LWN.net Weekly Edition for December 17, 2009
GNOME ponders its code of conduct
A wide-ranging discussion on the GNOME Foundation mailing list got rather heated at times, but touched on a number of different problems that many projects struggle with. The GNOME code of conduct (CoC) and how to keep the project's communication channels free of inappropriate content—including flamefests—was the topic, which makes it fairly ironic that a sub-thread descended into flames. While there was talk of voting on whether GNOME should leave the GNU project, cooler heads seem to have prevailed, so any vote on that is unlikely. The negative publicity that resulted from that proposal, however, led to suggestions that the mailing list cease being public—or that a private list be created—essentially keeping some portion of the foundation's discussion of its business out of the public eye.
The discussion sprung out of some complaints that the foundation board got about an inappropriate blog posting from a community member. Since many blogs of community members are aggregated on Planet GNOME (aka pgo), which is run by the project, inappropriate content could chase contributors away or reflect badly on the project. But the roots of the concern go back further than that. It was brought up by foundation member Dave Neary back in May, but it certainly wasn't new then either:
Not surprisingly, there are mixed feelings about having a "policing" role for the board. But, any kind of solution to the problem requires an understanding of what "inappropriate" means, and that's where the CoC comes into play. The code itself is pretty general, listing four things that community members should strive for:
- Be respectful and considerate
- Be patient and generous
- Assume people mean well
- Try to be concise
GNOME creates software for a better world. We achieve this by behaving well towards each other." Also unsurprisingly there seems to be little disagreement about the contents of the code, at least until some kind of enforcement enters the picture.
In November, partially as a response to the problem reported to the board,
board member Lucas Rocha proposed that the CoC become "an official document that new Foundation members are expected
to explicitly agree with before being accepted
". But the CoC explicitly
states that there is no "official enforcement of these
principles
", so it doesn't sit well with some that folks could just
agree without there being a way to do something if they fail to follow it.
Others, of course, complain that the CoC is far too vague to serve as any
kind of guide for punishing violations. There are also those who think the
problem is small enough that it could be handled on an ad hoc basis by
the pgo editors, as Philip Van Hoof suggested:
I think this could use some guidelines (for both the bloggers and the planet maintainers who for example could inform the blogger about their decision, allow the blogger to adapt his text, etc).
Others are concerned that GNOME is losing community members because of the tone and content of Planet GNOME, mailing lists, and other channels. Would a more formal enforcement section of the CoC—like the one proposed (and later withdrawn) by Jason D. Clinton—actually help keep those members? Or would it just lead to a different set becoming disgruntled with the "rules" and leaving because of that? Those are difficult questions to answer. It is also unclear how many people have been put off by inappropriate behavior rather than having left because their interests or employment changed.
Most seemed to be reasonably comfortable with enforcement being left as it is. There are some obvious problems—porn or spam were mentioned—that will be dealt with immediately, any others will be left to the discretion of pgo editors, community members in mailing list threads, and/or the board.
For Planet GNOME, though, there is a great deal of content that falls well
within the CoC, but might be objectionable for other reasons. The site is
set up to be "a window into the world, work and lives of GNOME
hackers and contributors
", but some are not that thrilled with
non-GNOME content being posted there. There was discussion of various
technical measures that could be taken: getting bloggers to limit their pgo
aggregation to posts with certain tags, adding some kind of voting system
to pgo that would raise and lower the visibility of posts based on their
popularity, and so on.
Many current and former GNOME contributors post about their work on their
blog and sometimes those posts refer to non-free software they are working
on. That seems perfectly in keeping with the stated mission of pgo, but it
didn't sit well with Richard Stallman: "GNOME
should not provide proprietary software developers with a platform to
present non-free software as a good or legitimate thing.
" He
suggested several different options for how he thought the project should
discourage those kinds of postings. That set off a firestorm.
Stallman is strident, and steadfast, in his opposition to non-free software—something that should surprise no one—but he tends to be generally polite in his email. Those who were upset by his suggestions were rather less so. Their position is that the Planet is following its mission and that none of its content is endorsed by the project. David "Lefty" Schlesinger put it this way:
Stallman disagreed, noting: "What it says [has] a
substantial effect on what people think GNOME is all about.
"
Eventually, Van Hoof proposed a vote on GNOME's
membership in the GNU project, because he believes that GNOME members
do not agree with Stallman:
Their position isn't necessarily compatible with your position that GNOME should "avoid presenting proprietary software as legitimate".
Van Hoof eventually withdrew the proposal for lack of support, along with a
recognition that GNOME's membership in GNU is largely symbolic. When
Behdad Esfahbod pointed to the criteria for GNU
software, Luis Villa noted that "we've always ignored about 90% of this page with no ill
effects for either us or GNU.
" GNOME and GNU have broadly similar
goals, but overall are not closely aligned. Villa continued:
The proposal to leave the GNU project did hit Slashdot and other outlets, though, which was seen as a bit of negative publicity the project could just as soon do without. Esfahbod proposed closing the mailing list to members only, but later amended that to propose creating a new private list. The consensus seems to be against the proposal, citing decision-making transparency as a desirable feature for GNOME. Murray Cumming pointed out that hiding the discussions will not solve the problem:
Supporters of the idea point out that other projects do have some private lists, and that allowing non-members to post can just derail the conversation—much as Stallman and others did. Clinton describes the need for a private list as follows:
One worry is that either all the conversations would migrate to the private list, reducing the transparency of the project, or that all would stay on the public list, which would make the new list moot. Sometimes projects need to struggle with issues, doing so in the open may not make for the best press, but it may make for the best decisions. As Miguel de Icaza put it:
This is not the first time GNOME has struggled with some of these issues, nor is it likely to be the last. There is much for other projects to consider here: content of aggregation sites, codes of conduct and what to do if they are violated, project transparency, and so forth. We are lucky in many ways that GNOME did have these discussions in the open. Other projects may make other decisions based on what has been discussed here, but the recent threads certainly will provide much in the way of food for thought as those decisions are being made.
Openmoko's WikiReader
Openmoko, the company that first gained attention for its Linux-based phone platform, launched a new pocket-sized open source product in time for this holiday season, the WikiReader. The WikiReader is an inexpensive ($99), low-power, 4-inch square touchscreen LCD display device pre-loaded with the text of three million Wikipedia pages on a microSD card. In the smartphone era, skeptics might dismiss the device as woefully underpowered, but to the open source community the more pertinent question is what else can it do?
Unboxed and unconnected
![[WikiReader]](https://static.lwn.net/images/wikireader-article-sm.jpg)
Physically, the WikiReader is distinctive; its square shape is easily hand-held, but stands out from mobile phones. It is white, which suggests the industrial design of e-Ink book readers, but the hardware interface is minimalist: power button on top, and three hardware buttons on the front, "Search," "History," and "Random." The screen is a monochrome LCD display with 240-by-208 pixel resolution and no backlight, but it is also a capacitive touchscreen, used for the on-screen keyboard when searching, selecting links, and scrolling through articles.
The device is very lightweight, slim, and at this size easily fits into a shirt pocket. It is available for purchase directly from the WikiReader web site, and from Amazon.com. The housing is not particularly tough, however, more akin to remote-control-quality plastics than the sturdier-walled materials on a cell phone or GPS unit, so the careful buyer might keep on the lookout for a padded PDA case of some sort to absorb abuse.
![[WikiReader back]](https://static.lwn.net/images/wikireader-back-sm.jpg)
Inside, the device uses an Epson S1C33 32-bit RISC CPU, 64KB of Flash ROM, 32MB of RAM, and a user-accessible microSD storage card. From the factory, it ships with a 4GB card, although other sizes are supported. For the curious, a debug connector is also accessible from the battery hatch. Power is supplied by two AAA batteries, which Openmoko claims will last 12 months given an average of 15 minutes usage per day. There is no other connectivity; no WiFi, no USB.
The content is a subset of Wikipedia's English-language text (no "adult" content; other omissions are not described). Naturally, given the display characteristics and storage, the 4GB card contains only article text; estimates put the total size of Wikipedia at 72 terabytes.
In use, the WikiReader always starts up on the search screen. Typing in a word on the onscreen keyboard pops up a match-as-you-type list of matching articles; the user can click on any of the links as soon as the right article is found. The History button brings up a clickable, scrollable list of recently-viewed articles, and as expected, the Random button loads a random page, almost instantly.
4 gigabytes of content is nice, but Wikipedia is constantly changing and growing. To handle this situation, Openmoko offers two choices: downloaded updated microSD card images (for free), or buy a subscription service, through which the company will mail a new microSD card semi-annually, for $29 per year. On top of that, naturally, the user also gets to collect the old microSD cards for use elsewhere.
A pocketful of information
In spite of the hardware limitations — many of which only seem like limitations in comparison to always-connected, touchscreen mobile phones — the WikiReader is remarkably fast, and despite being only a portion of the total Wikipedia, the amount of content is overwhelming. In fact, for looking up answers or information in a pinch, it easily beats connecting to the Wikipedia site over a mobile data connection.
![[Searching]](https://static.lwn.net/images/wikireader-search-sm.jpg)
The only real weaknesses are in the interface itself. First, the search function only matches the beginning of an article title, not the middle, and not full-text search. This can be a usability impediment in two ways; first by requiring the user to know the exact title of the article, and second by forcing the user to type extremely long titles (such as any "List of ..." pages). The latter issue is made worse because the on-screen keyboard is tricky to use. It is a QWERTY layout, with each key less than 5mm wide and 6mm tall. Additional space is taken up by non-sensitive black borders around each key, shrinking the target area.
As several blog reviews of the device have noted, although the history function is convenient, it would be greatly improved by a way to bookmark particular pages, and perhaps forward-and-back navigation buttons. Others have noted that the LCD screen can be difficult to read under poor lighting conditions due to the lack of a backlight.
More substantial criticisms tend to revolve around the guts of the device specifications itself, comparing it to considerably more expensive devices like e-Ink book readers and phones. Indeed, there are ways to access Wikipedia content on these devices (even offline), but the comparison misses the point Openmoko is shooting for. The WikiReader is intended for use in the offline world; it is not an underpowered Wikipedia browser or ebook reader, it is a pocket-sized reference encyclopedia. One that can be updated, for free, and uses free content. On those merits, the WikiReader is indeed a success.
Nevertheless, given the device's pedigree in multiple corners of the free culture movement (Openmoko's dedication to open source software and hardware, and Wikipedia stance on content), there are other criticisms that deserve a closer look. Benjamin Mako Hill lamented the lack of editing features — correctly noting that Wikipedia's true openness stems not from the licensing of the content for reuse, but from the user contributions. The device could cache edits locally, he said, which could be uploaded from a PC when the microSD card was pulled for an update.
Hacking
Adding editability would require substantial software changes, of course. Fortunately, the source code is all available online in a Git repository. There is documentation for cross-compiling the entire system for the S1C33 architecture from a Linux system with GCC, descriptions for flashing the boot loader, and a description of the boot sequence itself.
At boot time, the device loads an executable from the microSD card (by default, one named KERNEL.ELF, although it is not a proper operating system kernel) that contains hardware and filesystem drivers that launches the wiki reader application itself. Holding down the "History" button when powering on causes the device to load CALC.ELF instead, a basic calculator application. Holding down "Search" when booting loads FORTH.ELF, a Forth interpreter that can load the calculator or a variety of test and diagnostic applications (all written in Forth) instead.
Replacing KERNEL.ELF on the microSD card with another correctly-compiled application allows the user to customize the software without danger of bricking the device by re-flashing. It also allows Openmoko to roll out updates to the product without requiring customers to step through an upgrade process: just swap out the old card, and swap in the new.
The simplest enhancements, however, might only involve adding more content such as Wiktionary or Wikitravel (after all, the name is WikiReader, not WikipediaReader), or replacing the content with alternate languages. The tool suite contains Python and PHP utilities to convert MediaWiki XML dumps into the compressed format stored on the card, including creating the article index. Adding or replacing MediaWiki-formatted content should be as simple as exporting the XML from the wiki and running the utilities. Several users have already undertaken this task for French and Spanish Wikipedia content.
A more daring hack would be altering the wiki reader application itself to support additional content types. David Samblas, having noted that the sample Forth applications include basic graphics support, has undertaken [article in Spanish] adding portable bitmap format (PBM) images to the reader. His test images are of dubious quality for some image types — such as photographs — but others, such as line-drawing maps, might actually be useful on the device. He has not yet posted code to add this feature to the reader.
What else the WikiReader hardware can be hacked to do is an open question. Browsing the Openmoko mailing list, it is clear that a lot of early adopters are already pushing the device. Because the reader has a built-in Forth interpreter (powering the wiki reading application and all of the "hidden" test programs), writing new Forth applications is probably where outside software development will begin. So far, though, there is not yet a set of complete Forth development tools, only the toolchain at Github that is used to build the factory software. In the short term, there is still substantial room for expansion of the feature set just within the confines of the default reader application. Where Openmoko takes the product line from here is more fun to speculate about; perhaps if WikiReader is a success, a higher-end version will follow.
For today, however, the product makes for a fun stocking stuffer for the
family hacker. Openmoko is positioning the device in
its advertising as a way to get content into the hands of the "75% of
the world [that] is offline
" — including people in airplanes
or on beaches, and "most everywhere.
" The WikiReader certainly does that; several online reviews have praised its value in museums and tourist locations, where data plan charges would make a connected device prohibitively expensive to operate.
But Openmoko also praises the "important role
" Wikipedia
plays in people's lives and its goal of providing a free encyclopedia to
everyone in their native language. Hopefully the WikiReader hacking
community can make that a reality as well. There are hackable high-end
ebook readers, including some with larger, nicer displays, WiFi and GSM
connectivity, and more content. But they are also reportedly much more
difficult to work with. WikiReader takes aim at a more modest target, and
hits it.
Some thoughts on MySQL and Oracle
Your editor wishes to take no position on whether Oracle's acquisition of Sun Microsystems should be allowed to proceed by the European Union. Such a decision certainly involves a number of antitrust considerations which go beyond the free software community. That said, some of the positions being taken around this acquisition shine an interesting light on how parts of our community work.Fear #1 is that Oracle will kill MySQL, which Oracle is said to see as a threat to its cash-cow relational database management system. One might respond that similar fears were expressed after Oracle's acquisitions of Innobase and Sleepycat Software, but that things have not turned out that way so far. One might say (as Eben Moglen has) that keeping MySQL healthy is in Oracle's economic interest. One might also respond that Oracle could arguably do more damage to MySQL by breaking off the acquisition and allowing Sun to simply die. But what is most interesting about this particular concern is the lack of faith it shows in our community's ability to cope with such an outcome.
MySQL is licensed under GPLv2; it is free software. It can always be forked; indeed, some groups have already done so. There is nothing Oracle could do about that. Oracle could stop developing the free version of MySQL; it could even release future improvements which are available only on proprietary terms. But all it can take from us is the stream of future development which (we assume) we would have otherwise had from Sun. We might wish we had some of those enhancements, but it is another thing altogether to say that we are entitled to them. Free software generally does not come with a promise of future enhancements; what it does come with is the freedom to make those enhancements ourselves.
To say that Oracle would kill MySQL is to say that our community is not strong enough to continue its development outside of Oracle. That suggests that MySQL never really was an independent free software project. MySQL users who believe that should be clear about the position they think they have put themselves in: in this view, they are users of a proprietary product which happens to put out its code under the GPL. If this code has no future without its supporting company, the fact that it is freely-licensed has relatively little value. But such a view essentially writes off the community that has built the amazing collection of free software that we use every day. We are stronger than that.
Another interesting claim is that MySQL's license is the problem. Richard Stallman signed his name to a letter which expresses this worry:
The "more flexible license" in this case would be to add the "or any later version" language to MySQL's GPLv2 license. This statement looks like an attempt to push a license change onto MySQL, based on the assertion that GPLv2 somehow inhibits community contributions. Your editor is unaware of any study showing that developers are less willing to contribute to GPLv2-licensed projects; if such a study exists, it could certainly benefit from wider exposure.
That is not the only attempt to use this situation to bring out regime change on the licensing front, though. Consider Monty Widenius's "Help saving MySQL" post from December 12. He is asking readers to send messages to the European Commission; suggested text is helpfully provided. It includes:
Back in the days of MySQL AB, Monty and others were happy to put the GPL onto the MySQL code. It allowed them to release the code freely while building a business around selling proprietary licenses to companies which did not want to be bound by the GPL's terms. But the right to engage in this kind of business was sold to Sun with the company. Now Monty would like to get it back so that he, too, can sell proprietary versions of the software. This certainly looks like a bit of a request to have his cake and eat it too; it is not surprising that some observers have not been entirely impressed.
What we are really seeing here is the logical outcome of the corporate-controlled open source project model. Such projects may well create an external development community, but that community tends to be weak compared to well-established, independent projects. Additionally, the use of copyright assignments - common with company-owned projects - puts control of the entire code base into a single company's hands. As Eben Moglen noted in his submitted opinion on the acquisition, the single ownership of the MySQL code is part of the problem:
Anybody who has dealt with corporations for any period of time has probably learned one fundamental lesson: the company that one deals with today may differ significantly with the company one encounters tomorrow. Even in the absence of acquisitions, corporations tend to be just one bad quarter away from a total change of attitude. Being acquired will almost certainly change a company's approach to a project it owns - especially if that company is the sole copyright owner for the code in question.
Developers who contribute to a corporate project should be aware that they are signing their code over to an entity which may take a distinctly unpleasant turn tomorrow, regardless of how friendly it seems today. Users of this type of software should be aware that they cannot count on any promises which do not exist in a signed agreement with the owning company. The only exception is the license that the existing code is released under: that will not be going away. For a lot of MySQL users, the GPLv2 license is a more than sufficient promise for the future. Companies which have based products on the availability of affordable "GPL exception" licenses will be on less certain ground - though it is worth noting that Oracle has promised to extend those licenses for at least another five years.
Users of PostgreSQL (for example) need never worry about a takeover by Oracle or any other company; it is an independent project which will never be controlled by a single organization. Users of MySQL probably need not worry either; it is a well-established project which should survive a shift to a more community-oriented mode of development, should such a shift prove necessary. But the worries about this acquisition - at least, those which are not motivated by personal agendas - shine a light on what can happen with software which is controlled by a single organization. Being used as a political football in a regulatory fight, with all the associated uncertainties, is just one of the risks involved.
Security
TCP cookie transactions
In the currently ongoing Linux kernel merge window, for the kernel which will become 2.6.33, a new TCP feature has been added. TCP cookie transactions [PDF] are meant to eliminate various kinds of attacks, such as denial of service, while making the TCP connection handshake use fewer resources. One of the main motivations for cookie transactions is to avoid some problems that have cropped up in rolling out DNSSEC (Domain Name System Security).
DNSSEC responses are substantially larger than those of DNS, large enough that they have outgrown the default UDP datagram size of 512 bytes. UDP is generally used for DNS today, but large responses from DNSSEC over UDP result in multiple IP fragments. While it is perfectly reasonable to break up UDP packets that way, there are a large number of Network Address Translation (NAT) routers and firewalls that do not properly handle multiple UDP fragments.
When a DNS response is not received—or not received properly—a DNS resolver will typically retry the request over TCP. Because TCP is connection-oriented, there is a handshake that goes on to establish that connection before any data gets transferred. Normally, servers need to save some state between the two client packets that constitute the handshake. When handling an enormous number of requests, as the DNS root servers will for example, the storage of the state information adds up quickly. In addition, the well-known SYN-flood attack sends just the first packet of the handshake, often from a spoofed IP address, and never replies to the server to complete the connection. Enough "half open" connections can exhaust the server's resources, leading to a denial of service.
SYN cookies were created to defend against SYN flood attacks, and have been in the Linux kernel since 1997 when those attacks were raging. But, as Perry Metzger, William Allen Simpson, and Paul Vixie describe in their TCP cookie transactions (TCPCT) paper linked above, SYN cookies are only used when a system is under attack. They are a clever hack that uses the TCP sequence number to allow servers to defer using resources until they receive the second handshake packet from the client. Crucially, SYN cookies did not require client support, so they could be deployed unilaterally on the server side.
Various other mechanisms have been proposed to handle these problems over the years but, as outlined in the paper, failed to completely solve the problem. TCPCT sets out to do just that. It adds a new TCP option that contains a much larger, cryptographically secure cookie that is sent by the client in the initial handshake (SYN) packet. The server can then create a cookie for the reply that only it can decode. When the client uses that cookie in its second handshake (the third overall of the three-way handshake), the server can recover all of the information it needs to establish the connection from the cookie.
In addition, TCPCT allows for a limited amount of data to be sent in the request from the client and reply from the server, which allows for a query/response like DNS to be handled as part of the connection establishment. In those cases, the connection is torn down as soon as it is established.
TCPCT also addresses another problem that heavily used servers often have: port exhaustion. The TCP protocol requires that there be a timeout before port numbers are reused so that old messages that get delivered do not get confused with those of a newly-established connection. This is the TIME_WAIT timeout (usually four minutes) that is often annoying to those who restart server programs frequently (at least those without the SO_REUSEADDR socket flag). There are a limited number of ports available (nominally 64K, but at least 1K are reserved), an active server may have all of its free ports in the TIME_WAIT state. Because TCPCT can distinguish new and old connections based on the cookie data, it no longer has to wait on the server side. Only clients need wait out the TIME_WAIT period.
Obviously, TCPCT requires client support, and it will be some time before most operating systems have that support. As is often the case, Linux is out ahead of the pack by supporting TCPCT in the mainline. But even for Linux, it will be quite some time before 2.6.33 kernels make their way out to users via their distributions. Given that, widespread DNSSEC deployment seems quite a few years off, something that is a bit disheartening given all of the recent DNS server issues.
Brief items
Kretschmann: The Malware Problem (and a solution)
Amarok hacker Mark Kretschmann looks at the recent malware hidden in a GNOME screen saver. As he points out, it certainly isn't a GNOME-specific problem, as the same thing could happen to KDE and other projects. He and Ian Monroe came up with a way to help alleviate the problem by requiring public version control for Amarok scripts. "With a VCS [version control system], it's very easy to tell who inserted Malware, and when this person did this. This fact alone would provide some accountability, and I think it might prevent a good deal of attempts of messing around with the code. And even if it happened anyway, it would be trivial to revert the change, and we would just ban the person who did this from ever committing to this repository again."
New vulnerabilities
asterisk: denial of service
| Package(s): | asterisk | CVE #(s): | CVE-2009-4055 | ||||||||||||||||||||
| Created: | December 11, 2009 | Updated: | June 4, 2010 | ||||||||||||||||||||
| Description: | From the CVE entry: rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27.1, 1.6.0.x before 1.6.0.19, and 1.6.1.x before 1.6.1.11; Business Edition B.x.x before B.2.5.13, C.2.x.x before C.2.4.6, and C.3.x.x before C.3.2.3; and s800i 1.3.x before 1.3.0.6 allows remote attackers to cause a denial of service (daemon crash) via an RTP comfort noise payload with a long data length. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
asterisk: multiple vulnerabilities
| Package(s): | asterisk | CVE #(s): | CVE-2008-3903 CVE-2009-3727 CVE-2007-2383 | ||||||||
| Created: | December 15, 2009 | Updated: | June 4, 2010 | ||||||||
| Description: | From the Debian advisory:
It is possible to determine a valid SIP username, when Digest authentication and authalwaysreject are enabled (AST-2009-003). (CVE-2008-3903) It is possible to determine a valid SIP username via multiple crafted REGISTER messages (AST-2009-008). (CVE-2009-3727) It was discovered that asterisk contains an obsolete copy of the Prototype JavaScript framework, which is vulnerable to several security issues. This copy is unused and now removed from asterisk (AST-2009-009). (CVE-2007-2383) | ||||||||||
| Alerts: |
| ||||||||||
cacti: cross-site scripting
| Package(s): | cacti | CVE #(s): | CVE-2009-4032 | ||||||||||||||||||||
| Created: | December 16, 2009 | Updated: | August 24, 2010 | ||||||||||||||||||||
| Description: | Cacti suffers from several cross-site scripting vulnerabilities. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
Cacti: privilege escalation
| Package(s): | cacti | CVE #(s): | CVE-2009-4112 | ||||||||
| Created: | December 16, 2009 | Updated: | January 12, 2010 | ||||||||
| Description: | Cacti allows authenticated administrator users to gain access to the host system and execute arbitrary commands via the "Linux: Get Memory Usage" setting. Note that no fix for this problem is available as of this writing; administrative access should simply not be given to untrusted users. | ||||||||||
| Alerts: |
| ||||||||||
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey | CVE #(s): | CVE-2009-3979 CVE-2009-3981 CVE-2009-3983 CVE-2009-3984 CVE-2009-3985 CVE-2009-3986 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 16, 2009 | Updated: | June 14, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The firefox 3.5.6 and 3.0.16 and seamonkey 2.0.1 releases fix a new set of security vulnerabilities. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
firefox-sage: insufficient input sanitizing
| Package(s): | firefox-sage | CVE #(s): | CVE-2009-4102 | ||||
| Created: | December 15, 2009 | Updated: | December 16, 2009 | ||||
| Description: | From the Debian advisory: It was discovered that firefox-sage, a lightweight RSS and Atom feed reader for Firefox, does not sanitize the RSS feed information correctly, which makes it prone to a cross-site scripting and a cross-domain scripting attack. | ||||||
| Alerts: |
| ||||||
gpdf: buffer overflow
| Package(s): | gpdf | CVE #(s): | CVE-2009-4035 | ||||||||||||||||||||||||||||||||||||||||
| Created: | December 16, 2009 | Updated: | February 16, 2010 | ||||||||||||||||||||||||||||||||||||||||
| Description: | The type-1 font parser in gpdf suffers from a buffer overflow, exploitable via a maliciously-crafted PDF file. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
kdebase-runtime: missing input validation
| Package(s): | kdebase-runtime | CVE #(s): | |||||
| Created: | December 11, 2009 | Updated: | December 16, 2009 | ||||
| Description: | From the Ubuntu advisory: It was discovered that the KIO subsystem of KDE did not properly perform input validation when processing help:// URIs. If a user or KIO application processed a crafted help:// URI, an attacker could trigger JavaScript execution or access files via directory traversal. | ||||||
| Alerts: |
| ||||||
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2009-4131 | ||||||||||||||||||||
| Created: | December 10, 2009 | Updated: | January 21, 2010 | ||||||||||||||||||||
| Description: | From the Ubuntu alert:
Akira Fujita discovered that the Ext4 "move extents" ioctl did not correctly check permissions. A local attacker could exploit this to overwrite arbitrary files on the system, leading to root privilege escalation. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
kernel: denial of service
| Package(s): | kernel | CVE #(s): | CVE-2009-4021 | ||||||||||||||||||||||||||||||||||||||||
| Created: | December 14, 2009 | Updated: | March 1, 2010 | ||||||||||||||||||||||||||||||||||||||||
| Description: | From the SUSE advisory: CVE-2009-4021: The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack. | ||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||
merkaartor: symbolic link vulnerability
| Package(s): | merkaartor | CVE #(s): | CVE-2009-4193 | ||||||||
| Created: | December 16, 2009 | Updated: | December 16, 2009 | ||||||||
| Description: | Merkaartor suffers from a symbolic link vulnerability on /tmp/merkaartor.log, allowing a local attacker to append data to arbitrary files. | ||||||||||
| Alerts: |
| ||||||||||
moodle: multiple vulnerabilities
| Package(s): | moodle | CVE #(s): | |||||||||||||
| Created: | December 11, 2009 | Updated: | December 16, 2009 | ||||||||||||
| Description: | From the Red Hat bugzilla: Moodle upstream has released latest stable versions (1.9.7 and 1.8.11), fixing multiple security issues. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mysql: denial of service
| Package(s): | mysql | CVE #(s): | CVE-2009-4019 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 11, 2009 | Updated: | May 10, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry: mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
postgresql: multiple vulnerabilities
| Package(s): | postgresql | CVE #(s): | CVE-2009-4034 CVE-2009-4136 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 15, 2009 | Updated: | May 28, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory:
NULL Bytes in SSL Certificates can be used to falsify client or server authentication. This only affects users who have SSL enabled, perform certificate name validation or client certificate authentication, and where the Certificate Authority (CA) has been tricked into issuing invalid certificates. The use of a CA that can be trusted to always issue valid certificates is recommended to ensure you are not vulnerable to this issue (CVE-2009-4034). Privilege escalation via changing session state in an index function. This closes a corner case related to vulnerabilities CVE-2009-3230 and CVE-2007-6600 (CVE-2009-4136). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rt3: session hijack
| Package(s): | rt3 | CVE #(s): | CVE-2009-4151 | ||||||||||||
| Created: | December 11, 2009 | Updated: | December 16, 2009 | ||||||||||||
| Description: | From the CVE entry: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585. | ||||||||||||||
| Alerts: |
| ||||||||||||||
rubygem-actionpack: strip_tags function weakness
| Package(s): | rubygem-actionpack | CVE #(s): | CVE-2009-4214 | ||||||||||||||||||||||||||||||||||||
| Created: | December 10, 2009 | Updated: | September 5, 2011 | ||||||||||||||||||||||||||||||||||||
| Description: | From the Fedora bug report:
There is a weakness in the strip_tags function in ruby on rails. Due to a bug in the parsing code inside HTML::Tokenizer regarding non-printable ascii characters, an attacker can include values which certain browsers will then evaluate. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
webkit: multiple vulnerabilities
| Package(s): | webkit | CVE #(s): | CVE-2009-1714 CVE-2009-1710 CVE-2009-1697 CVE-2009-1695 CVE-2009-1693 CVE-2009-1694 CVE-2009-1681 CVE-2009-1684 CVE-2009-1692 | ||||||||||||||||||||
| Created: | December 14, 2009 | Updated: | January 25, 2011 | ||||||||||||||||||||
| Description: | From the Debian advisory: CVE-2009-1714: Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to the improper escaping of HTML attributes. CVE-2009-1710: WebKit allows remote attackers to spoof the browser's display of the host name, security indicators, and unspecified other UI elements via a custom cursor in conjunction with a modified CSS3 hotspot property. CVE-2009-1697: CRLF injection vulnerability in WebKit allows remote attackers to inject HTTP headers and bypass the Same Origin Policy via a crafted HTML document, related to cross-site scripting (XSS) attacks that depend on communication with arbitrary web sites on the same server through use of XMLHttpRequest without a Host header. CVE-2009-1695: Cross-site scripting (XSS) vulnerability in WebKit allows remote attackers to inject arbitrary web script or HTML via vectors involving access to frame contents after completion of a page transition. CVE-2009-1693: WebKit allows remote attackers to read images from arbitrary web sites via a CANVAS element with an SVG image, related to a "cross-site image capture issue." CVE-2009-1694: WebKit does not properly handle redirects, which allows remote attackers to read images from arbitrary web sites via vectors involving a CANVAS element and redirection, related to a "cross-site image capture issue." CVE-2009-1681: WebKit does not prevent web sites from loading third-party content into a subframe, which allows remote attackers to bypass the Same Origin Policy and conduct "clickjacking" attacks via a crafted HTML document. CVE-2009-1684: Cross-site scripting (XSS) vulnerability in WebKit allows remote attackers to inject arbitrary web script or HTML via an event handler that triggers script execution in the context of the next loaded document. CVE-2009-1692: WebKit allows remote attackers to cause a denial of service (memory consumption or device reset) via a web page containing an HTMLSelectElement object with a large length attribute, related to the length property of a Select object. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The 2.6.33 merge window is still open, so there is no published development kernel as of this writing. The 2.6.33-rc1 release, closing the merge window, can be expected almost any time now.Stable kernel updates: 2.6.32.1 and 2.6.31.8 were released on December 14. Both contain a long list of fixes, with many of them applied to the ext4 filesystem.
Quotes of the week
RCU mistakes
Thomas Gleixner has set himself the task of getting rid of the messy rwlock called tasklist_lock; in many cases, the solution is to use read-copy-update (RCU) instead. In the process, he found some problems with how some code uses RCU. They merit a quick look, since these problems may occur elsewhere, and may reflect an outdated understanding of how RCU works.The core idea behind RCU is to delay the freeing of obsoleted, globally-visible data until it is known that no users of that data exist. Traditionally, this has been accomplished by (1) requiring that all uses of RCU-protected data be in atomic code, and (2) not freeing any old data until every CPU in the system has scheduled at least once after that data was replaced by an updated copy. Since atomic code cannot schedule, this set of rules is sufficient to know that no references to the old data exist.
Needless to say, code working with RCU-protected data must have preemption disabled - otherwise the processor could schedule while a reference to that data still exists. So the rcu_read_lock() primitive has traditionally disabled preemption. Based on the code Thomas found, that seems to have led to the conclusion that disabling preemption is sufficient for code using RCU.
The problem is that newer forms of RCU use a more sophisticated batching mechanism to track references to RCU-protected data. This change was necessary to make RCU scale better, especially in situations (realtime, for example) where disabling preemption is undesirable. When using hierarchical (or "tree") RCU, code which simply disables preemption before accessing RCU-protected data will have ugly race conditions. So it's important to always use rcu_read_lock() when working with such data. Unfortunately, this is a hard rule to enforce in an automated way, so programmers will simply have to remember it.
Power capping
Salman Qazi hypothesizes a situation many of us have certainly found ourselves in:
The proposed solution, as it happens, also happens to work for another situation. Imagine you are Google, and you want to get the most out of each data center. One way to do that is to populate the site with more machines than the incoming power is able to handle, then moderate the power consumption of individual machines to keep the total below the limit.
In particular, the code that Google has works by forcing the processor to go idle for a given percentage of the time, where that percentage is set dynamically depending on the load on the machine and on the data center as a whole. If need be, a special-purpose realtime task will take over and idle the processor for the required time to keep the total computing time below the limit. There's some interesting heuristics for trying to force the idle cycles onto low-priority processes and for determining whose time slices the idle cycles are charged to.
This work sounds quite similar to the ACPI processor aggregator driver which was merged for 2.6.32 over scheduler maintainer Peter Zijlstra's objections. Peter has not yet spoken up on this patch, but, from the description, it sounds like it is closer to what he was requesting for this kind of functionality. It is hard to tell for sure, though; the actual code has not yet been posted. Hopefully that will follow soon, and this change can be evaluated for real.
kmsg_dumper
Nice new tracing tools notwithstanding, kernel developers still tend to reach for printk() when trying to figure out problems. But one need not work on kernel code for very long before running into an unpleasant fact: the most interesting stuff is often printed immediately before a crash, but, for many kinds of problems, the death of the system can prevent the output of those crucial lines. It's no fun to stare at a hung system, knowing that the information needed to find the problem is probably trapped in a buffer somewhere in that system's memory.2.6.33 will contain a new mechanism designed to help get that last bit of information out of a dying system's clutches. The developer need only set up a new "kmsg dumper" along these lines:
#include <linux/kmsg_dump.h>
struct kmsg_dumper {
void (*dump)(struct kmsg_dumper *dumper, enum kmsg_dump_reason reason,
const char *s1, unsigned long l1,
const char *s2, unsigned long l2);
struct list_head list;
int registered;
};
The dump() function will be called in the event of a crash; the two arguments s1 and s2 will have pointers to the data in the kernel's output buffer. Two pointers are needed due to the circular nature of this buffer; s1 will point to the older set of messages.
Registering and unregistering this function is a matter of calling:
int kmsg_dump_register(struct kmsg_dumper *dumper);
int kmsg_dump_unregister(struct kmsg_dumper *dumper);
In the 2.6.33 kernel, the "mtdoops" module has been reworked to use this new mechanism to save crash data to a flash device.
A new set of per-CPU operations
Per-CPU variables are a performance-improving technology. They allow processors to work with data without having to worry about locking or cache contention. One would want these operations to be well optimized, but, as it turns out, they can be improved; Tejun Heo and Christoph Lameter have done just that for 2.6.33. In the process, they have changed the way developers work with these variables.There is a set of new operations:
this_cpu_read(scalar);
this_cpu_write(scalar, value);
this_cpu_add(scalar, value);
this_cpu_sub(scalar, value);
this_cpu_inc(scalar);
this_cpu_dec(scalar);
this_cpu_and(scalar, value);
this_cpu_or(scalar, value);
this_cpu_xor(scalar, value);
In each case, scalar is either a per-CPU variable obtained with a new allocator or a static per-CPU variable as obtained from per_cpu_var(). All of them are atomic, in that the operation will not be interrupted part-way through on the current processor. It is not necessary to call put_cpu() after using these operations.
See, for example, the VM statistics conversion for an example of how operations on per-CPU variables change under the new scheme.
Kernel development news
2.6.33 merge window part 2
Since last week's summary, there have been over 4200 patches merged for the 2.6.33 development cycle. That makes a total of 8152 patches for this merge window, as of this writing.User-visible changes include:
- If there are any remaining reiserfs users out there: that filesystem
has seen a major rework of its internal locking to eliminate use of
the big kernel lock.
- The Super-H architecture has gained perf events support for a number
of system types.
- The exofs filesystem (for object storage devices) now has multi-device
mirror support.
- There is a new "discard" mount option for ext4 filesystems,
controlling whether ext4 issues TRIM commands for newly-freed space.
It defaults to off due to fears about how well this feature will
really work once hardware begins to support it.
- It is now possible to configure a kernel without ext2 or ext3 support,
but still mount filesystems with those formats using the ext4 code.
- The Nouveau reverse-engineered NVIDIA driver has been merged, but
without the accompanying firmware; see this article for more
information.
- The "ramzswap" device, formerly known as compcache,
has been merged into the staging tree.
- There is now support for the "BATMAN" mesh network protocol in the
staging tree.
- The "perf" tool now has a "diff" mode which will calculate the change
in performance between two different runs and generate a report.
- The semantics for the O_SYNC and O_DSYNC open-time
flags have been rationalized, as described in this article.
- The MD layer now supports barrier requests for all RAID types. The
device mapper, too, has improved barrier support.
- The snapshot merge
target for the device mapper has been merged.
- An extensive set of tracepoints has been added to the XFS filesystem,
allowing fine-grained visibility into most aspects of its operation.
- Memory pages shared with the kernel shared memory (KSM)
mechanism are now swappable.
- New hardware support:
- Block devices: The VMware paravirtualized SCSI HBA device,
LSI 3ware SAS/SATA-RAID controllers,
PMC-Sierra SPC 8001 SAS/SATA based host adapters,
Apple PowerMac/PowerBook internal 'MacIO' IDE controllers,
Blackfin Secure Digital host controllers,
TI DAVINCI multimedia card interfaces, and
BCM Reference Board NAND flash controllers.
- Miscellaneous: Dynapro serial touchscreens,
Altera University Program PS/2 ports,
Samsung S3C2410 touchscreens,
National Semiconductor LM73 temperature sensors,
Nuvoton NUC900 series SPI controllers
SuperH MSIOF SPI controllers,
OMAP SPI 100K master controllers,
ST-Ericsson AB4500 Mixed Signal Power management chips,
Freescale MC13783 realtime clocks,
Freescale MC13783 touchscreen devices,
SHARP LQ035Q1DH02 TFT displays, and
TI BQ32000 I2C realtime clocks.
- Networking: RealTek RTL8192U Wireless LAN NICs,
Agere Systems HERMES II Wireless PC Cards (Model 0110), and
Analog Devices Blackfin on-chip CAN controllers.
- Sound: AD525x digital potentiometers and
Texas Instruments DAC7512 digital-to-analog converters.
- Systems and processors: Neuros OSD 2.0 devices,
Nintendo GameCubes,
Freescale P1020RDB processors,
Freescale p4080ds reference boards,
Arcom/Eurotech ZEUS single-board SBC systems,
ATNGW100 mkII Network Gateway boards, and
Acvilon BF561 boards.
- USB: Xilinx USB host controllers and
OMAP34xx USBHOST 3 port EHCI controllers.
- Video4Linux: OmniVision OV2610, OV3610, and OV96xx sensors, Sharp RJ54N1CB0C sensors, E3C EC168 DVB-T USB2.0 receivers, E3C EC100 DVB-T demodulators, Maxim MAX2165 silicon tuners, Aptina MT9T112 cameras, and DiBcom DiB0090 tuners.
- Block devices: The VMware paravirtualized SCSI HBA device,
LSI 3ware SAS/SATA-RAID controllers,
PMC-Sierra SPC 8001 SAS/SATA based host adapters,
Apple PowerMac/PowerBook internal 'MacIO' IDE controllers,
Blackfin Secure Digital host controllers,
TI DAVINCI multimedia card interfaces, and
BCM Reference Board NAND flash controllers.
Changes visible to kernel developers include:
- The scsi_debug module can now emulate "thin provisioning" devices.
- The detect() callback in struct i2c_driver has lost
the unused kind parameter. Also, struct
i2c_client_address_data is no more; address lists are represented
with simple unsigned short arrays instead.
- The spinlock renaming
patch has been applied. Developers working near low-level code
will see the new arch_spin_lock_t type being used with
non-sleeping (even in the realtime tree) locks.
- Video4Linux2 has a
new subdevice API, called media-bus, intended to help in the
negotiation of image formats between the sensor and the controller.
- There is a new mechanism for grabbing and saving kernel messages on a system
crash; see this article
for more information.
- The per-CPU variable allocator has been replaced, and there is a new set of operations for working with these variables; see this article for a brief introduction.
This merge window should close in the very near future, so the 2.6.33 kernel is, at this point, close to being feature-complete. Any final additions will be noted in next week's edition.
Redesigning asynchronous suspend/resume
Your editor suspects that, were somebody to poll the community of Linux users, very few would state that they dislike the idea of having their systems suspend and resume more quickly. Rafael Wysocki has been working toward this goal for some time; his asynchronous suspend/resume patches were covered here back in August. This code has not encountered any real turbulence for a while, so one might well assume that Rafael's 2.6.33 pull request containing asynchronous suspend/resume would not be controversial. Such assumptions, however, fail to take into account the "last-minute Linus" effect.The simple fact of the matter is that, like anybody else, Linus cannot possibly follow all of the projects under way at any given time; that makes it entirely possible for work on a specific project to proceed to a conclusion without ever drawing his attention. That will inevitably come to an end, though, when somebody sends a pull request asking that the work be merged into the mainline. It seems clear that some requests are scrutinized more closely than others, but some are looked at closely indeed. The power management request, as it turns out, was one of those.
Linus didn't like what he saw, to say the least. The code struck him as overly complex and possibly unsafe; he refused to pull it. In particular, he thought that far too much work went into trying to map out the device tree topology and all of the dependencies between devices. In the past, attempts to make things asynchronous based on just the apparent topology have run into trouble; why should it be different this time?
Having said that, Linus then went on to outline an alternative solution based mainly on the device tree. In so doing, he wanted to make it possible for most drivers to ignore the concept of asynchronous suspend and resume entirely. For much of the hardware on the system, the time required for either operation is so short that there is really little point in trying to do it in parallel. If a device can be suspended in a few milliseconds, one might as well just do it serially and avoid the complexity.
For the rest, Linus very much wanted the decision on whether to do things asynchronously to be made at the driver level. But the power management core still needs to know enough about asynchronous operation to wait until it is done; one cannot suspend a controller until all devices connected to it have, themselves, completed suspending. After some revisions, Linus's plan came down to something like this:
- A reader/writer semaphore (rwsem) is associated with each node in the
device
tree. These semaphores allow an unlimited number of concurrent reader
locks, but only one writer lock can exist at any given time, and
writers must first wait for any readers to finish. At the beginning
of the suspend process, no locks are taken.
- The suspend process is initiated on all children of a given node. If
suspend is done synchronously, it happens right away and no further
action is required.
- Should the driver decide to suspend its device asynchronously, it
starts a thread to do that work. It also takes a read lock on the
parent's rwsem.
- When an asynchronous suspend for a specific device completes, the read
lock is released.
- The parent node acquires a write lock on its own rwsem before suspending the device. If any child nodes are suspending asynchronously, the write lock will block as a result of the outstanding read locks. Only when all read locks are released - meaning that all children are suspended - can the parent acquire its write lock and suspend.
For resume, the write lock is taken first, and all children take read locks on their parent before resuming the hardware. That will ensure that all devices complete resuming before any child devices begin the process.
This scheme has the benefit of simplicity. Getting it implemented took a few rounds of discussion, though, with Linus repeatedly asking developers to retain that simplicity and not try to make up new locking schemes. Things still changed along the way; as of this writing, the current suspend/resume patch set does not use Linus's plan as originally written. Among other things, Rafael, who did implement an rwsem-based solution, ran into problems with lockdep that Linus agreed were serious.
What has been implemented instead is a variant on that scheme based on completions. Every device node gets a completion structure, initially set to the "not complete" state. Additionally, any driver which implements asynchronous suspend/resume needs to call device_enable_async_suspend() to inform the power management core of that fact. It's now up to that core to create threads for asynchronous suspend/resume operations, and to invoke driver callbacks from those threads. Before suspending a specific device node, the power core will wait for completions for any child devices which have been marked for asynchronous callbacks. Once again, that ensures that all children have been suspended before the parent node is suspended.
Linus doesn't like the completion-based approach, but has indicated that he will be willing to take it. As of this writing, that has not yet happened, though.
Seen in one light, this episode highlights the sort of disregard for developer time which is occasionally seen in the kernel development process. It is not that uncommon for code which has seen a lot of work to end up being discarded or massively reworked. This model can seem quite wasteful, and there can be no doubt that it can be highly frustrating for the developers involved. But it is also a fundamental part of how quality control for the kernel works. The suspend/resume code was clearly improved by this last-minute redesign. One might say that it would have been better done some months ago, but what matters most for Linux users is that it happens at all.
The abrupt merging of Nouveau
The merge window is normally a bit of a hectic time for subsystem maintainers. They have two weeks in which to pull together a well-formed tree containing all of the changes destined for the next kernel development cycle. Occasionally, though, last-minute snags can make the merge window even more busy than usual. The unexpected merging of the Nouveau driver is the result of one such snag - but it is a story with a happy ending for all.
Dave Airlie probably thought he had enough on his plate when he generated
the DRM pull request for 2.6.33. This tree
contained 203 commits touching 122 different files, and adding over 9,000
lines of code. One of the key features aimed at the kernel is the new
"page flipping ioctl()," helpfully described in the commit message
as "The ioctl takes an fb ID and a ctrc ID and flips the crtc to the
given fb at the next vblank.
" In English, it means that a specific
video output can be quickly switched from one region of video memory to
another, allowing for clean video changes without the "tearing" that
results from display of a video buffer which is being changed.
Other changes for DRM this time around include support for Intel's "Ironlake" GPU and "Pineview" Atom processor, and a great deal of work supporting kernel mode setting on Radeon GPUs. Radeon, it seems, only lacks good power management support at this point; it will likely lose its "staging" designation before the end of this development cycle.
Linus was not impressed by any of that, though. Instead, he had one concern: the fact that the Nouveau driver - a reverse-engineered driver for NVIDIA chipsets - was not a part of the pull request. Nouveau had been discussed at the 2009 Kernel Summit, and it was generally agreed that this code should find its way into the mainline as soon as possible. 2.6.33 is the first merge window since the summit, and Linus clearly had expected some action on that front. When he didn't get it, he made his disappointment known.
One might wonder what the problem with Nouveau was. The world is full of out-of-tree Linux drivers; recent efforts have reduced their number considerably, but they still exist and Linus does not normally complain about them. Certainly Nouveau has a higher profile than most other out-of-tree drivers; it is the only hope for a free driver for a large percentage of available machines. But the real problem is that Fedora (at least) has been shipping this driver without doing enough (in Linus's opinion) to get it upstream. In Linus's words:
But not only is Fedora not following the rules, I know that Fedora people are actively making excuses about not following the rules. I know Red Hat actually employs (full-time or part-time I have no idea) some Nouveau developer, and by that point Red Hat should also man up and admit that they need to make "merge upstream" be a priority for them.
A number of reasons for the non-merging of Nouveau have been given, ranging from "not ready yet" and "unstable user-space API" to "we haven't found the time yet." The real blocker in recent times, though, has been the binary blob loaded into some NVIDIA GPUs by the driver. This chunk of code, known as the "voodoo" or "ctxprogs," was obtained by watching the proprietary drivers in action. Since nobody in the Nouveau project wrote this code, nobody has been willing to sign off on it; it's not at all clear that it can be legally distributed. Linus has not been impressed by this reason either, but the fact remains: developers take the Signed-off-by: line seriously and are not willing to attach it to something which might be legally questionable.
The obvious answer, one which has been applied in other situations, is to pull the firmware out of the driver and load it into the kernel at run time. And that is exactly what happened with Nouveau: Ben Skeggs put in an intensive effort to remove ctxprogs and use the firmware loading API to get it when the driver loads. Dave then put together the "DRM Nouveau pony tree" and requested that it be pulled for 2.6.33. Linus, of course, did exactly that.
Potential users will still have to get the "ctxprogs" from elsewhere. For whatever reason, pointers to "elsewhere" are hard to find, but your editor happens to know that the firmware can be found in the Nouveau git tree. Simply grabbing the right version and placing it in the local firmware directory should be sufficient.
All of this marks significant progress for Nouveau, but a dependence on firmware of dubious origin is likely to inhibit the adoption of this driver in the long term. So it was good to learn (via an LWN comment posting) that the contents of the ctxprogs blob are not quite as obscure as many of us had thought:
It seems that things are moving quickly on this front too; on December 15, Ben announced the availability of a replacement firmware for NVIDIA GeForce 6/7 hardware. This is a first posting for this code; doubtless testers will encounter some problems. But it sounds very much like the hardest problems have been overcome, at least for this particular variant of the hardware. With luck, NVIDIA's firmware will not be needed for much longer. In the longer term, it might even turn out to be possible to program interesting functions into the hardware, extending its capabilities in surprising ways.
Once upon a time, Linux users had to be very careful about which hardware they bought. Over the years, most of those problems have gone away; it is now easy to find systems which are completely supported by free software. One of the biggest exceptions has been in the area of graphics. Vendors like Intel and ATI/AMD have made the decision that their hardware should be supported with free drivers (most of the time) and have invested resources to make that happen. NVIDIA has been rather less cooperative, and support for its hardware has suffered accordingly. It would appear that the driver problem is getting close to a solution, but we should never forget the effort which was required to get to this point. NVIDIA would be far more worthy of our future commercial support if it had not made that effort necessary.
Patches and updates
Kernel trees
Architecture-specific
Build system
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Memory management
Networking
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
Sidux 2009-03 "Momos"
Debian unstable (codenamed Sid) is not called "unstable" for nothing.
It doesn't receive security updates, it contains bleeding edge packages
which may break the system, and occasionally the system might break very
badly. Although we don't have any statistics to refer to, there is
probably no Debian unstable user who has never ended up with their sleeves
rolled up fixing some serious problem which came up after a system
upgrade. That's why the Debian project is very clear about it:
"Use it at your own risk!
"
Sid is a challenge for some, and it's quite clear that it isn't the perfect choice for non-advanced GNU/Linux users. Nevertheless, for those up for the challenge, Debian unstable has potential. Taking advantage of that potential is a matter of preference. Debian polishes the unstable packages until they reach "testing", and continues to polish them until "testing" becomes the next stable release at some point. On the other hand, Ubuntu uses snapshots of Sid's codebase, recompiling and polishing the packages to build its stable releases. Sidux takes another approach by giving more love to the vanilla Debian unstable so it becomes capable for everyday desktop use.
The past
Sidux was founded by Stefan
Lippers-Hollmann (slh), an ex-Kanotix (a KNOPPIX derivative) developer. He
resigned from his position in the Kanotix team after two years of activity,
due to "technical and personal disagreements
". Among the
issues Lippers-Hollmann found unacceptable was a strategy change towards
more stable Debian branches as a base for Kanotix. While Kanotix looked
for more stability, SLH decided to stick to unstable, which resulted with
founding of Sidux - "the best Debian Sid based live distro
", according
to the Sidux declaration. For more details about the issue jump into
the LWN time machine and read this article
from December 2006.
Three years after the initial announcement, the Sidux team has released 11 versions. The current stable release is 2009-03, codenamed Momos (Μωμος).
The present
Sidux is primarily a KDE distribution, with an optional XFCE ISO. The Lite variant provides a minimal KDE installation, available in ISOs for 32 or 64 bit machines. "KDE full" is a DVD image which ships the complete KDE suite with several additional applications like OpenOffice.org and Iceweasel.
The Sidux installer offers a painless installation interface, which transfers the system to hard drive in a matter of minutes. It's user friendly, with an interface divided into tabs (tabs are changed by clicking the "Forward" button). The Ext3 filesystem is a default, with Ext4 available. Besides an option for hard drive installs, Sidux offers an "install-sidux-to-usb" interface which installs the system to a USB stick. Apparently a bug appeared during the testing of this feature, since it didn't work for me with the default empty root password.
The first, and one of the most important differences between Debian Sid and Sidux is the kernel. While the Debian kernel is a bit conservative regarding desktop settings (preemption, etc.), Sidux uses a custom kernel which is tuned for maximum performance. In addition, there is a long list of included firmware. The goal is to make the best out-of-the-box functionality as possible. A good example of this was the Intel 4965 wireless controller on the test machine. The installer offered firmware installation and it was usable after the first boot.
The majority of Sidux software is installed from the Debian Sid repository. It's used alongside the Sidux repository which contains custom packages and updates/fixes for some of the Sid packages. For example, OpenOffice.org will be installed from Debian, but Kaffeine (the default media player) is built by the Sidux team and stored in the Sidux repository. Most of the custom packages contain the kernel, firmware, Sidux tools and other customizations like artwork and documentation.
Version 2009-03, is very fresh. It's running on top of Linux 2.6.32, Xorg 7.4, with KDE 4.3.4. A deeper look at the Sidux repository reveals Kaffeine 1.0 pre2 and Lirc 0.8.3 SVN build, together with a qemu-kvm package update, among others. The rest of the software is basically the same as Debian sid.
Besides the goal of being fast, and to recognize and make functional as much hardware as possible, Sidux ships several configuration tools. They are wrapped together into the command line interface called Sidux Control Center (siduxcc).
Siduxcc offers network interface configuration through Ceni (the network card configuration tool) and the hostname settings. Service activation/deactivation is available through rcconf for runlevels, or a custom interface per service (Apache, Cups, etc.). The X server settings offer a proprietary driver installation option for Nvidia/ATI chips, together with the usual graphical subsystem settings like resolution, color depth or compositing. Apt dist-upgrade and kernel updates are also possible to manage from Siduxcc.
The artwork has been customized for Sidux. It seems that the Sidux team takes appearances seriously since the overall look of 2009-03 showed quite a lot of energy invested into it. There is a custom font too, available in the Sidux repository. Speaking of repositories and artwork, the Sidux art development team maintains a separate repository which contains Inkscape and MyPaint packages built from SVN, which are used for the distribution's graphics production.
Sidux performed very well on the test machine, showing that kernel optimizations do their job. The snappy KDE 4 was a real pleasure, with all the goodies Debian has provided for years. Potentially the most complicated task for a regular user, proprietary Nvidia driver installation, is handled in a relatively easy way. It is managed with a command line interface, but truth to be told, it's as easy to use the arrow and enter keys rather than moving the mouse and clicking.
The future
With everything taken into account, it's hard to make a concise conclusion about Sidux. The reason is simple though: it's a desktop optimized, easy to use and configure distribution, which relies on the Debian unstable branch. Despite the fact that it runs very well in terms of performance and stability, it is still built on top of a package base which can seriously break at some point. Ordinary users should not have to deal with potential Debian Sid troubles.
Therefore, Sidux might be great for the users who are able to handle somewhat complex situations, with no time (or will) to make Debian Sid a decent desktop distribution. If one desires a Debian/KDE based distribution with fresh software Sidux is worth a try.
New Releases
GNUSTEP CD 2.0 released
Version 2.0 of the GNUSTEP live CD is available. "The GNUSTEP live CD project has a new version out including many GNUstep software forming a development environment. As a bonus you get some classic games like nethack, and quite a few network and system recovery and administrator tools. There is also a few 3D and audio programs on it. It's based on the 2.6.31 Linux kernel, and on the Debian Linux distribution, created using the live-helper package."
Jolicloud netbook Linux distro goes beta (geek.com)
geek.com covers the release of Jolicloud beta. "Jolicloud is gorgeous: a clean, crisp, stripped-down operating system with an iPhone-like quality. It's been specifically designed for netbooks, which means that most of the interface is fullscreen, and features big, punchable program launching buttons and easy-to-install app packages."
Omega (Boxer) Fedora Remix
Omega, a Fedora remix that includes multimedia players, codecs and other packages by default, has released a new version named Boxer. "Omega (Boxer) release is a remix of Fedora 12 and includes all the updates till Monday 14th of December 2009 from Fedora, RPM Fusion and Livna repositories. Adobe repository is also enabled by default for convenience but no software is installed from that repository by default."
Ubuntu Lucid Alpha 1 released
Ubuntu has announced the release of the first alpha for Lucid Lynx (10.04). This release is also available for Ubuntu Server for UEC and EC2, Ubuntu ARM, Kubuntu and Xubuntu.
Distribution News
Fedora
Fedora mailing list migration
All Fedora mailing lists that are currently hosted at redhat.com will be migrated to lists.fedoraproject.org. "Red Hat has agreed to forward the mail for the old list name to the new list names, and continue hosting the archives at their current location. Additionally, all archives will be copied over to the new location as well. All new archives will only be present at the new location."
Fedora Board Recap 2009-12-10
Click below for a recap of the December 10, 2009 meeting of the Fedora Advisory Board. Topics include Trademark agreements, fedoraturkiye.org, Planet guidelines, FUDCon follow-up, and more.FUDCon Unites Contributors in Canada's Queen City (Red Hat News)
Red Hat News covers the recent FUDCon Toronto. "This past weekend, the Fedora Project held one of its largest events ever at the York campus of Seneca College in Toronto, Canada. Over 200 talented Fedora developers and contributors started off Saturday morning in the Stephen E. Quinlan Building using the BarCamp method of "unconference" organization. The crowd was so large that we overflowed into a second large lecture hall, joined by video and audio conferencing to the first. Speakers pitched their talks, and audience interest decided the final schedule for the day, which filled lecture halls and classrooms throughout the building. Often people attend professional conferences and report that their best experiences happened in the hallway, talking to peers and luminaries. Our approach to FUDCon takes this so-called "hallway track" and makes it the focal point of the event, and as a result the conference includes much richer and satisfying content."
Ubuntu family
Minutes from the Ubuntu Technical Board meeting
Click below for the minutes of the Ubuntu Technical Board meeting held on December 1, 2009. Topics include Archive reorganization, Kubuntu updates policy, failing out of maintainer scripts, Community Bugs, and more.Sponsored security upload process update
Jamie Strandboge covers improvements to security updates for community supported packages. "Hopefully these changes will make it easier for people to contribute security updates, make our team a little more transparent, and ultimately better integrate our teams."
New Distributions
Unity Linux
Unity Linux is a Mandriva-based distribution that utilizes the MkLiveCD project, which allows developers to create their own distribution on top of a Unity Linux core. Unity Linux strives to provide a solid, well maintained foundation that developers can use as a starting point to build their own remastered distributions. The project recently announced its first beta release, Unity Linux 2010 Beta 1.
Distribution Newsletters
DistroWatch Weekly, Issue 333
The DistroWatch Weekly for December 14, 2009 is out. "As we near the end of another eventful year, the development of distributions tends to slow down a gear or two. This is perhaps a good time to take a look at some of the lesser-known projects. Today's feature article covers LinuxConsole, a small distro that started as a modified Mandriva for gaming consoles, but has since matured into a full-featured operating system in its own right. Read on for a complete review. In the news section, TuxRadar evaluates the most popular KDE-centric distributions, the Archiso-live project delivers a slick Arch Linux live CD with a friendly hard disk installer, Ubuntu sets out goals for its next stable release, and Katana announces a useful multi-boot suite containing today's most popular security distributions. Also in this release, the Q&A section hints at some reasons why Kubuntu is sometimes considered a neglected brother of the Ubuntu family, while a brief statistics section looks at online sales of low-cost CDs with free operating systems. All this and more in this issue of DistroWatch Weekly - happy reading!"
Fedora Weekly News 206
The Fedora Weekly News for December 13, 2009 is out. "This week's issue kicks off with an announcement that the Fedora-related voting has been extended one day due to some infrastructure outages. There is still time to vote, if you haven't yet! In news from Ambassadors, details on Fedora 12 release parties in Greece and Venezuela, and an Ambassadors update from Tunisia. Also a reminder to vote before the end of today in the FAMSco elections. In Quality Assurance news, we have a special double issue for you, including details from the latest weekly meetings, a report on QA activities at FUDCon Toronto last weekend, and early news on Fedora 13 work. In Design news, early details on Goddard theming and looks toward updating the Fedora community website. Security Advisories brings us up to date on the latest security patches for F10 through F12. We hope you enjoy FWN 206!"
Openmoko Community Updates/2009-12-09
This edition of the Openmoko Community Updates covers several new applications and other community news.OpenSUSE Weekly News/101
This issue of the OpenSUSE Weekly News covers Announcing New openSUSE Board members, Thomas Göttlicher: Install Multiple Kernel Versions using the YaST Qt Package Manager, Ben Kevan: KDE 4.4 Beta 1 - Tabbed Windows Review - openSUSE, Adobe Flash Vulnerabilities Affect Flash Player and Adobe AIR, Contemplating Upgrade to 11.2, and more.Ubuntu Weekly Newsletter #172
The Ubuntu Weekly Newsletter for December 12, 2009 is out. "In this issue we cover: Lucid Alpha 1 released, Call for nominations: Ubuntu Developer Membership Board, EMEA Regional Membership Board seeking new member, Edubuntu Council Elections, Ubuntu Women Team - A call for leadership nominations, Merging ubuntu-sru and motu-sru, New Ubuntu Members: Americas Membership Board Meeting, LoCo Directory, Introducing The Ubuntu Hour, Ubuntu Hour Orlando, FL & Salem, NC, Launchpad: Read-only status notification, Phone interviews about your Launchpad usage, Launchpad: Inline dupe-finding: an exercise in pain reduction (A call for testing), The Planet: Jono Bacon, Daniel Holbach, Charles Profitt, & The Ubuntu One Blog, and much much more!"
Newsletters and articles of interest
Get the best KDE Linux distro (TuxRadar)
TuxRadar looks at KDE-centric distributions. "Rather than providing simple packages for KDE, a real KDE distro is likely to include GUI refinements, usability tweaks, custom themes, artwork and a good selection of KDE applications. It's also nice when Gnome and GTK applications play happily with their KDE counterparts, especially if a compatible theme has been chosen from them both. KDE-based distros should be able to do this better than simple Gnome desktops."
Distribution reviews
Distro Review: Fedora 12 (Adventures in Open Source)
Dan Lynch reviews Fedora 12. "Fedora advocates always point to the fact that it often has new innovations before other distros. The developers work really hard on this and I think they see themselves as trail blazers in a way. They push a lot of their work back upstream and that's how it ends up in so many other distributions. That's something they really should be commended for." (Thanks to Rahul Sundaram)
Page editor: Rebecca Sobol
Development
Backup and restore PostgreSQL with pg-rman
The initial relase of pg-rman, an online backup and restore tool for the PostgreSQL DBMS, has been announced. The project developers include Itagaki Takahiro and Katsumata Tomonari and the code has been released under the BSD License. Currently, the software is only tested under Red Hat Enterprise Linux version 5.3.
![[pg-rman]](https://static.lwn.net/images/ns/pg-rmanlogo.png)
The project description states:
The software features one-line backup and restore operations, online backup, incremental backup and archive backup. Backups are compressed with gzip and the system can automatically delete its older backup archives. Backups are validated with CRC checks and the system includes the ability to restore to a specified point in time. Pg-rman supports two DBMS system configurations, standalone server and backup server.
Pg-rman is designed as a standard Unix style command line program; the user manual lists the following command line options: init, backup, restore, show, validate and delete. A variety of command line options are available and the software can output error codes, making it suitable for running from a scripted environment.
If you need an enhanced backup solution for your PostgreSQL database, pg-rman looks like the tool to use.
System Applications
Clusters and Grids
Gluster Storage Platform 3.0 released
Version 3.0 of Gluster Storage Platform has been announced. "The Gluster Storage Platform is based on the popular open source clustered file system GlusterFS, integrating the file system, an operating system layer, a web based management interface, and an easy to use installer."
Database Software
Firebird 2.5 Release Candidate 1 announced
Release Candidate 1 of Firebird 2.5 has been announced. "The project team announces that kits of Firebird 2.5.0 release candidate 1 are now available for all the supported main-line platforms (Win32, Win 64, Linux i86 and x86-64 and MacOS-X/Darwin i86 and x86-64). Please test it with your loads and report back to firebird-devel. Note, this is the first of two RC releases."
MySQL 5.5.0-m2 has been released
Version 5.5.0-m2 of MySQL has been announced. "The "-m2" suffix tells this is the second milestone according to our "milestone" release model, also called "Betony". The new features in this release are of beta quality. As with any other pre-production release, caution should be taken when installing on production level systems or systems with critical data."
PostgreSQL Security Update
A security update has been released for the PostgreSQL DBMS. has been announced. "The PostgreSQL Project today released minor versions updating all active branches of the PostgreSQL object-relational database system, including versions 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, and 7.4.27. This release fixes one moderate-risk and one low-risk security issue: an SSL authentication issue, and a privilege escalation issue with expression indexes. All PostgreSQL database administrators are urged to update your version of PostgreSQL at the earliest opportunity. There are also 48 other bug fixes in this release.."
PostgreSQL Weekly News
The December 13, 2009 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Embedded Systems
BusyBox 1.15.3
Stable version 1.15.3 of BusyBox has been announced. "Bug fix release. 1.15.3 has fixes for ash (compilation with signed chars, SIGHUP handling fix), awk, flash_eraseall (fix for newer kernel headers), grep, mount (mount -a won't mount everyting again on 2nd run), ping (fix unaligned access), split (accepts "-" as stdin now), build system (parallel build)."
Nook Torn Open, Hacked and Rooted (Wired)
Wired reports on successful efforts to hack the Nook e-book reader from Barnes and Noble. "Before you tut, toss your head and mutter 'so what?' like some petulant teenager, think about the uses. The Nook is now a computer running a full Android operating system, with a built-in, free cellular connection to the internet. It also has a battery that lasts days, not hours." It is worth noting that kernel hacker Matthew Garrett has also been looking at the Nook, including GPL compliance issues.
Interoperability
Samba 3.5.0 pre2 is available
Version 3.5.0 pre2 of Samba has been announced. "This is a preview of the next upgrade production release version of Samba. It is intended for testing purposes only."
Telecom
pysensor 0.7 released
Version 0.7 of pysensor has been announced. "PySensor is an environment to work with acceleration sensor data as emitted by mobile devices such as the Nokia N95/N97 or Android G1."
Web Site Development
Karrigell 3.0.3 released
Version 3.0.3 of Karrigell has been announced. "A new release of the Python web framework Karrigell has been published. The main changes are : - improvements to the module HTMLTags (HTML generator) : minor bug fixes ; new syntax to build the DOM tree top-down, using the <= operator ; methods for SELECT tags, checkboxes and radio buttons - extension mechanism for templating systems and a new "Karrigell Templates" (KT) template system (written by Jim Eggleston)..."
Midgard Weekly Summary #83
The December 11, 2009 edition of the Midgard Weekly Summary is out with the latest news about the Midgard web content management system. Topics include Vala, Activity Streams, PHP 5.3 and more.
Desktop Applications
Audio Applications
jack_mixer 7 released
Version 7 of jack_mixer has been announced. "What changed since version 6? * New maintainer, thanks Nedko for everything! * New icon by Lapo Calamandrei * Option to have a gradient in the vumeters * Option to use stock GtkScale widget for volume and balance * Rewrite of the C/Python binding (this removed the dependency on SWIG) * Improve performance when drawing vumeters * New menu items to load/save settings * New "Channel Properties" dialog, allowing to change assigned MIDI CCs * Automatic post fader outputs for input channels * Possibility to add new output channels, besides main mix * New "monitor" output, assignable to any output channel, or input channel (in which case it will take its prefader volume) * Removal of PyXML dependency".
Data Visualization
python-graph 1.6.3 released
Versions 1.6.3 of python-graph have been announced. "The 1.6.x series is our refactoring series. Along the next releases, we'll change the API so we can better prepare the codebase to new features."
Desktop Environments
GNOME Software Announcements
The following new GNOME software has been announced this week:- Empathy 2.28.2 (bug fixes and translation work)
- Evince 2.28.2 (bug fixes, documentation and translation work)
- GCalctool 5.28.2 (bug fixes)
- gnome-keyring 2.28.2 (new features, bug fixes and translation work)
- GNOME System Tools 2.28.2 (bug fixes and translation work)
- libgnomekbd 2.28.2 (bug fixes)
- MonoDevelop 2.2 RC (new features and bug fixes)
- MonoDevelop 2.2 (new features)
- mousetweaks 2.28.2 (translation work)
- Orca 2.28.2 (bug fixes and translation work)
- tracker 0.7.11 (new features, bug fixes and documentation work)
Exploring new Nepomuk Features in Mandriva Linux 2010 (KDE.News)
KDE.News looks at Nepomuk under Mandriva Linux 2010. "Stéphane explains that "Nepomuk initially aimed at two main achievements: 1) the ability to interlink data semantically on the desktop across the applications, 2) the ability to share semantic information with other desktops". The first is "getting mature from the infrastructure point of view" and he believes that Mandriva Linux 2010 gives a good insight into the improvements it can bring to the user, but much remains to be done. The design of the framework for the second main objective started only recently: "a workshop took place in Freiburg early November and resulted in a first draft of the Nepomuk Sharing Ontology, and in a set of sharing use cases". Ultimately, it should be possible to share semantic information everywhere from mobile handsets to enterprise servers so that "the sky's the limit"."
KDE Software Announcements
The following new KDE software has been announced this week:- Colibri 0.1.0 (initial release)
- Firefox addon for kwallet 0.4 (unspecified)
- karlyriceditor 0.7 (unspecified)
- Kio as default firefox download manager 0.1 (initial release)
- KMetronome 0.9.1 (new features and bug fixes)
- Konvertible 0.1 (initial release)
- Themonospot-Gui-Qt 0.1.0 (initial release)
Xorg Software Announcements
The following new Xorg software has been announced this week:- libpciaccess 0.11.0 (new features and bug fixes)
- listres 1.0.2 (new features, bug fixes and documentation work)
- pixman 0.16.4 (bug fixes)
- util-macros 1.4.1 (.pc file changes)
- xf86-input-evdev 2.3.2 (bug fixes)
- xf86-input-synaptics 1.2.1 (bug fixes and documentation work)
- xf86-video-nv 2.1.16 (new features, bug fixes and documentation work)
- xlogo 1.0.2 (bug fixes, code cleanup and documentation work)
- xorg-server 1.7.3.901 (bug fixes)
Encryption Software
Libgcrypt 1.4.5 released
Version 1.4.5 of Libgcrypt has been announced, it adds bug fixes and performance improvements. "Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols."
GUI Packages
Design tool Jeszra 0.1 for Python / Tk released
Version 0.1 of Jeszra has been announced. "Jeszra is a visual design tool, written in Tcl/Tk, which combines 2D vector graphics and Graphical User Interface design. Jeszra generates Python (Tkinter) wrapper classes for the components developed within Jeszra. Through Jeszra all Tcl/Tk control become available to a Python application."
Math Applications
OpenOpt 0.27 and FuncDesigner 0.17 released
Version 0.27 of OpenOpt and version 0.17 of FuncDesigner have been announced. "I'm glad to inform you about release of OpenOpt 0.27 (numerical optimization framework), FuncDesigner 0.17 (CAS with automatic differentiation, convenient modelling of linear/nonlinear functions, can use convenient modelling for some OpenOpt optimization problems and systems of linear/nonlinear equations, possibly sparse or overdetermined), DerApproximator 0.17 (finite-differences derivatives approximation, get or check user-supplied)."
Music Applications
guitarix 0.05.2-1 released
Version 0.05.2-1 of guitarix, an electric guitar amplifier simulator, has been announced. Changes include: "* set dependency of Gtk+ down to version 2.12 (for stable users, introduced by James Morris, thanks James) * make effects moveable (reorder effect chain)"
Office Suites
OpenOffice.org Newsletter
The November, 2009 edition of the OpenOffice.org Newsletter is out with the latest OO.o office suite articles and events.
Web Browsers
New Firefox and Seamonkey releases
Firefox 3.5.6 and 3.0.16 have been released. These updates, of course, fix another set of unpleasant-looking security issues; expect distributor updates in the near future. See the release notes (3.5.6, 3.0.16) for details. Note that Firefox 3.0.x support ends next month.Seamonkey 2.0.1 has also been released with fixes for these problems.
Languages and Tools
Caml
Caml Weekly News
The December 15, 2009 edition of the Caml Weekly News is out with new articles about the Caml language.
HTML
SHPAML 0.1 released
Version 0.1 of SHPAML has been announced. "SHPAML is a HAML-like language for Python. If you are not familiar with HAML, it is a markup language implemented in Ruby that allows you to create web pages with an indentation-based syntax. SHPAML is not an exact port of HAML, but it shares the same big goal of slimming your markup, and it is written in Python! It is a simple, lightweight preprocessor and intended to be used in many authoring schemes, whether you are producing HTML directly or integrating with a templating system."
Python
CodeInvestigator 0.20.0 released
Version 0.20.0 of CodeInvestigator, a tracing tool for Python programs, has been announced. "Changes: UI changes."
Distribute 0.6.9 released
Version 0.6.9 of Distribute has been announced, it adds several improvements. "Distribute is a fork of the Setuptools project. Distribute is intended to replace Setuptools as the standard method for working with Python module distributions."
gevent 0.11.2 released
Version 0.11.2 of gevent, a coroutine-based Python networking library that uses greenlet to provide a high-level synchronous API on top of libevent event loop, has been announced. This release includes several bug fixes.Python-URL! - weekly Python news and links
The December 15, 2009 edition of the Python-URL! is online with a new collection of Python article links.
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The December 16, 2009 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Editors
Emacs 23.1.90 pretest released
Version 23.1.90 pretest of Emacs has been announced. "There are quite a number of changes relative to Emacs 23.1, including several new packages, notably the CEDET package of development tools. See etc/NEWS for details. Emacs developers: please note that the tree is now frozen. No new features are allowed, unless agreed to by Stefan or myself."
Test Suites
PyUseCase 3.0.1 released
Version 3.0.1 of PyUseCase, an unconventional GUI testing tool for PyGTK, has been announced. "A new major release of PyUseCase came out last week with some big improvements on previous versions, and now there is a bugfix release tidying it up also."
Version Control
Git 1.6.5.6 released
Version 1.6.5.6 of the Git distributed version control system has been announced. "Hopefully this will be the last update to the 1.6.5.X series before the upcoming feature release (1.6.6). It fixes a security issue, and users of older 1.6.5.X series are strongly recommended to update to this version."
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
GNOME Foundation Advisory Board Fees changing
The GNOME Foundation Advisory Board fees will be going up. "For 2010, with the support of our advisory board, we are raising the GNOME Advisory board fees to $20,000 for large companies and $10,000 for small companies. The additional funding will enable us to to hold regular and active hackfests, support a small staff and support GNOME at local events worldwide."
Commercial announcements
Oracle's commitments for MySQL
Oracle has sent out a press release outlining a set of ten commitments it has made to the European Union regarding the future of MySQL. "Oracle shall continue to enhance MySQL and make subsequent versions of MySQL, including Version 6, available under the GPL. Oracle will not release any new, enhanced version of MySQL Enterprise Edition without contemporaneously releasing a new, also enhanced version of MySQL Community Edition licensed under the GPL."
Red Hat open-sources SPICE
Red Hat has announced that it has open sourced its recently acquired SPICE desktop virtualization technology. "Red Hat, Inc., the world's leading provider of open source solutions, today announced that, in an effort to openly collaborate with partners to drive the future of virtualization, it has open sourced its SPICE (Simple Protocol for Independent Computing Environment) hosted virtual desktop protocol. SPICE is a core component of the Red Hat Enterprise Virtualization for Desktops product that is currently in beta. Through the Spice project, Red Hat will collaborate with its partners and the open source community to expand the development of the protocol in an effort to help break down barriers to virtualization adoption."
Articles of interest
French army sides with Mozilla in Microsoft email war (Reuters)
Reuters takes a look at the use of Thunderbird by the French military. "The military found Mozilla's open source design permitted France to build security extensions, while Microsoft's secret, proprietary software allowed no tinkering. "We started with a military project, but quickly generalized it," said Lieutenant-Colonel Frederic Suel of the Ministry of Defense and one of those in charge of the project." (Thanks to Philip Webb)
Web Boosts the Cause of Free Color (Internet Evolution)
Internet Evolution discusses the problems inherent in the Pantone monopoly and introduces the Open Color Standard project as a potential solution. "What we have, then, is a venerable, widely supported, but largely inflexible and very expensive de facto standard. It has a huge impact on both print and digital media, not to mention the clothes you wear, the color you paint your living room, even the specific shades used to define healthy dirt or high-grade orange juice. It is, in short, a bloated monopoly eating up more and more of the color market."
Poulsbo mess casts a shadow on Intel's Moblin project (ars technica)
Ars technica takes Intel to task for the GMA500 graphics mess. "The crappy Poulsbo Linux drivers are practically notorious by now, so these issues aren't exactly news to Linux enthusiasts who have been watching the fiasco unfold for over a year; it has been like a trainwreck in slow motion. The real problem is Intel's lack of responsiveness to the concerns expressed by the Linux community. Intel has responded to criticism with extraordinary dismissiveness and has failed to provide meaningful clarification about the extent to which it intends to provide Linux software support for the hardware that it sells to vendors."
Legal Announcements
Best Buy, Samsung, And Westinghouse Named In SFLC Suit Today
The Software Freedom Law Center (SFLC) has filed suit against Samsung, Best Buy, Westinghouse, and others for GPL violations with regard to BusyBox. "The SFLC confirmed BusyBox violations in nearly 20 separate products cited in the complaint and gave each defendant ample time to comply with the requirements of the license. 'We try very hard to resolve these types of issues privately with companies, as we always prefer cooperation' said SFLC counsel Aaron Williamson. 'We brought this suit as a last resort after each of these defendants ignored us or failed to meaningfully respond to our requests that they release the source code'." Click below for the full announcement.
Bruce Perens: Statement on Busybox Lawsuits
Bruce Perens, creator of Busybox, comments on Busybox related lawsuits (for GPL violations). "First, I'd like to point out that I'm not represented in these lawsuits, and that the parties and the Software Freedom Law Center have never attempted to contact me with regard to them. As far as I am aware, and under advice of various attorneys, I still hold an interest in Busybox through both content and compilation copyrights."
Microsoft licenses another flash file format (cnet)
cnet reports that Microsoft is licensing the exFAT format. "Microsoft on Thursday said it has started licensing the technology behind another flash memory format. The company announced a program to license out the Extended File Allocation Table (exFAT) format, which is an updated version of the file allocation table format. Microsoft also licenses out that format, though its patents there have been the subject of contention, particularly since many distributions of Linux include the FAT formats. The newer format, exFAT, can work on far larger-capacity devices than its predecessor--256 terabytes, as opposed to 32GB for FAT."
Resources
FSFE Newsletter
The November, 2009 edition of the FSFE Newsletter is online with the latest Free Software Foundation Europe news. Topics include: "November: another month full of activities and work to do for FSFE. Among other things we launched the Fellowship grant project, fought for Open Standards in the European public sector, had an excellent time at the FSCONS in Sweden, and participated in WIPO to ensure that Free Software principles are respected. To keep FSFE strong and independent, we have launched our year-end fund raising campaign: Cooking for Freedom."
Linux Foundation Newsletter
The December, 2009 edition of the Linux Foundation Newsletter has been published. "In this month's Linux Foundation newsletter: * Get One, Give One Shares Benefits of LF Membership * 4th Annual Collaboration Summit Approaches * More Japan Linux Symposium Videos Available * LinuxCon 2010 Dates, Location Set * Linux Foundation in the News * From the Foundation: Browser Shares Reveal True Benefits of Open Source".
Open Source Hardware 2009 (Make)
Make Magazine has posted a guide to over 125 open source hardware projects. "Fab@Home is a project dedicated to making and using fabbers - machines that can make almost anything, right on your desktop. This website provides everything you need to know in order to build or buy your own simple fabber, and to use it to print three dimensional objects. The hardware designs and software on this website are free and open-source."
Education and Certification
LPI Expands Training Partner Program to 44 nations
The Linux Professional Institute has announced the expansion of its training program to 44 nations. "The Linux Professional Institute (LPI), the world's premier Linux certification organization, announced that it had expanded its training partner program to include 44 nations--up from 33 a year ago. In addition the organization has increased the number of LPI-Approved Training Partners (LPI-ATP) and LPI-Approved Academic Partners (LPI-AAP) to a total of 242 partners -- up 10% from this time last year."
Python Concurrency Workshop
David Beazley will be holding a Python Concurrency Workshop on January 14-15 in Chicago, IL. "I'm pleased to announce that that the Concurrency Workshop is back for another round and is better than ever. If you have been programming Python for awhile and want to take your skills up a notch, I think this may be of interest. Basically, we're going to take a in-depth look at concurrent programming idioms and library modules."
Calls for Presentations
Call for Talks - FOSDEM 2010 GNOME devroom
A call for talks has gone out for the FOSDEM 2010 GNOME devroom, submissions are due by January 8. "As for the last few years, we'll have a GNOME devroom next year at FOSDEM (6/7 feb in Brussels), and as always, we want *YOU* to give a talk about the cool project you are hacking on in this devroom During this week-end, we'll have half a day dedicated to GNOME specific talks, and on Sunday, we'll share the devroom with people hacking on other desktop environments and have talks about crossdesktop topics or talks about some GNOME specific topics, but which can be of interest to the other communities."
PostgreSQL Conference East 2010 Call for Papers
A call for papers has gone out for PostgreSQL Conference East, submissions are due by January 30. "The event this year is being held at Drexel University in Philadelphia from March 26th through 28th. Following previously successful United States PostgreSQL conferences, we will be hosting a series of 3-4 hour tutorials, 90 minute mini-tutorials, 45 minute talks, 5 minute lightning talks and a new 30 minute presentation time slot."
SCALE CFPs extended
The SCALE call for papers has been extended to December 24. "So far these prominent Free and Open Source Software (FOSS) experts are among those that have had presentations accepted: -- Aaron Seigo, "The Magic and Wonder of KDE4;" -- Bradley Kuhn, "Demystifying GPL Enforcement: Using the Law To Uphold Copyleft;" -- Ronald Minnich, "Ten million and One Penguins;" -- Akkana Peck, "Featherweight Linux: How to turn a netbook or older laptop into a Ferrari;" -- Pete Kronowitt, "The latest on Moblin;" -- Jeff Maier, "Tips and Techniques for Improving Embedded Linux Startup Time;" -- Tarus Balog, "So, You Think You Want to Start an Open Source Business?""
Upcoming Events
O'Reilly Media announces the First Global Ignite Week
O'Reilly Media has announced the First Global Ignite Week. "... a "worldwide distributed conference" of community-fueled Ignite events in more than 40 cities, from March 1-4, 2010. Upwards of 10,000 entrepreneurs, technologists, DIYers, local heroes, and creative professionals are expected to participate in cities including Seattle, Boston, New York, Nashville, Brussels, Paris, Sydney, and Bangalore. Igniters will gather in pubs, theaters, and other convivial venues for an evening that is a unique blend of networking, information, and fun, encapsulated in the Ignite motto: "Enlighten us, but make it quick." In talks that are exactly five minutes long, Ignite presenters share their personal and professional passions, using 20 slides that auto-advance every 15 seconds--whether they're ready or not."
Events: December 24, 2009 to February 22, 2010
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| December 27 December 30 |
26th Chaos Communication Congress | Berlin, Germany |
| January 13 January 15 |
Foundations of Open Media Software | Wellington, New Zealand |
| January 15 January 22 |
Camp KDE 2010 | San Diego, CA, USA |
| January 18 January 23 |
linux.conf.au | Wellington, New Zealand |
| January 23 | Workshop on GCC Research Opportunities | Pisa, Italy |
| January 23 January 24 |
DrupalSouth Wellington 2010 | Wellington, New Zealand |
| February 2 | Prague PostgreSQL Developers' Day 2010 | Prague, Czech Republic |
| February 5 February 7 |
Frozen Perl 2010 | Minneapolis, MN, USA |
| February 6 | Super Happy Dev Castle #0 | Belfast, N. Ireland, United Kingdom |
| February 6 February 7 |
Free and Open Source Developers' European Meeting | Brussels, Belgium |
| February 10 | Red Hat Cloud Computing Forum | Online, Online |
| February 11 February 13 |
Bay Area Haskell Hackathon | Mountain View, USA |
| February 15 February 18 |
ARES 2010 Conference | Krakow, Poland |
| February 17 February 25 |
PyCon 2010 | Atlanta, GA, USA |
| February 19 February 21 |
SCALE 8x - 2010 Southern California Linux Expo | Los Angeles, USA |
| February 19 February 20 |
GNUnify | Pune, India |
| February 20 February 21 |
FOSSTER '10 | Amritapuri, India |
If your event does not appear here, please tell us about it.
Event Reports
Review: Red Hat Virtual Experience 2009 (Montana Linux)
Scott Dowdle covers the Red Hat Virtual Experience. "Red Hat held the Red Hat Virtual Experience 2009 today and it was awesome. What was it? It was a completely online conference that offered everything you'd find at a traditional face-to-face show like the annual Red Hat Summit. I was hoping Red Hat would use this event to introduce / announce RHEV for Desktops but no such luck. I guess we'll have to continue to wait until January."
Miscellaneous
Potlatch/Openstreetmap going proprietary ? (Gnash)
The Gnash free Flash player site notes that Potlatch, the online editor from the OpenStreetMap project, will be going proprietary. "ActionScript 3 !? Wait, that means NO more access for free software users! What a pity, such an exemplar case of good open SWF practice (sources buildable with free software, binaries playable with free software) coming to an end."
Page editor: Forrest Cook