LWN.net Weekly Edition for August 27, 2009
Pyjamas: writing AJAX applications in Python
Maintaining a complex web application that uses a lot of Javascript for client-side, "AJAX"-style interactivity is rather difficult. The clumsiness of the Javascript language itself, as well as the various tricks needed to make an application work consistently across multiple browsers, all of which must be wrapped up inside HTML, makes for a jumble of issues for the application developer. Pyjamas is meant to ease that development, by allowing client-side applications to be written in Python, then translating that code to Javascript for use by the browser.
Pyjamas is a port of the Google Web Toolkit (GWT), which pioneered the technique, but GWT uses Java instead of Python. For developers who prefer Python, pyjamas provides an environment that almost completely insulates them from the code that actually runs in the user's browser. As described on the home page:
Also, the AJAX library takes care of all the browser interoperability issues on your behalf, leaving you free to focus on application development instead of learning all the "usual" browser incompatibilities.
Essentially, a developer uses the pyjamas-supplied libraries that provide user interface widgets and Document Object Model (DOM) control from Python. This code is then combined with a library that implements various Javascript language features in Python—an impedance-matching layer between the two languages called pyjslib—and turned into Javascript and HTML that can be loaded into a browser. The pyjs program "translates Python code to Javascript by walking the Python abstract syntax tree and generating Javascript".
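To make the quoted description concrete, here is an added sketch (not pyjs code and not from the Pyjamas project) of translating by walking the Python abstract syntax tree. The names ToyTranslator and translate and the tiny supported subset are assumptions for illustration, and it needs Python 3.8 or later; it does not attempt the semantic bridging that pyjslib provides.

```python
import ast
import json

BINOPS = {ast.Add: "+", ast.Sub: "-", ast.Mult: "*"}
CMPOPS = {ast.Lt: "<", ast.Gt: ">", ast.Eq: "===", ast.NotEq: "!=="}


class ToyTranslator(ast.NodeVisitor):
    """Emit Javascript source for a very small subset of Python."""

    def __init__(self):
        self.depth = 0

    def block(self, statements):
        # Render a statement list as an indented, brace-delimited block.
        self.depth += 1
        lines = ["  " * self.depth + self.visit(s) for s in statements]
        self.depth -= 1
        return "{\n" + "\n".join(lines) + "\n" + "  " * self.depth + "}"

    def visit_Module(self, node):
        return "\n".join(self.visit(s) for s in node.body)

    def visit_FunctionDef(self, node):
        params = ", ".join(a.arg for a in node.args.args)
        return "function %s(%s) %s" % (node.name, params, self.block(node.body))

    def visit_If(self, node):
        text = "if (%s) %s" % (self.visit(node.test), self.block(node.body))
        if node.orelse:
            text += " else " + self.block(node.orelse)
        return text

    def visit_Return(self, node):
        return "return %s;" % self.visit(node.value) if node.value else "return;"

    def visit_Expr(self, node):
        return self.visit(node.value) + ";"

    def visit_BinOp(self, node):
        op = BINOPS[type(node.op)]  # KeyError for operators outside the subset
        return "(%s %s %s)" % (self.visit(node.left), op, self.visit(node.right))

    def visit_Compare(self, node):
        if len(node.ops) != 1:
            raise NotImplementedError("chained comparison")
        op = CMPOPS[type(node.ops[0])]
        return "(%s %s %s)" % (self.visit(node.left), op,
                               self.visit(node.comparators[0]))

    def visit_Call(self, node):
        args = ", ".join(self.visit(a) for a in node.args)
        return "%s(%s)" % (self.visit(node.func), args)

    def visit_Name(self, node):
        return node.id

    def visit_Constant(self, node):
        # json.dumps gives Javascript-compatible literals for str, numbers,
        # True/False and None.
        return json.dumps(node.value)

    def generic_visit(self, node):
        # Anything outside the subset is refused rather than silently dropped.
        raise NotImplementedError(type(node).__name__)


def translate(source):
    """Parse Python source and return the generated Javascript text."""
    return ToyTranslator().visit(ast.parse(source))


# Constructed sample input.
SAMPLE = (
    "def greet(name):\n"
    "    if name == \"\":\n"
    "        return \"Hello, AJAX!\"\n"
    "    return \"Hello, \" + name\n"
)
```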
But, using pyjamas is not at all like "normal" web programming. As the web site and FAQ are quick to point out, pyjamas is not just another AJAX (Asynchronous Javascript and XML) framework, it is more akin to writing a desktop program that is translated into a web application. In fact, Pyjamas-Desktop allows the same code that is developed for the web application to be run, unmodified, on the desktop. The same Python source that gets fed into the translator can, instead, be run, and, more importantly, debugged, on the developer's desktop.
The tool is best suited to writing one-page web applications that rely entirely on AJAX techniques to do their job—things like Gmail, Mozilla's Bespin, and many others. Each page load in a pyjamas application requires loading all of the Javascript that makes up the application. That includes code generated from the application as well as pyjamas libraries, so, ideally, that would only be done once. That is quite a contrast from the traditional, multi-page-oriented web application, but is certainly in keeping with the direction of web interaction.
The key to understanding pyjamas is to note that, unlike AJAX frameworks, it is not meant to add a bit of interactivity, or some desktop-like features, to an existing web application. Instead, the entire application is written in Python, likely debugged on the desktop, and then turned into a big blob (or, really, blobs) of Javascript for deployment. The application code will look very familiar to Python GUI developers. For example, the canonical "Hello World" program—which does a bit more than Kernighan and Ritchie's original C program—looks like:
    import pyjd # this is dummy in pyjs.
    from pyjamas.ui.RootPanel import RootPanel
    from pyjamas.ui.Button import Button
    from pyjamas.ui.HTML import HTML
    from pyjamas.ui.Label import Label
    from pyjamas import Window
    import pygwt

    def greet(fred):
        print "greet button"
        Window.alert("Hello, AJAX!")

    if __name__ == '__main__':
        pyjd.setup("public/Hello.html?fred=foo#me")
        b = Button("Click me", greet, StyleName='teststyle')
        h = HTML("<b>Hello World</b> (html)", StyleName='teststyle')
        l = Label("Hello World (label)", StyleName='teststyle')
        base = HTML("Hello from %s" % pygwt.getModuleBaseURL(),
                    StyleName='teststyle')
        RootPanel().add(b)
        RootPanel().add(h)
        RootPanel().add(l)
        RootPanel().add(base)
        pyjd.run()
Running the build.sh script on that example, as described on the "getting started" page, creates output and public directories that hold the generated code. There is a tiny bit of HTML and CSS, along with roughly 9,000 lines of Javascript that implement the example. Much of that is likely boilerplate code to implement pyjamas itself. A better example might be something like TimeSheet, which implements a more realistic application, and weighs in around 23,500 lines.
There are numerous examples on the pyjamas web page, many of which were ported from GWT. Both the source code and the running application are available, so one can get a sense for how much code it takes to create the examples—as well as use them as templates for other applications. There is quite a bit of documentation, though the FAQ would indicate that there have been complaints about that, on the site as well, including the in-progress Pyjamas Book (which is implemented as a pyjamas book reader application).
The project has just released version 0.6 of the tool, with many new features outlined in the CHANGELOG. There are some 140 changes from version 0.5, including a rework of pyjs to make more Python features available (multiple inheritance and superclasses are specifically mentioned) and bringing Pyjamas-Desktop into the standard distribution. The pace of development is relatively quick; 0.5 was released in March, and 0.6 adds quite a bit of functionality on top of that.
Pyjamas is definitely worth a look for anyone considering building a new-style web application, and who would rather use Python than Java. Because GWT was released as free software, Pyjamas could leverage much of that work to give developers another language choice. Writing—and worse, debugging—complex Javascript applications is a major chore, so any tools that make that easier should be quite welcome. Those that just want a bit more interactivity in their existing web applications, though, might find the Pyjamas (and GWT) approach to be too heavy-handed for their needs.
Bespin adds collaborative features
Mozilla released version 0.4 of its online code editor Bespin last week, debuting integrated collaboration features that include project sharing and real-time live collaborative editing. Bespin is an in-browser web application, making it available from anywhere, but the "social coding" features are what really separates it from other collaborative editing solutions.
Welcome to Bespin
A Mozilla Labs project, Bespin is a free web service to which users can connect from any supported browser. The main Bespin server on which new official releases are rolled out is bespin.mozilla.com; to use it one must register a free Bespin server account. The client side of the editing environment runs entirely within the page: no extensions or other add-ons are required. Source code to the server is available under the Mozilla Public License version 1.1, and instructions for installing and running Bespin on a private server are provided on the Mozilla wiki.
Bespin was first unveiled in February of 2009, and is described as a code editor for web developers, built with web technologies. It supports line numbering, syntax highlighting (for HTML, CSS, and JavaScript by default), multiple projects, version control with Mercurial, cut-copy-paste with a clipboard, search, undo and redo, and previewing on the web. Code projects are stored on the server, but the editor can upload zipped or gzipped archives as well as clone existing Mercurial projects into the user's Bespin server account.
Once logged into their Bespin server account, users can begin using Bespin immediately. Bespin's editor takes up the entire window, save for a thin toolbar at the top that displays the current project and file and a few basic buttons. The other major mode provided by the program is the Bespin command line, which can be activated from the toolbar or by hitting Ctrl-j (which toggles between the editor and command line). The command line allows the user to create new projects, change interface settings, open files, and more. Command completion, history, and tooltip-style help assist new users in getting up to speed with the command set. For opening files and examining projects, a graphical file browser is also provided, which mimics the left-to-right navigation panes of Mac OS X's Finder rather than a more traditional Unix-like folder tree.
The Bespin editor is rendered inside of an HTML5 canvas element, so a canvas-supporting browser is required. Currently, this includes all recent versions of Firefox, Chrome/Chromium, Opera, and WebKit/Safari. The canvas is used to render the entire editing environment — window panes, menus, buttons, scroll bars, even the cursor — with JavaScript. Developer Ben Galbraith described the use of canvas as a superior alternative to building on top of the textarea tag or contentEditable property and native user interface widgets because canvas allows better flexibility to adapt the UI to users' personal preferences, better accessibility, and better performance and compatibility when editing large files. He also offered a caveat in his explanation, noting that "there may very well be a more effective way to do what we've done than with canvas. I'm not saying this is the best way to do it; I just want to explain why we did it."
One outcome from the decision to use canvas is that the Bespin team developed its own UI toolkit, which it plans to spin off into a reusable code project called Thunderhead. Likewise, the editing component itself could be easily reused in other Web applications, so it will eventually be separated out into a stand-alone, reusable component, too.
Bespin is designed to be adjustable to the individual tastes of the user, so it provides user-configurable settings. In addition to basic configuration options like auto-indentation and "strict lines" mode, each Bespin server account automatically includes a BespinSettings project that contains a config.js file for tweaking Bespin with JavaScript. Users can write their own commands, using the same syntax as Mozilla Labs' Ubiquity project, and Bespin has a plugin API which is still undergoing development.
Collaborate
The 0.4 release added some niceties to the existing feature set — such as argument completion for commands and the addition of Subversion as the second supported version control system — but the most exciting new addition is a built-in framework for sharing and live collaboration. Users must activate the collaborative features by executing set collaborate on from the Bespin command line.
The new "share" command allows users to mark projects as visible to other users on the Bespin server, as individuals, groups, or globally. Projects can be shared in read-only or read/write mode. Executing:
share add projectname user1
shares the project in read-only mode, while
share add projectname user1 edit
activates read-write permission. For sharing to work, the user on the receiving end of the shared project must explicitly accept shared code from the originating user with:
follow username
This mechanism prevents spamming innocent users by sharing scores of unwanted projects with them. Substituting the string everyone for a username shares the project with everyone on the server who chooses to follow the project owner.
Other users' shared projects appear in the Bespin file browser just like locally-owned projects. If a project is shared in read-write mode, all users with access to it can edit a file simultaneously. Edits and text selection are visible in real time to all who have the file open in the editor. A collaboration window showing which users are currently editing the file appears in the upper right-hand corner of the editor window.
"Groups" in Bespin collaboration are strictly a private user-defined convenience, not a social feature; adding other people to a group simply saves keystrokes by permitting the user to type:
share add myproject mygroup
instead of:
share add myproject user1
share add myproject user2
...
To define a group, just execute:
group add groupname user1 user2 ... userN
Bespin uses Mobwrite to handle synchronization and conflict resolution between user edits. The system uses differential synchronization to keep copies of the file in sync. This algorithm is symmetric, repeatedly calculating the differences between each editing session's copy of the document and a previously-updated "shadow" copy, then relaying patches to every other session. Since every session receives every other session's updates, there is no "master" copy responsible for merging all of the changes and potentially creating bottlenecks. Unlike "event passing" synchronization, diffs automatically catch all changes, whether originating from typing, cut-and-paste, undo, or search-and-replace. Developer Dion Almaer said that the team has successfully tested Bespin with 30 concurrent users and 100,000-line files, making it significantly more robust than other online sharing tools.
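The shadow-copy cycle described above, as an added Python sketch (not Mobwrite or Bespin code). The names Doc, Link, make_patch, apply_patch and converge are invented for the illustration, the relay copy is just another session running the same code, and Python's difflib stands in for Mobwrite's own diff and patch routines.

```python
import difflib
from dataclasses import dataclass

CONTEXT = 4  # characters of leading context carried with each hunk


@dataclass
class Hunk:
    pos: int     # offset in the shadow where the change starts
    before: str  # unchanged text just ahead of the change, used to re-locate it
    old: str     # text the change removes
    new: str     # text the change inserts


def make_patch(shadow, text):
    """Diff the shadow against the live text and describe each changed region."""
    hunks, prev_end = [], 0
    matcher = difflib.SequenceMatcher(None, shadow, text, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            # Context never reaches back into a region an earlier hunk rewrites.
            before = shadow[max(prev_end, i1 - CONTEXT):i1]
            hunks.append(Hunk(i1, before, shadow[i1:i2], text[j1:j2]))
            prev_end = i2
    return hunks


def _locate(text, needle, want):
    """Index of the occurrence of needle closest to want, or None if absent."""
    if not needle:
        return max(0, min(want, len(text)))
    best, i = None, text.find(needle)
    while i != -1:
        if best is None or abs(i - want) < abs(best - want):
            best = i
        i = text.find(needle, i + 1)
    return best


def apply_patch(text, hunks):
    """Best-effort patch: a hunk whose context is gone is skipped, not forced."""
    shift = 0  # how far offsets in text have drifted from offsets in the shadow
    for h in hunks:
        at = _locate(text, h.before + h.old, h.pos - len(h.before) + shift)
        if at is None:
            continue
        start = at + len(h.before)
        text = text[:start] + h.new + text[start + len(h.old):]
        shift = start - h.pos + len(h.new) - len(h.old)
    return text


class Doc:
    def __init__(self, text):
        self.text = text


class Link:
    """One pairing of two copies; each end keeps a shadow of what it last sent."""

    def __init__(self, left, right):
        self.ends = [left, right]
        self.shadow = [left.text, right.text]

    def _send(self, src, dst):
        patch = make_patch(self.shadow[src], self.ends[src].text)
        self.shadow[src] = self.ends[src].text
        # The two shadows were identical, so this application is exact.
        self.shadow[dst] = apply_patch(self.shadow[dst], patch)
        # The live text may have moved on, so this one is best effort.
        self.ends[dst].text = apply_patch(self.ends[dst].text, patch)

    def sync(self):
        self._send(0, 1)  # the same code runs in both directions
        self._send(1, 0)


def converge(start, edit_a, edit_b, rounds=2):
    """Two sessions edit concurrently, then sync through a relay copy."""
    alice, bob, relay = Doc(start), Doc(start), Doc(start)
    links = [Link(alice, relay), Link(bob, relay)]
    alice.text, bob.text = edit_a, edit_b
    for _ in range(rounds):
        for link in links:
            link.sync()
    return alice.text, relay.text, bob.text
```

When both sessions rewrite the same word, the hunk that reaches the relay second no longer finds its context and is skipped, and the return diff brings that session into line with the others.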
Currently, sharing and collaborative editing are only possible between users on the same Bespin server, but Almaer said that the team very much wants to include support for federation in the future. "We want to create a compelling, fun, productive social editing experience for as many people as possible," he said. Joe Walker, who added the collaboration support to 0.4, commented that the Bespin team hopes to enable collaborative sessions between Bespin and other editors capable of collaboration, such as GEdit, Eclipse, and Emacs.
The future of Bespin will include more features to enhance this social dimension, Almaer explained:
Likewise, the Bespin team encourages users to add new features via JavaScript and the plugin API. Outside contributors have already added syntax highlighting support for Ruby and Arduino code. Almaer said that the initial feature set of the editor focuses on web technologies merely because the web is Mozilla's focus and the team has limited resources. If the Bespin development community wants to expand the scope of the project, it will.
Collaborative editing is possible in several other open source applications, from word processors like Abiword to text editors like Gobby, and via plugins for many more applications — even popular development tools like Emacs, gVim, and Eclipse. At first glance, Bespin seems to sport the same feature set as most of these other options, but it has two distinctive qualities that users may find attractive.
First, as pointed out in the initial release announcement, Bespin is available everywhere, on every platform with a modern web browser. The alternatives require installation, and in many cases are dependent on specific versions of the application for compatibility. Some are limited to specific operating systems because they rely on underlying packages like Telepathy.
Second and more importantly, Bespin is pushing the "social" nature of coding itself as the key feature, not just synchronization of files. The concepts of sharing projects and following individuals are the beginnings of a social graph implementation that could extend the concept beyond simple text changes. As Almaer hinted, and as shown in the project's roadmap and in various demo videos, more is on the way, such as a "heatmap" that graphically depicts where a codebase is changing and a dashboard that tracks what other users are doing.
Bespin 0.4 is stable and responsive enough that the Bespin team uses it for Bespin development. It should prove to be a valuable asset to remote development teams, particularly (in the short term) for those working in the core web technologies that remain its focus. Looking further out, the social coding concepts Bespin explores could significantly improve on the traditional distributed version control systems most developers use today.
SCO: not dead yet?
Back in 2007, it seemed like the SCO nightmare was done; the company had suffered a summary judgment depriving it of its claim to the Unix copyrights and it had gone into bankruptcy proceedings. In the latter half of 2009, though, SCO is still here. Now, an appeals court has ruled [PDF] that part of the 2007 judgment was erroneous and must be reconsidered; some worry that SCO could come back, zombie-like, to terrorize again. The real threat may not be SCO, though, but what comes after.
The agreement between Novell and the Santa Cruz Operation was a mess which never clearly spelled out what was being sold. It is far from surprising that Novell and the company now known as the SCO Group disagree on its particulars. The lawyers involved in making that agreement, quite simply, did not do their job. Even so, the district court, in 2007, was able to obtain enough clarity from this document to conclude that there was no question at all of whether the Unix copyrights had been transferred to SCO. The result was a summary judgment throwing out SCO's claims regarding those copyrights. That judgment was welcomed in the community, but there may be justice to SCO's claim that it was a little too hasty.
The appeals court took that view of the district court ruling, finding SCO's arguments sufficiently credible to create some doubt as to the facts in the case. As the ruling states:
It is worth noting that the appeals court did not rule that the copyrights do, in fact, belong to SCO. In fact, the ruling reads:
All the court has said is that there is enough doubt here that a full trial is needed to resolve the question. The end result could well be the same - Novell could still win - but SCO has created enough uncertainty to gain its full day in court.
SCO did not prevail in all of its appeals, though. The district court had ruled that SCO had converted ("stolen") $2.5 million in licensing revenue from Sun which, by the asset purchase agreement, truly belonged to Novell. The appeals court agreed with this part of the summary judgment and left SCO on the hook. This ruling has led some observers to believe that SCO may now head quickly into Chapter 7 bankruptcy, resulting in the liquidation of the company. Should that happen, it is said, the SCO zombie will truly be gone forever.
Unfortunately, the end of the SCO Group would not necessarily mean the end of the troubles it has created. Chapter 7 bankruptcy would result in the sale of SCO's remaining assets to pay the claims of the company's creditors. Those assets are likely to include office chairs belonging to both remaining employees, a storage locker full of unsold Caldera OpenLinux boxes, Darl McBride's bullhorn, a few SCO Mobile Server manuals - and the claimed ownership of the Unix copyrights. The bankruptcy trustee's job will be to sell all of these assets for the highest price possible.
The Unix copyright "asset" is an uncertain value, to say the least; it could evaporate entirely when SCO v. Novell runs its full course. But SCO v. Novell was always a sideshow; the real game is the multi-billion dollar claims against IBM. Who would be willing to bet that no trolls willing to try for that payoff exist? Instead, such trolls must certainly exist, and some of them will be well funded. One of them could come out of the bankruptcy process owning these "assets" and the related lawsuits.
What we could see then is a new push on these claims, with more money behind it and, possibly, less buffoonery as well. The new owner might just succeed in establishing ownership of the Unix copyrights - that agreement is, as was stated previously, a mess - and carry the IBM case forward. The fact that SCO's original claims against IBM are still without merit offers little comfort; we could be in for another extended period of FUD and bad press before the courts finally come to that conclusion.
Things need not go that way, of course. Should SCO go into chapter 7, we might see Novell and/or IBM hold their noses and buy the Unix claims themselves, putting an end to the entire affair. It could be the cheapest way for them to go. One assumes that lawyers in those companies are thinking about their options at this point; they, too, must be tired of this whole circus by now.
Security
Firefox extension vulnerabilities
Browser extensions, or add-ons, typically provide extra functionality, beyond that which the browser provides, but that comes with a price: increased vulnerability potential. The recent disclosure of five separate vulnerabilities in Firefox extensions serves as a reminder that extensions occupy a privileged position within the browser. That position makes flaws in extensions particularly dangerous, as they generally will allow an attacker's code to run with all the privileges of the user running the browser.
The vulnerabilities were disclosed by Nick Freeman and Roberto Suggi Liverani of Security-Assessment.com, a New Zealand-based web and network security firm. In doing research for a DEFCON presentation [PDF], they found flaws in the following Firefox extensions: Feed Sidebar, ScribeFire, WizzRSS, CoolPreviews, and Update Scanner. The flaws were found between February and June of this year, and the presentation lists three more that have yet to be disclosed.
All five of the flaws have something in common: in one way or another, they take content from a remote site and handle it incorrectly within the privileged Mozilla "chrome" context. For example, the Feed Sidebar extension incorrectly handles the RSS <description> tags, such that a malicious site could do cross-site scripting (XSS) or HTML injection into the chrome trusted zone. That would allow the remote site to potentially perform any action the browser could: access the filesystem, retrieve web site passwords, execute programs, and so on.
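The failure pattern described above, reduced to an added Python illustration (not code from any of the named extensions or from the presentation): an XML parser decodes an entity-encoded RSS description into live markup, so the reader has to insert it as text rather than as HTML. The feed, the function names and the inert onerror value are constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed. The second description is entity-encoded markup,
# which is how RSS normally carries HTML; its event handler is an inert no-op.
FEED = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Plain</title><description>Release notes for 1.0</description></item>
<item><title>Markup</title><description>&lt;img src="x" onerror="void 0"&gt;&lt;b&gt;hi&lt;/b&gt;</description></item>
</channel></rss>"""

TEMPLATE = "<div class='item'><h3>%s</h3><p>%s</p></div>"


def feed_items(feed_xml):
    """Return (title, description) pairs; the XML parser decodes the entities."""
    root = ET.fromstring(feed_xml)
    return [(item.findtext("title", ""), item.findtext("description", ""))
            for item in root.iter("item")]


def render_unsafe(title, description):
    """The flawed pattern: remote text is spliced into the page as markup."""
    return TEMPLATE % (title, description)


def render_as_text(title, description):
    """The hardened pattern: remote text is escaped, so it can only be text."""
    return TEMPLATE % (html.escape(title), html.escape(description))


class _Elements(HTMLParser):
    """Record every element a fragment would create, with its on* attributes."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        handlers = sorted(name for name, _ in attrs if name.startswith("on"))
        self.found.append((tag, handlers))


def elements_created(fragment):
    """List (tag, event-handler attributes) for each element in the fragment."""
    parser = _Elements()
    parser.feed(fragment)
    parser.close()
    return parser.found


def audit(feed_xml, render):
    """Elements each rendered item would add to the reader's document."""
    return [elements_created(render(t, d)) for t, d in feed_items(feed_xml)]
```

Only the three template elements should ever appear in the audit output; anything else came from the remote feed.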
The presentation has several proof-of-concept examples; the one associated with Feed Sidebar steals all of the login credentials and sends them off to a remote site. Another example using the ScribeFire extension sets up a reverse VNC session so that an attacker could view the desktop of the browser user. Yet another uses XSS to send a copy of /etc/passwd off to a remote site. These are all very potent exploits that could be used to seriously compromise users' privacy and security.
There are certainly more of these problems out there (beyond even the three undisclosed, thus presumably unpatched, vulnerabilities). Part of the problem is that the "Mozilla extension security model is nonexistent", according to Freeman and Liverani's presentation. All extensions are treated as completely trusted code by Firefox. In addition, there are no security boundaries between the extensions, so one can quietly modify another. They also note that other Mozilla applications that allow extensions (e.g. Thunderbird) are also susceptible to these kinds of vulnerabilities.
Many Firefox extensions are available through addons.mozilla.org (AMO), but the researchers point out that extension developers, and the AMO reviewers, are not necessarily security experts, so bugs like these may slip through. They also note that the NoScript extension, with its XSS protection, may be giving a false sense of security. NoScript whitelists chrome: URLs, which means that it provides no protection against malicious or buggy extensions.
In many ways, it should come as no surprise that there are bugs—and security holes—in Firefox extensions, but it is a problem that has largely flown under the radar. Malicious extensions, downloaded from sites other than AMO, are a fairly well-understood vector for attack—at least to users who are somewhat security-conscious. Extensions that have, or appear to have, the "blessing" of AMO are a bit of a different story. Many users, even those who pay attention to security issues, may well expect that those extensions are rigorously vetted, which seems not to be the case.
There is no reason to believe that these vulnerabilities were anything other than "standard" programming errors, but those with a malicious intent probably could sneak vulnerabilities into AMO extensions—perhaps they have already done so. The presentation lists two plausible scenarios for how malware authors might get vulnerabilities introduced into extensions, particularly popular or recommended extensions.
This research gives us yet another attack vector to be worried about, but there is also some useful information on what to look for in extensions that could lead to these kinds of flaws. With luck, that will help reduce the number of extensions with holes. That still leaves us with the worry about malicious extension authors. Without a more rigorous review of extensions—even that won't find every flaw—there is little that can be done. It is a problem that will likely be with us for quite some time.
Brief items
Walsh: Secure Virtualization Using SELinux (sVirt)
Red Hat SELinux hacker Dan Walsh writes about Secure Virtualization (sVirt) on his web log. The basic idea is to leverage SELinux to isolate virtual machines from each other and from the host. "After virtualization, we have multiple services running on the same host. If a virtual machine is broken into, the cracker just needs to break though the hypervisor. If a hypervisor vulnerability exists, the cracker can take over all of the virtual machines on the host. He can even write into any virtual host images that are accessible from the host machine. [...] This is very scary stuff. The question is not 'if', but 'when'. Hacker/cracker conventions are already examining hypervisor vulnerabilities. Crackers have already broken though the xen hypervisor, as I documented in one of my previous blogs."
New vulnerabilities
buildbot: cross-site scripting
| Package(s): | buildbot | CVE #(s): | |
| Created: | August 24, 2009 | Updated: | August 26, 2009 |
| Description: | From the buildbot advisory: In addition to the XSS vulnerability announced on August 12, several other such vulnerabilities were discovered in other portions of the Buildbot web status, by Nicolas Sylvain and Nicolás Alvarez. The severity of these vulnerabilities is no different than that announced on August 12, except that the vulnerabilities are not limited to the waterfall view. |
expat: denial of service
| Package(s): | expat | CVE #(s): | CVE-2009-2625 |
| Created: | August 24, 2009 | Updated: | June 13, 2011 |
| Description: | From the Gentoo bug report: Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. |
gnutls: certificate spoofing vulnerability
| Package(s): | gnutls12, gnutls13, gnutls26 | CVE #(s): | CVE-2009-2730 |
| Created: | August 20, 2009 | Updated: | February 16, 2010 |
| Description: | From the National Vulnerability Database entry: "libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority." |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2009-2698 |
| Created: | August 24, 2009 | Updated: | March 21, 2011 |
| Description: | From the Red Hat advisory: a flaw was found in the udp_sendmsg() implementation in the Linux kernel when using the MSG_MORE flag on UDP sockets. A local, unprivileged user could use this flaw to cause a local denial of service or escalate their privileges. (CVE-2009-2698, Important) |
kernel: multiple vulnerabilities
| Package(s): | linux-2.6 | CVE #(s): | CVE-2009-2846 CVE-2009-2847 CVE-2009-2848 CVE-2009-2849 |
| Created: | August 25, 2009 | Updated: | October 8, 2010 |
| Description: | From the Debian advisory: Michael Buesch noticed a typing issue in the eisa-eeprom driver for the hppa architecture. Local users could exploit this issue to gain access to restricted memory. (CVE-2009-2846) Ulrich Drepper noticed an issue in the do_sigaltstack routine on 64-bit systems. This issue allows local users to gain access to potentially sensitive memory on the kernel stack. (CVE-2009-2847) Eric Dumazet discovered an issue in the execve path, where the clear_child_tid variable was not being properly cleared. Local users could exploit this issue to cause a denial of service (memory corruption). (CVE-2009-2848) Neil Brown discovered an issue in the sysfs interface to md devices. When md arrays are not active, local users can exploit this vulnerability to cause a denial of service (oops). (CVE-2009-2849) |
libneon: man in the middle attack
| Package(s): | libneon0.27 | CVE #(s): | CVE-2009-2474 |
| Created: | August 25, 2009 | Updated: | December 4, 2009 |
| Description: | From the Mandriva advisory: neon before 0.28.6, when OpenSSL is used, does not properly handle a '\0' (NUL) character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 |
neon: denial of service, man in the middle attack
| Package(s): | neon | CVE #(s): | CVE-2009-2473 |
| Created: | August 21, 2009 | Updated: | January 17, 2013 |
| Description: | From the Fedora advisory: There are two security issues in neon: the "billion laughs" attack against expat could allow a Denial of Service attack by a malicious server. (CVE-2009-2473), and an embedded NUL byte in a certificate subject name could allow an undetected MITM attack against an SSL server if a trusted CA issues such a cert. |
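The gnutls, libneon and neon entries above describe the same mistake. An added Python illustration (not code from any of those libraries) of why it happens: the certificate stores the name with an explicit length, so a 0x00 byte is legal in the encoding, and a comparison that stops at the first NUL sees a different name than the one the CA signed. The host names and helper names are constructed, and wildcard matching is left out.

```python
import re

STRING_TAGS = (0x0C, 0x13, 0x16)  # UTF8String, PrintableString, IA5String


def der_string_value(tlv):
    """Contents of a short-form DER string: tag byte, length byte (< 128), value."""
    if len(tlv) < 2 or tlv[0] not in STRING_TAGS or tlv[1] >= 0x80:
        raise ValueError("not a short-form DER string")
    if len(tlv) != 2 + tlv[1]:
        raise ValueError("length byte does not match the value")
    return tlv[2:]


def as_c_string(value):
    """What a NUL-terminated string function sees: the bytes before the first 0x00."""
    return value.split(b"\x00", 1)[0]


def truncating_match(name, host):
    """The flawed comparison: the certificate name is treated as a C string."""
    return as_c_string(name).lower() == host.lower().encode("ascii")


# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(rb"(?!-)[a-z0-9-]{1,63}(?<!-)")


def length_aware_match(name, host):
    """Compare every byte the certificate carries, rejecting non-hostname bytes."""
    name = name.lower()
    if not all(_LABEL.fullmatch(label) for label in name.split(b".")):
        return False  # embedded NUL, empty label, or another illegal byte
    return name == host.lower().encode("ascii")


# Constructed sample: a Common Name value as it would sit inside a certificate.
CN_BYTES = b"www.bank.example\x00.attacker.test"
CN_TLV = bytes([0x0C, len(CN_BYTES)]) + CN_BYTES
```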
ocsinventory: SQL injection
| Package(s): | ocsinventory | CVE #(s): | |
| Created: | August 21, 2009 | Updated: | August 26, 2009 |
| Description: | SQL injection vulnerability found in GUI V.1.02 |
php5: remote denial of service
| Package(s): | php5 | CVE #(s): | CVE-2009-2687 |
| Created: | August 25, 2009 | Updated: | February 23, 2010 |
| Description: | From the Ubuntu advisory: It was discovered that PHP did not properly handle certain malformed JPEG images when being parsed by the Exif module. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service. |
pidgin: "crash" from crafted URL
| Package(s): | pidgin | CVE #(s): | |
| Created: | August 24, 2009 | Updated: | August 26, 2009 |
| Description: | From the Fedora advisory: 2.6.1 fixes an issue where pidgin can crash if you are sent a certain type of URL over Yahoo. |
squirrelmail: cross-site request forgery
| Package(s): | squirrelmail | CVE #(s): | |
| Created: | August 21, 2009 | Updated: | August 26, 2009 |
| Description: | From the Red Hat bugzilla: It was reported that SquirrelMail did not implement protections against cross-site request forgery (CSRF) attacks. This can be exploited to e.g. change user preferences, delete emails, and potentially send emails when a logged-in user visits a malicious web page. |
wordpress: multiple vulnerabilities
| Package(s): | wordpress | CVE #(s): | CVE-2009-2854 CVE-2009-2851 CVE-2009-2853 |
| Created: | August 24, 2009 | Updated: | August 28, 2009 |
| Description: | From the Debian advisory: CVE-2009-2854: It was discovered that wordpress lacks authentication checks in various actions, thus allowing remote attackers to produce unauthorised edits or additions. CVE-2009-2851: It was discovered that the administrator interface is prone to a cross-site scripting attack. CVE-2009-2853: It was discovered that remote attackers can gain privileges via certain direct requests. |
xerces-c27: stack consumption vulnerability
| Package(s): | xerces-c27 | CVE #(s): | CVE-2009-1885 |
| Created: | August 25, 2009 | Updated: | December 4, 2009 |
| Description: | From the CVE entry: Stack consumption vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 2.7.0 and 2.8.0 allows context-dependent attackers to cause a denial of service (application crash) via vectors involving nested parentheses and invalid byte values in "simply nested DTD structures," as demonstrated by the Codenomicon XML fuzzing framework. |
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current development kernel is 2.6.31-rc7, released on August 21. "But apart from a couple of bigger ones (OMAP GPIO/UART fixes and the radeon/kms changes), it's really pretty small. The bulk of those 290 files changed are basically few-liners in 213 commits (shortlog below), and in general we should have cut down the regression list another tiny bit." The short format changelog is in the announcement, along with some other descriptions of changes and areas that need testing.
The current unresolved regression count stands at 26, out of a total reported of 108.
Kernel development news
Quotes of the week
+ if (iommu->cap == (uint64_t)-1 && iommu->ecap == (uint64_t)-1) {
+ /* Promote an attitude of violence to a BIOS engineer today */
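Review bot: the comment under the `iommu->cap == (uint64_t)-1 && iommu->ecap == (uint64_t)-1` test does not say what an all-ones value in both registers indicates or what the branch does about it. A line stating the condition being detected and the action taken would serve the next reader better than the joke alone; the body of the branch is not visible in this excerpt, so whether it warns, skips the unit or bails out cannot be judged from here.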
In brief
What is direct I/O, really? Linux, like many operating systems, supports direct I/O operations to block devices. But how, exactly, should programmers expect direct I/O to work? As a recent document posted by Ted Ts'o notes, there is no real specification for what direct I/O means:
Ted's document is an attempt to better specify what is really going on when a process requests a direct I/O operation. It is currently focused on the ext4 filesystem, but the hope is to forge a consensus among Linux filesystem developers so that consistent semantics can be obtained on all filesystems.
Can you thaw out TuxOnIce? TuxOnIce is the perennially out-of-tree hibernation implementation. It has a number of nice features which are not available with the mainstream version; these features have never managed to get into a form where they could be merged. TuxOnIce developer Nigel Cunningham has recently concluded that it looks like this merger is not going to happen because the relevant people are simply too busy. He says:
In response, he is now actively looking for developers who would like to take on the task of getting TuxOnIce (or, at least, parts of it) into the mainline. He has put together a "todo" list for potentially interested parties.
Lazy workqueues. Kernel developers have been concerned for years that the number of kernel threads was growing beyond reason; see, for example, this article from 2007. Jens Axboe recently became concerned himself when he noticed that his system (a modest 64-processor box) had 531 kernel threads running on it. Enough, he decided, was enough.
His response was the lazy workqueue concept. As might be expected, this patch is an extension of the workqueue mechanism. A "lazy" workqueue can be created with create_lazy_workqueue(); it will be established with a single worker thread. Unlike single-threaded workqueues, though, lazy workqueues still try to preserve the concept of dedicated, per-CPU worker threads. Whenever a task is submitted to a lazy workqueue, the kernel will direct it toward the thread running on the submitting CPU; if no such thread exists, the kernel will create it. These threads will exit if they are idle for a sufficient period.
The end result was a halving of the number of kernel threads on Jens's system. That still seems like too many threads, but it's a good step in the right direction.
Embedded x86. Thomas Gleixner started his patch series with a note that the "embedded nightmare" has finally come to the x86 architecture. The key development here is a new set of patches intended to support Intel's new "Moorestown" processor series; these patches added a bunch of code to deal with the new quirks in this processor. Rather than further clutter the x86 architecture code, Thomas decided that it was time for a major cleanup.
The result is a new, global platform_setup structure designed to tell the architecture code how to set up the current processor. It includes a set of function pointers which handle platform-specific tasks like locating BIOS ROMs, setting up interrupt handling, initializing clocks, and much more; it is a 32-part patch in all. This new structure is able to encapsulate many of the initialization-time differences between the 32-bit and 64-bit x86 architectures, the new "Moorestown" architecture, and various virtualized variants as well. It is also runtime-configurable, so a single kernel should be able to run efficiently on any of the supported systems.
O_NOSTD. Longstanding Unix practice dictates that applications are started with the standard input, output, and error I/O streams on file descriptors 0, 1, and 2, respectively. The assumption that these file descriptors will be properly set up is so strong that most developers never think to check them. So interesting things can happen if an application is run with one or more of the standard file descriptors closed.
Consider, for example, running a program with file descriptor 2 closed. The next file the program opens will be assigned that descriptor. If something then causes the program to write to (what it thinks is) the standard error stream, that output will, instead, go to the other file which had been opened, probably corrupting that file. A malicious user can easily make messes this way; when setuid programs are involved, the potential consequences are worse.
There are a number of ways to avoid falling into this trap. An application can, on startup, ensure that the first three file descriptors are open. Or it can check the returned file descriptor from open() calls and use dup() to change the descriptor if need be. But these options are expensive, especially considering that, almost all of the time, the standard file descriptors are set up just as they should be.
Eric Blake has proposed a new alternative in the form of the O_NOSTD flag. The semantics are simple: if this flag is provided to an open() call, the kernel will not return one of the "standard" file descriptors. If this patch goes in (and there does not seem to be any opposition to that), application developers will be able to use it to ensure that they are not getting any file descriptor surprises without additional runtime cost.
There is a cost, of course, in the form of a non-standard flag that will not be supported on all platforms. One could almost argue that it would be better to add a specific flag for cases where a file descriptor in the [0..2] range is desired. But that would be a major ABI change to say the least; it's not an idea that would be well received.
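The two user-space defenses described above (checking descriptors 0 to 2 at startup, and moving a freshly opened descriptor out of that range) can be written as follows. This is an added example, not code from Eric Blake's patch; the names sanitize_std_fds(), open_nostd() and demo_stdin_closed() are hypothetical, and the proposed O_NOSTD flag itself is not used.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Startup check: make sure descriptors 0, 1 and 2 are all open, pointing any
 * closed one at /dev/null. Returns 0 on success, -1 on failure. */
int sanitize_std_fds(void)
{
    int fd, nfd;

    for (fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                     /* already open */
        /* Every lower descriptor is open by now, so open() normally hands
         * back exactly fd; dup2() covers the case where it does not. */
        nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
    }
    return 0;
}

/* Per-call check: open a file, and if the kernel assigned 0, 1 or 2, move the
 * descriptor to 3 or above. Close-on-exec is carried over atomically. */
int open_nostd(const char *path, int flags, mode_t mode)
{
    int fd = open(path, flags, mode);
    int moved, saved;

    if (fd == -1 || fd > 2)
        return fd;
    moved = fcntl(fd, (flags & O_CLOEXEC) ? F_DUPFD_CLOEXEC : F_DUPFD, 3);
    saved = errno;
    close(fd);                            /* free the low slot again */
    errno = saved;
    return moved;
}

/* Demonstration: with stdin closed, a plain open() lands on descriptor 0,
 * while open_nostd() does not. Returns the descriptor open_nostd() chose,
 * or -1 if the plain open() did not behave as described. */
int demo_stdin_closed(void)
{
    int plain;

    close(STDIN_FILENO);
    plain = open("/dev/null", O_RDONLY);  /* lowest free descriptor: 0 */
    if (plain != STDIN_FILENO)
        return -1;
    close(plain);
    return open_nostd("/dev/null", O_RDONLY, 0);
}

int main(void)
{
    if (sanitize_std_fds() == -1)
        return 1;
    printf("open_nostd returned fd %d\n", demo_stdin_closed());
    return 0;
}
```

Both checks cost extra system calls in the common case where nothing is wrong, which is the expense the article refers to.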
Linux-ARM mailing lists. Russell King has announced that the ARM-related mailing lists on arm.linux.kernel.org will be shut down immediately. He is, it seems, not happy about some of the criticism he has received about the operation of those lists. So the lists will be moving, though exactly where is not entirely clear. David Woodhouse has created a new set of lists on infradead; he appears to have moved the subscriber lists over as well. There is also a push to move the list traffic to vger, but the preservation of the full set of lists and their subscribers suggests that the infradead lists are the ones which will actually get used.
Page-based direct I/O
An "address space" in kernel jargon is a mapping between a range of addresses and their representation in an underlying filesystem or device. There is an address space associated with every open file; any given address space may or may not be tied to a virtual memory area in a process's virtual (memory) address space. In a typical process, a number of address spaces will exist for mappings of the executable being run, files the process has open, and ranges of anonymous user memory (which use swap as their backing store). There are a number of ways for processes to operate on their address spaces, one of the stranger of which is direct I/O. A new patch series from Jens Axboe looks to rationalize the direct I/O path a bit, making it more flexible in the process.
The idea behind direct I/O is that data blocks move directly between the storage device and user-space memory without going through the page cache. Developers use direct I/O for either (or both) of two reasons: (1) they believe they can manage caching of file contents better than the kernel can, or (2) they want to avoid overflowing the page cache with data which is unlikely to be of use in the near future. It is a relatively little-used feature which is often combined with another obscure kernel capability: asynchronous I/O. The biggest consumers, by far, of this functionality are large relational database systems, so it is not entirely surprising that a developer currently employed by Oracle is working in this area.
When the kernel needs to do something with an address space, it usually looks into the associated address_space_operations structure for an appropriate function. So, for example, normal file I/O is handled with:
int (*writepage)(struct page *page, struct writeback_control *wbc);
int (*readpage)(struct file *filp, struct page *page);
As with the bulk of low-level, memory-oriented kernel operations, these functions operate on page structures. When memory is managed at this level, there is little need to worry about whether it is user-space or kernel memory, or whether it is in the high-memory zone. It's all just memory. The function which handles direct I/O looks a little different, though:
ssize_t (*direct_IO)(int rw, struct kiocb *iocb, const struct iovec *iov,
                     loff_t offset, unsigned long nr_segs);
The use of the kiocb structure shows the assumption that direct I/O will be submitted through the asynchronous I/O path. Beyond that, though, the iovec structure pointing to the buffers to be transferred comes directly from user space, and it contains user-space addresses. That, in turn, implies that the direct_IO() function must itself deal with the process of getting access to the user-space buffers. That task is generally handled in VFS-layer generic code, but there's another problem: the direct_IO() function cannot be called on kernel memory.
The kernel does not normally need to use the direct I/O paths itself, but there is one exception: the loopback driver. This driver allows an ordinary file to be mounted as if it were a block device; it can be most useful for accessing filesystem images stored within disk files. But files accessed via a loopback mount may well be represented in the page cache twice: once on each side of the loopback mount. The result is a waste of memory which could probably be put to better uses.
It would, in summary, be nice to change the direct_IO() interface to avoid this memory waste, and to make it a little bit more consistent with the other address space operations. That is what Jens's patch does. With that patch, the interface becomes:
struct dio_args {
    int rw;
    struct page **pages;
    unsigned int first_page_off;
    unsigned long nr_segs;
    unsigned long length;
    loff_t offset;
    /*
     * Original user pointer, we'll get rid of this
     */
    unsigned long user_addr;
};
ssize_t (*direct_IO)(struct kiocb *iocb, struct dio_args *args);
In the new API, many of the relevant parameters have been grouped into the dio_args structure. The memory to be transferred can be found by way of the pages array. The higher-level VFS direct I/O code now handles the task of mapping user-space buffers and creating the pages array.
The impact on the code is, for the most part, small; it's mostly a matter of moving the location where the translation from user-space address to page structures is done. The current code does have a potential problem in that it only processes one I/O segment at a time, possibly creating performance problems for some kinds of applications. That mode of operation is not really wired into the system, though, and can presumably be fixed at some point.
The only other objection came from Andrew Morton, who does not like the way Jens implemented the process of working through the array of page structures. The index into this array (called head_page) is built into struct dio and hidden from the code which is actually working through the pages; that leads to potential confusion, especially if the operation aborts partway through. Andrew called it "a disaster waiting to happen" and recommended that indexing be made explicit where the pages array is processed.
That is a detail, though - albeit a potentially important one. The core goals and implementation appear to have been received fairly well. It seems highly unlikely that this code could be ready for the 2.6.32 merge window, but we might see it aiming for the mainline in a subsequent development cycle.
Development statistics for 2.6.31
The Linux Foundation recently announced the release of an updated version of its kernel authorship report, co-written by LWN editor Jonathan Corbet. The information there is interesting, but, since it stops with the 2.6.30 kernel, it also is ancient history at this point. 2.6.30 came out two full months ago, after all. LWN readers, certainly, are used to more current information. Since 2.6.31 is getting close to ready, it seems like the right time to look at this development cycle and see where the code came from.
As of this writing (just after the release of 2.6.31-rc7), the 2.6.31 development cycle had seen the incorporation of 10,663 non-merge changesets from 1,146 individual developers. These patches added almost 903,000 lines of code and removed just over 494,000 lines, for a net growth of just over 408,000 lines. According to Rafael Wysocki's August 25 report, this work introduced 108 regressions into the kernel, 26 of which still lack a resolution.
The largest individual contributors in the 2.6.31 development cycle were:
Most active 2.6.31 developers
By changesets
| Ingo Molnar | 276 | 2.6% |
| Peter Zijlstra | 260 | 2.4% |
| Paul Mundt | 204 | 1.9% |
| Takashi Iwai | 150 | 1.4% |
| Bartlomiej Zolnierkiewicz | 149 | 1.4% |
| Steven Rostedt | 139 | 1.3% |
| Tejun Heo | 134 | 1.3% |
| Johannes Berg | 133 | 1.2% |
| Magnus Damm | 119 | 1.1% |
| Mike Frysinger | 115 | 1.1% |
| roel kluin | 105 | 1.0% |
| Greg Kroah-Hartman | 101 | 0.9% |
| Erik Andrén | 100 | 0.9% |
| Paul Mackerras | 85 | 0.8% |
| Mark Brown | 85 | 0.8% |
| Bill Pemberton | 82 | 0.8% |
| Jaswinder Singh Rajput | 79 | 0.7% |
| Ben Dooks | 72 | 0.7% |
| Joe Perches | 72 | 0.7% |
| Alexander Beregalov | 71 | 0.7% |
By changed lines
| Bartlomiej Zolnierkiewicz | 220749 | 18.3% |
| Jerry Chuang | 78441 | 6.5% |
| Forest Bond | 50834 | 4.2% |
| David Daney | 40052 | 3.3% |
| Jerome Glisse | 38604 | 3.2% |
| Vlad Zolotarov | 23260 | 1.9% |
| Ingo Molnar | 22614 | 1.9% |
| James Smart | 19209 | 1.6% |
| Bill Pemberton | 17249 | 1.4% |
| dmitry pervushin | 14532 | 1.2% |
| Greg Kroah-Hartman | 13234 | 1.1% |
| Wai Yew CHAY | 12741 | 1.1% |
| Michael Chan | 11887 | 1.0% |
| Linus Walleij | 11626 | 1.0% |
| Paul Mundt | 10735 | 0.9% |
| Peter Zijlstra | 10202 | 0.8% |
| Zhu Yi | 10197 | 0.8% |
| Ben Dooks | 10150 | 0.8% |
| Johannes Berg | 9532 | 0.8% |
| Kalle Valo | 9263 | 0.8% |
Ingo Molnar always shows up near the top of the changeset statistics. He has, as usual, contributed work all over the core kernel and x86 architecture code, but the bulk of his work this time is in the performance counters code; most of Peter Zijlstra's contributions were also in this area. The merging of this fast-changing subsystem caused those two developers to be responsible for 5% of the patches going into the 2.6.31 release. Paul Mundt wrote a vast number of Super-H architecture patches, and Takashi Iwai contributed large numbers of ALSA patches.
#5 on the changesets list is Bartlomiej Zolnierkiewicz, who also comes out on top in terms of the number of lines changed. He contributed a few IDE patches, despite having handed off responsibility for that subsystem, but most of his work went into the cleaning-up of Ralink wireless drivers in the staging tree. This cleanup resulted in the removal of an amazing 208,000 lines of code. Jerry Chuang added the RealTek RTL8192SU wireless driver (to staging), Forest Bond added the VIA Technologies VT6655 driver (to staging), David Daney did a bunch of MIPS work (including adding the Octeon Ethernet driver to the staging tree), and Jerome Glisse added kernel mode setting support for Radeon graphics chipsets.
As we have seen in the past few development cycles, the staging tree is the source of much of the change in the kernel tree. The nature of that change is, itself, changing, though. The rush of adding out-of-tree drivers to the staging tree has slowed considerably; we're starting to see more work dedicated to fixing up the code which is already there.
The developers contributing to 2.6.31 were supported by a minimum of 194 employers. The most active of those were:
Most active 2.6.31 employers
By changesets
| (None) | 1704 | 16.0% |
| Red Hat | 1587 | 14.9% |
| Intel | 878 | 8.2% |
| (Unknown) | 846 | 7.9% |
| IBM | 667 | 6.3% |
| Novell | 614 | 5.8% |
| Renesas Technology | 345 | 3.2% |
| Fujitsu | 223 | 2.1% |
| (Consultant) | 212 | 2.0% |
| Analog Devices | 212 | 2.0% |
| Oracle | 175 | 1.6% |
| Nokia | 131 | 1.2% |
| AMD | 129 | 1.2% |
| Atheros Communications | 118 | 1.1% |
| MontaVista | 104 | 1.0% |
| Xelerated AB | 100 | 0.9% |
| (Academia) | 92 | 0.9% |
| NetApp | 91 | 0.9% |
| HP | 86 | 0.8% |
| Wolfson Microelectronics | 85 | 0.8% |
By lines changed
| (None) | 311803 | 25.8% |
| Red Hat | 124831 | 10.3% |
| Realtek | 78441 | 6.5% |
| Intel | 62559 | 5.2% |
| Broadcom | 51806 | 4.3% |
| Logic Supply | 51401 | 4.3% |
| (Unknown) | 47165 | 3.9% |
| Cavium Networks | 40086 | 3.3% |
| IBM | 39991 | 3.3% |
| Novell | 31979 | 2.6% |
| Renesas Technology | 31674 | 2.6% |
| (Consultant) | 23659 | 2.0% |
| Emulex | 19209 | 1.6% |
| University of Virginia | 17607 | 1.5% |
| Nokia | 16234 | 1.3% |
| Embedded Alley Solutions | 15229 | 1.3% |
| Creative Technology | 12741 | 1.1% |
| Oracle | 11704 | 1.0% |
| Analog Devices | 10760 | 0.9% |
| Texas Instruments | 10639 | 0.9% |
The top group in either category is developers working on their own time, followed by Red Hat, which merged a few large chunks of code this time around.
A look at non-author signoffs (a hint as to which subsystem maintainers admitted the patches into the mainline) shows a continuation of recent trends:
Top non-author signoffs in 2.6.31
Individuals
| David S. Miller | 964 | 10.1% |
| Ingo Molnar | 948 | 9.9% |
| Greg Kroah-Hartman | 582 | 6.1% |
| John W. Linville | 575 | 6.0% |
| Andrew Morton | 569 | 6.0% |
| Mauro Carvalho Chehab | 535 | 5.6% |
| Linus Torvalds | 254 | 2.7% |
| James Bottomley | 237 | 2.5% |
| Benny Halevy | 191 | 2.0% |
| Paul Mundt | 159 | 1.7% |
Employers
| Red Hat | 3686 | 38.7% |
| Novell | 1061 | 11.1% |
| Intel | 829 | 8.7% |
| | 572 | 6.0% |
| (None) | 422 | 4.4% |
| IBM | 383 | 4.0% |
| Linux Foundation | 254 | 2.7% |
| Oracle | 228 | 2.4% |
| Panasas | 193 | 2.0% |
| (Consultant) | 168 | 1.8% |
49.8% of the patches going into the mainline for 2.6.31 passed through the hands of developers working for just two companies: Red Hat and Novell. Linux kernel developers work for a large number of companies, but subsystem maintainers are increasingly concentrated in a very small number of places.
In summary, it is a fairly typical development cycle for the kernel in recent times. The number of changes is high (but not a record), as is the number of developers. The transient effect of the staging tree is beginning to fade; it is becoming just another path for drivers heading into the mainline. As a whole, the process seems to be functioning in a smooth and robust manner.
(As always, your editor would like to thank Greg Kroah-Hartman for his assistance in the preparation of these statistics.)
HWPOISON
One downside to the ever-increasing memory size available on computers is an increase in memory failures. As memory density increases, error rates also rise. To offset this increased error rate, recent processors have included support for "poisoned" memory, an adaptive method for flagging and recovering from memory errors. The HWPOISON patch recently developed by Andi Kleen and Fengguang Wu provides the Linux kernel support for memory poisoning. Thus, when HWPOISON is coupled with the appropriate fault-tolerant processors, Linux users can enjoy systems that are more tolerant to memory errors in spite of increased memory densities.
Memory errors are classified as either soft (transient) or hard (permanent). In soft errors, cosmic rays or random errors can toggle the state of a bit in a SRAM or DRAM memory cell. In hard errors, memory cells become physically degraded. Hardware can detect - and automatically correct - some of these errors via Error Correcting Codes (ECC). While single bit data errors can be corrected via ECC, multi-bit data errors cannot. For these uncorrectable errors, the hardware typically generates a trap which, in turn, causes a kernel panic.
The blanket action of crashing the machine for all uncorrected soft and hard memory errors is sometimes over-reactive. If the detected memory error never actually corrupts executing software, then ignoring or isolating the error is the most desirable action. Memory "poisoning", with its delayed handling of errors, allows for a more graceful recovery from and isolation of uncorrected memory errors rather than just crashing the system. However, memory poisoning requires both hardware and kernel support.
The HWPOISON patch is very timely: Intel's recent preview of its Xeon processor (codenamed Nehalem-EX) promises support for memory poisoning. Intel has included its Machine Check Abort (MCA) Recovery architecture in Nehalem-EX. Originally developed for ia64 processors, Intel's MCA Recovery architecture supports memory poisoning and various other hardware failure recovery mechanisms. While HWPOISON adopted Intel's usage of the term "poisoning", this should not be confused with the unrelated Linux kernel concept of poisoning: writing a pattern to memory to catch uninitialized memory.
While the specifics of how hardware and the kernel might implement memory poisoning vary, the general concept is as follows. First, hardware detects an uncorrectable error from memory transfers into the system cache or on the system bus. Alternatively, memory may be occasionally "scrubbed." That is, a background process may initiate an ECC check on one or more memory pages. In either case, the hardware doesn't immediately cause a machine check but rather flags the data unit as poisoned until read (or consumed). Later, when erroneous data is read by executing software, a machine check is initiated. If the erroneous data is never read, no machine check is necessary. For example, a modified cache line written back to main memory may have a data word error that is marked as poisoned. Once the poisoned data is actually used (loaded into a processor register, etc.), a machine check occurs, but not before. Thus, any poisoning machine check event may happen long after the corresponding data error event.
HWPOISON is a poisoned data handler invoked by the low-level Linux machine check code. Where possible, HWPOISON attempts to gracefully recover from memory errors, and contain faulty hardware to prevent future errors. At first glance, an obvious solution for the poison handler would focus on the specific process and memory address(es) associated with the data error. However, this is infeasible for two reasons. First, the offending instruction and process cannot be determined due to delays between the data error consumption and execution of the poison handler. These delays include asynchronous hardware reporting of the machine check event, and delayed execution of the handler via a workqueue. Thus, a different process may be executing by the time the HWPOISON handler is ready to act. Second, bad-memory containment must be done at a level where the kernel actually manages memory. Thus, HWPOISON focuses on memory containment at the page granularity rather than the low granularity supported by Intel's MCA Recovery hardware.
HWPOISON finds the page containing the poisoned data and attempts to isolate this page from further use. Potentially corrupted processes can then be located by finding all processes that have the corrupted page mapped. HWPOISON performs a variety of different actions. Its exact behavior depends upon the type of corrupted page and various kernel configuration parameters.
To enable the HWPOISON handler, the kernel configuration parameter MEMORY_FAILURE must be set. Otherwise, hardware poisoning will cause a system panic. Additionally, the architecture must support data poisoning. As of this writing, HWPOISON is enabled for all architectures to make testing on any machine possible via a user-mode fault injector, which is detailed below.
The handler must allow for multiple poisoning events occurring in a short time window. HWPOISON uses a bit in the flags field of a struct page to mark and lock a page as poisoned. Since page flags are currently in short supply, this choice was not made without consternation and debate by kernel hackers. See this LWN article for further details about this issue. In any case, this bit allows previously poisoned pages to be ignored by the handler.
The handler ignores the following types of pages: 1) pages that have been previously poisoned, 2) pages that are outside of kernel control (an invalid page frame number), 3) reserved kernel pages, and 4) pages with usage count of zero, which implies either a free or higher order kernel page. The poisoned bit in the flags field serves as a lock allowing rapid-fire poisoning machine checks on the same page to be handled only once by ignoring subsequent calls to the handler. Reserved kernel pages and zero count pages are ignored with the peril of a system panic. However, these pages containing critical kernel data cannot be isolated. Thus, HWPOISON has no useful options for recovery.
In addition to ignoring pages, possible HWPOISON actions include recovery, delay, and failure. Recovery means HWPOISON took action to isolate a page. Ignore, failure, and delay are all similar in that the page was not completely isolated, except for flagging the page as poisoned. With delay, handling can be safely postponed until a later time when the page might be referenced. By delaying, some transient errors may not reoccur or may be irrelevant. HWPOISON delays any action on kernel slab or buddy allocator pages or free pages. With failure, HWPOISON could in principle handle the page, but does not support doing so. HWPOISON takes an action of failure on unknown or huge pages. Huge pages fail since reverse mapping is not supported to identify the process which owns the page.
Clean pages in either the swap or page cache can be easily recovered by invalidating the cache entry for these pages. Since these pages have a duplicate backing copy on disk, the in-memory cache copy can be invalidated. Unlike clean pages, dirty pages in these caches have differences between the memory and disk copies. Thus, poisoned dirty pages may have important data corruption. However, dirty pages in the page cache are recovered by invalidation of the cache. Additionally, a page error is set for the dirty page cache page so subsequent user system calls on the file associated with the page will return an I/O error. Dirty pages in the swap cache are handled in a delayed fashion. The dirty flag is cleared for the page and the page swap cache entry is maintained. On a later page fault the associated application will be killed.
To recover from poisoned, user-mapped pages, HWPOISON first finds all user processes which mapped the corrupted page. For clean pages with backing store, HWPOISON need not take recovery action since the process does not need to be killed. Dirty pages are unmapped from all associated processes, which are subsequently killed. Two VM sysctl parameters are supported by HWPOISON with respect to killing user processes: vm.memory_failure_early_kill and vm.memory_failure_recovery. Setting the vm.memory_failure_early_kill parameter causes an immediate SIGBUS to be sent to the user process(es). The kill is done using a catchable SIGBUS with BUS_MCEERR_AO. Thus, processes can decide how they want to handle the data poisoning. The vm.memory_failure_recovery parameter delays the killing: the page is merely unmapped by HWPOISON. When this unmapped page is actually referenced at a later time, a SIGBUS will be sent.
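One way a process might use the catchable SIGBUS described above: record the reported address in the handler, then replace the affected page of a rebuildable cache from the main loop. This is an added example, not code from the HWPOISON patch set; the cache layout and all function names are hypothetical, and delivery is simulated by calling the handler with a constructed siginfo_t, since a real event needs poisoned memory or the fault injector.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef BUS_MCEERR_AO
#define BUS_MCEERR_AO 5                 /* Linux si_code value, for older headers */
#endif

static unsigned char *cache;            /* rebuildable data, e.g. a read cache */
static size_t cache_len;
static void *volatile bad_addr;         /* written by the handler */
static volatile sig_atomic_t pending;   /* single slot: one event at a time */

/* SIGBUS handler, async-signal-safe work only. An "action optional" report
 * that falls inside the cache is recorded for the main loop; any other
 * SIGBUS gets the default (fatal) treatment. */
void on_sigbus(int sig, siginfo_t *si, void *ctx)
{
    uintptr_t a = (uintptr_t)si->si_addr;

    (void)ctx;
    if (si->si_code == BUS_MCEERR_AO &&
        a >= (uintptr_t)cache && a < (uintptr_t)cache + cache_len) {
        bad_addr = si->si_addr;
        pending = 1;
        return;
    }
    signal(sig, SIG_DFL);
    raise(sig);
}

/* Map the cache, fill it with a marker byte and install the handler. */
int setup_cache(size_t pages)
{
    struct sigaction sa;

    cache_len = pages * (size_t)sysconf(_SC_PAGESIZE);
    cache = mmap(NULL, cache_len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (cache == MAP_FAILED)
        return -1;
    memset(cache, 0xAB, cache_len);
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigbus;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGBUS, &sa, NULL);
}

/* Main-loop side: map a fresh zero page over the poisoned one and return its
 * offset in the cache so the caller can refill it. -1 means nothing pending,
 * -2 means the replacement mapping failed. */
long drop_poisoned_page(void)
{
    uintptr_t psz = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t page;

    if (!pending)
        return -1;
    pending = 0;
    page = (uintptr_t)bad_addr & ~(psz - 1);
    if (mmap((void *)page, (size_t)psz, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)
        return -2;
    return (long)(page - (uintptr_t)cache);
}

/* Constructed event: hand the handler the siginfo a report for a byte in
 * cache page n would carry, then run the main-loop step. */
long simulate_poison(size_t n)
{
    siginfo_t si;

    memset(&si, 0, sizeof si);
    si.si_signo = SIGBUS;
    si.si_code = BUS_MCEERR_AO;
    si.si_addr = cache + n * (size_t)sysconf(_SC_PAGESIZE) + 123;
    on_sigbus(SIGBUS, &si, NULL);
    return drop_poisoned_page();
}

int main(void)
{
    if (setup_cache(4) != 0)
        return 1;
    printf("refill needed at cache offset %ld\n", simulate_poison(2));
    return 0;
}
```

Only data that can be rebuilt from another source should be handled this way; a process holding the sole copy of the page contents has nothing to refill it from.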
An HWPOISON patch git repository is available at
git://git.kernel.org/pub/scm/linux/kernel/git/ak/linux-mce-2.6.git hwpoison
Since faulty hardware that supports data poisoning is not easy to come by, a fault injection test harness mm/hwpoison-inject.c has also been developed. This simple harness uses debugfs to allow failures at an arbitrary page to be injected.
While HWPOISON was developed for x86-based machines, interest has been expressed by supporters of other Linux server architectures, such as ia64 and sparc (discussed here). Thus, the patch may proliferate on future Linux server distributions, allowing users of future Linux servers to enjoy increased fault tolerance. Now that Intel is supporting MCA Recovery on x86 machines, some desktop users may also enjoy its benefits in the near future.
Page editor: Jonathan Corbet
Distributions
News and Editorials
Test driving pre-releases of Ubuntu and openSUSE
In this article we will look at pre-releases of Ubuntu and openSUSE. The latest versions at the time were Ubuntu 9.10 Alpha 4 and openSUSE 11.2 Milestone 6. We will look at the planned features and see how each one is stacking up.
Ubuntu Karmic Alpha 4
Back in February, Mark Shuttleworth announced Karmic Koala and revealed the plans for an even speedier boot process, a new look, and new applications for cloud computing. "During the Karmic cycle we want to make it easy to deploy applications into the cloud, with ready-to-run appliances or by quickly assembling a custom image." Since then the blueprints for Karmic have been updated with the plans for new features.
So far Alpha 4 looks much the same as 9.04, with minor changes in the GDM login screen and a new default wallpaper. According to the release schedule, the artwork deadline won't be until September 24, 2009, so while the Karmic incoming artwork page shows a lot of activity, we'll have to wait to see the final choices for the new appearance.
Alpha 4 enables GRUB 2 by default for new installations. Overall, testing this new feature was painless. The boot loader found and listed all operating systems on the test machine, just like GRUB 1 did. The setup on the test machine is plain, however, without LVM or password protection, which is noted not to work in the Alpha 4 release announcement. For more detailed information please refer to the GRUB 2 testing wiki page, which contains the results of the community testing.
Ubuntu 9.10 targets the 2.6.31 Linux kernel, so the current alpha ships a kernel based on 2.6.31-rc5. HAL deprecation, which started in Alpha 1, moves storage device and hotkey handling over to the DeviceKit subsystem. Again, the transition went relatively smoothly, since the hotkeys and disks were managed almost as well as in 9.04. The wireless key now switches on wifi and bluetooth together.
The Intel video driver architecture is being moved from EXA to UXA during the Karmic release cycle, which should solve the performance regressions in Jaunty. Unfortunately, the test machine we used is based on Nvidia graphics, so we couldn't test this. According to this Phoronix article, the problem wasn't solved in Alpha 3:
Ext4 is now the default filesystem for new installations. This gives a performance boost to Karmic, at least my system seemed faster than it did using 9.04 on ext3 partitions.
Like Alpha 3, Alpha 4 ships GNOME 2.27.4, which introduced a default instant messaging application transition from Pidgin to Empathy. It seems that Ubuntu developers were thinking only about the technical benefits, since there is no tool for account and data migration. Other Ubuntu applications are shipped with new versions, like OpenOffice 3.1.1 RC1 and Firefox 3.5.2. Ubuntu One, Canonical's cloud computing storage service, is enabled by default during Karmic development, providing the company's service out of the box. That's not all: Alpha 4 introduces Karmic Amazon EC2 test images, as mentioned in the original announcement.
Over in Kubuntu land, KDE 4.3 is still being integrated into Alpha 4. This release continues Kubuntu's Netbook effort, with the Plasma Netbook shell addition. Netbook shell is planned for Kubuntu 4.4, but thanks to the cooperation between Kubuntu and KDE developers, it is planned to be integrated in Karmic. The Kubuntu Netbook Remix is very nice, stable and fast, with some interesting ideas and concepts. At the same time, this effort depends on the Intel video driver subsystem progress. A full list of new features in the latest Kubuntu Alpha is available here.
Ubuntu Alpha 4 is an interesting release. Fresh software, GRUB 2, Ext4, Empathy and Ubuntu One by default, and the Kubuntu Netbook remix are some of the new features already implemented. We will have to wait for the beta release to see the new look, even faster boot times and GRUB 2 optimizations. The performance improvements we experienced during the test are mostly related to the filesystem speed up and the SQLite performance regression that was solved in the latest kernel releases.
openSUSE 11.2 Milestone 6
The latest openSUSE 11.2 milestone was released just after two important announcements. It was decided that KDE would be the default desktop in 11.2 and newer releases, as proposed in openSUSE's openFATE feature tracking system. Also openSUSE 11.2 and beyond will be supported 18 months after the release (2 release cycles plus 2 months). Previous releases received updates for 24 months.
According to the roadmap, features were frozen at Milestone 5. Patches for software on the DVD will still be accepted during Milestone 6, but this pre-release is feature complete. From here on it's bug fixes and some spit and polish.
All the planned features were working during the installation process. OpenSUSE has finished its ext4 transition, marking it as a default for new installations. A new partition interface is there too. 11.2 will be based on the 2.6.31 kernel, so Milestone 6 uses the 2.6.31-rc6 "desktop flavor." Milestone 5 introduced the desktop kernel flavor by default, optimized for desktop and laptop machines.
The first testing steps in the freshly-installed Milestone 6 system revealed a bug. For some reason, KnetworkManager failed to connect to the wireless network, without any error or notification. I eventually used the terminal to connect to the internet. Ubuntu accomplished this task flawlessly.
The new YaST QT4 interface was speedy and well organized, and showed improved package and repository management. The package management system distribution upgrade feature (like Debian's dist/full-upgrade) will be supported officially from 11.2 and on.
11.2 ships with KDE 4.3, which provided a smooth, fast and elegant desktop experience. The new default desktop theme is Air. The GNOME desktop is also shipped with a new appearance, named Sonar. GNOME 2.28 is targeted for 11.2, so v2.27 ships with Milestone 6. The latest versions of other popular programs are on the DVD and live ISOs, including Firefox 3.5 and OpenOffice 3.1. There is also social networking support on the desktop in the form of a microblogging plasmoid and applications including Kopete and Pidgin, Facebook support, KDE Twitter and the Identica client Choqok. GIMP is available on the KDE live CD, showing an effort toward integrating GTK applications in KDE4. OpenOffice comes with the KDE4 theme and file choosing dialogs, and Firefox is shipped with the Oxygen theme.
Nearly all of the planned features for 11.2 are present and working, so Milestone 6 is quite close to what the final 11.2 will look like, which is promising overall. YaST seems to be faster than it was in the past, desktops and applications run faster thanks to ext4 and improvements in the new releases. The only problem we had was the previously mentioned connectivity issue. According to the 11.2 roadmap, the remaining milestones and release candidates will focus on bug squashing, polishing and localization. The final release is expected in November so openSUSE 11.2 should be a very good release indeed.
New Releases
CentOS-4.8 released
The long-awaited CentOS 4.8 release is available. "This release corresponds to the upstream vendor U8 release. Also released in the updates repository for CentOS-4.8 are all updates through August 20th, 2009."
Fedora 12 Alpha released
The Fedora 12 alpha release is out. There's a lot of stuff in this release; see the announcement for the list. "Automatic Bug Reporting Tool - This release provides ABRT, a service that automatically reports application crashed to Fedora, without requiring the end user to have any special knowledge on error reporting."
Mandriva Linux 2010 beta version is available
Mandriva has announced the release of Mandriva Linux 2010 Beta for 32 and 64 bit systems. "These isos are hybrid isos which means you can dump it on an USB key to install it. Use Mandriva-seeds, it's as easy as a click! This beta version comes with many major updates and new exciting stuff..."
Moblin v2.0 beta refresh for netbooks
A refresh of the Moblin v2.0 beta for Netbooks is available for download and testing. There are no new features, just lots of bug fixes and tweaks.
openSUSE 11.2 Milestone 6 Released
The openSUSE Project has announced that openSUSE 11.2 Milestone 6 (M6) is available. This release includes new packages on the GNOME and KDE live CDs, Python 3.1, and Linux kernel 2.6.31-rc6.
Distribution News
Debian GNU/Linux
Bits from the release team: Release goals, schedule, state of the union
In these bits from the Debian release team you can find out more about Release Goals, Release planning, Release state, and Release preparations. "The current state of unstable and testing isn't very good and we would like to change this with your help."
Mini-DebConf in Taiwan
There will be a mini-DebConf in Taiwan at ICOS (International Conference on Open Source) in Taipei, Taiwan; September 26-27, 2009. (Thanks to Paul Wise)
Mandriva Linux
Noteworthy Mandriva Cooker changes
Frederik Himpe takes a look at some recent changes in Mandriva Cooker. "Mandriva's boot splash is now provided by Plymouth, the same technology used by Fedora. Together with kernel mode setting (currently enabled for Intel graphics chipsets in the standard Mandriva kernel), this will provide a high resolution boot splash and high resolution virtual consoles and seamless switching between virtual consoles and X."
SUSE Linux and openSUSE
openSUSE to default to KDE
openSUSE board chair Michael Löffler has announced that openSUSE will be defaulting to the KDE desktop starting with openSUSE 11.2. LWN looked at the discussion two weeks ago, and now a decision has been made. "We want to make clear that both desktops are considered equal citizens within the openSUSE Project, and this will not have any impact on the quality of the GNOME desktop within openSUSE. GNOME will continue to be offered as a top-level installation choice, and we will continue to strive to provide the best GNOME and KDE desktop experience."
Ubuntu family
Minutes from the Ubuntu Technical Board meeting
The minutes from the August 25, 2009 meeting of the Ubuntu Technical Board are available. Topics include a Review of outstanding actions, Developer Membership Board, Archive reorganisation, Check up on community bugs, Drivers for Ubuntu, and Base-2 prefix names.
Distribution Newsletters
DistroWatch Weekly, Issue 317
The DistroWatch Weekly for August 24, 2009 is out. "Despite the ever increasing power of modern computer hardware, lightweight distributions designed for older or underpowered systems continue to flourish. One of them, Puppy Linux, has become a rather popular choice in recent years, mainly due to its optimised performance and careful choice of integrated applications. This week's issue of DistroWatch weekly takes a look at the latest release of Puppy Linux, version 4.2.1. In the news section, the openSUSE project has decided to return to its roots and make KDE the default desktop on its installation media once again, Novell continues to promote SUSE Studio as the best tool for creating custom Linux-based appliances, Mandriva integrates Plymouth into its boot process and removes all traces of KDE 3 from its distribution, and Sabayon Linux launches the first development build of its upcoming 5.0 release in the form of an internal test. Finally, take a critical look at the updated layout of our distribution pages - as always, any feedback and suggestions are most welcome! Happy reading!"
Fedora Weekly News 190
The Fedora Weekly News for August 23, 2009 is out. "This issue kicks off with an announcement of the next FUDCon, to be held in Toronto, Canada, in early December, along with update on the Fedora 12 release schedule. In Marketing news, Fedora Insight will be launched along with the Fedora 12 beta timeframe, and a test version of zikula is now available. Highlights from the most recent Test day and Fit and Finish meeting, along with much detail on work towards Fedora 12 is covered in the Quality Assurance beat. In Translation news, updates from the Fedora Localization Project, including new FLP members, freeze break requests for comps and initscripts, as well as updated Fedora 12 translation schedule. In Art/Design news, coverage of recent discussion on design schedule, generally speaking. Also news of a new icon artist who has joined the Design team. Our issue rounds out with virtualization news, with updates on Fedora virtualization for Fedora 12, and also detail on recent discussion regarding the Dom0 kernel under Xen on Fedora 11. We hope you enjoy this issue of FWN!"
OpenMoko Community Updates
The OpenMoko Community Updates for August 19, 2009 covers Qalee, VisualBoyAdvance 1.7.2, PISI 0.4, and much more.
OpenSUSE Weekly News/85
This issue of the OpenSUSE Weekly News covers Change in Maintenance for openSUSE 11.2 and Future Versions, Joe Brockmeier: OpenSource World, Ian MacGregor: Finding files on the command line, Lydia Pintscher: Social Media Guide for free Software Projects, ITManagement/Bruce Byfield: OpenOffice.org and the 'Ribbons' Interface Brouhaha, and more.
Ubuntu Weekly Newsletter #156
The Ubuntu Weekly Newsletter for August 22, 2009 is out. "In this issue we cover: Ubuntu Developer Week, Karmic UNR packages now open for translation, Another reason to become an Official Ubuntu Member, Next Ubuntu Global Jam, Free Art of Community Book for Approved LoCo teams, Ubuntu Arizona Team Installfest, Launchpad screencasts, Ubuntu Forums Community Interview, Computers without internet are no fun, One Hundred Paper Cuts Round 7, Support the Ubuntu Global Jam, and much, much more!"
Distribution reviews
Fedora 12 Alpha to bring many Linux desktop improvements (Phoronix)
Phoronix has posted a short review of Fedora 12 Alpha. "Like all Fedora releases, Fedora 12 will contain a number of new (mostly updated) upstream packages from KDE 4.3 to GNOME 2.28 on the desktop to the Linux 2.6.31 kernel underneath. Fedora 12 will also be shipping with all of the latest X bits, which by the time of its release come in November, hopefully will mean an official X.Org 7.5 / X Server 1.7 build, but for the Fedora 12 Alpha there are already development snapshots in place of the major components."
Page editor: Rebecca Sobol
Development
A look at Robot OS
Robot OS (or ROS) is described as: "an open-source, meta-operating system for your robot. It provides the services you would expect from an operating system, including hardware abstraction, low-level device control, implementation of commonly-used functionality, message-passing between processes, and package management." It also provides tools and libraries for software development, along with some applications that should be common to all robots.
There has not been much collaboration in the robot world, according to this New Scientist article:
ROS got its start as an open source project developed by Willow Garage and Stanford University. Now Willow Garage is focusing on ROS and has started the ROS wiki to further collaborative efforts among other robot developers. ROS is all about reusing code as much as possible among robots. While ROS is implemented in Python and C++, there are also experimental libraries written in Lisp, Octave and Java. ROS is a developer framework but people using other developer frameworks can use ROS libraries and package repositories. In fact, ROS has been integrated with other robot software frameworks such as Player and Orca.
The Robot OS Concepts document explains how the project is organized. "ROS has three levels of concepts: the Filesystem level, the Computation Graph level, and the Community level." The Filesystem level contains the resources that are stored on disk. "The Computation Graph is the peer-to-peer network of ROS processes that are processing data together. The basic Computation Graph concepts of ROS are Nodes, Master, Parameter Server, Messages, Services, Topics, and Bags, all of which provide data to the Graph in different ways." The ROS Community level includes the online Wiki, the code repository and other networked resources.
ROS code can be installed on a variety of Linux distributions including Debian, Ubuntu, Fedora and Arch. There is also an experimental Mac OS X port. After installing the ROS packages the developer can use the rosconfig tool to install a configuration of ROS on their machine. The ROS configuration can also be shared on multiple machines.
The rosconfig documentation explains the utility:
Robot OS includes an extensive package list that includes documented development tools, libraries, drivers and applications. In some ways ROS may be thought of as both a software development kit and an "app store". The ROS wiki also includes developer documentation and tutorials. For additional information you can also join the ROS users mailing list or browse the archives. Bugs in the core software or feature requests can be filed on the ROS bug tracker.
If the robotics community can come together around ROS, it will allow developers to improve and perfect the common robotics functions instead of simply reinventing them. New and interesting robotics innovations should come about as developers build higher level software on top of the underlying platform.
On properly packaging perl
The perl5-porters recently saw a rather acrimonious discussion on how the Red Hat and Fedora distributions choose to package the Perl language and associated modules. Things have calmed down (the parties have essentially agreed to disagree), but an interesting issue remains: what can development projects do if they're unhappy with how distributors are treating their code?
When Tom Christiansen gets irritated with somebody, one can generally be assured that they will know about it. In this case, Tom let the world know that he was not happy with the way Red Hat packages and distributes Perl. The complaint is that, if one installs "perl," one does not get the entire Perl 5.10 distribution. Tom says:
As it happens, it is possible to get the entire 5.10 distribution; one simply needs to install "perl-core" instead of plain "perl." Tom asserts that this arrangement is confusing; "perl-core" should not be a superset of "perl"; the package called simply "perl" (which is what most users will install) should be the thing that the Perl developers shipped. He says that Red Hat's arrangement causes confusion, with users not knowing if they actually have "Perl" or not.
Beyond that, it goes against the developers' intent, which included providing users with all the basic modules they needed from the outset. Many users, it seems, will not (or cannot) add extension modules to their systems; the Perl developers tried to ensure that these users would have a minimally-functioning system available to them. But, alas:
Tom "spot" Callaway explained Red Hat's packaging decisions:
Tom says that the package naming could be changed, but that would have a number of unfortunate effects on users. That said, there are some possibilities for improving the situation, but the best course is not entirely clear. Tom Christiansen was not completely happy with the explanation, but he also seemed to understand the pressures which led to Red Hat's way of doing things.
In the near term, it looks like things will not be changing a whole
lot; see this comment for details. But
we're likely to see this kind of debate come back in the future. Distributors
serve as a sort of middleman, tweaking and refining upstream packages in
ways which they think improve things - either for their users or for themselves.
Distributor changes can include splitting up the package (as with Perl),
removing user-unfriendly messages (as has happened with cdrtools), making
the software more consistent with the rest of the distribution, fixing
security problems, removing software seen as legally problematic, and so
on. It's part of what distributors do, and users generally appreciate the
effort.
Upstream developers are harder to convince; they have released the software in the form that they think is best, so it can be discouraging to see others messing with it. Most developers suffer in stoic silence, taking comfort in the fact that their software is finding a wider audience. But others have taken various types of action in an attempt to influence how distributors treat their code.
Consider some examples. The kernel developers changed their release process dramatically with the (successful) goal of reducing the number of patches applied by distributors. Some developers do their own packaging. Jeff Waugh has suggested that much of the packaging role of distributions could be "disintermediated" entirely, with users routinely getting their software directly from its developers. Jörg Schilling inserted (widely ignored) statements into his code stating the alteration of some parts of the program would be a copyright violation. Firefox makes aggressive use of its trademarks to control the changes made by distributors. Daniel Bernstein took things to a (non-free) extreme, only allowing qmail to be distributed if it had not been modified at all; this restriction inhibited qmail development for years until the code was finally released into the public domain.
In the end, releasing code under a free license means giving up control over what is done with it. So free software developers will always be at the mercy of distributors, who will always have the right to make the changes they think are necessary. The occasional grumble notwithstanding, the system works pretty well; all of the parties involved share an interest in having the software work as well as possible for their users.
System Applications
Audio Projects
Rivendell 1.5.2 released
Version 1.5.2 of the Rivendell radio station automation system has been announced. "This is a maintenance release of Rivendell. The following issues have been corrected: Fixed problems with build the Rivendell Pluggable Authentication Module (PAM) plug-in. Fixed problems with hard-start events in RDAirPlay. Added checks in rddbcheck(8) to verify cart/cut/audio consistency. Fixed a regression that caused audio exports to fail when the path contained one or more spaces."
Database Software
Benetl 3.0 released
Version 3.0 of Benetl, an ETL tool for files using postgreSQL and MySQL, has been announced. "This new version is correcting several bugs: - a bug with entities groups names - a bug (since 2.7) with creation script - a bug in labels for connection trouble".
MySQL Community Server 5.0.85 released
Version 5.0.85 of MySQL Community Server has been announced; it includes numerous bug fixes. "MySQL Community Server 5.0.85, a new version of the popular Open Source Database Management System, has been released. This and future releases in the MySQL Community Server 5.0 series share version numbers with their MySQL Enterprise Server counterparts."
PostgreSQL 8.5alpha1 released
The PostgreSQL project is trying something new by releasing 8.5alpha1 - the first alpha release they have ever done. "We've started doing alpha releases on the 'release early, release often' principle, so that our advanced users will try new features and new code as early as possible and get back to us with adjustments and problems. These alphas are not stable and should never be used in production; they are for developers to try new features only." See the release notes for information on what will be in 8.5.
PostgreSQL Weekly News
The August 23, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Embedded Systems
BusyBox 1.15.0 (unstable) released
Unstable version 1.15.0 of BusyBox, a collection of command line utilities for embedded systems, is out. "Changes since previous release: New applets: * beep: new applet by Bernhard * dnsdomainname: new applet - the alias to "hostname -d" * flash_lock, flash_unlock: new applets by Thierry Reding (thierry.reding AT avionic-design.de) * ifplugd: new applet by Maksym Kryzhanovskyy (xmaks AT email.cz) * scriptreplay: new applet * volname: new applet".
Web Site Development
Django 0.96.5 released
Version 0.96.5 of the Django web development platform has been announced. "The recent security-oriented releases of Django included what was intended to be the final supported release in the Django 0.96 series. However, an issue was discovered with the patch applied to the 0.96 release branch; a portion of the updated code was not correctly applied, and as a result the runserver command no longer functioned at all. To remedy this, tonight we have issued Django 0.96.5, which includes the full corrected code."
luban 0.2a1 released
Version 0.2a1 of luban has been announced. "The luban package is a python-based, cross-platform user interface builder. It provides UI developers a generic language to describe the user interface, and then render that description as web or native interfaces."
Desktop Applications
Audio Applications
Ardour Shortcut Cheatsheets available
The first edition of the Ardour Shortcut Cheatsheets has been announced. "I'm happy to release an initial version of the Ardour shortcut cheatsheet - a handy 2-sided tri-fold guide to almost every shortcut in Ardour. There is one version for X Window (Linux, FreeBSD, etc) and another for OS X (reflecting different conventions about modifier keys in both systems.) These cheatsheets will hopefully convey a lot of Ardour's power that is generally hidden to most users."
Data Visualization
Python cgkit 2.0.0 alpha 9 released
Version 2.0.0 alpha 9 of Python cgkit has been announced; it includes new capabilities and bug fixes. "The Python Computer Graphics Kit is a collection of utilities and Python modules that simplify working with 3D data of any kind. The provided functionality can be used in domains such as scientific visualization, Virtual Reality, VFX, animation or even games. Currently, the package is implemented in Python and C++ where the C++ part is wrapped and made available in Python."
Desktop Environments
GNOME 2.28.0 beta 2 (2.27.91) released
Version 2.28.0 beta 2 of the GNOME desktop has been announced. "This is the seventh development release, and the second beta, towards our 2.28 release that will happen in September 2009. By now most things are in place, and your mission is easy: Go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it. With this release we are now string frozen".
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Accerciser 1.7.91 (bug fix and translation work)
- at-spi 1.27.91 (bug fixes and translation work)
- Brasero 2.27.91 (new features, bug fixes and translation work)
- Cheese 2.27.91 (new features, bug fixes and translation work)
- couchdb-glib 0.4.4 (new features)
- couchdb-glib 0.4.5 (new features)
- Deskbar-Applet 2.27.91 (bug fixes and translation work)
- Empathy 2.27.91 (new features, bug fixes, documentation and translation work)
- Empathy 2.27.91.1 (bug fixes)
- EOG Plugins 2.27.91 (new features)
- Eye of GNOME 2.27.91 (bug fixes and translation work)
- F-Spot 0.6.1.0 (bug fixes)
- Flickr Remote Organizer for GNOME 0.1.1 (initial release)
- gbrainy 1.12 (bug fixes and translation work)
- GCalctool 5.27.91 (documentation and translation work)
- GDM2 2.27.90 (new features, bug fixes and documentation work)
- gjs 0.4 (new features and bug fixes)
- GLib 2.21.5 (new features, bug fixes and translation work)
- glibmm 2.21.4 (bug fix and translation work)
- gnome-applets 2.27.91 (bug fixes and translation work)
- gnome-control-center 2.27.91 (new features, bug fixes and translation work)
- GNOME DVB Daemon 0.1.9 (bug fixes)
- GNOME PackageKit 2.27.91 (new features, bug fixes and translation work)
- GNOME Power Manager 2.27.91 (bug fixes and translation work)
- gnome-settings-daemon 2.27.91 (new features and translation work)
- gnome-system-tools 2.27.3 (new features, bug fixes and translation work)
- gobject-introspection 0.6.4 (new features and bug fixes)
- GOK 2.27.91 (bug fixes and translation work)
- gstreamermm-0.10.3 (new features and bug fixes)
- GTK+ 2.17.9 (new features, bug fixes and translation work)
- gtkmm 2.17.9 (new features and bug fixes)
- gtranslator 1.9.6 (bug fixes and translation work)
- Lasem 0.1.2 (new features and bug fixes)
- libchamplain 0.3.91 (bug fixes)
- Libgda 4.0.3 (bug fixes and documentation work)
- Libgda 4.1.1 (new features, bug fixes and translation work)
- libgnomekbd 2.27.91 (bug fixes and translation work)
- librep 0.90.1 (new features and bug fixes)
- librep 0.90.2 (bug fixes)
- libsigc++ 2.2.4 (new feature and documentation work)
- libslab 2.27.91 (bug fixes and translation work)
- LibUnique 1.1.2 (new features and build improvements)
- libvtemm-1.2 0.20.4 (bug fixes and documentation work)
- Mistelix 0.30 (new features and bug fixes)
- mm-common 0.6.1 (documentation work)
- mousetweaks 2.27.91 (new feature and translation work)
- Orca 2.27.91 (bug fixes and translation work)
- PDF Mod 0.6 (new features and bug fixes)
- PyGTK 2.16.0 (new features, bug fixes and documentation work)
- rhythmbox 0.12.4 (new features, bug fixes and translation work)
- Sabayon 2.27.91 (bug fixes and translation work)
- Smuxi 0.6.4 (new features, bug fixes and translation work)
- Tomboy 0.15.6 (bug fixes and translation work)
Simon - speech activated user interface for KDE (KDE.News)
KDE.News has a look at simon, which is a speech-activated interface for KDE. It looks like an interesting project, but, unfortunately, may suffer from some licensing snags: "HTK, the toolkit responsible for the HMM [Hidden Markov Model] evaluation is distributed under GPL-incompatible, restrictive license that prevents redistribution. In order to install simon, one must separately download HTK from their website which requires registration. The source is available, and they encourage you to modify and contribute to it, but it cannot be redistributed. [...] Additionally, Julius, used for the voice recognition has an attribution clause which causes problems with the GPL in a way that is reminiscent of the old-style BSD license (the one with the advertising clause). Any research conducted with simon would thereby require a reference to the Julius authors in the bibliography."
KDE Software Announcements
The following new KDE software has been announced this week:
- 2ManDVD 0.9.6 (bug fixes)
- 2ManDVD 0.9.7 (bug fixes)
- AutoKey 0.60.3 (unspecified)
- cpdu 0.3.82b (new feature)
- FlashQard 0.14.0 (new features and bug fixes)
- KMyMoney 1.0.0 (stable release)
- KPS 0.9.2 (KDE 4.2 support)
- KrcStat 0.6 (KDE 4 support)
- KRepton 4.1 (new features and bug fixes)
- KryoMol 0.6.7 (new features and bug fix)
- OpenOffice.org Thumbnail plugin 0.0.1 (initial release)
- QTads 1.8 (bug fixes)
- Qwit 1.0-alpha (new features)
- rekonq Web Browser 0.2.0 (new features and bug fixes)
- Simutrans Starter 2 1.99.5 (new features and translation work)
- SMILE 0.9.11 (new features and bug fixes)
- SMILE 0.9.12 (new features and bug fixes)
- Wally 2.1.0 (new features and bug fixes)
Xorg Software Announcements
The following new Xorg software has been announced this week:
- inputproto 1.9.99.902 (code cleanup and documentation work)
- libXi 1.2.99.4 (code cleanup and documentation work)
- libXScrnSaver 1.2.0 (bug fixes and documentation work)
- libXtst 1.0.99.2 (bug fixes and code cleanup)
- recordproto 1.13.99.1 (packaging changes)
- resourceproto 1.1.0 (packaging changes)
- scrnsaverproto 1.2.0 (packaging changes)
- xcb-util 0.3.6 (new features and bug fixes)
- xextproto 7.1.1 (bug fix)
- xf86-input-evdev 2.2.5 (bug fix)
- xf86-video-intel 2.8.1 (bug fixes)
- xorg-server 1.6.3.901 (bug fixes)
Desktop Publishing
LyX 1.6.4 released
Version 1.6.4 of LyX, a GUI front-end to the TeX typesetter, has been announced. "This is the fourth maintenance release in the 1.6.x series. This release covers, amongst many minor improvements, fixes to some rather severe issues".
Financial Applications
KMyMoney 1.0 released
The long-awaited KMyMoney 1.0 release is out. "Over 2 years of development have resulted in the addition of budgets, a forecast feature, many new reports, report charts, a complete redesign of the import feature, which allows for a much easier migration from other application and a swifter synchronization with online banking." This release was reviewed in the August 20 LWN Weekly Edition.
Graphics
pycairo release 1.8.8 is available
Version 1.8.8 of pycairo, a set of Python bindings for the Cairo multi-platform 2D graphics library, has been announced. "General Changes: Pycairo 1.8.8 requires cairo 1.8.8 (or later). Move from CVS to git. Add support for the waf build tool. Updated methods The PDF/PS/SVGSurface constructors now accept None as a filename."
Interoperability
Wine 1.1.28 announced
Version 1.1.28 of Wine has been announced. Changes include: "- Support for IRDA protocol. - Faster initial wineprefix creation. - Axis remapping with evdev joysticks. - More image formats in WindowsCodecs. - Various bug fixes."
Music Applications
Simple Sysexxer 0.2 beta released
Version 0.2 beta of Simple Sysexxer, a MIDI utility, has been announced. "I have completely rewritten Simple Sysexxer. As I need feedback how it copes with various MIDI devices, here's a first public beta release."
Miscellaneous
Transifex 0.7 released
Version 0.7 of Transifex has been announced; it includes new features and bug fixes. "Indifex and the Transifex Community are proud to announce the newest version of their flagship Open Translation Platform, Transifex 0.7 codenamed "Pyro". Transifex is a web application that gives translators a simple yet featureful web interface to manage translations for multiple remotely-hosted projects. Files to be translated can be translated straight from the user's browser or retrieved for offline translation, and various translation statistics can be read at a glance."
Languages and Tools
Assembly Language
Linux_Logo in assembly language 0.40 released
Vince Weaver has released version 0.40 of his Linux_Logo in assembly language. "This is a port of my linux_logo program to use raw assembly language. By using assembly and syscalls, you can have extremely fast and small binaries that don't use libc at all! So far I have 6502, 8086, alpha, arm, arm_thumb, avr32, crisv32, ia64, m68k, m88k, microblaze, mips, parisc, pdp-11, ppc, s390, sh3, sparc, vax, x86, x86_64, and z80 versions."
C
GCC 4.4.2 Status Report
The August 20, 2009 edition of the GCC 4.4.2 Status Report has been published. "The 4.4 branch is open for commits under the usual release branch rules. The timing of the 4.4.2 release (at least two months after the 4.4.1 release, at a point when there are no P1 regressions open for the branch) has yet to be determined."
GCC 4.5.0 Status Report
The August 23, 2009 edition of the GCC 4.5.0 Status Report has been published. "The trunk is in Stage 1. As previously stated, we expect that Stage 1 will last through at least the end of August. In my opinion, the single hardest issue we face with respect to 4.5 is how to handle the VTA branch. I've consulted with various people who have a lot of experience with GCC and the opinions on this work seem to be quite mixed. I've looked at the branch myself and can't seem to form a firm opinion. The problem it's setting out to solve is definitely important, but the scope of this particular solution frightens me. On the other hand, I can't see a viable better solution. So, I'd be very interested in further comments on this topic."
Caml
Caml Weekly News
The August 25, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.
Perl
Perl 5.10.1 is released
Version 5.10.1 of Perl has been announced. For change information, see the Use Perl RC2 release announcement.
Rakudo Perl 6 development release #20 (use Perl)
use Perl has published the announcement for Rakudo Perl 6 development release #20, an implementation of Perl 6 on the Parrot Virtual Machine. "Beginning with this release, Rakudo Perl builds from an "installed Parrot" instead of using Parrot's build tree. This release of Rakudo requires Parrot 1.5.0. For the latest information on building and using Rakudo Perl, see the README file section titled "Building and invoking Rakudo"."
Python
pyxser 1.2r released
Version 1.2r of pyxser has been announced; the main change is support for encoded serialization of Unicode strings. "I'm pleased to announce pyxser-1.2r, a Python-Object to XML serializer and deserializer. This module package it's completely written in C and licensed under LGPLv3."
Python-URL! - weekly Python news and links
The August 23, 2009 edition of the Python-URL! is online with a new collection of Python article links.
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The August 19, 2009 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Debuggers
Valgrind 3.5.0 is available
Version 3.5.0 of Valgrind has been announced. "Valgrind is an open-source suite of simulation based debugging and profiling tools. With the tools that come with Valgrind, you can detect many memory management and threading bugs. You can also perform detailed time and space profiling to help speed up and slim down your programs. 3.5.0 is a feature release with many significant improvements and the usual collection of bug fixes."
IDEs
Pydev 1.4.8 released
Version 1.4.8 of Pydev and Pydev Extensions have been announced; changes include new features and bug fixes. "PyDev is a plugin that enables users to use Eclipse for Python, Jython and Iron Python development -- making Eclipse a first class Python IDE -- It comes with many goodies such as code completion, syntax highlighting, syntax analysis, refactor, debug and many others."
Version Control
GIT 1.6.4.1 released
Version 1.6.4.1 of the GIT distributed version control system has been announced; it includes numerous bug fixes and documentation work.
Page editor: Forrest Cook
Linux in the news
Recommended Reading
40 years of Unix (BBC)
The BBC covers the history of Unix, which celebrates its 40th anniversary. "The computer world is notorious for its obsession with what is new - largely thanks to the relentless engine of Moore's Law that endlessly presents programmers with more powerful machines. Given such permanent change, anything that survives for more than one generation of processors deserves a nod. Think then what the Unix operating system deserves because in August 2009, it celebrates its 40th anniversary. And it has been in use every year of those four decades and today is getting more attention than ever before." (Thanks to Paul Sladen).
Linux Needs Open Multimedia on the Web (Linux Magazine)
Christopher Smart comments on the state of Linux and web media in a Linux Magazine article. "The situation on the Linux desktop is particularly horrible. Thanks to the lack of a free and open framework for multimedia, users need closed source applications and patent encumbered codecs to view content on the web. This is outrageous! Imagine if sending an email required a proprietary application which had to be compatible with the recipient's system? What if to view a plain HTML website one had to pay royalties? Imagine further that these were controlled by a single company. If such a world had existed in the past, then the Internet would not have become the useful medium that it is today. We must make sure this doesn't happen in the future."
The SCO Problem
SCO v. Novell appellate decision: $$ from Sun deal affirmed as Novell's; rest remanded for jury trial (Groklaw)
Groklaw has a report on SCO's appeal of the summary judgment for Novell. It was a partial victory for SCO, remanding the issue of the UNIX copyright ownership back to the court in Utah to be decided by a jury. "The issue was whether it is appropriate to decide matters on summary judgment, and this court thought the APA was complex enough and ambiguous enough that a jury trial is more appropriate. Here's the heart of it all: 'But so long as sufficient evidence could lead a rational trier of fact to resolve the dispute in favor of either party, granting either party's dueling motions for summary judgment would be inappropriate.'" It would seem that the bankruptcy trustee for SCO, who has not yet been appointed, will get to decide where things go from here, but we haven't heard the last of this case.
Companies
Updegrove: So What About Those XML Patents, Anyway?
Andy Updegrove writes about the XML patents owned by Microsoft and i4i. "As always, we come back to the usual elephant in the software bedroom. Do patents really do any good, or only harm in the marketplace? They didn't help little i4i much. Microsoft apparently destroyed its business despite its patent application, and i4i hasn't received a dime yet. Would i4i have launched its business around its technology even if it hadn't been able to get a patent? Of course it would have. Another new software company (if not more) makes a similar decision every day. Always has, and always will."
Analysis: How Moonlight 2.0 Fits into Novell's Linux and Open Source Plans (Linux.com)
Over at Linux.com, Todd R. Weiss analyzes Moonlight, looking at how it fits into Novell's (and Microsoft's) plans. "Creating an open source version of Silverlight became important to Novell two years ago, said Joseph Hill, Novell's product manager for the Mono and Moonlight 2.0 projects. That's when Microsoft announced that it would be using its .Net development environment to create Silverlight content, Hill said. That was important to Novell, he said, because millions of .Net developers were already out there and could then use Silverlight to add rich Web features. That scenario meant that Linux desktop users would ultimately be left in the cold because all of that .Net-created content wouldn't be optimized to give them the same rich experiences. And when Microsoft said it wouldn't build Silverlight and .Net tools for Linux, Novell worked out an arrangement with Microsoft to provide those pieces, by creating the Moonlight project."
Legal
Public Citizen: Federal court using scare tactics to block sharing of public records
Public Citizen looks at the response of the U.S. federal court system to the Firefox "RECAP" extension, which enables sharing of court documents. "Please be aware that RECAP is 'open-source' software, which means it can be freely obtained by anyone with Internet access and could possibly be modified for benign or malicious purposes. This raises the possibility that the software could be used for facilitating unauthorized access to restricted or sealed documents." Of course, the courts could nullify this "threat" by simply making public documents, well, public.
Interviews
On the PySide - interview (KDEDot)
Jos Poortvliet talks with Matti Airas about PySide. "I'm having the time of my life being able to work in Nokia's Maemo division, surrounded with top-notch talents and a can-do atmosphere. :-) I've been working with the PySide project from the very beginning and am now acting as a "liaison officer" between Nokia and INdT, helping them with the PyMaemo and PySide efforts. I've been a Linux user since, what, 1997 and have contributed to various FOSS projects. I did a PhD on speech processing (go figure!) before joining the Nokia Python team."
Reviews
64-bit Chrome takes centre stage in Linux land (The Register)
The Register takes a look at a 64-bit Linux port for the Chrome browser. "Google engineers have been beavering away at a 64-bit version of the company's Chrome browser for the Linux platform. According to Chrome developer Dean McNamee, Mountain View's V8 team has been tinkering with a Chromium Linux 64-bit for several weeks now. V8, in case you were wondering, is the web kingpin's JavaScript engine."
Introducing Guitarix (Linux Journal)
Dave Phillips takes a look at Guitarix. "According to its developers Guitarix is a monaural amplifier designed for creating the distorted sounds typical of thrash, heavy metal, blues, and other rock guitar styles. In fact, Guitarix is capable of much more than distortion sounds. In this article I'll remove the software speaker grill and pull out the virtual chassis to take a closer look at the sonic possibilities of this "simple mono amplifier"."
Health Check: Mono (The H)
Over at The H, there is a look at the Mono project, including its history and current status. "And much of the current controversy around de Icaza and Mono surrounds the adoption, or proposed adoption, of Mono as a framework for the rapid development of applications for GNOME, and the proprietorial nature of the technologies that Mono uses. The story is rife with irony, not least because .NET was Microsoft's attempt to undermine Java, and the free software movement had its own issues with the proprietorial nature of Java."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
FSF launches campaign against Microsoft and proprietary software
The Free Software Foundation has launched a public awareness campaign entitled Windows 7 Sins that protests against Microsoft and proprietary software. "The campaign outlines seven major areas where proprietary software in general and Microsoft Windows in particular hurt all computer users: invading privacy, poisoning education, locking users in, abusing standards, leveraging monopolistic behavior, enforcing Digital Restrictions Management (DRM), and threatening user security."
Become a GNOME Ambassador
The GNOME Press Team has been announced. "The GNOME Marketing team is pleased to announce the creation of the GNOME Press Team. The Press Team is a subset of the Marketing team, with a focus on tracking GNOME events worldwide, and communicating and engaging with journalists all over the world to help spread GNOME news."
Commercial announcements
Tuxera signs up with Microsoft
Tuxera, a company based around the NTFS-3G filesystem project, seems to have come up with a new line of business based on the recent FAT patent scare: they have signed a deal with Microsoft and are offering proprietary "exFAT" filesystem drivers for Linux. "As an open source company, we feel excited to sign an intellectual property agreement with Microsoft. They are a great partner, and I am confident that our agreements, and this collaboration, will ensure a bright future for file system interoperability and data portability that benefits device manufacturers and consumers alike."
Wing IDE 3.2 released
Wingware has announced the release of Wing IDE 3.2.0, a commercial Python IDE. Features include: "* Support for Python 3.0 and 3.1 * Rewritten version control integration with support for Subversion, CVS, Bazaar, git, Mercurial, and Perforce * Added 64-bit Debian, RPM, and tar file installers for Linux * File management in Project view * Auto-completion in the editor obtains completion data from live runtime when the debugger is active * Perspectives: Create and save named GUI layouts and optionally automatically transition when debugging is started * Improved support for Cython and Pyrex (*.pyx files) * Added key binding documentation to the manual * Added Restart Debugging item in Debug menu and tool bar".
New Books
O'Reilly publishes book excerpts
O'Reilly has published some new book excerpts: Benchmarking - Algorithms in a Nutshell, Epilogue - Algorithms in a Nutshell and An Incredibly Brief Introduction to Ruby - Learning Rails.
O'Reilly publishes Perl tutorials
O'Reilly has published the following new tutorials: The Eight-Minute XML Tutorial, The 10-Minute XPath Tutorial, The 10-Minute LDAP Tutorial, The 15-Minute SQL Tutorial, The Five-Minute RCS Tutorial, The Two-Minute VBScript-to-Perl Tutorial and The 20-Minute SNMP Tutorial. All are excerpts from the book Automating System Administration with Perl by David N. Blank-Edelman.
The CSS Anthology, Third Edition--New from SitePoint
SitePoint has published the book The CSS Anthology, Third Edition by Rachel Andrew.
Education and Certification
Linux Professional Institute events at LinuxCon
The Linux Professional Institute has announced its LinuxCon events. The conference takes place on September 21-23 in Portland, Oregon. "The Linux Professional Institute (LPI), the world's premier Linux certification organization, announced that they will offer LPI exams at the first annual LinuxCon on Monday, September 21, 2009 in Portland, Oregon. During LinuxCon LPI will also host a community consultation on their Linux certification program on Tuesday September 22, 2009."
Calls for Presentations
CONFidence 2009 cfp
A call for participation has gone out for CONFidence 2009; submissions are due by September 15. "Calling all practitioners in the field of IT security! The 6th edition of CONFIdence 2009 2.0, is taking place in Warsaw on November 19/20, 2009."
Upcoming Events
Libre Graphics Meeting 2010 in Brussels Announced
The 2010 Libre Graphics Meeting has been scheduled for May 26-29 in Brussels, Belgium. "The Libre Graphics Meeting exists to unite and accelerate the efforts behind Free, Libre and Open Source creative software. Since 2006, this annual meeting is the premiere conference for developers, users and supporters of projects such as GIMP, Inkscape, Blender, Krita, Scribus, Hugin, the Open Clipart Library, and the Open Font Library gather to work on interoperability, shared standards, and new ideas. Work at prior LGMs has pushed the state of the art in important areas such as color management, cross-application sharing of assets, and common formats."
Announcing the Ubuntu Global Jam
The Ubuntu Global Jam has been announced. "The Ubuntu Global Jam is an incredible opportunity for the Ubuntu community to unite together around the weekend of 2nd - 4th Oct 2009 to work together to improve Ubuntu. Everyone is able to contribute to the Jam, and everyone is welcome and encouraged to get involved. Curious about how to make a real difference to Ubuntu? This is a great chance to make that difference."
PyCon Argentina 2009
PyCon Argentina 2009 takes place in Buenos Aires, Argentina on September 4-5. "The first national Python conference in Argentina "PyCon Argentina 2009", also the first PyCon at a Spanish-speaking country, will be held on Buenos Aires next month. There are more than 30 programmed talks covering many different subjects, short lightning talks, and two special speakers: Collin Winter (Unladen Swallow) and Jacob Kaplan-Moss (Django)."
FSF to host a mini-summit on Women in Free Software
The Free Software Foundation (FSF) will be hosting a mini-summit on "Women in Free Software" on September 19. Participants will include Deborah Nicholson of the FSF, Stormy Peters of the GNOME Foundation, and Hillary Rettig, free software activist and author of The Lifelong Activist, along with a small group of other women to discuss how to increase and sustain participation by women in free software. "Historically, women have been underrepresented in the technology and free software communities, and despite recent increases in the adoption of free software, the situation has not significantly improved. Deborah Nicholson said, 'At the summit, we will discuss existing entry points, why women don't always feel invited, and when they do, why they don't always stay. Individual projects have found ways to make women welcome and we will look at some of these examples and discuss how to build on those successes. We will also identify new strategies and tactics to help create a balanced community.'"
Events: September 3, 2009 to November 2, 2009
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| August 31 - September 4 | Ubuntu Developer Week | Internet, Internet |
| September 1 - September 4 | JBoss World Chicago | Chicago, IL, USA |
| September 1 - September 4 | Red Hat Summit Chicago | Chicago, IL, USA |
| September 1 - September 5 | DrupalCon | Paris, France |
| September 4 - September 5 | PyCon 2009 Argentina | Buenos Aires, Argentina |
| September 7 - September 11 | XtreemOS summer school | Oxford, UK |
| September 7 - September 8 | FRHACK.ORG IT Security Conference | Besançon, France |
| September 8 - September 12 | DjangoCon '09 | Portland, OR, USA |
| September 10 - September 11 | Fedora Developer Conference 2009 | Brno, Czech Republic |
| September 12 | Evil Robot Conference (Free Conference, Free Software) | Raleigh, NC, USA |
| September 14 - September 18 | Django Bootcamp at the Big Nerd Ranch | Atlanta, Georgia, USA |
| September 15 - September 17 | International Conference on IT Security Incident Management and IT Forensics | Stuttgart, Germany |
| September 17 - September 18 | Internet Security Operations and Intelligence 7 | San Diego, CA, USA |
| September 17 - September 20 | openSUSE Conference | Nuremberg, Germany |
| September 18 - September 19 | BruCON | Brussels, Belgium |
| September 18 - September 20 | EuroBSDCon 2009 | Cambridge, UK |
| September 19 | Atlanta Linux Fest 2009 | Atlanta, Georgia, USA |
| September 19 | Beijing Perl Workshop | Beijing, China |
| September 19 | Software Freedom Day | Worldwide |
| September 20 | SELinux Developer Summit 2009 @ LinuxCon | Portland, Oregon, USA |
| September 21 - September 23 | LinuxCon 2009 | Portland, OR, USA |
| September 21 - September 25 | Ruby on Rails Bootcamp with Charles B. Quinn | Atlanta, USA |
| September 23 - September 25 | Linux Plumbers Conference | Portland, Oregon, USA |
| September 23 - September 25 | Recent Advances in Intrusion Detection | Saint-Malo, Brittany, France |
| September 23 - September 25 | OpenSolaris Developer Conference 2009 | Hamburg, Germany |
| September 23 | Bacula Conference 2009 | Cologne, Germany |
| September 24 - September 26 | Joomla! and Virtue Mart Day Germany | Bad Nauheim, Germany |
| September 25 - September 27 | International Conference on Open Source | Taipei, Taiwan |
| September 25 - September 27 | Ohio LinuxFest | Columbus, Ohio, USA |
| September 26 - September 27 | PyCon India 2009 | Bengaluru, India |
| September 26 | Open Source Conference 2009 Okinawa | Ginowan City, Okinawa, Japan |
| September 26 - September 27 | Mini-DebConf at ICOS | Taipei, Taiwan |
| September 28 - September 30 | Real time Linux workshop | Dresden, Germany |
| September 28 - September 30 | X Developers' Conference 2009 | Portland, OR, USA |
| September 28 - October 2 | Sixteenth Annual Tcl/Tk Conference (2009) | Portland, OR 97232, USA |
| September 30 | HCC!Linux Theme Day | Houten, Netherlands |
| October 1 - October 2 | Open World Forum | Paris, France |
| October 2 - October 4 | 7th International Conference on Scalable Vector Graphics | Mountain View, CA, USA |
| October 2 | LLVM Developers' Meeting | Cupertino, CA, USA |
| October 2 - October 4 | Linux Autumn (Jesien Linuksowa) 2009 | Huta Szklana, Poland |
| October 2 - October 4 | Ubuntu Global Jam | Online, Online |
| October 2 - October 3 | Open Source Developers Conference France | Paris, France |
| October 2 | Mozilla Public DevDay/Open Web Camp 2009 | Prague, Czech Republic |
| October 3 - October 4 | T-DOSE 2009 | Eindhoven, The Netherlands |
| October 3 - October 4 | EU MozCamp 2009 | Prague, Czech Republic |
| October 7 - October 9 | Jornadas Regionales de Software Libre | Santiago, Chile |
| October 8 - October 10 | Utah Open Source Conference | Salt Lake City, Utah, USA |
| October 9 - October 11 | Maemo Summit 2009 | Amsterdam, The Netherlands |
| October 10 - October 12 | Gnome Boston Summit | Cambridge, MA, USA |
| October 10 | OSDN Conference 2009 | Kiev, Ukraine |
| October 12 - October 14 | Qt Developer Days | Munich, Germany |
| October 15 - October 16 | Embedded Linux Conference Europe 2009 | Grenoble, France |
| October 16 - October 17 | Pycon Poland 2009 | Ustron, Poland |
| October 16 - October 18 | Pg Conference West 09 | Seattle, WA, USA |
| October 16 - October 18 | German Ubuntu conference | Göttingen, Germany |
| October 18 - October 20 | 2009 Kernel Summit | Tokyo, Japan |
| October 19 - October 22 | ZendCon 2009 | San Jose, CA, USA |
| October 21 - October 23 | Japan Linux Symposium | Tokyo, Japan |
| October 22 - October 24 | Décimo Encuentro Linux 2009 | Valparaiso, Chile |
| October 23 - October 24 | Ontario GNU Linux Fest | Toronto, Ontario, Canada |
| October 23 - October 24 | PGCon Brazil 2009 | Sao Paulo, Brazil |
| October 24 - October 25 | PyTexas | Fort Worth, TX, USA |
| October 24 - October 25 | FOSS.my 2009 | Kuala Lumpur, Malaysia |
| October 24 | Florida Linux Show 2009 | Orlando, Florida, USA |
| October 24 | LUG Radio Live | Wolverhampton, UK |
| October 25 | Linux Outlaws and Ubuntu UK Podcast OggCamp | Wolverhampton, UK |
| October 26 - October 28 | Techno Forensics and Digital Investigations Conference | Gaithersburg, MD, USA |
| October 26 - October 28 | GitTogether '09 | Mountain View, CA, USA |
| October 26 - October 28 | Pacific Northwest Software Quality Conference | Portland, OR, USA |
| October 27 - October 30 | Linux-Kongress 2009 | Dresden, Germany |
| October 28 - October 30 | Hack.lu 2009 | Luxembourg |
| October 28 - October 30 | no:sql(east). | Atlanta, USA |
| October 29 | NLUUG autumn conference: The Open Web | Ede, The Netherlands |
| October 30 - November 1 | YAPC::Brasil 2009 | Rio de Janeiro, Brazil |
| October 31 | Linux theme day with ubuntu install party | Ede, Netherlands |
| November 1 - November 6 | 23rd Large Installation System Administration Conference | Baltimore, MD, USA |
If your event does not appear here, please tell us about it.
Page editor: Forrest Cook
