LWN.net Weekly Edition for February 4, 2010
Mozilla and CNNIC
Adding a new Certificate Authority (CA) to a browser's list of accepted CAs is typically a quiet affair; the browser team vets the CA based on their criteria and adds those who pass the test. For Mozilla, the criteria and vetting process are not private, but the process generally happens behind the scenes. Users find out that new CAs have been added by looking at the CA store after a browser upgrade, though it is likely a very rare user that actually looks. When Mozilla followed its policies and added the China Internet Network Information Center (CNNIC) CA, things took a very different path—a firestorm of protest resulted.
CAs are the issuing authority for Secure Sockets Layer (SSL) certificates that are used to authenticate encrypted HTTP (i.e. HTTPS) sessions. A CA that has been accepted into a browser's "root store" can then sign SSL certificates for domains, and those certificates will be accepted as valid by the browser. Nothing in the browser ties a root CA to particular domains: any CA in the store can sign a certificate for any name, and the browser will accept it without complaint. Much like self-signed certificates, SSL certificates that are signed by a CA that is not in the root store will cause the browser to emit scary security warnings.
As seen in the Mozilla bugzilla entry, Liu Yan of CNNIC requested addition to the root store in February 2009. Public discussion was opened on October 13. There were some technical concerns discussed, which CNNIC fixed, and the discussion closed on October 22. A bug was filed to actually get CNNIC's root certificate added to the root store (which is in the separate Network Security Services component). That bug was closed in mid-December once CNNIC verified that the proper certificate was added.
That is presumably how most new CAs get added: a somewhat bureaucratic process is followed, the certificate gets added, and everyone goes on their merry way. For CNNIC, though, things went a little differently. Among at least some people in the Chinese IT world, CNNIC has a terrible reputation. Starting on January 27, those people were not shy about giving their opinion of CNNIC, and of Mozilla's decision to include it, on the original bug report and in a thread in the mozilla.dev.security.policy group.
The main complaints seem to stem from the accusation that CNNIC has been involved in distributing malware/spyware that is used by the Chinese government to monitor its citizens. It is also alleged to be involved with China's "Great Firewall" that censors specific web sites when accessed from China. In addition, Liu asserted that CNNIC is "not a Chinese Government organization" as part of the application process, but various commenters dispute that.
There are some 60 comments on the bug, along with more than 100 messages in the thread, many of them very passionate and/or heated requests to remove CNNIC. It is perfectly understandable that Chinese people are concerned about the possibility of government action against them because of what they might say on the internet. But, it is not clear that adding CNNIC as a CA has any bearing on that. Certainly CNNIC (or any CA) could abuse its position and issue SSL certificates for domains that it shouldn't, but, if it does, the mis-issued certificate itself is clear evidence of wrongdoing, provided that someone on the receiving end notices it and keeps a copy.
In order for an SSL certificate to be accepted, it must be sent to the browser, so a forged certificate cannot be used against a victim without also being handed to that victim. Anyone visiting gmail.com, for example, and getting a certificate signed by anyone other than Thawte (the CA that signed Gmail's certificate) has proof of malfeasance, unless Google has simply moved to a different CA, which is why a changed issuer is something to check rather than assume. If CNNIC is abusing its position, it should be relatively easy to prove. As Mozilla's Johnathan Nightingale puts it:
To many of the commenters, though, the proof of CNNIC's involvement with malware is already abundant, and that, together with its "lies" about its governmental status, should be enough in their eyes to remove CNNIC as a CA in Mozilla browsers. But, being affiliated with a government is not a reason that Mozilla would reject a CA (there are several others already in the root store for Japan, Taiwan, and others). It also isn't clear that distributing malware, separate from its CA activities, would be enough to remove a CA from the root store.
Other CAs have misbehaved along the way. Verisign's poorly-named Site Finder scheme answered lookups for nonexistent .com and .net names with the address of its own server rather than the error response the DNS RFCs call for, and was roundly criticized for it. But that action was separate from its CA business and there were no calls to remove it from any browser's root store. While Site Finder is a relatively minor transgression compared to the accusations leveled against CNNIC, it is difficult to punish an organization in a particular realm except based on its behavior within that realm. Thus the calls for evidence of CA abuse.
It is quite possible that an outcry back in October, as part of the public comment period, might have slowed or stopped the inclusion of CNNIC. But, that didn't happen, CNNIC complied with the policy, and was added. So, the question now is "whether we should review" that decision, Nightingale said.
In order to do that, some evidence needs to be presented, he suggested:
If there's truth to the allegation, here, then it should be possible to produce a cert. It should be possible to produce a certificate, signed by CNNIC, which impersonates a site known to have some other issuer. A live MitM attack, a paypal cert issued by CNNIC for example.
Mozilla's Kathleen Wilson announced the creation of a draft policy for changing a root certificate that has been added to the root store. This would provide a means for handling just this kind of dispute. Eddy Nigg of Startcom, who is part of the team that reviews root inclusion requests, has specifically asked Wilson to start a review of CNNIC.
In the meantime, though, there are several technical measures that users can take to protect themselves. To start with, in "Edit -> Preferences -> Advanced -> Encryption" in Firefox, one can remove particular CAs from the root store. There are also two different Firefox addons that could help. Certificate Patrol permanently stores each SSL certificate that the browser encounters, and alerts the user when one changes. Perspectives instead uses "network notaries" that store certificates for particular hosts and can help users decide whether a self-signed or other certificate is valid.
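The logic behind those two add-ons is simple enough to show. What follows is an added example in Python, not the code of Certificate Patrol, Perspectives or Mozilla: a trust-on-first-use store that remembers the certificate each host presented and reports whether a later one is the same, a renewal from the same issuer, or a certificate from a different CA, plus a notary-style check that asks how many independent observers have seen the same certificate. The certificate bytes and notary records are constructed stand-ins for DER data; the issuer string is assumed to have been read from the certificate by the caller, as the browser would do.

```python
import hashlib


class CertPatrol:
    """Trust-on-first-use record of the certificate each host has presented.

    Added illustration, not the Certificate Patrol add-on's code. The caller
    passes the DER-encoded certificate it just received and the issuer name
    it read from that certificate; the store remembers what it saw the first
    time and reports any later difference instead of silently accepting it.
    """

    def __init__(self):
        self._seen = {}  # host -> (sha256 fingerprint of the DER, issuer)

    @staticmethod
    def fingerprint(der):
        return hashlib.sha256(der).hexdigest()

    def check(self, host, der, issuer):
        """Classify a certificate presented by host.

        Returns "first-seen" (stored, nothing to compare against), "unchanged",
        "renewed" (new certificate, same issuer: the normal renewal case) or
        "issuer-changed" (new certificate from a different CA, the kind of
        evidence the article says a mis-issuing CA would leave behind).
        The stored record is replaced only on first sight or via accept().
        """
        fp = self.fingerprint(der)
        prev = self._seen.get(host)
        if prev is None:
            self._seen[host] = (fp, issuer)
            return "first-seen"
        prev_fp, prev_issuer = prev
        if prev_fp == fp:
            return "unchanged"
        return "renewed" if prev_issuer == issuer else "issuer-changed"

    def accept(self, host, der, issuer):
        """Record a changed certificate once the user has judged it legitimate."""
        self._seen[host] = (self.fingerprint(der), issuer)


def notary_agreement(der, notary_fingerprints):
    """Perspectives-style check: the fraction of network notaries that recorded
    the same certificate for this host. Notaries see the server from many
    vantage points, so a certificate none of them has seen is one being shown
    only on our path to the server, which is what a MitM looks like."""
    if not notary_fingerprints:
        return 0.0
    fp = CertPatrol.fingerprint(der)
    return sum(1 for seen in notary_fingerprints if seen == fp) / len(notary_fingerprints)


# Constructed stand-ins for DER certificate bytes; real input would be the
# certificate handed to the browser during the TLS handshake.
CERT_A = b"constructed-der: CN=www.gmail.com, issued by Thawte, serial 1"
CERT_B = b"constructed-der: CN=www.gmail.com, issued by Thawte, serial 2"
CERT_C = b"constructed-der: CN=www.gmail.com, issued by Some Other CA"


def demo():
    """Walk one host through first sight, renewal and an issuer change."""
    patrol = CertPatrol()
    verdicts = [
        patrol.check("gmail.com", CERT_A, "Thawte"),    # first-seen
        patrol.check("gmail.com", CERT_A, "Thawte"),    # unchanged
        patrol.check("gmail.com", CERT_B, "Thawte"),    # renewed
        patrol.check("gmail.com", CERT_C, "Other CA"),  # issuer-changed
    ]
    # Constructed notary records: two of three saw CERT_A, none saw CERT_C.
    notaries = [CertPatrol.fingerprint(CERT_A)] * 2 + [CertPatrol.fingerprint(CERT_B)]
    agreement = (notary_agreement(CERT_A, notaries), notary_agreement(CERT_C, notaries))
    return verdicts, agreement


if __name__ == "__main__":
    print(demo())
```

Neither check needs the CA at all: the store compares certificates, not signatures, so a certificate that is perfectly valid under some root in the store still trips the alarm when it differs from what the host showed before or from what the rest of the network sees. That is what makes the approach useful against a misbehaving CA rather than merely an unknown one.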
It is instructive to take a look at the long list of CAs that are installed with Firefox. Many are for high-profile companies, but there are quite a few for seemingly obscure organizations. There are certainly enough different CAs that a government—or criminal organization—that wished to apply some pressure could get its hands on a forged SSL certificate. In truth, the pressure only need be applied to an employee who has access to the signing key. That risk exists whether or not CNNIC, or any other particular CA, is on the list.
It is certainly unfortunate that the accusations against CNNIC only surfaced after the inclusion process had already been completed. Depending on what evidence is compiled, Mozilla is likely to have a difficult decision to make. But the controversy, along with other recent security concerns that may involve the Chinese government, is likely to further raise the profile of internet censorship. It is something that many governments like to condemn on one hand and implement with the other—the only defense against it is keeping it in the public eye.
HTML5 video element codec debate reignited
On January 20, YouTube publicly unveiled a video player that allows site visitors to watch videos embedded directly into each page as HTML 5 video elements, replacing the plugin-based Flash player — and second-tier video sharing site Vimeo quickly followed suit. But both sites serve up HTML 5 video files only in the patented and royalty-collecting H.264 format. By sheer coincidence, the announcement neatly overlapped with the release of Firefox 3.6, and was followed days later with Apple's press event showcasing its iPad gadget, which lack H.264 and Flash support, respectively. What followed was a furious multi-way debate all about Flash, licensing, web video, and H.264 versus Ogg Theora. For the open source community, there is nothing to celebrate yet, but the high profile of the argument has opened the door for discussion of the real underlying issue: patented web standards.
Rewind
The root of the entire controversy is HTML 5's video element, which allows a web developer to include video content in a web page in any file format, obviating the need to wrap such content in a Flash player useful only because of the Flash plugin's ubiquity. But it is up to the browser to include support for the formats it chooses in its built-in video player. The HTML 5 standard does not mandate that support be included for any particular format in order to qualify as compliant, however, so a public war is underway between format proponents for de-facto dominance.
On one side is the ISO Moving Picture Experts Group (MPEG), pushing for adoption of its H.264 format. The H.264 codec is part of the broader MPEG-4 family, is patented, and all parties wishing to include support for it are required to pay licensing fees to the patent holders through a consortium called the MPEG-LA — the licensing requirement applies to encoders and decoders, hardware and software, and includes both original manufacturers and downstream redistributors.
Many on the other side are supporters of the free Theora format, which requires no royalties to implement in hardware or in software, thanks to irrevocable free licenses on the original patents granted by its original creator. The reference encoder and decoder are developed by Xiph.org and are available under a BSD-style license.
Theora proponents emphasize the need for HTML 5 to include a free-to-implement format, insulating the next decade of web development from the nightmare caused by the GIF patent enforcement debacle. H.264 supporters claim that Theora's quality-per-bitrate performance is behind H.264's, and that some unknown third-party might hold secret patents on one or more techniques used in Theora, and subsequently sue implementers for patent infringement if the format is made part of the standard (the so-called "submarine" patent threat).
The major web browsers are divided on format support. Apple's Safari ships with H.264 support only, Google's Chrome supports both H.264 and Theora, Firefox and Opera support only Theora. Microsoft's Internet Explorer does not support HTML 5 video at all. Confusing the mix slightly is the fact that both Safari and Chrome implement H.264 playback because their parent companies pay licensing fees to MPEG-LA; consequently the open source browser projects WebKit and Chromium do not support H.264, because the license fees paid do not cover these downstream derivatives.
Players
That, then, was the situation when YouTube and Vimeo announced their H.264 HTML 5 video player support. What should have been a red-letter day for open web standards instead resulted in complaints to Mozilla from users (and pundits) that Firefox 3.6 "did not support HTML 5." In fact, Firefox has supported HTML 5 video since version 3.5, but it does not include an H.264 decoder.
Video expert Silvia Pfeiffer traced the problem back to numbers. According to Statcounter's market share statistics, Firefox accounts for 22.57% of the browsers in the world, with Chrome and Safari totaling 8.53%. Thus, of all the HTML 5-capable browsers in the field, Firefox makes up nearly 73% — and that 73% could not watch any of the YouTube or Vimeo video. It should be no surprise, then, that some of those users complained.
Mozilla's Christopher Blizzard responded to the news with a detailed analysis of the H.264 ownership and patent problem. The situation is precisely the same as the GIF disaster of a decade earlier, and as the MP3 situation from the early 2000's — but with considerably higher stakes. H.264 is patented, pure and simple, and the patent owners charge royalties today and will continue to do so until their patents expire. If H.264 becomes a de facto standard, the patent owners will have the freedom to hike the price of licenses, and they will no doubt do so.
Blizzard goes on to examine the terms of H.264 licensing and its effects on corporate and independent producers of web content. To include an H.264 decoder in Firefox, Mozilla would have to pay a license fee (perhaps $5 million per year), but such a move would also undermine Mozilla's founding principles of supporting and promoting free formats and standards.
Flash, we hardly knew ye
The other big news from the last week of January was Apple's iPad launch party. The iPad, like its diminutive siblings the iPhone and iPod Touch, uses a Safari-based web browser, and includes Apple's licensed H.264 decoder for HTML 5 video. But also like the smaller devices, the iPad does not include Flash support.
Coming from Apple, that decision was hailed by some in the media as a death knell for Flash. Once the preferred format for incorporating animation and interactive page elements into web content, in recent years its usage has shrunk to the point where it is used almost exclusively as a platform to deliver online video (and for irritating advertising, of course, although strictly speaking that would not be considered "content" by most).
No one seems to lament the possibility of Flash's demise. Apple has suggested that Flash is the cause of most of the Safari crashes reported through its OS X Crash Reporter utility. Mozilla said in October of 2009 that third-party plugins cause at least 30% of all Firefox crashes, a statistic supported by the popularity of Flash-blocking add-ons.
At a town hall meeting last week, Apple's Steve Jobs even went so far as to call Flash too buggy for use, declaring HTML 5 the way of the future.
What's a site owner to do?
Flash may indeed have no fans remaining outside of Adobe, a fact that magnifies the importance of the HTML 5 video codec battle. The plugin has survived as long as it has for one reason alone: its availability on almost every browser on almost every operating system. Long after AJAX became popular for interactive content functionality, a web developer could implement video playback in a Flash element and feel secure that it would work on virtually every browser that would encounter it.
The same cannot be said of HTML 5 video, and certainly not of HTML 5 video with H.264 content. If Theora becomes the dominant format (or officially sanctioned in the HTML 5 specification), it will be possible again, but that is simply not true of H.264. Both encoders and decoders require licensing; a fact often overlooked in the debate about browser support, but one which Blizzard addresses in his blog entry. Anyone can set up a site delivering CSS, HTML, and even Theora using free, legal tools, and without asking or signing for permission; H.264 would change that.
The only question is whether or not the web development community will recognize that and rally behind Theora or another free alternative. The H.264 patent owners' attacks on Theora are not substantive; the quality comparison is highly subjective (and, in fact, comparing video encoding quality is inherently subjective), and as Xiph.org points out, submarine patents are an equal threat to free and non-free codecs alike. The original patents on Theora technology are known and licensed freely; if a patent owner possessed sufficient evidence to kneecap Theora with an infringement lawsuit regarding other patents, it surely would have happened already.
Moreover, the HTML 5 video element includes support for multiple source files, so content providers can offer each video in multiple formats; the fight is only the H.264 patent holders trying to prevent a rival format from being blessed as part of the standard. Those patent holders would take the same tactics with any other video format.
Some critics have suggested that another free video codec is needed, and Theora is certainly not the only option. Sun has been developing its own patent-avoiding video codec through the Open Media Commons project for several years, although the project is rather quiet. Blizzard suggests that Google may have a video patent play of its own in mind with its recent attempts to acquire On2, the company that developed the VP3 codec from which Theora descended. Dan Glidden, formerly of the Open Media Commons project, is a proponent of the MPEG-RF movement to change MPEG policy to establish a royalty-free option as a "baseline" codec for MPEG-4.
The debate is far from over. YouTube and Vimeo may have changed one aspect of it, however — unlike in years past when the fight took place almost entirely within World Wide Web Consortium working groups, this time it is being fought in public. Consequently, more people are getting a look at what HTML 5 video is in practice, and can better understand the difference between the HTML element and video format delivered, which can only be a good thing.
In the meantime, small web developers who want to serve up HTML 5 video content still have choices. The simplest option is to include multiple video source files, but a better alternative is to use the Cortado applet from Xiph.org, a streaming media Java applet that decodes Theora. It is open source, works transparently on any platform that includes Java support, and does not require encoding multiple source files, so a site need not spread yet more H.264 content in the process. But no one should hold their breath waiting for YouTube to implement it, of course.
Samba with Active Directory: getting closer
From one point of view, Samba is open source high drama at its finest: an early adopter of version 3 of the GNU General Public License, and the recipient of an unprecedented release of formerly proprietary Microsoft documentation, thanks to a high-profile anti-trust case. Meanwhile, though, it's the low-profile software that implements the Server Message Block (SMB) file-sharing protocol, sometimes known as CIFS. Samba powers every inexpensive NAS device in the computer store—without even a mention on the box—and comes with all the common Linux distributions and with Apple's Mac OS X Server. Today, as Samba comes closer to implementing a key Microsoft directory protocol, the two aspects are being forced together.
Samba creator Andrew Tridgell, better known as Tridge, posted to his blog, "There has been a lot of progress recently in the development of the directory server capabilities of Samba4." In a half-hour screencast video, he demonstrated a development version of Samba acting as a Microsoft Active Directory domain controller in a mixed environment. "We are making very rapid progress now", he added.
Active Directory (AD) is a central repository for all the administrative information that a modern Microsoft Windows site needs. Besides user names and passwords, AD functions as a DNS server, stores network configuration policy such as firewall rules, and acts as a back-end for applications' configuration. Microsoft Exchange, for example, is completely dependent on it.
AD is made up of "domains" which are data structures that contain groups of objects, which might represent everything from an individual printer to the entire company sales force. Domains can then be collected up into "forests". A company might have many AD domains within its forest, and everything in the forest can be managed by the same administrators. Because AD is such a critical service, Windows sites typically install multiple AD servers, which replicate their data using a formerly secret protocol.
The Samba team received Active Directory documentation, including the server-to-server protocol, as part of an agreement made in response to a European Commission antitrust case in 2007. The documents have helped the project, Tridge said:
The documentation project was a huge project from the Microsoft side. Tridge described it this way:
In the video, Tridge demonstrates provisioning an Active Directory domain on a Samba server, running a development version of Samba from shortly before Samba 4 alpha 11. Once the Samba server is running, he then starts a copy of Microsoft Windows Server 2008R2 Standard as a guest under VirtualBox, and runs the Windows "dcpromo" command to have it join the domain as a domain controller.
A few clicks and entries in the "Active Directory Domain Services Installation Wizard" later, the Windows box is ready to reboot and come up as part of the domain originally created on Samba. It takes about 30 seconds to synchronize key information for the newly-created domain. This step might take hours on a larger, longer-running domain.
Samba 4 has a few limitations, compared to a Windows AD server. There is only one domain per forest, and only one site per domain, but Tridge says that removing those limitations is a near-future priority. Windows administrators, like sysadmins everywhere, fall all over the "lumpers" vs. "splitters" spectrum, and anyone but extreme lumpers with simple configurations will need the ability to define separate domains, for departments and roles, and separate sites, for physical locations.
The remaining manual step is to add the Windows domain controller to the DNS zonefile on the DNS server. Microsoft's Active Directory handles DNS duties itself, while Samba relies on the system nameserver. A change to a Samba AD domain requires a corresponding change to a zonefile on the nameserver. "What we don't yet support in Samba 4 is the ability to create arbitrary DNS names within a Bind9 server using Kerberos authenticated DNS requests," he said. "Microsoft stores DNS within Active Directory. We can't join a Windows domain controller as a new DNS server, so have to rely on the Unix machines to provide DNS," he added.

After recording the screencast, Tridge did write a script to automate the needed zonefile changes, he said.
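To give a sense of what that zonefile step involves, here is an added illustration in Python; it is not Tridge's script and not Samba's provisioning code. The record names are the standard DC-locator names that a Windows domain controller registers for itself (the SRV records under _tcp, _udp, _sites and _msdcs, plus the CNAME for the DC's DSA GUID that replication partners use). The domain, hostname, address and GUID in `demo()` are constructed, and `missing_locator_names` is a hypothetical helper for checking a hand-edited zone before pointing a Windows box at it.

```python
# Services every domain controller advertises with SRV records, and the
# port each one listens on. These AD ports, not the SMB ports 139 and
# 445, are the ones the directory side of Samba has to own.
DC_SERVICES = (
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
)
# Only these two also get per-site copies under <site>._sites.
SITE_AWARE = {"_ldap._tcp", "_kerberos._tcp"}


def srv(name, port, target, priority=0, weight=100):
    """One SRV record in BIND syntax, absolute names with trailing dots."""
    return f"{name}. IN SRV {priority} {weight} {port} {target}."


def dc_records(domain, host, address, dsa_guid,
               site="Default-First-Site-Name", pdc=False, gc=True):
    """Return the zonefile lines that register one DC in an AD DNS domain.

    dsa_guid is the objectGUID of the DC's NTDS Settings object: replication
    partners look each other up as <guid>._msdcs.<domain>, so a missing
    CNAME here breaks replication even when the host name itself resolves.
    """
    fqdn = f"{host}.{domain}"
    recs = [
        f"{fqdn}. IN A {address}",
        f"{domain}. IN A {address}",  # the domain name itself resolves to every DC
        f"{dsa_guid}._msdcs.{domain}. IN CNAME {fqdn}.",
    ]
    for service, port in DC_SERVICES:
        recs.append(srv(f"{service}.{domain}", port, fqdn))
        if service in SITE_AWARE:
            recs.append(srv(f"{service}.{site}._sites.{domain}", port, fqdn))
    # dc._msdcs: what a client asks for when it specifically wants a DC
    for service, port in (("_ldap._tcp", 389), ("_kerberos._tcp", 88)):
        recs.append(srv(f"{service}.dc._msdcs.{domain}", port, fqdn))
        recs.append(srv(f"{service}.{site}._sites.dc._msdcs.{domain}", port, fqdn))
    if pdc:  # only the holder of the PDC emulator role
        recs.append(srv(f"_ldap._tcp.pdc._msdcs.{domain}", 389, fqdn))
    if gc:   # global catalog servers additionally answer LDAP on 3268
        recs.append(f"gc._msdcs.{domain}. IN A {address}")
        recs.append(srv(f"_gc._tcp.{domain}", 3268, fqdn))
        recs.append(srv(f"_gc._tcp.{site}._sites.{domain}", 3268, fqdn))
        recs.append(srv(f"_ldap._tcp.gc._msdcs.{domain}", 3268, fqdn))
        recs.append(srv(f"_ldap._tcp.{site}._sites.gc._msdcs.{domain}", 3268, fqdn))
    return recs


def missing_locator_names(zone_lines, domain):
    """Locator names a joining client needs that the zone does not define.

    Hypothetical check for a hand-edited zone: a DC whose SRV records are
    absent is invisible to dcpromo and to Kerberos clients alike, and a
    client that finds no KDC cannot authenticate at all.
    """
    required = {
        f"_ldap._tcp.{domain}.",
        f"_kerberos._tcp.{domain}.",
        f"_kpasswd._tcp.{domain}.",
        f"_ldap._tcp.dc._msdcs.{domain}.",
        f"_kerberos._tcp.dc._msdcs.{domain}.",
    }
    defined = {line.split()[0] for line in zone_lines
               if line.strip() and not line.startswith(";")}
    return required - defined


def demo():
    """Constructed example: register dc1 (PDC emulator) in ad.example.com."""
    recs = dc_records("ad.example.com", "dc1", "192.0.2.10",
                      "5e7c9b0a-constructed-guid", pdc=True)
    return recs, missing_locator_names(recs, "ad.example.com")


if __name__ == "__main__":
    recs, missing = demo()
    print("\n".join(recs))
    print("missing:", missing or "none")
```

Every one of these names is also a place an attacker who controls the zone can point clients at a rogue KDC or LDAP server, which is the security reason Microsoft insists on authenticated dynamic updates and why Tridge calls out Kerberos-authenticated DNS as the missing piece: until Samba can do those updates itself, the zone is only as trustworthy as whoever can edit the file.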
Tridge's screencast shows the Windows box successfully syncing with the Samba server, and a user added on the Windows side shows up quickly in a search of the Samba server. Samba 4 is also able to join an existing AD domain. A tool called "vampire" is the Samba-side equivalent of the "dcpromo" command on Windows. Tridge demonstrated using it to add a second Samba server to the domain, ending up with a domain with two Samba servers and one Windows server. This ability means that an administrator could soon add a Samba appliance to an existing AD network, reducing the number of actual Windows servers needed.
Integration and the "Franky" concept
Samba 4 is an ambitious rewrite, which has been in progress since 2003. Meanwhile, Samba 3 has been through many releases with incremental improvements, and currently works well as a member, but not a domain controller, of an Active Directory domain. Samba 3 is "closer and closer to Windows compatibility in timestamps and Windows ACLs. It's harder and harder to tell us from a Windows box," Samba team member Jeremy Allison said. Thanks to extensive usage and bug reports, Samba 3 has gained the ability to handle real-world client quirks, while Samba 4 has focused on the big AD problem but not faced the day-to-day beatings of production use.

Tridge said that in addition to remaining AD work, "we also need to find out exactly how we will achieve our stated goal of re-integrating the great file sharing and printing work that has been done in the Samba3 branch with all of the work on Active Directory server support in Samba4."
Samba developers have been discussing ideas for combining the new functionality in Samba 4 with the existing Samba 3 code. One design for a combined project, called "Franky," short for "Frankenstein," would run Samba 3, listening on the SMB ports (139 and 445), along with Samba 4 listening on the ports required for AD support. Another alternative would be to run Samba3, but pass through AD-related requests to Samba4. "Obviously this will require quite a lot of merge work, but we believe this may be possible to achieve in 2010", Jeremy said on the Samba team blog.
Tridge said:
"I'm expecting a fairly heated discussion at SambaXP this year," said John Terpstra, Samba team member and chief software architect of ClearCenter, which produces a web-administered distribution for small and medium businesses. The SambaXP conference is scheduled for May 3rd - 7th, 2010 in Göttingen, Germany.
Licensing and downstream
Samba with Active Directory is still not on downstream roadmaps. Simo Sorce, Principal Software Engineer at Red Hat, who maintains Samba packages for Fedora, said that project is looking at including Samba 3.5.0 in Fedora 13, if it's ready in time. But AD is still in the future. For future releases, "We will wait until the solution is stable enough that upgrades won't mean your server has a good chance of breaking," he said.

ClearCenter's ClearOS combines network gateway with VPN, web and mail filtering, Samba file server, Kolab groupware, and web-based administration tools into a package designed for resellers to deploy at small businesses and branch offices. Samba is a key part of the company's product, which competes with Microsoft Small Business Server but with a monthly subscription bill instead of an up-front license price. ClearOS is based on CentOS, a rebuild of Red Hat Enterprise Linux, but includes Samba 3.4 in place of CentOS's 3.0 package. "ClearOS 6 is going to ship pretty quickly after Samba 4 ships," John said.
Samba adopted version 3 of the GPL in 2007. One effect of the new license was to prohibit downstream Samba resellers from entering into new patent license agreements covering Samba, like the controversial Novell-Microsoft patent deal of 2006. Samba's license change doesn't affect Novell, whose contract predates the GPLv3 cutoff date, but according to the Samba web site, "Patent covenant deals done after 28 March 2007 are explicitly incompatible with the license if they are 'discriminatory' under section 11 of the GPLv3."

No GPLv2 fork has emerged, and, Jeremy says, the license change "has essentially been a complete non-issue". Downstream vendors ship Samba on everything from tiny NAS devices that connect to a USB drive, up to IBM's Scale Out File Services, which runs clustered Samba on top of IBM's proprietary General Parallel File System (GPFS). "What Samba does is it turns the CIFS server into a commodity, allowing people to compete on back-end scaled clustered filesystems," Jeremy said.

All of the Samba code is under individual copyrights, without assignment. "It's completely impossible to be bought out," Jeremy said. "No one can get any advantage over anyone else in the Samba code."
As part of the agreement with Microsoft, the company must disclose any of its patents that it believes are necessary to implement its protocols, and it has not added any to its list since reaching the agreement. Microsoft has been "very cautious about breaking compatibility," Jeremy said. "With Windows 7, Microsoft made sure that it would work with a Samba 3 domain controller."

Microsoft ended support for Windows NT 4, the last of its OS products to implement the old NT Directory Services system, at the end of 2004, and Windows 7 does not work with an NT4 domain controller, he added.
Help wanted
As you might expect, the Samba team is looking for help. Tridge invites new contributors: "Join the #samba-technical IRC channel (on the FreeNode network, irc.freenode.net), join the samba-technical mailing list, and get involved with the development process. Point out what the priorities are for Samba4 before you would consider deploying it, and help us to prioritize our development to meet your needs."

Jeremy asks would-be redistributors and SMB appliance vendors to work on functionality they anticipate needing. "If you're planning on a product within the next 18 months, the earlier you get involved the more chance you get to steer it to do the things you need to do," he said. "If you need Samba to interface with a particular filesystem, give us a VFS module that will let us do that," Jeremy said. Contributions to Samba itself have to be licensed under the GPLv3, but the team does want to be able to run Samba on the user's choice of clustered filesystem.

Then, as Jeremy posted, "Once we have a merged code-base, we'll declare victory, ship Samba4 and have the biggest darn release party since Duke Nukem Forever shipped and revolutionized computer gaming ! :-)." Samba 3 has served well as an essential file server, and Samba 4 has broken new ground in Microsoft protocol discovery, but eventually, one way or another, there will be one Samba again.
Gathering web site statistics with Piwik
Many sites these days depend on Google Analytics to measure traffic, but there's something to be said for keeping control of one's data. Piwik bills itself as an open source alternative to Google Analytics, but does it actually measure up? Piwik isn't quite a full-on replacement for Google Analytics, but it's mature and complete enough for many users.
Piwik is the successor to phpMyVisites. It lacks a few features that were in phpMyVisites, such as PDF export and mail reports, but also adds a plugin architecture, better API, cleaner user interface, and better performance/scalability.
We looked at the current stable release, Piwik 0.5.4. Piwik is very simple to set up for anyone used to installing Web applications. It requires MySQL 4.1 or later, PHP 5.1.3 or later, the pdo and pdo_mysql PHP extensions, and the PHP GD extension to get the "sparkline" graphs in Piwik. Part of the install process is a system check that shows the system requirements and what, if anything, is missing. On the test server running WordPress, the GD extension was the only bit that wasn't already present. Assuming the requirements are met, it's a simple process of navigating to the URL where Piwik is installed, filling in a few bits of info, and clicking "next" a few times. In all, it shouldn't take more than five to 10 minutes to install.
The slightly harder piece is integrating Piwik to the site. It depends on a piece of JavaScript code to run on each page that will be counted. Some popular blogging software and content management systems have plugins to work with Piwik, so it's not necessary to insert the code into site templates manually. We used the Piwik Analytics plugin to integrate it with WordPress. Once Piwik is installed and configured, results are visible almost immediately.
Because Piwik depends on JavaScript to track visitors, it will miss at least some percentage of traffic, depending on how many users hit the site with JavaScript turned off. It won't track visitors who get site information via RSS/Atom feeds, and will also miss some file downloads as well. Piwik tracks clicks on certain URLs that end with recognized filetypes but if someone clicks a link to, say, a PDF hosted on the site without visiting a page with the Piwik tracking script, that will be missed.
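The hits a page-side tracker misses are still in the web server's own access log. The following is an added example, not part of the Piwik project, of pulling those out: it parses "combined"-format log lines and counts the feed fetches and file downloads that never executed any JavaScript. The log lines in `SAMPLE_LOG` are constructed, and the lists of download suffixes and feed paths are assumptions that a real site would tailor to its own URL layout.

```python
import re
from collections import Counter

# Apache/nginx "combined" log line; only the leading fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# File types a visitor can fetch without ever loading a tracked page
# (assumed list; adjust to what the site actually serves).
DOWNLOAD_TYPES = (".pdf", ".zip", ".tar.gz", ".ogv")
# Feed readers fetch these directly and never run the tracking script.
FEED_SUFFIXES = ("/feed", "/feed/", "/atom.xml", "/rss.xml")


def classify(path):
    """Return "feed", "download" or "page" for a request path (query ignored)."""
    p = path.split("?", 1)[0].lower()
    if p.endswith(FEED_SUFFIXES):
        return "feed"
    if p.endswith(DOWNLOAD_TYPES):
        return "download"
    return "page"


def untracked_hits(lines):
    """Count feed fetches and downloads per path from raw access-log lines.

    Only complete GET responses count: status 200 for a download, and 200 or
    304 for a feed, since a reader that polls and gets "not modified" still
    fetched the feed. 206 (partial content) is deliberately skipped so that
    one large download served in ranges is not counted many times, and
    unparseable lines are ignored rather than trusted.
    """
    counts = {"feed": Counter(), "download": Counter()}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        path = m.group("path").split("?", 1)[0]
        kind = classify(path)
        status = m.group("status")
        if (kind == "download" and status == "200") or \
           (kind == "feed" and status in ("200", "304")):
            counts[kind][path] += 1
    return counts


# Constructed log lines: a page view, a download clicked from that page,
# a feed reader polling twice, a ranged download, a 404 and a junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Feb/2010:10:00:01 +0000] "GET /2010/02/post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Feb/2010:10:00:03 +0000] "GET /files/slides.pdf HTTP/1.1" 200 512000 "http://example.org/2010/02/post/" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Feb/2010:10:05:00 +0000] "GET /feed/ HTTP/1.1" 200 24001 "-" "FeedReader/1.0"',
    '198.51.100.7 - - [04/Feb/2010:11:05:00 +0000] "GET /feed/ HTTP/1.1" 304 0 "-" "FeedReader/1.0"',
    '192.0.2.44 - - [04/Feb/2010:11:30:12 +0000] "GET /files/slides.pdf HTTP/1.1" 206 65536 "-" "wget/1.12"',
    '192.0.2.44 - - [04/Feb/2010:11:31:00 +0000] "GET /files/missing.zip HTTP/1.1" 404 231 "-" "wget/1.12"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for kind, per_path in untracked_hits(SAMPLE_LOG).items():
        for path, n in per_path.most_common():
            print(f"{kind:8s} {n:4d} {path}")
```

The server log is also the only place a site operator can see what the tracker's own blind spots cost them; comparing the two counts for a download link that is also tracked in Piwik gives a rough measure of how many visitors arrive with JavaScript off or blocked.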
![Piwik dashboard](https://static.lwn.net/images/2010/PiwikDashboard-sm.png)
The Piwik interface is easy to use and provides quite a bit of flexibility. Users can customize the main dashboard by adding an assortment of widgets that track visitor actions (like what links are clicked), referrers, or visitor settings (resolution, browser, etc.). The widgets themselves can display data as bar charts, sparklines, pie charts, or just raw numbers. Data can also be exported from each widget as an image of the graph, CSV, JSON, and PHP.
Some users don't like Google Analytics because of the site's dependence on Flash. The good news is that Piwik requires far less use of Flash than Google Analytics, and many of the widgets have table displays that don't require it at all. But if you want the pretty graphs, Flash is required.
![Piwik countries](https://static.lwn.net/images/2010/PiwikCountry-sm.png)
While Piwik has the advantage of putting web site owners in control of their own data, it has the disadvantage of putting additional load on the server. For low traffic sites, this probably won't be an issue. The test system we tried Piwik on had no problems with the additional load from Piwik, but the site typically had less than 1,000 page views per day (at least according to Piwik). Note that it's not necessary to run Piwik on the same server as the tracked sites.
Comparing Piwik directly to Google Analytics is sort of apples to oranges. Both tools give a good sense of traffic on a web site, and tend to mostly agree on traffic numbers, though, as a rule, Google seems to track fewer visits than Piwik by about six or seven percent. By default, Piwik doesn't (yet) have an option to discard visits from the admin users, but the WordPress plugin does provide this option — so it's not clear what traffic Google is missing or discounting that Piwik does count. Both trackers show visitor breakdowns by browser, region, operating system, resolution, and more.
![Piwik visitors](https://static.lwn.net/images/2010/PiwikVisitors-sm.png)
Though Piwik provides webmasters with control of their own data, visitors might be uneasy if they were aware how much data Piwik harvests about them. The visitor log report displays the visitor's IP address, keyword used to find the site, date and time visiting, the URL referring them to the site, duration of the visit, operating system, browser, screen resolution, and browser plugins detected.
Piwik does a respectable job identifying keywords that lead visitors to a site, the pages that are most popular, returning visitors, time spent on site, and so forth. For amateur Webmasters who just want to see how their site performs, Piwik gives all the tools that one might want. Depending on how demanding the business needs are, Piwik should be suitable for Webmasters who need a general sense of site traffic and performance. For users who specifically need to focus on site performance as a major business goal, Piwik might not be enough.
![Analytics state detail](https://static.lwn.net/images/2010/AnalyticsStateDetail-sm.png)
Hands down, Google does a much better job of showing geographic data than Piwik. Users who are curious as to the exact location of their traffic will want to use Google Analytics. It's possible to drill down all the way to the city level in some cases. Piwik, by contrast, shows visitors by country and provider, and that's about it. Users who want to know whether traffic is coming from Nuremberg or Frankfurt, or Los Angeles or New York, need to use Google Analytics, try out one of the third party plugins that requires a fair amount of configuration, or write their own.
A full list of plugins is available on the Piwik Developer Zone page, though the list is simply a Trac search. One might find some interesting plugins, but it will take some digging.
Google Analytics also has more features for Webmasters trying to improve site traffic and compete with other sites. For instance, if one chooses to opt in to data sharing, Google will compare a site's traffic with aggregate data from other sites that share their data. Of course, Google already has the data, but this feature requires an extra step to allow it to be aggregated. This allows a Webmaster to track site performance against all aggregate traffic, or specific industry verticals. For example, it was possible to compare the test site traffic against other open source sites that are tracked by Google Analytics.
While Google may have features that Piwik doesn't (and vice-versa), Google Analytics is less friendly to the do-it-yourself approach. Piwik features a plugin architecture that allows developers to create their own features. Most of Piwik's features are enabled via plugins. The Plugin interface could do a better job of allowing users to get more information. Each plugin is listed with a short description, version number, and links to activate or deactivate the plugin, but in most cases there is no link to further information about it. The "Live Visitors!" plugin, for example, is particularly unhelpful with only "Live Visitors!" as a description.
The Piwik roadmap indicates that 1.0 should be released sometime in 2010. Features planned for 1.0 include the ability to anonymize IPs stored in the Piwik database, export widgets to display limited data rather than all Website data, improve performance and scaling for Piwik, and better documentation.
But what won't be in Piwik is just as telling. The roadmap warns that the Piwik team doesn't plan to provide "advanced web analytics features found in other commercial products: custom report generator, custom segments and real time segmentation, funnel analysis, advanced ecommerce reporting, etc." Instead, the team suggests that these could be added as plugins, and that the goal of Piwik is to create an "open web analytics framework" that could be used to implement these features if the community desires.
To get the most complete picture possible, it's probably a good idea to combine Piwik with a package like AWstats that will analyze Apache logs. If data privacy and using an open tool isn't a concern, Google Analytics might be a better choice for now, because it does offer a wider selection of features. But users seeking an open source solution, and those who don't want to turn data over to Google or another third party, should look seriously at Piwik. There's no conflict in setting up each of the tools to run concurrently on a site, and having all of the packages at one's fingertips provides all the information any Webmaster could want.
Security
Security in the 20-teens
Recently, Google announced that its operations in China (and beyond) had been subject to sophisticated attacks, some of which were successful; a number of other companies have been attacked as well. The source of these attacks may never be proved, but it is widely assumed that they were carried out by government agencies. There are also allegations that the East Anglia email leak was a government-sponsored operation. While at LCA, your editor talked with a developer who has recently found himself at Google; according to this developer, incidents like these demonstrate that the security game has changed in significant ways, with implications that the community can ignore only at its peril.
Whenever one talks about security, one must do so in the context of a specific threat model: what are we trying to defend ourselves against? Different threat models lead to very different conclusions. For years, one of the most pressing threats has been script kiddies and others using well-known vulnerabilities to break into systems; initially these breakins were mostly for fun, but, over time, these attackers have increasingly had commercial motivations. In response, Linux distributors have created reasonably secure-by-default installations and effective mechanisms for the distribution of updates. As a result, we are, by default, quite well defended against this class of attack when carried out remotely, and moderately well defended against canned local attacks.
Attackers with more determination and focus are harder to defend against; somebody who intends to break into a specific system in pursuit of a well-defined goal has a better chance of success. Chances are, only the most hardened of systems can stand up against focused attackers with local access. When these attackers are at the far end of a network connection, we still stand a reasonable chance of keeping them out.
Often, those concerned with security simply throw up their hands when confronted with the problem of defending a system against an attacker who is working with the resources available to national governments. Most of us assume that we'll not be confronted with such an attack, and that there's little that we could do about one if we were. When governmental attackers can obtain physical access, there probably is little to be done, but remote (foreign) governmental attackers may not be able to gain that sort of access.
What the attacks on Google (and others) tell us is that we've now entered an era where we need to be concerned about attacks from national governments. Probably we have been in such an epoch for a while now, but the situation has become increasingly clear. Thinking about the implications would make some sense.
A look at updates from distributors shows that we still have a steady stream of vulnerabilities in image processing libraries, PDF viewers, Flash players, and more. Some of these problems (yet another PNG buffer overflow, say) appear to have a relatively low priority, but they shouldn't. Media-based attacks can only become more common over time; it's easy to get a victim to look at a file or go to a specific web page. Properly targeted phishing (easily done by a national government) may be the method of choice for compromising specific systems for some time to come. Browsers, file viewers, and media players will play an unfortunate role in the compromise of many systems.
What may be even more worrisome, though, is the threat of back doors, trojan horses, or (perhaps most likely) subtle vulnerabilities inserted into our software development and distribution channels. This could happen at just about any stage in the chain.
On the development side, we like to think that code review would find deliberately coded security weaknesses. But consider this: kernel code tends to be reviewed more heavily than code in many other widely-used programs, and core kernel code gets more review than driver code. But none of that was able to prevent the vmsplice() vulnerability - caused by a beginner-level programming error - from getting into the mainline kernel. Many more subtle bugs are merged in every development cycle. We can't ever catch them all; what are our chances against a deliberately-inserted, carefully-hidden hole?
Source code management has gotten more robust in recent years; the widespread use of tools like git and mercurial effectively guarantees that an attempt to corrupt a repository somewhere will be detected. But that nice assumption only holds true for as long as one assumes that the hash algorithms used to identify commits are not subject to brute-force collisions. One should be careful about such assumptions when the computing resources of a national government can be brought to bear. We might still detect an attempt to exploit a hash collision - but our chances are not as good.
In any case, the software that ends up on our systems does not come directly from the source repositories; distributors apply changes of their own and build binary packages from that source. The building of packages is, one hopes, relatively robust; distributors have invested some significant resources into package signing and verification mechanisms. The Fedora and Red Hat intrusions show that this link in the chain is indeed subject to attack, but it is probably not one of the weakest links.
A weaker point may be the source trees found on developer laptops and the patches that those developers apply. A compromise of the right developer's system could render the entire signing mechanism moot; it will just sign code which has already been corrupted. Community distributions, which (presumably) have weaker controls, could be especially vulnerable to this attack vector. In that context, it's worth bearing in mind that distributions like Debian and Gentoo - at least - are extensively used in a number of sensitive environments. Enterprise distributions might be better defended against the injection of unwanted code, but the payback for the insertion of a hole into an enterprise distribution could be high. Users of community rebuilds of enterprise distributions (LWN being one of those) should bear in mind that they have added one more link to the chain of security that they depend on.
Then again, all of that may be unnecessary; perhaps ordinary bugs are enough to open our systems to sufficiently determined attackers. We certainly have no shortage of them. One assumes that no self-respecting, well-funded governmental operation would be without a list of undisclosed vulnerabilities close at hand. They have the resources to look for unknown bugs, to purchase the information from black-hat crackers, and to develop better static analysis tools than we have.
All told, it is a scary situation, one which requires that we rethink the security of our systems and processes from one end to the other. Otherwise we risk becoming increasingly vulnerable to well-funded attackers. We also risk misguided and destructive attempts to secure the net through heavy-handed regulation; see this ZDNet article for a somewhat confusing view of how that could come about.
The challenge is daunting, and it may be insurmountable. But, then, we as a community have overcome many other challenges that the world thought we would never get past, and the attacks seem destined to happen regardless of whether we try to improve our defenses. If we could achieve a higher level of security while preserving the openness of our community and the vitality of our development process, Linux would be even closer to World Domination than it is now. Even in the absence of other minor concerns - freedom, the preservation of fundamental civil rights, and the preservation of an open network, for example - this goal would be worth pursuing.
Brief items
China Internet Network Information Center accepted as a Mozilla root CA
Those who are concerned about the security of Mozilla's SSL certificate validation might want to take a look at this bugzilla entry. It seems that, at the end of October, Mozilla approved the addition of the China Internet Network Information Center (CNNIC) as a root certification authority, meaning that Firefox will accept CNNIC-signed certificates as valid and fully trusted. CNNIC is said to be controlled by the Chinese government and is alleged to be heavily involved in spying on Chinese citizens; numerous people are concerned that it will use its root CA position to facilitate man-in-the-middle attacks. Unfortunately, most of these concerns were not raised during the discussion period, making the removal of CNNIC - if warranted - harder.
Security reports
Two information leak vulnerabilities in Bugzilla
The Bugzilla project is reporting two information leaks that could lead to the disclosure of sensitive data. Several directories (CVS/, contrib/, docs/en/xml/, and t/) and the old-params.txt file were not restricted from being served by Bugzilla. By default, they do not contain sensitive information, but custom installations may have added files with passwords or other information. Also, certain bugs could be made public, at least briefly, when they were moved to a different product. Versions 3.0.11, 3.2.6, 3.4.5, and 3.5.3 have been released to address the leaks.
New vulnerabilities
bltk: privilege escalation
Package(s): bltk
CVE #(s): (none listed)
Created: January 29, 2010
Updated: February 19, 2010
Description: From the Fedora advisory: bltk will run any command as root
hybserv: denial of service
Package(s): hybserv
CVE #(s): CVE-2010-0303
Created: January 29, 2010
Updated: February 3, 2010
Description: From the Debian advisory: Julien Cristau discovered that hybserv, a daemon running IRC services for IRCD-Hybrid, is prone to a denial of service attack via the commands option.
ircd-hybrid/ircd-ratbox: multiple vulnerabilities
Package(s): ircd-hybrid/ircd-ratbox
CVE #(s): CVE-2009-4016 CVE-2010-0300
Created: January 28, 2010
Updated: June 9, 2010
Description: From the Debian alert: David Leadbeater discovered an integer underflow that could be triggered via the LINKS command and can lead to a denial of service or the execution of arbitrary code (CVE-2009-4016). This issue affects both ircd-hybrid and ircd-ratbox. It was discovered that the ratbox IRC server is prone to a denial of service attack via the HELP command. The ircd-hybrid package is not vulnerable to this issue (CVE-2010-0300).
kernel: insecure devtmpfs permissions
Package(s): kernel
CVE #(s): CVE-2010-0299
Created: February 1, 2010
Updated: February 8, 2010
Description: From the Mandriva advisory: An issue was discovered in 2.6.32.x kernels, which sets unsecure permission for devtmpfs file system by default. (CVE-2010-0299)
kernel: arbitrary code execution
Package(s): kernel
CVE #(s): CVE-2009-1385
Created: February 3, 2010
Updated: February 3, 2010
Description: From the Red Hat advisory: A flaw was found in the Intel PRO/1000 Linux driver (e1000) in the Linux kernel. Frames with sizes near the MTU of an interface may be split across multiple hardware receive descriptors. Receipt of such a frame could leak through a validation check, leading to a corruption of the length check. A remote attacker could use this flaw to send a specially-crafted packet that would cause a denial of service or code execution. (CVE-2009-1385, Important)
lighttpd: denial of service
Package(s): lighttpd
CVE #(s): CVE-2010-0295
Created: February 2, 2010
Updated: June 3, 2010
Description: From the Debian advisory: Li Ming discovered that lighttpd, a small and fast webserver with minimal memory footprint, is vulnerable to a denial of service attack due to bad memory handling. Slowly sending very small chunks of request data causes lighttpd to allocate new buffers for each read instead of appending to old ones. An attacker can abuse this behaviour to cause denial of service conditions due to memory exhaustion.
maildrop: privilege escalation
Package(s): maildrop
CVE #(s): CVE-2010-0301
Created: January 28, 2010
Updated: September 7, 2010
Description: From the Debian alert: Christoph Anton Mitterer discovered that maildrop, a mail delivery agent with filtering abilities, is prone to a privilege escalation issue that grants a user root group privileges.
moodle: multiple vulnerabilities
Package(s): moodle
CVE #(s): CVE-2009-4297 CVE-2009-4298 CVE-2009-4299 CVE-2009-4301 CVE-2009-4302 CVE-2009-4303 CVE-2009-4305
Created: February 3, 2010
Updated: February 16, 2010
Description: From the Debian advisory: CVE-2009-4297: Multiple cross-site request forgery (CSRF) vulnerabilities have been discovered. CVE-2009-4298: It has been discovered that the LAMS module is prone to the disclosure of user account information. CVE-2009-4299: The Glossary module has an insufficient access control mechanism. CVE-2009-4301: Moodle does not properly check permissions when the MNET service is enabled, which allows remote authenticated servers to execute arbitrary MNET functions. CVE-2009-4302: The login/index_form.html page links to an HTTP page instead of using an SSL secured connection. CVE-2009-4303: Moodle stores sensitive data in backup files, which might make it possible for attackers to obtain them. CVE-2009-4305: It has been discovered that the SCORM module is prone to an SQL injection. Additionally, an SQL injection in the update_record function, a problem with symbolic links and a verification problem with Glossary, database and forum ratings have been fixed.
ncpfs: privilege escalation
Package(s): ncpfs
CVE #(s): CVE-2009-3297
Created: January 28, 2010
Updated: March 1, 2011
Description: From the Red Hat bugzilla entry: Ronald Volgers found a race condition in the samba-client's mount.cifs utility. Local, unprivileged user could use this flaw to conduct symlink attacks, leading to disclosure of sensitive information, or, possibly to privilege escalation.
mysql: access restriction bypass
Package(s): mysql
CVE #(s): CVE-2008-7247
Created: February 2, 2010
Updated: November 16, 2010
Description: From the CVE entry: sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, and 6.0 before 6.0.9-alpha, when the data home directory contains a symlink to a different filesystem, allows remote authenticated users to bypass intended access restrictions by calling CREATE TABLE with a (1) DATA DIRECTORY or (2) INDEX DIRECTORY argument referring to a subdirectory that requires following this symlink.
postgresql: denial of service
Package(s): postgresql-server
CVE #(s): CVE-2010-0442
Created: February 3, 2010
Updated: May 28, 2010
Description: From the NVD entry: The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
rootcerts: upgrade to latest certdata.txt
Package(s): rootcerts
CVE #(s): (none listed)
Created: January 29, 2010
Updated: February 4, 2010
Description: From the Mandriva advisory: The rootcerts package was added in Mandriva in 2005 and was meant to be updated when necessary. The provided rootcerts packages have been upgraded using the latest certdata.txt file from the mozilla cvs repository, as of 2009/12/03.
roundcubemail: information disclosure
Package(s): roundcubemail
CVE #(s): CVE-2010-0464
Created: February 3, 2010
Updated: February 25, 2010
Description: From the Red Hat bugzilla entry: Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): CVE-2009-4337 CVE-2010-0304
Created: February 1, 2010
Updated: May 28, 2010
Description: From the Debian advisory: CVE-2009-4337: A NULL pointer dereference was found in the SMB/SMB2 dissectors. CVE-2010-0304: Several buffer overflows were found in the LWRES dissector.
zabbix: multiple vulnerabilities
Package(s): zabbix
CVE #(s): CVE-2009-4499 CVE-2009-4501
Created: January 28, 2010
Updated: February 3, 2010
Description: From the CVE entry for CVE-2009-4499: SQL injection vulnerability in the get_history_lastid function in the nodewatcher component in Zabbix Server before 1.6.8 allows remote attackers to execute arbitrary SQL commands via a crafted request, possibly related to the send_history_last_id function in zabbix_server/trapper/nodehistory.c. From the CVE entry for CVE-2009-4501: The zbx_get_next_field function in libs/zbxcommon/str.c in Zabbix Server before 1.6.8 allows remote attackers to cause a denial of service (crash) via a request that lacks expected separators, which triggers a NULL pointer dereference, as demonstrated using the Command keyword.
Page editor: Jake Edge
Kernel development
Brief items
Kernel release status
The current development kernel is 2.6.33-rc6, released on January 29. "Give it a go. Hopefully we've fixed a number of regressions, we're getting to that stage of the release cycle where things mostly should 'just work' and people who still see regressions should start making loud noises." Full details can be found in the full changelog.
Stable updates: 2.6.32.7 and 2.6.27.45 were released on January 28. The 2.6.32.7 update is rather large, consisting of 98 patches, which Greg Kroah-Hartman explains as follows: "This release is brought to you by the very appreciated efforts of the Debian, Gentoo, and Novell kernel teams, who spent a lot of time to flush out patches that were in their trees to me for inclusion. Special thanks goes to Ben Hutchings for doing a lot of this work." A footnote in the 2.6.32.7 review announcement makes it clear that Kroah-Hartman was the Gentoo and Novell kernel team member responsible.
Ancient kernels: 2.4.37.8 was released on January 31; it contains an e1000 security fix and a few other updates. 2.4.37.9 followed the next day with a fix for the e1000 fix.
Quotes of the week
It's kind of like banking: overcommit off is proper banking, overcommit on is modern western banking.
This simple fact tells us that while performance matters, it is of little use if good utility and a clean design are not there. (in fact sane and clean design will almost automatically result in good performance too down the line, but I digress.) Faster crap is still crap.
In fact, I'd say that the various forks of Linux, and how the Linux maintainers have roped back in some forks (and let others go on their merry way) is what made the Linux kernel great and not just a BSD rehash.
Kernel development news
Improving readahead
Readahead is the process of speculatively reading file data into the page cache in the hope that it will be useful to an application in the near future. When readahead works well, it can significantly improve the performance of I/O bound applications by avoiding the need for those applications to wait for data and by increasing I/O transfer size. On the other hand, readahead risks making performance worse as well: if it guesses wrong, scarce memory and I/O bandwidth will be wasted on data which will never be used. So, as is the case with memory management in general, readahead algorithms are both performance-critical and heavily based on heuristics.
As is also generally the case with such code, few people dare to wander into the readahead logic; it tends to be subtle and quick to anger. One of those who dare is Wu Fengguang, who has worked on readahead a few times over the years. His latest contribution is this set of patches which tries to improve readahead performance in the general case while also making it more responsive to low-memory situations.
The headline feature of this patch set is an increase in the maximum readahead size from 128KB to 512KB. Given the size of today's files and storage devices, 512KB may well seem a bit small. But there are costs to readahead, including the amount of memory required to store the data and the amount of I/O bandwidth required to read it. If a larger readahead buffer causes other useful data to be paged out, it could cause a net loss in system performance even if all of the readahead data proves to be useful. Larger readahead operations will occupy the storage device for longer, causing I/O latencies to increase. And one should remember that there can be a readahead buffer associated with every open file descriptor - of which there can be thousands - in the system. Even a small increase in the amount of readahead can have a large impact on the behavior of the system.
The 512K number was reached by way of an extensive series of benchmark runs using both rotating and solid-state storage devices. With rotating disks, bumping the maximum readahead size to 512KB nearly tripled I/O throughput with a modest increase in I/O latency; any further increases, while increasing throughput again, caused latency increases that were deemed to be unacceptable. On solid-state devices the throughput increase was less (on a percentage basis) but still significant.
These numbers hold for a device with reasonable performance, though. A typical USB thumb drive, not being a device with reasonable performance, can run into real trouble with an increased readahead size. To address this problem, the patch set puts a cap on the readahead window size for small devices. For a 2MB device (assuming such a thing can be found), readahead is limited to 4KB; for a 2GB drive, the limit is 128KB. Only at 32GB does the full 512KB readahead window take effect.
This heuristic is not perfect. Jens Axboe protested that some solid-state devices are relatively small in capacity, but they can be quite fast. Such devices may not perform as well as they could with a larger readahead size.
Another part of this patch set is the "context readahead" code which tries to prevent the system from performing more readahead than its memory can handle. For a typical file stream with no memory contention, the contents of the page cache can be visualized (within your editor's poor drawing skills) like this:
Here, we are looking at a representation of a stream of pages containing the file's data; the green pages are those which are in the page cache at the moment. Several recently-consumed pages behind the offset have not yet been evicted, and the full readahead window is waiting for the application to get around to consuming it.
If memory is tight, though, we could find a situation more like this:
Because the system is scrambling for memory, it has been much more aggressive about evicting this file's pages from the page cache. There is much less history there, but, more importantly, a number of pages which were brought in via readahead have been pushed back out before the application was able to actually make use of them. This sort of thrashing behavior is harmful to system performance; the readahead occupied memory when it was needed elsewhere, and that data will have to be read a second time in the near future. Clearly, when this sort of behavior is seen, the system should be doing less readahead.
Thrashing behavior is easily detected; if pages which have already been read in via readahead are missing when the application tries to actually read them, things are going amiss. When that happens, the code will get an estimate of the amount of memory it can safely use by counting the number of history pages (those which have already been consumed by the application) which remain in the page cache. If some history remains, the number of history pages is taken as a guess for what the size of the readahead window should be.
If, instead, there's no history at all, the readahead size is halved. In this case, the readahead code will also carefully shift any readahead pages which are still in memory to the head of the LRU list, making it less likely that they will be evicted immediately prior to their use. The file descriptor will be marked as "thrashed," causing the kernel to continue to use the history size as a guide for the readahead window size in the future. That, in turn, will cause the window to expand and contract as memory conditions warrant.
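The thrash-detection heuristic described above, together with the device-size cap, as an added simulation that is not code from the patch set or the kernel: a tiny LRU page cache, a sequential reader, and a constructed competing workload that evicts readahead pages before the application gets to them. The model sizes, the pressure parameter, marking the descriptor as thrashed on any detected thrash, and the cap formula (a fit to the three figures the article gives, not the patch's own) are all assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (units are pages), kept small so eviction happens quickly. */
#define CACHE_PAGES  32        /* page cache shared by every file */
#define FILE_PAGES   512       /* length of the file read sequentially */
#define MAX_WINDOW   16        /* stands in for the 512KB maximum window */
#define FOREIGN_BASE 1000000L  /* page indices of a competing workload */
struct page { long index; unsigned long last_use; };   /* index -1: free slot */
struct cache { struct page slots[CACHE_PAGES]; unsigned long clock; };

static int cache_find(const struct cache *c, long index)
{
    for (int i = 0; i < CACHE_PAGES; i++)
        if (c->slots[i].index == index) return i;
    return -1;
}

/* Bring a page in, evicting the least recently used one if the cache is full,
 * or move an already present page to the head of the LRU list. */
static void cache_touch(struct cache *c, long index)
{
    int i = cache_find(c, index), victim = 0;
    if (i < 0) {
        for (i = 0; i < CACHE_PAGES; i++) {
            if (c->slots[i].index < 0) { victim = i; break; }
            if (c->slots[i].last_use < c->slots[victim].last_use) victim = i;
        }
        i = victim;
        c->slots[i].index = index;
    }
    c->slots[i].last_use = ++c->clock;
}

/* History pages: pages of this file already consumed by the application but still cached. */
static int history_pages(const struct cache *c, long offset)
{
    int n = 0;
    for (int i = 0; i < CACHE_PAGES; i++)
        n += c->slots[i].index >= 0 && c->slots[i].index < offset;
    return n;
}

struct ra_result { int sync_reads, thrash_events, final_window; bool thrashed; };
/* Read the file sequentially while `pressure` unrelated pages enter the cache
 * after every consumed page, and report how the readahead window reacted. */
struct ra_result simulate_readahead(int pressure)
{
    struct cache c = { 0 };
    struct ra_result r = { 0, 0, 0, false };
    int window = MAX_WINDOW;
    long ra_end = 0;              /* first page not covered by issued readahead */
    for (int i = 0; i < CACHE_PAGES; i++) c.slots[i].index = -1;
    for (long off = 0; off < FILE_PAGES; off++) {
        if (cache_find(&c, off) < 0) {
            int history = history_pages(&c, off);
            if (off < ra_end) {       /* read ahead, but evicted before use */
                r.thrash_events++;
                r.thrashed = true;    /* from now on history guides the window */
                if (history > 0) {
                    window = history < MAX_WINDOW ? history : MAX_WINDOW;
                } else {
                    window = window > 1 ? window / 2 : 1;
                    for (long p = off + 1; p < ra_end; p++)   /* shield survivors */
                        if (cache_find(&c, p) >= 0) cache_touch(&c, p);
                }
            } else if (r.thrashed && history > 0) {
                window = history < MAX_WINDOW ? history : MAX_WINDOW;
            }
            r.sync_reads++;           /* synchronous read plus the window */
            ra_end = off + window < FILE_PAGES ? off + window : FILE_PAGES;
            for (long p = off; p < ra_end; p++) cache_touch(&c, p);
        }
        cache_touch(&c, off);                     /* the application consumes it */
        for (int k = 0; k < pressure; k++)        /* competing workload */
            cache_touch(&c, FOREIGN_BASE + (long)c.clock);
    }
    r.final_window = window;
    return r;
}

/* Device-size cap. The article gives 4KB for 2MB, 128KB for 2GB and 512KB for 32GB;
 * 2^(floor(log2(8 * size)) / 2) clamped to [4KB, 512KB] reproduces those figures.
 * It is a fit to the article's numbers, not the formula used by the patch set. */
unsigned long ra_cap_bytes(unsigned long long device_bytes)
{
    int k = 0;
    for (unsigned long long n = 8ULL * device_bytes; n > 1; n >>= 1) k++;
    unsigned long cap = 1UL << (k / 2);
    return cap < 4096 ? 4096 : cap > 524288 ? 524288 : cap;
}

int main(void)
{
    struct ra_result calm = simulate_readahead(0), tight = simulate_readahead(8);
    printf("calm:  %d sync reads, %d thrash events, window %d\n", calm.sync_reads, calm.thrash_events, calm.final_window);
    printf("tight: %d sync reads, %d thrash events, window %d\n", tight.sync_reads, tight.thrash_events, tight.final_window);
    printf("2GB device cap: %lu bytes\n", ra_cap_bytes(2ULL << 30));
    return 0;
}
```

Without pressure the reader misses exactly once per window and never thrashes; with eight foreign pages per consumed page the first readahead window is torn out from under the reader and the window shrinks to the few history pages that survive.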
Readahead changes can be hard to get into the mainline. The heuristics can be tricky, and, as Linus has noted, it can be easy to optimize the system for a subset of workloads:
The stated goal of this patch set is to make readahead more aggressive by increasing the maximum size of the readahead window. But, in truth, much of the work goes in the other direction, constraining the readahead mechanism in situations where too much readahead can do harm. Whether these new heuristics reliably improve performance will not be known until a considerable amount of benchmarking has been done.
The x86_64 DOS hole
As of this writing, there have not yet been any distributor updates for the vulnerability which will become known as CVE-2010-0307. This particular bug does not (as far as your editor knows) allow a complete takeover of a system, but it can be used for denial-of-service attacks, or in a situation where an attacker with unprivileged local access wishes to force a reboot. It is also an illustration of the hazards which come with old and tricky code.
Mathias Krause reported the problem at the end of January. It seems that, on an x86_64 system, a kernel panic can be forced by trying (and failing) to exec() a 64-bit program while running in 32-bit mode, then triggering a core dump. There does not seem to be a way to exploit this bug to run arbitrary code - but those who would take over systems have shown enough creativity in situations like this that one can never be sure. Even without that, though, the ability to take any 64-bit x86 system down is not a good thing. Current kernels are affected, as are older ones; your editor is not aware of anybody having taken the time to determine when the problem first appeared, but Mathias has shown that 2.6.26 kernels contained the bug.
The execve() system call is the means by which a process stops running one program and starts running a new one. It must clean up most (but not all) of the state associated with the old program, resetting things for the new one. In this process, there is a "point of no return": the place where the system call is committed to making the change and can no longer back out. Before this point, any sort of failure should lead to an error return from the system call (which otherwise is not expected to return at all); afterward, the only recourse is to kill the process outright.
Sometime after the point of no return, execve() must adjust the "personality" of the process to match the new executable image. For example, a 64-bit process switching to a 32-bit image must go into the 32-bit personality. In the past, personalities have also been used to emulate other operating environments - running SYSV binaries, for example. The personality changes a number of aspects of the environment the program runs in, though, as we'll see, fewer than it once did.
In the past, personality changes have included filesystem namespace changes. That was necessary because the process of starting the new executable could require looking up other images, such as an "interpreter" image to run the new program. The lookup clearly had to happen prior to the point of no return; if the lookup fails then the system call should fail. So some aspects of the new image's environment had to be present while the process was still running in the context of the old image.
The solution, at the time, was to put some brutal hacks into the low-level SET_PERSONALITY() macro. This macro's job is to switch the process to a new personality, but, post-hack, it no longer did that. Instead, it would make the namespace changes, but leave most of the environment unchanged, setting the special TIF_ABI_PENDING task flag to remind the kernel that, at a later point, it needed to complete the personality change. Over time, the namespace changes were removed from the kernel, but this two-step personality switch mechanism remained.
This hackery allowed SET_PERSONALITY() to be called before the point of no return without breaking the process of tearing down the old image. What was missing, though, was any mechanism for fully restoring the old personality should things change after the SET_PERSONALITY() call. In effect, that call became the real point of no return, since the kernel had no way of going back to how things were before.
There aren't too many ways that execve() could fail in the window between the SET_PERSONALITY() call and the official point of no return. But one is all it takes, and one easily accessible failure mode is an inability to find the "interpreter" for the new image. The interpreter need not be an executable; it's really the execution environment as a whole. As it happens, a 32-bit process that tries to run a 64-bit image can be made to hit exactly that failure, in just the wrong part of the execve() call. Control will return to the calling program, but with a partially-corrupted personality setup.
As it happens, the most common response to an execve() failure is to inform the user and exit; the calling program wasn't expecting to be running any more, so it will normally just bail out. So the schizophrenic personality it's running under will likely never be noticed. But if the calling program instead takes a signal which forces a core dump, the confused personality information will lead to an equally confused kernel and a panic.
In summary, what we have here is a combination of tricky code, made worse by inter-architecture compatibility concerns, implementing behavior which is no longer needed - and doing it wrong. For added fun, it's worth noting that this problem was reported in December, but it fell through the cracks and remained unfixed.
The initial solution proposed by Linus was to simply remove the early SET_PERSONALITY() call. After a bit of discussion, though, Linus and H. Peter Anvin concluded that it was better to fix the code for real. The result was a pair of patches, the first of which splits flush_old_exec() (which contained the point of no return deeply within) into two functions meant to run before and after that point. This patch also gets rid of the early SET_PERSONALITY() call. The second patch then eliminates the TIF_ABI_PENDING hack, simply doing the full personality change at the point of no return.
These changes were merged just prior to the release of 2.6.33-rc6. This is a fairly significant pair of patches to put into the core kernel at this late stage in the 2.6.33 development cycle. And, indeed, they have caused some problems, especially with non-x86 architectures. Distributors looking to backport this fix into older kernels may well find themselves looking for a way to simplify it. But security fixes are important, and fixes which get rid of cobweb-encrusted code which could be hiding other problems are even better. The remaining problems should be cleaned up in short order, and the 2.6.33 kernel will be better for it.
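As an added example (this is not the article's code, nor Mathias Krause's reproducer), here is a harness for the exact sequence the article describes: a 32-bit process calls execve() on a 64-bit image, execve() returns with an error instead of replacing the process, and the process then dumps core. The target path is a caller-supplied assumption; the harness knows nothing about any particular binary. To reproduce the 32-bit caller, build it with gcc -m32 on an x86-64 machine and hand it a 64-bit ELF whose execve() fails after the kernel has started the personality switch (the article names an unfindable interpreter as the accessible failure). Run it only on a throwaway test VM: on an unfixed kernel the core dump is the panic.

```c
/* Added example, not from the article or from the original bug report:
 * exercise "failed execve() of a 64-bit image, then core dump" in a child
 * process so the parent survives to report what happened.  The target
 * path is an assumption supplied by the caller. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns the signal that killed the child (SIGABRT when execve() returned
 * and the child then dumped core), 0 if the child exited normally, or -1
 * if fork()/waitpid() failed.  If execve() succeeds, the child is replaced
 * by the target and the target's own exit is what gets reported. */
int exec_then_dump(const char *target)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        char *argv[] = { (char *)target, NULL };
        char *envp[] = { NULL };
        struct rlimit rl;

        /* Raise the core-file soft limit to the hard limit so that the
         * abort() below actually goes down the core-dump path. */
        if (getrlimit(RLIMIT_CORE, &rl) == 0) {
            rl.rlim_cur = rl.rlim_max;
            setrlimit(RLIMIT_CORE, &rl);
        }

        execve(target, argv, envp);

        /* Only reached when execve() failed: the kernel has returned us to
         * the old image, on a buggy kernel with a half-switched personality.
         * Dumping core now is the second half of the trigger. */
        fprintf(stderr, "execve(%s) failed: %s; dumping core\n",
                target, strerror(errno));
        abort();
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/64-bit-elf\n", argv[0]);
        return 2;
    }
    int sig = exec_then_dump(argv[1]);
    if (sig < 0) {
        perror("fork/waitpid");
        return 2;
    }
    printf("child terminated by signal %d%s\n", sig,
           sig == SIGABRT ? " (core dump requested)" : "");
    /* If the machine is still running at this point, the kernel is fixed. */
    return sig == SIGABRT ? 0 : 1;
}
```

On a fixed kernel the child simply dies with SIGABRT and the parent reports it. Pointing the harness at a path that does not exist at all gives the same result without exercising the bug, because that failure happens in open_exec() before the ELF loader runs, and so before the early SET_PERSONALITY() call; it is a check of the harness, not of the kernel.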
Lockdep-RCU
Introduction
Read-copy update (RCU) is a synchronization mechanism that was added to the Linux kernel in October of 2002. RCU improves scalability by allowing readers to execute concurrently with writers. In contrast, conventional locking primitives require that readers wait for ongoing writers and vice versa. RCU ensures read coherence by maintaining multiple versions of data structures and ensuring that they are not freed until all pre-existing read-side critical sections complete. RCU relies on efficient and scalable mechanisms for publishing and reading new versions of an object, and also for deferring the collection of old versions. These mechanisms distribute the work among read and update paths in such a way as to make read paths extremely fast. In some cases (non-preemptable kernels), RCU's read-side primitives have zero overhead. RCU updates can be expensive, so RCU is in general best-suited to read-mostly data structures.
RCU readers execute in RCU read-side critical sections that begin with rcu_read_lock() and end with rcu_read_unlock(). The Linux kernel has multiple flavors of RCU, and each flavor uses its own flavor of rcu_read_lock() and rcu_read_unlock(). Anything outside of an RCU read-side critical section is a quiescent state, and a grace period is any time period in which every CPU (or task, for real-time RCU implementations) passes through at least one quiescent state. Taken together, these rules guarantee that any RCU read-side critical section that is executing at the beginning of a given grace period must complete before that grace period can be permitted to end. This guarantee is surprisingly useful, allowing RCU to act as a high-performance scalable replacement for reader-writer locking, among other things.
But this guarantee is sufficient only for systems with sequentially consistent memory ordering, which are quite rare. Even strongly ordered architectures such as x86 or s390 will allow later reads to execute ahead of prior writes, and compilers can reorder code quite freely. Therefore, RCU needs an additional publish-subscribe guarantee, which is provided by rcu_assign_pointer() and rcu_dereference(). Uses of rcu_assign_pointer() are typically protected by the update-side lock, and uses of rcu_dereference() must typically be within an RCU read-side critical section.
Unfortunately for this simple rule on use of rcu_dereference(), there is quite a bit of code that is used by both RCU readers and updaters. A more accurate rule is that a given use of rcu_dereference() must be either:
- within an RCU read-side critical section,
- protected by the update-side lock, or
- applied to a pointer that is inaccessible to RCU readers.
The remainder of this article is as follows:
- Why Bother With lockdep-Enabling RCU?
- RCU API for lockdep.
- RCU lockdep Usage Examples.
- RCU lockdep Implementation.
- RCU API for lockdep: Quick Reference.
Why Bother With lockdep-Enabling RCU?
Compliance with the usage rule for rcu_dereference() is verified by manual code inspection. And this manual code inspection worked great back in 2.6.10, when there were a grand total of 38 occurrences of rcu_dereference(). However, given that there are now more than 350 occurrences of rcu_dereference() in 2.6.32, it appears the day of sole reliance on manual code inspection is long over. Additional evidence on this point was provided by Thomas Gleixner when he trained his eagle eye on a few rcu_dereference() instances in mainline. It is clearly time to bring lockdep-style checking to rcu_dereference().
Unfortunately, because rcu_dereference() can be used in such a wide variety of environments, simple addition of lockdep checking to the current API fails, producing reams of false positives while ignoring potentially dangerous bugs.
Quick Quiz 1: How can you be so sure that there is no clever lockdep-check strategy given the current API?
RCU API for lockdep
Some major goals of any API change are to minimize impact on existing code, patches in flight, and ongoing debugging efforts. Because the most common use of rcu_dereference() is for accesses that are strictly within a vanilla RCU read-side critical section, rcu_dereference() should check only for being in a vanilla RCU read-side critical section. This minimizes impact on existing code, including patches in flight. This means that other rcu_dereference() API members must be created. However, these other API members cannot be defined in terms of rcu_dereference() because these other members must be usable outside of vanilla RCU read-side critical sections. Therefore, a raw interface named rcu_dereference_raw() inherits the implementation that used to belong to rcu_dereference(). In other words, if you “know what you are doing”, just use rcu_dereference_raw() and lockdep will never complain about it. (But you just might hear a few questions from me!)
The underlying API for the other forms of rcu_dereference() is rcu_dereference_check(), which takes two arguments. The first argument is an RCU-protected pointer, the same as that of rcu_dereference() and the new rcu_dereference_raw(). The second argument is a boolean expression that evaluates to zero if there is a problem, in which case, if RCU lockdep is enabled, you will get a WARN_ON_ONCE() on your console log.
The other dereferencing APIs are rcu_dereference(), rcu_dereference_sched(), rcu_dereference_bh(), and srcu_dereference(), each of which checks to make sure that it is being used in the corresponding flavor of RCU read-side critical section, giving your console log a WARN_ON_ONCE() otherwise (again, assuming that RCU lockdep is enabled). All of these take a single RCU-protected pointer as an argument, except for srcu_dereference(), which also takes a pointer to a struct srcu_struct. This additional argument permits srcu_dereference() to distinguish among multiple SRCU domains. These four dereferencing APIs use corresponding APIs that check for being in the corresponding flavor of RCU read-side critical section: rcu_read_lock_held(), rcu_read_lock_bh_held(), rcu_read_lock_sched_held(), and srcu_read_lock_held(). Of these, only srcu_read_lock_held() takes an argument, namely a pointer to a struct srcu_struct, again permitting distinguishing among multiple SRCU domains.
RCU lockdep Usage Examples
The prototypical use of these new APIs is as follows:

    rcu_read_lock();
    p = rcu_dereference(gp->data);
    do_something_with(p);
    rcu_read_unlock();

The alert reader may have noticed that this is no different from the old usage of these APIs. This situation is strictly intentional.
Similar code may be written for other flavors of RCU. For SRCU, the read-side primitives take the SRCU domain, and srcu_read_lock() returns an index that must be handed back to srcu_read_unlock():

    idx = srcu_read_lock(sp);
    p = srcu_dereference(gp->data, sp);
    do_something_with(p);
    srcu_read_unlock(sp, idx);

These examples work well when used inside RCU read-side critical sections, but fail completely for code that is invoked both by readers and updaters. Although we could insert artificial RCU read-side critical sections in updaters, these can cause much confusion. Instead, we use rcu_dereference_check(), for example, in the files_fdtable() macro:

    #define files_fdtable(files) \
        (rcu_dereference_check((files)->fdt, \
                               rcu_read_lock_held() || \
                               lockdep_is_held(&(files)->file_lock) || \
                               atomic_read(&files->count) == 1))

This statement fetches the RCU-protected pointer (files)->fdt, but requires that files_fdtable() be invoked within an RCU read-side critical section, with (files)->file_lock held, or with the files->count reference counter equal to one (in other words, with the caller holding the only reference, so that the structure is inaccessible to RCU readers).
Quick Quiz 2: Suppose that an access to an RCU-protected pointer gp must be either inside an RCU-bh read-side critical section, an SRCU read-side critical section for SRCU domain sp, or with mylock held. How do you code this?
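To see the rule in action outside the kernel, here is an added example written for this article (it is not kernel code): a user-space model of rcu_dereference_check() in which lockdep's held-lock tracking is replaced by per-lock counters, applied to a files_fdtable()-style accessor. The struct layouts, counter names and warning text are assumptions of the model, and it counts every firing rather than warning once as WARN_ON_ONCE() does. It answers the question the files_fdtable() example and Quick Quiz 2 raise: which calling contexts satisfy the three-way condition, and which one trips the warning.

```c
/* Added example: a user-space model of the rcu_dereference_check() rule,
 * written for this article and not taken from the kernel.  "lockdep" is
 * modelled as per-lock held counters, and the warning counter counts
 * every firing (the kernel's WARN_ON_ONCE() fires once) so that each
 * calling context can be checked on its own. */
#include <stdatomic.h>
#include <stdio.h>

/* Model of the lockdep state the kernel keeps in rcu_lock_map and in the
 * lockdep_map embedded in files->file_lock. */
static int rcu_lock_depth;   /* stands in for rcu_lock_map */
static int file_lock_depth;  /* stands in for files->file_lock */
static int rcu_warnings;     /* number of times the check fired */

static void rcu_read_lock(void)      { rcu_lock_depth++; }
static void rcu_read_unlock(void)    { rcu_lock_depth--; }
static int  rcu_read_lock_held(void) { return rcu_lock_depth > 0; }

static void file_lock(void)          { file_lock_depth++; }
static void file_unlock(void)        { file_lock_depth--; }
/* Plays the role of lockdep_is_held(&files->file_lock). */
static int  file_lock_is_held(void)  { return file_lock_depth > 0; }

/* The article's rcu_dereference_check(): complain if the caller's claimed
 * context does not hold, then load the pointer.  An acquire load stands in
 * for ACCESS_ONCE() plus smp_read_barrier_depends(); it is stronger than
 * the kernel's dependency-ordering barrier, which is fine for a model. */
#define rcu_dereference_check(p, c) ({ \
    if (!(c)) { \
        rcu_warnings++; \
        fprintf(stderr, "RCU lockdep: suspicious rcu_dereference_check() " \
                "at %s:%d, condition \"%s\" is false\n", \
                __FILE__, __LINE__, #c); \
    } \
    atomic_load_explicit(&(p), memory_order_acquire); \
})

struct fdtable { int max_fds; };
struct files_struct {
    atomic_int count;                 /* reference count, as in the kernel */
    _Atomic(struct fdtable *) fdt;    /* the RCU-protected pointer */
};

/* The three-way condition of the kernel's files_fdtable() macro. */
#define files_fdtable(files) \
    rcu_dereference_check((files)->fdt, \
                          rcu_read_lock_held() || \
                          file_lock_is_held() || \
                          atomic_load(&(files)->count) == 1)

/* Call files_fdtable() in a chosen context and report how many warnings
 * it produced there: in_reader enters an RCU read-side critical section,
 * under_lock takes the update-side lock, refcount is files->count.
 * Returns -1 if the pointer fetched is not the one that was published. */
int warnings_in_context(int in_reader, int under_lock, int refcount)
{
    struct fdtable table = { .max_fds = 64 };
    struct files_struct files;
    atomic_init(&files.count, refcount);
    atomic_init(&files.fdt, &table);
    int before = rcu_warnings;

    if (in_reader)
        rcu_read_lock();
    if (under_lock)
        file_lock();
    struct fdtable *fdt = files_fdtable(&files);
    if (under_lock)
        file_unlock();
    if (in_reader)
        rcu_read_unlock();

    if (fdt != &table)
        return -1;
    return rcu_warnings - before;
}

int main(void)
{
    printf("RCU reader:            %d warning(s)\n", warnings_in_context(1, 0, 2));
    printf("update-side lock:      %d warning(s)\n", warnings_in_context(0, 1, 2));
    printf("sole reference:        %d warning(s)\n", warnings_in_context(0, 0, 1));
    printf("no protection at all:  %d warning(s)\n", warnings_in_context(0, 0, 2));
    return 0;
}
```

Run as is, the model reports zero warnings for the reader, update-side-lock and sole-reference contexts and one for the unprotected access. The Quick Quiz 2 condition is built the same way, with srcu_read_lock_held(sp) and lockdep_is_held(&mylock) as further disjuncts.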
RCU lockdep Implementation
The basic change underlying the RCU lockdep implementation is a set of per-RCU-flavor lockdep maps (in the case of SRCU, a per-SRCU-domain lockdep map ->dep_map in each struct srcu_struct):

    extern struct lockdep_map rcu_lock_map;
    # define rcu_read_acquire() \
            lock_acquire(&rcu_lock_map, 0, 0, 2, 1, NULL, _THIS_IP_)
    # define rcu_read_release() lock_release(&rcu_lock_map, 1, _THIS_IP_)

    extern struct lockdep_map rcu_bh_lock_map;
    # define rcu_read_acquire_bh() \
            lock_acquire(&rcu_bh_lock_map, 0, 0, 2, 1, NULL, _THIS_IP_)
    # define rcu_read_release_bh() lock_release(&rcu_bh_lock_map, 1, _THIS_IP_)

    extern struct lockdep_map rcu_sched_lock_map;
    # define rcu_read_acquire_sched() \
            lock_acquire(&rcu_sched_lock_map, 0, 0, 2, 1, NULL, _THIS_IP_)
    # define rcu_read_release_sched() \
            lock_release(&rcu_sched_lock_map, 1, _THIS_IP_)

    # define srcu_read_acquire(sp) \
            lock_acquire(&(sp)->dep_map, 0, 0, 2, 1, NULL, _THIS_IP_)
    # define srcu_read_release(sp) \
            lock_release(&(sp)->dep_map, 1, _THIS_IP_)

These are used to implement rcu_read_lock_held(), rcu_read_lock_bh_held(), rcu_read_lock_sched_held(), and srcu_read_lock_held():

    static inline int rcu_read_lock_held(void)
    {
            if (debug_locks)
                    return lock_is_held(&rcu_lock_map);
            return 1;
    }

    static inline int rcu_read_lock_bh_held(void)
    {
            if (debug_locks)
                    return lock_is_held(&rcu_bh_lock_map);
            return 1;
    }

    static inline int rcu_read_lock_sched_held(void)
    {
            int lockdep_opinion = 0;

            if (debug_locks)
                    lockdep_opinion = lock_is_held(&rcu_sched_lock_map);
            return lockdep_opinion || preempt_count() != 0;
    }

    static inline int srcu_read_lock_held(struct srcu_struct *sp)
    {
            if (debug_locks)
                    return lock_is_held(&sp->dep_map);
            return 1;
    }

In each case, if lockdep is enabled, we consult the corresponding lockdep_map; otherwise, we (conservatively) guess that we are in the appropriate RCU read-side critical section. This permits WARN_ON_ONCE(!rcu_read_lock_held()) to be used freely.
Quick Quiz 3: How do these work if lockdep is not configured at all?
The non-checking variant of rcu_dereference() is rcu_dereference_raw(), which is defined as follows:

    #define rcu_dereference_raw(p) ({ \
            typeof(p) _________p1 = ACCESS_ONCE(p); \
            smp_read_barrier_depends(); \
            (_________p1); \
    })

Then rcu_dereference_check() is implemented in terms of rcu_dereference_raw() as follows:

    #define rcu_dereference_check(p, c) \
            ({ \
                    if (debug_locks) \
                            WARN_ON_ONCE(!(c)); \
                    rcu_dereference_raw(p); \
            })

However, if lockdep is not configured, the following alternative implementation is used:

    #define rcu_dereference_check(p, c) rcu_dereference_raw(p)

Quick Quiz 4: Why not include a ((void)(c)) in the non-lockdep version of rcu_dereference_check() in order to detect compiler errors in the “c” argument?
The remainder of the primitives are defined as follows:

    #define rcu_dereference(p) \
            rcu_dereference_check(p, rcu_read_lock_held())

    #define rcu_dereference_bh(p) \
            rcu_dereference_check(p, rcu_read_lock_bh_held())

    #define rcu_dereference_sched(p) \
            rcu_dereference_check(p, rcu_read_lock_sched_held())

    #define srcu_dereference(p, sp) \
            rcu_dereference_check(p, srcu_read_lock_held(sp))

Quick Quiz 5: What are the non-lockdep definitions of these primitives?
RCU API for lockdep: Quick Reference

| Name | CONFIG_PROVE_RCU | !CONFIG_PROVE_RCU |
| --- | --- | --- |
| rcu_dereference(p) | returns p, warns if not in RCU read-side critical section | returns p, never warns |
| rcu_dereference_bh(p) | returns p, warns if not in RCU-bh read-side critical section | returns p, never warns |
| rcu_dereference_sched(p) | returns p, warns if not in RCU-sched read-side critical section | returns p, never warns |
| srcu_dereference(p, sp) | returns p, warns if not in SRCU read-side critical section for sp | returns p, never warns |
| rcu_dereference_check(p, c) | returns p, warns if !c | returns p, never warns |
| rcu_dereference_raw(p) | returns p, never warns | returns p, never warns |
| rcu_read_lock_held() | non-zero if in RCU read-side critical section | always non-zero |
| rcu_read_lock_bh_held() | non-zero if in RCU-bh read-side critical section | always non-zero |
| rcu_read_lock_sched_held() | non-zero if in RCU-sched read-side critical section | always non-zero |
| srcu_read_lock_held(sp) | non-zero if in SRCU read-side critical section for sp | always non-zero |
Conclusions and Future Directions
These are early days for the lockdep-enabled RCU primitives. They have been applied to some of the networking, VFS, scheduler, radix tree, and IDR code. Thus far, things are going well, but here are some possible future directions:
- The RCU list macros, radix tree, and IDR implementations currently use rcu_dereference_raw(). At some point, it may be necessary to produce checked variants. Given that this will require yet more APIs, need must be demonstrated before the API explosion is undertaken. list_for_each_rcu(), list_for_each_rcu_bh(), list_for_each_rcu_sched(), list_for_each_srcu(), list_for_each_rcu_check(), and list_for_each_rcu_raw(), anyone?
- Thus far, it has been easy to generate rcu_dereference_check()'s boolean expressions. Nevertheless, I am a bit nervous about code that is called both in RCU read-side critical sections and by initialization code. In some cases, it might be difficult to detect the initialization case, but these will be dealt with as they come up.
- The rcu_assign_pointer() primitive remains unchecked. It is used primarily under locks, which are quite a bit more familiar, and for which lockdep is already available.
Regardless of how the future unfolds, lockdep-enabled RCU should be very helpful in detecting RCU-usage bugs.
Acknowledgments
I am grateful to Peter Zijlstra and Thomas Gleixner for sharing their experiences applying lockdep checking to rcu_dereference(). I owe thanks to Eric Dumazet for helping me work out how to handle some difficult rcu_dereference() instances in the networking code, to Ingo Molnar for much encouragement and advice, and to Kathy Bennett for her support of this effort.
This work represents the view of the authors and does not necessarily represent the view of IBM.
Answers to Quick Quizzes
Quick Quiz 1: How can you be so sure that there is no clever lockdep-check strategy given the current API?
Answer: Because if there was a clever lockdep-check strategy given the current RCU API, Peter Zijlstra would have implemented it! If you know of one, please don't keep it a secret, but please do yourself the favor of reading the rest of this article before deciding whether or not you do have a solution.
Quick Quiz 2: Suppose that an access to an RCU-protected pointer gp must be either inside an RCU-bh read-side critical section, an SRCU read-side critical section for SRCU domain sp, or with mylock held. How do you code this?
Answer: One approach is as follows:

    rcu_dereference_check(gp,
                          rcu_read_lock_bh_held() ||
                          srcu_read_lock_held(sp) ||
                          lockdep_is_held(&mylock));

Quick Quiz 3: How do these work if lockdep is not configured at all?
Answer: As follows:

    static inline int rcu_read_lock_held(void)
    {
            return 1;
    }

    static inline int rcu_read_lock_bh_held(void)
    {
            return 1;
    }

    static inline int rcu_read_lock_sched_held(void)
    {
            return preempt_count() != 0;
    }

    static inline int srcu_read_lock_held(struct srcu_struct *sp)
    {
            return 1;
    }

Quick Quiz 4: Why not include a ((void)(c)) in the non-lockdep version of rcu_dereference_check() in order to detect compiler errors in the “c” argument?
Answer: Because lockdep_is_held() is defined only in lockdep builds of the kernel. Therefore, ((void)(c)) would give you lots of spurious build errors in non-lockdep builds. So, just make sure that you do at least one build-and-test cycle with lockdep defined.
Quick Quiz 5: What are the non-lockdep definitions of these primitives?
Answer: They are exactly the same as the lockdep definitions! The implementations of rcu_dereference_check() remove the need for duplicate definitions for rcu_dereference(), rcu_dereference_bh(), rcu_dereference_sched(), and srcu_dereference().
Patches and updates
Page editor: Jonathan Corbet
Distributions
News and Editorials
Fedora's privilege escalation policy proposal
Back in November, when Fedora 12 was released, there was something of an uproar over a new feature that allowed unprivileged package installation. While there are differing opinions on how sensible it was to add that feature, Fedora developers would much rather argue about that before a release is made—rather than shortly after, as happened with Fedora 12. To that end, Adam Williamson has been drafting a "Fedora privilege escalation policy" that seeks to clearly identify the types of package behavior that should either be avoided for unprivileged users, or undergo more thorough review.
There are two principles to guide the policy, which essentially encapsulate the idea that unprivileged users should not be able to "break" things for other users:
An unprivileged user without administrative authentication must not be able to bypass or override other users' reasonable expectation of privacy of their data, where "reasonable" is limited by what computers can do, what Linux can express, AND explicit actions by the "other user" to configure access permissions.
The policy then gives examples of package elements that are likely to make a package subject to the policy, such as setuid programs, PolicyKit policies, or udev rules. It also lists nearly two dozen actions that should only be allowed for privileged users. Privileged users, for the purposes of the policy, are those that authenticate with the root password, use sudo if that is configured by the administrator, or are the first user account added—without an additional password check—for approved Fedora spins that grant administrative privileges to that account. The latter is in keeping with the idea of a "desktop spin" that would be targeted at single-user systems, where the user and the administrator are one and the same.
The list of privileged-only actions is fairly comprehensive. Earlier drafts, like one posted to the fedora-testers mailing list, were discussed with additions and wording changes made. One somewhat puzzling omission is the ability to upgrade an installed package. Though it appears as a privileged operation in an earlier draft announced on fedora-devel, that was an oversight, which Williamson corrected. The PackageKit policy for Fedora 12 allows unprivileged upgrades, and the intent is to continue that policy.
Allowing unprivileged upgrades, while much less potentially dangerous than the original Fedora 12 policy, still has its share of pitfalls. Allowing regular users the ability to upgrade assumes that security vulnerabilities are not introduced in package upgrades. It may also run counter to an administrator's policies as Davide Cescato points out in a comment on the original Fedora 12 bug:
Overall, though, the policy is well thought-out and covers the kinds of problems that new or updated packages might cause. There has been some resistance to the enforcement and approval elements of the policy, but that seems to be based on a misunderstanding. The intent of the policy is that new mechanisms which affect privileges need review, not new users of existing mechanisms (such as PolicyKit, kdesu, etc.). As Miloslav Trmač put it:
The purpose of these announcements is to allow the QA team and people working on Fedora security to maintain a list of such mechanisms. If the QA team or someone working on security knows there is userhelper or DBus, they can search for packages that use it, and check the configuration of the packages, do code reviews etc. If they don't know about the mechanism, they can't check the users of the mechanism are secure.
As a set of guidelines to help packagers, testers, and reviewers, the proposed policy is quite useful. Williamson plans to present the draft to the Fedora board at its meeting on February 9, so it may become Fedora policy in the very near future. Beyond that, though, it would also be a good starting point for other distributions that are considering policies to help tighten up the security of their packages.
New Releases
Debian GNU/Linux 5.0 updated
The Debian project has announced the fourth update of its stable distribution Debian GNU/Linux 5.0 (codename "lenny"). "This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Please note that this update does not constitute a new version of Debian GNU/Linux 5.0 but only updates some of the packages included."
It's here! openSUSE 11.3 Milestone 1
The first openSUSE 11.3 Milestone release is available for testing. "This is the first step toward the next openSUSE release. The most important goal of this first milestone is to test the build interactions between newly added features in openSUSE Factory, also known as "get the snapshot to build". It is in no way feature complete or ready for daily usage. There is no code freeze for any component yet, so many major changes are still to come."
New Owl ISOs, OpenVZ container templates; Debian integrates new passwdqc
Click below for some announcements from the Openwall Project. Fresh ISO images and pre-created OpenVZ container templates of Owl-current for x86 and x86-64 are available. Also Martin F. Krafft adopted the passwdqc Debian package and brought it up to date.
Tiny Core Linux for XO-1 and XO-1.5
A build of Tiny Core Linux for XO-1 and XO-1.5 (based on OLPC build 802 and os108) has been announced. This build is based on the Tiny Core 2.8 microcore variant and uses the OLPC kernel for hardware support.
Ubuntu 8.04.4 LTS released
The Ubuntu team has announced the release of Ubuntu 8.04.4 LTS, the fourth maintenance update to Ubuntu's 8.04 LTS release. "This release includes updated server, desktop, and alternate installation CDs for the i386 and amd64 architectures. Ubuntu 8.04 LTS continues to be maintained through 2011 for desktops and 2013 for servers through online updates, but this is the final maintenance release of 8.04 LTS."
Distribution News
Debian GNU/Linux
Debian policy update (3.8.4.0)
Debian policy 3.8.4.0 has been uploaded. Click below for a list of changes.
Mandriva Linux
Noteworthy Mandriva Cooker changes 18 January - 31 January 2010
Frederik Himpe covers some recent changes in Mandriva development. "Linux kernel 2.6.33 rc6 is now the default kernel in Mandriva Cooker. In this kernel, the anticipatory I/O scheduler has been removed, and there were again various performance improvements to the CFQ I/O scheduler, which is the default already for a long time. There were also different performance improvements to KVM virtualization (such as improved kernel context switching speed and IRQ scaling). There are power saving improvements in the Intel i915 driver (render standby and LVDS downclock, the latter being disabled by default for now), a new driver supporting VMware's paravirtualized SCSI device, better support for ALPS DualPoint touchpad/trackpoint on some Dell laptops, and many other improvements to hardware support."
Mandriva Brazil launches its brand new website
Mandriva has announced the launch of a new website for its Brazilian subsidiary: www.mandriva.com/br. "With www.mandriva.com/br, Brazilians will be able to download Mandriva Linux free solutions, and buy Mandriva Linux products and goodies on the Mandriva Online Store. You will find: videos and detailed features, information on training courses, contributions to Mandriva. Each visitor can create their very own Mandriva account, access Mandriva forums and community resources, as well as our web-support contact details."
Ubuntu family
Jono Bacon: Connecting The Opportunistic Dots
Ubuntu community manager Jono Bacon writes about a software stack that is geared towards "opportunistic developers" on his blog. The stack is based on Python and GNOME, using GTK, GStreamer, Glade, and DesktopCouch. Ubuntu developers have been adding tools like Quickly and Ground Control to integrate it more closely with features like Launchpad, Bazaar, and Personal Package Archives. "We have been seeing a growing movement inside the Ubuntu community in helping to make Ubuntu a rocking platform for opportunistic developers. While all the components are Open Source and can be shipped on any distribution, I am really keen for Ubuntu to really optimize and integrate around the needs of opportunistic programmers and I just wanted to highlight some of the work that has happened here."
International Women's Day stories about Ubuntu and the computing longevity meme
The latest initiative by the Ubuntu Women Project is a contest to collect "How I discovered Ubuntu" stories written by women. The winner will be announced on March 8th, International Women's Day. "One of the goals of this initiative is to try and answer the "How can I get $woman to use Ubuntu?" question that we often get by demonstrating that there is no single answer for it. Women get involved and interested in Ubuntu for all kinds of reasons, and without knowing anything about her there is really no way to know what specific spark will get her interested in involvement. (For what it's worth, a much better question is "$woman is interested in $subject and is tied to Windows for $reason but doesn't like it for $another_reason, she currently uses her computer for $thing0 and $thing1, do you have any suggestions as to how I can try and convert her to Ubuntu?")"
Distribution Newsletters
DistroWatch Weekly, Issue 338
The DistroWatch Weekly for February 1, 2010 is out. "User-friendliness of computer operating systems is something that gets often discussed in open-source software circles. But adding features that are designed to attract more new users isn't always viewed positively in some hard-core geek communities. This week's feature story examines a case of a developer who was met with a hostile reception when he tried to present his easy-to-use live CD to an unforgiving group of OpenBSD hackers. In the news section, Sun Microsystems closes its corporate web site, but what does that mean for some of its popular products? Also in this week's issue, we investigate the idea of converting the ext3 file system to the newer ext4, take a look at Ubuntu's controversial deal with Yahoo, and link to an article that reveals a little-known, but useful Mandriva feature. All this and more in this week's issue of DistroWatch Weekly - happy reading!"
Fedora Weekly News #211
The Fedora Weekly News for January 31, 2010 is out. "Our issue kicks off with a couple development announcements related to the Fedora 13 Feature Freeze last week for Feature and Spin submissions. In news from the Fedora Planet, several posts about opensource.com, coverage of a "State of the Union" from Red Hat's Jim Whitehurst, progress on Máirín Duffy's Inkspace course to a Boston area middle school, coverage of a discussion around Fedora's goals from several Fedora Project leaders, and enthusiasm for Gource, "an amazing program for visualizing commit history in a git-based code project." In Ambassador news, an event report for the Cerea Fair contributed by several people from Italy that drew 20,000, including blog postings and photos. In news from the Design team, details on preparation for Fedora 13 Alpha, with upcoming decisions this week on Fedora 13 wallpaper, and coverage of some ideas for Fedora 13 overall designs. The Security Advisories beat brings us current with last week's Fedora 11 and 12 security patches. We hope you enjoy FWN 211!"
openSUSE Weekly News/108
This issue of the openSUSE Weekly News covers:
- openSUSE News: Wanted: Linux Community Manager
- Sirko Kemter: Art-Team meeting
- Worldlabel.com/Dmitri Popov: OpenOffice.org Extensions for Business Users
- Ben Kevan: Installing KDE 4.4 RC2 on openSUSE and Kubuntu Linux
- LinuxFoundation: Sign Up for the Free Linux Training Webinar Series
Ubuntu Weekly Newsletter #178
The Ubuntu Weekly Newsletter for January 30, 2010 is out. "In this issue we cover: Contribute with Ubuntu One Bug Day, Lucid changes to Firefox default search provider, Announcement: Ubuntu Server update for Lucid Alpha3, Interview With Ubuntu Manual Project Leader Ben Humphrey, Ubuntu Honduras, Back up old sources from PPA's, Improved Bug Patch Notifications, Getting your code into Launchpad, Ubuntu Developer Week Recap, Canonical Voices, Ubuntu Community Learning Project Update, NZ school ditches Microsoft and goes totally open source, Full Circle Magazine #33, and much, much more!"
Newsletters and articles of interest
Martin F. Krafft: DistroSummit 2010
Martin Krafft covers the Distrosummit at linux.conf.au. "The theme of the day was cross-distro collaboration, and we started the day a little bit on the Debian-side with Lucas Nussbaum telling us about quality assurance in Debian, alongside an overview of available resources. We hoped to give people from other distros pointers, and solicit feedback that would enable us to tie quality assurance closer together."
Fedora vs. Ubuntu: Is Either Better? (Datamation)
Bruce Byfield looks at Fedora and Ubuntu. "In the last five years, both Fedora and Ubuntu have attracted large and rapidly growing communities, often governed by codes of conduct and having their own in-person meetings -- FUDCon for Fedora and the Ubuntu Developer Summit for Ubuntu. Members of both are also active in other free and open source software meetings, especially GNOME's GUADEC. In short, Fedora and Ubuntu have evolved surprisingly similar structures. The main difference lies in their goals: Ubuntu aims to provide "an open-source alternative to Windows and Office," and is currently focusing on usability improvements, while Fedora's goal is to create "a Linux-based operating system that showcases the latest in free and open source software.""
Page editor: Rebecca Sobol
Development
Mozilla Weave 1.0 makes the browser experience portable
After two years of development, Mozilla Labs has released Weave 1.0, a Firefox add-on that synchronizes browser data among desktops, laptops and smartphones that are running the open source web browser. This is a perfect solution for users who want to take their bookmarks, history, passwords, filled-in forms, and open tabs with them on multiple devices or for dual-boot environments.
The Weave project is aimed at increasing the user's control over their data and personal information. Users can tap into these possibilities by installing the Weave Sync add-on for Firefox on their desktop, laptop, or mobile phone. Weave Sync 1.0 requires Firefox 3.5 or later or the newly released Firefox Mobile 1.0, also known as Fennec, for Maemo.
By installing the Weave Sync add-on on different devices, users can have their Firefox experience synchronized on all their devices. For example, they can visit several web sites on their Windows desktop at work, go home, open Firefox on their Linux desktop and have everything waiting for them as they left it at work: browsing history, open tabs, bookmarks, the contents of the Awesome Bar, and so on. When they leave the house with their Nokia N900 device to go out for a drink, they have all this in their pocket.
Hands-on
After installing the Weave Sync add-on, Firefox shows the Sync preferences and asks the user to create a Mozilla Weave account (on the first device) or to sign in with a username and password that was previously created (on the other devices). When creating a new account, the user has to choose a username and a password, solve a CAPTCHA (which your author failed miserably at, as always), and then enter a secret passphrase, which must be at least 12 characters long and cannot match the account password.
![[Weave Options]](https://static.lwn.net/images/2010/weave-options-sm.png)
The user then has different options to synchronize the browser's data. The recommended option is to merge the browser's data with data on the Weave server (from devices that already synced with Weave). The other two options are more destructive, but could come in handy in some situations: one replaces all Weave data on the browser with data on the Weave server, and the other replaces all data on devices using the same Weave account with the local data.
The release notes warn of problems with stale data. If a device that has been inactive for a while reconnects to the Weave Server, the server's current data could be overwritten by stale data from that device. As a result, an old password or an older collection of bookmarks might reappear on other devices even though they have been changed. This is one of the circumstances where the user should choose "Start Over" in the preferences and replace the local data of the stale device with data from the Weave server.
After Weave is set up, it shows an icon with the user's account name at the right side of the status bar. A notification will be shown there while the Weave Sync add-on is synchronizing with the Weave Server. In the menu that pops out when clicking on the icon the user has the possibility to disconnect from the server (to stop synchronizing), to trigger a synchronization manually, to read the (very verbose) activity log, or to change the add-on's preferences.
Weave has a preferences pane in the Firefox settings, where users can manage their account and select which types of data they want to synchronize. By default, Weave synchronizes bookmarks, passwords, preferences, history, and tabs, but they can be ticked off individually. The user can also disconnect here and click on "Start Over" to create another account or shift to different one. This makes it possible to use one Weave account for work and another one for personal browsing.
Weave synchronization doesn't happen continuously. The FAQ mentions that, for most users that are synchronizing multiple devices, the Weave Sync add-on connects to the server every hour. If Firefox is heavily used, synchronization happens more frequently. Of course, the user can always trigger synchronization manually. Bookmarks and history items are synchronized in chunks for better performance, but because of this, uploading the complete set could take hours. Favicons for the bookmarks are currently not synchronized to the server.
Weave synchronizes the 25 most recently-used tabs from other synchronized computers and does this in a non-intrusive way. That is, the local tabs are not changed to the synchronized tabs, but the tabs from other computers are shown in the menu "History -> Tabs From Other Computers".
Encryption
The Weave Sync add-on encrypts all user data before uploading it to Mozilla's servers and the secret passphrase the data are encrypted with is only known by the browser and not stored on the server. This means that the server cannot read the contents of the data. For example, the server can't read the bookmarks a user has synchronized, but it can tell how many bookmarks the user has. When the user sets up a new browser to synchronize with his Weave account, the secret passphrase has to be entered again, to decrypt the data stored on the Weave server and give the browser the ability to read it.
The low-level details of the encryption Weave uses can be found on the Mozilla wiki. In short, when a user first signs up for Weave, the Weave Sync add-on generates a random 2048-bit RSA key pair. It then derives a 256-bit AES key from the user's secret passphrase with PBKDF2 (Password-Based Key Derivation Function 2). This symmetric key encrypts the user's private key, and the encrypted private key is uploaded along with the public key to the Weave server; the passphrase itself and the unencrypted private key never leave the browser.
Whenever a particular data engine like Bookmarks or History is to be synchronized, Weave Sync generates a random symmetric key for the engine. That key is encrypted using the user's public key and uploaded to the Weave server. All entries in that engine, such as individual bookmarks, are encrypted with the engine's symmetric key. Because the Weave server only holds the encrypted engine key, only the holder of the private key corresponding to the public key used to wrap it can recover the engine key. The chain is only as strong as the passphrase, though: anyone who obtains the server's copy of the encrypted private key can try passphrases against it offline, and PBKDF2 only slows such guessing down rather than preventing it.
If this all sounds needlessly complex, it is because the Weave developers have a bigger purpose in the pipeline. With this cryptographic scheme in place, it should be possible for Weave users to share items securely. For example, a user that wants to share his bookmarks just has to encrypt the corresponding symmetric key with the public key of the person he wants it to share with. This is even granular to the level of an individual synchronizable item, such as a specific bookmark.
A private Weave server
Concerned users that don't feel comfortable with their data on Mozilla's servers (even though the data are encrypted and the passphrase is never stored on the server) will be happy to hear that there is also a standalone server component, the Weave Server, that can be installed on their own private server. By default, the Weave Sync extension synchronizes with Mozilla's server, but users can point the client at their own server by selecting "Use a custom server" in the Weave preferences and entering the URI of their own Weave server.
The Mozilla wiki has some documentation about the Server APIs and some instructions to set up the synchronization and user registration parts of the server. Because the Weave Server uses standard HTTP authentication, it should be set up over HTTPS to prevent the password from being sent in the clear. Moreover, the server should have Apache, PHP with PDO, UTF-8, and JSON support installed, and it should have MySQL available for storage.
Setting up a Weave server is not rocket science, but it's a fairly laborious task and can break in a lot of ways. It's also overkill for users that want to have synchronization for themselves or their household. Therefore, the developers have made available a Weave Minimal Server which they recommend over a full install. It requires just one alias line in the Apache configuration and sets up a SQLite database. Creating and deleting users is done manually on the server by a PHP script.
If even this is too difficult, Felix Hummel has written an almost foolproof installation script for the minimal Weave server. Your author tested this by setting up an Apache server on his home network, downloading Hummel's script and changing some variables there. After running the installation script, it shows the steps to configure the Weave client to work with this Weave server. One important thing to remember here is that the user first has to visit the URI of the private Weave server in the browser to accept its SSL certificate (necessary whenever the certificate is not signed by a CA the browser already trusts, a self-signed one for instance), before entering the custom server URI in the Weave Sync preferences. Since that exception is what the client will trust from then on, it is worth comparing the certificate's fingerprint with the one on the server before accepting it. After this, working with a private Weave server is exactly the same as working with Mozilla's Weave server, except that creating users doesn't work from the Weave Sync preferences but requires running a command-line script on the server.
Protect your passwords
But even when users install their own private Weave server, the mere user-friendliness of the synchronization of passwords with Weave poses a risk. As Michael Froomkin mentions on his blog:
And this risk is real, Froomkin adds:
This is of course not a problem specific to Weave, but a more general issue with hibernating laptops: the concerned user should encrypt the laptop's hard drive and power it off, rather than hibernate it, before leaving it unattended. One tip, however, reduces the risk substantially: set a master password in Firefox and shut Firefox down before hibernating or leaving the computer alone. After setting a master password and restarting Firefox, the user is asked for it the first time he visits a page with a saved password, and only once per session after that. The saved passwords are thus unusable by anyone who does not know the master password. Note that the master password protects only the stored passwords; it does nothing for web sites that are already logged in in open tabs, which is another reason to shut Firefox down rather than leave it running.
Mozilla Weave taps into the master password feature to protect the synchronization of the user's data: if Firefox is configured with a master password, Weave Sync stays disconnected until the user enters the master password for another site or chooses to connect to the Weave server manually (after which the master password is asked for). But one warning: the master password itself is not synced, so to protect the passwords on all computers that are synchronized with Weave, they each have to be protected by a master password.
More synchronization in the pipeline
The current incarnation of the Weave Sync add-on is just a first step in a bigger vision. In the long run, the Weave project aims to integrate all kinds of other services more closely with the browser. For example, the roadmap mentions that Weave Sync 1.2 should bring synchronization of installed add-ons and search engines. And some of the ideas for the more distant future are syncing Jetpacks and preferences.
The Weave wiki also publishes a Client API, which can be used to write 'sync engines' to synchronize new data types. This can be anything that the extension JavaScript code has access to through any Mozilla API. To add synchronization of a new data type, the programmer writes an engine class and some helper classes and registers them with Weave. One of the helper classes called CryptoWrapper handles all the encryption and decryption of the new data type. It's also possible to add a check-box to the Weave preferences screen to let the user turn the engine on and off.
Conclusion
Mozilla Weave is a very user-friendly way to synchronize the user's browser experience between different computers running Firefox. The API is set up in such a way that other browser add-on writers can add support for their own data types to Weave, and the security architecture hints at a future that allows granular sharing of data between users. A less visible, but in your author's opinion nonetheless important, feature is that the Weave server code is also available and can be set up on a private web server. In the spirit of the open web, this is an example that should be followed by other services that handle users' private data.
System Applications
Database Software
MySQL Community Server 5.0.90 released
Version 5.0.90 of MySQL Community Server has been announced. "Please note that the active maintenance of 5.0 has ended, and this version is mostly provided because of the fix to security bug#50227 as described below."
MySQL Community Server 5.1.43 released
Version 5.1.43 of MySQL Community Server has been announced. "MySQL 5.1.43 is recommended for use on production systems. For an overview of what's new in MySQL 5.1, please see http://dev.mysql.com/doc/refman/5.1/en/mysql-nutshell.html".
PostgreSQL Weekly News
The January 31, 2010 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.
Embedded Systems
BusyBox 1.16.0 released
Version 1.16.0 of BusyBox, a collection of command line utilities for embedded systems, has been announced. This version adds several new applets and includes a long list of bug fixes.
CE Linux Forum Newsletter
The January, 2010 edition of the CE Linux Forum Newsletter is out with the latest news from the embedded Linux software development community. Topics include: 2009 CELF Annual Report, CELF Soliciting Bids for 2010 Contract Work and 2010 Japan Technical Jamboree Schedule.
Filesystem Utilities
Tahoe 1.6 released
Version 1.6 of the Tahoe cloud storage system has been announced. "Tahoe-LAFS v1.6.0 is the successor to v1.5.0, which was released August 1, 2009. This release includes major performance improvements, usability improvements, and one major new feature: deep-immutable directories (cryptographically unalterable permanent snapshots)."
Telecom
Symbian source released
The Symbian Foundation has announced that the source code release for Symbian is now complete. "All 108 packages containing the source code of the Symbian platform can now be downloaded from Symbian's developer web site (tiny.symbian.org/open), under the terms of the Eclipse Public License and other open source licenses. Also available for download are the complete development kits for creating applications (the Symbian Developer Kit) and mobile devices (the Product Development Kit)." See developer.symbian.org for more information.
Web Site Development
Apache HTTP server 1.3.42 released
Version 1.3.42 of the Apache server is out. It contains a security fix, but the real news is this: "Apache 1.3.42 is the final stable release of the Apache 1.3 family. We strongly recommend that users of all earlier versions, including 1.3 family releases, upgrade to the current 2.2 version as soon as possible."
Miscellaneous
flashrom 0.9.1 is out
Version 0.9.1 of flashrom has been announced. "flashrom is a utility for reading, writing, erasing and verifying flash ROM chips on mainboards, SATA/network controller cards and external programmers. flashrom is often used to flash BIOS/EFI/coreboot/firmware images because it allows you to update your BIOS/EFI/coreboot/firmware without opening the computer and without any special boot procedures. After nine years of development and constant improvement, we have added support for every BIOS flash ROM technology present on x86 mainboards and every flash ROM chip we ever saw in the wild."
Desktop Applications
Accessibility
Mozilla Sponsors GNOME Accessibility Efforts
The GNOME foundation has announced that Mozilla has granted the project $10,000 for 2010 to work on accessibility. "'The direct impact of the Mozilla funding has allowed GNOME to add Accessible Rich Internet Applications (ARIA) support to the Orca screen reader and other accessibility enhancements in GNOME,' said Willie Walker, lead of the GNOME Accessibility Team. 'All these helped make GNOME/Firefox a compelling free alternative to commercial products for the visually impaired. As a result, we're seeing users around the world using GNOME as their every day solution.'"
Audio Applications
Non DAW and Non Mixer 1.0.0 released
Version 1.0.0 of Non DAW and Non Mixer has been announced. "I'm pleased to announce the release of Non-DAW and Non-Mixer version 1.0.0. Some version numbers have been skipped, as a lot of time has gone by without an official release. Those who have followed Non-DAW via git will only notice a few changes, most of them pushed very recently. The chief advancement provided by this release is the long overdue inclusion of the Non-Mixer."
Desktop Environments
GNOME 2.29.6 released
Version 2.29.6 of the GNOME desktop environment has been announced. "Here is the second GNOME release for year 2010 and sixth development release towards our 2.30 release that will happen in March; we are quickly getting there! Your mission, it never changes: Go download it. Go compile it. Go test it. And go hack on it, document it, translate it, fix it. And come to FOSDEM! There will be both a booth and a developer room for GNOME, and tons of hackers to hug."
GNOME Software Announcements
The following new GNOME software has been announced this week:
- Almanah Diary 0.7.2 (new features and translation work)
- Epiphany Extensions 2.29.6 (new features, bug fixes and translation work)
- GNOME Color Manager 2.29.3 (new features, bug fixes and translation work)
- gnome-mag 0.16.0 (new features and translation work)
- GNOME PackageKit 2.29.3 (new features, bug fixes and translation work)
- GNOME Power Manager 2.29.2 (new features, bug fixes and translation work)
- gscan2pdf 0.9.30 (new features, bug fixes and translation work)
- gtranslator 1.9.7 (new features, bug fixes and translation work)
- Java ATK Wrapper 0.28.2 (new feature)
- Java ATK Wrapper 0.29.3 (new feature)
- tracker 0.7.18 (new features, bug fixes and translation work)
- libchamplain 0.4.4 (bug fixes and performance improvements)
KDE SC 4.4 RC3
Version 4.4 RC3 of the KDE software compilation is out. "Today KDE has issued another release candidate for the 4.4.0 release (planned 9th February)".
KDE Software Announcements
The following new KDE software has been announced this week:
- digiKam 1.1.0 (bug fixes)
- EMoC 0.90 (unspecified)
- Kipi-plugins 1.1.0 (new features and bug fixes)
- Nepomuk Virtuoso Converter 1.0 (initial release)
- tunedrill 0.35 (unspecified)
Xorg Software Announcements
The following new Xorg software has been announced this week:
- libvdpau 0.4 (new features, bug fixes and documentation work)
- xf86-video-geode 2.11.7 (bug fixes, code cleanup and documentation work)
- xmessage 1.0.3 (bug fixes)
Mail Clients
Claws Mail 3.7.5 released
Version 3.7.5 of Claws Mail has been announced. "This is a bug-fix release, there is a claws-mail-extra-plugins 3.7.5 release but it is simply a repackaged claws-mail-extra-plugins 3.7.4 with no changes. Therefore, you can use the claws-mail-extra-plugins 3.7.4 release with this, but please remember that you will have to rebuild the plugins after installing this version."
Sylpheed 3.0 beta 7 (development) released
Development version 3.0 beta 7 of the Sylpheed mail client has been announced, it includes new features and bug fixes.
Music Applications
Aqualung 0.9 beta 11 released
Version 0.9 beta 11 of Aqualung has been announced. "It is my pleasure to announce the latest release of Aqualung, an advanced, cross-platform, gapless music player. This release adds some features and many bugfixes - all users are encouraged to upgrade."
KMid2 0.2.0 released
Version 0.2.0 of KMid2 has been announced, it includes several new capabilities. "KMid2 is a MIDI/Karaoke player for KDE4. It runs in Linux, using the ALSA Sequencer. KMid2 plays to hardware MIDI devices or software synthesizers. It supports playlists, MIDI mapper, tempo (speed), volume and pitch (transpose) controls and configurable character encoding, font and color for lyrics."
Lashstudio release 4 is out
Release 4 of Lashstudio has been announced. "This new release adds two more applications to the usual lash-centred suite, they are: dino sequencer and specimen sampler. Lashstudio is a quick and dirty, LASH centered, suite of applications. It is packed as a squashfs module for Puppy Linux."
Linux Audio Plugin Update (Linux Journal)
Dave Phillips covers the state of Linux audio plugins in a Linux Journal article. "Audio processing and synthesis plugins are always a lively topic for musicians. Many contemporary music-makers rely completely upon their plugin collection for all their sound sources and processing routines, and it is not at all uncommon to discover that some of these composers have never learned to play a traditional instrument. However you feel about audio plugins they are a fact of life in modern music production. In the Win/Mac worlds the VST standard rules, thanks to the Steinberg Company's liberal policy regarding the use of their VST SDK (systems development kit), but the VST flag is not the only one waving over those worlds."
Minicomputer 1.4 released
Version 1.4 of Minicomputer has been announced. "Just released version 1.4 of the software synthesizer Minicomputer for Linux. It's mainly a bugfix release: - fix: names of patches and multis were displayed wrong, only the last letters which are usually blanks - fix: change so that it can now be compiled without being in C99 mode - new: using alsaseq eventfilter to receive only events that are processed".
Office Applications
Leo 4.7 b3 released
Version 4.7 b3 of Leo has been announced. "Leo 4.7 beta 3 fixes all known serious bugs in Leo. Leo is a text editor, data organizer, project manager and much more."
Web Browsers
Mozilla releases first mobile Firefox browser (CNET)
CNET looks at Mozilla's release of Firefox 1.0 for Maemo (aka "Fennec"). "Firefox for the Maemo 5 platform has a few interesting conceits that set it apart from other mobile browsers, like Opera Mobile and Opera Mini. Mozilla is banking on the uniqueness of its claim to fame—third-party, customizable browser extensions—to help its browser win mobile market share. Add-ons, after all, helped make Firefox the top browser alternative to Internet Explorer in the desktop space."
Languages and Tools
Caml
Caml Weekly News
The February 2, 2010 edition of the Caml Weekly News is out with new articles about the Caml language.
PHP
Facebook's "HipHop" PHP translator
Facebook has announced the release of its "HipHop" tool under the PHP license. "HipHop for PHP isn't technically a compiler itself. Rather it is a source code transformer. HipHop programmatically transforms your PHP source code into highly optimized C++ and then uses g++ to compile it. HipHop executes the source code in a semantically equivalent manner and sacrifices some rarely used features - such as eval() - in exchange for improved performance. HipHop includes a code transformer, a reimplementation of PHP's runtime system, and a rewrite of many common PHP Extensions to take advantage of these performance optimizations." These optimizations are said to double the speed of PHP code.
Python
acora 1.1 - 'fgrep' for Python
Version 1.1 of acora has been announced. "Acora is 'fgrep' for Python, a fast multi-keyword text search engine. Based on a set of keywords, it generates a search automaton (DFA) and runs it over string input, either unicode or bytes. It is based on the Aho-Corasick algorithm and an NFA-to-DFA powerset construction. Acora comes with both a pure Python implementation and a fast binary module written in Cython."
blist 1.1.1 released
Version 1.1.1 of blist has been announced; some new capabilities have been added. "The blist is a drop-in replacement for the Python list that provides better performance when modifying large lists. Python's built-in list is a dynamically-sized array; to insert or remove an item from the beginning or middle of the list, it has to move most of the list in memory, i.e., O(n) operations. The blist uses a flexible, hybrid array/tree structure and only needs to move a small portion of items in memory, specifically using O(log n) operations."
circuits 1.2.1 released
Version 1.2.1 of circuits has been announced. "This is a minor bug fix release. circuits is a Lightweight Event driven Framework for the Python Programming Language, with a strong Component Architecture. circuits also includes a lightweight, high performance and scalable HTTP/WSGI web server (with some similar features to CherryPy) as well as various I/O and Networking components."
Cython 0.12.1 released
Version 0.12.1 of Cython has been announced, it includes new features and bug fixes. "Cython is a language that makes writing C extensions for the Python language as easy as Python itself. Cython is based on the well-known Pyrex, but supports more cutting edge functionality and optimizations."
GMPY 1.11 released
Version 1.11 of GMPY has been announced. "GMPY is a wrapper for the MPIR or GMP multiple-precision arithmetic library. In addition to support for Python 3.x, there are several new features in this release..."
The Python: Rag February issue
The February, 2010 edition of the Python:Rag is available. "The Python: Rag is a monthly newsletter covering any aspect of the Python programming language."
Python-URL! - weekly Python news and links
The February 3, 2010 edition of the Python-URL! is online with a new collection of Python article links.
Shells
Scripy released
The initial release of Scripy, a Pythonic shell-scripting solution, has been announced. "Any administrator without great knowledge about programming can build basic scripts quickly after reading the tutorial. Its syntax is like pseudo-code, so it's very easy to code. The basic errors -- such as syntax errors and exceptions -- help to debug, together with the error logging system implemented in the logging module. In addition, Python comes with an extensive standard library of useful modules which will help to speed up the development of scripts, and if you need some other module it can be searched for in the PyPi repository."
Tcl/Tk
Tcl-URL! - weekly Tcl news and links
The January 29, 2010 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.
Cross Compilers
Arduino 0018 released
Version 0018 of Arduino, an open-source development system for Atmel AVR microcontrollers, is available. See the release notes for more information.
Libraries
libfishsound 1.0.0 released
Version 1.0.0 of libfishsound has been announced. "libfishsound provides a simple programming interface for decoding and encoding audio data using Xiph.org codecs (FLAC, Speex and Vorbis)... This is a stable maintenance release including the result of security review and bug fixes included in the Mozilla Firefox 3.5 release."
Test Suites
PyModel 0.8 released
Version 0.8 of PyModel has been announced. "PyModel is an open-source model-based testing framework in Python. Code, documents, and downloads are available".
Version Control
Mercurial 1.4.3 released
Version 1.4.3 of the Mercurial source code management system has been announced. "This is a scheduled bugfix release. Full details here: http://mercurial.selenic.com/wiki/WhatsNew".
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
Missing Internet Pioneer Phil Agre found alive (NPR)
NPR reports that Phil Agre has been located, or at least temporarily contacted. "Well, apparently the search is over. The UCLA police department has updated their missing persons bulletin for Agre with the following news: "Philip Agre was located by LA County Sheriff's Department on January 16, 2010 and is in good health and is self sufficient." This rather terse statement doesn't go into any further detail, so it doesn't shed any more light on what Agre has been doing in recent months, except confirming that Agre had indeed gone off the grid rather than being harmed." (Thanks to Jay R. Ashworth).
iPad is iBad for Freedom (GNU/FSF Press)
The GNU/FSF Press has issued a statement regarding the Apple iPad. "As Steve Jobs and Apple prepared to announce their new tablet device, activists opposed to Digital Restrictions Management (DRM) from the group Defective by Design were on hand to draw the media's attention to the increasing restrictions that Apple is placing on general purpose computers. The group set up "Apple Restriction Zones" along the approaches to the Yerba Buena Center for the Arts in San Francisco, informing journalists of the rights they would have to give up to Apple before proceeding inside."
Commercial announcements
ATI releases ATI Catalyst 10.1 drivers with Ubuntu 9.10 support (Maximumpc)
Maximumpc reports that ATI has released new Catalyst 10.1 drivers for their Radeon video cards. "There are a bunch of bug fixes, many of them Windows 7 specific, and all of which you can read in the release notes. But the big news for Linux fans is the introduction of production support for Ubuntu 9.10, otherwise known as Karmic Koala. Available for both x86 and x86_64 distros, the latest Catalyst package resolves a bunch of open-source issues..."
Oracle will boost MySQL, release Cloud Office suite (Computerworld)
Computerworld covers Oracle's plans following the Sun acquisition. "Oracle Corp. today promised to aggressively push its newly acquired MySQL open-source database, rather than kill it. Oracle also plans to continue to invest in and maintain the independence of OpenOffice.org, the longtime Microsoft Office challenger from Sun Microsystems Inc., but it will also launch a separate cloud productivity suite that's similar to Google Docs, according to Chief Corporate Architect Edward Screven."
Sun Deal Complete, Oracle Says 'We're Hiring' (Datamation)
Datamation reports on Oracle CEO Larry Ellison's plans for Sun. ""The truth is, we're hiring two thousand people over the next few months to beef up the Sun sales and engineering base. That's twice as many as we're letting go," [Ellison] added. Staffers in the lobby, Sun and Oracle alike, wore red buttons that said "We're hiring!""
Articles of interest
When is it worth saying it's Linux? (The H)
The H takes a look at the proliferation of Linux based devices. "Take Google's Android; at its core, yes, there is a Linux kernel and a whole host of other familiar bits of software. But if you are a developer, you don't get to see any of that because on top of the Linux kernel is the Dalvik virtual machine and Android's own set of APIs for accessing the underlying device. Even if the developer makes use of the Android native development kit (NDK), they are still relatively boxed in and the NDK only works in conjunction with a Dalvik based application. So is Android a Linux device or is it a different operating system with a Linux kernel?"
Legal Announcements
For the Love of Culture (The New Republic)
Here is a lengthy article by Lawrence Lessig in the New Republic. It's mostly concerned with copyright as it relates to books and films, but it's not hard to see implications for free software as well. "And this requires progress in how we think about copyright. It requires giving up the idea that the elements in a compiled work--the music in a film, for example--have a continuing power to block access to, or distribution of, that work. Once a work is made, rather, we need to recognize that it has its own claim within our culture. And so long as the necessary permissions to make the work were secured originally, then at some point in the future (again, say fourteen years after its creation), the parts lose the power to control the whole."
FSF files new objection to amended Google Book Search settlement
The Free Software Foundation has announced the filing of a new objection to the amended Google Book Search settlement. "The objection notes that proposed amendments which discuss works under free licenses unfairly burden their authors with ensuring license compliance, and urges the court to reject the proposed settlement unless it incorporates terms that better address the needs of authors using free licenses like the GNU Free Documentation License (GFDL)."
The FSF objects (again) to the Google book settlement
Here's a release from the Free Software Foundation detailing more objections to the proposed Google book search settlement. Essentially, they see it as a way for Google to bypass the requirements of the Free Documentation License. "But under the proposed amended settlement, Google would generally have permission to display and distribute these works without abiding by the requirements to pass the freedoms guaranteed under the GFDL on to Google Books readers. Authors who wanted to use the GFDL or another free license would be required to designate that license in a Registry -- and the Registry would determine which licenses could and could not be chosen."
The International Free and Open Source Software Law Review
The publication of the second edition of the International Free and Open Source Software Law Review has been announced. "Volume 1, Issue 2 of the Review includes articles such as: Open Source Policies and Processes For In-Bound Software, by Karen F. Copenhaver; Corporate Governance and Open Source, by Richard Kemp; The Paris Court of Appeals GPL case, by Martin von Willebrand; Trademarks in Open Source, by Tiki Dare and Harvey Anderson; Standards, Competition and IP in Open Source, by Susanna Shepherd; Back to the Future: IP and property rights, by Iain G. Mitchell Q.C."
Kuhn: I Think I Just Got Patented
Bradley Kuhn grumbles about Black Duck Software's recently-announced patent on the process of finding license incompatibilities. "Indeed, the process described is so simple-minded, that it's a waste of time in my view to spend time writing a software system to do it. With a few one-off 10-line Perl programs and a few greps, I've had a computer assist me with processes like this one many times since the late 1990s." Here's the full patent for the curious.
New Books
Domain-Driven Design Using Naked Objects--New from Pragmatic Bookshelf
Pragmatic Bookshelf has published the book Domain-Driven Design Using Naked Objects by Dan Haywood.
Search Patterns--New from O'Reilly
O'Reilly has published the book Search Patterns by Peter Morville and Jeffery Callender.
Resources
Greg Kroah-Hartman: Android and the Linux kernel community
Kernel hacker Greg Kroah-Hartman looks at the problems with Android's kernel modifications, which aren't in the mainline—nor headed that way. He does hold out hope that the situation will eventually change, as well as offering his help to get there. "Now branches in the Linux kernel source tree are fine and they happen with every distro release. But this is much worse. Because Google doesn't have their code merged into the mainline, these companies creating drivers and platform code are locked out from ever contributing it back to the kernel community. The kernel community has for years been telling these companies to get their code merged, so that they can take advantage of the security fixes, and handle the rapid API churn automatically. And these companies have listened, as is shown by the larger number of companies contributing to the kernel every release. [...] But now they are stuck. Companies with Android-specific platform and drivers can not contribute upstream, which causes these companies a much larger maintenance and development cycle."
Linux Foundation: mobile Linux needs "magic" to beat Apple (Ars Technica)
Ars Technica uses a blog posting from Linux Foundation executive director Jim Zemlin as a jumping off point to look at mobile Linux vs. Apple's iPhone and iPad. "'It has been impossible for an independent open source developer such as Funambol to access certain basic parts of iPhone (such as the calendar, and presumably this is the same on iPad) whereas on Android, there are no similar limitations,' he [Hal Steger, the VP of marketing at Funambol] told us in an e-mail. He thinks that Apple needs to reach out to open source software developers and loosen its restrictions on the iPhone software platform."
Linux Gazette #171 is out
The February 1, 2010 edition of the Linux Gazette has been published. Topics include: "* Mailbag * Talkback * 2-Cent Tips * News Bytes, by Deividson Luiz Okopnik and Howard Dyckoff * Taming Technology: The Case of the Vanishing Problem, by Henry Grebler Case Studies in Problem Solving * Random signatures with Mutt, by Kumar Appaiah * The Next Generation of Linux Games - Word War VI, by Dafydd Crosby * The Gentle Art of Firefox Tuning (and Taming), by Rick Moen * Words, Words, Words, by Rick Moen * Bidirectionally Testing Network Connections, by René Pfeiffer * Sharing a keyboard and mouse with Synergy (Second Edition), by Anderson Silva and Steve 'Ashcrow' Milner * HelpDex, by Shane Collinge * XKCD, by Randall Munroe * Doomed to Obscurity, by Pete Trbovich * Reader Feedback, by Kat Tanaka Okopnik and Ben Okopnik".
Interviews
Canonical copyright assignment policy 'same as others' (ITWire)
ITWire talks with Mark Shuttleworth about copyright assignment policies. "The most common complaint I've heard is 'why can't a company accept my patches to them under the same licence that they give me the original code?' But that suggests that the two contributions are equal, when they really are not. One party contributes a whole working system, with a commitment to continue to do maintenance on it, the other contributes a patch which is (generally) of no value without the rest of the codebase."
The final FOSDEM speaker interviews
The last set of FOSDEM speaker interviews has been posted; the subjects this time are Andrew Tanenbaum, Benoît Chesneau, Lindsay Holmwood, and Elena Reshetova, speaking on Maemo 6 security. "The main advantage of our security framework architecture is that we don't have any special 'security APIs' by default. For example, there is no secure_fopen() instead of fopen(), which should make the developer's life much easier. The only main change for most applications will be the creation of an additional file inside a Debian package, which we call the 'Aegis Manifest File'. This file declares the needed access control rights for the application, and it will be explained in more details in the presentation."
Education and Certification
Materials from the Free Technology Academy
The Free Technology Academy, a "virtual university" with support from the European Commission, has announced that it has made a set of free-software-related educational materials available under the CC ShareAlike and GNU FDL licenses. Available books include The concepts of free software and open standards (291 pages) and GNU/Linux advanced administration (545 pages). Both books are available in English, Spanish and Catalan.
Calls for Presentations
Akademy 2010 Call for Papers is out
A Call for Papers has gone out for Akademy 2010; submissions are due by April 23. "Akademy is the annual conference of the KDE community and open to all who share an interest in the KDE community and its goals. This conference brings together artists, designers, programmers, translators, users, writers and other contributors to celebrate the achievements of the past year and helps define the vision for the next year. In its 7th year, we invite all contributors and users to participate in Akademy in Tampere, Finland from July 3 to 10 2010."
LAC2010: Paper deadline coming closer
The Linux Audio Conference 2010 paper submission deadline is coming soon. "Dear all, the deadline for submission of papers for the Linux Audio Conference 2010 is coming closer (February 14th, 2010), and (like last year) the amount of submissions so far is... quite small. However, without papers and presentations this kind of conference cannot exist."
Linux Foundation Collaboration Summit cfp and registration
A call for participation has gone out for the Linux Foundation Collaboration Summit; submissions are due by February 19. "The Linux Foundation is pleased to announce the opening of registration and call for papers for the 4th Annual Collaboration Summit which will take place April 14-16, 2010 in San Francisco."
Upcoming Events
10th edition of FOSDEM this weekend
The 10th Free and Open Source Developer Meeting takes place on February 6 and 7. "On February 6 and 7, over five thousand Free and Open Source developers gather at the Université Libre de Bruxelles, campus Solbosch, for the tenth annual FOSDEM conference. Keynote speakers this year include Brooks Davis (FreeBSD committer), Richard Clayton (Cambridge university security expert) and Greg Kroah-Hartman (Linux kernel maintainer)."
GUADEC 2010 call for volunteers
A call for volunteers has gone out for GUADEC 2010. "GUADEC 2010, the eleventh edition, will be in The Hague, The Netherlands and takes place on July 24 - July 30. The organisation team calls you to arms! A community conference like GUADEC only happens when the community puts its weight behind it. This is your chance to be part of this event. Whether you are a conference rookie or a seasoned GUADEC veteran, your help is much appreciated."
Panama MiniDebConf 2010
The Panamá MiniDebConf has been announced. "I'm pleased to announce that we will be arranging a MiniDebConf starting on 19/Mar/2010 ending on 21/Mar/2010 on Panamá City. This event is organized by Software Libre Centroamerica, a group of Free Software Enthusiasts and a strong Panamá local community".
Events: February 11, 2010 to April 12, 2010
The following event listing is taken from the LWN.net Calendar.
Date(s) | Event | Location |
---|---|---|
February 11 - February 13 | Bay Area Haskell Hackathon | Mountain View, USA |
February 15 - February 18 | ARES 2010 Conference | Krakow, Poland |
February 17 - February 25 | PyCon 2010 | Atlanta, GA, USA |
February 19 - February 21 | SCALE 8x - 2010 Southern California Linux Expo | Los Angeles, USA |
February 19 - February 20 | GNUnify | Pune, India |
February 20 - February 21 | FOSSTER '10 | Amritapuri, India |
February 22 - February 24 | O'Reilly Tools of Change for Publishing | New York, NY, USA |
February 27 - February 28 | The Debian/GNOME bug weekend | Online, Internet |
March 1 - March 5 | Global Ignite week | Online, Online |
March 2 - March 4 | djangoski | Whistler, Canada |
March 2 - March 5 | FOSSGIS 2010 | Osnabrück, Germany |
March 2 - March 6 | CeBIT Open Source | Hannover, Germany |
March 5 - March 6 | Open Source Days 2010 | Copenhagen, Denmark |
March 7 - March 10 | Bossa Conference 2010 | Recife, Brazil |
March 13 - March 19 | DebCamp in Thailand | Khon Kaen, Thailand |
March 15 - March 18 | Cloud Connect 2010 | Santa Clara, CA, USA |
March 16 - March 18 | Salon Linux 2010 | Paris, France |
March 17 - March 18 | Commons, Users, Service Providers | Hannover, Germany |
March 19 - March 21 | Panama MiniDebConf 2010 | Panama City, Panama |
March 19 - March 21 | Libre Planet 2010 | Cambridge, MA, USA |
March 19 - March 20 | Flourish 2010 Open Source Conference | Chicago, IL, USA |
March 22 - March 26 | CanSecWest Vancouver 2010 | Vancouver, BC, Canada |
March 22 | OpenClinica Global Conference 2010 | Bethesda, MD, USA |
March 23 - March 25 | UKUUG Spring 2010 Conference | Manchester, UK |
March 25 - March 28 | PostgreSQL Conference East 2010 | Philadelphia, PA, USA |
March 26 - March 28 | Ubuntu Global Jam | Online, World |
March 30 - April 1 | Where 2.0 Conference | San Jose, CA, USA |
April 9 - April 11 | Spanish DebConf | Coruña, Spain |
April 10 | Texas Linux Fest | Austin, TX, USA |
If your event does not appear here, please tell us about it.
Page editor: Forrest Cook