will start to impose a scheduled freeze in December of every odd-numbered year, starting with December, 2009. There still will be no scheduled release dates, but the plan is to start the final phase of the development cycle in a scheduled manner.
It would appear that much of the Debian development community was as surprised as anybody else; there had been no discussion of this change on any of the project's mailing lists. The press release states:
Many developers did not attend DebConf (which concludes on July 30), and those who were there disagree somewhat with the above description. It seems that some DebConf attendees, at least, feel that all they got was a few hours advance notice; the change was announced to them as something which had already been decided.
It should not be surprising that there is a fair amount of dissent in the ranks. This is Debian, after all. But there seem to be more than the usual number of complaints this time around. The key themes seem to be:
- The change may or may not be good, but the way in which it was done was wrong. Debian developers should not learn about a major process change from a press release.
- There is no reason to do a short development period to freeze this December when a freeze in 2010 would fit the two-year period perfectly. Shortening the "squeeze" development cycle halfway through will create havoc with many developers' plans and endanger a number of the objectives for the squeeze release. A lot of work will have to be crammed into the remaining time; some minor components, like the kernel, have not yet been updated.
- Freezing in December will guarantee that Debian will ship obsolete versions of KDE, which releases in January.
The biggest grumble, though, appears to come from a feeling that the Debian project is being asked to change its ways and, arguably, compromise the quality of its releases for the sole purpose of accommodating the Ubuntu release schedule. One might dismiss this idea as overly conspiratorial, but it's worth reading this interview with Mark Shuttleworth, published on July 12:
In other words, Mark Shuttleworth knew about this change before the Debian developers - who are expected to implement it - knew. Given that Debian is supposed to be an open project, something which gives this kind of smoke-filled-room-decision feeling is guaranteed to be received poorly.
There are answers to some of these complaints, of course. Luk Claes, a member of the release team, said:
Even without the dark talk of "consequences," this statement will not have helped the situation; the press release says "Debian decides to adopt time-based release freezes," which is not the normal language used for a proposal. But it is true that the Debian release team is empowered by the project to make decisions like this. Meanwhile, the Debian press team claims that the abrupt announcement was required to keep journalists from mangling the news.
The short cycle is justified this way:
The release team has also promised to talk with the Debian KDE maintainers to see what sort of solution can be worked out there.
But the release team has said nothing about Ubuntu and has not responded to the charges which have been made in that regard. It seems that a good case could be made for closer cooperation between Debian and Ubuntu - in fact, Debian developers have been asking for that for some time. Ubuntu has become a major (if not the major) distribution channel for Debian, increasing Debian's relevance in the process. If the combined distribution channel could be made to work better for everybody involved, the results should be good for both Ubuntu and Debian. It is hard to fault the release team for exploring ways to make Debian's release cycle work better for Ubuntu; one could, indeed, argue that it would be irresponsible for them to do anything else.
So the real question has to be: why has this conversation with Ubuntu been swept under the rug in the release team's communications with the Debian development community? It creates a strong impression of hidden agendas. The Debian project may now head into an extended period of more-than-usually acrimonious debate, dueling general resolutions, and more. An open discussion would not have skipped the acrimonious debate (we're still talking about Debian here), but it may well have led to something very close to what the release team is aiming for with strong buy-in from the development community. What the project will decide to do now is rather less clear; what we may be seeing here is the loss of a great opportunity.
New Releases
Omega (Pug) Release - Fedora Remix
Omega Pug has been released. "Omega is a completely free and open source Linux based operating system and a Fedora remix suitable for desktop and laptop users. It is an installable Live CD for regular PC (i686 architecture) systems. It has all the features of Fedora and a number of additional software including multimedia players and codecs by default. Omega plays any multimedia content (including MP3) or commercial DVDs out of the box."
openSUSE 11.2 Milestone 4 Released
The openSUSE team has released openSUSE 11.2 Milestone 4. "Lots of changes since the M3 release! The live CDs can now be deployed using USB sticks -- which is particularly important for netbook computers without CD or DVD drives. The live CDs now contain mc, and the KDE live CDs include YaKuake. And YaST has a new Qt-based Control Center." See the call for testing and consider joining the core test team.
Tin Hat 20090727 is out
A new release of Tin Hat has been announced. "Tin Hat is a fully featured Linux desktop based on Hardened Gentoo which runs purely in RAM. It aims to be very secure, stable, and fast. This release continues the work of hardening the system libraries and binaries begun in the previous release with little changes to the kernel."
Ubuntu Karmic Koala alpha 3 released
The Alpha 3 release of Ubuntu 9.10 (Karmic Koala) has been announced. "Alpha 3 includes a number of software updates that are ready for large-scale testing. This is quite an early set of images, so you should expect some bugs."
Distribution News
Fedora
Brainstorming Session for Fedora Community 2.0
A brainstorming session for Fedora Community 2.0 will be held on Monday, August 3, 2009 at 1500 UTC. "For those of you who have no idea what "Fedora Community" is, it's our newest Fedora web application, providing a window into the Fedora distribution, and leveraging the power of Fedora's Account System, Bodhi, Bugzilla, Koji, and PackageDB into a single user-friendly website. It is built entirely with Free Software, such as Moksha and Turbogears 2. Fedora Community is designed to simplify Fedora workflows and bring transparency to Fedora processes."
Fedora updates pushing: Behind the scenes
Josh Boyer takes a behind-the-scenes look at recent problems with Fedora updates. "Just before F11 release, we enabled deltarpms for updates. There were some bumps in the first few days, but we got through it and the people rejoiced. Everyone was happy and the Fedora updates world had a victory in terms of end user gains. Then time went by. Updates kept getting submitted by maintainers, and they noticed they were pushed to users less and less frequently. Some asked on the list, and rel-eng (mostly me) blamed deltarpms. This was not an untruth. Generating deltarpms is a pretty intensive task, and the larger the RPMs in question, the longer it takes to actually generate them. So our illustrious Infrastructure team took note and increased the DRAM and number of CPUs the releng box had. This has proved to be most helpful, and our box no longer gets kernel OOMs if the rawhide and updates mashes happen to be going at the same time. However I still didn't think something was right."
Fedora Board Recap
Click below for a brief recap of the July 23, 2009 meeting of the Fedora Advisory Board. Topics include Russian Fedora Initiative, Extended Life Cycle, Spin Trademarks, and Move to fp.o email.
Gentoo Linux
Gentoo Council meeting summary
A summary of the July 20, 2009 meeting of the Gentoo Council is available. Topics include the meeting format and GLEP 39. The full log is also available.
Mandriva Linux
Code of Conduct and Manifesto
Mandriva has two new wiki documents. There's a Code of Conduct for forums, mailing lists, irc, etc. The Manifesto explains the goals of Mandriva and should help explain the project to new users.
SUSE Linux and openSUSE
openSUSE Board Meeting Minutes, July 1 + July 14
The minutes for two openSUSE board meetings are available. Topics for the July 1 meeting include membership approval, creation of an openSUSE foundation, ambassador program, opening of factory and hack week. Topics for the July 14 meeting include membership approval and openSUSE Foundation.
Ubuntu family
Minutes from the Ubuntu Technical Board meeting
Click below for the minutes of the July meeting of the Ubuntu Technical Board. Topics include a review of outstanding actions, Technical Board nominations, Developer Membership Board, Patent policy, and Governance review.
Distribution Newsletters
DistroWatch Weekly, Issue 313
The DistroWatch Weekly for July 27, 2009 is out. "When you buy a new computer, how do you go about choosing an operating system for it? With today's powerful hardware and specific user requirements, combined with the ever-increasing number of excellent free distributions, it is not unusual for many of us to spend weeks on testing and evaluating before we find the ideal match. Read this week's feature story which describes a typical journey of a geek after getting a brand-new, powerful machine. In the news section, Gentoo celebrates its 10th birthday, Rahul Sundaram presents a new release of Omega - a custom Fedora with built-in multimedia support, Linux Mint chooses the newly open-sourced Launchpad for bug tracking, and FreeBSD publishes a paper on its release engineering process. Finally, don't miss any of the regular sections, which include summaries of the five new distributions submitted to DistroWatch last week."
Fedora Weekly News 186
The Fedora Weekly News for July 26, 2009 is out. "In this week's issue, we begin with news from the Fedora Planet, including tips on running Fedora 11 on an Intel Mac, tethering Fedora 11 to an iPhone, and another in the series of XI2 Recipes. Quality Assurance reports on last week's Fit and Finish test day on power management and suspend/resume, as well as much detail on QA-related weekly meetings. Translation brings us detail of the Fedora 12 Translation Schedule, a new Translation Quick Start Guide, as well as new Publican versions of some Fedora documentation. In Artwork/Design news, testing details of the new gallery and an update on Fedora 12 theming, amongst other topics. This issue rounds out with Fedora virtualization goodness, including details on new versions of libguestfs, virt-what and redesigns of the virt-manager UI, as well as details on how to cluster libvirt hosts."
The Mint Newsletter - issue 89
The Mint Newsletter for July 23, 2009 covers the release of Linux Mint 7 XFCE RC1 and Mint's move to Launchpad for translations, bugs and blueprints, and to github for code hosting and version control.
OpenSUSE Weekly News/81
This issue of the openSUSE Weekly News covers the Call for openSUSE Core Test Team, Hackweek IV, Linux.com/Rob Day: The Kernel Newbie Corner: Building and Running a New Kernel, openSUSE Forums: How to Recover Home Partition?, Ubuntuforums.org/Leif Sandvik: Howto: Firefox profile in RAM for increased speed and stability, and more.
Ubuntu Weekly Newsletter #152
The Ubuntu Weekly Newsletter for July 25, 2009 is out. "In this issue we cover: Karmic Alpha 3 released, Launchpad is now open source, Ubuntu-US-NY is now an approved Ubuntu LoCo team, Launchpad 2.2.7: translation sharing, release file, automation and more, Focusing on the Launchpad UI, Ubuntu Forums tutorial of the week, Kubuntu Translation Days, Ubuntu Podcast #31, and much, much more!"
Distribution reviews
Reviewed: Fedora 11 (Tux Radar)
Tux Radar has a review of Fedora 11. "Post-install, things get more interesting, and the first changes appear before you even log in. The boot-up routine is now so smooth that there is no need to hide it from your Mac-appreciating friends. A smooth transition from the PC POST screen takes you to the login screen in 25 seconds or less. Well, it does on our test machine (which takes 31 seconds to get to the same spot in Ubuntu). When you get there you may be confused by the addition of a new widget above the list of login names. That's because Fedora 11 supports fingerprint logins with supported hardware."
Page editor: Rebecca Sobol
Development
Google releases Neatx NX server
On July 7, internet search giant Google not only announced its operating system Google Chrome OS with much fanfare, it also quietly released Neatx, an open source NX server. According to the announcement, Google has been looking at remote desktop technologies for quite a while. While the X Window System has issues with network latency and bandwidth, the NX protocol compresses X requests and reduces round-trips, resulting in much better performance — to the point that it can be used over network connections with low bandwidth.
So with Neatx, users can log in to a remote Linux desktop. Moreover, the session can be suspended and resumed later from another computer, resembling the functionality that GNU screen offers for console sessions. But, unlike screen, a Neatx user has access to the GUI of the remote machine, just as if they were sitting in front of it.
The NX protocol, using SSH as a transport and for authentication, was developed by the Italian company NoMachine, which released the source code of the core NX technology in 2003 under the GPL. NoMachine offers free (as in beer) client and server software for various operating systems, including Linux. It wasn't very long before free-as-in-speech NX clients emerged, then, in 2004, Fabian Franz implemented FreeNX, a GPL implementation of an NX server.
FreeNX development stalls
However, after a number of years the FreeNX project is facing some serious problems. Franz hasn't responded to e-mails on the developer mailing list for a long time and he seems to be the only one able to check code into the repository. As a consequence, the development has stalled for some time. That brought Florian Schmidt to ask about the future:
Because upstream FreeNX development has stalled, downstream packagers have essentially picked up the development. There is a FreeNX team that maintains Debian and Ubuntu packages. These maintainers push appropriate patches to their branch and thus have the most up-to-date repository, with some extra features the official FreeNX server doesn't have, such as shadowing local X sessions and stubs for guest sessions. Marcelo Boveto Shima, one of the maintainers, noted FreeNX problems in a post to the FreeNX mailing list: "Working on FreeNX is a dead-end and it is becoming too hackish." He decided to write his own FreeNX server, TaciX. In the meantime, the Debian/Ubuntu repository has become the "upstream" for Gentoo's FreeNX package.
A new NX server from scratch
Shima wasn't the only one disappointed in FreeNX development. According to Google the server was "written in a mix of several thousand lines of BASH, Expect and C, making FreeNX difficult to maintain." That's why some developers at Google designed Neatx, a new implementation, based on NoMachine's open source NX libraries:
Google implemented Neatx because the company operates a large number of virtualized workstations in clusters [PDF], running on its cluster virtual server management software tool, Ganeti. To be able to log in to the virtual workstation from home or via a wireless connection and work smoothly, X or VNC can't be used. That led Google to turn to the NX protocol. An added bonus is that the protocol allows restoring a session opened at the office from home and vice versa. In the release announcement, the developers noted that Neatx implements some features not found in FreeNX, but also that it lacks some other features that FreeNX has.
Neatx in action
Your author tried both QtNX and NoMachine's NX client to connect to FreeNX 0.7.3 and Neatx on Ubuntu 9.04. Because Neatx has not yet released an official version, your author checked out the latest source code and built it. It turned out QtNX can't connect to Neatx because of a version mismatch, and the Neatx developers seem to test their server software with NoMachine's NX client, so that is the only supported client for now.
Session creation, suspension, resumption, and shutdown all work well in Neatx. Users can choose between Gnome, KDE, Application, and Console sessions, and they can run their session on a virtual desktop or as a floating window. They are also able to set the keyboard preferences, the resolution, and choose full-screen mode. Neatx supports session shadowing, the ability for multiple users to view and collaborate within the same NX session. For the moment that only works with sessions belonging to one user, so it's not that usable yet. Sharing of the X clipboard also works flawlessly.
A couple of things don't work yet. For example, terminating an open session from the session list isn't possible. The user first has to resume the session and then terminate it. Tunneling of sound, printers, and Samba is also not yet implemented. And Neatx doesn't support RDP (the remote desktop protocol for Windows) or VNC sessions, something that FreeNX does support. There are also still some loose ends because the code is still alpha. However, the Neatx Google Group is pretty active and already has some interesting suggestions for further developments, such as a jailed NX, enabling users to NX into a server while not being able to see any other user's data, and printer tunneling.
Although the simultaneous announcements of Google Chrome OS and Neatx seem to be pure coincidence, they both are based on the concept of a thin client. Chrome OS is a perfect operating system for the casual user with a netbook connected to the internet, running most of the applications in a web browser. For applications that don't run inside the browser, a Neatx server on Google's or someone else's servers can offer a desktop "in the cloud" which can be accessed from everywhere. Google's own use of Neatx for virtual workstations shows that the thin client concept is reviving. Hopefully it will also revive developers' interest in contributing to a free NX server, which is an essential component for this development.
System Applications
Database Software
MySQL Community Server 5.0.84 has been released
Version 5.0.84 of MySQL Community Server has been announced; it includes a number of bug fixes. "MySQL Community Server 5.0.84, a new version of the popular Open Source Database Management System, has been released. This and future releases in the MySQL Community Server 5.0 series share version numbers with their MySQL Enterprise Server counterparts."
PostgreSQL Weekly News
The July 26, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
LDAP Software
python-ldap 2.3.9 announced
Version 2.3.9 of python-ldap has been announced; it includes code cleanup and new capabilities. "python-ldap provides an object-oriented API to access LDAP directory servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for that purpose. Additionally it contains modules for other LDAP-related stuff (e.g. processing LDIF, LDAPURLs and LDAPv3 schema)."
Security
sqlmap 0.7 released
Version 0.7 of sqlmap has been announced. "sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications."
Web Site Development
Django 1.1 released
Version 1.1 of the Django web platform has been announced. "Tonight we're extremely proud to announce the release of Django 1.1, the latest major milestone in Django's development."
Desktop Applications
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Brasero 2.27.5 (bug fixes, documentation and translation work)
- cb2Bib 1.3.2 (new features and bug fixes)
- Cheese 2.27.5 (new features, bug fixes, documentation and translation work)
- Clutter 1.0.0 (new features, bug fixes and documentation work)
- clutter-gst 0.9.0 (new features, bug fixes and code cleanup)
- Deskbar-Applet 2.27.5 (translation work)
- easygconf 0.01 (initial release)
- Empathy 2.27.5 (bug fixes and translation work)
- Eye of GNOME 2.27.5 (new features, bug fixes and translation work)
- GCalctool 5.27.5 (new features, bug fixes and translation work)
- glibmm 2.21.3 (new features and bug fixes)
- gnome-applets 2.27.4 (bug fixes, code cleanup and translation work)
- gnome-games 2.27.5 (new features, bug fixes and translation work)
- gnome-keyring 2.27.5 (new features, bug fixes and translation work)
- GNOME Media 2.27.5 (new features, bug fixes and translation work)
- gnome-mag 0.15.8 (bug fixes and translation work)
- gnome-settings-daemon 2.27.5 (bug fixes and translation work)
- GNOME System Tools 2.27.2 (bug fixes, code cleanup, documentation and translation work)
- GOK 2.27.5 (bug fixes and translation work)
- GTK+ 2.17.6 (new features, bug fixes and translation work)
- Java ATK Wrapper 0.27.5 (new feature and bug fix)
- mousetweaks 2.27.5 (translation work)
- Orca 2.27.5 (bug fixes and translation work)
- PDF Mod 0.3 (new features and bug fixes)
- seahorse 2.27.5 (new features, bug fixes and translation work)
- Tumblefile 1.0 (initial release)
KDE 4.3 RC3 released (KDEDot)
Version 4.3 RC3 of KDE has been announced. "Even in the hot phase up to KDE 4.3.0, there have been quite a bunch of fixes to KDE's 4.3 branch. The KDE Release Team has decided to err on the safe side and do another release candidate before KDE 4.3.0 comes out. Dirk Müller has rolled tarballs of the current state of KDE 4.3 and put them up for testers, packages for some distributions are already under way. This also means that the release of KDE 4.3.0 has been postponed for one week. The new planned release date is August, 4th 2009."
KDE Software Announcements
The following new KDE software has been announced this week:
- 2ManDVD 0.8.8 (beta testing release)
- 2ManDVD 0.9 BETA 1 (beta testing release)
- Association Subscribers Manager 3.0rc1 (new features, bug fixes and translation work)
- digiKam 1.0.0-beta3 (unspecified)
- gambas 2 2.15 (unspecified)
- Kipi-Plugins 0.5.0 (unspecified)
- kmagnet 0.02 (unspecified)
- KMess 2.0 (new features and bug fixes)
Xorg Software Announcements
The following new Xorg software has been announced this week:
- fixesproto 4.1 (bug fixes and code cleanup)
- xf86-video-vmware 10.16.7 (bug fixes)
- xorg-server 1.6.2.901 (bug fixes and code cleanup)
Financial Applications
Gnucash 2.3.3 released
Version 2.3.3 of Gnucash has been announced. "The GnuCash development team proudly announces GnuCash 2.3.3, the fourth of several unstable 2.3.x releases of the GnuCash Free Accounting Software which will eventually lead to the stable version 2.4.0. With this new release series, GnuCash can use an SQL database using SQLite3, MySQL or PostgreSQL. It runs on GNU/Linux, *BSD, Solaris, Microsoft Windows and Mac OSX. This release is intended for developers and testers who want to help tracking down all those bugs that are still in there."
Geographical Software
PostGIS 1.4.0 released
Version 1.4.0 of PostGIS, the spatial data extension for PostgreSQL, has been announced. "This new version of PostGIS includes substantial performance enhancements, more detailed reference documentation, new output formats (GeoJSON) and an improved internal testing system. PostGIS 1.4 also supports the recent PostgreSQL 8.4 release."
Music Applications
guitarix 0.05.0-1 released
Version 0.05.0-1 of guitarix, an electric guitar amplifier simulator, has been announced. "Release 0.05.0-1 comes with some major changes:
- Completely new source structure by James
- add keyboard shortcuts
- improved skin handling
- add logging window
- improved preset handling
- add middle tone control
- reworked audio engine
- add bypass mode
- add engine state widget"
Languages and Tools
C
GCC 4.4.1 released
Version 4.4.1 of GCC, the GNU Compiler Collection, has been announced. This release includes a long list of bug fixes. See the changes document for more information on the GCC 4.4 series.
GCC 4.3.4 release candidate available
A release candidate of GCC 4.3.4 is available. "I plan to roll out the final release at the beginning of next week if there are no major problems reported."
GCC 4.3.4 Status Report
The July 27, 2009 edition of the GCC 4.3.4 Status Report has been published. "The 4.3 branch is now frozen in preparation for the GCC 4.3.4 release. I am creating a release candidate right now. All patches require release-manager approval."
Perl
Rakudo Perl 6 development release #19
Development release #19 of Rakudo Perl 6, an implementation of Perl 6 on the Parrot Virtual Machine, is available. "Due to the continued rapid pace of Rakudo development and the frequent addition of new Perl 6 features and bugfixes, we continue to recommend that people wanting to use or work with Rakudo obtain the latest source directly from the main repository at github."
Python
argparse 1.0 announced
Version 1.0 of argparse, a command line parsing library for Python, is out with a number of new features. "The argparse module provides an easy, declarative interface for creating command line tools, which knows how to:
- parse the arguments and flags from sys.argv
- convert arg strings into objects for your program
- format and print informative help messages
- and much more..."
Python-URL! - weekly Python news and links
The July 28, 2009 edition of the Python-URL! is online with a new collection of Python article links.
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The July 23, 2009 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
XML
pyxser 1.1r released
Version 1.1r of pyxser has been announced. "I'm pleased to announce pyxser-1.1r, a Python-Object to XML serializer and deserializer. This package is completely written in C and licensed under LGPLv3. The tested Python versions are 2.5.X and 2.7.X."
Build Tools
ControlTier 3.4.6 released
Version 3.4.6 of ControlTier has been announced; it includes bug fixes. "ControlTier is a cross-platform build and deployment framework and toolkit. ControlTier coordinates service management activities across multiple nodes and application tiers. It supplements and replaces homegrown service management and deployment scripts with a well-defined set of lifecycle commands that abstract the details of various types of deployments."
Editors
emacs 23 is very near (emacs-fu)
The emacs-fu site has a summary of features to be found in the upcoming emacs 23 release. "Emacs's character set is a superset of Unicode, with about four times the space available. That should be enough for the foreseeable future. There are also many new character sets available, as well as new language environments, such as Chinese-GB18030, Khmer, Bengali, Punjabi, Gujarati, Oriya, Telugu, Sinhala, and TaiViet." Also pointed out is an implementation of butterfly mode.
Version Control
GIT 1.6.3.4 released
Maintenance release 1.6.3.4 of the GIT distributed version control system has been announced; it includes bug fixes and documentation updates.
GIT 1.6.4 released
Version 1.6.4 of the GIT distributed version control system has been announced; it includes many new features and bug fixes. "With the next major release, "git push" into a branch that is currently checked out will be refused by default. You can choose what should happen upon such a push by setting the configuration variable receive.denyCurrentBranch in the receiving repository. To ease the transition plan, the receiving repository of such a push running this release will issue a big warning when the configuration variable is missing."
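To see why the git developers want pushes into a checked-out branch refused, the following added example (not part of the announcement or of git's own test suite) builds a throwaway non-bare repository and a clone in a temporary directory, then pushes into the checked-out branch first with receive.denyCurrentBranch set to refuse and then with it set to ignore. The repository names, file contents and author identity are constructed here; the only assumption is that a git binary is on PATH.

```shell
#!/bin/sh
# Added example: receive.denyCurrentBranch on a non-bare receiving repository.
# Everything below is constructed in a temporary directory and removed afterwards.
demo_deny_current_branch() {
    work=$(mktemp -d) || return 1
    (
        set -e
        cd "$work"
        # Constructed identity so commits work without a global git config.
        export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
        export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

        # "server" is a non-bare repository whose branch is checked out in a work tree.
        git init -q server
        ( cd server && echo one > file && git add file && git commit -q -m first )

        # "client" clones it and makes a second commit to push back.
        git clone -q server client
        ( cd client && echo two > file && git commit -q -am second )

        # With "refuse", the push into the checked-out branch must fail.
        ( cd server && git config receive.denyCurrentBranch refuse )
        if ( cd client && git push -q origin HEAD 2>/dev/null ); then
            echo "refuse: push was unexpectedly accepted"
            exit 1
        fi

        # With "ignore", the push is accepted, and the hazard becomes visible:
        # the branch ref (and HEAD) move, but the work tree and index do not,
        # so the server's checkout silently disagrees with its own HEAD.
        ( cd server && git config receive.denyCurrentBranch ignore )
        ( cd client && git push -q origin HEAD 2>/dev/null )
        server_head=$(cd server && git rev-parse HEAD)
        client_head=$(cd client && git rev-parse HEAD)
        [ "$server_head" = "$client_head" ]
        [ "$(cat server/file)" = "one" ]
        echo ok
    )
    status=$?
    rm -rf "$work"
    return $status
}
```

Run it with `demo_deny_current_branch`; it prints `ok` only when the refuse setting blocks the push and the ignore setting leaves the stale work tree behind. The second half is the state the default in the following major release is meant to prevent: a repository whose HEAD no longer matches the files on disk, which is easy to commit on top of by mistake.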
Mercurial 1.3.1 released
Version 1.3.1 of the Mercurial source code management system has been announced. "This release includes a number of regression fixes and other small fixes against 1.3. I recommend that all 1.3 users upgrade."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Open-Source Backers March on Washington (New York Times)
The New York Times covers the push behind the recently announced Open Source for America group. "Look out, lobbyists: Here come the open-source zealots. Some of the world's largest technology companies have banded together in a bid to push open-source software on the United States government. They've formed a group called Open Source for America, which seeks to make sure that government agencies at least consider open-source software as an option in their buying decisions. The big, rather timely pitch behind this move is that open-source applications can help save the government money."
Trade Shows and Conferences
Akademy-es 2009 (KDEDot)
KDE.News covers Akademy-es, Akademy for Spanish speakers. "Akademy-es started on Friday 10th with a talk by Cenatic, a governmental foundation with the aim to promote and improve knowledge of free software in public administrations, companies, universities, etc. For that, the foundation is creating and developing different courses both online and at site based on free software. They want to create a specific course for the KDE desktop, so they asked for collaboration from KDE España, the Spanish organisation to support and promote the KDE project in Spain. The president of Cenatic showed his interest in the project and this collaboration will be starting in the coming months."
OSCON 2009: How Intel Designed Netbooks For Fast Starts (InformationWeek)
InformationWeek covers an OSCON talk by Dirk Hohndel. "Dirk Hohndel, chief open source and Linux technologist for Intel, addressed OSCON 2009, an annual convention of open source developers, and said it was a re-architecting of the Linux start up process that gave the netbook one of its most desirable characteristics. "We know, after all, that we're an instant gratification society," he told about 1,000 attendees gathered at the San Jose Convention Center Wednesday. "If it's more than 15 seconds No one wants to wait until they can do something."
Companies
Eyeing Google, Splashtop partners with Yahoo (ComputerWorld)
ComputerWorld investigates a partnership between DeviceVM Inc. and Yahoo. "In a pre-emptive strike against Google Inc.'s Chrome OS, DeviceVM Inc. plans to make Web search the centerpiece of its popular instant-on operating system. Users of the Linux-based Splashtop platform will be able to type in a search query within seconds of turning on their laptop or netbook, said Dave Bottoms, senior director of product management, in an interview. For American and Japanese users, the search query will go to Yahoo Inc. For Chinese searchers, it will go to Baidu. For Russians, it will go to Yandex."
Linux at Work
Open Space (Linux Journal)
Linux Journal looks at NASA's (US National Aeronautics and Space Administration) use of open source software. "In order to coordinate its extensive use of Open Source, the space agency now has its own repo, complete with Open Source-licensed code for many of its projects. There are some esoteric options among the available projects, including the Mission Simulation ToolKit, which helps "facilitate the development of autonomous planetary robotic missions" -- something most of us do on a daily basis, of course."
Interviews
Ten years after: An Interview with MontaVista's Jim Ready (LinuxDevices)
LinuxDevices has an interview with MontaVista founder Jim Ready. "Developers are integrating more and more open source code from multiple sources, and all these pieces are both interdependent and independent. That's breaking all the rules of software engineering. All these components are developed independently of one another and they change all the time, and then there are always some other subsystems that were not built by the same group, so it ends up breaking. The open source process is vibrant and instrumental, but it has these bad properties in some sense."
Resources
The LiVES Video Editor (Linux Journal)
Linux Journal presents two new articles on the LiVES Video Editor: The LiVES Video Editor and VJ Tool Turns 1.0 by LiVES author Gabriel Finch and It LiVES! Video Editing For FOSS Movie Makers, a review by Dave Phillips. From the first article: "The LiVES project was started in 2002 by me, the author, and I continue to manage and enhance the project. At the time I had just bought a digital camera that was capable of taking short video clips of 10 seconds or so. Although I could play these clips perfectly well in mplayer, I was unable to find any editor on Linux which was capable of editing this format. So I thought - if I can play the clips, then I should be able to save the frames and edit them. I looked at the manpage for mplayer and noted that it could output multiple image files. From this the LiVES editor was born."
Studio DV, Open Octave, And More (Linux Journal)
Dave Phillips gets into video and looks at the Open Octave Project. "Alex Stone and Chris Cherrett share a vision. Both gentlemen compose music for orchestral ensembles, and both prefer to use Linux as their operating system. After assessing the state of Linux audio software Chris and Alex decided to leverage the power of a suite of programs specially selected for their aptness to the purpose of orchestral composition, arrangement, and recording. They've named this endeavor the Open Octave Project."
Reviews
KDE 4.3 Shaping Up Nicely, KWin Needs Work (OSNews)
OSNews reviews KDE 4.3. "For a very long time now, I've been on the hunt for a distribution that really put a lot of effort into their KDE4 implementation. This has been a frustrating search, full of broken installations, incredibly slow performance, and so many visual artifacts they made my eyes explode. Since KDE 4.3 is nearing release, I had to pick up this quest in order to take a look at where 4.3 stands - and I found a home in the KDE version of Fedora 11. Read on for a look as to where KDE 4.3 currently stands."
The Microsoft Live Services Plug-in for Moodle Debuts (Port25)
Peter Galli covers Microsoft's release of the Live Services Plug-in for Moodle. "Today, Microsoft announced the Live Services Plug-in for Moodle, a free download released under the General Public License v2 that integrates Microsoft's Live@edu services such as email, calendar, instant messaging and search directly into the Moodle experience. What's even better is that this new, integrated experience is accessible via a single sign-on, which lets teachers and students access the resources and services they need to efficiently communicate, collaborate and learn."
rBuilder 5 Streamlines Linux-Based Appliance Deployment (eWeek)
eWeek reviews rBuilder 5. "The 5.0 version of rBuilder boasts several major new features. eWEEK Labs' tests of the platform, through Version 5.2.1, shows that rBuilder makes it easier to churn out virtual machine images for immediate deployment, and that the Web-based management interface that rBuilder pairs with the appliances it creates is handy. However, Labs did run into some configuration issues, as well as some issues with the new Flash-based Web front end."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Amazon's CEO Jeff Bezos apologizes for Kindle ebook deletion
The Free Software Foundation has issued a press release covering an apology from Amazon CEO Jeff Bezos, and calls upon Amazon to free the ebook reader. "In a post to the Kindle Community forum on Amazon's Web site, Bezos said: "This is an apology for the way we previously handled illegally sold copies of 1984 and other novels on Kindle. Our "solution" to the problem was stupid, thoughtless, and painfully out of line with our principles. It is wholly self-inflicted, and we deserve the criticism we've received. We will use the scar tissue from this painful mistake to help make better decisions going forward, ones that match our mission.""
JPUG announces 10th anniversary
The Japan PostgreSQL Users Group has announced its 10th anniversary. "Japan PostgreSQL Users Group (JPUG) gave its first cry at the plenary meeting at Makuhari city, ten years before of this date of 23rd July. We are very glad to score a decade length activity with quite a lot of successful stories. On this memorable date, JPUG wished to deliver everyone who is engaged with PostgreSQL two statements by Mr Tatsuo Ishii, the founding chairman, and Mr Hiroo Kataoka, the current chairman..."
Rock-The-Vote goes open source
Rock-The-Vote has announced a partnership with the OSDV Foundation's TrustTheVote project. "Rock the Vote and Open Source Digital Voting (OSDV) Foundation's TrustTheVote Project are partnering to introduce new online voter registration tools based on open source technology. The TrustTheVote Project will provide its open source technology platform to enable Rock the Vote to streamline and improve the user-facing registration process and help State elections offices process registration forms."
Commercial announcements
Linux Foundation launches affinity credit card
The Linux Foundation has announced it will offer an affinity Visa Platinum credit card for people who want to contribute to advancing the Linux operating system through Linux Foundation initiatives. "The Linux Foundation is partnering with CardPartner, Inc. to offer the affinity Linux credit card through UMB Bank. The Linux Foundation will receive $50 for every activated card as well as a percentage of every purchase made with the credit card. All funds from the Visa card program will go directly towards providing community technical events and travel grants for open source community members in order to accelerate Linux innovation."
NYSE-listed Red Hat Inc. Becomes Newest Component of S&P 500
NYSE Euronext has announced that Red Hat, Inc. has become the newest component of the S&P 500. "'Red Hat's inclusion in the S&P 500 is a significant milestone for the company, and on behalf of NYSE Euronext we want to congratulate Red Hat President and CEO Jim Whitehurst and his team for this accomplishment,' said Scott R. Cutler, EVP and Head of Listings, Americas, NYSE Euronext." (Thanks to Scott Bronson)
New Books
Beautiful Data--New from O'Reilly
O'Reilly has published the book Beautiful Data by Toby Segaran and Jeff Hammerbacher.
Pro Git book released
Author Scott Chacon has announced that his upcoming book, Pro Git, has been posted under a (noncommercial) Creative Commons license. Interested readers can go to the online version to read the book now, or purchase it in August.
Programming Interactivity--New from O'Reilly
O'Reilly has published the book Programming Interactivity by Joshua Noble.
Resources
Documenting barriers to entry into free software projects
Dave Neary has announced a draft version of a document on community barriers to entry [PDF]; the idea is to help projects identify and fix problems which keep their communities from growing. "In many corporate projects, the most damaging dynamic is when a decision gets made by someone not on the developer mailing list, and is thus completely unaccountable to the community for the decision. It is damaging for your community, who feels ignored. In the case where these decisions are unpopular, it is damaging for the morale of your developers, who must defend strategic changes in the product they may not agree with."
Contests and Awards
SourceForge.net Community Choice Awards
The 2009 SourceForge.net Community Choice Awards have been announced. The H summarizes the results: "This year's winner for the Best Project for Government was OpenOffice.org for its popular fully-featured office suite and Firebird, a relational database management system (RDBMS), won the prize for Best Project for the Enterprise. The Notepad++ source code editor won the Best Tool or Utility for Developers and phpMyAdmin, a MySQL administration tool, was chosen as the Best Tool or Utility for SysAdmins."
Announcing the 2009 White Camel Awards (use Perl)
The 2009 White Camel Awards have been announced. "The White Camel Awards recognize the many significant contributions made by the unsung heroes of the Perl community. The efforts of these volunteers collectively make the Perl language and the Perl community better for all of us."
Surveys
What are you doing to help the cause? (Linux Journal)
Linux Journal is conducting a short survey on open-source participation. "The "beer" may be free but it takes more than beer to make a party work. Choose the item that best describes what you're doing to help the open source party, if you do more than one of the items, choose the one that you feel provides the most value."
Calls for Presentations
Linux-Kongress moves, LCA extends deadline
A couple of noteworthy bits of conference-related information:
- Linux-Kongress has resolved its scheduling conflict with the Linux Plumbers Conference by shifting its dates to October 27 to 30. The conference has also moved to Dresden. The CFP is open through the end of August.
- Linux.conf.au has extended its submission deadline to July 31. "The success of the papers so far has put us in a very generous mood. So we've decided to give all you slackers out there an extension on the Call for Papers by one week!"
Upcoming Events
Libre Graphics Meeting announces dates and venue
The 2010 Libre Graphics Meeting has been announced. "Users and developers of Free, Libre and Open Source graphics software will meet in Brussels, Belgium on May 26-29, 2010 at the fifth annual Libre Graphics Meeting (LGM). Held in a historical piano factory, newly renovated into a lively exhibition and work space near Brussels' city center, LGM 2010 offers software developers, artists, designers and other graphics professionals the chance to collaborate and learn from each other. LGM emphasizes the sharing of collective creativity, innovation and ideas and is free for everyone to attend."
LinuxCon discount registration deadline in three weeks
The deadline for LinuxCon discount registration is August 15th. "LinuxCon - The New Technical Conference for All Matters Linux September 21-23, 2009 Portland Marriott Waterfront - Portland, OR. Only three more weeks to register to attend LinuxCon for the reduced fee of $399."
Events: August 6, 2009 to October 5, 2009
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| August 7 to August 9 | UKUUG Summer 2009 Conference | Birmingham, UK |
| August 7 | August Penguin 2009 | Weizmann Institute, Israel |
| August 10 to August 14 | USENIX Security Symposium | Montreal, Quebec, Canada |
| August 11 to August 13 | Flash Memory Summit | Santa Clara, CA, USA |
| August 11 | FOSS Dev Camp - Open Source World | San Francisco, CA, USA |
| August 12 to August 13 | OpenSource World Conference and Expo | San Francisco, CA, USA |
| August 12 to August 13 | Military Open Source Software | Atlanta, Georgia, USA |
| August 13 to August 16 | Hacking At Random 2009 | Vierhouten, The Netherlands |
| August 18 to August 23 | 2009 Python in Science Conference | Pasadena, CA, USA |
| August 22 to August 23 | Free and Open Source Conference (FrOSCon) | St. Augustin, Germany |
| August 22 to August 23 | OpenSQL Camp | St. Augustin, Germany |
| August 31 to September 4 | Ubuntu Developer Week | Internet |
| September 1 to September 4 | JBoss World Chicago | Chicago, IL, USA |
| September 1 to September 4 | Red Hat Summit Chicago | Chicago, IL, USA |
| September 1 to September 5 | DrupalCon | Paris, France |
| September 4 to September 5 | PyCon 2009 Argentina | Buenos Aires, Argentina |
| September 7 to September 11 | XtreemOS summer school | Oxford, UK |
| September 7 to September 8 | FRHACK.ORG IT Security Conference | Besançon, France |
| September 8 to September 12 | DjangoCon '09 | Portland, OR, USA |
| September 10 to September 11 | Fedora Developer Conference 2009 | Brno, Czech Republic |
| September 12 | Evil Robot Conference (Free Conference, Free Software) | Raleigh, NC, USA |
| September 14 to September 18 | Django Bootcamp at the Big Nerd Ranch | Atlanta, Georgia, USA |
| September 15 to September 17 | International Conference on IT Security Incident Management and IT Forensics | Stuttgart, Germany |
| September 17 to September 18 | Internet Security Operations and Intelligence 7 | San Diego, CA, USA |
| September 17 to September 20 | openSUSE Conference | Nuremberg, Germany |
| September 18 to September 19 | BruCON | Brussels, Belgium |
| September 18 to September 20 | EuroBSDCon 2009 | Cambridge, UK |
| September 19 | Atlanta Linux Fest 2009 | Atlanta, Georgia, USA |
| September 19 | Beijing Perl Workshop | Beijing, China |
| September 19 | Software Freedom Day | Worldwide |
| September 20 | SELinux Developer Summit 2009 @ LinuxCon | Portland, Oregon, USA |
| September 21 to September 23 | LinuxCon 2009 | Portland, OR, USA |
| September 21 to September 25 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, USA |
| September 23 to September 25 | Linux Plumbers Conference | Portland, Oregon, USA |
| September 23 to September 25 | Recent Advances in Intrusion Detection | Saint-Malo, Brittany, France |
| September 23 to September 25 | OpenSolaris Developer Conference 2009 | Hamburg, Germany |
| September 23 | Bacula Conference 2009 | Cologne, Germany |
| September 24 to September 26 | Joomla! and Virtue Mart Day Germany | Bad Nauheim, Germany |
| September 25 to September 27 | International Conference on Open Source | Taipei, Taiwan |
| September 25 to September 27 | Ohio LinuxFest | Columbus, Ohio, USA |
| September 26 to September 27 | PyCon India 2009 | Bengaluru, India |
| September 26 | Open Source Conference 2009 Okinawa | Ginowan City, Okinawa, Japan |
| September 26 to September 27 | Mini-DebConf at ICOS | Taipei, Taiwan |
| September 28 to September 30 | Real time Linux workshop | Dresden, Germany |
| September 28 to September 30 | X Developers' Conference 2009 | Portland, OR, USA |
| September 28 to October 2 | Sixteenth Annual Tcl/Tk Conference (2009) | Portland, OR 97232, USA |
| September 30 | HCC!Linux Theme Day | Houten, Netherlands |
| October 1 to October 2 | Open World Forum | Paris, France |
| October 2 to October 4 | 7th International Conference on Scalable Vector Graphics | Mountain View, CA, USA |
| October 2 | LLVM Developers' Meeting | Cupertino, CA, USA |
| October 2 to October 4 | Linux Autumn (Jesien Linuksowa) 2009 | Huta Szklana, Poland |
| October 2 to October 4 | Ubuntu Global Jam | Online |
| October 2 to October 3 | Open Source Developers Conference France | Paris, France |
| October 2 | Mozilla Public DevDay/Open Web Camp 2009 | Prague, Czech Republic |
| October 3 to October 4 | T-DOSE 2009 | Eindhoven, The Netherlands |
| October 3 to October 4 | EU MozCamp 2009 | Prague, Czech Republic |
If your event does not appear here, please tell us about it.
Event Reports
EuroSciPy 2009 - first slides
Slides and abstracts from EuroSciPy have been posted. "The first slides for the talks at EuroSciPy are available: http://www.euroscipy.org/presentations/slides/index.html The abstracts of all talks can be found here: http://www.euroscipy.org/presentations/abstracts/index.html."
GCDS Slides and Videos Online (KDEDot)
KDE.News has announced the availability of slides from the recent Gran Canaria Desktop Summit. "The available slides and videos from GCDS are now available for download. Grab the slides to catch up on over 40 of the best talks, and get the videos to over 50 enlightening presentations. Thanks to GeekSoc for hosting and thanks to the team from KDE who manned the cameras."
OSCON keynote: Standing out in the crowd
Kirrily Robert's OSCON keynote on encouraging women in open source has received a number of great reviews. For those who missed it, Kirrily has posted the text and slides from the talk. "The FLOSSPOLS survey asked open source contributors whether they had witnessed sexism, harassment, or discrimination in our community. Here's what they found: 80% of women had noticed sexism in the open source community. 80% of men never noticed anything. That's a pretty big gap."
Page editor: Forrest Cook
