Weekly Edition for November 19, 2009

Btrfs for Rawhide users?

By Jonathan Corbet
November 18, 2009
Your editor stopped using Rawhide (the Fedora development distribution) after things melted down spectacularly back in July. Since then, problems have been scarce but all that stability on the desktop has proved to be seriously boring. Additionally, running a stable distribution can make it harder to test leading-edge project releases. So your editor has been looking to return to a development distribution on the desktop as soon as time allows and things look safe enough. Rawhide's worst problems are far behind it for now; it might just be safe to go back into the water, though the beginning of the Fedora 13 development cycle could add some excitement. As an added incentive, the Fedora developers now are considering mixing in Btrfs snapshots as an optional feature; use of an experimental filesystem might not seem like the way to improve stability, but Btrfs could, in fact, make life easier for Rawhide testers.

It is worth noting at the outset that Fedora is not, yet, considering using Btrfs in Rawhide by default. What has been proposed, instead, is the implementation of a "system rollback" feature for Rawhide users who are crazy enough to install on Btrfs despite its young and immature state. If this feature works out, it could remove much of the risk of tracking Rawhide and begin the exploration of a new capability which could prove highly useful for Linux users in general in the future.

One of the many features provided by Btrfs is copy-on-write snapshots. At any time, it is possible to freeze an image of the state of the filesystem. Snapshots are cheap - at creation time, their cost is almost zero. As changes are made to the filesystem, copies will be made of modified blocks while the snapshot remains unchanged. One can certainly fill a filesystem through use of the snapshot facility - and filling Btrfs filesystems remains a bit of a hazardous thing to do - but Btrfs will share data between snapshots for as long as possible.

The value of snapshots to system administrators is fairly obvious: a snapshot can be taken immediately prior to an operating system upgrade. Should that upgrade turn out to be less of a step forward than had been hoped, the filesystem can simply be reverted back to its pre-upgrade state. The days of digging around for older versions of broken packages - perhaps with the assistance of a rescue disk - should be long gone.

That said, there are a number of details which need to be worked out before snapshots can be made ready even for Rawhide users, much less the wider user community. Perhaps the biggest problem is that Btrfs snapshots cover the entire filesystem, so reverting to an older state will lose all changes made to the filesystem in the meantime. If a system update fails to boot, dumping the update seems like a straightforward choice - there will be no other changes to lose. But going back to a snapshot after the system has been running for a while could lose a fair amount of work, log data, etc. along with the unwelcome changes. One can always cherry-pick changed files after reverting to the snapshot, but that would be a tedious and error-prone process.

There are a lot of user interface details to take care of as well. Tools need to be created to allow administrators to look at existing snapshots, mount them for examination, clean them up, and so on. Btrfs will probably have to be extended with a concept of a user-selectable "default" snapshot for each filesystem. Grub needs some work for boot-time snapshot selection. There is also talk of eventually adding snapshot-browsing support to Nautilus.

Snapshots will clearly be a useful feature for Linux in the future. Back in your editor's system administration days, backup tapes were occasionally used to recover from disk disasters, but much more frequently used to help users recover from "fat-finger" incidents. Snapshots are not true backups, but they should certainly be useful as a quick error-recovery mechanism. Your editor is looking forward to the day when his system always supports a series of snapshots allowing the recent state of the filesystem to be recovered.

A snapshot is a heavyweight tool for dealing with system upgrade problems, though. In the longer term, it would make sense to have better rollback support built into the package management system itself. Interestingly, Yum and RPM have had some rollback support in the past, but that feature does not seem to be well supported now. Providing rollback support at this level is a hard problem, to say the least, but solving that problem would put a powerful tool into the hands of Linux system administrators.

In the absence of this feature, filesystem-level snapshots will have to do; certainly they are a major improvement over what we have now. In the short term, potential users should remain aware that Btrfs is a very young filesystem, and that snapshots may not be a viable recovery mechanism if the filesystem itself gets corrupted. In the longer term, though, there will be a day when we will wonder how we ever used our systems without this feature. The work being done by the Fedora developers is an important step in that direction.


Reducing HTTP latency with SPDY

November 18, 2009

This article was contributed by Nathan Willis

Google unveiled an experimental open source project in early November aimed at reducing web site load times. SPDY, as it is called, is a modification to HTTP designed to target specific, real-world latency issues without altering GET, POST, or any other request semantics, and without requiring changes to page content or network infrastructure. It does this by implementing request prioritization, stream multiplexing, and header compression. Results from tests on a SPDY-enabled Chrome and a SPDY web server show a reduction in load times of up to 60%.

SPDY is part of Google's "Let's make the web faster" initiative that also includes projects targeting JavaScript speed, performance benchmarking, and analysis tools. Mike Belshe and Roberto Peon announced SPDY on November 11 on both the Chromium and Google Research blogs, noting that "HTTP is an elegantly simple protocol that emerged as a web standard in 1996 after a series of experiments. HTTP has served the web incredibly well. We want to continue building on the web's tradition of experimentation and optimization, to further support the evolution of websites and browsers."

Finding the latency in HTTP

The SPDY white paper details the group's analysis of web latency, beginning with the observation that although page requests and responses rely on both HTTP as the application-layer protocol and TCP as the transport-layer protocol, it would be infeasible to implement changes to TCP. Experimenting on HTTP, on the other hand, requires only a compliant browser and server and can be tested on real network conditions.

The group found four factors to be HTTP's biggest sources of latency. First, relying on a single request per HTTP connection makes inefficient use of the TCP channel and forces browsers to open multiple HTTP connections to send requests, adding overhead. Second, HTTP headers are sent uncompressed, and they comprise a significant portion of HTTP traffic because of the large number of HTTP requests in a single page. Third, redundant headers, such as User-Agent and Host, are sent even though they remain the same for a session. Finally, HTTP relies exclusively on the client to initiate all requests, even in cases where the server knows that related content will be requested but cannot push it to the client.

SPDY tackles these weaknesses by multiplexing an unlimited number of concurrent streams over a single TCP connection, by allowing the client to assign priorities to HTTP requests in order to avert channel congestion, and by compacting HTTP request and response headers with gzip compression and omitting the redundant transmission of headers. The SPDY draft specification also includes options for servers to initiate content delivery. The available methods are "server push," in which the server initiates transmission of a resource via an X-Associated-Content header, and "server hint," in which the server only suggests related resources to the client with X-Subresources.

In addition, SPDY is designed to run on top of SSL, because the team decided it was wiser to build security into its implementation now than to add it later. Also, because SPDY requires agents to support gzip compression for headers, it compresses the HTTP data with gzip too.

The important thing to note is that SPDY's changes affect only the manner in which data is sent over the wire between the client and the server; there are no changes to the existing HTTP protocol that a web page owner would notice. Thus, SPDY is not a replacement for HTTP so much as a set of possible enhancements to it.

Comments on the blog posts indicate that although most readers see the value in header compression and request prioritization, some are skeptical of the need to multiplex HTTP requests over a single TCP connection. Other alternatives have been tried in the past, notably HTTP pipelining and the Stream Control Transmission Protocol (SCTP).

The white paper addresses both. SCTP, it says, is a transport-layer protocol designed to replace TCP, and although it may offer some improvements, it would not fix the problems with HTTP itself, which SPDY attempts to do. Implementing SCTP would also require large changes to client and server networking stacks and web infrastructure. The latter is also true for similar transport-layer solutions like Structured Stream Transport (SST), intermediate-layer solutions like MUX, and HTTP-replacements like Blocks Extensible Exchange Protocol (BEEP).

The problem with pipelining, it says, is that even when multiple requests are pipelined into one HTTP connection, the entire connection remains first-in-first-out, so a lost packet or delay in processing one request results in the delay of every subsequent request in the pipeline. On top of that, HTTP pipelining is difficult for web proxies to implement, and remains disabled by default in most browsers. The fully multiplexed approach taken by SPDY, however, allows multiple HTTP requests and responses to be interleaved in any order, more efficiently filling the TCP channel. A lost packet would still be retransmitted, but other requests could continue to be filled without pausing to wait for it. A request that requires server-side processing would form a bottleneck in an HTTP pipeline, but SPDY can continue to answer requests for static data over the channel while the server works on the slower request.
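The difference between a first-in-first-out pipeline and a prioritized, multiplexed connection can be seen in a small scheduling model. This is an added example, not code from the SPDY project or its white paper; it assumes all requests are issued at time 0 and that whole responses (rather than frames) take turns on the connection, and the resource names, timings and priorities are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    name: str
    think: int         # ms of server-side work before the response is ready
    transfer: int      # ms the response occupies the single TCP connection
    priority: int = 1  # lower is more urgent; only the multiplexed model uses it


# Constructed page load: one slow dynamic resource requested first,
# followed by three static files that need no server-side work.
PAGE = [
    Request("report.cgi", think=200, transfer=20),
    Request("style.css", think=0, transfer=10, priority=0),
    Request("logo.png", think=0, transfer=30, priority=2),
    Request("app.js", think=0, transfer=15, priority=1),
]


def pipelined(requests):
    """HTTP pipelining: responses leave strictly in request order."""
    done, link_free = {}, 0
    for req in requests:
        start = max(link_free, req.think)  # wait for the link AND for the server
        link_free = start + req.transfer
        done[req.name] = link_free
    return done


def multiplexed(requests):
    """Multiplexing: any ready response may use the connection, most urgent first."""
    done, now = {}, 0
    waiting = list(requests)
    while waiting:
        ready = [r for r in waiting if r.think <= now]
        if not ready:
            # Nothing to send yet: the link idles until the next response is ready.
            now = min(r.think for r in waiting)
            continue
        nxt = min(ready, key=lambda r: (r.priority, requests.index(r)))
        now += nxt.transfer
        done[nxt.name] = now
        waiting.remove(nxt)
    return done


if __name__ == "__main__":
    fifo, mux = pipelined(PAGE), multiplexed(PAGE)
    for req in PAGE:
        print(f"{req.name:12} pipelined={fifo[req.name]:4} ms  multiplexed={mux[req.name]:4} ms")
```

In the pipelined run every static file waits behind the slow request; in the multiplexed run the static files finish while the server is still working, and the slow response is not delayed by them.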

Implementation and test results

The development team wrote a SPDY web server and added client support in a branch of the Chrome browser, then ran tests serving up "top 100" web site content over simulated DSL and cable home Internet connections. The test included SSL and non-SSL runs, single-domain and multiple-domain runs, and server push and server hint runs. The resulting page load times were smaller in every case, ranging from 27.93% to 63.53% lower.

The team's stated goal is a 50% reduction in load time; the average of the published tests in all of their variations is 48.76%. Though it calls the initial results promising, the team also lists several problems — starting with the lack of well-understood models for real world packet loss behavior.

SPDY remains an experiment, however, and the team solicits input on a number of open questions, including dealing with the latency introduced by SSL handshakes, recovering from a lost TCP connection, and how best to implement the server-side logic to truly take advantage of server push and server hint. Interested people are encouraged to join the mailing list and download the code.

So far, only the modified Chrome client code is available, and that from the public Subversion repository, not binary downloads. Peon said that the server release is coming soon, and the project page says that the test suite and benchmarking code used in Google's test will be released under an open source license as well.

A 50% reduction in page load times is nothing to sneer at, particularly when all of the gains come from tweaking HTTP's connection and data transfer behavior. Header compression alone gives noticeable savings; the white paper states that it resulted in an "~88% reduction in the size of request headers and an ~85% reduction in the size of response headers." The future of the web may indeed include new protocols like SCTP and BEEP, but SPDY is already demonstrating that there is plenty of room for improvement without drastically altering the protocol stack.


Notes from the LF End User Summit

By Jonathan Corbet
November 13, 2009
To many, the Linux development community appears to be highly open, with access to developers only an email away. To much of the user community, though, the situation looks different, with core developers seemingly as distant and inaccessible as they would be if they were doing proprietary code. Bridging the gap between users and developers is one of the tasks the Linux Foundation has set for itself; the annual End User Summit is intended to help toward that goal.

The End User Summit draws a different crowd than any other event. Well-known Linux developers are present, certainly, but they do not form the majority of the crowd; they are, instead, strongly outnumbered by representatives of banks, insurance companies, and financial firms. Old conference T-shirts are far outnumbered by suits and ties in this crowd. The End User Summit, in other words, caters to enterprise distribution customers and others who are using Linux in high-stakes situations - even a major stock exchange which has based its operation on Gentoo. It makes for an interesting combination of people and a unique set of conversations.

One speaker was Brian Clark from the New York Stock Exchange. NYSE's systems run under high pressure and tight constraints. They process some three billion transactions per day - more than Google does - and those transactions need to execute in less than one millisecond. Customers can switch to competing exchanges instantly and for almost no cost, so if NYSE's systems are not performing, its customers will vanish. A typical trading day involves the processing of 1.5TB of data; some 8 petabytes of data are kept online. And this whole operation runs on Linux.

NYSE is highly concerned with software quality and security; they are subject to thousands of attacks every day. Downtime is to be limited to 90 seconds per year. All told, Linux has worked very well in this setting. NYSE had some requests, though, including the increasingly common desire for a way to move everything except a specific application off of a given core. Brian requested a way to lock a process's memory in place - a functionality which mlock() would appear to have provided for many years. He would also like a non-disruptive way to measure latencies, especially in the network stack.

In the end, he says, NYSE likes Linux because of the community which stands behind it - an interesting position given NYSE's rather low profile in that community. One place where it was suggested NYSE could help would be to advise the developers on the best placement of tracepoints into the network stack to yield the sort of latency measurements they would like to see.

Al Gillen of IDC is a common presence at this sort of event; he gave a chart-heavy talk on how IDC expects things to go in the server marketplace. The outlook for Linux server shipments would appear to be bright. One interesting tidbit from the talk: Linux server shipments will be growing strongly in the coming years, while Unix will be declining. That means that, in 2013, the Linux market looks likely to reach half the revenue value of the Unix server market. Unix may be suffering, but there's still a lot of money being spent on it.

Anthony Golia of Morgan Stanley discussed the use of Linux there; Morgan Stanley has been heavily using the operating system for several years now, and is running it on tens of thousands of systems. It was, he says, a bit of a rough start, but Morgan Stanley learned that the community "lends itself well to partnership." The company figured out how to send fixes back upstream and has experienced the "warm fuzzy feeling" that comes with getting fixes merged. In recent times they are finding far fewer bugs and are quite happy with the choice to go with Linux.

Anthony had some requests too, beginning with support for TCP offload engines. What Morgan Stanley really needs, though, is shorter network latencies. Trades are dependent on getting orders in quickly in response to events, and latencies work against that goal. They would like a way to generate long-term statistics of a process's memory use, mostly as a way of knowing whether it's safe to load more work onto a specific server. There was also a request for better coordination between distributors and hardware manufacturers, yielding support for new hardware as soon as that hardware is available.

Jeffrey Birnbaum of the Bank of America led a session on shortcomings he sees with Linux at this time. In particular, Jeffrey anticipates a future dominated by increasing availability of fast CPUs and the growing influence of solid-state storage devices. The world is changing, and he worries that Linux is not changing quickly enough to keep up with it. Technology is improving quickly, he says, and the kernel is holding users back.

Specific problems include latency in the network stack and the ability of networking to make use of large numbers of CPUs. TCP, he says, is not scalable, but it wasn't clear where the problems are. One request that was clear was a means by which messages could be sent to multiple destinations with a single system call - something akin to the proposed sendmmsg() system call. He suggested that the time has come to move beyond POSIX interfaces - he is a fan of Ulrich Drepper's event interface proposal - and that the use of protocols like SATA to talk to solid-state storage is a mistake. There was also some discussion about difficulties getting a scalability problem with the epoll_wait() system call fixed.

Perhaps the clearest point to emerge from this session is that users like Jeffrey need a solid channel to communicate with the development community about their needs and frustrations. One would think that this would be an ideal role for enterprise distribution vendors to fill; indeed, in the following session, Novell's Carlos Montero-Luque described the session as a great advertisement for commercial distributions. But, for whatever reason, those distributions do not appear to be filling that role in this case.

Carlos, along with Red Hat's Brian Stevens, talked about the future as the distributors see it. There was lots of talk on the value of Linux on mainframes, which seems to be of great interest to this user community currently. Interestingly, Brian noted that Red Hat is not entirely sure that the success which has been achieved with Linux can be replicated at other levels; the JBoss development community, for example, is nearly 100% Red Hat employees.

On the subject of unpaid Linux, Brian claimed that these deployments were "fantastic." Anything which grows the overall market can only be good for the participants therein. Carlos had some darker comments about how unpaid Linux is not "free," and that it will always be paid for in some other way.

Tim Golden is a manager at a high-profile American bank; in his talk on "the changing role of enterprise open source," though, he was clear to point out that he was speaking only for himself. This talk started with the relatively early days, when companies like banks saw open source as being far too risky to use. Everybody was afraid of being sued and ending up on the front page of the Wall Street Journal, so outright prohibitions on the use of open source were common.

There were a couple of intermediate steps, including one where managers came to the radical conclusion that the submission of bug fixes did not deprive a company of its Valuable Intellectual Property. During this time, fears about the use of open source faded considerably, and companies increasingly decided that they could tolerate whatever risk remained - at least in "high value" situations.

The current situation is heavily affected by the financial crisis; financial companies have realized that they must find a way to be competitive with far less money. This understanding has helped to usher in the "open source software as a strategy" era, with companies setting up formalized management programs for open source. An interesting thing is happening in some companies as they go through this process, though: executives are figuring out that it's hard to drive open-source projects from the back seat. They are also coming to the conclusion that participation in development projects is not as disruptive as they had once thought.

So now these companies are beginning to dip their toes in the water and look at ways to participate. There are lots of options, ranging from simple cash contributions - which don't create any real linkage with the community - through to investments in companies and "intellectual property contributions." Eventually, says Tim, we'll start to see something that was once unthinkable: development projects being run by end users.

That last statement maybe reveals something about how these companies see free software. To them, projects run by end users are a new, scary, and exotic thing. But your editor would submit that almost every development project of interest is run by end users. The developers who came together to create the Linux kernel weren't working for others. The group that pulled together their patches and released "a patchy" server were planning to deploy that server (now "Apache") themselves. As end users in the financial industry start to run projects aimed at meeting their own needs, some of those projects, at least, should prove equally successful.

There is no need to convince the financial industry that free software can benefit its operation; they have understood that for a few years now. Convincing this industry that contributing to the software it uses makes sense has been somewhat harder. It would appear that this message is starting to be heard, and companies in this industry are beginning to look for ways to reach out to the development community. Events like the End User Summit seem like an ideal way to facilitate communication between the existing development community and its future members; it is a learning experience for everybody involved.


The Weekly Edition will be early next week

Thursday, November 26, is the U.S. Thanksgiving holiday. LWN's editors fully intend to spend that holiday eating far too much food; to make that possible, we'll be publishing the Weekly Edition on November 25. LWN will return to its regular schedule the following week.


Page editor: Jonathan Corbet


TLS renegotiation vulnerability

By Jake Edge
November 18, 2009

Transport Layer Security (TLS), and its predecessor Secure Sockets Layer (SSL), are commonly used protocols for encrypting internet traffic, so TLS vulnerabilities can potentially affect a wide range of internet services. A recently disclosed flaw in the TLS protocol—though there is some dispute whether TLS is at fault—allows an "injected plaintext" attack against an encrypted session. This allows a "man in the middle" (MITM) attacker to prefix a victim's request with their own data, which gets interpreted by the server as if it came from the victim.

The flaw was disclosed on the Internet Engineering Task Force (IETF) TLS mailing list by Martin Rex of SAP on November 4, but it had actually been discovered two months earlier. Marsh Ray of PhoneFactor, Inc. discovered the problem in early August, but kept it quiet while alerting the IETF and various TLS developers and vendors. Those organizations came together as "Project Mogul" to find a solution to the problem. But once Rex had posted publicly about a possible MITM attack—independently discovered—against TLS (specifically Microsoft's IIS), Ray and his colleague Steve Dispensa released additional information showing that it was a pervasive problem for TLS (including Apache web servers, OpenSSL, GNUTLS, and others).

TLS allows clients and servers to renegotiate various session parameters within the TLS connection. When the renegotiation is done, however, TLS applications still accept data that came in before the renegotiation as if it were in the new security context. That hole allows a MITM attack. By arranging that the last data received is from the attacker, then causing a renegotiation with the victim, the attack effectively prepends the attacker's payload to the victim's request.

While it may sound rather theoretical, there is already a proof of concept (PoC) program available, and that has been adapted into a way to steal Twitter credentials. Other kinds of attacks are possible as well, some of which may exploit other internet protocols that use TLS, for example: SMTP (email), FTP, XMPP (Jabber), and some VPN implementations. Exploiting the vulnerability requires the attacker to control some node in between the client and server, which is not that difficult to do these days because of pervasive WiFi. Users are accustomed to using any available access point—especially if they use encrypted connections for their web/email/etc. connections—and that access point could be compromised.

Injecting the attacker's text into an existing TLS session may not seem like a particularly potent attack, but there are several examples of how it could work. Rex's original disclosure was related to web servers configured to require client certificates for some resources, and not for others, which will often lead to renegotiation. That led some to believe that this relatively rare configuration was required, but subsequent examples and explanations make it clear that there are other ways to cause, and exploit, renegotiation.

To attack a web-based application, the attacker typically would send their prefix to the server, then cause the renegotiation to occur. That renegotiation would actually be done between the victim's client and the server (with the MITM attacker just proxying the traffic). Due to the bug, the server would process the prefix in the new security context that gets established via the renegotiation. So, neither the client nor the server has any idea that this has occurred, and the attacker gets to insert his payload into the client's secure session.

Eric Rescorla is one of those working on a long-term fix, but he also has a fairly straightforward example of the plaintext injection:

E.g., the attacker would send:
    GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1 
And leave the last line empty without a carriage return line feed. Then when the client makes his own request
    GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1 
    Cookie: victimscookie
the two requests get glued together into:
    GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1 
    X-Ignore-This: GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1 
    Cookie: victimscookie
And the server uses the victim's account to send a pizza to the attacker.

The Twitter attack uses a similar scheme, but exploits the REST-based API for Twitter. In that case, the attacker's Twitter feed shows the victim's server request, which includes the base64-encoded username and password of the victim. In Thierry Zoller's "TLS/SSLv3 renegotiation vulnerability explained" [PDF]—a comprehensive guide to the problem—there is an example of hijacking email traffic using a similar technique: the attacker prepends SMTP commands to send an email to himself, then leaves the DATA command unterminated, effectively capturing the victim's outgoing email message.

Shortly after the initial disclosure, OpenSSL released a workaround that disabled renegotiation. According to Rescorla, almost all servers could disable renegotiation without impacting any needed functionality, but that doesn't fix the problem on the client side. Clients cannot detect whether the server allows renegotiation because the attacker could always fake a rejection of the renegotiation request.

A more long-term fix has been proposed—that site, ironically, has an invalid SSL certificate—by Rescorla, Ray, Dispensa, and Nasko Oskov of Microsoft. Their proposal would extend TLS to add information to each renegotiation about the previous renegotiation. In that way, clients could detect that their connection is not being negotiated for the first time, which would mean that a MITM had done a TLS negotiation already.
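The effect of binding each handshake to the previous one can be shown with a toy model of the sequence described above. This is an added example, not the proposal's wire format or any TLS library's code: the `Endpoint`, `handshake` and `relayed_session` names are hypothetical, the "binding" is simply a hash of the previous handshake, and the Finished check is modelled as a comparison of both sides' transcripts. The request fragments are the ones from the quoted example.

```python
import hashlib
import hmac
import os

# Request fragments copied from the example quoted in the article.
PREFIX = (b"GET /pizza?toppings=pepperoni;address=attackersaddress HTTP/1.1\r\n"
          b"X-Ignore-This: ")
VICTIM_REQUEST = (b"GET /pizza?toppings=sausage;address=victimssaddress HTTP/1.1\r\n"
                  b"Cookie: victimscookie\r\n\r\n")


class RenegotiationRejected(Exception):
    """A handshake did not fit the connection's handshake history."""


class Endpoint:
    """One party's view of a connection (toy model, not a TLS stack)."""

    def __init__(self):
        self.binding = b""   # empty: no handshake completed on this connection yet
        self.buffered = b""  # application data received but not yet parsed


def handshake(client, server, enforce_binding, relay_rewrite=None):
    """Run one handshake that reaches the server on its existing connection.

    The hello carries the client's record of its previous handshake. A relay
    may alter that field in transit, but the hello is covered by the Finished
    check, modelled here as a comparison of both sides' transcripts.
    """
    nonce = os.urandom(16)
    sent = client.binding
    seen = relay_rewrite(sent) if relay_rewrite else sent

    # The fix: the server compares the hello with its own handshake history.
    if enforce_binding and not hmac.compare_digest(seen, server.binding):
        raise RenegotiationRejected("hello does not match server's handshake history")
    client_view = hashlib.sha256(nonce + sent).digest()
    server_view = hashlib.sha256(nonce + seen).digest()
    if not hmac.compare_digest(client_view, server_view):
        raise RenegotiationRejected("hello was modified in transit")
    client.binding = server.binding = client_view


def parse_first_request(stream):
    """Return (request line, headers) for the first request in the byte stream."""
    head = stream.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    return request_line, dict(line.split(": ", 1) for line in header_lines)


def relayed_session(enforce_binding, relay_rewrites_hello=False):
    """The sequence from the article: a relay handshakes and sends data first,
    then forwards the victim's initial handshake onto the same connection."""
    server, relay, victim = Endpoint(), Endpoint(), Endpoint()
    handshake(relay, server, enforce_binding)
    server.buffered += PREFIX
    rewrite = (lambda _sent: relay.binding) if relay_rewrites_hello else None
    try:
        handshake(victim, server, enforce_binding, rewrite)
    except RenegotiationRejected as exc:
        return "rejected", str(exc)
    # Without the binding, earlier data is treated as part of the new session.
    server.buffered += VICTIM_REQUEST
    return "accepted", parse_first_request(server.buffered)


def honest_renegotiation():
    """A client renegotiating its own connection passes the check both times."""
    server, client = Endpoint(), Endpoint()
    handshake(client, server, enforce_binding=True)
    handshake(client, server, enforce_binding=True)
    return client.binding == server.binding != b""


if __name__ == "__main__":
    print("no binding:  ", relayed_session(enforce_binding=False))
    print("with binding:", relayed_session(enforce_binding=True))
    print("rewritten:   ", relayed_session(True, relay_rewrites_hello=True))
    print("honest:      ", honest_renegotiation())
```

With the binding enforced, the victim's first handshake arrives claiming no history on a connection that already has one, so the server refuses it; a hello altered in transit to match fails the transcript comparison instead.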

While TLS is the right place to make the fix, Adam Langley is unhappy that TLS is being blamed for the problem. His contention is that the applications are making unwarranted assumptions about what TLS provides. While that may be true, "every single protocol that is layered on top of TLS got this wrong", as Ben Laurie points out.

Zoller's paper also has a good summary of other protocols and programs that use TLS, along with their vulnerability status. It may be a hard vulnerability to exploit, because it requires a MITM position along with an ability to predict the client's traffic, but it is rather serious. As Rescorla and others note, though, MITM attacks simply using an attacker's certificate are generally fairly successful because users are willing to accept any certificate presented to them. It really isn't necessary to go to the lengths that are required to exploit this vulnerability until that changes.

[ Thanks to Tzvetan Mikov who suggested this as a topic shortly after it was made public. ]


New vulnerabilities

apache-conf: cross-site scripting

Package(s): apache-conf
CVE #(s): CVE-2009-2823
Created: November 16, 2009
Updated: January 7, 2010

From the Mandriva advisory:

The Apache HTTP Server enables the HTTP TRACE method per default which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software (CVE-2009-2823).

Mandriva MDVSA-2009:300-1 apache-conf 2010-01-07
Mandriva MDVSA-2009:300-2 apache-conf 2010-01-07
Mandriva MDVSA-2009:300 apache-conf 2009-11-15


asterisk: access control violation

Package(s): asterisk
CVE #(s):
Created: November 16, 2009
Updated: November 18, 2009
Description: From the Asterisk advisory:

A missing ACL check for handling SIP INVITEs allows a device to make calls on networks intended to be prohibited as defined by the "deny" and "permit" lines in sip.conf. The ACL check for handling SIP registrations was not affected.

Fedora FEDORA-2009-10861 asterisk 2009-10-29


cups: denial of service

Package(s): cups
CVE #(s): CVE-2009-3553
Created: November 18, 2009
Updated: March 2, 2011

From the Red Hat advisory:

A use-after-free flaw was found in the way CUPS handled references in its file descriptors-handling interface. A remote attacker could, in a specially-crafted way, query for the list of current print jobs for a specific printer, leading to a denial of service (cupsd crash). (CVE-2009-3553)

Gentoo 201207-10 cups 2012-07-09
Debian DSA-2176-1 cups 2011-03-02
Mandriva MDVSA-2010:073-1 cups 2010-04-14
Mandriva MDVSA-2010:073 cups 2010-04-14
SuSE SUSE-SR:2010:007 cifs-mount/samba, compiz-fusion-plugins-main, cron, cups, ethereal/wireshark, krb5, mysql, pulseaudio, squid/squid3, viewvc 2010-03-30
CentOS CESA-2010:0129 cups 2010-03-12
Fedora FEDORA-2010-3761 cups 2010-03-06
Ubuntu USN-906-1 cups, cupsys 2010-03-03
Red Hat RHSA-2010:0129-01 cups 2010-03-03
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Fedora FEDORA-2009-12652 cups 2009-12-04
Fedora FEDORA-2009-11314 cups 2009-11-11
CentOS CESA-2009:1595 cups 2009-11-24
Red Hat RHSA-2009:1595-01 cups 2009-11-18
Fedora FEDORA-2009-10891 cups 2009-10-29

Comments (none posted)

ffmpeg: denial of service

Package(s): ffmpeg
CVE #(s): CVE-2008-3230
Created: November 16, 2009
Updated: December 7, 2009

From the Mandriva advisory:

The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial of service (application crash) via a crafted GIF file (CVE-2008-3230)

Mandriva MDVSA-2009:297-1 ffmpeg 2009-12-05
Mandriva MDVSA-2009:297 ffmpeg 2009-11-13

Comments (none posted)

gimp: integer overflow

Package(s): gimp
CVE #(s): CVE-2009-1570
Created: November 13, 2009
Updated: September 28, 2012
Description: From the Mandriva advisory:

Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a BMP file with crafted width and height values that trigger a heap-based buffer overflow.

Gentoo 201209-23 gimp 2012-09-28
CentOS CESA-2011:0837 gimp 2011-06-01
CentOS CESA-2011:0838 gimp 2011-05-31
Red Hat RHSA-2011:0838-01 gimp 2011-05-31
Red Hat RHSA-2011:0837-01 gimp 2011-05-31
Mandriva MDVSA-2009:332-1 gimp 2010-04-28
SuSE SUSE-SR:2010:009 viewvc, krb5, pango, gimp, kdebase3, kde4-kdm 2010-04-14
Ubuntu USN-880-1 gimp 2010-01-07
Slackware SSA:2009-345-01 gimp 2009-12-14
Mandriva MDVSA-2009:296-1 gimp 2009-12-11
Mandriva MDVSA-2009:332 gimp 2009-12-11
Mandriva MDVSA-2009:296 gimp 2009-11-13

Comments (none posted)

java: remote file creation and modification

Package(s): java
CVE #(s): CVE-2009-2676
Created: November 12, 2009
Updated: November 18, 2009
Description: From the National Vulnerability Database entry:

Unspecified vulnerability in JNLPAppletlauncher in Sun Java SE, and SE for Business, in JDK and JRE 6 Update 14 and earlier and JDK and JRE 5.0 Update 19 and earlier; and Java SE for Business in SDK and JRE 1.4.2_21 and earlier; allows remote attackers to create or modify arbitrary files via vectors involving an untrusted Java applet that accesses an old version of JNLPAppletLauncher.

Red Hat RHSA-2009:1582-01 java-1.6.0-ibm 2009-11-12
Gentoo 200911-02 sun-jre-bin 2009-11-17

Comments (none posted)

java: multiple vulnerabilities

Package(s): java
CVE #(s): CVE-2009-2716 CVE-2009-2718 CVE-2009-2719 CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724
Created: November 18, 2009
Updated: November 18, 2009

From the CVE entries:

CVE-2009-2716: The plugin functionality in Sun Java SE 6 before Update 15 does not properly implement version selection, which allows context-dependent attackers to leverage vulnerabilities in "old zip and certificate handling" and have unspecified other impact via unknown vectors.

CVE-2009-2718: The Abstract Window Toolkit (AWT) implementation in Sun Java SE 6 before Update 15 on X11 does not impose the intended constraint on distance from the window border to the Security Warning Icon, which makes it easier for context-dependent attackers to trick a user into interacting unsafely with an untrusted applet.

CVE-2009-2719: The Java Web Start implementation in Sun Java SE 6 before Update 15 allows context-dependent attackers to cause a denial of service (NullPointerException) via a crafted .jnlp file, as demonstrated by the jnlp_file/appletDesc/index.html#misc test in the Technology Compatibility Kit (TCK) for the Java Network Launching Protocol (JNLP).

CVE-2009-2720: Unspecified vulnerability in the javax.swing.plaf.synth.SynthContext.isSubregion method in the Swing implementation in Sun Java SE 6 before Update 15 allows context-dependent attackers to cause a denial of service (NullPointerException in the Jemmy library) via unknown vectors.

CVE-2009-2721: Multiple unspecified vulnerabilities in the Provider class in Sun Java SE 5.0 before Update 20 have unknown impact and attack vectors, aka BugId 6406003.

CVE-2009-2722: Multiple unspecified vulnerabilities in the Provider class in Sun Java SE 5.0 before Update 20 have unknown impact and attack vectors, aka BugId 6429594. NOTE: this issue exists because of an incorrect fix for BugId 6406003.

CVE-2009-2723: Unspecified vulnerability in deserialization in the Provider class in Sun Java SE 5.0 before Update 20 has unknown impact and attack vectors, aka BugId 6444262.

CVE-2009-2724: Race condition in the java.lang package in Sun Java SE 5.0 before Update 20 has unknown impact and attack vectors, related to a "3Y Race condition in reflection checks."

Gentoo 200911-02 sun-jre-bin 2009-11-17

Comments (none posted)

kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2009-3726
Created: November 16, 2009
Updated: March 21, 2011

From the SUSE advisory:

CVE-2009-3726: The nfs4_proc_lock function in fs/nfs/nfs4proc.c in the NFSv4 client in the allows remote NFS servers to cause a denial of service (NULL pointer dereference and panic) by sending a certain response containing incorrect file attributes, which trigger attempted use of an open file that lacks NFSv4 state.

Mandriva MDVSA-2011:051 kernel 2011-03-18
CentOS CESA-2010:0474 kernel 2010-08-27
CentOS CESA-2010:0474 kernel 2010-08-23
Red Hat RHSA-2010:0474-01 kernel 2010-06-15
Debian DSA-2004-1 linux-2.6.24 2010-02-27
Debian DSA-2003-1 linux-2.6 2010-02-22
SuSE SUSE-SA:2010:012 kernel 2010-02-15
SuSE SUSE-SA:2009:064 kernel 2009-12-22
CentOS CESA-2009:1670 kernel 2009-12-17
Red Hat RHSA-2009:1670-01 kernel 2009-12-15
SuSE SUSE-SA:2009:061 kernel 2009-12-14
Mandriva MDVSA-2009:329 kernel 2009-12-09
Ubuntu USN-864-1 linux, linux-source-2.6.15 2009-12-05
Red Hat RHSA-2009:1635-01 kernel-rt 2009-12-03
SuSE SUSE-SA:2009:060 kernel 2009-12-02
Mandriva MDVSA-2009:301 kernel 2009-11-20
SuSE SUSE-SA:2009:056 kernel 2009-11-16

Comments (none posted)

openjdk: arbitrary code execution

Package(s): openjdk-6
CVE #(s): CVE-2009-3885
Created: November 16, 2009
Updated: April 28, 2010

From the Ubuntu advisory:

Multiple flaws were discovered in JPEG and BMP image handling. If a user were tricked into loading a specially crafted image, a remote attacker could crash the application or run arbitrary code with user privileges. (CVE-2009-3873, CVE-2009-3874, CVE-2009-3885)

Mandriva MDVSA-2010:084 java-1.6.0-openjdk 2010-04-28
Ubuntu USN-859-1 openjdk-6 2009-11-13

Comments (none posted)

openldap: man in the middle attack

Package(s): openldap
CVE #(s): CVE-2009-3767
Created: November 12, 2009
Updated: July 22, 2010
Description: From the Ubuntu alert:

It was discovered that OpenLDAP did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.

Gentoo 201406-36 openldap 2014-06-30
CentOS CESA-2010:0543 openldap 2010-07-21
Red Hat RHSA-2010:0543-01 openldap 2010-07-20
Red Hat RHSA-2010:0198-04 openldap 2010-03-30
Mandriva MDVSA-2010:026 openldap 2010-01-26
Debian DSA-1943 openldap 2009-12-02
Fedora FEDORA-2010-0752 openldap 2010-01-19
Ubuntu USN-858-1 openldap2.2 2009-11-12
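
An added illustration of this class of bug (not OpenLDAP's code): a certificate's Common Name is a length-delimited string, so a comparison that treats it as a C string stops at the first zero byte. The struct, the function names and the host names are constructed for the example, and wildcard matching is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A CN as it comes out of the certificate: bytes plus an explicit length. */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: the CN is handed to strcmp(), which stops at the first
 * zero byte and never sees whatever follows it. */
static int cn_matches_flawed(const struct cn_value *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened check: a CN containing a zero byte is rejected outright, and the
 * comparison covers the full declared length (case-insensitive). */
static int cn_matches_strict(const struct cn_value *cn, const char *host)
{
    size_t hlen = strlen(host);

    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    if (cn->len != hlen)
        return 0;
    for (size_t i = 0; i < hlen; i++) {
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

/* Constructed sample values; neither comes from a real certificate. */
static const unsigned char CN_PLAIN[] = "ldap.example.org";
static const unsigned char CN_EMBEDDED[] = "ldap.example.org\0.untrusted.example";

static const struct cn_value cn_plain = { CN_PLAIN, sizeof CN_PLAIN - 1 };
static const struct cn_value cn_embedded = { CN_EMBEDDED, sizeof CN_EMBEDDED - 1 };

int main(void)
{
    const char *host = "ldap.example.org";

    printf("plain CN:    flawed=%d strict=%d\n",
           cn_matches_flawed(&cn_plain, host),
           cn_matches_strict(&cn_plain, host));
    printf("embedded 0:  flawed=%d strict=%d\n",
           cn_matches_flawed(&cn_embedded, host),
           cn_matches_strict(&cn_embedded, host));
    return 0;
}
```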

Comments (none posted)

qt: multiple vulnerabilities

Package(s): qt
CVE #(s): CVE-2009-3384 CVE-2009-2816
Created: November 16, 2009
Updated: January 25, 2011

From the Red Hat bugzilla [1, 2]:

CVE-2009-3384: Multiple security flaws (integer underflow, invalid pointer dereference, buffer underflow and a denial of service) were found in the way WebKit's FTP parser used to process remote FTP directory listings. If a remote FTP server issued a specially-crafted FTP command, it could lead to disclosure of sensitive information, denial of service (application crash) or, potentially to execution of arbitrary code, once the command was parsed.

CVE-2009-2816: A security flaw was found in the WebKit's Cross-Origin Resource Sharing (CORS) implementation. Quoting exact details from the WebKit advisory: Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request, to determine if the origin server for the resource being accessed will allow the resource to be shared. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can result in unexpected actions being initiated on the cross-origin site without user consent. This issue is addressed by dropping custom HTTP headers from preflight requests.

SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
Fedora FEDORA-2009-11487 qt 2009-11-14
Fedora FEDORA-2009-11491 qt 2009-11-14
Fedora FEDORA-2009-11488 qt 2009-11-14

Comments (none posted)

texlive: buffer overflow

Package(s): texlive
CVE #(s): CVE-2009-1284
Created: November 13, 2009
Updated: June 26, 2012
Description: From the CVE entry:

Buffer overflow in BibTeX 0.99 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a long .bib bibliography file.

Gentoo 201206-28 texlive-core 2012-06-25
Fedora FEDORA-2010-8273 texlive 2010-05-10
Mandriva MDVSA-2010:096 tetex 2010-05-17
Mandriva MDVSA-2010:094 tetex 2010-05-12
Ubuntu USN-937-1 texlive-bin 2010-05-06
Fedora FEDORA-2009-10857 texlive 2009-10-27
Fedora FEDORA-2009-10730 texlive 2009-10-27

Comments (none posted)

wordpress: multiple vulnerabilities

Package(s): wordpress
CVE #(s):
Created: November 18, 2009
Updated: November 18, 2009

From the WordPress release notes:

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

Fedora FEDORA-2009-11710 wordpress 2009-11-18
Fedora FEDORA-2009-11693 wordpress 2009-11-18
Fedora FEDORA-2009-11687 wordpress 2009-11-18

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current development kernel is 2.6.32-rc7, released on November 12. "Most of the commits are the kinds I like at this stage: one-liners and few-liners, but I have to admit that there's some bigger-than-I-would-have-liked patches to the Radeon KMS driver." The short-form changelog is in the announcement, or see the full changelog for all the details.

The 2.6.32-rc7 regression list shows a total of 41 unresolved regressions - a high number for this stage in the development cycle. So we may be a couple weeks away from the final 2.6.32 release yet.

Comments (none posted)

Quotes of the week

Well the purpose of the kernel isn't to provide an idiot filter, that is what the security policies and not giving people root is for.
-- Alan Cox

The lesson learnt here? Panic makes for poor decisions. I sent one patch what looked great at the time but have found out in the last few hours that it really sucks. While figuring this out for sure, I have to wait looking at a screen to painfully slowly update. To help the waiting, I found some beer, it's the Irish thing to do. Wonder what the rest of ye do.
-- Mel Gorman

Or to say in a more sarcastic way: the most visible effect the extra code you have to write for making things OOM-safe will be that due to higher memory/address space consumption the OOM situation will be coming earlier than without it.
-- Lennart Poettering

Yes, I realize it's ugly voodoo magic but dammit, it used to work!
-- Pekka Enberg

Comments (2 posted)

Some approaches to parallelism avoidance

By Jonathan Corbet
November 17, 2009
What do you do if you have a group of processes, but only want one of them to run at any given time? This kind of workload is not that uncommon; it appears in user-space threading applications, asynchronous I/O applications, and in applications which have background processing tasks. Stijn Devriendt has such a problem; he recently proposed a solution in the form of a new system call:

    int sched_wait_block(pid_t pid, struct timespec *uts);

This call would put the process to sleep until the process indicated by pid blocked, at which point the calling process would go back onto the run queue. It would thus allow a sort of "only run me when process pid is sleeping" semantic.

Ingo Molnar responded with a suggestion for a very different approach; to him, this problem is another nail for the "perf events" hammer. An interested process could sign up for "parallelism" events, then receive notifications when specific processes sleep or become runnable. He sees some real benefits from such a capability:

This would make a very powerful task queueing framework. It basically allows a 'lazy' user-space scheduler, which only activates if the kernel scheduler has run out of work.

Linus, though, had a very different suggestion: rather than create this whole framework, just add a relatively stupid "only run one of this group of threads at a time" mode to the scheduler. This mode, which could be specified with a new clone() flag, seems like it could solve most of the problems in this area without adding a new set of complicated interfaces.

As of this writing, only sched_wait_block() has an actual patch associated with it, and nobody has committed to writing any others. So the eventual outcome - if any - from this conversation is unclear at best, but it's an interesting exploration of approaches in any case.

Comments (4 posted)


By Jonathan Corbet
November 18, 2009
Developers working to implement a checkpoint/restart capability for Linux want the ability to create a new process with a specific process ID. In the absence of that feature, restarted processes will suddenly find themselves with different PIDs, which can only lead to confusion. To implement explicit PID selection, the checkpoint/restart developers have proposed various extensions to the clone() system call with names like clone_with_pids() and clone_extended(). No version has yet been merged, and the proposed API continues to evolve.

The latest proposal is called eclone(); it looks like this:

    int eclone(u32 flags_low, struct clone_args *args, int args_size,
	       pid_t *pids);

The flags_low argument corresponds to the flags argument to the existing clone() call, which is running out of space for new flags. The pids argument is an optional list of PIDs to apply to the new child process, one for each namespace in which the process appears. Everything else goes into args:

    struct clone_args {
	u64 clone_flags_high;
	u64 child_stack_base;
	u64 child_stack_size;
	u64 parent_tid_ptr;
	u64 child_tid_ptr;
	u32 nr_pids;
	u32 reserved0;
	u64 reserved1;
    };

A number of these fields (child_stack_base, child_stack_size, parent_tid_ptr, child_tid_ptr) correspond to existing clone() arguments. clone_flags_high allows the addition of more flags; no new flags are defined in the eclone() proposal, though. The length of the pids array is given by nr_pids, and the reserved fields are there for future expansion.

Comments on the new proposal have been scarce; it may be that the development community has gotten a little tired of seeing these patches over and over. The silence could also mean that there are no objections to this proposal. One big obstacle could remain to the merging of this system call, though: it is there to support the checkpoint/restart facility, which is definitely not ready for merging into the mainline. Getting checkpoint/restart to a completed and maintainable state is likely to take some time; until then, there may be reluctance to add a new system call which does not, yet, have any real-world users.

Comments (9 posted)

Van de Ven: Some PowerTOP updates

Arjan van de Ven reports on new PowerTOP features on his blog. The new features live in the PowerTOP git repository and require small kernel patches that will likely end up in 2.6.33. The features look at audio and SATA power management as well as "who is spinning up my disk": "Using the perf kernel infrastructure, the git version of PowerTOP now has included the equivalent of the blockdump feature, and will report disk-waking application both in the regular interactive view as well as in the diagnostic 'dump' mode."

Comments (1 posted)

Kernel development news

High-order GFP_ATOMIC allocation trouble

By Jonathan Corbet
November 17, 2009
On its face, memory management would appear to be a straightforward task. When memory gets tight, the VM code need only evict the pages which will be unused for the longest time, making that memory available for shorter-term use. The hard part, of course, is identifying those pages. In the absence of perfect predictions of future memory use, the VM subsystem must rely upon a set of heuristics to make a set of (hopefully) reasonable choices. The design of heuristics which can handle most workloads is tricky, and even subtle code changes can lead to big changes in system behavior.

Since the beginning of the 2.6.31 development cycle, some users have been complaining about an increase in kernel memory allocation failures, leading to log messages, failed applications, and the occasional unwelcome appearance of the out-of-memory killer. Various bugs have been filed (see #14141 and #14265, for example) and a fair amount of head-scratching has gone on. But few developers really know where to start when looking at this kind of problem, and, of those who do, some have been content to write off the problem as being caused by higher-order allocations. So progress has been slow.

High-order (multi-page) allocations are a perennial problem on Linux systems; as memory fragments, it gets increasingly hard to find groups of physically-contiguous pages to satisfy higher-order allocation requests. Whenever possible, kernel code is written to avoid high-order allocations, but there are times when that is difficult. Many of the recently-reported problems seemingly have to do with certain not-top-of-the-line wireless network adapters which require contiguous memory chunks to operate. Fixing the problem is important - users of cheap network interfaces want to run Linux too - but there are also reports of single-page allocation failures.

Fortunately, Mel Gorman is not afraid to wander into that part of the kernel; he has been putting some serious time into reproducing the problem and trying to understand what has gone wrong since 2.6.30. Mel has posted a five-part patch series which tries to make allocation failures less likely again. Looking at what Mel has done provides a good lesson on just how subtle this kind of programming can be.

When looking at this code, it's worth bearing in mind that the kernel has two fundamental mechanisms for recovering memory when it is needed for new allocations. Direct reclaim is active memory cleaning done at allocation time; when an allocation falls short, the process trying to allocate the memory will go off and try to free some memory elsewhere in the system. Direct reclaim has the advantages of immediacy - reclaim work happens right away when memory pressure hits - and of dumping the work into processes which are allocating memory, but there are limits to how long any one process can spend reclaiming memory without introducing unacceptable latencies. So more extensive cleaning is pushed off to the kswapd kernel thread, which is dedicated to that task.

Current mainline kernels do not wake up kswapd from the direct reclaim code if the direct reclaim operation fails to get the job done. But if memory is that tight, kswapd should be running, especially if high-order allocations are needed. So the first patch in Mel's series is a simple one-liner which causes kswapd to be waked on direct allocation failure and, perhaps, to work harder on recovering higher-order chunks as well. That change brings behavior back to something closer to what older kernels did.

Patch #2 is a simple tweak which keeps realtime interrupt handlers from driving the memory allocation code too hard. Again, this is a reversion to behavior seen back in the 2.6.30 days.

The third patch is a bit more subtle. Direct reclaim will, if it is successful, result in the creation of I/O operations to write dirty pages to their backing store. There are limits to the number of block I/O operations which can be outstanding, though; once that limit is hit the underlying device is said to be "congested" and the task performing reclaim is forced to wait until things clear out a bit. This "congestion wait" keeps the system from filling up with pending I/O operations and serves to throttle processes performing memory allocations.

As it happens, there are actually two "wait for congestion" queues - one each for synchronous and asynchronous requests. "Synchronous" requests are those for which a process is actively waiting - read requests, usually - while asynchronous requests are those which do not have active waiters. In current kernels, direct reclaim waits on the asynchronous queue, while older kernels used the synchronous queue instead. Moving back to the synchronous queue makes a number of problems go away, but Mel sees that fix as being workload-specific. Instead, he has changed the direct reclaim code to make it wait for congestion to clear on both queues.

Why does this help? It seems to be a matter of letting kswapd get its job done. Kswapd, too, must wait when queues become congested; if direct reclaimers are frequently filling the I/O queues, kswapd will stall more often. It turns out that better results are had if kswapd is allowed to run for longer periods of time. Making direct reclaimers wait until both queues have cleared allows kswapd to get some real work done once it gets going. That is good for the creation of high-order chunks and the performance of the system in general.

Patch #4 also relates to kswapd's duty cycle. Kswapd will stop working and go to sleep once it decides that it has done enough; one definition of "enough" is when the amount of free memory reaches an upper watermark value. But if kswapd is running, chances are good that there is unmet demand for memory in the system; in that situation, the amount of free memory may not stay above the high watermark for very long. Mel's patch has kswapd start with a catnap rather than a real sleep; after 0.1 sec., kswapd wakes back up and reassesses the situation. If the amount of free memory has fallen below the high watermark in that time, kswapd goes back to work; otherwise it goes to sleep for real. In this way, kswapd will continue to work to free memory if the system is consuming it quickly.

The final patch touches on another aspect of waiting for congestion. When block devices become congested, kswapd waits for things to clear. But, Mel notes, that may not be the right thing to do in all situations:

However, on systems with large numbers of high-order atomics due to crappy network cards, it's important that kswapd keep working in parallel to save their sorry ass.

In the original version of the patch, kswapd would become increasingly resistant to waiting for congestion as the situation got worse. Motohiro Kosaki suggested an alternative approach, though, wherein kswapd simply refuses to wait as long as the high watermark is not reached, and Mel adopted it.

Mel's patch posting includes a fair amount of information on how he has tested it and what the results are. With the patch set applied, allocation failures are fewer, and system throughput improves as well. The sad truth about memory management patches, though, is that a change which improves one workload may worsen another. So these changes really need some widespread testing, especially since there is some interest in getting them into 2.6.32.

Comments (none posted)

Receive packet steering

By Jonathan Corbet
November 17, 2009
Contemporary networking hardware can move a lot of packets, to the point that the host computer can have a hard time keeping up. In recent years, CPU speeds have stopped increasing, but the number of CPU cores is growing. The implication is clear: if the networking stack is to be able to keep up with the hardware, smarter processing (such as generic receive offload) will not be enough; the system must also be able to distribute the work across multiple processors. Tom Herbert's receive packet steering (RPS) patch aims to help make that happen.

From the operating system's point of view, distributing the work of outgoing data across CPUs is relatively straightforward. The processes generating data will naturally spread out across the system, so the networking stack does not need to think much about it, especially now that multiple transmit queues are supported. Incoming data is harder to distribute, though, because it is coming from a single source. Some network interfaces can help with the distribution of incoming packets; they have multiple receive queues and multiple interrupt lines. Others, though, are equipped with a single queue, meaning that the driver for that hardware must deal with all incoming packets in a single, serialized stream. Parallelizing such a stream requires some intelligence on the part of the host operating system.

Tom's patch provides that intelligence by hooking into the receive path - netif_rx() and netif_receive_skb() - right when the driver passes a packet into the networking subsystem. At that point, it creates a hash from the relevant protocol data (IP addresses and port numbers, in particular) and uses it to pick a CPU; the packet is then enqueued for the target CPU's attention. By default, any CPU on the system is fair game for network processing, but the list of target CPUs for any given interface can be configured explicitly by the administrator if need be.

The code is relatively simple, but it succeeds in distributing the load of receive processing across the system. The use of the hash is important: it ensures that packets for the same stream of data end up on the same processor, increasing cache locality (and, thus, performance). This scheme is also nice in that it requires no driver changes at all, so it can be deployed quickly and with minimal disruption.

There is one place where drivers can help, though. The calculation of the hash requires accessing data from the packet header. That access will necessarily involve one or more cache misses on the CPU running the steering code - that data was just put there by the network interface and thus cannot be in any CPU's cache. Once the packet has been passed over to the CPU which will be doing the real work, that cache miss overhead is likely to be incurred again. Unnecessary cache misses are the bane of high-speed network processing; quite a bit of work has been done to eliminate them wherever possible. Adding a new cache miss for every packet in the steering code would be counterproductive.

It turns out that a number of network interfaces can, themselves, calculate a hash value for incoming packets. That processing comes for free, and it could eliminate the need to calculate that hash (and suffer the overhead of accessing the data) on the dispatching processor. To take advantage of this capability, the RPS patch adds a new rxhash field to the sk_buff (SKB) structure. Drivers which are able to obtain hash values from the hardware can place them in the SKB; the network stack will then skip the calculation of its own hash value. That should keep the packet's data out of the dispatching CPU's cache entirely, speeding processing.
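
The steering decision described above, modeled in user space as an added example (not code from Tom Herbert's patch): a hash over the flow's addresses and ports picks a CPU from the configured list, and a driver-supplied rxhash skips the software hash. The FNV-1a hash, the struct and function names, and the sample addresses are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header fields the article says feed the hash (IPv4 only, constructed). */
struct flow_key {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

struct packet {
    struct flow_key hdr;
    uint32_t rxhash;            /* hash from the NIC; 0 means none supplied */
};

/* Counts software hash computations, i.e. the times the steering CPU had
 * to touch packet header data. */
static unsigned long header_reads;

/* FNV-1a is an assumption made for this sketch, not the hash in the patch. */
static uint32_t fnv1a(uint32_t h, uint32_t value, int nbytes)
{
    for (int i = 0; i < nbytes; i++)
        h = (h ^ ((value >> (8 * i)) & 0xffu)) * 16777619u;
    return h;
}

static uint32_t flow_hash(const struct flow_key *k)
{
    uint32_t h = 2166136261u;

    header_reads++;
    h = fnv1a(h, k->saddr, 4);
    h = fnv1a(h, k->daddr, 4);
    h = fnv1a(h, k->sport, 2);
    h = fnv1a(h, k->dport, 2);
    return h;
}

/* Pick the CPU for a packet from the administrator's list; -1 if the list
 * is empty. The same flow always yields the same hash, hence the same CPU. */
static int steer_cpu(const struct packet *p, const int *cpus, size_t ncpus)
{
    uint32_t h;

    if (cpus == NULL || ncpus == 0)
        return -1;
    h = p->rxhash ? p->rxhash : flow_hash(&p->hdr);
    return cpus[h % ncpus];
}

static const int demo_cpus[4] = { 0, 1, 2, 3 };

/* Constructed traffic: flows from one client that differ only in source port. */
static struct packet demo_packet(unsigned i)
{
    struct packet p = { { 0xc0000201u, 0xc6336407u,
                          (uint16_t)(40000u + i), 443 }, 0 };
    return p;
}

/* How many of the 64 constructed flows land on the given CPU. */
static unsigned flows_on_cpu(int cpu)
{
    unsigned n = 0;

    for (unsigned i = 0; i < 64; i++) {
        struct packet p = demo_packet(i);
        if (steer_cpu(&p, demo_cpus, 4) == cpu)
            n++;
    }
    return n;
}

int main(void)
{
    struct packet hw = demo_packet(0);

    for (int cpu = 0; cpu < 4; cpu++)
        printf("cpu %d: %u flows\n", cpu, flows_on_cpu(cpu));

    hw.rxhash = 6;              /* constructed hardware-supplied hash */
    printf("software hashes so far: %lu\n", header_reads);
    printf("hardware-hashed packet -> cpu %d\n", steer_cpu(&hw, demo_cpus, 4));
    printf("software hashes after:  %lu\n", header_reads);
    return 0;
}
```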

How well does this work? The patch included some benchmark results using the netperf tool. An 8-core server with a tg3-based network interface went from 90,000 transactions per second to 285,000; an e1000-based adapter on the same system went from 90,000 to 292,000. Similar results are obtained for nForce and bnx2x chipsets on 16-core servers. It would appear that this patch does succeed in making networking processing faster on multi-core systems.

The patch, incidentally, comes from Google, which has a bit of experience with network processing. It has, evidently, been running on Google's production servers for a while. So the RPS patch is, hopefully, an early component of what will be a broad stream of contributions from Google as that company tries to work more closely with the mainline. It seems like a good start.

Comments (6 posted)

SamyGO: replacing television firmware

By Jake Edge
November 14, 2009

While it is quite common for consumer electronics—TVs, DVRs, and the like—to be running Linux these days, it is less common to see projects geared towards replacing and upgrading the Linux firmware in that class of devices. But that is exactly what the SamyGO project is doing for Samsung televisions. By using the source provided by Samsung, along with quite a bit of ingenuity, SamyGO allows users to telnet into their television—an amusing concept—but also to enable functionality beyond that which ships with the device.

The SamyGO wiki lists several modifications that can be made to the TV firmware. One of the main modifications seems to be enabling NFS or SMB/CIFS support so that media files from servers on the network can be played. The TVs already support getting media from the local network using Digital Living Network Alliance (DLNA) protocols, but there are restrictions on the audio and video formats and some playback functionality (pause, forward, rewind) depending on the DLNA server. By using NFS or CIFS, all of the formats and features available for USB-based playback are also available across the network.

Obviously, these are fairly high-end TVs, with both Ethernet connectivity and USB ports. The devices "supported" by SamyGO are LCD models in the LE-32-55Bxxx series and LED models from the UE-xx-B70xx series. The USB ports are available for viewing/playing additional media or for games. Using the "Games" menu with programs stored on a USB stick is one of the ways to run programs on the TV.

The USB ports are also used for a Samsung-branded WiFi "dongle" that owners can buy to avoid the wiring hassle of Ethernet. But, Linux supports far more wireless devices than just the Samsung devices, so SamyGO developers are working to enable others as well. In fact, the Ralink rt73 and rt2870 drivers have been modified in the kernel source supplied by Samsung to remove many additional device IDs, so that only the Samsung devices will work. There are now drivers available without that restriction.

The early efforts have been to get telnet working so that the TV filesystem could be explored. This is done by patching the firmware binaries provided by Samsung and then using the TV's firmware upgrade mechanism to install them on the device. The aptly named "Warning : Read Me First or Brick Your TV!" message in the SamyGO forum outlines the dangers of upgrading the firmware. For those that just want to try this all out, without upgrading any firmware, a safer method is also described, which masquerades as a game on a USB stick to enable telnet.

The kernel is 2.6.18-based with the addition of Samsung's Robust FAT File System (RFS), which is a filesystem for NAND flash devices. As the name would indicate, it is also FAT compatible. It is not in the mainline, however, nor have the SamyGO developers gotten it working for desktop distributions. For that reason, they have resorted to binary patching of the firmware.

Samsung has also released RFS source, along with a Linux porting guide that should be helpful in those efforts. Once RFS can be built for recent kernels, or a utility to create RFS images is made, developers will be able to build their own firmware images for these TVs. [ Update: see the comments below, there is no source RFS release. ]

The kernel source is available, but the project has not yet released any kernels built from it. The Ralink drivers were rebuilt after modifying the device IDs, though, so they can be inserted into the system. The kernel itself has been patched, adding OMAP architecture and sound support among other things, but there has been no mention of binary drivers on the forum, so it should be possible to build the released kernel—or something more recent.

So far, Samsung doesn't seem to have reacted to the project, either positively or negatively. Some concern has been expressed in the forum that working around the WiFi restrictions might raise the company's ire. But one would guess that the number of folks willing to risk bricking an expensive TV in order to use a cheaper WiFi dongle is relatively small—likely to go unnoticed by Samsung.

In the meantime, if the SamyGO hackers add other functionality that might be interesting to customers—there has been talk of web browsers for example—Samsung might just adopt it themselves. Either way, the code is out there for those who might want to give it a try.

Comments (46 posted)


Page editor: Jonathan Corbet


News and Editorials

openSUSE 11.2

November 18, 2009

This article was contributed by Susan Linton

Right behind Mandriva and Ubuntu, openSUSE 11.2 arrived as scheduled after almost a year of development. This incremental version increase has enough new features to warrant a closer look. Sometimes adding so many new features between minor versions can backfire. Is that what happened this time with openSUSE 11.2? Or are we seeing some early effects of the newly sanctioned community contributions?

So What's New?


The first thing anyone might notice is the new theme. Developed by KDE's Nuno Pinheiro, it has a very "Airy" look and feel to it. I say theme, but I really mean the background and application graphics because KDE still hasn't offered a decent window decoration for KDE 4 and openSUSE 11.2 is using KDE's default. I don't want to spend too much time on appearances, but while most have found the desktop unattractive, I have seen a few positive remarks for the olive and peridot greens.

Speaking of KDE 4, KNetworkManager recently received an overhaul and the bulk of the work was done by openSUSE developer Will Stephenson, with contributions from Fedora, Kubuntu, and other developers. This rewrite has been in the works for quite a while and it is still not fully completed now. Struggles with the interface plagued development and improvements sit at the top of the todo list for future releases. As it is, it's built with QT4 and fits in with the KDE Plasma desktop adequately. The current interface hides most available wireless connections detected from the default view, instead only listing those previously used. Other little goodies include setting custom icons on a per connection basis, configurable tooltips, one-click connects, and the option of forcing password input on each connect for users.

The YaST Control Center has been ported to QT4 for the KDE desktop as well. It still resembles the GTK version for GNOME quite a bit and is said to be more consistent with KDE System Settings, but somehow it doesn't feel very polished. The fonts are atrocious, and I had to configure some of my hardware (scanner and TV card) more than once for it to actually take effect. This is very uncharacteristic for openSUSE and I have to wonder what happened. Also new this time is WebYaST, an easy-to-use remote management and administration interface.


The YaST2 Software Manager also saw a few tweaks for this release. The GUI features a new View tab that's actually a drop down menu containing various package viewing choices. Underneath, Zypper now functions a bit faster and includes the option of downloading only. Also new for this release is openSUSE's equivalent to a dist-upgrade. A live update can be performed from the GUI or command line, although reports have stated that the command line route is more reliable at this point.

The Firefox KDE integration has received quite a bit of publicity during the development cycle. Basically, that consists of setting Firefox as the default KDE browser and calling KDE applications when a trigger is clicked. For example, Firefox will open Okular when a PDF link is clicked. This ties in with file dialogs and application selection screens, mimetype and protocol handling (such as mailto), and proxy settings. It also uses KDE icons and widgets and can add RSS feeds to Akregator. Several other distributions have switched their KDE default browser to Firefox recently as well, but openSUSE is the only one to try and integrate it so completely. More features are being planned in this area for future releases. As in many distributions, "check for updates" is disabled, but this is the only time I can really see a good reason why.

Some changes can be seen in the installer as well. KDE has been returned to the default desktop choice of the install DVD. GNOME is listed first, but KDE is ticked. Apparently this was done to lessen the number of choices a new user might have to make during the install process. Ext4 is the new default filesystem and Btrfs is available for particularly brave souls. Full disk encryption is now available for the security minded. And for netbook users, the live CDs can be copied to and booted from USB memory sticks.

At the desktop, KDE's Strigi and Nepomuk are disabled by default to lessen system requirements and improve performance. In contrast to KDE, the new GNOME theme is receiving quite a bit of praise. Pidgin remains the included instant messenger for GNOME instead of migrating to Empathy like some others, and new microblogging clients were added for the two major desktops, Gwibber and Choqok. The primary desktops are KDE 4.3.1, GNOME 2.28, Xfce 4.6.1, and Enlightenment 1.0. has been upgraded to 3.1.1, Firefox to 3.5.4, and GIMP 2.6.7. Under the hood is Linux kernel, Xorg X Server 1.6.5, and GCC 4.4.1.


Issues Encountered

openSUSE has traditionally been a very polished and professional system; rock solid underneath with pretty GUIs on top. However, 11.2 has slipped some. After installation, the fonts were very ugly and distracting. I've seen complaints in the past about openSUSE fonts, but I've never personally been affected. But with 11.2, my desktop was almost unusable until I tweaked the fonts. However, try as I might, I still could not bring openSUSE 11.2 fonts up to par with my other systems.

It's not uncommon for sound to only emit from my two rear speakers in some Linux distributions. I don't consider this a problem, really, since the front is usually a mirror of the rear with my card, but when sound only comes from one of the rear speakers, then I've got to say that something is wrong somewhere. My sound card is detected with similar output as in other distributions, the same ALSA modules are used, and the mixer channels were thoroughly reviewed. So, at this point, it's a mystery why this old and usually well supported card went oblong in this release.

I've also had real issues with Akregator in KDE. Admittedly, it's always been unstable in KDE 4, but I've been experiencing more frequent crashes in openSUSE. It seems to crash, taking the rest of Kontact with it, five or six times a day. Sometimes it loses all the articles pulled in previously making it quite a chore to continue using it.

KDE settings, in general, have been acting strangely too. For example, losing settings between openings, settings that never take or change the behavior, and settings that won't change - they appear to change, but don't take effect and when I check back, the original settings are depicted in the input box as if I'd never touched them.

As far as performance, which seems to be a hot topic this year, 11.2 does seem to boot faster, but I'm not seeing anything impressive in its KDE. Many issues found might have been lessened if KDE had been updated to one of the newer releases, because 4.3.1 (even with some 4.3.2 backports) still has many performance and functionality issues.


Overall this version of openSUSE acts more like a point-0 release or even a release candidate. Everything feels rough around the edges and as though lots more work is needed. There's no dispute that openSUSE developers are the most aggressive between minor version releases, but this is the most dramatic effect I've witnessed from them. Polish and excellence have always been trademarks of openSUSE, so much so that I've come to expect only that. So, it's shocking to have seen an openSUSE released in such rough condition.

Having said that, I still look forward to 11.3 and have confidence that it will be up to openSUSE's usual standards. In Linux, developers are always fighting "the damned if you do and damned if you don't" paradox. If they don't release when users expect, then they risk losing lots of momentum, much like PCLinuxOS experienced in 2008 and early 2009. Or on the other hand, if they release on time, even though they know there are issues, they risk the bad press and decreased user confidence like that seen with the latest release (or two) of Ubuntu.

I would like to give openSUSE the benefit of the doubt but my best recommendation is for folks to wait for the next release, especially if they are KDE users. GTK/GNOME users might have better luck. However, overall, 11.2 isn't the best example of its work and we should wait for the next release so that it can sand down the rough edges.

Comments (13 posted)

New Releases

Fedora 12 released

Fedora 12 is out. See the announcement (click below) for an impressively long list of new features, the feature list for even more information, or the one-page release notes for the executive summary.

Full Story (comments: 20)

Fedora 12 LXDE Spin withdrawn (for now)

It seems that the Fedora 12 LXDE spin does not behave quite as expected: "The problem is a crash in lxde-settings-daemon that triggers abrt, the automatic bug reporting tool. Because lxde-settings-daemon gets restarted by lxsession the bug reporting tool goes into an infinite loop, consumes all CPU power and makes the computer crash when the overlay image of the live OS is filled up." On the notion that this behavior is not desirable, the images have been removed for now. Those who have already downloaded a copy might want to wait for the update before attempting an install (or just install LXDE on top of a regular F12 system).

Full Story (comments: 3)

Knoppix 6.2 arrives (The H Open)

The H covers the release of Knoppix 6.2. "The Knoppix developers have released version 6.2 of their popular Linux distribution. Knoppix is a bootable CD distribution of Linux incorporating automatic hardware detection and can be used to demo Linux, as an educational CD, a rescue system, etc. Knoppix uses on-the-fly decompression so it can have up to 2 GB of data and software installed on a distribution CD. The latest release is based on the "Testing" and "Unstable" branch of Debian and includes several bug fixes and updates."

Comments (none posted)

openSUSE 11.2 is out

Version 11.2 of openSUSE has been announced. "openSUSE 11.2 includes new versions of GNOME, KDE,, Firefox, the Linux kernel, and many, many more updates and improvements. In 11.2 you'll find more than 1,000 open source desktop applications. openSUSE also includes a full suite of server software and a rich selection of open source development tools."

Full Story (comments: 6)

Ubuntu Studio 9.10 Karmic Koala

The Ubuntu Studio team has announced the release of Ubuntu Studio 9.10 "Karmic Koala". "With this release, which you can download in a 1.4GB DVD, Ubuntu Studio offers a pre-made selection of packages, targeted at audio producers, video producers and graphic designers. Ubuntu Studio greatly simplifies the Linux-based multimedia workstation."

Full Story (comments: none)

Vector Linux 6.0 Kde Classic

The VectorLinux crew has announced the final release of VL6.0-KDE-CLASSIC. "This release is not about bleeding edge technology. On the other hand, it is not about nostalgia either. KDE 3.5.10 gets the job done. It is a mature and solid product with a large user base. Many of us are comfortable with it, and are not yet ready to leave it behind. We thought it only right to make a robust system with KDE 3.5.10 at the helm."

Comments (none posted)

XtreemOS 2.0 released

XtreemOS 2.0 has been announced; it is a grid-oriented distribution developed with support from the European Union. One of the core components appears to be the XtreemFS distributed filesystem. "XtreemOS brings new capabilties to Grids, such as easing job submission and monitoring, while providing a comprehensive security implementation and virtual organization management."

Comments (3 posted)

Announcing Fedora Electronic Lab 12

Fedora Electronic Lab team has announced the release of the Fedora Electronic Lab 12 LiveDVD. "This release highlights Fedora's commitment in strengthening the electronic hardware communities with an advanced Electronic Design Automation (EDA) environment."

Full Story (comments: none)

Fedora-ARM 12

Fedora 12 for ARM is now available. "The following package groups are available: Base, Core, Base-X, GNOME-Desktop, XFCE-Desktop, Java, Java-Development, Admin-Tools, System-Tools, Web Server, and commonly used embedded packages."

Full Story (comments: none)

Distribution News

Debian GNU/Linux

Bits from the FTPMaster meeting

The Debian FTP Team has a report from a meeting during the last week of October. "During this meeting more than half of our codebase got changed and multiple outstanding and intrusive patches got merged. We also discussed various outstanding topics, a few of which we can report about already, a few others where we still have to gather more information. This process, either asking our lawyers or various other people, has already been started."

Full Story (comments: none)


RPM Fusion repositories for Fedora 12 now available

The RPM Fusion team has announced the public availability of its free and nonfree package repositories for Fedora 12 (Constantine). "The repositories contain multimedia applications, kernel drivers, games and other software the Fedora Project doesn't want to ship for various reasons."

Full Story (comments: none)

Mandriva Linux

Mandriva 2010 Spring development has begun

Frederik's Blog takes a look at Mandriva 2010.1 development. "One week ago, Mandriva Cooker, which will lead to version 2010 Spring in about 6 months was opened again. In 8 days, this has resulted in almost 1100 package updates." Updates include 7.5, QT 4.6.0 and KDE 4.4, Firefox 3.6 beta 2, and more.

Comments (none posted)

SUSE Linux and openSUSE

openSUSE board meetings to be public

The openSUSE board meetings will now be open to the public. The meetings will be held in IRC on a moderated meeting channel; questions will be allowed at the end of meeting. "The openSUSE Board has decided to open up its bi-weekly IRC meeting to the public. The meeting will be held in the #opensuse-project channel on The openSUSE Board will meet after each openSUSE Project meeting, every other Wednesday, to discuss topics concerning the project. This includes governance issues, strategy for the project, and membership requests."

Comments (none posted)

What does the openSUSE Board do?

Michael Löffler covers the functions of the openSUSE board. "As we're facing upcoming openSUSE Board election I'd like to share with you what the current Board normally does. This is especially for people which may run for a Board seat and so might know better what they can expect and how much time is needed for that. But for everybody else it should help to make a picture what those Board members are doing. Currently we do have bi-weekly meetings in IRC which are scheduled for 2 hours. In average I'd say we need those 2 hours. Apart of this fixed meeting we Board Members communicate ongoing via emails or IRC."

Comments (none posted)

Ubuntu family

Minutes from the Ubuntu Technical Board meeting

Click below for the minutes of the November 17, 2009 meeting of the Ubuntu Technical Board. Topics include Archive reorganization, Units Policy, Ubuntu Translations permission policy, 10.04 LTS release plan, Ubuntu Licensing Policy, and Execute Permission Policy.

Full Story (comments: none)

Developer Membership Board public meeting: 2009-11-24 15:00 UTC

There will be a public meeting of the Ubuntu Developer Membership Board on Tuesday, November 24, 2009 on IRC. "Everyone is welcome to attend. If you have a pending application to main upload privileges, it would be appreciated if you could participate."

Full Story (comments: none)

Distribution Newsletters

DistroWatch Weekly, Issue 329

The DistroWatch Weekly for November 16, 2009 is out. "openSUSE 11.2, one of the oldest and most popular Linux distributions, has kept many users on Linux web sites throughout the past week. What are the new features? How does it perform? Does it come with any major innovations? What packages does it ship with? For answers to all these and other questions please read our feature article - a first-look review of openSUSE 11.2. In the news section, Fedora developers give a green light to the release of version 12 later this week, openSUSE announces an upcoming release of a special edition for children and educational establishments, Mandriva moves swiftly to update a vast number of packages in its "Cooker" development branch, and pfSense celebrates its fifth birthday with a launch of a book dedicated to the FreeBSD-based firewall distribution. Finally, if you are wondering why the latest Ubuntu fails the Shields up port scanning test then read on - there is an easy fix. All this and more in this week's issue of DistroWatch Weekly, happy reading!"

Comments (none posted)

Fedora Weekly News 202

The Fedora Weekly News for November 15, 2009 is out. "In Announcements, the always-popular name selection process for the next Fedora release is underway, and nominations are open for December's Fedora elections. Planet Fedora contributes a look at the new Fedora Community site, some benchmarks of improbably large filesystems and a guide to using the Sugar desktop on Fedora. From Quality Assurance we hear about some more AutoQA improvements and the last stretch of the Fedora 12 release process. The Design team has been working on media art and website banners for the Fedora 12 release. Security Advisories summarizes the security patches released for Fedora 10 and 11 over the past week. In Virtualization, we discuss creating network bridges for virtual machines when using NetworkManager, and a new release of libguestfs. There's also news on the state of Xen support in Fedora 12. Finally, the KDE section brings us up to date on some new backends for the Nepomuk semantic desktop system, and the replacement of gtk-qt-engine with kcm-gtk for Fedora 12. Enjoy the read!"

Full Story (comments: none)

OpenSUSE Weekly News/97

This issue of the OpenSUSE Weekly News covers openSUSE 11.2 Released!, Launch Party Locations, KDE.NEWS/Will Stephenson: Introducing KDE 4 KNetworkManager, Joe Brockmeier: Microblogging with Choqok in openSUSE 11.2, h-online/Thorsten Leemhuis: Kernel Log: Coming in 2.6.32 (Part 2) - Graphics, and more.

Comments (none posted)

Ubuntu Weekly Newsletter #168

The Ubuntu Weekly Newsletter for November 14, 2009 is out. "In this issue we cover: UDS: How to participate even if you aren't attending, Lucid translation imports are now active, New Ubuntu Developers, New York State Release Celebration, The Planet: Dustin Kirkland, Shane Fagan, Arkeia Releases Free Network Backup Software for Ubuntu, Canonical and Creative Commons Meet Donations Target, and much, much more!"

Full Story (comments: none)

Distribution reviews

Fedora 12 Linux Tackles Virtualization (InternetNews)

InternetNews has a look at Fedora 12 virtualization features, including libguestfs, huge page support, and kernel shared memory: "Frields noted that a key new feature is the ability of the virtualization hypervisor to understand duplicate pages across guests. [...] 'So if, for example, you're running a host that has ten or twelve instances of the same operating system ... a large number of their memory pages might actually be duplicated across guests,' Frields said. 'So the system has the ability to find those pages and simply point them to one page on the host's memory. So the actual memory used drops by quite a bit.'"

Comments (none posted)

New Ubuntu OS Features Create Good Karma (LinuxInsider)

LinuxInsider reviews Ubuntu 9.10 (Karmic Koala). "Perhaps the most significant enhancement for the typical Ubuntu user is the new Software Center application. The previous software manager app, Add/Remove Applications, is still available. You can also find thousands of free and open source software packages using three or four other download engines once you add them. However, the Software Center gives more details on thousands of free and open source applications. Clicking on a "next page" arrow opens an install or remove option. Categories include Education, Games, Sound and Video, Graphics, Programming and Office."

Comments (none posted)

Fedora 11 is almost awesome (Rubenerd Blog)

Rubénerd Blog has a review of Fedora 11. "Aside from the standby issue, so far so good. I've got the OpenSolaris Nimbus theme installed for a change (look at that, my ThinkPad looks like the computers at uni!) and am finding it to be a productive environment to work in. From my experience I reckon Fedora and Slackware with the Slackbook are the closest any Linux distribution has come to the FreeBSD Handbook. Fedora's online documentation is excellent, and their wiki contains a ton of useful information." Thanks to Rahul Sundaram

Comments (none posted)

Page editor: Rebecca Sobol


Officeshots: making ODF truly interoperable

November 18, 2009

This article was contributed by Koen Vervloesem

Complex file formats, such as those used for office documents, inevitably lead to differences in interpretation by application developers. If a user sends a document to someone else who views it in a different application or version, chances are that the output shows some subtle differences or, by bad luck, that the formatting is completely munged. For people that give presentations regularly, this is a constant nightmare: they have to hope that the office application on the conference laptop is able to show the presentation without mangling the slides. These problems are not tied to proprietary file formats: open standards such as ODF (Open Document Format) also have interoperability issues.

[Upload screen]

A web service, Officeshots, was recently launched to remedy this problem. The project is in public beta and users can register for free to upload their ODF documents. The web site then generates the output of the document using various office applications, which enables the user to check for interoperability issues. The launch of the public beta took place during the second ODF plugfest in Orvieto, Italy on November 2nd and 3rd. A lot of vendors and developers using ODF in their software gathered in Orvieto, such as IBM, Google,, Novell, KOffice, AbiWord, and Microsoft.

Officeshots is a project by NOiV (Netherlands in Open Connection), a Dutch government program to promote the use of open standards and open source, in collaboration with the OpenDoc Society and NLnet Foundation, a Dutch non-profit organization that financially supports contributors to an open information society. LWN talked to Sander Marechal, who developed the bulk of the Officeshots code and is the project leader. He owns Lone Wolves, a small non-profit open source development company based in The Netherlands.

In June 2008, Sander was invited by Michiel Leenaars (of OpenDoc Society and NLnet) to give a talk at Sun Microsystems in Hamburg about another Lone Wolves project, ODF-XSLT. Sander drove to Hamburg with Michiel and the two talked about their mutual interests. That car drive started the ball rolling:

Later in November, Michiel came back to me with the idea of Officeshots, inspired by the Browsershots web service that makes screenshots of a web site in different browsers. In the world of office software, such a service didn't seem to exist. We looked at what we needed for such a project. After I checked if it was actually possible to develop, I did a project proposal to NLnet and they found it a good idea. That's when Officeshots really started, and I started programming, funded by NLnet Foundation, OpenDoc Society and NOiV.

As the director of strategy for NLnet and a member of the OpenDoc Society, Michiel Leenaars had a lot of contacts with office software vendors, both open source and proprietary, including Sun, Novell, and Google. He got them interested in the Officeshots project and talked with other developers. During the recent plugfest, the project even got some Microsoft Office licenses as a gift.

Document factories

The Officeshots web site has a very simple user interface: the user submits a document, and the site delivers a PDF export, a screenshot, or a round-trip ODF file produced by the applications the user selects. A round-trip ODF means that an application opens the ODF document and then saves it again. So if the user chooses round-trip ODF as the output format, he gets an ODF document back. What's the point of this? Sander explains the importance:

Roundtripping ODF documents through various office applications is the main point of interoperability testing. You want your ODF documents to come out well, even if you use a different office application than your coworkers, clients or boss, who all collaborate with you on your documents.

[Download screen]

Currently supported applications are different versions of AbiWord, Gnumeric, EuroOffice, Go-oo, Corel WordPerfect, KOffice,, StarOffice, TextMaker, and PlanMaker, in Linux/BSD as well as in Windows. Supported document formats are Open Document texts, spreadsheets, and presentations. The user can also create a public gallery to show conversion errors to others. A simple test using some ODF files in the example content that comes with Ubuntu definitely shows interoperability issues.

Under the hood, the user's uploaded file gets distributed to rendering servers hosted by vendors and the community. The Officeshots project calls each server that is producing output a factory. Most of the factories are run by the Officeshots project, which has a couple of virtual machines running on the Xen hypervisor to guarantee that the service is always able to produce some output.

Other factories are run by people from AbiWord, Gnumeric, and other projects, and a couple are run by volunteers. Sander highlights the first two projects:

The AbiWord and Gnumeric factories are really interesting because they provide the development trunk versions of their applications to Officeshots. We hope to convince other application developers (e.g. Sun) to do the same in the future.

The Officeshots project has a list of factories (currently 14) and a list of active factories (at the moment of writing 5). At this moment, the project is waiting for a new server that will host virtual machines with various Linux distributions, as well as Windows with Microsoft Office.

Contribute to Officeshots

The Officeshots project not only provides the free online web service, but also provides the code for the underlying framework (Affero GPLv3-licensed). While Sander admits that there haven't been that many external code contributions yet, he points out that there are a lot of other means by which one can contribute to the project: people can run a factory, translate Officeshots to their language, or donate hardware or software licenses.

People who want to run their own factory should contact Officeshots and consult the manual. The code can be downloaded from the Officeshots Subversion repository. The manual also explains how to implement a backend for a not-yet-supported application. The simplest way is if the application offers command-line conversion functionality. This led at least one team to implement this feature into their office application, Sander remarks:

Ganesh Paramasivam from the KOffice 2 team made some changes to KOffice to make it easier to hook into Officeshots. His patches made it possible to do document conversion from the command line using KOffice 2. That way we could use the existing CLI backend of our rendering factory to support KOffice 2.

But actually, one doesn't have to go that far to give a helping hand to the project's mission: if a user detects interoperability issues thanks to Officeshots and reports the problem to the relevant office applications, then the project has succeeded.

New functionality

The Officeshots developers have a couple of ideas to implement in the future. Of course they will add new backends. For example, Sander has already written a backend for an older version of Microsoft Word using the Sun ODF plugin, so when the Windows virtual machines are ready, a new Microsoft Office backend will be one of the possibilities. They will also add backends for the office viewer of Symbian S60 smartphones.

But other than new backends, the project has some additional new features in the pipeline. One notable feature is an ODF diff tool. "We are looking at a commercial tool by, which is very useful because normal XML diffs generate too much noise," Sander explains. "Using it shows clearly that Microsoft Office replaces formulas and charts when saving." Another feature in the pipeline is a service running the ODF Validator against an uploaded document. "But we are also looking into ODF validators that can generate messages a normal human being can understand, instead of throwing cryptic XML exceptions like most XML validators do." Another plan is to integrate the complete ODF 1.0 test suite into Officeshots. A factory could then be periodically offered a set of hundreds of documents to automate parts of the test suite.


The project is also seeking some ways to protect the user's privacy. If users upload documents with sensitive information, they should know that Officeshots and the factories can read this information. At the moment, the project asks their users to have trust in the Officeshots project and third-party factories. Sander adds:

All traffic between the web service and the factories is already encrypted with SSL using client certificates and we check everyone that wants to run a factory, but we want to do more to protect the privacy of our users. We'll add an ODF anonymizer on our server, a script written by J. David Ibáñez from itools that replaces all text by nonsense text, that replaces metadata, and that changes images to placeholders. Doing this, the script takes pains to keep the same structure and formatting of the document, so people can upload documents without fear of leaking information, while still being able to check for interoperability issues in the output. This tool is ready, we only have to integrate it in the online web service, which will happen before the end of the year.

Because the anonymizer will run on the Officeshots server, the factories receive the modified text, so that users don't have to trust the third-party factories. But it still asks users to trust the people of the Officeshots server which runs the code that anonymizes the uploaded document. Concerned people can install itools locally (it is packaged in a couple of Linux distributions) and use the script (added in itools 0.60.3) to anonymize their documents before uploading them. For very sensitive documents, it is possible to run a local copy of the Officeshots web service and backends, but that takes time to install and configure.
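The structure-preserving anonymization described above can be sketched as follows. This is an added example, not the itools script or Officeshots code; the function names, the sample document and the placeholder values are constructed for illustration, and it covers only body text in content.xml, the fields in meta.xml, and files under Pictures/ and Thumbnails/.

```python
import io
import struct
import zipfile
import zlib
import xml.etree.ElementTree as ET

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "meta": "urn:oasis:names:tc:opendocument:xmlns:meta:1.0",
    "dc": "http://purl.org/dc/elements/1.1/",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def scramble(s):
    """Replace letters and digits; keep length, case, spacing and punctuation."""
    def sub(c):
        if c.isdigit():
            return "0"
        if c.isalpha():
            return "X" if c.isupper() else "x"
        return c
    return "".join(sub(c) for c in s)


def _xml(root):
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def anonymize_content(xml_bytes):
    """Scramble character data under office:body; elements and styles stay.
    Attribute values (link targets, cell values) are not touched here."""
    root = ET.fromstring(xml_bytes)
    body = root.find("office:body", NS)
    if body is not None:
        for el in body.iter():
            if el.text:
                el.text = scramble(el.text)
            if el.tail:
                el.tail = scramble(el.tail)
    return _xml(root)


def anonymize_meta(xml_bytes):
    """Overwrite every populated metadata field with a neutral value."""
    root = ET.fromstring(xml_bytes)
    meta = root.find("office:meta", NS)
    for el in (meta if meta is not None else []):
        if el.text and el.text.strip():
            local = el.tag.rsplit("}", 1)[-1]
            if local.endswith("date"):
                el.text = "1970-01-01T00:00:00"
            elif local == "editing-duration":
                el.text = "PT0S"
            elif local == "editing-cycles":
                el.text = "1"
            else:
                el.text = "anonymized"
    return _xml(root)


def placeholder_png():
    """A valid 1x1 grayscale PNG, always PNG whatever the original format."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one mid-gray pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def anonymize_odf(data):
    """Return a new ODF package with text, metadata and images replaced."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():  # source order kept, so mimetype stays first
            payload = src.read(info)
            if info.filename == "content.xml":
                payload = anonymize_content(payload)
            elif info.filename == "meta.xml":
                payload = anonymize_meta(payload)
            elif info.filename.startswith(("Pictures/", "Thumbnails/")) and not info.is_dir():
                payload = placeholder_png()  # the thumbnail is a rendering of page one
            # A fresh ZipInfo drops the original entry timestamps (default 1980-01-01).
            zi = zipfile.ZipInfo(info.filename)
            stored = info.filename == "mimetype"  # ODF wants mimetype uncompressed
            zi.compress_type = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
            dst.writestr(zi, payload)
    return out.getvalue()


def build_sample():
    """Constructed sample package, built in memory (manifest omitted for brevity)."""
    content = (
        '<office:document-content xmlns:office="%(office)s" xmlns:text="%(text)s">'
        "<office:body><office:text>"
        '<text:h text:outline-level="1">Q3 Layoffs</text:h>'
        "<text:p>Contact <text:span>Alice Smith</text:span>, ext. 4417.</text:p>"
        "</office:text></office:body></office:document-content>"
    ) % NS
    meta = (
        '<office:document-meta xmlns:office="%(office)s" xmlns:meta="%(meta)s" xmlns:dc="%(dc)s">'
        "<office:meta><dc:creator>Alice Smith</dc:creator>"
        "<meta:creation-date>2009-11-02T09:30:00</meta:creation-date>"
        "</office:meta></office:document-meta>"
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content)
        z.writestr("meta.xml", meta)
        z.writestr("Pictures/logo.png", b"constructed stand-in for private image bytes")
    return buf.getvalue()
```

Header and footer text in styles.xml and printer or path details in settings.xml are outside what this sketch rewrites, so a document that carries sensitive data there still needs those parts handled before upload.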


The Officeshots web site is a handy service for users that are evaluating which office application to migrate to. Thanks to the project, they don't have to install each application locally to check for interoperability issues. With the web service, they can easily check if each application does what it says. Also consider template designers and people creating documents for public release. With Officeshots, they can easily check if their documents work everywhere. Last but not least, it is also a helpful tool for the office software vendors who can spot errors in their ODF support. In these ways, the Officeshots project should accelerate interoperability in the office software market.

Comments (1 posted)

System Applications

Audio Projects

JACK 0.118.0 + D-Bus released

Version 0.118.0 of the JACK Audio Connection Kit has been announced. "D-Bus modifications add optional autodetected support for the D-Bus based server control system. D-Bus is object model that provides IPC mechanism. D-Bus supports autoactivation of objects, thus making it simple and reliable to code a "single instance" application or daemon, and to launch applications and daemons on demand when their services are needed."

Full Story (comments: none)

PulseAudio 0.9.20 released

Version 0.9.20 of the PulseAudio sound server has been announced. "This is mostly a bug fix release and includes a few new translations." See the changes document for details.

Comments (none posted)

Database Software

Elixir 0.7.1 released

Version of has been announced; it adds some new features and bug fixes. "Elixir is a declarative layer on top of the SQLAlchemy library. It is a fairly thin wrapper, which provides the ability to create simple Python classes that map directly to relational database tables (this pattern is often referred to as the Active Record design pattern), providing many of the benefits of traditional databases without losing the convenience of Python objects."

Full Story (comments: none)

MySQL Community Server 5.1.41 has been released

Version 5.1.41 of MySQL Community Server has been announced. "MySQL Community Server 5.1.41, a new version of the popular Open Source Database Management System, has been released. MySQL 5.1.41 is recommended for use on production systems. For an overview of what's new in MySQL 5.1, please see".

Full Story (comments: none)

PostgreSQL Weekly News

The November 15, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Device Drivers

libshcodecs 0.9.8 released

Version 0.9.8 of libshcodecs, a library for controlling SH-Mobile hardware codecs, has been announced. "This release adds the shcodecs-record tool, which encodes a video stream from camera with a simultaneous preview to the framebuffer. shcodecs-record supports V4L2 streaming I/O (USERPTR) mode for zero-copy access to image data captured via the SH-Mobile CEU."

Full Story (comments: none)

Mail Software

Exim 4.70 released

Version 4.70 of the Exim mail transfer agent has been announced. "This release is a combination feature and bug fix release. The major new features are:- * Native DKIM support without an external library. * Experimental DCC support via dccifd (contributed by Wolfgang Breyha)."

Full Story (comments: none)

Networking Tools

gevent 0.11.1 released

Version 0.11.1 of gevent has been announced; it includes bug fixes and other improvements. "gevent is a coroutine-based Python networking library that uses greenlet to provide a high-level synchronous API on top of libevent event loop."

Full Story (comments: none)

Web Site Development

Midgard2 9.09 "Mjolnir" released

Version 9.09 of the Midgard2 web development platform has been announced. "In this release we provide Content Repository API bindings for the following programming languages: C, Python, PHP and Objective-C. D-Bus signals are used to inform different Midgard2 applications about things happening in the repository, enabling for example a PHP website and a Python background process to communicate with each other."

Full Story (comments: none)

nginx 0.7.64 announced

Version 0.7.64 of the nginx web server has been announced; it includes bug and security fixes. See the CHANGES document for more information.

Comments (none posted)

Desktop Applications

Audio Applications

Ardour 2.8.4 released

Version 2.8.4 of the Ardour multi-track audio workstation has been announced. "Ardour 2.8.4 is here! It has been a month of mostly bug fixing activity, but some nice fixes they certainly are and we've included a couple of new features just to keep you all interested and paying attention. If you use BWF files for anything, this update is critical, because we have fixed a very serious error in the way we generate the header for such files. As of this writing, this is planned to be the last release of Ardour 2.X before 3.0alpha is announced (unless there are any critical breakages in this release)."

Comments (none posted)

Desktop Environments

Erlandsen: What We Talk About When We Talk About Zeitgeist

On his blog, Mikkel Kamstrup Erlandsen gives a technical overview of GNOME Zeitgeist. Zeitgeist essentially stores events using a Nepomuk ontology (formal data description) and allows those events to be queried. "There is a tangible confusion around as to what Zeitgeist is and what it isn't; what it can do and what it can't do. This is partly our own fault because we could have communicated this whole thing better, for instance we have some very outdated wiki pages lying around that you should probably stay away from until we updated them. In this post I aim to give a semi technical run down of the core Zeitgeist functionality and how we expose it for you to work with."

Comments (3 posted)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week:
  • xinit 1.2.0 (new features, bug fixes and code cleanup)
More information can be found on the X.Org Foundation wiki.

Comments (none posted)


XCircuit 3.6.163 released

Version 3.6.163 of XCircuit, an electronic circuit drawing program, has been announced. "As of November 6, 2009, I have changed version 3.6 to stable, and version 3.7 is the new development version. The stable release will only be updated with bug fixes, while all new development and experimental stuff will go into the development release."

Comments (none posted)


Wine 1.1.33 announced

Version 1.1.33 of Wine has been announced. Changes include: "- Gecko now installed at wineprefix creation time. - Better support for certificates in crypt32. - Improved sound support in mciwave. - Some more Direct3D 10 functions. - Many cleanups for issues spotted by Valgrind. - Various bug fixes."

Comments (5 posted)

Mail Clients

The notmuch mail client

Noting that "it’s a sad commentary on the Linux desktop that the most important feature for many people using Linux has no credible GUI application," Keith Packard and Carl Worth have announced the existence of "notmuch," a fast, search-oriented mail client. It appears to be in an early-adopter stage at this point, but it bears watching.

Comments (53 posted)

Sylpheed 3.0beta2 (development) released

Development version 3.0beta2 of the Sylpheed mail client has been announced. "Since this release fixes many important bugs related to multi-threading, it is highly recommended for 3.0beta1 users to upgrade to this version."

Comments (none posted)


Amarok 2.2.1 released

Version 2.2.1 of the Amarok media player has been announced. "It includes improvements to podcasts, collection scanning, automatic script updating and much more. Find out more at".

Full Story (comments: none)

Music Applications

BigBand - compose music for small ensembles

Version 1.0 of BigBand has been announced. "BigBand is a program to compose real music for real musicians."

Full Story (comments: none)

FluidSynth 1.1.0 released

Version 1.1.0 of FluidSynth has been announced. "On behalf of the FluidSynth development team, I'm happy to announce the release of FluidSynth 1.1.0 "A More Solid Fluid". This is the result of a 6 month development cycle and is the most significant release since 1.0.0. FluidSynth is a software wavetable synthesizer based on the SoundFont 2 specification."

Full Story (comments: none)

Office Applications

YaMA 1.6.4 released

Version 1.6.4 of YaMA has been announced. "Yet Another Meeting Assistant (YaMA), will help you with the Agenda, Meeting Invitations, Minutes of a Meeting as well as Action Points. If you are the assigned minute taker at any meeting, this tool is for you. Whats New in version 1.6.4 : 1. Interoperability enhancements: export Action Points to Wiki and CSV formats 2. Minor Bug Fixes".

Full Story (comments: none)

Video Applications

De Icaza: The future of Moonlight

On his blog, Miguel de Icaza writes about Moonlight's future. As it approaches the 2.0 release (which has feature parity with Silverlight 2.0 along with some 3.0 features), he has ideas on areas that could be explored using Moonlight. "I think of the Moonlight relationship to Silverlight as the Firefox relationship to IE four years ago. It is a chance to try out new ideas in the Silverlight-o-sphere, we can try those ideas out, and if the ideas have merit, they could become part of the official Silverlight."

Comments (49 posted)

Web Browsers

Firefox 3.6 Beta 3 is available

Version 3.6 Beta 3 of Firefox has been announced. "Last night the Mozilla community released Firefox 3.6 Beta 3, and issued an update for all Firefox 3.6 beta users. This update contains over 80 fixes from the last Firefox 3.6 beta, containing many improvements for web developers, Add-on developers, and users. More than half of the thousands of Firefox Add-ons have now been upgraded by their authors to be compatible with Firefox 3.6 Beta. If your favorite Add-on isn't yet compatible, you can also download and install the Add-on Compatibility Reporter from - your favorite Add-on author will appreciate it!"

Full Story (comments: none)

Languages and Tools


Caml Weekly News

The November 17, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)


IcedTea7 1.12 (Milestone 5) released

Version 1.12 of IcedTea7 has been announced; it adds many security patches, bug fixes and new capabilities. "The IcedTea project provides a harness to build the source code from OpenJDK7 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port."

Full Story (comments: none)


Parrot 1.8.0 released

Version 1.8.0 of Parrot has been announced; it includes numerous additions and improvements. "On behalf of the Parrot team, I'm proud to announce Parrot 1.8.0 "Zygodactyly". Parrot,, is a virtual machine aimed at running all dynamic languages."

Full Story (comments: none)

redesigned (use Perl)

use Perl has an announcement about the redesign of the site. "This is a complete redesign and content review. Hopefully it's cleaner and easier for people to actually get the information they are after."

Comments (1 posted)


ftputil 2.4.2 released

Version 4.2 of ftputil has been announced; it includes several bug fixes and an installation improvement. "ftputil is a high-level FTP client library for the Python programming language. ftputil implements a virtual file system for accessing FTP servers, that is, it can generate file-like objects for remote files."

Full Story (comments: none)

Urwid 0.9.9 released

Version 0.9.9 of Urwid, a console-based user interface library for Python, has been announced. "This release includes many new features developed since the last major release. Urwid now supports 256 and 88 color terminals. A new MainLoop class has been introduced to tie together widgets, user input, screen display and an event loop. Twisted and GLib-based event loops are now supported directly. A new AttrMap class now allows mapping any attribute to any other attribute. Most of the code base has been cleaned up and now has better documentation and testing."

Full Story (comments: none)

Python-URL! - weekly Python news and links

The November 16, 2009 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)


Tcl-URL! - weekly Tcl news and links

The November 13, 2009 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)


Pydev 1.5.1 released

Version 1.5.1 of Pydev, an Eclipse plugin for Python, has been announced. "Release Highlights: * Improvements in the AST rewriter * Improvements on the refactoring engine: o No longer using BRM o Merged with the latest PEPTIC o Inline local available o Extract method bug-fixes o Extract local on multi-line o Generating properties using coding style defined in preferences o Add after current method option added to extract method o A bunch of other corner-case situations were fixed".

Full Story (comments: none)

Version Control

GIT released

Version of the GIT distributed version control system has been announced; it includes numerous bug fixes and other improvements.

Full Story (comments: none)

Mercurial 1.4 released

Version 1.4 of the Mercurial source code management system has been announced; it includes new functionality and bug fixes. See the release notes for more details.

Full Story (comments: none)


GNU patch 2.6 released

Version 2.6b of GNU patch has been announced. "The last release dates back to June 2004 with version 2.5.9. A new Savannah project has been created with the new code repository and the bug-patch mailing list archive at:".

Full Story (comments: none)

Page editor: Forrest Cook


Commercial announcements

Android Dev Phone 2 available

There is a new, fully-open Android Dev Phone offering available; this one is based on the no-keyboard HTC "Sapphire" platform. Information is available on the Brightstar ADP2 page, but one has to go through the process of getting an Android Market publisher account first.

Comments (16 posted)

Astaro offers free firewall for SMBs

Astaro has announced the release of a free (of charge) firewall package. "Astaro Corporation, a leading network security vendor, today announced the launch of the Essential Firewall edition of its flagship security solution Astaro Security Gateway, available for free to all organizations worldwide. The Essential Firewall edition includes all the necessary functionality that all organizations need to secure their networks and operate a successful business."

Full Story (comments: none)

Chumby Guts!--New Product from The Maker Shed Store

Chumby is a compact consumer Internet device that enables people to receive a constant personalized broadcast of their favorite parts of the Web. It is now available in kit form. "Produced by Chumby Industries for Maker Shed, and coined "Chumby Guts" by the store's staff, the kit includes everything a tech enthusiast needs to build their own Chumby--either in the classic Chumby form or a form factor of their own design."

Full Story (comments: none)

MontaVista's Montebello Stack Incorporated in Dell Latitude ON

MontaVista has announced that the company worked with Dell to develop the software stack for Latitude ON - Dell's instant, always on connection to email, Web, contacts and calendar. "Built on the MontaVista Montabello MID platform, the software stack provides the advanced power management, fast startup, and connectivity management required by Latitude ON users."

Full Story (comments: none)

PyIMSL Studio 1.5 now available at no charge

Visual Numerics has announced a freely downloadable release of PyIMSL Studio. "Visual Numerics, a Rogue Wave Software Company, is making PyIMSL Studio 1.5 available for download at no charge for non-commercial use or for commercial evaluation. PyIMSL Studio contains both open source and proprietary components that create a fully supported and documented platform for analytic prototyping and production development."

Full Story (comments: none)

Rev 4.0 Released

Runtime Revolution Ltd. has announced the release of Revolution 4.0. "Software development company Runtime Revolution Ltd introduced today Revolution 4.0 for application and Web development, available for the first time in a free version. Rev 4.0 brings the ability to deploy your application straight to the web, without recoding or writing a line of html. Just select "Build for Web" from the file menu and exactly the same application as you previously deployed on the desktop can run in any standard web browser. And on Mac, Windows and Linux."

Full Story (comments: none)

Articles of interest

Microsoft Patents Sudo?!! (Groklaw)

Groklaw reports on a new software patent issued to Microsoft. "Lordy, lordy, lordy. They have no shame. It appears that Microsoft has just patented sudo, a personalized version of it. Here it is, patent number 7617530. Thanks, USPTO, for giving Microsoft, which is already a monopoly, a monopoly on something that's been in use since 1980 and wasn't invented by Microsoft." Computerworld's IT Blogwatch covers blog reactions to the issue.

Comments (21 posted)

Lenovo returns to the Linux desktop (ComputerWorld)

Steven J. Vaughan-Nichols takes a look at the upcoming Lenovo smartbook. "Lenovo might not describe their return to the Linux desktop like that, but that's what they're doing. Yesterday, November 12th, Qualcomm CEO Paul Jacobs gave the world a sneak peek at the Lenovo ARM Snapdragon-powered smartbook, a cross between a smartphone and a netbook. Jacobs added that Lenovo Linux-based smartbook would make its debut at January's CES (Computer Electronics Show)."

Comments (4 posted)

New Linux-Based PCs Encourage Seniors To Learn The Internet (redOrbit)

redOrbit looks at a Linux PC that is aimed at senior citizens. "A new computer called SimplicITy has been aimed at people over the age of 60 who have never before used PCs or the Internet, BBC News reported. The simplified desktop has just six buttons directing users to basic tasks such as e-mail and chat and each machine is pre-loaded with 17 video tutorials from television presenter Valerie Singleton. The SimplicITy computer has no login screen when started up, and contains no drop-down menus."

Comments (21 posted)

Nicaragua Builds An Innovative Agricultural Information System Using Open Source Software (Linux Journal)

Linux Journal covers the creation of an open source solution for displaying agricultural data for Nicaragua. "An experiment in Nicaragua shows just how powerful Open Source software can be in leveling the playing field. The second poorest country of the Americas now has one of the best software solutions for displaying agricultural data in the western hemisphere."

Comments (1 posted)

The Future of Linux is Google (PCWorld)

PCWorld looks at Google's success with Linux. "Google's migration into the operating system business has been so gradual that many industry watchers have shrugged it off. When the company announced its Android OS for phones, it looked interesting. There was nothing new about the idea of using Linux on a handset, and (apart from Google's involvement) little reason to expect it would carve out substantial market share in the competitive smartphone arena. But, with about 20 distinct Android handsets in the hands of more than three million users worldwide--and about 30 more devices expected to roll out in 2010--Google's mobile OS is now looking like a force to be reckoned with."

Comments (60 posted)

Legal Announcements

EFF obtains behind-the-scenes FISA records

The Electronic Frontier Foundation has obtained documents that detail the behind-the-scenes negotiations between US government agencies regarding illegal telecom surveillance. "The documents include drafts of legislation and communications between Congress and the Department of Justice (DOJ) and the Office of the Director of National Intelligence (ODNI) about amendments to the Foreign Intelligence Surveillance Act (FISA). They were released as a result of litigation that started back in 2007, when Congress first debated granting immunity to the telecommunications companies for taking part in massive, unchecked surveillance of Americans' telephone and Internet communications."

Full Story (comments: none)

The Open Web Foundation Agreement

The Open Web Foundation has announced the availability of the Open Web Foundation Agreement. This agreement is meant to cover web-related specifications, ensuring that developers can implement those specifications with minimal fear of copyright or patent suits. "This reusable agreement is designed to be easily adopted by a wide range of specification communities and organizations as an alternative to the challenging -- and costly -- process of negotiating new licensing agreements every time. Specifications made available under the Open Web Foundation Agreement may include everything from small ad-hoc formats sketched out among friends to large multi-corporation collaborations that ultimately grow into international recognized standards with the help of formal standards setting organizations."

Comments (1 posted)

New Books

Hello, Android, Second Edition--New from Pragmatic Bookshelf

Pragmatic Bookshelf has published the book Hello, Android, Second Edition by Ed Burnette.

Full Story (comments: none)


FSFE Newsletter

The October, 2009 edition of the FSFE Newsletter is online. Topics include: "1. FSFE suggests to make MySQL independent as solution for Oracle/Sun deal 2. Announcing FSFE's new Finnish country team 3. Fellowship meetings in Frankfurt, Berlin and Vienna 4. Windows 7 to hit consumers with known security problem 5. New Fellowship jabber server 6. Welcome to Alina Mierlus as intern".

Full Story (comments: none)

Linux Foundation Newsletter

The November, 2009 edition of the Linux Foundation Newsletter has been published. "In this month's Linux Foundation newsletter: * Second Annual End User Summit Connects IT Leaders, Linux Developers * Japan Linux Symposium Videos Available * New Members Elected to Linux Foundation Technical Advisory Board * New Perks for Individual Members Very Popular * Linux Foundation in the News * From the Foundation: Cloud Computing Too Costly in the Long Term?"

Full Story (comments: none)


Poll on PyPI rating system

The developers behind the PyPI Python software catalog are trying to decide whether to keep the package rating system, which is not universally loved. "PyPI recently got a rating system which includes the option of posting comments about a package release also. Several people have expressed a strong dislike of that system and want to see it changed or removed. In order to find out what the community thinks, we are now performing a poll, at ".

Full Story (comments: none)

Education and Certification

LPI Affiliate promotes Linux education in Middle East

The Linux Professional Institute has announced an affiliate education program in the Middle East. "The Linux Professional Institute (LPI), the world's premier Linux certification organization, announced that its affiliate, LPI-Middle East, had signed an agreement with Ma3bar initiative to promote the adoption of Free and Open Source software throughout the Arab world. Ma3bar is an Arab Support Centre for Free and Open Source Software established by the United Nations Development Program (UNDP), the United Nations Educational, Scientific and Cultural Organization (UNESCO), and the University of Balamand, Al-Kurah, Lebanon."

Full Story (comments: none)

UKUUG and O'Reilly announce Training Days

The UKUUG and O'Reilly have announced two new training events. "3rd February 2010, 'Practical Erlang Programming' - Tutor: Francesco Cesarini Venue: Imperial Hotel, Russell Square, London. also in our schedule: 27th January 2010 'Zenoss Introduction Workshop' by Jane Curry"

Full Story (comments: none)

Upcoming Events

PyCon talks announced

The PyCon speakers have been announced. PyCon takes place on February 17-25 in Atlanta, Georgia. "The PyCon program committee has announced an unprecedented program of 95 talks for PyCon 2009. Talk abstracts can be browsed at"

Full Story (comments: none)

Events: November 26, 2009 to January 25, 2010

The following event listing is taken from the Calendar.

November 25 to November 27: Open Source Developers Conference 2009 (Brisbane, Australia)
November 27 to November 29: Ninux Day 2009 (Rome, Italy)
December 1 to December 5: FOSS.IN/2009 (Bangalore, India)
December 4: Italian PostgreSQL Day 2009 (Pisa, Tuscany, Italy)
December 5 to December 7: Fedora Users and Developers Conference (Toronto, Canada)
December 7 to December 11: Annual Computer Security Applications Conference (Honolulu, HI, USA)
December 7 to December 13: Make Art 2009 (Poitiers, France)
December 12 to December 13: Django Development Sprint (Dallas, TX, USA)
December 12 to December 17: SciPy India 2009 (Kerala, India)
December 12: BSD community day (Utrecht, The Netherlands)
December 19: New Mexico Linux Fest (Albuquerque, NM, USA)
December 27 to December 30: 26th Chaos Communication Congress (Berlin, Germany)
January 13 to January 15: Foundations of Open Media Software (Wellington, New Zealand)
January 15 to January 22: Camp KDE 2010 (San Diego, CA, USA)
January 18 to January 23: (Wellington, New Zealand)
January 23: Workshop on GCC Research Opportunities (Pisa, Italy)
January 23 to January 24: DrupalSouth Wellington 2010 (Wellington, New Zealand)

If your event does not appear here, please tell us about it.

Web sites

EFF: International Activists Launch New Website to Gather and Share Copyright Knowledge

The Electronic Frontier Foundation (EFF), Electronic Information for Libraries (, and other international copyright experts have joined together to launch Copyright Watch -- a public website created to centralize resources on national copyright laws at "Copyright Watch is the first comprehensive and up-to-date online repository of national copyright laws. To find links to national and regional copyright laws, users can choose a continent or search using a country name. The site will be updated over time to include proposed amendments to laws, as well as commentary and context from national copyright experts. Copyright Watch will help document how legislators around the world are coping with the challenges of new technology and new business models."

Full Story (comments: 3)

planet LAD launched

planet LAD has been launched; check it out for the latest Linux Audio Development news. " make it easy to keep up on what people are up to in general and you can browse the planet to see who you'd like to follow."

Full Story (comments: none)

Page editor: Forrest Cook

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds