LWN.net Weekly Edition for June 19, 2003
Software patents in Europe
Europeans, like citizens of much of the "free world," have a certain tendency toward smugness when software patents are discussed. Software patents, after all, are an American problem. Unfortunately, the U.S. is quite good at exporting its problems. Software patents in Europe took another step toward reality this week when the Legal Affairs Committee of the European Parliament voted in favor of an EU-wide software patent scheme. The 20-8 committee vote adopted the proposed directive, as written by the European Commission, almost without changes.
The proposal is said to be more restrictive than the American version of software patents. Patentable technologies would have to be useful in a particular setting and application; simply having a program is not enough. And business models still would not be subject to patents. But the proposed directive is still enough to raise widespread concern throughout Europe. The Greens were quite clear on what they think:
There is also this release from the Foundation for a Free Information Infrastructure, which contains quotes from a number of European business figures.
The sad truth is that software patents have done great harm in the U.S., and they are unlikely to be more beneficial in Europe. This is one import the EU could do without.
All SCO, all the time
One of these days we'll manage to keep SCO off the front page. Not this week. The next two articles cover a couple of important issues in this whole mess - the breathtaking scope of SCO's claims and a look inside the company as revealed in its latest 10Q filing. Both articles, we think, give some insight into just what the Linux community is up against.
During the last week the read-copy-update (RCU) technology has been singled out as one of IBM's contributions that SCO objects to. We ran an article looking into the origins of RCU and concluding that SCO had nothing to do with the creation of RCU. The article is a bit dated (already) but it still gives an overview of the RCU situation; a number of the reader comments are well worth reading too. In the end, however, origins matter little; SCO believes it owns everything that was ever part of a Unix system.
The company has filed a new version of its complaint against IBM, upping the damages demanded and changing many points. See this LWN article for a brief summary, a pointer to the document, and numerous comments.
Finally, should all this not be enough on SCO, the SCOvsIBM Wiki maintained by Karsten Self is exhaustive and exhausting.
SCO owns the World?
According to some opponents of free software, users of that software are taking grave risks. The GPL, it is said, is "viral" and can cause the loss of a company's intellectual property. And free software users are exposed to the possibility that somebody, somewhere, may have incorporated tainted code, exposing users and distributors to unexpected liabilities. The solution to these problems, of course, is to simply stick with safe, licensed, proprietary software. It costs, and you sign away a lot of rights, but the warm, fuzzy feeling that comes from signing that license agreement is worth it.
Except it's increasingly clear that things are not that way. We all owe SCO a debt of gratitude for showing us how unsafe proprietary software can be. That company is using proprietary licensing to press a truly staggering set of claims over the work of others and power to disrupt organizations worldwide.
Consider first the issue of intellectual property. SCO CEO Darl McBride recently gave an interview which provided a clear picture of how he sees the ownership of proprietary Unix systems:
Off the tree trunk, you have a number of branches, and these are the various flavors of Unix. HP-UX, IBM's AIX, Sun Solaris, Fujitsu, NEC--there are a number of flavors out there. SCO has a couple of flavors, too, called OpenServer and UnixWare. But don't confuse the branches with the trunk. The System 5 source code, that is really the area that gives us incredible rights, because it includes the control rights on the derivative works that branch off from that trunk.
These "control rights" are at the core of the IBM lawsuit. SCO is claiming that any work any vendor has ever put into a Unix system is subject to SCO's control. Chris Sontag, the head of SCOsource, is even more direct:
SCO, it would seem, owns everything. Compared to that claim, the allegedly "viral" nature of the GPL (if you distribute something derived from a GPL-licensed product, the derived product must also be licensed under the GPL) seems weak indeed. SCO is laying claim to decades of work done by dozens of proprietary Unix vendors, and that's just the starting point.
Does this claim have any basis in reality? SCO has posted the relevant agreements on its IBM lawsuit page, so this sort of thing can be checked - at least, for the IBM case. The basic software agreement ("Exhibit A") states (in section 2.01):
Since the agreement on the original "SOFTWARE PRODUCT" includes prohibitions on disclosure, this language would seem to back up SCO's claim. Thus, technologies like read-copy-update, which were never part of any SCO product, could be said to come under this agreement and be prohibited from disclosure. In fact, the language could even be read to transfer ownership of any modifications to SCO, except that IBM caught that and forced a change ("Exhibit C"):
So IBM owns its changes. But the company might have signed away its right to disclose its changes to others or deploy them in other contexts. Other vendors with less-aware lawyers may well have signed away all ownership to their Unix work. So much for the safety of intellectual property in the proprietary environment.
Of course, all this is IBM's problem. As SCO and others have stated, customers are better off with licensed, proprietary software, since it is warranted against intellectual property problems. Sun Microsystems plans to press this point to its advantage. The only problem is that, once again, SCO has shown us that this statement is not true.
SCO is attempting to revoke IBM's license to distribute AIX. This move does not just affect IBM; consider this quote from Chris Sontag, the head of SCOsource:
All of those AIX customers did exactly what they are supposed to do: they signed a proprietary license, paid their fees, and went off with the idea that they had bought the right to use the system on their machines. Now it appears that Unix users, at SCO's whim, can be deprived of the software upon which they have built their businesses. Proprietary Unix, it would seem, is a foundation built upon sand. Given that Microsoft felt the need to buy a Unix license from SCO, it is not clear that Windows users are in any better shape. One might assume that SCO would not try to pull the plug on Windows, but the possibility exists regardless. We look forward to the forthcoming warning from the Gartner Group.
SCO's actions have pointed out the very real possibility for trouble resulting from the incorporation of proprietary code into a free product. This is an issue that should probably be taken more seriously throughout the free software community in the future. But SCO has also made it painfully clear that the proprietary world, too, has its traps, and those traps are at least as frightening as any faced by free software users. Taken to their extreme, the proprietary rights claimed by SCO give that company ownership and control over most computing systems on the planet. It is a frightening thing to contemplate.
SCO's quarterly report
SCO's Form 10-Q filing, summarizing the company's operations for the quarter ending April 30, is now available. These reports always have some interesting tidbits for those who are patient enough to wade through them, and SCO's is no exception.
SCO claims a profit of $4.5 million for the quarter - the first in the company's history. (Bear in mind that "the company" is the one formerly known as Caldera). Based on that figure, SCO management has made much noise about how strong SCO is. A look at the figures tells a different story.
Products revenue was $11 million - down 12% from one year ago. Services revenue was $2 million, down 30% from one year ago. SCO would have racked up a significant loss in this quarter if it weren't for SCOsource, which brought in $8.3 million. Even after they spent over $2 million in legal expenses and such, that money was enough to put SCO into a position of profit for the quarter. That makes for a nice one-time bottom line, but, as SCO says, "SCOsource licensing revenue is unlikely to produce stable, predictable revenue for the foreseeable future."
SCOsource, so far, has exactly two customers. They won't tell us who the first is, saying only:
The second licensee, of course, is Microsoft. We don't know how much each one spent, only that the two add up to $8.3 million.
There are hints of some interesting stuff going on with regard to the sale of these licenses. Consider:
Of course, at today's price for SCO stock, that warrant can be exercised (if the holder moves quickly) for a $1.8 million overnight profit. That, one might suppose, will take a bit of the sting out of paying for a license from SCO. The filing does not say which licensee got this little added gift ("for no consideration") or why, but the wording suggests the lucky recipient was the "long-time licensee," not Microsoft.
The story with Vista.com (covered in the June 12 Weekly Edition) gets more interesting as well. There, Vista's founder got 800,000 shares (now going on the market) in exchange for a $1 million note payable by Vista. Vista, however, is in default on some of its other loans from SCO - but was given more money in April anyway. There is no real explanation of why SCO is supporting Vista (and its founder) in this way.
SCO claims to have $10 million in the bank, and another $15 million in various assets. $1 million of that is the dubious note from Vista. In the absence of new investments or SCOsource deals, the company may well burn through that cash pile in two years or less. Participants in the recent rally in SCO's stock price may yet find a reason to wish they had missed out.
Java and Open Source
[This article was contributed by Joe 'Zonker' Brockmeier]
The JavaOne conference was held last week in San Francisco, and as usual there was a barrage of announcements from Sun about new Java-related initiatives and technologies, some of them actually of interest to the Linux and Open Source communities.
One of the big announcements was the launch of Java.net, a cooperative effort with O'Reilly and CollabNet. Java.net seems to be Sun's answer to SourceForge, an Open Source development site but with a specialization in Java and Java-related technologies. The site will include hosting of projects, mailing lists, forums, wikis and blogs (presumably about Java or related technologies). Right now Java.net only boasts a few projects: JXTA, NetBeans, the Javapedia, JAIN and so on.
The NetBeans team announced the NetBeans 3.5 release, including the NetBeans IDE, last week as well. The NetBeans IDE is written, not surprisingly, in Java, so you should be able to run it on Linux or any other platform with decent Java support. However, the NetBeans IDE is not limited to Java development -- it supports C, C++, XML and HTML as well as Java. NetBeans has been available under an Open Source license, the Sun Public License, for three years now.
Sun also announced the Sun ONE Studio 5 IDE, which is based on the NetBeans Platform. This one isn't Open Source, but it does run on Linux and may be of interest to J2SE (Java 2 Standard Edition) and J2EE (Java 2 Enterprise Edition) developers.
Another interesting tidbit announced during the JavaOne timeframe is the Scripting Java Specification Request (JSR), a plan to help scripting languages like PHP and Java interact. Specifically, it's aimed at writing Java classes that can be invoked by a page using PHP, ECMAScript or other scripting languages that are in wide usage. The Scripting JSR seems to be in a formative stage at the moment, but it should be interesting to see what the group comes up with in the long term. The initial members of the group are Sun, Macromedia, Zend and Oracle.
Open Source gamers might be pleased to learn that Sun has diverted work on some gaming APIs from the Java Community Process to Java.net as well. However, this probably has more to do with the fact that Sun doesn't see much profitability in gaming APIs for Java than any major commitment to the Open Source philosophy.
Sun also touted a "simplified" Java Research License (JRL). The JRL is supposed to "simplify and relax" the research section of Sun's Sun Community Source License (SCSL). This allows some limited development for research and development, but anyone hoping to distribute a project will have to go to Sun for a commercial agreement and meet Java compatibility requirements. In other words, it still is not a free license.
What are the prospects of Sun making Java itself Open Source? It's probably not going to happen anytime soon, but there are folks at Sun who are in favor of making Java, or parts of it, Open Source. James Gosling, the guy responsible for Java, is in favor of releasing Java according to this Computerworld article:
Slowly but surely, Sun seems to be moving towards a more open stance with Java, but the company is still retaining very tight control on the core Java technologies.
Security
Brief items
Some goodies from OpenWall
Solar Designer has sent out an announcement of a new set of security-oriented releases from OpenWall. These components are, of course, integrated into Openwall Linux, but they are available separately for integration into other distributions as well.
Here's what's available:
- A patch for the 2.4.21 kernel fixing problems and adding a number of security features. You can now use 2.4.21 in Openwall Linux, though, in true conservative form, they still recommend sticking with 2.2 for now.
- msulogin, a version of the "sulogin" program (which is normally used to control access to a system in single-user mode). The twist offered by msulogin is that it can handle multiple root accounts.
- tcb, an alternative shadow password implementation. The difference is that tcb implements separate shadow files for each user. This technique allows group permissions to be used to implement password policies, and it allows the entire password subsystem to work with no need for root privileges.
These tools and patches can be used as components in a more secure Linux system, and that can only be a good thing.
June CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for June is out; it looks at cyberterrorism, teaching virus writing, attacking virtual machines with memory errors, and fun with expired domains (beyond the usual trick of pointing them at porn sites): "Step 1: Buy an expired domain. Step 2: Watch all the spam come in, and figure out what e-mail accounts were active for that domain's previous owner. Step 3: Go to an account-based site -- eBay, Amazon, etc. -- and request that the password be sent to those accounts. If the people with those accounts didn't bother to change their e-mail address when the domain expired, you can collect their passwords."
New vulnerabilities
BitchX: Denial of service vulnerability
Package(s): BitchX
CVE #(s): CAN-2003-0334
Created: June 17, 2003
Updated: June 17, 2003
Description: A Denial Of Service (DoS) vulnerability was discovered in BitchX that would allow a remote attacker to crash BitchX by changing certain channel modes. Read more here and here.
ethereal: buffer and integer overflows
Package(s): ethereal
CVE #(s): CAN-2003-0356 CAN-2003-0357
Created: June 12, 2003
Updated: June 18, 2003
Description: Timo Sirainen discovered several vulnerabilities in ethereal, a network traffic analyzer. These include one-byte buffer overflows in the AIM, GIOP Gryphon, OSPF, PPTP, Quake, Quake2, Quake3, Rsync, SMB, SMPP, and TSP dissectors, and integer overflows in the Mount and PPP dissectors.
gnocatan: buffer overflows, denial of service
Package(s): gnocatan
CVE #(s): CAN-2003-0433
Created: June 12, 2003
Updated: June 28, 2003
Description: Bas Wijnen discovered that the gnocatan server is vulnerable to several buffer overflows which could be exploited to execute arbitrary code on the server system.
lyskom-server: denial of service
Package(s): lyskom-server
CVE #(s): CAN-2003-0366
Created: June 13, 2003
Updated: June 17, 2003
Description: Calle Dybedahl discovered a bug in lyskom-server which could result in a denial of service where an unauthenticated user could cause the server to become unresponsive as it processes a large query.
man: format string exploit
Package(s): man
CVE #(s):
Created: June 16, 2003
Updated: June 17, 2003
Description: Versions of man 1.5l and below contain a format string vulnerability. The vulnerability occurs when man uses an optional catalog file, supplied by the NLSPATH/LANG environmental variables. See the full advisory for more details.
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
noweb: insecure temporary files
Package(s): noweb
CVE #(s): CAN-2003-0381
Created: June 17, 2003
Updated: June 28, 2003
Description: Jakob Lell discovered a bug in the 'noroff' script included in noweb whereby a temporary file was created insecurely. During a review, several other instances of this problem were found and fixed. Any of these bugs could be exploited by a local user to overwrite arbitrary files owned by the user invoking the script.
radiusd-cistron: possible remote system compromise
Package(s): radiusd-cistron
CVE #(s): CAN-2003-0450
Created: June 13, 2003
Updated: July 11, 2003
Description: The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server handles large NAS numbers incorrectly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on.
webmin: session ID spoofing
Package(s): webmin
CVE #(s): CAN-2003-0101
Created: June 13, 2003
Updated: November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Xpdf - command execution vulnerability
Package(s): Xpdf
CVE #(s): CAN-2003-0434
Created: June 18, 2003
Updated: July 24, 2003
Description: Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters.
Resources
Linux Advisory Watch
The June 13 Linux Advisory Watch newsletter from LinuxSecurity.com is available.
Page editor: Jonathan Corbet
Kernel development
Brief items
Kernel release status
The current development kernel is 2.5.72, which was released by Linus on June 16. This relatively small patch contains an x86-64 merge, a partial reversion of the IDE taskfile switchover, a PA-RISC update, and various fixes and cleanups. The long-format changelog has the details.
Linus had released the 2.5.71 ("sticky turtle") kernel only two days before. This long-awaited patch included a fair amount of driver model work, some extensive PCI bus cleanups (dealing with potential race conditions there), the big IDE changeover to taskfile I/O, a new /proc/kallsyms file, support for per-CPU variables in modules, a change to the kmalloc_percpu() interface, an Atmel at76c50x wireless driver, a long-sought fix for hanging TCP sessions, an improved slab allocator which performs better in busy, multi-processor situations, some kbuild tweaks, an ALSA update, a set of hash function changes to deal with algorithmic complexity attacks, a FAT filesystem rework (if you have been waiting to be able to create FAT partitions greater than 128GB, this patch is for you), a v850 subarchitecture merge, a RAID update, the removal of the long-deprecated callout TTY device (/dev/cua) support, numerous architecture updates, and several other fixes and updates. As always, the long-format changelog has the gory details.
Linus's BitKeeper tree contains an extensive ext3 and JBD rework (see below), an OProfile update, some NFS server fixes, and a few other fixes and updates.
With the 2.5.72 announcement, Linus announced that he is taking a leave of absence from Transmeta to go work at the Open Source Development Lab. "Transmeta has always been very good at letting me spend even an inordinate amount of time on Linux, but as a result I've been feeling a little guilty at just how little 'real work' I got done lately. To fix that, I'll instead be working at OSDL, finally actually doing Linux as my main job."
The current stable kernel is 2.4.21, released, at last, on June 13. There were no changes since -rc8.
No 2.4.22 prepatches have come out yet. Marcelo's plan, at this point, is to have 2.4.22 contain an updated aic7xx driver and the current ACPI tree (both items that people had wanted in 2.4.21), along with some interactivity and memory management fixes.
Kernel development news
What's needed to fix user-space device enumeration?
Back in April, LWN looked at udev, a simple user-space daemon which handles the dynamic creation and removal of device nodes. Udev is an answer to devfs which uses hotplug events and sysfs to manage the device tree in user space. Things have been fairly quiet on the udev front - at least, on the public lists. That changed, however, when Steven Dake posted a patch aimed at fixing some problems he sees with how udev works. At that point, it became clear that an off-list discussion has been going on for some time.
Mr. Dake has a list of four problems that he is trying to fix with his patch, which creates an event queue within the kernel and a virtual device for retrieving events from that queue. These problems are:
- The current implementation (which invokes /sbin/hotplug for each device event) has performance problems when the number of devices is large.
- There is no policy controlling how many /sbin/hotplug processes can be created simultaneously, a shortcoming which can lead to out-of-memory situations.
- /sbin/hotplug is not available during the early part of the system initialization process, so early device enumeration is not possible.
- Hotplug events can be processed out of order, leading to device directory corruption.
The posting elicited some strongly-worded responses. The general view is that the first three of the problems listed above do not actually exist. The cost of /sbin/hotplug is small relative to the cost of device probing and initialization, so, in the real world, system load and performance are not problems. Early initialization can be handled with initramfs or by reconstructing things in user space from the sysfs tree. The hotplug developers thus feel no pressure to "fix" any of those problems. Linus also chimed in with a condemnation of event daemon schemes.
When the dust settled, however, the problem of event reordering remained. Device events can come quickly, and the vagaries of scheduling, page faults, etc. can cause them to be processed in an order different from that in which they were generated. Some fairly complicated schemes were presented for dealing with this problem, but they were set aside when Andrew Morton suggested the (in retrospect) obvious: add a sequence number to hotplug events. With a unique, increasing sequence number, it is simple for a user-space process to detect (and fix) misordered events. Problem solved.
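One way a user-space handler could use such a sequence number, as an added example that is not code from udev or the hotplug scripts: events that arrive early are held back until the gap before them is filled. The hp_event layout, the device paths and the assumption that numbering starts at 1 are made up for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SLOTS 8

/* Assumed event record: the article specifies only the sequence number. */
struct hp_event {
    unsigned long seq;       /* unique, increasing, set when the event is generated */
    int add;                 /* 1 = device added, 0 = device removed */
    const char *devpath;
};

/* Toy stand-in for the device directory kept by the user-space handler. */
struct node_table {
    const char *path[MAX_SLOTS];
    int count;
};

static int node_find(const struct node_table *t, const char *devpath)
{
    int i;
    for (i = 0; i < t->count; i++)
        if (strcmp(t->path[i], devpath) == 0)
            return i;
    return -1;
}

static void apply_event(struct node_table *t, const struct hp_event *ev)
{
    int i = node_find(t, ev->devpath);
    if (ev->add && i < 0 && t->count < MAX_SLOTS)
        t->path[t->count++] = ev->devpath;          /* create the node */
    else if (!ev->add && i >= 0)
        t->path[i] = t->path[--t->count];           /* remove the node */
}

struct reorder {
    unsigned long next_seq;                 /* next sequence number allowed to run */
    struct hp_event pending[MAX_SLOTS];     /* early arrivals waiting for a gap */
    int npending;
};

/* Returns the number of events applied, or -1 if the event was rejected. */
static int reorder_submit(struct reorder *r, struct node_table *t,
                          const struct hp_event *ev)
{
    int i, applied = 1;
    if (ev->seq < r->next_seq)
        return -1;                          /* stale or duplicate */
    if (ev->seq > r->next_seq) {            /* arrived early: hold it back */
        for (i = 0; i < r->npending; i++)
            if (r->pending[i].seq == ev->seq)
                return -1;                  /* duplicate of a held event */
        if (r->npending == MAX_SLOTS)
            return -1;                      /* gap never filled; caller must recover */
        r->pending[r->npending++] = *ev;
        return 0;
    }
    apply_event(t, ev);
    r->next_seq++;
    for (i = 0; i < r->npending; i++) {     /* release held events now in order */
        if (r->pending[i].seq != r->next_seq)
            continue;
        apply_event(t, &r->pending[i]);
        r->pending[i] = r->pending[--r->npending];
        r->next_seq++;
        applied++;
        i = -1;                             /* rescan: another one may now be next */
    }
    return applied;
}

/* Constructed arrival order: two events overtake the ones they depend on. */
static const struct hp_event arrivals[] = {
    { 2, 0, "/block/sda" },                 /* the remove arrives first ... */
    { 1, 1, "/block/sda" },                 /* ... then the add it should follow */
    { 4, 1, "/block/sdb/sdb1" },
    { 3, 1, "/block/sdb" },
};
struct node_table last_table;               /* result of the most recent replay() */

/* Replays the arrivals with or without sequence checking; returns the node count. */
int replay(int use_seq)
{
    struct reorder r = { .next_seq = 1 };   /* assumption: numbering starts at 1 */
    size_t i;
    memset(&last_table, 0, sizeof(last_table));
    for (i = 0; i < sizeof(arrivals) / sizeof(arrivals[0]); i++)
        if (use_seq)
            reorder_submit(&r, &last_table, &arrivals[i]);
        else
            apply_event(&last_table, &arrivals[i]);
    return last_table.count;
}

int main(void)
{
    printf("nodes in arrival order: %d, in sequence order: %d\n", replay(0), replay(1));
    return 0;
}
```

Processed in arrival order, the table keeps a node for /block/sda even though that device has been removed; with the sequence check the remove is applied after the add and the stale node is gone.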
Avoiding sysfs surprises
One of the nice (and increasingly important) features of the 2.5 device model is sysfs. This virtual filesystem exports a view of the system's structure to user space; it also provides a nice control interface - and /proc replacement - by allowing attributes to be attached to sysfs entries. Sysfs is not without its traps, however, and many kernel developers are just now beginning to realize the sort of care that is necessary to avoid making mistakes.
The hardware supported by Linux is increasingly dynamic; devices can appear and disappear at any time. The sysfs filesystem adjusts itself in response to hardware events by creating and removing directories associated with devices, classes, and other objects. Kernel code typically implements this functionality by allocating (and registering) device structures and other objects when a device is plugged in, and deleting those structures when the device is removed. It tends to work quite well.
But consider the following possible sequence of events:
- A user plugs in a shiny new hotplug PCI frobnicator.
- The driver creates a device structure and registers it; as a result, the directory /sys/devices/pci0/00:11.0/ (or some such) gets created and filled with attributes.
- A user process moves into that directory, opens one of the attribute files, but doesn't get around to reading it yet.
- The user, having done enough frobnication for one day, unplugs the device.
- The driver unregisters and frees the device structures.
All seems well, except for the small problem of that user process. By sitting in the directory, it maintains a reference there. The open attribute file is yet another reference. If the driver has truly cleaned up and freed the devices, the user process will be holding structures with pointers into freed memory. An attempt to read the (already open) attribute file at this point is almost certain to crash the system.
The above scenario is not hypothetical; a fair number of such conditions exist in the 2.5 kernel now. That is why this issue (titled "kobject refcounting") appears in the 2.6 must-fix list. It truly must be fixed.
The infrastructure exists to handle these problems, but it must be used properly to be effective. The solution lies in the same place as the problem - the kobject structure. The 2.5.72 version of this structure looks like:
    struct kobject {
        char name[KOBJ_NAME_LEN];
        atomic_t refcount;
        struct list_head entry;
        struct kobject *parent;
        struct kset *kset;
        struct kobj_type *ktype;
        struct dentry *dentry;
    };
Entries in sysfs are closely tied to kobjects; there is a kobject associated with each directory in the filesystem. When a process moves into a sysfs directory or opens a sysfs file, the associated kobject has its refcount field incremented. As long as the reference count is above zero, the kobject cannot be deleted.
The same kobjects, of course, are embedded deeply within the structures used to represent devices and other system objects. So a nonzero reference count in a kobject means that the entire device structure (and, perhaps, the module infrastructure supporting it) is still in use. Safely putting things into sysfs is really just a matter of not deleting objects until their reference counts hit zero.
Of course, that is easily said, but the current mechanism for implementing such a policy is not entirely obvious. An example might help, so we'll look at the block subsystem, which does things right. Disks, within the kernel, are represented by the gendisk structure. The function used to create a gendisk is alloc_disk(), which, after allocating and initializing a gendisk structure (which contains a kobject), executes this mysterious line of code:
kobj_set_kset_s(disk,block_subsys);
This line tweaks the kobject within disk (the gendisk structure) to make it a part of block_subsys. The block subsystem structure, in turn, contains a pointer to a kobj_type structure, which, in this case, looks like:
    static struct kobj_type ktype_block = {
        .release = disk_release,
        .sysfs_ops = &disk_sysfs_ops,
        .default_attrs = default_attrs,
    };
We'll come back to this structure in a moment. For now, suffice it to say that it identifies the kobject (and the gendisk structure that contains it) as something belonging to the block code, and provides some methods implementing the object's operations.
The function which puts a new disk into the system is add_disk(); it creates the associated sysfs structure, and increments the disk's reference count. The disk then goes through its lifecycle, with the reference count going up and down as it is mounted and unmounted, and as its sysfs files are accessed. Should the disk disappear, the driver will do some cleanup and call del_gendisk() to return the gendisk structure to the system.
del_gendisk() does not actually free the structures, however. It removes the sysfs entries and generally shuts things down; it then finishes by decrementing the reference count. That operation releases the reference which was first obtained in add_disk(). The driver also must release its own reference with put_disk(). These operations may drop the reference count to zero - if nobody else is holding a reference to the disk. But there is no way to know ahead of time.
Sooner or later, however, the last reference will go away. The function which actually decrements the count (kobject_put()) tests that count for zero. If no references remain, kobject_put() will go back to the kobj_type structure associated with the kobject (the ktype_block we saw above, in the case of a gendisk) and call the release() method found there. That method, knowing that nobody is referring to the object, can actually remove it from the system.
That is how sysfs objects must be managed. They must have a destructor associated with them, by way of the kobj_type structure, and that destructor must understand the higher-level objects that it is dealing with. With this mechanism in place, objects will continue to exist as long as references to them are held.
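The lifetime rule described above, modelled in user-space C as an added example (not kernel code): the driver's put at unplug time does not free the object while an open attribute file still holds a reference, and the release() method runs only on the last put. All model_* names are hypothetical stand-ins for the kobject, kobj_type and gendisk machinery.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model of the lifetime rule; every model_* name is hypothetical. */
struct model_kobject;

struct model_ktype {
    void (*release)(struct model_kobject *kobj);   /* destructor, as in kobj_type */
};

struct model_kobject {
    int refcount;                 /* atomic_t in the kernel structure */
    struct model_ktype *ktype;
};

static struct model_kobject *model_kobject_get(struct model_kobject *k)
{
    k->refcount++;
    return k;
}

/* Drop one reference; only the last put calls the release() method. */
static void model_kobject_put(struct model_kobject *k)
{
    if (--k->refcount == 0 && k->ktype && k->ktype->release)
        k->ktype->release(k);
}

/* Higher-level object with an embedded kobject, standing in for gendisk. */
struct model_disk {
    int capacity;
    struct model_kobject kobj;
};

static int model_disks_released;      /* counts destructor calls */

static void model_disk_release(struct model_kobject *k)
{
    /* The destructor knows the containing type, so it frees the whole disk. */
    struct model_disk *d =
        (struct model_disk *)((char *)k - offsetof(struct model_disk, kobj));
    model_disks_released++;
    free(d);
}

static struct model_ktype model_ktype_disk = { .release = model_disk_release };

static struct model_disk *model_alloc_disk(int capacity)
{
    struct model_disk *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    d->capacity = capacity;
    d->kobj.refcount = 1;             /* the driver's own reference */
    d->kobj.ktype = &model_ktype_disk;
    return d;
}

/* An open attribute file pins the kobject until it is closed. */
struct model_open_attr {
    struct model_kobject *kobj;
};

static int model_attr_read(const struct model_open_attr *f)
{
    const struct model_disk *d = (const struct model_disk *)
        ((const char *)f->kobj - offsetof(struct model_disk, kobj));
    return d->capacity;
}

int model_released_at_unplug;   /* destructor calls seen right after unplug */
int model_released_at_close;    /* destructor calls seen after the file closes */

/* Replays the article's sequence: plug in, open attribute, unplug, read, close. */
int model_unplug_while_open(void)
{
    int before = model_disks_released, value;
    struct model_disk *d = model_alloc_disk(4096);
    struct model_open_attr f;

    if (!d)
        return -1;
    f.kobj = model_kobject_get(&d->kobj);    /* open(): count goes 1 -> 2 */
    model_kobject_put(&d->kobj);             /* unplug: driver drops its ref, 2 -> 1 */
    model_released_at_unplug = model_disks_released - before;
    value = model_attr_read(&f);             /* object still alive: safe read */
    model_kobject_put(f.kobj);               /* close(): 1 -> 0, release() runs */
    model_released_at_close = model_disks_released - before;
    return value;
}

int main(void)
{
    int v = model_unplug_while_open();
    printf("read after unplug: %d, released at unplug: %d, at close: %d\n",
           v, model_released_at_unplug, model_released_at_close);
    return 0;
}
```

A driver that called free() directly at the unplug step, instead of dropping its reference, would leave the open file's pointer dangling, which is the crash scenario the article walks through.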
Of course, things can get more complicated than that. If, for example, a module adds attributes to sysfs entries, that module cannot be removed until it is certain that all of the relevant references have gone away. It gets even worse if kernel code tries to attach attributes to objects which it does not own; in that case it can be very hard to get everything right. It may eventually prove necessary to rework some of the sysfs interfaces to make it easier to avoid mistakes, but that seems unlikely for 2.5 at this point. In the meantime, connecting the pieces together correctly can be an intimidating task the first time around, but the alternative is to put denial of service vulnerabilities into the kernel.
Big changes to ext3 and journaling
The ext3 filesystem is, for many, the standard journaling filesystem for the Linux kernel. So it has been somewhat embarrassing that ext3 still uses a number of deprecated interfaces, including the big kernel lock and sleep_on(). The big kernel lock (BKL) is a holdover from the initial Linux symmetric multiprocessing implementation, when it was not safe for more than one processor to run in the kernel at the same time. Its presence in ext3 is not just considered archaic and inelegant; it is also a serious performance constraint on larger SMP systems.
As of 2.5.73, the BKL has been abolished from ext3, thanks to a lengthy series of patches by Andrew Morton and Alex Tomas. These patches never did show up on linux-kernel, but they have been part of the -mm kernel tree for some time. Says Andrew:
So, as with all development kernels, a bit of caution is called for.
Removing the BKL from ext3 was actually a simple thing to do. That filesystem, itself, had no need for the BKL - it is the generic journaled block device (JBD) layer that required that protection. So the first step was to push the BKL down a layer, and ext3 was BKL-free. Of course, that didn't solve the real problem, but it was a start. While ext3 was being worked on, a few other patches went in:
- Concurrent block and inode allocation, much like ext2 has had for some time. This patch puts a separate spinlock on each cylinder group in a filesystem, allowing allocation to happen in multiple groups simultaneously.
- "Fuzzy counters," which implements approximate counters for free blocks and inodes using per-CPU variables.
- The ext3 "data=journal" mode has been fixed. This mode, which journals all data written to the disk (rather than just the metadata) has been broken for a long time.
With ext3 done, it was time to fix up the JBD layer. This job was not done halfway - a lengthy series of patches adds several locks and a whole, complicated, fine-grained scheme. Each transaction gets two separate locks (t_handle_lock and t_jcb_lock) controlling access to various data structures. There is another set for the journal: j_state_lock for scalar state information, j_list_lock for lists and buffers, and j_revoke_lock for the list of revoked blocks. Two more locks protect aspects of the buffer head/journal head combination. And, of course, there is a whole set of ordering rules to control which locks must be taken before which others. Believe it or not, there is even a certain amount of documentation in the code comments describing which locks protect which data structures.
The whole body of work clearly needs wider testing (and benchmarking), so it's probably a good time for it to go into the mainline kernel. Hopefully there won't be too many surprises lurking for the unwary (or unbacked-up). As this work stabilizes, however, another big item can be scratched off the "must-fix" list.
Page editor: Jonathan Corbet
Distributions
News and Editorials
Midori Linux Expands into Asia
[This article was contributed by Ladislav Bodnar]
An unfortunate side effect of the current media frenzy over a certain legal battle is that many interesting development projects get less exposure in the media or get buried in between more "exciting" headlines. Fortunately, there is little doubt that Linux software development continues unabated, despite all the ill-founded attempts to discredit it. Last week's announcement by Transmeta Corporation about an agreement to allow Chinese 2000 Holdings Ltd. to develop and market Midori Linux in Asia might have been one such missed press release. But what exactly is Midori Linux and how significant is this announcement?
Midori Linux is a Linux-based distribution for small and embedded devices. The name stands for "green" in Japanese, which becomes rather apparent if you visit the project's home page. Little was known about the beginnings of the Midori project before it was open sourced and released under GPL in March 2001. However, interest by the open source community in further developing the distribution has been limited and the project appeared to be on its way to extinction after the last release of Midori Linux, version 1.0.0-beta3, nearly 2 years ago. The announcement about the Asian involvement in the project is Transmeta's latest attempt at reviving Midori Linux.
Who is Chinese 2000 Holdings? An investigation into the Hong Kong-based company's background reveals some interesting facts. The company was initiated by one Henry Chu (Chu Bang-fu), a name that is unlikely to ring any bells in the minds of most Western readers, but Mr. Chu is a household name in Taiwan and other parts of the Chinese-speaking world. In fact, he is often credited with initiating the Chinese computer revolution by inventing in 1980 a Chinese input method for computers called "Cang Jie". The Cang Jie input enables users to enter Chinese characters based on the character's shape and structural appearance, rather than its pronunciation. This method greatly reduces the number of key strokes required for inputting Chinese and eliminates common typing errors. While many newer input methods, many of them commercial, were invented in later years, Cang Jie still remains a popular input method of professional typists in Taiwan and Hong Kong.
Instead of demanding royalties and enforcing rights, Mr. Chu released his invention into the public domain to be shared without any strings attached. It therefore comes as no surprise that the company Mr. Chu later founded embraced Linux wholeheartedly as a platform for further development. The current range of products developed by Chinese 2000 Holdings includes a desktop Linux distribution called Chinese 2000 and various Linux-based electronic devices such as their e-book reader.
This brings us back to Midori Linux and Transmeta's interest to get a foot into the Asian market for embedded devices. While the adoption of embedded devices has been slow in North America and Europe (even the sales of PDAs have reportedly been dropping), Asian consumers appear to be more receptive to these new technologies. More importantly, development of embedded Linux is well advanced in Asia and there are companies in Korea, Taiwan and Japan with many years of experience modifying the Linux Kernel for specialist needs. Korea's Hancom Linux is a prime example; all the latest Linux-based Sharp Zaurus PDAs ship with a modified version of Hancom Office for Zaurus. Many US-based corporations specializing in embedded devices have also been keen on establishing active presence in Asia. MontaVista opened an office in Taiwan in October last year, while RedSonic has set up a substantial network of development offices and distribution partners throughout Taiwan, China, Korea and Japan. If anything, Transmeta's Midori is rather late for the embedded Linux party.
But has the party really started? If it has, it is confined to less visible and specialist applications, perhaps in car manufacturing or medicine, but embedded Linux certainly hasn't had much of an impact on the consumer market. Taiwan's Computex is a good indication of what the Asian hardware manufacturers are up to and the increasing number of e-books, tablet PCs and Internet-enabled mobile telephones over the last two years seems to indicate that these devices are here to stay. Yet seeing a morning commuter taking out an electronic reading device instead of a newspaper remains an elusive dream. Take into account that these types of devices are often expensive, prone to damage, lack common standards and provide limited availability of reading material and it is easy to see why consumers have yet to find compelling reasons to embrace them.
Few will doubt that Linux is an excellent choice for small and embedded electronic devices, capable of providing solutions for specialist needs. But the large-scale consumer adoption of electronic devices that many have predicted has yet to happen. Nevertheless, work continues and Midori's latest expansion to Asia is proof that this field is far from dead.
Distribution News
New mailing list for maintainers of university Linux
Below is a letter from Seth Vidal, at Duke University, who points out that many universities have customized distributions based on Red Hat Linux, Duke included. This mailing list has been set up to facilitate discussion on supporting these systems past Red Hat's end-of-life dates.
Debian GNU/Linux
This week's edition of the Debian Weekly News is out, with a look at a survey which demonstrates a high level of interest in PCs preloaded with GNU/Linux across the world; the story of Tux; and much more.
Debian Planet has announced the creation of a Debian 10th birthday party coordination page. Debian turns ten on August 16, 2003.
Gentoo Weekly Newsletter -- Volume 2, Issue 24
The Gentoo Weekly Newsletter for June 16, 2003 is out. This week's edition looks at Gentoo Linux Enhancement Proposals and a new home for bugs.gentoo.org, plus user stories, Gentoo Linux in production environments, and more.
Mandrake Linux
The Mandrake Linux Community Newsletter for June 5, 2003 is out. In this issue: Mandrake in the News -- TweakHound.com, LinuxWorld.com; BizCase of the Week -- Multimedia: Ambitone Oy; Quick Tips -- Mandrake Community TWiki, Easy URPMI Setup; Software Updates -- sb, mozilla, gnupg, more; Headlines from MandrakeClub.com -- Write better PHP code, 101 modules for Advanced Extranet server.
MandrakeSoft has announced the immediate availability of The Definitive Guide to Using Mandrake Linux, 2nd Edition which has been thoroughly updated and expanded to cover the recently released Mandrake Linux 9.1.
Here's a bug advisory for qt3, which would cause a crash when XFree86 did not support render.
Slackware Linux
Slackware Linux has some new changes in the slackware-current changelog, including upgrades to Linux kernel 2.4.21.
Integrate Lindows into your Windows network
ZDNet picks up an article on easing Lindows OS into an existing network. "When the Lindows OS developers were working with version 1.0 and readying version 2.0, I was extremely skeptical as to whether or not this operating system would find its way into the enterprise. With the release of Lindows OS 3.0, I think they've got a potential winner on their hands as long as it is approached with an open mind. Let's take a look at how you can slowly introduce this Linux-based operating system into your Windows environment without having a major upheaval of your existing infrastructure." (Thanks to Con Zymaris)
New Distributions
Alcolix
Alcolix is a minimal Linux rescue distribution with the goals of being small, compatible, and very usable. It has a cozy shell and a multitude of partition rescue/editing tools, all based on up-to-date releases (e.g., 2.4.x kernel with USB support). It uses cpio.bz2 data disks and has a full GRUB bootloader, memtest86, and more. Version 2.4.20 BETA3 was released June 16, 2003.
CERN Linux
CERN Linux is based on Red Hat Linux, with modifications to the kernel (to better support their hardware) and with additional software for High Energy Physics (HEP). It is used mostly at CERN and a few of the smaller HEP institutes worldwide, running on farm machines, servers, desktops and embedded PCs.
free-EOS
free-EOS is a French distribution with the aim of being incredibly easy to set up and get a set of services running. Version 1.1 was released June 14, 2003.
Linux4Geeks
Linux4Geeks is a collection of GNU-software, several programs and the Linux-kernel. If you want a fast and stable system - this distribution is the right for you! But if you are looking for an easy-to-use operating system - go and get another distribution! Linux4Geeks is based on Linux from Scratch. So if you don't want to compile all needed packages by yourself you can easily take this distribution and start to integrate your needed programs. By the way: To install Linux4Geeks you need a working installation of Linux to make your Linux4Geeks bootable. Version 0.01 was released June 11, 2003.
Minor distribution updates
Adamantix
Adamantix (formerly known as TrustedDebian) has released v1.0.1 with minor feature enhancements. "Changes: In this version all packages are GPG signed, there are random PIDs, the kernel is compiled with SSP, several packages have been fixed, there are several security updates, the PaX functionality test suite was added, PaX, RSBAC, and SSP were updated, and several kernel fixes (mostly security related) were added."
Astaro Security Linux
Astaro Security Linux has released v4.008 with major feature enhancements. "Changes: This ISO adds support for AMD K6, Intel P1, and VIA C3 CPUs, as well as modern boards with dual CPU support and interrupt controller programming (APIC). It also updates all occurrences of glibc (security fix). The new Linux kernel includes the security routing-cache-hash and TCP/IP fragment reassembly handling patch, the TTY exploit patch, an ext3 bugfix, new modules for PPTP, drivers for NICs, support for the Toshiba LCD, and support for Compaq SmartArray 5 and Adaptec I2O RAID. A new exim (SMTP-Proxy) is included for a small AV interaction bugfix."
Freepia
Freepia has released v0.3.6 with major feature enhancements. "Changes: This release supports 5.1 surround sound over S/PDIF (coax). A new graphics driver brings better performance. There is dhcpclient support and smbclient support. Partitions are now autodetected. USB storage support has been added to store configuration on USB devices. Kernel 2.4.21-rc2 is now used. rootfs has been shrunken. There is cramfs support for packages, a US keyboard layout, and many bugfixes."
MoviX
MoviX has released v0.8.0rc1 with major feature enhancements. "Changes: The DVD interface has been completed. The VCD, XCD, and AudioCD interfaces were implemented. APIC kernel support was added. A menu entry for filing bug reports was added. A Spanish translation was added. Linux swap partitions are now automatically activated. The DXR3 modules call was fixed, and new DXR3 menu and partitions/net volumes menus were implemented. Support for TrueType fonts and Chinese fonts was added."
MoviX2 has released v0.3.0rc1 with minor bugfixes. "Changes: Bug fixes were made for the "Error while reading cmd fd 7 : Success" message, for eject, and for ISA audio cards bugs. Subtitles with True Type fonts were added. Simplified Chinese subtitle fonts were added. NVidiaTV label was added. setHardware.pl from MoviX was synchronized. The default color depth was set to 16bpp for all cards. Support for Intel video cards was fixed. Minor changes were made to input.conf and gui.conf. bugReport was improved. Support for Sony remotes was added. ACPI support was added to the kernel."
PLD RescueCD
PLD RescueCD has released v1.01 with minor feature enhancements. "Changes: The kernel was updated to PLD 2.4.20-8. 235 new modules were built (USB serial, irda, mtd, ieee1394, bluetooth, pcmcia, gigabit ethernet). Framebuffer support was added. 115 packages were updated. The following programs were added: diag-ether, fbset, iptstate, mathopd, pound, progsreiserfs, trafshow, and wireless-tools."
Recovery Is Possible!
Recovery Is Possible! (RIP) has released v53 with major feature enhancements. "Changes: All the software and the kernel have been updated."
Rock Linux
Rock Linux has announced v2.0.0.0-beta5 with minor feature enhancements. The Desktop Rock distribution (dRock) has also released v2.0.0-beta5.
ThinStation
ThinStation has released v0.92 with major bugfixes. "Changes: The order of downloading thinstation-group-XXX.conf with TFTP was fixed. The XFree 4.2 cursors were tweaked. The thinstation.conf file was cleaned-up."
Distribution reviews
LinuxQuestions.org Distribution review site
LinuxQuestions.org adds a Distribution Review Section to its website. Compare different distributions, read what others like (or don't like), and add comments of your own.
Page editor: Rebecca Sobol
Development
The Q Equational Programming Language
The Q Equational Programming Language is a project that is being worked on by Albert Gräf at the University of Mainz in Germany. The Q language has the following properties:
- It is an interpreted language.
- The programs consist of collections of equations.
- It has dynamic object-oriented typing.
- It features exception handling and posix multi-threading.
- It comes with its own standard library.
- It can be extended with C language primitives.
- It runs on a wide variety of operating system platforms.
- An EMACS editor interface is included.
- Performance is similar to that of other interpreted languages.
- It has been released under the GNU General Public License (GPL).
The Q language Documentation explains the language in more detail. An example Huffman encoding program shows the language in use.
Version 4.3 of the Q interpreter has been released; see the NEWS document for the language change history.
Recent additions to the language include new versions of Q-Audio 1.0 and Q-Midi 1.10. Q-Audio adds a language interface to the libsndfile audio libraries, and Q-Midi adds a MIDI interface to the language.
System Applications
Audio Projects
Planet CCRMA additions
The latest additions to the Planet CCRMA audio utility packaging project include new versions of Jack, Rosegarden, Noteedit, MCP LADSPA Plugins, Mammut and Ceres for RedHat 8.0 and 9, Cinerella, Meterbridge, and more.
JACK 0.72.4 released
Version 0.72.4 of JACK, the Jack Audio Connection Kit, has been released. This version includes updated documentation, bug fixes, MacOSX support, and more.
Database Software
Common Lisp Prevalence
A new project called Common Lisp Prevalence has been started. It is a lisp implementation of Object Prevalence, a scheme for performing database-like operations in system RAM. "The first public version of Common Lisp Prevalence has been released. The system is a proof of concept implementation of Object Prevalence in Common Lisp. It has been developed with OpenMCL and it is known to run also under CMUCL."
PostgreSQL Weekly News
The June 11, 2003 edition of the PostgreSQL Weekly News is out with the latest PostgreSQL database news. "The biggest change is that 7.4 code freeze and beta testing is being pushed back 2 weeks to account for the cvs downtime. Code freeze will now be July 1st, with beta testing starting July 15th. This should allow everyone enough time to get their patches in and get the currently submitted patches all caught up."
Education
Fle3 version 1.4.3 released (ZopeMembers)
Version 1.4.3 of Fle3 is available. "Version 1.4.3 of Fle3, a server software for computer supported collaborative learning (CSCL), is released. This is a bug fix release that also contains some new features (information graphs in a knowledge building, course resources) and improvements in the user interface."
Electronics
gEDA changes
The latest developments from the gEDA project (GPL'd suite of Electronic Design Automation) include new versions of Icarus Verilog, gnucap, and VBS.
Printing
PyKota 1.08 available
Version 1.08 of PyKota, a print quota system, is available. "Two major bugs were fixed, first one wrt LPRng support and second one wrt increasing or decreasing a user's account balance. Some minor bugs were also fixed. Finally an LDAP schema and sample LDIF file are included, which will serve as the basis for the future LDAP storage support."
Web Site Development
Preview release of JOTWeb 1.11
Sean Reifschneider has released the first public version of JOTWeb. "JOTWeb is a system for developing dynamic web sites using a combination of HTML+TAL/TALES/METAL and Python, with mod_python for integrating with Apache. Benefits include good documentation, a fairly simple and intuitive design, and powerful yet easy to use session and form processing."
mnoGoSearch 3.1.21 released
Version 3.1.21 of the mnoGoSearch web site search engine is available. The changes are mostly related to bug-fixes.
Silva 0.9.2 beta released! (ZopeMembers)
A beta release of version 0.9.2 of Silva has been announced. "Silva is a web application (Zope based) for authoring and serving publications for the web, paper, and other media. Content is stored in clean and future-proof formats, independent of layout and presentation, suitable for use in multiple contexts." The release adds a revised user interface, a new metadata architecture, indexing via the Zope catalog, better performance, and more.
Epoz 0.3.0 released (ZopeMembers)
Version 0.3 of Epoz, a wysiwyg editor for Zope and Plone that works with Mozilla, is available. "Epoz is now shipped with a default toolbox for Plone. So you can insert Links and Images simply by navigating your site. With Epoz Plone becomes usable even for unexperienced users...:)"
ZODB 3.2b2 released
Version 3.2b2 of ZODB, the Zope Object Database, has been released. It includes performance improvements, bug fixes, a new ZEO authentication protocol, and the new ZConfig configuration language.
Zope Group Calendar 0.3 released (ZopeMembers)
Version 0.3 of Zope Group Calendar, an open-source group calendar, has been released. "A new screen for changing permissions settings was added, the broken week/day view was fixed, and the calendar now shows all event-like objects that have a start and end attribute."
GuardedFile 1.1 (ZopeMembers)
Version 1.1 of GuardedFile is available for Zope. "GuardedFile provides a convenient way to create Zope File objects that are accessible by proxy only."
Documentation
TLDP Weekly News
The June 17, 2003 edition of The Linux Documentation Project weekly news is out. Topics include a history of The LDP, updated documents, and happenings in the LDP world.
Standards
Faster Wireless Standard Approved (PCWorld.com)
According to PCWorld, the 802.11g wireless standard has been approved. "The new standard, 802.11g, lays out the ground rules for wireless LAN gear that is capable of at least 24 megabits per second and up to 54 mbps, while remaining backward compatible with existing 802.11b gear that runs at a maximum 11 mbps. Both standards use radio spectrum in the range of 2.4 GHz. Another standard, 802.11a, defines 54 mbps gear in the 5-GHz range."
Miscellaneous
FreeGIS CD 1.2.3 released
Version 1.2.3 of the FreeGIS CD has been released and contains a collection of mapping applications. "The CD presents a collection of GIS applications, libraries and data sets in current, stable versions. It contains e.g. GRASS, MapServer, gdal, PROJ, GLOBE and the simple viewer Thuban."
PCGen 5.1.6 is available (SourceForge)
A new version of PCGen has been released. "PCGen is a Java-based RPG character generator and maintenance program that works on all platforms (Windows, Mac OS X, Linux, etc). All datafiles are ASCII so they can be modified by users, and are available through the pcgendm project. An XML conversion is underway." A number of bugs have been fixed for this release.
OptimalGrid -- autonomic computing on the Grid (IBM developerWorks)
IBM's developerWorks has an article on the OptimalGrid project. "In this article, we introduce OptimalGrid, a research prototype from grid researchers at the IBM Almaden Research Center. OptimalGrid is middleware that aims to simplify creating and managing large-scale, connected, parallel grid applications. It optimizes performance and includes autonomic grid functionality. You don't need to be a grid infrastructure expert to use it. You supply the code that represents your basic problem algorithm, and OptimalGrid manages everything else -- problem partitioning, problem piece deployment, runtime management, dynamic level of parallelism, dynamic load balancing, and even system fault tolerance and recovery."
Desktop Applications
Audio Applications
horgand 0.92 released
Another new version of horgand, an organ simulator, has been released. This version adds a reverb preset, real time response for sliders and dials, bug fixes, and more.
Desktop Environments
Gnome-themes-extras 0.1 released (GnomeDesktop)
According to GnomeDesktop.org, the first release of Gnome-themes-extras is available. A new collection of metathemes is now available for the GNOME desktop.
KDE-CVS-Digest
The June 13, 2003 edition of the KDE-CVS-Digest is online. "We see new Kontact plugins for summary, notes and newsticker. Koffice has improved import and export filters, plus template loading from the command line. An improvement in speed for Konqueror file and image viewing. Also, KDE crash handler Dr Konqi hooks to Kdevelop for debugging. Improvements to Kdeprint, KGhostview, and user interface cleanups. And numerous bug fixes."
Preliminary KDE 3.2 Release Schedule
KDE.News mentions the publication of the preliminary KDE 3.2 release schedule. KDE developers should take a look and schedule their project releases for inclusion in KDE 3.2.
QuickRip needs you, you need QuickRip
KDE.News reports on a DVD backup utility called QuickRip. "Version 0.7 has just been released, bringing the basic list of features close to completion, but we'd like to see more feature requests, bug reports (or less!) and code submissions before we hit the 1.0 milestone to make QuickRip the best DVD backup utility for KDE."
Games
Civil 0.82 released (SourceForge)
Version 0.82 of the game Civil has been announced. "Civil 0.82 was released today. This version includes faster LOS code, support for battles from multiple theatres and numerous bug fixes and enhancements. Civil is a turn-based strategy game about battles in the American Civil War. Features network play, fancy graphics and audio."
Graphics
GIMP 1.2.5 released (GnomeDesktop)
GnomeDesktop has an announcement for version 1.2.5 of the GIMP. "This is a minor bugfix release. Notably the build error in gimp-remote has been fixed."
Gmsh version 1.45 released
Version 1.45 of Gmsh, a three-dimensional finite element mesh generator, has been released. The changes include bug fixes, updated documentation, and more.
GUI Packages
wxWindows 2.4.1 has been released
Version 2.4.1 of the wxWindows cross-platform GUI framework is available. "This contains bug fixes to 2.4.0, including improved behaviour on Windows XP."
Interoperability
Wine Traffic #174
Issue #174 of Wine Traffic is out. Topics include: SuSE Linux Office Desktop, Game Compatibility List, Direct3D To Do List, and Quartz Revisited - New Ideas.
Office Applications
AbiWord Weekly News
Issue #148 of the AbiWord Weekly News is online. "This week, you can learn how to add OTS to your applications, help us develop Windows, see what icons from Jimmac can do to the Abi-Interface and witness the miracle of OpenSource. Also, Marc is still many euros in debt, and we are still without our server."
GNUe Traffic #84
Issue #84 of GNUe Traffic has the latest GNU Enterprise development news. Topics include: Designer's dependencies for Python and wxPython, Bayonne developments, New release and Debian packaging strategy, SAP-DB and MySQL join forces?, and Arias, fork of NOLA.
Web Browsers
Mozilla 1.4 Release Candidate 2 Out (MozillaZine)
Mozilla 1.4 RC 2 has been announced. See the release notes for a list of changes.
Mozilla.org staff meeting minutes
The minutes from two weeks worth of Mozilla.org staff meetings are online. See the minutes from June 2, 2003 and June 9, 2003.
Mozilla.org Status Update
The June 13, 2003 Mozilla.org Status Update has been published. "This status update contains news on Mozilla 1.4, Mozilla Thunderbird, Mozilla Calendar, ChatZilla, Linux 1.4 branch builds compiled with GCC 3.2.3, tabbed browsing URL-remembering fixes and more."
Mozilla Independent Status Reports
The June 15, 2003 Mozilla Independent Status Reports are out. Updates include Extension Room, CardGames, Der Tandem Browser, mozdev, Mozile, and Linky.
Miscellaneous
gtranslator 0.99 out! (GnomeDesktop)
According to GnomeDesktop, version 0.99 of gtranslator, a gettext po file editor, has been released. "The new gtranslator 0.99 is out which is the 1st release on the GNOME 2.x platform and features a quite usable and stable subset of the gtranslator functionality - all users and interested people in gtranslator development should try the new release!"
Hylafax 4.1.6 released
Version 4.1.6 of HylaFAX, a fax modem utility, has been released. "A large number of mission-critical bugs are fixed in 4.1.6. Upgrading is recommended for all users." The release also has new features and support for additional modems. New users of HylaFAX should take a look at the How-To Guide. Thanks to Jay R. Ashworth.
Languages and Tools
Caml
Learning OCaml, for C, C++, Perl and Java programmers
Richard Jones has put together a tutorial for learning OCaml. "This is a practical, detailed tutorial for people who already know an imperative or OO-language and wish to learn OCaml."
Caml Weekly News
The June 10-17, 2003 edition of the Caml Weekly News is out with the latest Caml language news.
Java
Cooking with JavaScript and DHTML, Part 6 (O'ReillyNet)
O'Reilly has published another excerpt from the JavaScript & DHTML Cookbook. "In our sixth and final sample recipe from Danny Goodman's JavaScript & DHTML Cookbook, learn how to locate the pixel coordinates of a nonpositioned element that the browser has placed during normal page flow."
JSP Progress Bars
Andrei Cioroianu shows how to code a progress bar with JSP. "Many web and enterprise applications must perform CPU-intensive operations, such as complex database queries or heavy XML processing. These tasks are handled by database systems or middleware components, but the results are presented to the user with the help of JSP. This article shows how to implement the front tier in order to improve the user experience and reduce the server load."
JavaOne 2003: Java roadmap (IBM developerWorks)
Brian Goetz covers the future of Java on IBM's developerWorks. "As with past JavaOne conferences, the opening keynote looked at the current state of Java technology and presented a roadmap for where it is going in the next year. This year, Sun VP Graham Hamilton and CTO Timothy Lindholm offered some notable changes in direction and focus for Java technology over the next twelve to eighteen months."
Perl
This Week on perl5-porters (use Perl)
The June 9-15, 2003 edition of This Week on perl5-porters is out. "This was a quiet week -- summer approaches -- but a few interesting points were raised. New warnings, portability points, and miscellaneous bugs are covered in this summary."
This week on Perl 6 (O'Reilly)
The June 8, 2003 edition of This week on Perl 6 is out with the latest Perl 6 development news.
Perl Design Patterns (O'Reilly)
Phil Crow talks about working with Design Patterns in Perl. "In 1995, Design Patterns was published, and during the intervening years, it has had a great influence on how many developers write software. In this series of articles, I present my take on how the Design Patterns book (the so-called Gang of Four book, which I will call GoF) and its philosophy applies to Perl."
PHP
PHPSurveyor release 0.97 Final (SourceForge)
Version 0.97 Final of PHPSurveyor is available. "PHPSurveyor, a set of PHP Scripts for developing, and publishing online surveys, makes its final 0.97 release. 0.97 concentrated on implementing templates so that users could develop their own 'look and feel' to their surveys. This release includes 3 templates. Releases with the 0.98 moniker will be aimed at implementing localisation for the public survey screens, and some additional features like date/time-stamping of survey responses and a better way of ordering pre-defined answers."
PHP Weekly Summary
The June 16, 2003 PHP Weekly Summary has been published. Topics include: PECL migration, MySQL and OpenSSL, mysql_info() function, mysqli (PHP 5), PHP and System32 on Win32.
Python
Python-dev Summary
The Python-Dev summary for the second half of May is out; it looks at the Python 2.2.3 release, dealing with new-style classes in C, attribute lookup, and several other topics.
Dr. Dobb's Python-URL!
The June 16, 2003 edition of Dr. Dobb's Python-URL! has been published with a week's worth of Python projects and news.
Daily Python-URL
Take a look at the Daily Python-URL for a long list of Python language articles.
Using combinatorial functions in the itertools module
David Mertz discusses combinational iterators in Python on IBM's developerWorks. "Python 2.2 introduced simple generators to the Python language and reconceived standard loops in terms of underlying iterators. With Python 2.3, generators become standard (no need for _future_), and the new module itertools is introduced to work flexibly with iterators. The itertools module is essentially a set of combinatorial higher-order functions, but ones that work with lazy iterators rather than with finite lists. In this installment, David explores the new module, and gives you a sense of the new expressive power available with combinatorial iterators."
Ruby
Ruby Weekly News
The June 16, 2003 edition of the Ruby Weekly News is out. Threads include Description of changes between Ruby versions, High speed String concatenation, and RaaInstall in the standard Ruby distribution.
Tcl/Tk
Dr. Dobb's Tcl-URL!
The June 16, 2003 Dr. Dobb's Tcl-URL! has been published; take a look for the latest Tcl/Tk development news.
XML
XML Data Bindings in Python
Uche Ogbuji writes about XML data binding in Python on O'Reilly. "The XML community of late there has been a lot of talk that there are no really easy and efficient ways of general XML programming. Push processing has the usual rap of being too difficult. It is easy to dismiss this as a problem for amateur programmers who have not properly learned how to code state machines; but let's face it, state machines are hard to code by hand, and the community has been slow to develop more declarative and friendly tools for developing SAX processing stubs, such as LEX and YACC tools for generating parser state machines."
Shortening XSLT Stylesheets
Manfred Knobloch discusses XML stylesheet efficiency on O'Reilly. "XSLT is often considered to be too verbose. As stylesheet code grows, it tends to be unreadable. This is not a fate stylesheet authors have to accept. There are some strategies to keep your XSLT code short. This article proposes some ways of shortening stylesheets without loss of functionality, and throws a glance at XSLT 2.0 user defined functions."
Two modes of implementing an XML-based localization pack: embed and extend (IBM developerWorks)
Bei Shu writes about XML localization techniques on IBM's developerWorks. "In this article, IBM software engineer Bei Shu shows you how to enable multiple language support in your Web applications using different XML technologies from the architect perspective. She presents two approaches to implementing XML-based localization pack managers using XPath and XSLT -- embed and extend."
IDEs
KDevelop Progress: Overview of New Features
KDE.News covers the latest changes from the CVS version of KDevelop. "The CVS version of KDevelop (a.k.a. "Gideon") continues to improve, both stability-wise and in the feature department."
Treebeard version 0.8 released (SourceForge)
SourceForge has an announcement for version 0.8 of Treebeard. "Treebeard is a cross platform XSLT IDE written in Java; its editor allows the loading and editing of an XML document and an XSLT document at the same time. It can apply the XSLT to the XML and display the output for further editing / saving in XML, HTML or PDF. Treebeard also has a plug-able XML and XSLT parser architecture, and comes bundled with Xalan2.5 and Saxon7.5." A number of new features are included with this release.
Profilers
OProfile 0.5.4 released
Version 0.5.4 of OProfile, a code profiler, has been released. "This is a bugfix release; if you're using kernel 2.5.71 or above, upgrading is strongly recommended. A number of other fixes have also been made."
Miscellaneous
The Challenges of Remote Collaboration (O'Reilly)
Mark Murphy writes about some of the issues behind geographically isolated software development. "Remote software development is becoming increasingly important to major technology firms and the IT groups of other large firms. Collaborating in business settings resembles volunteer public collaboration, but it's not identical. It is up to you and your boss to help promote a development model and system that will be effective for everyone."
Page editor: Forrest Cook
Linux in the news
Recommended Reading
SCO's IBM suit triples--seeks $3 billion (ZDNet)
ZDNet discusses SCO's latest moves, which include raising the requested damages to $3 billion. "The suit also adds illegal export issues stemming from the worldwide availability of open-source software. SCO claims IBM has breached its contract by making multiprocessor operating system technology available 'for free distribution to anyone in the world,' including residents of Cuba, Iran, Syria, North Korea and Libya, countries to which the United States controls exports. The open-source technology IBM released 'can be used for encryption, scientific research and weapons research,' the suit said." The new complaint also affirms that read-copy-update is one of SCO's issues; as this LWN article from last week (still subscribers only) showed, that will be a hard one for them to prove.
Rule out Linux on the desktop until 2005, says Giga (vnunet)
Vnunet covers a Giga Information Group pronouncement saying IT decision-makers should rule out Linux on the desktop until at least 2005. "'It's a high risk strategy to make any decisions based on being upset with Microsoft or wanting to give Linux a chance. This is no time for platform religion,' [analyst Rob Enderle] said."
We must protect digital intellectual property to foster innovation (ZDNet)
Here's a fun column in ZDNet on the importance of intellectual property protection. "I think the open source movement does even more damage to the perceived value of bits. By advocating that all software should be basically free and that developers should work in a communal environment for everyone's benefit, the open source movement greatly denigrates the public's perception of the value of digital intellectual property."
Trade Shows and Conferences
Meet free software developers at LinuxTag (NewsForge)
This NewsForge article looks at the projects coming to LinuxTag taking place July 10 - 13, 2003 in Karlsruhe, Germany. "LinuxTag, which is itself organised along the lines of a Free Software project, combines a free conference program lasting three entire days, a business congress aiming at professional users and enterprises, a government congress aiming at members of governmental agencies, a workshop program maintained by the attending projects and an exhibition consisting of commercial and non-commercial booths."
Roll up for LinuxUser & Developer Expo (Register)
The Register heads for the LinuxUser & Developer Expo, coming to Birmingham, UK later this month. "Heavyweights in the open source community such as Alan Cox, Jon 'Maddog' Hall and Tim O'Reilly are down to present keynotes at the show, which is part of the Networks for Business 2003 conference taking place at the Birmingham NEC on June 24-26."
Companies
HP sets up separate Linux unit (News.com)
News.com reports that HP has set up a new Linux division. "In his new role as vice president of Linux, Martin Fink will report to both ESS boss Scott Stallard and HP's chief technology officer, Shane Robison. Fink had been a vice president in the company's Business Critical Systems unit before the last reorganization. Within the Linux organization, HP plans to add a director of marketing, director of strategy and a director of engineering, although those positions have not been formally named."
Microsoft to kill popular Linux antivirus product (ComputerWorld)
ComputerWorld looks into Microsoft's latest acquisition; the RAV technology from Romania's GeCAD Software Srl. "GeCAD's RAV AntiVirus for Mail Servers supports a host of e-mail server products, including the free Sendmail, Qmail and Postfix, and is available for a variety of operating systems, including many flavors of Linux and BSD. Pricing per e-mail domain instead of per mailbox is another major draw, experts and users said." Microsoft plans to discontinue the RAV product line. (Thanks to Jay R. Ashworth)
Expect to see more Linux anti-virus products soon (NewsForge)
NewsForge predicts that more anti-virus products for Linux will emerge to replace RAV, and covers the discounts and deals currently available for RAV customers. "Steven Sundermeier, Central Command product manager, says his company is not only not in danger of being bought by Microsoft, but that "Linux is an increasing part of our business. One of the niches of our business plan is the Linux market." To help grow that niche, Central Command is offering RAV users who 'upgrade' to their Vexira product between now and September 30 a 25% discount."
Red Hat Reports Q1 Revenue Of $27.2 Million (ComputerWorld)
ComputerWorld reports on Red Hat's revenue for the first quarter of 2003. "In a statement issued after the close of the U.S. financial markets, the Raleigh, N.C.-based company said it had a net income of $1.5 million for the quarter that ended May 31, compared with a net loss of $273,000 in the previous quarter and a $4.6 million net loss one year ago. Red Hat reports its figures using generally accepted accounting principles." (Thanks to Jay R. Ashworth)
Will SCO's Suit Chill the Penguin? (E-Commerce Times)
E-Commerce Times is running a "special report" on the SCO case. The article is most interesting in that it shows that the wider press is beginning to figure out that there are GPL issues involved in SCO's having distributed the disputed code. "'The GPL issue is something we've just recently been looking at,' SCO spokesperson Blake Stowell told the E-Commerce Times. 'It's been said that maybe we've contributed Unix source code to Linux, because SCO was formerly a distributor of Linux.' However, Stowell said, when the company discovered that its source code had been incorporated into Red Hat Linux, it stopped distributing its own version of Linux and ended any further Linux development. This move, he noted, showed that SCO was acting according to another GPL clause that could shore up its case." It's about time they started thinking about the GPL...
On a similar front, NZheretic's comment to another LWN article is worth a look for those who haven't seen it; there's a great deal of detail regarding SCO's involvement in the Trillian project, which worked to bring Linux to the ia64 processor.
Did SCO open Unix source code? (ZDNet)
ZDNet looks at the implications of SCO having shipped its (claimed) code under the GPL. "The issue isn't as clear-cut as either SCO or its opponents would have it, said John Ferrell, an intellectual-property attorney with Carr and Ferrell. 'If anybody tells you they have the definitive answer, they're crazy,' he said. But he'd give the edge to SCO in the situation, not because of its interpretation of the GPL, but because of a legal principle stemming from the 1887 sale of a pregnant cow in Michigan. That case established the so-called doctrine of mutual mistake, under which a contract can be nullified if two parties--in this case SCO and a company using Linux--misapprehended the true nature of what was in the contract."
SCO cancels IBM Unix license (News.com)
News.com reports that SCO has dropped its bomb. "SCO said that the termination of the AIX license means that all IBM Unix customers also have no license to use the software. 'This termination not only applies to new business by IBM, but also existing copies of AIX that are installed at all customer sites. All of it has to be destroyed,' [SCOsource manager Chris] Sontag said." That should make SCO some more friends, and convince the world of the benefits of proprietary software as well.
What SCO Wants, SCO Gets (Forbes)
Forbes is running an article on the litigious history of SCO, its backers, and its management. "In other words, like many religious folk, the Linux-loving crunchies in the open-source movement are a) convinced of their own righteousness, and b) sure the whole world, including judges, will agree. They should wake up. SCO may not be very good at making a profit by selling software. (Last year the company lost $24.9 million on sales of $64.2 million.) But it is very good at getting what it wants from other companies. And it has a tight circle of friends." (Thanks to "alonzo").
Linux Adoption
The Brazilian Public Sector to Choose Free Software
The Brazilian government is planning to migrate 80% of all state-owned computers from Windows to Linux. HispaLinux covers the announcement (in Spanish). PCLinuxOnline has a translated summary by Gonzalo Porcel. Or read the full Google translation. (Thanks to Leon Brooks)
Linux in Europe (IT-Director)
IT-Director looks into Linux adoption in Europe. "Following the recent decision by the City of Munich to opt for Linux on the desktop, it is worth taking stock of the progress of Linux in government circles across Europe. This is, in my view, a determining point in the Linux story, because if European governments move to Linux in a big way, it will boost the momentum for Linux everywhere. We have thus assembled a set of press clippings which chart Linux acceptance in government."
Legal
South Australia urged to drop bill on Open Source software (TheAge)
TheAge reports that South Australia is getting pressure from the Microsoft-backed Initiative for Software Choice (ISC) over a proposed Open Source software bill. "ISC executive director Bob Kramer said in the letter: 'The ISC believes that if this 'preference' legislation were to be enacted it would severely limit software choices for South Australia's government, harming not only its citizens, but also South Australia's vibrant information and communications technology (ICT) industry.'" You can find a draft of arguments for the bill here, along with a link to the actual bill. (Thanks to James Berry)
Interviews
Interview with Marc-Andre Lemburg (EuroPython)
EuroPython continues a series of interviews with the people who will be speaking at the EuroPython and Zope Conference. This week, meet Marc-Andre Lemburg, author of mx Extensions for Python. "EuroPython: On which parts of Python are you working as Python developer? Which parts interest you most? MAL: Since I wrote much of Python's Unicode implementation building on an initial prototype written by Fredrik Lundh a few years ago, I still maintain most of it. These days I tend not to have much time to actually do coding work, but I try to overlook the general design and make sure that it stays in line with what the original idea behind the Unicode integration."
Interview with Mike McCormack (Wine HQ)
WineHQ interviews Mike McCormack. "How many Australian Wine developers live in South Korea and work for an American company? If you said just Mike McCormack then you'd be correct. Mike studied Electrical Engineering and Computer Science at the University of Sydney but now lives in Seoul half the time. The other half he lives in Minneapolis. Full time he's a Wine developer working for CodeWeavers. The arrangement works well for him - he gets to see his girlfriend regularly and has time to concentrate on work too."
The O'Reilly Factor: How Python Grips the Enterprise - Part II
OpenEnterpriseTrends.com has an interview with Alex Martelli. "In Part II of OET's exclusive interview with Alex Martelli, author of O'Reilly's popular Python in a Nutshell and Python Cookbook, we turn to how commercial developers of any stripe (Java, ASP.NET, Win32, C++) can best get started with using the Python scripting language to help their applications share data and business logic. In this discussion, Martelli also includes some great practical tips for your own starter project."
Eight Questions for George Dyson (O'Reilly)
O'Reilly interviews computer historian George Dyson. "One of the first significant expenditures of machine cycles at IAS (second only to thermonuclear bomb calculations and meteorology) was a series of experiments conducted by the viral geneticist Nils Aall Barricelli to see if code could be prompted to evolve, within the "artificial universe" of the von Neumann computer, on its own. All the questions raised by Barricelli are equally applicable and equally instructive with regard to the evolution of software "in the wild" today."
Working smarter, not harder: An interview with Kent Beck (IBM developerWorks)
IBM's developerWorks features an interview with Kent Beck. "Extreme Programming (XP) founder Kent Beck likes to say he made up XP's fundamentals during a particularly troubled project in 1996. While strictly true, from talking to him you sense he'd really been formulating the process for quite some time. Find out what Kent thinks about the contribution of the Java platform to software development's success (or lack thereof) in this exclusive developerWorks interview."
Web services visionary (IBM developerWorks)
IBM's developerWorks has an interview with web services developer Sam Ruby. "Sam Ruby, a member of the IBM Emerging Technologies Group, has become a key part of several Web services-related open source projects over the last three years, including Tomcat and the IBM SOAP stack. He's still contributing both his code and his insight to the community. He spoke with Bob McMillan on a number of topics, including the appeal of open source, the future of Web services, and the power of Web logs."
Resources
Emulate legacy operating systems on Linux (IBM developerWorks)
Here's an article from IBM developerWorks on emulating legacy operating systems on Linux. "One of the best things to do with a Linux box is to run programs for other operating systems on it. It can simplify your life considerably. Companies spend millions on "server consolidation" in hopes of reducing maintenance, administration, and even heat burdens. They're usually just moving between different flavors of UNIX, though. What they often don't realize, however, is that the range and quality of Linux-hosted OS emulations -- some of them rather old, like CP/M, RSX, OpenVMS, and DOS -- are quite high. Moreover, companies don't always understand just how much this software can enhance the convenience of server-room operations."
Keeping the alligators out of your sewer (NewsForge)
NewsForge looks at tools to keep crackers out of your network. "While many vulnerability assessment products can test Linux clients and servers, most run only on Microsoft or, in the case of MacAnalysis, Apple platforms. We've highlighted two that can run on Linux, and one standalone hardware device."
Real-time alerting with Snort, part 1 of 3 (NewsForge)
This NewsForge article contains excerpts from the book Intrusion Detection with Snort by Jack Koziol. "Real-time alerting with Snort is highly customizable. You can pick and choose which alerts to be notified of in real time by assigning a priority to each rule or classification of rule. Each rule can have an individual priority attached to it, and every rule can be included in a classification of rules that has a priority attached to it."
Reviews
Savanna: A User's Perspective on JuK
KDE.News has a review of JuK, an mp3 Jukebox application for KDE. "Okay, I admit it: I'm a blonde who isn't a techie. I'm learning because it is kind of fun, but I'll only go so far. I know most people who will read this will probably chuckle because this is for a techie site, but it is worth noting that I am a user who has switched her desktop from Microsoft to Linux with KDE. That is a pretty big jump."
Mozilla on speed: Firebird 0.6 (MadPenguin)
MadPenguin.org reviews version 0.6 of the Firebird browser. "This browser is the beginning of something wonderful. I say it's the beginning because it is very obvious that it is a work-in-progress and is pre-1.0, but let me tell you it is pretty impressive for such an early build."
Mozilla Firebird Plugin Review (Neowin.net)
Neowin.net reviews a number of Mozilla Firebird plugins. AdBlock, Autoscroll, LiveHTTPHeaders, Popup ALT Attribute, Mycroft, User Agent Switcher, and Web Developer are covered.
Review: Pogo Linux StorageWare S212 Server (NewsForge)
NewsForge reviews the new Pogo Linux StorageWare S212 Server. "The server comes with Red Hat Linux 9's three-CD set, plus a Pogo Linux Recovery CD, which contains all the post-install scripts required to bring the box back into factory condition. It includes kits for the 2.4.20-9 kernel, official update RPMs to Red Hat 9 (very handy), and other Pogo Linux personality items like wallpaper and splash screens."
Review of Quanta Plus (ContentPeople)
ContentPeople features a review of Quanta Plus. "In recent times, we have seen the advent of Linux as a prominent web development platform, no doubt as a result of the popular LAMP framework: Linux Apache MySQL PHP. Thanks to its open source nature, it has given everyone access to an enterprise class environment for web applications. The LAMP community has created a variety of supporting text editors, tools and utilities to help you craft your web applications. One of the most popular is the Quanta Plus web development environment."
Slash'EM: The Sum of All NetHacks (O'ReillyNet)
O'ReillyNet takes a look at the game Slash'EM, a variant of NetHack. "Slash'EM is written in C, with its Qt windowing interface in C++. Of course, because of its NetHack lineage, the current release contains lots of code which the present team did not develop originally. Normally, incorporating code from outside a project can be a problem due to incompatibilities among various open source licenses, but things work differently within the NetHack family. J. Ali Harlow, 36, a programmer for the Applied Vision Research Centre of City University in London, England and one of the current maintainers of Slash'EM, says, "There's no such problem with code that has been written to be used with NetHack. We seek to use the best of these whenever possible.""
YALAX: Yet Another Look At Ximian (Tux Reports)
Tux Reports reviews the Ximian Desktop 2. "There are as many different philosophies for the perfect desktop as there are Linux developers and users. Each of us has developed our preferences and opinions. Some of us may perceive Ximian Desktop 2 as nothing more than GNOME with some eye-candy, or an attempt to clone Windows. Others may argue that following the KISS principle, by simplifying the applications, system menus and documentation, avoids overwhelming new users. In other words, one person's opinion is another person's opportunity to complain."
Miscellaneous
One-day Linux project brings Internet to disadvantaged Miami kids (NewsForge)
South Florida area LUG members help inner city kids in this NewsForge article. "11 a.m. - Chris Williams, a Ft. Myers programmer and sysadmin, huddles with Gonzalo. They decide to replace the existing Red Hat installation on the server with Mandrake 9.1 because of its ease of administration, plus the fact that Gonzalo is used to Mandrake, and he's the one who will be responsible for ongoing maintenance of the Center's computers."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
LJ Readers' Choice Awards
Submissions are open until June 23 for the 2003 Linux Journal Readers' Choice Awards; nominate your favorite applications soon.
WeWantLinux.org survey
Responses are being requested for the WeWantLinux.org survey. "The WeWantLinux.org survey shows a high level of interest in computers pre-loaded with GNU/Linux, even among non-Linux users. The WeWantLinux.org survey site continues to gather data on consumer interest in computers pre-loaded with the GNU/Linux operating system. With nearly 1700 survey entries validated, the results show a high level of interest in Linux PCs across the board. The survey site will remain active for the foreseeable future, but the interim results are worth noting."
Extremadura, Spain deploys 80,000 GNOME desktops
The Extremadura regional government has announced (at GUADEC in Dublin) the completion of the deployment of 80,000 computers running the LinEx distribution and GNOME in schools. There's now one system available for every two students. "The Junta of Extremadura has also created 33 computing centers for the general population. The centers feature one-on-one computer assistance, so users who are unfamiliar with computers can learn computer and e-mail basics. The centers have drawn citizens of all ages and walks of life. The oldest user of the centers is 99 years old."
The Center of Open Source & Government Endorses South African Open Source Strategy
The Center of Open Source & Government endorses the South African Proposed Strategy for Using Open Source Software in the South African Government by providing rationally defensible policy guidelines. The South African Strategy (PDF format) is a reasonable road map for a viable Open Source Government Policy.
Research Predicts Massive Growth in European Linux Server Market
An IDC Research report sponsored by LinuxWorld shows that in 2003 Linux is expected to ship over 162,000 servers in Western Europe, a market worth $621 million. By 2007 this sum is anticipated to have more than doubled in value to $1.9 billion and tripled in volume (203% growth), shipping on almost half a million servers.
Opinion on Brazil making Open Source mandatory in government
Tony Stanco has sent us his opinion of Brazil's new open source policy. "While I think that Open Source in government is a good thing and have been working towards that goal for many years, making it mandatory is an industrial policy that may not succeed, which will hurt Open Source in the long run."
Linux Creator Linus Torvalds joins OSDL
Here's a press release from the Open Source Development Lab (OSDL) on the appointment of Linus Torvalds as the first OSDL Fellow. George Weiss, vice president and research director for Gartner, is quoted; "Linus Torvalds adds tremendous credibility to OSDL's efforts to drive the evolution of Linux forward into enterprise computing and carrier environments. The computing market is still questioning how far and how fast Linux can go as an enterprise-ready platform. With Linus at OSDL, many will be looking for leadership from the lab for answers to those questions."
Changing of the Guard at YAS (use Perl)
According to Use Perl, the Perl Foundation has a new president. "In a recent meeting of the board of directors of Yet Another Society (a.k.a. The Perl Foundation), long-standing President Kevin Lenzo decided to step down from his role to pursue other commitments. In his place the board elected a new President, Allison Randal."
Commercial announcements
IBM Comment on SCO Press Release
IBM responds to SCO in a short press release. "Since filing a lawsuit against IBM, The SCO Group has made public statements and accusations about IBM's Unix license and about Linux in an apparent attempt to create fear, uncertainty, and doubt among IBM's customers and the open source community."
Linux Security Cookbook released by O'Reilly
O'Reilly has published the book "Linux Security Cookbook".
Upgrade for RAV Antivirus
Central Command is offering a discount to existing RAV Antivirus customers. "With the recent announcement from Microsoft Corporation of the pending acquisition of RAV Antivirus technology the future support of the existing RAV Antivirus product line has caused concern from existing RAV Antivirus customers."
TimeSys-Powered Mars Exploration Rover Demonstrated at JavaOne(SM) Conference
TimeSys Corporation has announced that its TimeSys Linux RTOS (real-time operating system) and JTime real-time Java(TM) virtual machine are driving the Mars Exploration Rover concept vehicle being demonstrated by NASA's Jet Propulsion Laboratory (JPL) and Sun Microsystems' James Gosling at the JavaOne Conference this week in San Francisco.
Transmeta Bolsters Commitment to China with Midori Linux Agreement
Transmeta Corporation has announced it has entered into an agreement to allow Chinese 2000 Holdings Ltd. to develop and market Transmeta's Midori(TM) Linux for mobile and embedded devices in China and other countries in the Asia-Pacific region. The collaboration between the two companies on Midori Linux development and marketing focuses on China, Hong Kong, Macau and Taiwan.
Resources
OSDL and SD Times: Linux Survey Results
OSDL and SD Times have released the results of a joint survey on the use of Linux in corporations. "The survey of 8,000* SD Times readers, mostly senior managers at corporations with more than 1,000 employees, showed broad and deep use of Linux in IT shops even though only a third of the companies had adopted the open source operating system as a corporate standard computing platform."
UML 2.0 Standard released
A new UML 2.0 standard was released at the OMG Technical Meeting in Paris.
Upcoming Events
GU4DEC Live
Do you want to see what's going on at GUADEC? Well now you can. Just check out the LIVE GU4DEC site.
LinuxWorld Expands Conference Content
An expanded conference program for LinuxWorld Conference & Expo has been announced. "LinuxWorld's CIO Agenda is a new program featuring sessions specifically designed for CIOs who need to be well-versed in the implications of Linux adoption. With topics in business, security, system administration, application development, and emerging technologies, the CIO Agenda will provide CIOs with insights on how Linux and open source can benefit their organizations."
Linux.Conf.Au 2004 call for papers
The 2004 iteration of Linux.Conf.Au is happening January 14 to 17 in Adelaide. The call for papers has just gone out, with abstracts due by August 18. Speakers who have already been confirmed include Keith Packard, Jon 'maddog' Hall, Bdale Garbee, Rusty Russell, and Andrew Tridgell.
EducationaLinux 2004, Adelaide
EducationaLinux 2004 will be held on January, 2004 in Adelaide, Australia. "This conference presents an opportunity for anyone who is a part of the education system to get together, share ideas and network with other like-minded individuals using or promoting open source in education."
Events: June 19 - August 14, 2003
Date | Event | Location |
---|---|---|
June 19 - 23, 2003 | Open Source Clinical Application Resource Workshop (OSCAR) | (McMaster University) Ontario, Canada |
June 19 - 20, 2003 | Infosec 2003 | (UniNet) Online |
June 21 - 22, 2003 | EuropeanRubyConference | (University of Karlsruhe) Karlsruhe, Germany |
June 23 - 26, 2003 | ClusterWorld Conference & Expo | (San Jose Convention Center) San Jose, California |
June 23 - 26, 2003 | Fourth Workshop On UML for Enterprise Applications | (Hyatt Regency San Francisco Airport Hotel) Burlingame, CA |
June 24 - 26, 2003 | LinuxUser & Developer Expo | (Birmingham National Exhibition Centre) Birmingham, UK |
June 25 - 27, 2003 | European Python and Zope Conference 2003 | (CEME) Charleroi, Belgium |
July 7 - 11, 2003 | O'Reilly Open Source Convention 2003 (OSCON) | (Portland Marriott) Portland, Oregon |
July 9 - 12, 2003 | Libre Software Meeting | Metz, France |
July 10 - 13, 2003 | LinuxTag | Karlsruhe, Germany |
July 12 - 17, 2003 | Debcamp | Oslo, Norway |
July 18 - 20, 2003 | Debconf 3 | (The University of Oslo) Oslo, Norway |
July 23 - 26, 2003 | Ottawa Linux Symposium | Ottawa, Canada |
July 23 - 25, 2003 | YAPC::Europe 2003 | (CNAM Conservatory) Paris, France |
July 25 - 27, 2003 | Fifth Annual Linux Festival in Kaluga Region | (bank of the river Protva) Kaluga region, Russia |
July 29 - August 2, 2003 | The 10th Annual Tcl/Tk Conference | Ann Arbor, Michigan |
July 31 - August 3, 2003 | UKUUG Linux Developers' Conference (LINUX 2003) | (George Watson's College) Edinburgh, Scotland |
August 4 - 7, 2003 | LinuxWorld Conference and Expo 2003 | (Moscone Convention Center) San Francisco, CA |
August 7 - 10, 2003 | Chaos Communication Camp 2003 | Paulshof, Altlandsberg, Germany |
Web sites
Debug Linux C programs at AskIgor.org
A new debugging server called AskIgor is online. "We're doing a public debugging server - a Web site that accepts buggy Linux C programs and automatically tells you why the program failed. This has been brewing for two years, and is starting to get ready. We'd like any feedback on things people like/dislike about it."
Software announcements
This week's software announcements
Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:
- Sorted alphabetically,
- Sorted by license.
Page editor: Forrest Cook
Letters to the editor
Nathan Hanks again demonstrates his ignorance of security
From: Leon Brooks <leon@cyberknights.com.au>
To: Continental Airlines <investorrelationsdept@coair.com>, Nathan Hanks <nhanks@coair.com>
Subject: Nathan Hanks again demonstrates his ignorance of security
Date: Mon, 16 Jun 2003 08:31:56 +0800
Cc: Linux Weekly News Letters <letters@lwn.net>
Quoting http://www.techweb.com/wire/story/TWB20030603S0012
> But [Hanks] and others said Microsoft is not unique in its
> vulnerabilities. "We have a Linux server that has three times
> the critical updates as our Windows server," he said.
Hanks, your MS-Windows server arrived with maybe half a dozen services
available and probably had all of them running until you shut them off.
If you add a big service, say MS-SQL-Server, you might have the
equivalent of 20 or 30 Linux packages installed on your machine.
I use Mandrake Linux 9.1, which arrives with over 800 packages, zero of
which will be accessible from the Internet after a "kitchen-sink"
install and without the installer switching anything off.
The "critical updates" you speak of cover all 800+ packages on Linux but
only the equivalent of about 20 or 30 on MS-Windows, so in a parity
situation you would expect to see roughly thirty to forty times as many
updates listed. Blow for blow, the Linux server you speak of is ten
times less buggy than your MS-Windows server already.
But the situation is not even blow-for-blow. Microsoft's idea of a
"critical update" is for something like CodeRed, Nimda or Slammer.
At http://www.mandrakesecure.net/en/advisories/updates.php?dis=9.1 (and
look for red padlocks) we see that Mandrake 9.1 has had 45 total patch
releases to date. 5 of them are duplicates because the packages went
out without an encrypted signature, another is a dupe because the
original fix included things that didn't need fixing, leaving 39. 27 of
those are listed as "critical".
Many of those are for such things as (MDKSA-2003:036) fixing maths
errors in image handling. Of the remainder, the vast majority of
vulnerabilities are _potential_ vulnerabilities; that is, they have no
known working exploit, and in many cases have no theoretical exploit
either.
Leaving that aside, many of the remaining vulnerabilities do not involve
any "privilege escalation" - or as CERT Advisory CA-96.13 puts it, the
case where "Non-privileged primitive users can cause the total
destruction of your entire invasion fleet and gain unauthorized
access to files." Most of Microsoft's do.
We're not finished yet. Consider MDKSA-2003:048, which fixes a
vulnerability in EOG. Eye Of Gnome is an image viewer. Would you ever,
let alone regularly, use it on a server? I have seven image viewers
installed (I like to experiment), not counting potential viewers like
graphics editors, scanner/camera managers, the previewers in file
managers, office suites and so on. Odds are therefore 1/7 that I would
use the impacted application even if I did run it on a server. As it
happens, I don't, I prefer Kuickshow in a GUI, or from the command line
the ImageMagick "display" command.
Counting through all of the listed vulnerabilities and picking out the
ones that would impact a default installation to do secure web-enabled
database activities plus email transport, remote administration and a
GUI interface - the equivalent of MS-Windows, IIS, MS SQL Server and
MS-Exchange rolled into one, there are eight. One of them (a kernel
update) requires a reboot after installation.
So... eight actual critical updates, one of them in the OS and one of
them in the webserver. Since the release of Mandrake 9.1 in March,
MS-Windows 2000 and IIS alone have logged patches for three "invasion
fleet" severity patch bundles beyond Service Pack 4, which in itself
rolled in a large number (difficult to assess) of patches.
Over the last year (well, 14 months), Mandrake Linux (from 8.2) has
recorded 2 OS (kernel 2.4) patches (one of which had a simple and
instant no-reboot workaround) and 3 Apache (webserver) patches and zero
PHP (ASP-equivalent) patches. Total "critical updates" potentially
impacting our hypothetical server, about 25.
MS-SQL-Server 2000 Service Pack 3a was also released, but the
description makes it difficult to decide exactly how many patches that
involves - and if you're using the "Desktop Engine (MSDE 2000)" version
there's more bad news confronting you in the form of a pageful of
directions on finding out what to patch and how before you even start.
Each vulnerability that I can find specifies arbitrary code execution
or worse. Compare this with a total of two (related) vulnerabilities in
the last year for PostgreSQL.
The MS-Exchange 2000 "March 2003 Post-SP3 rollup" contains over 70 new
or patched files and requires you to uninstall (yes!) the previous set
of patches before applying it. All the while your email server is down.
Any of the very rare updates for PostFix (a good example of a Linux
MTA; no patches at all in well over a year) typically involves under
half a second of email outage and no reboots.
I don't even understand how to account for the number and complexity of
the Microsoft patches involved here, so I agree that this is a problem,
but to pluck a figure out of the air? Call it 120 individual patches a
year, one every three days on average.
Each of these Microsoft "patches" may roll together work on multiple
vulnerabilities in multiple systems, whereas the Linux patches
typically fix a single vulnerability and by definition do it in a
single system.
How about response time? The KDE developers once took a vulnerability
from bug report to tested deliverable in 95 minutes.
Accountability? You were reportedly "impressed with Microsoft's response
to the [Slammer] problems" but what about their response to the
"Shatter Attacks?" Microsoft may find a way to fix that ongoing
vulnerability in Longhorn, five years down the track, but probably not.
It is a design insecurity right at the core of MS-Windows and there is
no simple way around it. The corresponding insecurity in Linux doesn't
exist, can't exist, because a completely different mechanism occupies
that spot on the flow diagram.
Then we consider the server population. Even for a relatively light
load, Microsoft would recommend that you have a separate server for
MS-Exchange and another for MS-SQL-Server. That's three servers to
maintain and pay for instead of one. And they'd probably also ask you
to add an expensive Cisco router to the collection to firewall it.
There are also a number of features which make individual services much
easier to lock down under Linux than under Windows. Capabilities,
chrooting, chattr and so on within a single OS image. User Mode Linux
for completely partitioned services - it's a simple matter to run any
service under its own specialised UML kernel that has a no-op (or
scream-the-house-down) response to certain OS functions for managing
ownership of files or opening network sockets other than in prescribed
ways. This means that even if an attacker gains total and complete
control of a service, all it does is call attention to his actions and
replace his victim with a fresh, clean copy a few microseconds later.
The final clincher for me is that I have never had an update break a
server. I could have left all of my Linux servers on auto-update for
about the last five years without a care in the world, were I not
naturally suspicious. On the other side of the fence, Microsoft's
updates are renowned for breaking things.
Back your statement up with specifics, Hanks, or retract it. As it
stands it is at best irresponsible, and certainly looks clumsy and
ill-informed for a "managing director" at a world-renowned firm.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Committee Member, Perth Linux User Group
http://slpwa.asn.au/ Committee Member, Linux Professionals WA
http://linux.org.au/ Committee Member, Linux Australia
Page editor: Jonathan Corbet