LWN.net Weekly Edition for December 3, 2009
Between Fedora 12 and 13
In many minds, the Fedora 12 release is likely to remain forever associated with the project's ill-advised decision to allow any local user to install packages without the root password. That mistake is now in the past and, in any case, there is far more to Fedora 12 than this particular problem. In this article, your editor looks at the quality of the Fedora 12 release and ponders what Fedora 13 may bring.
The Fedora brand has suffered a bit in recent times; the Fedora 10 and Fedora 11 releases have not proved to be the most stable distributions ever. Some users have begun to lament the passing of the days of Red Hat Linux, when quality control seemingly had a higher priority. Said users may well have never lived through the RHL 4.0 and 5.0 transitions, which were not the most rock-solid systems on the planet. Today's Fedora releases are far larger than Red Hat Linux ever was, and they are more stable than many RHL releases were. We have made progress over time.
Still, recent Fedora releases have had some users wondering if it might not be time to move on to some other distribution. For some of those users, Fedora 12 might be the release which forces the decision one way or another. With this thought in the back of his mind, your editor proceeded to upgrade two systems (one from Fedora 10, the other from 11) to the current release.
As an aside, it should be said that the Fedora "preupgrade" feature is a nice addition. It's still not quite a Debian-style online upgrade, but preupgrade does the work of collecting all the needed package files while the system is operating normally, only requiring that the system be taken down for the actual upgrade operation. No need to burn DVDs. It makes the whole process easier, at least when it works; some users are still reporting problems with preupgrade. It worked flawlessly for your editor, in any case.
Fedora 12, once installed, made an immediate impression: a great many little irritations have gone away. Printing works - every time. The laptop suspends and resumes much more quickly, and it has lost its "you have to resume me twice before I'll stay resumed" behavior. NetworkManager no longer comes up with "network disabled" and it responds far more quickly to network changes. The GNOME desktop even remembered most of its pre-upgrade settings - an unexpected bonus. And so on. From your editor's point of view, the Fedora developers have used the F12 development cycle to fix a big pile of problems, and they would appear to have been kind enough to avoid adding a pile of new problems to replace the old ones. In summary: Fedora 12 is the solid release that this project really needed to create. Compared to that, the new features in F12 (and there are many) are of secondary importance.
While your editor has seen similar comments from others, it's worth noting that not all users are 100% pleased. If people are having trouble with F12, chances are it has to do with graphic adapters. One user went so far as to suggest the cancellation of Fedora 13 so that the developers could work on fixing F12 graphics problems. That seems unlikely to happen, but there is an awareness within the development community that the graphics experience is still not quite what it should be.
Dave Airlie explained the priorities used by the development team when addressing problems. Issues which prevent the system from booting normally are at the top of the list, as are those which keep a normal desktop from working. Unfortunately for certain classes of users, the lowest-priority items are non-GNOME desktops and arbitrary 3D applications. So the above-mentioned user, who was running into trouble getting Blender to work, may have to wait a while for a complete fix. There are also known issues with the Nouveau driver. Users having difficulties with proprietary graphics drivers are, of course, entirely on their own.
In the end, Linux graphics is still a work in progress. There have been a lot of advances in this area, but the job will not be done for a little while yet.
So what comes next? Fedora 13 is tentatively scheduled for release on May 11, 2010. The proposed feature list for this release is just beginning to come together, and some possible features (such as Btrfs-based rollbacks) do not yet appear there. Unsurprisingly, improvements to the Nouveau and Radeon graphics drivers are on the list. Better online telephony support is a possibility for F13 as well.
Another important feature which is likely to appear in Fedora 13 is the Python 3 language. The current plan is to package Python 3 in a way that allows it to be installed alongside Python 2.6 without interference between the two - an important point, since a number of crucial Fedora scripts are written in Python 2. It looks like the only place where non-interference is hard to implement is when attempting to run both within the same address space. That may seem like a strange thing to do - and it is, until you try to run both mod_python and mod_python3 within a web server. Most users are unlikely to notice or install the python3 package with Fedora 13, but it will provide a base for the gradual migration of programs written in Python.
Fedora 13 users can also look forward to RPM 4.8.0, with a long list of new features. The RPM developers are looking for especially brave and well-backed-up testers to help find any remaining problems before inflicting it upon the more cowardly folks who merely run Rawhide.
Finally, the Fedora developers would like F13 to be a higher-quality release than F12, even though F12 is looking good. To that end, they have started a quality assurance retrospective page, reviewing how the QA process went for F12 and how it can be improved the next time around.
There has been speculation that Fedora 12 will be the release picked by Red Hat to serve as the base for Red Hat Enterprise Linux 6. Despite its remaining problems, F12 should serve well in that role; it is one of the best of the recent Fedora offerings. The challenge for the project now, of course, is to carry that success forward into subsequent releases while simultaneously incorporating all of the new software that the development community is so busily producing. Whether 13 will prove to be a lucky number for Fedora remains to be seen, but F12 seems like a good starting point and the project seems determined to do even better the next time around.
UDS from an embedded hacker's perspective
The Ubuntu Developers Summit (UDS), held November 16-20 in Dallas, while kicking off the development cycle for the next Ubuntu release, "Lucid Lynx", had a surprising amount to interest a kernel hacker with embedded tendencies. The Summit covered a wide range of topics from low level kernel details, to best community practices, but the ARM netbook support sessions were particularly interesting. At this UDS, the Ubuntu ARM developers set out to enable support for many ARM machines in a single distribution, a difficult task due to the lack of a standard firmware interface on ARM systems; a familiar problem to embedded developers. This report covers the solutions debated at UDS — including Kexec bootloaders and the flattened device tree — and the choices made for the next Ubuntu release.
Ubuntu has supported the ARM architecture since the 2008 Intrepid Ibex (8.10) release, but the relative lack of consumer hardware has effectively made it interesting only to developers. During the Lucid cycle we can expect that to change as Canonical is working with ARM netbook OEMs to provide full support for the new devices that are widely anticipated to appear on the market in the new year.
However, support for a wide range of ARM devices is complicated by the absence of any form of a firmware interface standard for ARM systems. The vast majority of ARM designs are embedded systems with no expectation that the end user will install their own software. General purpose ARM computers are historical rarities; the notable exceptions being the original Archimedes, and the Corel Netwinder. As such, unlike the x86 architecture where an IBM PC-type BIOS is mostly a given, device manufacturers can (and do!) implement whatever firmware interface best meets their needs. Every device has a different method for booting the OS. Additionally, since firmware provides little if any information about the hardware, the kernel must be hard coded with device addresses and configuration information.
The current situation requires a different method for each system to boot an installer and multiple kernel images, each hard coded for a specific machine. For a device vendor who only maintains software loads for a handful of devices this situation is not particularly onerous. For general purpose distributions like Ubuntu it is problematic. The maintenance load of both installer and kernel images for every single hardware platform from every single vendor is completely unmanageable. As such, a number of the sessions in the mobile track at UDS this year were devoted to solving the ARM boot problem.
Bootloaders and Firmware
Getting firmware to behave was the theme behind two sessions on Tuesday. The first covered Oliver Grawert's script for creating a bootable image for a Freescale Babbage i.MX51 board with RedBoot firmware. From a purely pragmatic viewpoint, the script is absolutely necessary to create a usable install image but it certainly is not portable. Every board requires a different script for convincing the firmware to boot from the right place. So while it is a current necessity, it is not a viable solution in the long term.
The ARM Soft Bootloader session led by Michael Casadevall on Tuesday afternoon proposed a more complete solution. Rather than depend on the capabilities of firmware executed by the device at power up, he suggested using a second stage boot loader that is built around the kernel and uses Kexec to boot the real OS image in the manner of Petitboot for the PS3. The idea is that the kernel can be used to sidestep firmware differences and provide a consistent boot interface to the installer. It also eliminates the current need to write device drivers twice; once for the kernel, and a second time for the firmware.
For most developers the firmware is not actually interesting; it is just a necessary hoop to jump through to boot an operating system. Adopting the kernel as the boot loader eliminates all the (arguably wasted) effort spent developing drivers for firmware, freeing up time for other development. However, there are concerns about the soft bootloader approach. The most significant of these is how much time booting a second kernel will add to the boot process.
Discussion in the Soft Bootloader session was interesting, and is well summarized in the blueprint. It is worth a read for anyone doing firmware work. At the end of the session it was decided that Soft Bootloader is the preferred approach but it still requires some investigation and engineering. Most likely it will not be ready for the Lucid release but is a Lucid+1 candidate.
Flattened Device Tree
Several sessions discussed the problem of hard coded machine information in the kernel which requires the kernel to be modified for each new device. I was asked to lead two sessions on the Flattened Device Tree (FDT). The first was an overview of the FDT approach — how it is implemented in PowerPC and how it can be used to solve several of Ubuntu's ARM problems. The Flattened Device Tree has been discussed elsewhere with more eloquence, but in brief it is a data structure that is passed to the kernel at boot time which describes the hardware. Instead of relying on hard coded platform device tables, the kernel reads the data structure to determine what devices to register and how they are configured.
While no firm decisions were made in the first session, it was generally agreed that device trees solve the problem at hand and should be pursued. Proof of concept work is proceeding which should demonstrate the device tree on an ARM platform in mid-January.
The overview sparked the scheduling of a second Flattened Device Tree session quite unrelated to ARM platforms. Fixing Hardware Quirks in Device Trees discussed the idea of using the same FDT data structure to capture machine specific quirks that are currently hard coded in the kernel. For example, ALSA codec routing information is wildly different from board to board but changing it (for instance when trying to uncover why sound does not work on a user's brand new machine) requires a kernel recompile. If a binding could be written for the device tree that encodes the codec configuration, then it may be possible to fix non-working audio by dropping a new device tree blob into sysfs somewhere instead of asking the user to replace the kernel. Research is needed to decide if this is a viable approach, but it seems promising. Jeremy Kerr has volunteered to investigate it further during the Lucid cycle.
Other Topics
Other interesting discussions for ARM and kernel developers included Colin Watson's Cross Building Ubuntu session, the decision to drop ARMv6 support to take advantage of the performance gains in ARMv7, and the decision to use the 2.6.32 kernel version with Ext4 remaining as the default filesystem (the exception being the ARM kernels which will be allowed to lag if the vendor supplied trees are not yet at the 2.6.32 baseline).
On the other end of the spectrum, the work going into the Quickly application framework was presented during Monday's plenary session. It is intriguing and appears to be a promising approach to simplify Linux application development.
Summit Organization
Sessions at UDS were limited to small groups and the focus was on discussion and making decisions about the next release. Only a handful of 15 minute time slots per day were devoted to formal presentations during the plenary sessions in the ballroom. Participation was open; and to provide for those who were unable to attend, audio from all the meeting rooms was Icecast to the Internet. One of the two projectors in each room was dedicated to showing an IRC channel, allowing anyone in the world to listen in and participate. The IRC channel worked well for those offsite, but also had advantages for those who were onsite. It was often used as a "back channel" for making comments without interrupting the conversation at hand.
With 12 sessions going at any one time, far more was happening at UDS than any one person could track. This report gives a taste from the embedded Linux perspective, and is not intended to be a complete review. Anyone interested in knowing more about what was discussed at UDS is strongly encouraged to browse through the posted schedule for notes on most sessions' discussion and decisions. In addition video that was taken at the conference has been posted for public access.
New releases from Tomboy and Gnote
The GNOME note-taking utilities Tomboy and Gnote both made releases recently. Tomboy, the older project, released version 1.0.1 and includes some long-awaited online storage features. Gnote, a port of Tomboy to C++ instead of the original C#/Mono, released version 0.6.3, a bugfix release in its own right, but one that put an end to rumors that the project was without a maintainer.
Tomboy meets Ubuntu One
Tomboy has supported online note synchronization via WebDAV and other back-ends for several releases. An announcement in May of 2009 attracted considerable attention to a new option, "Tomboy Online," a Tomboy-specific network service that would allow users to access their notes through a web interface in addition to the desktop clients, and share notes with other users. The software powering Tomboy Online, Snowy, is AGPL-licensed, and built on top of Django. As of December, however, Tomboy Online still has not debuted, and activity slowed down on the Snowy Git repository.
Consequently, it was seen as welcome news by Tomboy fans when the 1.0.1 release added support for a new online service that permits web-based note editing, Canonical's Ubuntu One. Ubuntu One accounts provide 2GB of storage to Ubuntu users, supplying Tomboy with a large base of potential testers. More importantly, Ubuntu One's implementation of online Tomboy synchronization and editing uses the same REST-based API designed for use with Tomboy Online and implemented in Snowy. Ubuntu One's Tomboy service does use OAuth 1.0 Revision A for authentication, while Snowy uses OAuth 1.0, but the newer revision plugs a security hole in the OAuth token approval process, so the likelihood of an update is high.
![[Tomboy online]](https://static.lwn.net/images/tomboy-ubuntu-one-sm.png)
Synchronizing with Ubuntu One is indeed simpler than setting up and using WebDAV. Setup requires only entering the Ubuntu One URL into Tomboy's Synchronization preferences tab; clicking "Connect to Server" then hands off authentication to the browser-based OAuth process. Even more interesting is the possibility of setting up a private Snowy server; the Snowy web page links to instructions for installing the software on the popular Dreamhost web hosting provider, and instructions for configuring Apache with mod_python or mod_wsgi.
Sandy Armstrong's blog announcement also highlighted a new Note Statistics plugin that provides the user with access to line counts, word counts, and character counts, and updates to the Android and Maemo ports of the Tomboy client. The Android application Tomdroid can sync with Ubuntu One's note service in the latest Bazaar branch, and the Maemo application Conboy has work underway but has not yet made a release. Both mobile clients should be able to sync with any server that implements the Tomboy Online REST API.
The latest development release of Tomboy, dubbed 1.1.0, was released at the same time as the stable 1.0.1. For both the stable and development releases, users can download tarballs for generic Linux systems and binary installers for Windows and Mac OS X. OpenSUSE users can install both releases through the package management system, and Ubuntu users can install both via stable and development personal package archives (PPAs).
Gnote meets Fedora
Gnote is a port of the Tomboy desktop application that uses C++ instead of C# and plain GTK+ instead of the Mono stack. The project was started in April of 2009 by Hubert Figuiere as a spare-time effort, but gained a significant following. As always seems to be the case when Mono is involved, the project's existence ignited long standing debates about Mono itself, and when Figuiere decided in late October that he could not continue as maintainer, detractors of Gnote declared it a "victory." The Fedora distribution decided to include Gnote as its default note-taking application starting with Fedora 12, though, and Fedora packager Debarshi Ray stepped up to take over as Gnote maintainer.
Gnote 0.6.3 is Ray's first release as maintainer, and he said he plans to continue tracking Tomboy's feature set. The next major release should add support for synchronization and the Directory Watcher add-in, which will bring the younger application closer to supporting the same online services just announced for Tomboy itself. Gnote has always strived to remain compatible with Tomboy, using the same file format, and it can import users' existing Tomboy notes — although the Gnote team makes it clear that there are no warranties as to whether Tomboy can read notes created with Gnote. Support for Tomboy plugins is spottier, but many are reported to work.
Gnote builds are not provided for Windows or Mac OS X. Linux users on many non-Fedora distributions can find packages through their package management system, including Mandriva, Debian and Ubuntu. Moblin users have expressed interest in Gnote, since the distribution does not include a note-taking application and Gnote would not require building Mono and introducing its corresponding runtime dependency; however, Moblin-specific packages are not yet available. Plain Moblin is based on Fedora and Canonical's Ubuntu Moblin Remix is based on Ubuntu; both can run Gnote packages rebuilt from their desktop distributions' respective source packages.
Fedora's decision to include Gnote as its default note-taking application still has its critics, who cite the small development community. It is important to note, though, that Gnote is a direct translation from Tomboy's C# code to C++, not a rewrite, and thus requires considerably less coding effort than either Tomdroid or Conboy.
Gnote's new maintainership and new release are unlikely to change any minds about the project; some will continue to see it as a viable alternative and others as an attack on its parent application Tomboy. What is clear, though, is that neither application is going away soon. Tomboy is poised to finally deliver on the online storage and editing service users have been waiting for, and even if the first service to go live was not the one originally planned, it is probably better in the long run to have multiple, compatible services. The same could be said for Tomboy and Gnote themselves.
Security
On the importance of return codes
Just days after FreeBSD 8.0 was released, the FreeBSD developers were undoubtedly unhappy to see a "zero day" exploit posted on the Bugtraq mailing list. The exploit is for a local privilege escalation vulnerability in the runtime loader (rtld) that allows unprivileged users to become root. The vulnerability and patch highlight the need for code—particularly security enforcing code—to check the return values of functions that get called.
The exploit essentially creates a broken environment, such that unsetenv() cannot delete variables from that environment. Because unsetenv() is unable to remove variables like LD_PRELOAD from the environment, rtld fails to do so when running a setuid(0) binary such as ping. But, as the patch shows, rtld could have recognized the situation by checking the return value from unsetenv(). By not doing so, a security feature can easily be circumvented.
LD_PRELOAD allows users to specify libraries they want loaded before the executable. This is typically used to load previous versions, debugging aids (like malloc()/free() tracking), and things of that sort. Clearly setuid() binaries should not be linked to arbitrary, user-controlled libraries at runtime. In the case of the exploit, the shared library used simply spawns a shell from the _init() call. That shell has the effective user id of root because the kernel has already called setuid() for the ping binary.
It is common for programmers to ignore return values for functions that "can't fail", but that is a dangerous practice. It is worse when it happens in code that runs with privileges. Something similar occurred with the (badly named) "sendmail capabilities bug", which was really a problem with the Linux kernel capabilities implementation. But, had sendmail been more defensive and checked the return code from setuid() when it was dropping privileges—something that "can't fail"—a much bigger problem would have been averted.
If the person writing the system or library call believed that the call can't fail, they would presumably have made it a void function. That's not to say that those programmers—or committees like POSIX—are immune from bugs or bad decisions, but callers should heed their intent. It's a difficult problem, though, as it is sometimes unclear what the program should do if something that can't fail does fail. Worse yet, without some kind of comprehensive fault-injection framework, those error paths are difficult to test. But, at least for privileged code, the problem can't be ignored.
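The pattern discussed above, as an added example (it is not FreeBSD's rtld code or its patch): an environment scrub that ignores the result of unsetenv() next to one that checks it and fails closed, with the failure injected through a function pointer so the error path can be exercised. The function names, the two-variable list and the failing stub are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv()/unsetenv() declarations */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Same signature as unsetenv(3); passed in so a test can inject a failure. */
typedef int (*unsetenv_fn)(const char *name);

/* Illustrative list only; not the list used by any real runtime loader. */
static const char *const unsafe_vars[] = { "LD_PRELOAD", "LD_LIBRARY_PATH" };
#define N_UNSAFE (sizeof(unsafe_vars) / sizeof(unsafe_vars[0]))

/* The pattern the article warns about: the return value is thrown away,
 * so the caller cannot tell whether the variables were really removed. */
static void scrub_env_unchecked(unsetenv_fn do_unset)
{
    for (size_t i = 0; i < N_UNSAFE; i++)
        (void)do_unset(unsafe_vars[i]);
}

/* Checked version: returns 0 only if every removal reported success AND the
 * variable is verifiably gone afterwards; returns -1 on the first failure. */
static int scrub_env_checked(unsetenv_fn do_unset)
{
    for (size_t i = 0; i < N_UNSAFE; i++) {
        if (do_unset(unsafe_vars[i]) != 0)
            return -1;              /* the call that "can't fail" failed */
        if (getenv(unsafe_vars[i]) != NULL)
            return -1;              /* reported success but still present */
    }
    return 0;
}

/* Fault-injection stub: stands in for an unsetenv() that is unable to
 * modify the environment. It changes nothing and reports an error. */
static int failing_unsetenv(const char *name)
{
    (void)name;
    errno = EINVAL;
    return -1;
}

/* Policy for privileged code: continue only when the scrub succeeded.
 * Returns 1 if it is safe to go on, 0 if the program must abort. */
static int safe_to_continue(unsetenv_fn do_unset)
{
    return scrub_env_checked(do_unset) == 0;
}

/* Shows what the unchecked scrub leaves behind when removal fails.
 * The path is a constructed sample value; nothing is loaded from it.
 * Returns 1 if LD_PRELOAD was still set after the scrub. */
static int demo_variable_survives_unchecked(void)
{
    int survived;

    setenv("LD_PRELOAD", "/tmp/constructed-example.so", 1);
    scrub_env_unchecked(failing_unsetenv);
    survived = getenv("LD_PRELOAD") != NULL;
    unsetenv("LD_PRELOAD");         /* clean up after the demonstration */
    return survived;
}

int main(void)
{
    setenv("LD_PRELOAD", "/tmp/constructed-example.so", 1);
    printf("working unsetenv, checked scrub: %s\n",
           safe_to_continue(unsetenv) ? "continue" : "abort");
    printf("failing unsetenv, checked scrub: %s\n",
           safe_to_continue(failing_unsetenv) ? "continue" : "abort");
    printf("failing unsetenv, unchecked scrub leaves LD_PRELOAD set: %d\n",
           demo_variable_survives_unchecked());
    return 0;
}
```

The second getenv() check covers an unsetenv() that reports success without removing the variable; in both failure cases the only safe action for setuid code is to stop before loading anything.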
This particular problem has existed in FreeBSD since version 7.0, released in February 2008. A pre-advisory with the patch was released by FreeBSD within a few hours of the Bugtraq posting. A full advisory and update is expected soon. In the meantime, this should serve as something of an object lesson for others; hopefully that will lead to developers scrutinizing existing code for similar issues, while also helping to remind programmers not to make that kind of mistake in any future code they write.
Brief items
How to vote anonymously under ubiquitous surveillance (Light Blue Touchpaper)
Light Blue Touchpaper previews a paper [PDF] describing the Open Vote Network protocol that would allow anonymous voting under a system of total communications surveillance. "In the Open Vote Network protocol, all communication data is open, and publicly verifiable. The protocol provides the maximum protection of the voter's privacy; only a full collusion can break the privacy. In addition, the protocol is exceptionally efficient. It compares favorably to past solutions in terms of the round efficiency, computation load and bandwidth usage, and has been close to the best possible in each of these aspects."
New vulnerabilities
awstats: missing security key
Package(s): awstats
CVE #(s): (none listed)
Created: December 1, 2009
Updated: December 2, 2009
Description: From the Red Hat bugzilla: Advanced Web Statistics (awstat) upstream has released new (6.95) version, addressing two security related issues. Quoting from awstats Changelog:
bind: DNS cache poisoning
Package(s): bind
CVE #(s): CVE-2009-4022
Created: November 27, 2009
Updated: June 28, 2010
Description: From the Mandriva advisory: Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x through 9.3.x with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks via additional sections in a response sent for resolution of a recursive client query, which is not properly handled when the response is processed at the same time as requesting DNSSEC records (DO).
dovecot: authentication bypass
Package(s): dovecot
CVE #(s): CVE-2009-3897
Created: November 30, 2009
Updated: January 19, 2010
Description: From the Mandriva advisory: Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself (CVE-2009-3897).
dstat: arbitrary code execution
Package(s): dstat
CVE #(s): CVE-2009-3894
Created: November 25, 2009
Updated: December 28, 2009
Description: From the Gentoo advisory: Robert Buchholz of the Gentoo Security Team reported that dstat includes the current working directory and subdirectories in the Python module search path (sys.path) before calling "import". A local attacker could entice a user to run "dstat" from a directory containing a specially crafted Python module, resulting in the execution of arbitrary code with the privileges of the user running the application.
kdelibs: arbitrary code execution
Package(s): kdelibs
CVE #(s): CVE-2009-0689
Created: November 25, 2009
Updated: January 14, 2016
Description: From the Red Hat advisory: A buffer overflow flaw was found in the kdelibs string to floating point conversion routines. A web page containing malicious JavaScript could crash Konqueror or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-0689)
libtool: privilege escalation
Package(s): libtool
CVE #(s): CVE-2009-3736
Created: November 30, 2009
Updated: November 19, 2013
Description: From the Mandriva advisory: All versions of libtool prior to 2.2.6b suffers from a local privilege escalation vulnerability that could be exploited under certain conditions to load arbitrary code (CVE-2009-3736).
php: denial of service, arbitrary code execution
Package(s): php5
CVE #(s): CVE-2009-4017 CVE-2009-4018
Created: November 27, 2009
Updated: February 23, 2010
Description: From the Ubuntu advisory: Bogdan Calin discovered that PHP did not limit the number of temporary files created when handling multipart/form-data POST requests. A remote attacker could exploit this flaw and cause the PHP server to consume all available resources, resulting in a denial of service. It was discovered that PHP did not properly enforce restrictions in the proc_open function. An attacker could exploit this issue to bypass safe_mode_protected_env_vars restrictions and possibly execute arbitrary code with application privileges.
php: information disclosure
Package(s): php5
CVE #(s): CVE-2009-2626
Created: December 1, 2009
Updated: February 23, 2010
Description: From the Debian advisory: A flaw in the ini_restore() function could lead to a memory disclosure, possibly leading to the disclosure of sensitive data.
php-pear-Mail: information disclosure
Package(s): php-pear-Mail
CVE #(s): CVE-2009-4023 CVE-2009-4111
Created: December 1, 2009
Updated: November 3, 2010
Description: From the Fedora advisory: PEAR's Mail class did not properly escape content of mail header fields, when using the sendmail backend. A remote attacker could send an email message, with specially-crafted headers to a local user, leading to disclosure of content and potentially, to modification of arbitrary system file, once the email message was processed by the PEAR's Mail class.
php-pear-Net-Ping: arbitrary code execution
Package(s): php-pear-Net-Ping
CVE #(s): CVE-2009-4024
Created: November 25, 2009
Updated: December 14, 2009
Description: From the PHP-PEAR advisory: Multiple remote arbitrary command injections have been found in the Net_Ping and Net_Traceroute.
php-pear-Net-Traceroute: arbitrary code execution
Package(s): php-pear-Net-Traceroute
CVE #(s): CVE-2009-4025
Created: November 25, 2009
Updated: December 2, 2009
Description: From the PHP-PEAR advisory: Multiple remote arbitrary command injections have been found in the Net_Ping and Net_Traceroute.
poppler: multiple vulnerabilities
Package(s): poppler
CVE #(s): CVE-2009-3903 CVE-2009-3904 CVE-2009-3905 CVE-2009-3906 CVE-2009-3907 CVE-2009-3908 CVE-2009-3909 CVE-2009-3938
Created: December 1, 2009
Updated: August 20, 2012
Description: From the Debian advisory: Several integer overflows, buffer overflows and memory allocation errors were discovered in the Poppler PDF rendering library, which may lead to denial of service or the execution of arbitrary code if a user is tricked into opening a malformed PDF document.
roundcube: cross-site request forgery
Package(s): roundcubemail
CVE #(s): CVE-2009-4076 CVE-2009-4077
Created: December 2, 2009
Updated: January 19, 2010
Description: Roundcube suffers from two cross-site request forgery vulnerabilities which enable attackers to hijack authentication credentials from users.

wireshark: multiple arbitrary code execution vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2009-3243 CVE-2009-3549 CVE-2009-3551
Created: November 25, 2009
Updated: January 12, 2010
Description: Dissector problems in TLS (CVE-2009-3243), Paltalk (CVE-2009-3549), and SMB (CVE-2009-3551). From the Gentoo advisory: A remote attacker could entice a user to open a specially crafted "erf" file using Wireshark, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. A remote attacker could furthermore send specially crafted packets on a network being monitored by Wireshark or entice a user to open a malformed packet trace file using Wireshark, possibly resulting in a Denial of Service.

Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current development kernel remains 2.6.32-rc8. As of this writing, just over 200 changes have been merged since 2.6.32-rc8, including some significant feature enhancements to the FS-Cache and slow work subsystems. Linus has not told the world whether he thinks that's enough change to justify an -rc9 release or not; stay tuned.
Quotes of the week
Now I would guess (educated slightly) that the amount of code required to write a full driver stack for a modern GPU has probably gone up 40-50x what used to be required, whereas the number of open source community developers has probably doubled since 2001. Also newer GPU designs have forced us to redesign the Linux GPU architecture, this had to happen in parallel with all the other stuff, again with similar number of developers. So yes it sucks but it should point out why there is no reason why 3D should really be working on all cards.
Fault injection and unexpected requirement injection
Good developers carefully write their code to handle error conditions which may arise. This code frequently suffers from one problem, though: test coverage is hard. Many of the anticipated errors never come about, so the error-handling code never gets exercised. So when things go wrong for real, recovery does not work as expected. For a few years, the Linux kernel has had a fault injection framework designed to help in the debugging of some types of error-handling code. By forcing specific things (memory allocations in particular) to go wrong, the fault injection framework can help developers ensure that errors are really handled as expected.
Sripathi Kodi recently posted a patch adding certain types of futex failures to the fault injection framework. Ingo Molnar responded with a potentially surprising request:
This "unacceptably ugly" interface has existed as part of the fault injection framework since 2006, so it is a little surprising to hear, now, that it cannot be used. Ingo is firm about this point, though, and appears unwilling to back down.
Extending perf events for fault injection might be the right long-term solution. But this situation highlights a trap for developers which certainly acts to make participation in the development process harder. In his travels, your editor has heard complaints from developers who set out to accomplish a specific task, only to be told that they must undertake a much larger cleanup to get their code merged. The topic also came up at the 2009 kernel summit; there, the consensus seemed to be that this kind of request can quickly become unreasonable.
In this case, Sripathi has not been asked to fix the remainder of the fault injection framework code. But adding a new functionality to the perf events subsystem still likely goes rather beyond the scope of the original project. Sripathi has not responded to this request, so it's not clear whether we'll see a futex fault injection mechanism reworked to fit the new requirements, or whether this code will just fade away.
Kernel development news
Another mainline push for utrace
When last we looked in on utrace, back in March, it was being proposed for inclusion into 2.6.30. There were various objections at that time, but the biggest was the lack of a "real" in-kernel user for utrace. It was suggested that providing a real user along with utrace itself would smooth its path into the mainline. Now utrace has returned in the form of a set of patches from Oleg Nesterov (based on Roland McGrath's work), along with a rewrite of the ptrace() system call using the utrace interface. With the 2.6.33 merge window opening soon, the hope is that utrace will, finally, make its way into the mainline.
Utrace provides a means to control user-space threads, which could be used for debugging, tracing, and other tasks like user-mode-linux. SystemTap is one of the biggest current utrace users, as Red Hat and Fedora kernels have had utrace support for several years. Utrace came from a recognition that ptrace() was too limited—and messy—for many of the things folks wanted to use it for. In particular, only allowing one active tracing process for a given thread, as ptrace() requires, was too limiting for various envisioned tracing and control scenarios. Utrace allows multiple tracing "engines" to attach to a thread, list which events they are interested in, and receive callbacks when those events occur.
The interface provided by utrace has not changed enormously since our first look in March 2007. Engines, which are typically implemented as loadable kernel modules, will attach to a given thread by using utrace_attach_task() or utrace_attach_pid() depending on whether they have a struct task_struct or struct pid available. In either case, a struct utrace_engine pointer is returned, which is used to identify the engine in additional calls.
The struct utrace_engine looks like:
    struct utrace_engine {
        const struct utrace_engine_ops *ops;
        void *data;
        unsigned long flags;
    };
with flags containing an event mask and data used for engine-specific private data. The most interesting part is the ops field which points to a set of ten different callback functions. These functions make up the heart of the tracing engine functionality.
The function pointers in struct utrace_engine_ops are described in linux/utrace.h. All of the kerneldoc comments are pulled from the source code files into the DocBook documentation that comes with the patchset. The callbacks are made as the traced thread encounters various events. These include signals being delivered, clone() or exec() being called, other system calls as they are entered or exited, thread exit or death, and more. In each case, the callbacks are made for each interested engine in the order in which the engines were attached.
An engine uses the utrace_set_events() (or utrace_set_events_pid()) call to indicate which of the events it is interested in:
    int utrace_set_events(struct task_struct *target,
                          struct utrace_engine *engine,
                          unsigned long events);
The UTRACE_EVENT() macro is used to turn on the appropriate bits in the events mask. There must be a callback defined in the engine->ops table for any events which are enabled.
Once a callback has been invoked, the engine uses utrace_control() (or utrace_control_pid()) to tell the traced thread to do something:
    int utrace_control(struct task_struct *target,
                       struct utrace_engine *engine,
                       enum utrace_resume_action action);
The action parameter governs what is supposed to happen. Those actions include things like single-stepping, block-stepping, resuming execution, detaching from the thread, and so on.
In the only real complaint about the patchset seen so far, Christoph Hellwig is unhappy that the ptrace() reimplementation is not supplanting the current ptrace() code: "One thing I really hate about this is that it introduces two ptrace implementations by adding the new one without removing the old one." In the patches, the inclusion of utrace is governed by the CONFIG_UTRACE flag. Since it isn't optional to have a ptrace() system call, that meant the current code needed to stay.
What Hellwig suggests, though, is adding utrace support to the two major architectures that don't have it (arm and mips), then removing the current ptrace(). He clearly believes it is too late to get utrace into 2.6.33, which would allow time to get utrace support into those—and hopefully other, minor architectures—before utrace is merged. "If the remaining minor architectures don't manage to get their homework done they're left without ptrace," he said.
That didn't sit well with various other kernel hackers. Pavel Machek said: "I don't think introducing regressions to force people to rewrite code is a good way to go".
In addition, Ingo Molnar seems to have warmed up to utrace's inclusion since it was last proposed. Molnar had many complaints about utrace last time, but is much more positive this time. He doesn't think adding more architecture support is the way to go:
Unlike last time, where most of the complaints were not aimed at the code itself, but more at its timing and lack of an in-kernel user, this time there is some code review taking place. Peter Zijlstra has a fairly detailed review of both the code and documentation for example. There is a clear sense that utrace is clearing hurdles that may have held it up in the past.
One of the outcomes from the tracing meetings at the Collaboration Summit in April was to come up with an in-kernel user, and ptrace() seemed like a good candidate. Other ideas were mentioned in those meetings, including adding a gdb "stub" in the kernel to allow debugging of user-space programs. A patch to expose a /proc/PID/gdb interface that implements gdb's remote serial protocol was proposed by Srikar Dronamraju.
That patch is running into more serious difficulty than utrace seems to be. Because kgdb already exposes the remote serial interface for gdb, but for the kernel instead, Zijlstra and Molnar think that the two should be combined. It seems unlikely to get merged until that is resolved.
Some parts of the utrace patchset have spent time in the -mm tree, and utrace has been shipped with every Fedora kernel since FC6. But the utrace-ptrace piece has not done any time in either -mm or -next, which may make it harder to get it in the mainline for 2.6.33. Since utrace is optional, though, there are relatively few risks. McGrath is willing to consider removing the current ptrace() implementation, but it's clear that he and Nesterov—maintainers of the current ptrace()—would prefer to get utrace into the mainline now:
Presumably, we will know within the next few weeks whether utrace makes its way into 2.6.33. But, if that doesn't happen, it would seem that one more kernel development cycle is all that it should take.
Eliminating rwlocks and IRQF_DISABLED
Reader-writer spinlocks and interrupt-enabled interrupt handlers both have a long history in the Linux kernel. But both may be nearing the end of their story. This article looks at the push for the removal of a pair of legacy techniques for mutual exclusion in the kernel.
Reader-writer spinlocks (rwlocks) behave like ordinary spinlocks, but with some significant exceptions. Any number of readers can hold the lock at any given time; this allows multiple processors to access a shared data structure if none of them are making changes to it. Reader locks are also naturally nestable; a single processor can acquire a given read lock more than once if need be. Writers, instead, require exclusive access; before a write lock can be granted, all read locks must be released, and only one write lock can be held at any given time.
Rwlocks in Linux are inherently unfair in that readers can stall writers for an arbitrary period of time. New read locks are allowed even if a writer is waiting, so a steady stream of readers can block a writer indefinitely. In practice this problem rarely surfaces, but Nick Piggin has reported a case where the right user-space workload can cause an indefinite system livelock. This is a performance problem for specific users, but it is also a potential denial of service attack vector on many systems. In response, Nick started pondering on the challenge of implementing more fair rwlocks which do not create performance regressions.
That is not an easy task. The obvious solution - blocking new readers when a writer gets in line - will not work for the most important rwlock (tasklist_lock) because that lock can be acquired by interrupt handlers. If a processor already holding a read lock on tasklist_lock is interrupted, and the interrupt handler, too, needs that lock, forcing the handler to wait will deadlock the processor. So workable solutions require allowing nested reader locks to be acquired even when writers are waiting, or disabling interrupts when tasklist_lock is held. Neither solution is entirely pleasing.
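The trade-off in the two paragraphs above can be reproduced with a small deterministic model. This is an added user-space illustration, not kernel code and not Nick Piggin's implementation; the `rwlock_model` structure, the two policy names and the step-based schedule are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* How the lock treats a new reader while a writer is waiting (model only). */
enum policy {
    READER_PREF,   /* admit the reader anyway: the unfair behaviour */
    WRITER_FAIR    /* make the reader wait behind the writer */
};

struct rwlock_model {
    enum policy policy;
    int readers;            /* read locks held, nested acquisitions included */
    bool writer_waiting;
    bool writer_holds;
};

static bool try_read_lock(struct rwlock_model *l)
{
    if (l->writer_holds)
        return false;
    if (l->policy == WRITER_FAIR && l->writer_waiting)
        return false;
    l->readers++;
    return true;
}

static void read_unlock(struct rwlock_model *l)
{
    l->readers--;
}

static bool try_write_lock(struct rwlock_model *l)
{
    if (l->readers > 0 || l->writer_holds) {
        l->writer_waiting = true;
        return false;
    }
    l->writer_waiting = false;
    l->writer_holds = true;
    return true;
}

/* Two readers take turns so that their critical sections always overlap,
 * while a writer retries once per step. Returns the step at which the
 * writer got the lock, or -1 if it was still waiting after max_steps. */
static int writer_wait_steps(enum policy p, int max_steps)
{
    struct rwlock_model l = { .policy = p };
    bool held[2] = { false, false };

    held[0] = try_read_lock(&l);
    for (int step = 1; step <= max_steps; step++) {
        int in = step % 2, out = 1 - in;

        if (try_write_lock(&l))
            return step;
        if (!held[in])
            held[in] = try_read_lock(&l);    /* next reader arrives */
        if (held[out]) {
            read_unlock(&l);                 /* previous reader leaves */
            held[out] = false;
        }
    }
    return -1;
}

/* tasklist_lock case: code holding a read lock is interrupted, and the
 * handler needs the same lock while a writer on another CPU is waiting.
 * The interrupted code cannot release until the handler returns, so a
 * refused nested read never clears. Returns true for that deadlock. */
static bool nested_read_deadlocks(enum policy p)
{
    struct rwlock_model l = { .policy = p };

    (void)try_read_lock(&l);     /* process context, CPU 0 */
    (void)try_write_lock(&l);    /* writer on CPU 1 starts waiting */
    if (!try_read_lock(&l))      /* interrupt handler, CPU 0 */
        return true;
    read_unlock(&l);             /* handler done */
    read_unlock(&l);             /* interrupted code done */
    return false;
}

int main(void)
{
    printf("reader-preference: writer step %d, nested read deadlock %d\n",
           writer_wait_steps(READER_PREF, 1000000),
           nested_read_deadlocks(READER_PREF));
    printf("writer-fair:       writer step %d, nested read deadlock %d\n",
           writer_wait_steps(WRITER_FAIR, 1000000),
           nested_read_deadlocks(WRITER_FAIR));
    return 0;
}
```

Under the reader-preference policy the writer never acquires the lock while reader sections overlap; under the fair policy it gets in as soon as the existing reader drains, but the nested read from the interrupt handler can no longer be granted.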
Beyond that, there has been a general sentiment toward the removal of rwlocks for some years. The locking primitives themselves are significantly slower than plain spinlocks, so any performance gain from allowing multiple readers must be large enough to make up for that extra cost. In many cases, that gain does not appear to actually exist. So, over time, kernel developers have been changing rwlocks to normal spinlocks or replacing them with read-copy-update mechanisms. Even so, a few hundred rwlocks remain in the kernel. Perhaps it would be better to focus on removing them instead of putting a lot of work into making them more fair.
Almost all of those rwlocks could be turned into spinlocks tomorrow and nobody would ever notice. But tasklist_lock is a bit of a thorny problem; it is acquired in many places in the core kernel and it's not always clear what this lock is protecting. This lock is also taken in a number of critical kernel fast paths, so any change has to be done carefully to avoid performance regressions. For these reasons, kernel developers have generally avoided messing with tasklist_lock.
Even so, it would appear that, over time, a number of the structures protected by tasklist_lock have been shifted to other protection mechanisms. This lock has also been changed in the realtime preemption tree, though that code has not yet made it to the mainline. Seeing all this, Thomas Gleixner decided to try to get rid of this lock, saying "If nobody beats me I'm going to let sed loose on the kernel, lift the task_struct rcu free code from -rt and figure out what explodes." As of this writing, the results of this exercise have not been posted. But Thomas is still active on the mailing list, so one concludes that any explosions experienced cannot have been fatal.
If tasklist_lock can be converted successfully to an ordinary spinlock, the conversion of the remaining rwlocks is likely to happen quickly. Shortly after that, rwlocks may go away altogether, simplifying the set of mutual exclusion primitives in Linux considerably.
IRQF_DISABLED
Meanwhile, a different sort of exclusion happens with interrupt handlers. In the early days of Linux, these handlers were divided into "fast" and "slow" varieties. Fast handlers could be run with other interrupts disabled, but slow handlers needed to have other interrupts enabled. Otherwise, a slow handler (perhaps doing a significant amount of work in the handler itself) could block the processing of more important interrupts, impacting the performance of the system.
Over the years, this distinction has slowly faded away, for a number of reasons. The increase in processor speeds means that even an interrupt handler which does a fair amount of work can be "fast." Hardware has gotten smarter, minimizing the amount of work which absolutely must be done immediately on receipt of the interrupt. The kernel has gained improved mechanisms (threaded interrupt handlers, tasklets, and workqueues) for deferred processing. And the quality of drivers has generally improved. So driver authors generally do not really even need to think about whether their handlers run with interrupts enabled or not.
Those authors still need to make that choice when setting up interrupt handlers, though. Unless the handler is established with the IRQF_DISABLED flag set, it will be run with interrupts enabled. For added fun, handlers for shared interrupts (perhaps the majority on most systems) can never be assured of running with interrupts disabled; other handlers running on the same interrupt line might enable them at any time. So many handlers will be running with interrupts enabled, even though that is not needed.
The solution, it would seem, would be to eliminate the IRQF_DISABLED flag and just run all handlers with interrupts disabled. In almost all cases, everything will work just fine. There are just a few situations where interrupt handling still takes too long, or where one interrupt handler depends on interrupts for another device being delivered at any time. Those handlers could be identified and dealt with. "Dealt with" in this case could take a few forms. One would be to equip the driver with a better-written interrupt handler which does not have this problem. Another, related approach would be to move the driver to a threaded handler which, naturally, will run with interrupts enabled. Or, finally, the handler could be set up with a new flag (IRQF_NEEDS_IRQS_ENABLED, perhaps) which would cause it to run with interrupts turned on in the old way.
It's not clear when all this might happen, but it could be that, in the near future, all hard interrupt handlers are expected to run - quickly - with interrupts disabled. Few people will even notice, aside from some maintainers of out-of-tree drivers who will need to remove IRQF_DISABLED from their code. But the kernel as a whole should be faster for it.
Kernel support for infrared receivers
One of the stated goals of the staging tree is to bring widely-used drivers into the mainline kernel tree. This effort has been quite successful; the number of out-of-tree drivers has dropped considerably over the last year or so. There is one high-profile holdout, though: the Linux Infrared Remote Control (LIRC) subsystem. LIRC is used to obtain input events from remote control devices and feed them through to applications; Linux-based digital video recorder systems are heavy LIRC users, but there are others as well. Back in October, Jarod Wilson posted a new version of LIRC for consideration. One month later, the kernel developers have started talking about it; what they lack in punctuality has been more than made up for in volume.
One might think that merging this longstanding, heavily-used project into the mainline would not require a great deal of discussion. The problem is that LIRC brings with it a new ABI. Since user-space interfaces must be supported indefinitely, they tend to come under a higher degree of scrutiny than other parts of the code. LIRC has never had to freeze its ABI during its many years of out-of-tree existence, a freedom which has made life easier for its developers. But LIRC in mainline would not have this freedom, so any incompatible ABI changes need to be made prior to merging. And, as it happens, some developers would like to see significant changes.
One would think that an IR receiver would be a simple device; all it must do is report button press and release events, much like a keyboard. Often, it seems, the simplest devices are the most complex to deal with. Some receivers have decoders built into them, allowing them to pass scan codes to the driver, which can then map them onto key codes to pass to applications. But others are simple indeed - they simply report the timing and length of pulses received from the remote. In this case, the driver must filter out glitches and perform protocol processing to get to the point where it can generate scan codes. For extra fun, there are a number of protocols in use, and some manufacturers have wisely decided that life would be much more interesting if they were to make their own versions of the protocols which differ from everybody else's. So the protocol processing can be painful and unpleasant.
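The glitch filtering and protocol processing described above, sketched in user space for a single protocol. This is an added example, not LIRC or kernel code: the NEC framing (9 ms leader mark, 4.5 ms gap, then 32 bits sent least-significant bit first as address, inverted address, command, inverted command) is chosen here as an assumption because the article names no protocol, and the `ir_sample` structure, the 100 µs glitch threshold and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One mark (pulse) or gap (space) as a raw receiver reports it, in microseconds. */
struct ir_sample { bool pulse; uint32_t us; };

#define GLITCH_US   100u  /* assumed noise threshold: shorter samples are glitches */
#define NEC_SAMPLES 67u   /* leader mark + gap, 32 x (mark, gap), stop mark */
#define MAX_SAMPLES 128u  /* longer input cannot be one frame and is rejected */

enum { NEC_OK = 0, NEC_ESHORT = -1, NEC_ELEADER = -2, NEC_EBIT = -3, NEC_ECHECK = -4 };

/* True if a measured duration is within +/-25% of the nominal one. */
static bool within(uint64_t us, uint64_t nominal)
{
    return us * 4 >= nominal * 3 && us * 4 <= nominal * 5;
}

/* Fold each glitch into the sample before it, then fold in the same-polarity
 * sample that follows, so the output strictly alternates mark/gap. Returns the
 * number of samples written, or 0 if the input does not fit in cap entries. */
static size_t filter_glitches(const struct ir_sample *in, size_t n,
                              struct ir_sample *out, size_t cap)
{
    size_t m = 0;
    for (size_t i = 0; i < n; i++) {
        bool glitch = in[i].us < GLITCH_US;
        if (m > 0 && (glitch || out[m - 1].pulse == in[i].pulse)) {
            uint32_t sum = out[m - 1].us + in[i].us;
            out[m - 1].us = sum < in[i].us ? UINT32_MAX : sum;  /* saturate */
        } else if (!glitch) {
            if (m == cap)
                return 0;
            out[m++] = in[i];
        }   /* a glitch before the first real sample is dropped */
    }
    return m;
}

/* Decode one NEC frame; every index used is covered by the length check. */
static int nec_decode(const struct ir_sample *raw, size_t n, uint8_t *addr, uint8_t *cmd)
{
    struct ir_sample s[MAX_SAMPLES];
    size_t m = filter_glitches(raw, n, s, MAX_SAMPLES);
    uint32_t bits = 0;

    if (m < NEC_SAMPLES)
        return NEC_ESHORT;
    if (!s[0].pulse || !within(s[0].us, 9000) || !within(s[1].us, 4500))
        return NEC_ELEADER;
    for (size_t b = 0; b < 32; b++) {
        const struct ir_sample *mark = &s[2 + 2 * b], *gap = mark + 1;
        if (!within(mark->us, 560))
            return NEC_EBIT;
        if (within(gap->us, 1690))
            bits |= (uint32_t)1 << b;        /* long gap: bit is 1 */
        else if (!within(gap->us, 560))
            return NEC_EBIT;                 /* neither a 0 nor a 1 */
    }
    if (((bits ^ (bits >> 8)) & 0x00ff00ff) != 0x00ff00ff)
        return NEC_ECHECK;                   /* a byte and its complement disagree */
    *addr = bits & 0xff;
    *cmd = (bits >> 16) & 0xff;
    return NEC_OK;
}

/* Build a clean frame (constructed sample input); out needs NEC_SAMPLES entries. */
static size_t nec_build(uint8_t addr, uint8_t cmd, struct ir_sample *out)
{
    uint32_t bits = addr | (uint32_t)(addr ^ 0xff) << 8 |
                    (uint32_t)cmd << 16 | (uint32_t)(cmd ^ 0xff) << 24;
    size_t n = 0;

    out[n++] = (struct ir_sample){ true, 9000 };
    out[n++] = (struct ir_sample){ false, 4500 };
    for (int b = 0; b < 32; b++) {
        out[n++] = (struct ir_sample){ true, 560 };
        out[n++] = (struct ir_sample){ false, ((bits >> b) & 1) ? 1690 : 560 };
    }
    out[n++] = (struct ir_sample){ true, 560 };
    return n;
}

/* Decode a constructed frame (address 0x04, command 0x1b) whose leader mark is
 * split by a 40 us dropout; flip also turns address bit 0 from 0 into 1. */
static int decode_sample(bool flip)
{
    struct ir_sample f[NEC_SAMPLES + 2];
    size_t n = nec_build(0x04, 0x1b, f + 2);   /* room for two extra samples */
    uint8_t addr = 0, cmd = 0;

    f[0] = (struct ir_sample){ true, 5000 };
    f[1] = (struct ir_sample){ false, 40 };
    f[2].us = 3960;                            /* 5000 + 40 + 3960 = 9000 */
    if (flip)
        f[5].us = 1690;
    int rc = nec_decode(f, n + 2, &addr, &cmd);
    return rc == NEC_OK ? (addr << 8 | cmd) : rc;
}

int main(void)
{
    printf("noisy: 0x%04x  corrupted: %d\n", (unsigned)decode_sample(false), decode_sample(true));
    return 0;
}
```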
LIRC handles this mess by having drivers report "raw" pulse-length information via a special device; a user-space daemon then handles the task of turning that information into something that usefully describes a button-press event. In many cases, the low-level driver runs in user space and does not involve the kernel at all. Distribution of these events is also handled by the LIRC daemon, which can direct specific events to different applications, run programs in response to events, and so on in a flexible, scriptable manner. LIRC works, and some developers would like to see it merged into the mainline more-or-less as it stands now. Others, though, dislike the special-purpose "raw" interface used by LIRC. As Jon Smirl put it:
I'm not in favor of repeating the problems with a device specific user space interface for IR. I believe all new input devices should implement the evdev framework.
In other words, these developers want remote control devices to look like any other input device and generate input events through the same interface. Jon has posted a proposed IR input driver for discussion; it is actually a rework of work first posted one year ago. This code moves all processing into the kernel and provides a flexible mechanism for dealing with multiple remote controls.
As it happens, a number of remote control receivers already work this way, even in the absence of Jon's patch. LIRC is not the sole repository of IR receiver drivers; a fair number of them also live in the mainline kernel already, in the Video4Linux2 subsystem. TV cards often come with a bundled remote control and receiver, so it makes sense to write a driver for the receiver as part of the larger V4L2 driver. These drivers do not use the LIRC interface; instead, they generate input events directly. See the Conexant CX2388x IR driver for an example of what this sort of driver looks like.
The discussion covered various approaches to IR receivers without coming to any real resolution. Jon Smirl's attempt to clarify the goals for in-kernel IR support may have brought some focus, but little in the way of solid conclusions. Even so, there are some points of near consensus; these include:
- There needs to be some sort of API based on the input subsystem, where applications can obtain processed, high-level keycodes for button presses. The goal is to have remote-using applications "just work" whenever possible.
- There probably needs to be a separate interface where special-purpose applications can get raw timing data from the receiver - at least, for receivers without built-in decoders which can provide this information. This interface can be used to reverse-engineer the sequences sent by new remote control units and to deal with pathologically-bad hardware. There is talk of funneling raw data through the input layer as well, but it's not clear that doing so buys anything; it may be that just adopting the existing LIRC interface for raw data is as good an approach as any.
With regard to the keycode interface, there is still a lot of disagreement over where the keycodes should come from. Some developers want all of the IR drivers to be in the kernel, while others are happy with using the LIRC daemon (or something like it) to generate keycodes and push them back into the kernel from user space. In-kernel drivers have the potential to work with no daemon process and they can use the current module loading mechanism. Kernel-based drivers will also have lower response latency than a user-space daemon, saving precious milliseconds for desperate users who want to change channels and evade that "too much information" pharmaceuticals commercial.
On the other hand, in-kernel drivers are kernel code, with the higher level of risk that always implies. Filtering of input sequences and protocol processing can be a significant amount of work that some would rather see done in user space. It may never be possible to support the more problematic hardware in the kernel. Then, there are the truly wild ideas, such as wiring an IR receiver to a sound card's microphone input - something people actually do, evidently. The fact that some IR protocols may be patent-encumbered also needs to be kept in mind.
Another detail worth bearing in mind: a number of IR receivers are also capable of transmitting information. A solution based solely on the input layer will not be able to handle the output case.
There is one final, simple point: the LIRC drivers have seen many years of development, and they work. If LIRC is merged directly, the kernel will benefit from that work and the associated lessons learned. If LIRC is dropped in favor of fully in-kernel drivers, chances are good that some of those lessons will have to be learned anew. If the kernel were to go with a non-LIRC approach to IR drivers, it would probably, eventually, reach a point where it had a more capable and flexible system with wider device support than is available now. But, between here and there would be a period - perhaps a long period - where in-kernel IR support was not as good as LIRC.
Still, that might just be how things go in the end. The kernel development community, always concerned about what it will have to maintain five or ten years in the future, tends not to be in a hurry to merge something now just because it is seen to work. So, while it is yet possible that LIRC could be merged in something close to its current form, it's also possible that it could lurk on the sidelines while something significantly different is created for the mainline.
Page editor: Jonathan Corbet
Distributions
News and Editorials
Ubuntu 9.10: the koala is facing the cloud
Ubuntu 9.10, called Karmic Koala, brings a lot of small improvements and a couple of bigger features. GRUB 2 has become the default bootloader in Ubuntu 9.10, at least on a fresh install. Ext4 also got a promotion: it is the default file system now. The audio preferences now give access to the advanced possibilities of PulseAudio, such as an audio volume per application. And then there are prominent new applications like Ubuntu Software Center and Ubuntu One. But most of all, the distribution has shifted its focus to cloud computing: Eucalyptus has grown to maturity.
An encrypted home directory
The Ubiquity installer doesn't show much difference between Karmic and Jaunty, the previous release of Ubuntu. This is a sign of the maturity of Ubiquity, which is one of the most user-friendly operating system installers. But if we look more closely, there are some differences in the details. For example, in one of the last steps, users can enable an option to encrypt their home directory with their user password. This evolved from the Encrypted Private Directory feature in Ubuntu 8.10, which introduced an encrypted directory ~/Private within a user's home directory using eCryptfs. Ubuntu 9.04 extended this feature to cover the entire home directory, but it was only offered as an option in the alternate install CD.
As of Ubuntu 9.10, the option is available in the normal desktop installation as part of the user setup step. During a desktop session, the encryption and decryption of the user's home directory works almost completely transparently. However, there are a few caveats. If the user's encrypted home directory is not already mounted, then ssh public key authentication, cron jobs, and other programs that require access to data in the home directory will fail. Also, the encrypted file system does not yet work on top of a remote network file system such as SSHFS, NFS, or Samba.
A new software installer
A more visible "new kid in town" is Ubuntu Software Center, which replaces the "Add/Remove Applications" application to locate, install, and remove applications. Ubuntu Software Center introduces a new intuitive interface which, despite its simplicity, is already better than the previous one in a number of ways. For example, the user doesn't have to tick an application and click on Apply anymore, but is able to install an application in one click. Furthermore, while an application is installing, the user can continue browsing available software and select other applications for installation, which wasn't possible with "Add/Remove Applications".

Canonical's aim is to extend the functionality of Ubuntu Software Center gradually. The roadmap mentions some key goals. In Ubuntu 10.04 LTS, Software Center should be a viable alternative to Synaptic, allowing the same fine-grained package control and handling of error cases. Ubuntu 10.10 will provide the ability to purchase software from within Software Center and the ability to add PPAs (Personal Package Archives with user-contributed software packages). Ubuntu 11.04 will fine-tune the possibilities, for example with specialized interfaces for browsing and installing fonts, screen savers, or other particular classes of packages.
Empathy
After years of discussion, the Ubuntu developers have decided to change the default instant messaging client. Users of Ubuntu 9.10 will find that Pidgin has been replaced by Empathy. This application has been the official IM client of the GNOME desktop since version 2.24, and is built upon Telepathy, a universal messaging platform. Empathy supports all messaging protocols that Telepathy supports, such as MSN, Jabber, AIM, Yahoo!, IRC, etc. Even voice and video chats via Google Talk are possible.
The downside is that Empathy is still not on par with Pidgin with respect to functionality. While Pidgin offers a lot of preferences, options, and plug-ins, Empathy's preferences are rather spartan. The user just cannot personalize a lot in Ubuntu's new default IM client. For example, if someone sends a message, the notification icon at the right of the top GNOME panel shows an icon, on which the user has to click to see the window with the message. There is no possibility to have this message window pop up automatically on an incoming message. That may be fine for the average user that just wants to chat occasionally, but your author will stay with Pidgin for now.
Ubuntu One
With the Ubuntu One web service, Canonical has added the possibility to synchronize different Ubuntu computers. This is ideal for people that have an Ubuntu netbook or laptop that they use regularly in their garden or on a terrace. They can synchronize their mobile Ubuntu environment with their Ubuntu desktop at home. The first time a user launches Ubuntu One in the GNOME menu "Applications / Internet", the user gets referred to the Launchpad web site to create a free account. Then the computer gets added to the Ubuntu One account.
The free account gives access to 2 GB storage space on the Ubuntu One server (with proprietary server side software). By paying a monthly fee of $10, this is extended to 50 GB. After registration, an Ubuntu One applet appears in the top GNOME panel and Nautilus shows a directory Ubuntu One inside the home directory. Every file transferred to the Ubuntu One directory gets uploaded transparently to the Ubuntu One servers and synchronized with other Ubuntu computers added to the account. All in all, this seems to work, but there are alternatives that cost the same and provide the same functionality, while also supporting other platforms, such as Dropbox (though its server side is also closed source). With a bit of effort, Ubuntu One also synchronizes Tomboy notes, Evolution contacts, and Firefox bookmarks. Synchronization of these types of data is based on the open source document-oriented database CouchDB.
Ubuntu Enterprise Cloud
In Ubuntu 9.04 (Jaunty Jackalope), Canonical started focusing on cloud computing. For this purpose, the company collaborated with the Eucalyptus project, which brought an Amazon EC2-style private cloud within the reach of every Ubuntu user. Eucalyptus made it possible to investigate cloud possibilities inside a company, without the need to deploy the applications on external servers at Amazon. Half a year ago, we took a look at the development of Eucalyptus and how to create a private cloud in Ubuntu 9.04.
However, Eucalyptus was still a technology preview in Jaunty and it had some rough edges. Your author set up a private cloud with Eucalyptus on Jaunty successfully, but it was a rather laborious, non-trivial task. With Karmic Koala, Eucalyptus has been integrated neatly into the distribution and has received the name Ubuntu Enterprise Cloud (UEC). Users can even install Ubuntu Enterprise Cloud machines directly from the server CD with the option "Install Ubuntu Enterprise Cloud" in the boot menu. This install has to be done on at least two systems: a cluster (the master server that implements the virtual network and the EC2 and S3 APIs) and one or more nodes (servers with a KVM hypervisor running virtual machines). The server install asks the user about the type of UEC installation. When the cluster is already installed, the installer on the node should detect the running cluster and select "Node" as UEC installation type automatically. This is much more user-friendly than before.

While users had to build their own images for Jaunty, Ubuntu 9.10 includes the first official release of Ubuntu Server images for UEC. In addition, these images also run on Amazon EC2 and have been published to Amazon EC2, where they can be used immediately with no need to download anything. Canonical has even opened a "Cloud Store". From within the web interface of a UEC cluster, the administrator can check a list of official images that Canonical makes available to run on Ubuntu Enterprise Cloud. At the moment, this is limited to 32-bit and 64-bit versions of Ubuntu 9.10 RC Server and a MediaWiki Demo Appliance. An image can be downloaded and installed right from within the web interface.
The growing Eucalyptus tree
Eucalyptus Systems, the company that the Eucalyptus developers founded right after the release of Ubuntu 9.04, has been working closely with Canonical for the development of Ubuntu Enterprise Cloud. As UEC layers Ubuntu-specific technologies atop the generic Eucalyptus cloud platform, much of the collaboration from the part of Eucalyptus Systems focused on helping members of the Canonical UEC development team understand the mechanics of the system. Eucalyptus Systems CTO Rich Wolski gives an example:
However, Eucalyptus Systems doesn't shut out other distributions. They have been working with the Debian community recently to get Eucalyptus into their next release "Squeeze" (6.0). They have also spoken with some of the people associated with openSUSE, Wolski said, adding:
External contributions
Earlier this year Wolski said that the developers were restricting external contributions to bug fixes, because they wanted to keep the code base stable in that early phase of development. Because the project's wiki still mentions this restriction, your author asked Wolski when they would accept more external contributions. He answered that they are not quite there, but almost:
Some people have criticized Eucalyptus for a perceived unwillingness to work with outsiders, unless they are Ubuntu. However, Wolski, who stresses that he is speaking for himself and not for the project, strongly objects to this criticism:
Canonical's future in the cloud
It's clear that Ubuntu Enterprise Cloud is a central feature in the Server Edition of Karmic Koala. Beginning with this release, Canonical adds consultancy, online training, support, and management tools. So there's no shortage of professional services for people that want to implement Ubuntu Enterprise Cloud in their company. There are even commercial images on the roadmap for the Cloud Store. This whole cloud ecosystem is one way in which Canonical wants to monetize Ubuntu. However, the basics can all be done for free. Ubuntu One has the same business model: users have a basic storage capacity for free, and can pay for more.
Half a year ago, your author wrote "Canonical wants to do for cloud computing just the same thing it has done with its desktop operating system: make it work out-of-the-box and make it easy to deploy," and expressed the hope that the technology would be mature in Ubuntu 9.10. With Ubuntu Enterprise Cloud, this hope is definitely fulfilled: it couldn't be easier to install. And thanks to the excellent online documentation, your author only needed a couple of hours to run an experiment with his own private mini-cloud with two Ubuntu machines.
New Releases
FreeBSD 8.0 released
The FreeBSD Project has announced the release of FreeBSD 8.0. "This next major release branch of FreeBSD delivers a large number of new technologies into the hands of an ever-increasing number of users. Key release focuses include wireless networking, virtualization, and storage technology." See the release notes for more information.
Linux Mint 8 released
The Linux Mint team has announced the release of Linux Mint 8 "Helena". "The 8th release of Linux Mint comes with numerous bug fixes and a lot of improvements. In particular Linux Mint 8 comes with support for OEM installs, a brand new Upload Manager, the menu now allows you to configure custom places, the update manager now lets you define packages for which you don't want to receive updates, the software manager now features multiple installation/removal of software and many of the tools' graphical interfaces were enhanced."
Mandriva presents Mandriva Flash 2010
Mandriva has announced the availability of Mandriva Flash 2010. "Mandriva Flash 2010 is the ideal companion for travellers. You can now take your desktop wherever you want with Mandriva Flash. Plug in the USB key, boot up your PC and within a handful of seconds the Mandriva Linux 2010 Operating System is ready for work, listening to music or surfing the Internet. Mandriva Linux 2010 is completely operational, needs no installation and fits into your pocket."
Tiny Core Linux 2.6 Is Now Available (Softpedia)
Softpedia covers the release of Tiny Core Linux 2.6. "Tiny Core Linux is a very small (10 MB) minimal Linux GUI Desktop. It is based on Linux 2.6 kernel, Busybox, Tiny X, and Fltk. The core runs entirely in ram and boots very quickly. Also offered is Micro Core a 6 MB image that is the console based engine of Tiny Core. CLI versions of Tiny Core's program allows the same functionality of Tiny Core's extensions only starting with a console based system."
Distribution News
Debian GNU/Linux
Debian 6.0 Squeeze to be released in summer 2010 (The H)
While the headline overstates the commitment to a northern hemisphere summer release of Debian "Squeeze" (6.0), there is an interesting tidbit in The H's brief article: "Due to the postponement of the final release until the summer, the code freeze has now also been rescheduled for March 2010. This thwarts Mark Shuttleworth's efforts to synchronise the release cycles of Debian and the Debian-based Ubuntu distribution, at least for Squeeze — the release of the next version 10.04 of Ubuntu is planned for April 2010."
Invitation to the BSP in Mönchengladbach (Germany)
There will be a Bug-Squashing-Party in Mönchengladbach, Germany on the weekend of 22-24 January, 2010 to help squash release critical bugs in squeeze (Debian 6.0). "Even if you are not a Debian developer, but are interested in helping Debian to get all the open release critical bugs fixed, you're welcome at the BSP. There will be enough developers around to sponsor your NMUs."
Bits from the NM people
Click below for the latest news from the Debian New Maintainers team. "The NM process is always short of application managers. Applicants are waiting to get one assigned. As usual, we invite experienced DDs to join up and help out. Remember that AM work is a fun and interesting way to learn more about Debian and the people involved! It's always better to have AMs waiting rather than NMs."
Fedora
Callaway: Chromium: Why it isn't in Fedora yet as a proper package
Fedora engineering manager Tom "spot" Callaway looks at Chromium development on his blog. Specifically, he has been building Chromium from source and makes it available for Fedoras 10-12, but hasn't packaged it up officially; in the blog post, he outlines reasons why. "Google is forking existing FOSS code bits for Chromium like a rabbit makes babies: frequently, and usually, without much thought. Rather than leverage the existing APIs from upstream projects like icu, libjingle, and sqlite (just to name a few), they simply fork a point in time of that code and hack their API to shreds for chromium to use. This is akin to much of the Java methodology, which I can sum up as 'I'd like to use this third-party code, but my application is too special to use it as is, so I covered it with Bedazzler Jewels and Neon Underlighting, then bury my blinged out copy in my application.'. A fair amount of the upstream Chromium devs seem to have Java backgrounds, which may explain this behavior, but it does not excuse it. This behavior should be a last resort, not a first instinct."
Fedora Elections
Fedora elections are underway for seats on the Fedora Advisory Board, Fedora Ambassadors Steering Committee and Fedora Engineering Steering Committee. Voting will open from December 8 - 15, 2009. A questionnaire with answers from the candidates is now available.
Fedora's upcoming multi-day outage
The Fedora Project has announced a multi-day outage for some services. "Starting on December 12th The Fedora Project will start to move several servers, disk trays and related hardware from our current hosting location to another. This move is planned to be completed on December 15th and will ultimately provide better hosting facilities and room for growth."
Mandriva Linux
Noteworthy changes in Mandriva Cooker
Frederik Himpe takes a look at some changes in Mandriva Cooker (the development branch). "The Sysklogd system log daemon has been replaced by rsyslog. Rsyslog is a very modern system logger with very active development. It includes advanced features such as storing logs in SQL databases, e-mail warnings on certain log messages, support for sending syslog messages over TCP and many more. Users of sysklogd will be automatically migrated to rsyslog."
SUSE Linux and openSUSE
OpenSUSE sacks SaX2
Novell has announced that its much-loved "SaX2" tool for the configuration of the X Window System will be retired as of the openSUSE 11.2 release. "Novell has decided to no longer invest in development maintenance of SaX2 but instead rely on the new automatic and dynamic configuration features and invest in desktop applets to perform dynamic changes." Some members of the openSUSE community are rather vocally unhappy with this decision. Novell seems determined to follow this course (similar to what other distributors are doing), but points out: SaX2 is free software and others are welcome to keep it going.
Ubuntu family
Giving up the GIMP is a sign of Ubuntu's mainstream maturity (ars technica)
ars technica looks at a decision from the recent Ubuntu Developer Summit (UDS) to remove the GIMP from the default install. "An important part of the 10.04 roadmap that emerged during UDS is a tentative plan to remove the GIMP, the GNU Image Manipulation Tool, from the default Ubuntu installation. Although this decision is viewed by some as controversial, the reasoning behind it is valid. The removal of a niche professional graphics editing tool reflects Ubuntu's growing maturity as a mainstream platform for regular users."
Distribution Newsletters
DistroWatch Weekly, Issue 331
The DistroWatch Weekly for November 30, 2009 is out. "Small-screen displays have become an interesting playground for developers of Linux-based systems where creative engineers let their imagination run freely. Whether this is good or bad depends on many factors, but the fact remains that this freedom has already resulted in plenty of experimental interface designs which are exciting to check out and test. They diverge significantly from that "standard" desktop design pioneered by a large software company and provide a surprise or two along the way. Read our first-look review of Kubuntu Netbook Edition 9.10 for one such promising, though still incomplete, netbook interface design. In the news section, FreeBSD brings a variety of new features in the latest version of its popular operating system, Mandriva worldwide user communities complement the official products with a range of additional options, and Debian project leader hints at a possible release of "Squeeze" in the middle of next year. Also in this issue, a link to an Ubuntu Netbook Remix optimisation guide, a preliminary development and release roadmap of openSUSE 11.3, and an update to the latest changes in Mandriva's development branch. Happy reading!"
Fedora Weekly News 204
The Fedora Weekly News for November 29, 2009 is out. "We start this week's issue off with a couple additional Fedora 12 reviews to highlight, and also lots of Fedora Project Election information to inform and engage the user community! In news from the Fedora Planet this week, comparing the Nokia Maemo and Google Android platforms, thoughts on sustainable open source engineering, and a review of the 0.4 Eclipse Linux Tools. In the Quality Assurance beat, much detail on this past week's QA team activities, and an interesting Fedora 12 QA retrospective. Ambassadors news this week gives us an event report from the recent New York State Association for Technology and Computers in Education meeting. In Translation happenings, 0-day Fedora 12 translation polishing, and new members to the Fedora Localization Project for Italian, Sinhala and German. The Art/Design beat shows off discussion on an interactive design hackfest and wrapup of screenshots for a Fedora Game Spin. This issue wraps up with security patches released last week for Fedora 10, 11 and 12. Please enjoy FWN 204!"
Openmoko Community Updates
The Openmoko Community Updates for November 25, 2009 are available. Topics include tangogps 0.9.9, mokopod 0.1.5.1, Babiloo 2.0.9-3, and more.
OpenSUSE Weekly News/99
This issue of the OpenSUSE Weekly News covers Dominique Leuenberger: Compiz 0.8.4, Michal Hrusecky: Status Report - Media Wiki Theme, Linux.com/Joe Brockmeier: Vim 101: A Beginner's Guide to Vim, Pavol Rusnak: Fedora and openSUSE Community Engagement, Nmap 5.10BETA1 released, and more.
Ubuntu Weekly Newsletter #170
The Ubuntu Weekly Newsletter for November 28, 2009 is out. "In this issue we cover: Jono Bacon: Introducing Lernid, Mackenzie Morgan Interview, New Developers, LoCo News: Maryland, Massachusetts, Chile & Nicaragua, Ubuntu Forums Tutorial of the Week, The Planet: Laura Czajkowski, Andres Rodriguez, Amber Graner, & Harald Sitter, Full Circle Magazine #31."
Distribution meetings
FOSDEM 2010
There will be a 'distribution mini-conference' at FOSDEM 2010. "For those of you who were waiting for a call for talks from me on this subject, it's not really coming. However, if you think your talk may be of some interest to people working on distributions (Debian or non-Debian), your talk should be welcome."
Distribution reviews
Linux Mint 8 (Helena) Released (ZDNet UK Blog)
J.A. Watson covers the release of Linux Mint 8. "It is important to note that a good part of Linux Mint could be reproduced by a moderately experienced user installing Ubuntu and then adding the appropriate packages from Synaptic or whatever software repository or services - but that is exactly one of the major advantages of Linux Mint, you install it, and you have a system that includes many/most/all of the most popular packages."
Linux Mint 8 - Review and Commentary (Linux Critic)
Linux Critic has a review of Linux Mint 8 with plenty of screenshots. "Founded by Clement Lefebvre, this Irish based distribution has taken the linux world by storm and turned into one of the most popular user friendly distributions on the market. Linux Mint has turned into such a popular system, in fact, that a lot of people wait for it to come out as opposed to adopting the latest Ubuntu release."
Concurrent unhoods RedHawk Linux 5.4 (The Register)
The Register takes a look at RedHawk Linux 5.4. "With RedHawk Linux 5.4, announced Tuesday, Concurrent is slipping into Linux 2.6.31 and offering full compatibility with Red Hat Enterprise Linux 5 update 4. That's because RedHawk is a tweak on Red Hat, adding real-time extensions and other goodies cooked up by Concurrent to make it different from Red Hat's own Enterprise MRG real-time Linux."
Page editor: Rebecca Sobol
Development
Pyspread - a Python-based Spreadsheet application
Pyspread is a spreadsheet program with the unusual capability of supporting Python syntax within its cells:
![[Pyspread]](https://static.lwn.net/images/ns/Pyspreadlogo.png)
The Pyspread feature list includes:
- Released under the GPLv3 license.
- Designed for cross-platform operation.
- Individual cells can hold a Python expression.
- Cells return Python objects such as lists and matrices.
- Cells can access all of the available Python modules.
- The cell grid can be three dimensional.
- Unicode characters are supported.
- Pyspread can import and export comma separated value (CSV) lists.
- Statistics and plotting functions are available through RPy.
Pyspread version 0.0.12a was announced on November 21, 2009 by developer Martin Manns; it added some new functionality and included some bug fixes. The software is still in an early state of development: "Pyspread is currently in the Alpha stage. Feel free to try it out on your own risk. Toy with it. Send me lots of bug reports, feedback, suggestions and improvements."
Your author tried a test installation of Pyspread on an Ubuntu 9.10 system. The version 0.0.12a .zip file was downloaded and unzipped. The installation instructions in the INSTALL file said to run python setup.py install as root. This was done and pyspread was installed in /usr/local/bin/. Pyspread was run with the command pyspread and produced the error: No module named wx. The project's SourceForge main page had more information on the required packages: "In case you do not have it already get and install Python, wxpython and numpy. If you want the examples to work, install gmpy, R and rpy."
The required Ubuntu packages were named python-wxgtk2.8 and python-numpy. After installing the dependencies, Pyspread started successfully.
On the surface, Pyspread operation is similar to that of other spreadsheets, with the exception that the cells can contain the much more powerful Python expressions. The screenshot gives an example of the user interface. The Tutorial is the first place to go to learn how to use Pyspread; the FAQ may help to answer more obscure questions about the software. A few basic tutorial examples were tried and the software behaved as one would expect.
One issue that caused your author some confusion was that cells were labeled [X, Y, Z] but X was the position within the columns and Y was the position within the rows. From the Tutorial: "Each cell can access its own position in the grid through the magic variables X (row), Y (column) and Z (table)."
The documentation is quite sparse at this point in the software's evolution; it could be improved by including basic spreadsheet examples such as how to calculate the sum of a row and/or column of numbers. One could imagine that it would take a document the size of a book to cover the software's full capabilities.
Some interesting questions can be raised when using a general purpose language such as Python to calculate the cell values in a spreadsheet. Could the cells be filled with values produced by a USB-connected sensor or pulled from an external web page? Could the output of a cell be sent somewhere across the network? Could it encroach on the turf of commercial software such as PV-WAVE? And of course, what are the security implications of all of this? Pyspread should be an interesting application to watch as it matures.
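Because a cell can hold any Python expression and reach any installed module, a spreadsheet received from someone else is effectively a program. The following added example (not Pyspread code) audits cell sources with Python's ast module before anything is evaluated; the sheet layout, the allowlists and the function names are assumptions made for the illustration.

```python
import ast

# Builtins this reviewer accepts in a cell without comment (an assumption of
# the example, not a list taken from Pyspread).
SAFE_CALLS = {"abs", "float", "int", "len", "max", "min", "range", "round", "sum"}
# Modules whose functions may be called as module.func(...) (also an assumption).
SAFE_MODULES = {"math"}


def audit_expression(source):
    """Return findings for one cell expression; an empty list means nothing was flagged."""
    try:
        # mode="eval" accepts exactly one expression, so statements such as
        # "import os" are rejected before any further analysis.
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        return ["not a single Python expression (%s)" % exc.msg]

    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name):
                if func.id not in SAFE_CALLS:
                    findings.append("call to non-allowlisted name %r" % func.id)
            elif (isinstance(func, ast.Attribute)
                  and isinstance(func.value, ast.Name)
                  and func.value.id in SAFE_MODULES):
                pass  # e.g. math.sqrt(...)
            else:
                findings.append("call through an attribute or computed target")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            findings.append("access to underscore attribute %r" % node.attr)
    return findings


def audit_sheet(cells):
    """Map each flagged cell position to its findings; clean cells are omitted."""
    report = {}
    for position, source in sorted(cells.items()):
        findings = audit_expression(source)
        if findings:
            report[position] = findings
    return report


# Constructed sample sheet: (X, Y, Z) position -> cell source. This layout is
# made up for the example and is not Pyspread's file format.
SAMPLE_CELLS = {
    (0, 0, 0): "1 + 2",
    (0, 1, 0): "sum([3, 4, 5])",
    (0, 2, 0): "math.sqrt(16)",
    (1, 0, 0): "open('/etc/hostname').read()",
    (1, 1, 0): "__import__('socket').gethostname()",
    (1, 2, 0): "''.__class__",
    (2, 0, 0): "import os",
}

if __name__ == "__main__":
    for position, findings in audit_sheet(SAMPLE_CELLS).items():
        print(position, "->", "; ".join(findings))
```

A scan like this tells a reviewer which cells to read before opening a sheet; it is not a sandbox, and a cell that passes still runs with the full privileges of the user.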
System Applications
Database Software
Database Designer for PostgreSQL 1.2.9 released
Version 1.2.9 of Database Designer for PostgreSQL has been announced. "Version 1.2.9 (December 1, 2009) Extended SQL Editor with code completion and syntax validation added. Support for privileges added as well as Grant Manager for ACL editing. Diagram objects drawing improved."
PostgreSQL Weekly News
The November 29, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Device Drivers
libshcodecs 0.9.9 released
Version 0.9.9 of libshcodecs, a library for controlling SH-Mobile hardware codecs, has been announced. "This release adds support for encoding and decoding in resolutions up to 720p (1280x720). The shcodecs-dec and shcodecs-play commands now accept size arguments "720p" and "D1", and resolutions up to 1280x720 are valid for shcodecs-enc and shcodecs-record."
Interoperability
Samba 3.5.0pre1 is available
Version 3.5.0pre1 of Samba has been announced. "This is a preview of the next upgrade production release version of Samba. It is intended for testing purposes only."
Telecom
Moblin Toolkit (MX) 0.2.0 developer snapshot released
Version 0.2.0 of the Moblin Toolkit has been announced. "A new developer snapshot of the Moblin Toolkit (MX) is available today, along with a preliminary schedule (see below). The toolkit will be available in Moblin 2.2 and replaces the Netbook Toolkit (Nbtk). This is a development release. API and ABI are very likely to change."
Virtualization Software
VirtualBox 3.1 released
Sun has announced the release of version 3.1 of the VirtualBox virtualization platform. There's a bunch of new stuff in this release, including a more flexible snapshot mechanism, better 2D video acceleration, and more storage options, but the headline feature appears to be "teleportation," which allows live migration of guests between hosts.
Desktop Applications
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Accerciser 1.9.3 (documentation and translation work)
- at-spi 1.29.3 (bug fixes and translation work)
- AT-SPI2 0.1.3 (new features and bug fixes)
- atk 1.29.3 (bug fix)
- Evince 2.29.3 (new features, bug fixes and translation work)
- Eye of GNOME 2.29.3 (bug fixes and translation work)
- GDM2 2.29.1 (new features and bug fixes)
- gedit 2.29.3 (new features and bug fixes)
- GLib 2.22.3 (bug fixes and translation work)
- GLib 2.23.0 (new features, bug fixes and translation work)
- GNOME games 2.29.3 (new features, bug fixes and translation work)
- gnome-system-tools 2.29.1 (new features, bug fixes and translation work)
- Gnote 0.6.3 (bug fixes and translation work)
- GParted 0.5.0 (new features)
- GTK+ 2.18.4 (bug fixes and translation work)
- GTK+ 2.19.1 (new features, bug fixes and translation work)
- gtksourceview 2.9.3 (new features, bug fixes and translation work)
- Java ATK Wrapper 0.29.1 (new feature)
- mousetweaks 2.29.3 (translation work)
- seahorse 2.29.3 (bug fixes and translation work)
- seahorse-plugins 2.29.3 (new features, bug fixes and translation work)
- tracker 0.7.9 (new features, bug fixes, documentation and translation work)
- Zeitgeist 0.3.0 (new features, code cleanup and documentation work)
Repositioning the KDE Brand (KDE.News)
KDE.News covers the rebranding of KDE. Essentially, the "K Desktop Environment" expansion is deprecated, KDE refers to the community and is an "umbrella brand", what is currently called a KDE release will instead be a "KDE Software Compilation" release, and so on. "In the process, KDE's identity has shifted from being simply a desktop environment to representing a global community that creates a remarkably rich body of free software targeted for use by people everywhere. [...] KDE is no longer software created by people, but people who create software. [...] To be able to communicate this clearly in our messaging, it is necessary to reposition the KDE brand so that it reflects the reality. We therefore also need distinct brands for the products we produce." KDE hacker Aaron Seigo has some thoughts as well.
Armitage: The Future of Activities
KDE hacker Chani Armitage writes about KDE "activities" on her blog. Activities are part of a move towards a context-dependent desktop. Both Sugar's Activities and GNOME 3.0 workspaces have a similar focus, as we looked at back in May. "They're just desktop containments, groups of plasmoids. They can have a name, but nothing makes use of that yet. What I think of as an "activity" is the entirety of what I'm working on at the moment — be it a kde-related project or a university course or just reading lots of comics. :) This activity includes several windows from several applications. It includes files needed for the project. It includes a set of plasmoids, like the one I put my list of math questions on and the calculator plasmoid to go with it. At times it includes only *part* of an application: show me school email folders when I'm doing schoolwork, hide the KDE lists so that I'm less tempted to procrastinate. ;)"
KDE 4.3.4 released
Version 4.3.4 of the KDE Software Compilation has been announced. "This month's edition of KDE SC is a bugfix and translation update to KDE 4.3. KDE SC 4.3.4 is a recommended upgrade for everyone running KDE 4.3.3 or earlier versions."
KDE Software Announcements
The following new KDE software has been announced this week:
- 1337-x369513929661000482 1.0v (initial release)
- digiKam 1.0.0 rc (new features and bug fixes)
- Eclectus 0.2beta (unspecified)
- executebin-servicemenu-kde 0.1 (initial release)
- Kipi-plugins 0.9.0 (unspecified)
- KMess 2.0.1 (new features and bug fixes)
- KMid2 0.1.0 (initial release)
- KTodoList 1.0 (initial release)
- OnlineKostenStatistics 0.2.2 (unspecified)
- shared-desktop-ontologies 0.2 (new features)
- Soprano 2.3.70 (unspecified)
- YouVideor 0.1 (initial release)
Xorg Software Announcements
The following new Xorg software has been announced this week:
- xcb-proto 1.6 (new features, bug fixes and documentation work)
- xf86-input-wacom 0.10.2 (new features, bug fixes and documentation work)
- xf86-video-dummy 0.3.3 (new features and bug fixes)
- xorg-server 1.7.2 (bug fixes)
- xorg-server 1.7.2 addendum (regression report)
Electronics
PCB 20091103 released
Development Snapshot 20091103 of PCB, an electronic CAD application, has been announced. "Many thanks to everyone who tested, provided patches, and wrote code that went into this release. This release represents almost 200 commits and as such this summary clearly is not complete."
Mail Clients
Sylpheed 3.0beta3 (development) released
Development version 3.0beta3 of the Sylpheed mail client has been announced. "# SHA1/MD5 fingerprint and validity period of certificate is now displayed when verification of server SSL certificate failed. # Address book is now sortable by each column. # Address book search feature was added. # The visibility of message number columns in the folder view is now configurable for each column. # The error check of socket connection became more strict..."
Thunderbird 3.0 Release Candidate: Just in Time for Thanksgiving (OStatic)
Joe Brockmeier looks at Thunderbird 3.0 RC 1 on OStatic. "If you just can't get away from email over the holidays, you can at least help test the release candidate for Thunderbird 3.0. The Mozilla folks released Thunderbird 3.0 RC 1 on Tuesday with more than 100 changes in the release. It's been a long time in coming, the first release in the 2.0 series was back in 2007. But Thunderbird 3.0 looks like it might be worth the wait when the final is released. What's new and interesting? The user interface changes are probably the first thing you'll notice, especially the new tabbed interface. Instead of opening messages in a new window, they'll now open in a tab." Thunderbird is available here.
Math Applications
GMPY 1.11rc1 is available
Version 1.11rc1 of GMPY has been announced. "I'm pleased to annou[n]ce that a new version of GMPY is available. GMPY is a wrapper for the MPIR or GMP multiple-precision arithmetic library. GMPY 1.11rc1 is available for download from: In addition to support for Python 3.x, there are several new features in this release".
Music Applications
guitarix 0.05.2-1 released
Version 0.05.2-1 of guitarix has been announced; it includes some new capabilities and bug fixes. "guitarix is a simple Linux Rock Guitar amplifier and is designed to achieve nice thrash/metal/rock/blues guitar sounds. Guitarix uses the Jack Audio Connection Kit as its audio backend and brings in one input and two output ports to the jack graph."
Jackbeat 0.7.3 released
Version 0.7.3 of Jackbeat has been announced. "Jackbeat, the minimal-but-nevertheless-useful multi-platform step sequencer, has just reached version 0.7.3 ! This is mainly a bugfix release".
Jackbeat 0.7.4 released
Version 0.7.4 of Jackbeat has been announced. "A bug which may prevent to load samples have been fixed."
PianoBooster 0.6.4 released
Version 0.6.4 of PianoBooster has been announced; it includes numerous improvements. "Piano Booster is an Open Source program that helps with playing the piano and learning to sight read music. Its key feature is that it listens and follows what you are playing on the piano and waits for you to find and play the right notes. It helps you with this by giving you audio feed back. So if you play a wrong note then that note will have the Harpsichord sound but the right notes will have the Piano sound."
Office Applications
SyncEvolution 1.0 alpha 1 released
Version 1.0 alpha 1 of SyncEvolution has been announced. "In particular, we can: * synchronize directly with a phone over Bluetooth/OBEX * accept Bluetooth/OBEX connections in cooperation with obexd 0.19 * run SyncEvolution as a rudimentary HTTP SyncML server * be reasonably sure that it compiles and runs as well as 0.9.x because it passes the same nightly testing without known regressions. The main goal of this release is to get feedback on where we are going with 1.0 and its SyncML server and direct synchronization features."
Web Browsers
Firefox 3.6 Beta 4 released
Version 3.6 Beta 4 of Firefox has been announced. "This update contains over 100 fixes from the last Firefox 3.6 beta, containing many improvements for web developers, Add-on developers, and users."
Miscellaneous
BleachBit 0.7.2 released
Version 0.7.2 of BleachBit has been announced. "BleachBit (a pure PyGTK app) deletes traces of online Internet usage and recovers wasted disk space. Highlight of changes since 0.7.1: * Clear Konqueror cache, cookies, and history * Improve notifications (show them less often and for shorter a period of time) * Show system information for reporting bugs * Clear Microsoft Paint MRU * Clear more of WinRAR and Adobe Reader 6 * Request escalated (administrator) privileges on Windows Vista and Windows 7 * Fix many bugs".
cmndbot 0.1 beta 1 released
Version 0.1 beta 1 of cmndbot has been announced. "So once again i bite the bullet because i can no longer wait on going public with this. I'm pleased to announce CMNDBOT 0.1 BETA1 to the world as this is the first released of my port of GOZERBOT to the Google Application Engine, enabling it on wave, web and xmpp."
doit 0.5 released
Version 0.5 of doit has been announced. "doit - Automation Tool doit comes from the idea of bringing the power of build-tools to execute any kind of task. It will keep track of dependencies between "tasks" and execute them only when necessary. It was designed to be easy to use and "get out of your way". doit can be used as: * a build tool (generic and flexible) * home of your management scripts (it helps you organize and combine shell scripts and python scripts) * a functional tests runner (combine together different tools)".
Languages and Tools
Caml
Caml Weekly News
The December 1, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.
Python
GarlicSim 0.1.x released
Version 0.1.x of GarlicSim has been announced. "I'm pleased to announce the first alpha release, version number 0.1.x, of GarlicSim! GarlicSim is a Pythonic framework for working with simulations."
pdfrw pure-Python PDF file reading and writing
An early release of pdfrw has been announced. "pdfrw is a basic PDF file manipulation library, developed and tested on Python 2.5 and 2.6. pdfrw can read and write PDF files, and can also be used to read in PDFs which can then be used inside reportlab (as source material for new PDFs). This is also the underlying library for a new rst2pdf extension (not yet released, but in rst2pdf subversion) which allows arbitrary fragments of source PDFs to be embedded in the output PDF (without rasterization)."
pyxser 1.3r released
Version 1.34 of pyxser has been announced; it adds some new capabilities and bug fixes. "I'm pleased to announce pyxser-1.3r, a python extension which contains functions to serialize and deserialize Python Objects into XML."
Moving from Python 2 to Python 3: A 4 page "cheat sheet"
Mark Summerfield has produced a Python 2 to Python 3 cheat sheet. "I've produced a 4 page document that provides a very concise summary of Python 2<->3 differences plus the most commonly used new Python 3 features. It is aimed at existing Python 2 programmers who want to start writing Python 3 programs and want to use Python 3 idioms rather than those from Python 2 where the idioms differ."
The Python: Rag
The December, 2009 edition of the Python:Rag is available. "The Python: Rag is a monthly newsletter covering any aspect of the Python programming language."
Version Control
Mercurial 1.4.1 released
Version 1.4.1 of the Mercurial source code management system has been announced. "This is a minor bug-fix release."
Miscellaneous
ciss 0.1 released
Version 0.1 of ciss has been announced. "just released ciss-0.1, my attempt at (what i call) code-centered issue tracking. ciss is: - a command line tool for managing your ISSUES.txt - code-centered: associate issues to files in your project - extensible: assign tags for status/milestone/custom usage. - ueber-powerful issue editing: your text editor! - well tested (more tests than code)"
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
FSFE: EC caves in to proprietary lobbyists on interoperability
The Free Software Foundation Europe has issued a press release regarding EU government software interoperability. "The European Commission (EC) has given in to the demands of lobbyists for Microsoft and SAP when it revised a key document on interoperability between electronic government services. The Free Software Foundation Europe (FSFE) has analysed the evolution of a new version of the European Interoperability Framework (EIF), showing that the Commission has based its work on the input of the Business Software Alliance (BSA), a lobby group for proprietary software vendors, and ignored the voices of a large part of the European software industry. At the same time, remarks by the EC's Vice President about Free Software point to a worrying lack of awareness within the Commission."
Commercial announcements
CELF looking to fund embedded development projects
The Consumer Electronics Linux Forum is looking for ideas for improvements to embedded Linux that they can fund. "The CELF Open Project Proposal is a process whereby members of the public submit to the CE Linux Forum ideas and proposals for projects that they think should be worked on to enhance embedded Linux. The plan is to solicit ideas for our 2010 contract work projects. Areas of work can include the Linux kernel, graphics systems, toolchain work, or anything else that will help enhance Linux for use in embedded systems." See the open project proposal page for more information.
rPath offers management solution for Red Hat
rPath has announced its new release automation platform for Red Hat Enterprise Linux. "rPath, an innovator in automating application deployment and maintenance, today announced enterprise-focused productivity and management enhancements to the rPath release automation platform. The upgrades refine the functionality and user experience of the industry's first fully version controlled release automation solution, meeting the needs of each stakeholder in the enterprise release management process."
Thunderbird Connector for Open-Xchange is available
Open-Xchange has announced the availability of a free Open-Xchange connector for the Mozilla Thunderbird e-mail client. "The "Community OXtender for Thunderbird" software connector gives users full access to appointments and contacts stored in the Open-Xchange Server and enables them to use Thunderbird as a rich PIM (Personal Information Management) client to access data online and offline."
Articles of interest
Dell releases unofficial Chrome OS Linux desktop (ComputerWorld Blogs)
Steven J. Vaughan-Nichols reports that an unofficial build of Chrome OS is available for Dell's Mini 10v. "The Mini 10v is, as you might have guessed, one of Dell's PCs that already comes with Ubuntu as an option, but this is a very experimental release [of Chrome OS]. Still, as a USB-based distribution, it can't harm your 10v - if something goes wrong or it doesn't work you just remove the USB drive and reboot - so it's worth playing with if you like experimenting with Linux's newest bleeding-edge distribution."
Senators Nudge EU On Sun (Linux Journal)
Linux Journal reports that the U.S. Senate is now involved in the acquisition of Sun Microsystems by Oracle. "Despite having issued its formal objections, the European Commission continues to investigate the matter, and according to Oracle officials, it's costing Sun some $100 million per month. Given that Sun is a sizable employer, concern has grown that layoffs and possibly worse may be on the horizon, leading US officials to step in. Following the lead of high-profile senators Orrin Hatch and John Kerry, some fifty-nine members of the United States Senate — more than half — joined in sending a letter to the European Commission, asking that it complete its investigation ASAP. Citing the threat to American jobs, Senator Kerry told reporters that the senators "felt compelled to ask for a speedy resolution" to the seven-month saga."
Sun Leaves License Behind (Linux Journal)
Linux Journal reports that Sun will remove one license from its X.org contributions. "One project with a proliferation of licenses, though thankfully compatible, is X.org. We count some seventy-six separate licenses in the xorg/xserver's COPYING file, most of which are derivatives of the "standard" license, itself an MIT license. Most derivatives bear roughly the same language along with a single distinguishing feature: '...and that the name of [the copyright holder] not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.' That file will soon have one less license, however, as Sun Microsystems' Alan Coopersmith announced yesterday that the company will begin licensing its contributions under the "standard" license, which does not bear the advertising/publicity provision. Further, Sun will re-license all of its prior contributions, some twenty-one years of substantial contribution, under the "standard" licenses, ridding the code entirely of its derivative license."
New Books
Crafting Digital Media book from Apress
Apress has published the book Crafting Digital Media by Daniel James. "It covers Free Software audio applications including ALSA Modular Synth, Ardour, Audacity, Hydrogen, Jamin, Mixxx, and Seq24."
New revision of "Inkscape: Guide to a Vector Drawing Program" book
A new revision of the book Inkscape: Guide to a Vector Drawing Program has been announced. "The print version of Tavmjong's book "Inkscape: Guide to a Vector Drawing Program, 3rd Edition" is now in stock at a number of on-line bookstores. The book had been updated to cover Inkscape release 0.47. It is also available as a PDF download and for free on the web."
Resources
CE Linux Forum Newsletter
The November, 2009 edition of the CE Linux Forum Newsletter has been published. "In this month's CE Linux Forum newsletter: * Call for Presentations: ELC 2010 * CELF announces plan for "Open Project Proposals" * 31st Japan Technical Jamboree Announcement * Embedded Technology (ET) 2009 * 5th CELF Korea Technical Jamboree Report * New release of SMEM tool available!"
Interstellar overdrive - Linux and astronomy (The H)
The H has posted a lengthy look at Linux and astronomy at both the professional and amateur levels. "Perhaps the most impressive astronomy software on Linux for the impressionable layperson with a passing interest in science fiction and the stars is Celestia. Celestia is an interactive 3D application for astronomical visualisation, and is free software, licensed under the GPL. Unlike most planetarium software Celestia allows the user to travel across the universe, seeing objects as they would be seen from a spacecraft, and is the perfect way to forget your responsibilities in front of your computer as you set your controls for the heart of the sun."
The December Linux Gazette is out - sort of
The December issue of the Linux Gazette is out, but it consists only of one "back page" article bemoaning the lack of submissions and asking for more participation. "Because you - you, our readers, our authors, the participants in this process, the people who get involved and passionate and interested - you are the reason for the continuing existence of LG. If you're not there, not involved, and not interested... then LG has outlived its usefulness to the community, and all that's left is to thank everyone who has contributed, publish a wrap-up issue, turn off the lights, and go home. I can only hope that things have not reached that state - and I hope to see those articles, those questions, that commitment to tell me so."
Calls for Presentations
Linux Audio Conference 2010: Call for Papers now open
The call for papers has gone out for Linux Audio Conference 2010; submissions are due by February 14. "The next Linux Audio Conference (LAC#8) will take place at the HKM in Utrecht, Netherlands, from May 1st - 4th, 2010."
PGCon 2010 call for papers
A call for papers has gone out for PGCon 2010; submissions are due by January 19. "PGCon 2010 will be held 20-21 May 2010, in Ottawa at the University of Ottawa. It will be preceded by two days of tutorials on 18-19 May 2010."
Upcoming Events
GUADEC to be held July 24-30 in The Hague
The GNOME Foundation has announced the location and dates for its annual conference GUADEC. It will be held July 24-30, 2010 in The Hague, Netherlands. "'Free Software is of great importance to culture in the digital age,' said Kees Vendrik, Green MP and advocate of open source and open standards in the Dutch public sector. 'It offers a fertile feeding ground for education, innovation, and the economy at large. My party is delighted that the GNOME conference is coming to The Netherlands and we believe it will inspire our governmental bodies to put policy into practice.'"
L2Ork Debut Performance at Virginia Tech
A free performance of the Linux Laptop Orchestra will be held at Virginia Tech. "On December 4th Virginia Tech DISIS Linux Laptop Orchestra will hold its first sneak preview debut performance on Virginia Tech (VT) campus, Squires Studio Theatre, starting at 7pm. Admission is free. At noon on the same day, L2Orkists will also host a demo booth outside the Commonwealth Ballroom in Squires Student Center (VT campus) demoing how L2Ork works."
UKUUG Spring 2010 Tutorial and Conference
The UKUUG Spring 2010 Tutorial and Conference has been announced; it will be held in Manchester, UK on March 23-25.
Events: December 10, 2009 to February 8, 2010
The following event listing is taken from the LWN.net Calendar.
Date(s) | Event | Location |
---|---|---|
December 7 - December 11 | Annual Computer Security Applications Conference | Honolulu, HI, USA |
December 7 - December 13 | Make Art 2009 | Poitiers, France |
December 12 - December 13 | Django Development Sprint | Dallas, TX, USA |
December 12 - December 17 | SciPy India 2009 | Kerala, India |
December 12 | BSD community day | Utrecht, The Netherlands |
December 19 | New Mexico Linux Fest | Albuquerque, NM, USA |
December 27 - December 30 | 26th Chaos Communication Congress | Berlin, Germany |
January 13 - January 15 | Foundations of Open Media Software | Wellington, New Zealand |
January 15 - January 22 | Camp KDE 2010 | San Diego, CA, USA |
January 18 - January 23 | linux.conf.au | Wellington, New Zealand |
January 23 | Workshop on GCC Research Opportunities | Pisa, Italy |
January 23 - January 24 | DrupalSouth Wellington 2010 | Wellington, New Zealand |
February 2 | Prague PostgreSQL Developers' Day 2010 | Prague, Czech Republic |
February 5 - February 7 | Frozen Perl 2010 | Minneapolis, MN, USA |
February 6 | Super Happy Dev Castle #0 | Belfast, N. Ireland, United Kingdom |
February 6 - February 7 | Free and Open Source Developers' European Meeting | Brussels, Belgium |
If your event does not appear here, please tell us about it.
Miscellaneous
The Mysterious Disappearance Of Phil Agre (NPR)
Here's an NPR article on Phil Agre, who has not been heard from in over a year. "Agre's online influence reaches far and wide - which makes it all the more surprising that he could have gone missing for such a long time without more people noticing. He was the publisher of the Red Rock Eaters News Service, an influential mailing list he started in the mid-1990s that ran for around a decade. A mix of news, Internet policy and politics, RRE served as a model for many of today's political blogs and online newsletters." LWN was certainly influenced by RRE, and your editor still misses it. (Thanks to Jay Ashworth).
Page editor: Forrest Cook