PyPy: the other new compiler project

We have recently seen a lot of attention paid to projects like LLVM. Even though the GNU Compiler Collection is developing at a rapid pace, there are people in the community who are interested in seeing different approaches taken, preferably with a newer code base. LLVM is not where all the action is, though. For the last few years (since 2003, actually), a relatively stealthy project called PyPy has been trying to shake up the compiler landscape in its own way.

On the face of it, PyPy looks like an academic experiment: it is an implementation of the Python 2.5 interpreter which is, itself, written in Python. One might thus expect it to be more elegant in its code than the standard, C-implemented interpreter (usually called CPython), but rather slower in its execution. If one runs PyPy under CPython, the result is indeed somewhat slow, but that is not how things are meant to be done. When running in its native mode, PyPy can be surprising.

PyPy is actually written in a subset of Python called RPython ("restricted Python"). Many of the features and data types of Python are available, but there are rules. Variables are restricted to data of one type. Only built-in types can be used in for loops. There is no creation of classes or functions at run time, and the generator feature is not supported. And so on. The result is a version of the language which, while still clearly Python, looks a bit more like C.

Running the RPython-based interpreter in CPython is supported; it is fully functional, if a bit slow. Running in this mode can be good for debugging. But the production version of PyPy is created in a rather different way: the PyPy hackers have created a multi-step compiler which is able to translate an RPython program into a lower-level language. That language might be C, in which case the result can be compiled and linked in the usual way. But the target language is not fixed; the translator is able to output code for the .NET or Java virtual machines as well. That means that the PyPy interpreter can be easily targeted to whatever runtime environment works best.

The result works. It currently implements all of the features of Python 2.5, with very few exceptions. There are some behavioral differences due to, for example, the use of a different garbage-collection algorithm; PyPy can be slower to call destructors than CPython is. Python extensions written in C can be used, though one gets the sense that this feature is still stabilizing. PyPy is able to run complex applications like Django and Twisted. On the other hand, for now, it only runs on 32-bit x86 systems, it is described as "memory-hungry," and Python 3 support seems to be a relatively distant goal.

Beyond that, it's fast. PyPy includes a built-in just-in-time compiler (JIT); it is, in a sense, a platform for the creation of JITs for various targets. The result is an interpreter which, much of the time, is significantly faster than CPython. For the curious, the PyPy Speed Center contains lots of benchmark results, presented in a slick, JavaScript-heavy interface. PyPy does not always beat CPython, but it often does so convincingly, and speed appears to be a top priority for the PyPy developers. It may well be that the speed of PyPy may eventually prove compelling enough that, as Alex Gaynor suggests, many of us will be using PyPy routinely instead of CPython in the near future.

There are some other interesting features as well. There is a stackless Python mode which supports microthreaded, highly-concurrent applications. There is a sandboxed mode which intercepts all external library calls and hands them over to a separate policy daemon for authorization. And so on.

What really catches your editor's eye, though, is the concept of PyPy as a generalized compiler for the creation of JITs for high-level languages. The translation process is flexible, to the point that it can easily accommodate stackless mode, interesting optimizations, or experimentation with different language features. The object model can be (and has been) tweaked to support tainting and tracing features. And the system as a whole is not limited to the creation of JIT compilers for Python; projects are underway to implement a number of other languages, including Prolog, Smalltalk, and JavaScript.

It could easily be argued that PyPy incorporates much of the sort of innovation which many people have said never happens with free software. And it is all quite well documented. This is a project which is not afraid of ambitious goals, and which appears to be able to achieve those goals; it will be interesting to watch over the next few years.

Comments (26 posted)

Looking forward to GnuCash 2.4

Long-time LWN readers will be aware that your editor has, for some time, been looking for a free accounting system which would handle the needs of a small business like, well, LWN. So it is with some interest that your editor has followed the progress of the GnuCash 2.3 development series. GnuCash is currently in the "string freeze" stage: development is seen as being close enough to done that no more changes to any visible text are allowed. So perhaps it's time to look at what the GnuCash developers have done this time around.

The actual list of new features is surprisingly short; much of the work in this development cycle has been aimed at internal improvements. Near the top of the list is the ability to use WebKit to render graphs along with GtkHTML. Your editor will confess that he has not tested out this feature; HTML rendering is a tiny part of what GnuCash does, so the availability of an alternative rendering engine is not particularly exciting.

The other headline feature is more interesting, though: the GnuCash developers have added a database backend which is capable of interfacing with Sqlite, MySQL, or PostgreSQL. The XML-based native file format is adequate for personal finance uses (though it is quite bulky), but it does not scale well to the numbers of transactions seen in a typical business setting, and it is not well suited to a multi-user, integrated workflow. GnuCash had a database backend in the 1.6 days, but it was never well supported and it did not work with the GnuCash business features. The database backend in 2.4 has been redone from the beginning, and it supports all of the program's capabilities.

Those wanting to use this feature need to be prepared for a bit of a rough start, though; the related documentation is, one might say, sparse. Actually, this documentation does not exist at all. What your editor figured out is this: users should create an empty database (default name is "gnucash") to hold the accounts. The relevant libdbi drivers must be installed on the system. Then, opening GnuCash and selecting "save to" will yield a dialog with a pulldown at the top; the default value in that pulldown will be "XML". If GnuCash sees any database drivers, the associated databases will show up as options on that menu; selecting "postgres" will allow the accounts to be saved into the selected PostgreSQL database.

A couple of related notes: GnuCash looks in /usr/lib/dbd for the database drivers. Fedora x86-64 puts them in /usr/lib64/dbd. The result is that GnuCash behaves as if the database option simply did not exist. Your editor retains a longstanding grudge against whoever came up with the /usr/lib64 idea; it seems to break every application which it comes into contact with at least once. The other thing to bear in mind is this: if you give GnuCash a password for access to the database, it will store that password - in plain text - in your .gconf directory.

The database-backed mode looks and works almost identically to the file-backed mode. The biggest visible difference is probably the lack of a "save" button; when working with a database, all changes are committed immediately. The program will also populate the working directory with files named like translog.20100517132703.log. Leaving log files lying around is a habit GnuCash has had for a long time, but, in the absence of an accounts file, GnuCash has to improvise when it comes to the naming and location of the log files.

Working from a database should offer some performance advantages when doing searches through large accounts, but that's not the real reason your editor is interested in the feature. What is far more compelling is (1) interoperability with other business processes, and (2) multi-user access to the accounting database. Unfortunately, GnuCash 2.4 does not seem to properly support either of those features.

Even a small business like LWN generates thousands of transactions over the course of a year. Unsurprisingly, it can be quite difficult to find anybody who is interested in typing all of those transactions into the accounting system - especially when "the computer" already knows all about them. In the current system, getting this information into the accounting database is done through a bunch of glue scripts and the always hair-raising QuickBooks import process. Certainly it would be nicer to just store that data directly into the accounting database.

This sort of direct storage is certainly achievable with GnuCash, but it won't be easy. The database schema is surprisingly hard to find; there is a version of it available in an old mailing list posting, but that's about it. Said schema is heavily reliant on GnuCash's "GUID" type - a 32-character ASCII representation of a 16-byte internal object identifier. So even storing a simple transaction requires generating new GUIDs and digging around to find the other GUIDs necessary to tie the transaction in properly. It is, in other words, messy, error-prone, and just crying for a nice API that could be called at a higher level. One assumes that said API will exist in library form someday, but it is not there now.

Parallel access is not there either; the FAQ is clear on the subject:

This makes storing the accounts in a centrally-located database actively dangerous. If GnuCash cannot have two clients running safely with the same database, it should go out of its way to prevent that from happening (as it does with the file backend). But there are no checks for concurrent access in the current 2.3.12 development release.

While GnuCash does have some support for dealing with various tax regimes, it's still not where it needs to be to displace other applications. Among other things, it simply has no provision for storing some of the required information. LWN, being a US-based business, needs to track which of its authors needs to receive 1099 forms at the end of the year and produce those forms at the right time. The production side could perhaps be made to work relatively easily: GnuCash has a scripting engine which enables the creation of custom reports - as long as the user is not afraid of programming in Scheme. But, without the ability to track who needs those forms (and their tax numbers), the report generator simply lacks the information it needs.

Time for one final grumble. In current stable GnuCash, the QIF importer (useful for importing credit card transactions, for example) is fast, efficient, and flexible. In 2.3, importing has turned into a slow, click-intensive, error-prone process. Users are supposed to classify transactions without seeing the amount of each, for some strange reason. In general, GnuCash is moving forward in this release, but importing transactions has regressed.

Import dialogs notwithstanding, the general appearance of GnuCash has changed little in this cycle. It remains the solid, workhorse financial management program that your editor has used for years. For those who would like to see a bigger change, there is something on the horizon, though it doesn't look like it will be ready for the 2.4 release. The Cutecash project has set itself the goal of taking the GnuCash engine and putting a Qt-based interface onto it. It will be interesting to see where the developers go with this project.

Meanwhile, lest your editor seem just a little too grumpy, let it be said that GnuCash seems to be headed in the right direction. It has been more than good enough for most personal finance management for some time, and it is slowly developing the features it will need to compete in the business area. One of these years it should start displacing proprietary accounting tools in a serious way.

Comments (35 posted)

Canonical Goes It Alone with Unity

With the Lucid Lynx release safely shipped, the Ubuntu developer community gathered in Brussels, Belgium the week of May 10 to prepare for the 10.10 release scheduled for October. Two of the focal points for the release will be a new netbook interface called "Unity," and "Ubuntu Light" — a stripped-down version of Ubuntu intended to ship on systems running Microsoft Windows as an instant-on alternative.

Mark Shuttleworth announced the new interface design and Ubuntu Light concept on Monday, May 10th via his blog and keynote at the Ubuntu Developer Summit (UDS). Ubuntu already has a Netbook Remix that's customized for small screens, but the new design is meant to focus less on access to all applications and more on rapid access to the most-used programs. Shuttleworth says that Canonical has been spending time analyzing what users use most and identifying things that are not needed in lightweight configurations. He also says that the focus is to get the user to the Web as quickly as possible:

(Emphasis in the original).

How fast can you get to a working Net connection? It looks like users will have to buy a new machine to find out. Ubuntu users who get the distribution as a download, as opposed to purchasing Ubuntu via OEM hardware, will not have access to Ubuntu Light. According to Shuttleworth's post, the company won't provide a general-purpose download due to "the requirement to customize the Light versions for specific hardware." While customization may provide an edge, it doesn't seem to be a blocker for other distributions that provide "instant on" versions, such as Mandriva InstantOn, so it's a bit disappointing to learn Canonical won't be providing a Light edition for general distribution. Presumably they will be providing the code for the improvements where required, but it may not be trivial for the community to piece a Light version together.

Ubuntu Unity, however, is already available in its somewhat unfinished state. Users on Ubuntu 10.04 only need to add the canonical-dx-team/une Personal Package Archive (PPA), install the unity package, and log out. Choose the Unity UNE (Ubuntu Netbook Edition) Session option and log back in.

The Unity interface is stable enough, though not yet feature-complete. Currently the interface consists mostly of the launcher and panel. Unity's plan also includes "Dash," which would display applications and files as an overlay. It is a sort of super-menu that's displayed over the current windows; it would replace the GNOME menus or Netbook Remix side panel. The idea is to maximize vertical space, which is at a premium on netbooks, and make the interface "finger friendly." That is to say that users should be able to navigate the interface via a touchscreen as well as using a mouse. This suggests that Canonical is targeting not just netbooks, but also tablets.

When Unity is launched, it has a set of default applications like Firefox, Rhythmbox, and the Software Center in the panel. Because the Dash is not yet ready, the current Unity default includes an Applications link, which provides access to /usr/share/applications. The Unity interface doesn't seem to include a "Run" dialog or utility. It's also unclear what the plans are for keyboard access, and whether most of the interface will be navigable using keyboard shortcuts.

Overall, the Unity interface is responsive and easy to use. Users familiar with a dock metaphor will take to Unity pretty quickly. Applications can be removed from the Dock by dragging them off the dock or right-clicking and selecting "Remove from Launcher." Applications can be added by selecting "Keep in Launcher." The Ubuntu logo in the upper-left corner tiles the open windows, showing a smaller view of all windows, enabling users to choose between them. Unlike the Netbook Remix, the title bar is currently not merged with the main title bar of the Unity interface, so there is wasted space resulting from the title bar plus Unity bar.

One interesting question raised by Unity and Canonical's push for running applications full-screen is how the company plans to ensure that the applications run well in the full-screen mode. Applications like Chromium, which has been tapped as the default browser for 10.10, handle full-screen mode well enough. But applications like Empathy, the default IM client (and presumably one of the most desirable instant-on applications) do not have a full-screen mode. Is Canonical going to work with upstream to develop this feature? Apparently not, according to this comment from Canonical developer Neil Patel. In response to questions about single-window Empathy, Patel responds "Not that I know of, we hope to use Empathy as its default in Ubuntu. Maybe we can get some community to help to make it netbook friendly."

Another question is how the Unity effort meshes with GNOME Shell, and whether Ubuntu's path is taking it too far from upstream. GNOME Shell is coming in GNOME 3.0 and planned for release in September. It appears that GNOME Shell will not be making an appearance in Ubuntu's netbook offerings, though Shuttleworth noted that GNOME Shell technologies like the Clutter libraries for and Mutter window manager, are used. Shuttleworth says that the "design seed of Unity was in place before GNOME Shell", and that the company decided to use that design for instant-on rather than GNOME Shell. GNOME Shell will be available in the standard release of Ubuntu for 10.10, but not as the default. Ubuntu is also diverging from standard GNOME with its Windows Indicators, which were offered upstream but not accepted.

Unity and Ubuntu Light also seem to mark the end of Canonical's Moblin/MeeGo efforts. The company has confirmed that it isn't planning another netbook edition of the Ubuntu Moblin Remix. This potentially puts Canonical in competition with the MeeGo effort and Google's Android/Chrome OS, and in the position of maintaining much more of the desktop environment and back-end than many other distributions. Novell discovered several years ago that innovating ahead of upstream GNOME was not particularly sustainable or effective. Whether Canonical has learned from the mistakes of others or is poised to repeat them is an open question.

It would be good to see Canonical find mainstream success for Linux with the Unity interface and Ubuntu Light. Whether this is the solution that will win over the market remains to be seen, but Canonical does seem to be pursing the netbook market with a bit more enthusiasm than any other vendor. The only concern is that the company seems increasingly out of step with the rest of the community in doing so.

Comments (49 posted)

Google Chrome and master passwords

Master passwords for browsers provide a measure of security against some common, if weak, attack vectors. Firefox has had master passwords for some time, but Google's Chrome browser does not, nor does it seem to have any kind of priority to be added. That makes some users rather unhappy, to the point of saying that they won't use the browser until it is implemented. Google's position seems to be that master passwords only provide an illusion of security, but that is an oversimplification.

The idea behind a master password is to protect the credentials (username and password) for accessing web sites that are stored by the browser. The master password is required to unlock (really decrypt) the credential storage before the browser can auto-fill login forms. Without a master password, Firefox stores credential information unencrypted on the disk. Chrome does encrypt the credentials using the user's session information—but only on Windows—for Linux it stores them unencrypted.

As Jamie Strandboge describes in a blog posting, it is trivial to extract the credentials stored by Chrome on Linux in a SQLite database file. A bug filed against Chrome in September 2008 requests adding a master password, and, while it has seen many comments, it has also seen little action on the part of the Chrome developers. For Linux users, it is pretty clear that leaving an unencrypted version of all stored passwords on the disk is a security hole; it definitely requires access to the data, either on the machine itself or elsewhere—like a network share or backup of the home directory. Ways to get that access aren't very hard to envision. Since the data is encrypted on Windows, the picture there is a little murkier.

It is certainly true that anyone who gets physical access to your machine can do an amazing amount of harm to it if they want to. But it is also true that many people allow their computer to be used by others to do a quick search or check email. Those uses are typically short in duration and are "semi-supervised" in the sense that the owner is often around and might very well notice someone installing a keylogger or running some kind of password cracker. What may escape notice is someone using the browser interface in fairly standard ways—to look at stored passwords for example.

The answer, according to Chrome developer Peter Kasting is to "lock your desktop (it's two keys!) or close Chrome" if you don't trust those with physical access. Essentially, because of the way Chrome is implemented, there is no secure way to allow someone to use your open browser session—or even to start a new one for them to use. With Firefox, one can start a new browser and not provide the master password (or just log out of the "Software Security Device"), which will allow semi-untrusted users to jump on and do a quick Google—or check Gmail.

Given the sensitivity of stored passwords—though many sensitive web sites, like banks and brokerages, have started disallowing credential storage—a master password protecting them gives users a sense of protection. It may well be that the average user overestimates the amount of protection that a master password provides, but that doesn't mean it provides no protection. There is certainly a big difference between a sophisticated hacker willing to risk jail time by installing a keylogger and a "friend" who thinks it would be funny to update your Facebook status for you. The latter is likely to be thwarted by a master password.

It is a bit hard to understand why the Chrome developers are so unwilling to consider adding the feature. It shouldn't be particularly difficult in a technical sense. The "UI complexity" argument rings a little hollow. The lack of any way to get password encryption on Linux just seems like a bug that needs to be fixed, though there isn't any real indication that it will be. Maybe someone in the community needs to take a crack at it—it is, after all, free software.

Comments (29 posted)

Quotes of the week

-- Boing Boing looks at a since-changed credit union online banking FAQ

-- Bruce Schneier on worst-case thinking

-- Harvey Anderson, Mozilla Corporation VP and General Counsel

-- Mike Chan about Android's always-on "phone home" connection

Comments (4 posted)

Morris: SELinux Notebook Edition 2 Released

Over at SELinux News, James Morris announces the second edition of The SELinux Notebook. "Richard Haines has released the 2nd edition of The SELinux Notebook, an extensive work of documentation aimed at explaining SELinux to newcomers. It is also intended to be a reference document for the policy language and configuration. The Notebook has now been split into two volumes: The Foundations and Sample Policy Source, and updated to the latest implementation of SELinux in the Fedora 12 distribution. New topics in this edition include virtualization (sVirt), SE-PostgreSQL, XSELinux and Apache/SELinux Plus."

Comments (3 posted)

aria2: insufficient input sanitizing

Package(s):	aria2	CVE #(s):	CVE-2010-1512
Created:	May 18, 2010	Updated:	January 17, 2011
Description:	From the Debian advisory: A vulnerability was discovered in aria2, a download client. The "name" attribute of the "file" element of metalink files is not properly sanitised before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory.
Alerts:	Gentoo 201101-04 aria2 2011-01-15 SUSE SUSE-SR:2010:017 java-1_4_2-ibm, sudo, libpng, php5, tgt, iscsitarget, aria2, pcsc-lite, tomcat5, tomcat6, lvm2, libvirt, rpm, libtiff, dovecot12 2010-09-21 openSUSE openSUSE-SU-2010:0338-2 aria2 2010-09-13 SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02 Pardus 2010-75 aria2 2010-06-04 Mandriva MDVSA-2010:106 aria2 2010-05-24 Fedora FEDORA-2010-8915 aria2 2010-05-22 Fedora FEDORA-2010-8908 aria2 2010-05-22 Debian DSA-2047-1 aria2 2010-05-17 MeeGo MeeGo-SA-10:05 aria2 2010-07-07

Comments (none posted)

fetchmail: denial of service

Package(s):	fetchmail	CVE #(s):	CVE-2010-1167
Created:	May 17, 2010	Updated:	June 7, 2011
Description:	From the CVE entry: fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3 UIDL list.
Alerts:	Mandriva MDVSA-2011:107 fetchmail 2011-06-07 Slackware SSA:2010-136-01 fetchmail 2010-05-17

Comments (3 posted)

kdenetwork: arbitrary code execution

Package(s):	kdenetwork	CVE #(s):	CVE-2010-1000
Created:	May 13, 2010	Updated:	May 26, 2011
Description:	From the Ubuntu advisory: It was discovered that KGet did not properly perform input validation when processing metalink files. If a user were tricked into opening a crafted metalink file, a remote attacker could overwrite files via directory traversal, which could eventually lead to arbitrary code execution.
Alerts:	Gentoo 201412-08 insight, perl-tk, sourcenav, tk, partimage, bitdefender-console, mlmmj, acl, xinit, gzip, ncompress, liblzw, splashutils, m4, kdm, gtk+, kget, dvipng, beanstalkd, pmount, pam_krb5, gv, lftp, uzbl, slim, iputils, dvbstreamer 2014-12-11 Pardus 2011-80 kdenetwork 2011-05-11 Red Hat RHSA-2011:0465-01 kdenetwork 2011-04-21 Fedora FEDORA-2011-5211 kdenetwork 2011-04-12 Mandriva MDVSA-2011:081 kdenetwork4 2011-05-02 SUSE SUSE-SR:2010:024 clamav, subversion, python, krb5, otrs, moonlight, OpenOffice_org, kdenetwork4, zope, xpdf, gnutls, and opera 2010-12-23 openSUSE openSUSE-SU-2010:1085-1 kdenetwork 2010-12-21 openSUSE openSUSE-SU-2010:1077-1 kdenetwork 2010-12-17 openSUSE openSUSE-SU-2010:1076-1 kdenetwork 2010-12-17 Fedora FEDORA-2010-8577 oxygen-icon-theme 2010-05-15 Fedora FEDORA-2010-8544 oxygen-icon-theme 2010-05-15 Fedora FEDORA-2010-8547 oxygen-icon-theme 2010-05-15 Fedora FEDORA-2010-8577 kdeutils 2010-05-15 Fedora FEDORA-2010-8544 kdeutils 2010-05-15 Fedora FEDORA-2010-8547 kdeutils 2010-05-15 Fedora FEDORA-2010-8577 kdetoys 2010-05-15 Fedora FEDORA-2010-8544 kdetoys 2010-05-15 Fedora FEDORA-2010-8547 kdetoys 2010-05-15 Fedora FEDORA-2010-8577 kdesdk 2010-05-15 Fedora FEDORA-2010-8544 kdesdk 2010-05-15 Fedora FEDORA-2010-8547 kdesdk 2010-05-15 Fedora FEDORA-2010-8577 kdeplasma-addons 2010-05-15 Fedora FEDORA-2010-8544 kdeplasma-addons 2010-05-15 Fedora FEDORA-2010-8547 kdeplasma-addons 2010-05-15 Fedora FEDORA-2010-8577 kdepim-runtime 2010-05-15 Fedora FEDORA-2010-8544 kdepim-runtime 2010-05-15 Fedora FEDORA-2010-8547 kdepim-runtime 2010-05-15 Fedora FEDORA-2010-8577 kdepimlibs 2010-05-15 Fedora FEDORA-2010-8544 kdepimlibs 2010-05-15 Fedora FEDORA-2010-8547 kdepimlibs 2010-05-15 Fedora FEDORA-2010-8577 kdepim 2010-05-15 Fedora FEDORA-2010-8544 kdepim 2010-05-15 Fedora FEDORA-2010-8547 kdepim 2010-05-15 Fedora FEDORA-2010-8577 kdenetwork 2010-05-15 Fedora FEDORA-2010-8544 kdenetwork 2010-05-15 Fedora FEDORA-2010-8547 kdenetwork 2010-05-15 Fedora FEDORA-2010-8577 kdemultimedia 2010-05-15 Fedora FEDORA-2010-8544 kdemultimedia 2010-05-15 Fedora FEDORA-2010-8547 kdemultimedia 2010-05-15 Fedora FEDORA-2010-8577 kdelibs 2010-05-15 Fedora FEDORA-2010-8544 kdelibs 2010-05-15 Fedora FEDORA-2010-8547 kdelibs 2010-05-15 Fedora FEDORA-2010-8577 kde-l10n 2010-05-15 Fedora FEDORA-2010-8544 kde-l10n 2010-05-15 Fedora FEDORA-2010-8547 kde-l10n 2010-05-15 Fedora FEDORA-2010-8577 kdegraphics 2010-05-15 Fedora FEDORA-2010-8544 kdegraphics 2010-05-15 Fedora FEDORA-2010-8547 kdegraphics 2010-05-15 Fedora FEDORA-2010-8577 kdegames 2010-05-15 Fedora FEDORA-2010-8544 kdegames 2010-05-15 Fedora FEDORA-2010-8547 kdegames 2010-05-15 Fedora FEDORA-2010-8547 kdeedu 2010-05-15 Fedora FEDORA-2010-8544 kdebindings 2010-05-15 Fedora FEDORA-2010-8577 kdeedu 2010-05-15 Fedora FEDORA-2010-8544 kdeedu 2010-05-15 Fedora FEDORA-2010-8577 kdebindings 2010-05-15 Fedora FEDORA-2010-8547 kdebindings 2010-05-15 Fedora FEDORA-2010-8577 kdebase-workspace 2010-05-15 Fedora FEDORA-2010-8544 kdebase-workspace 2010-05-15 Fedora FEDORA-2010-8547 kdebase-workspace 2010-05-15 Fedora FEDORA-2010-8577 kdebase-runtime 2010-05-15 Fedora FEDORA-2010-8544 kdebase-runtime 2010-05-15 Fedora FEDORA-2010-8547 kdebase-runtime 2010-05-15 Fedora FEDORA-2010-8577 kdebase 2010-05-15 Fedora FEDORA-2010-8544 kdebase 2010-05-15 Fedora FEDORA-2010-8547 kdebase 2010-05-15 Fedora FEDORA-2010-8577 kdeartwork 2010-05-15 Fedora FEDORA-2010-8544 kdeartwork 2010-05-15 Fedora FEDORA-2010-8547 kdeartwork 2010-05-15 Fedora FEDORA-2010-8577 kdeadmin 2010-05-15 Fedora FEDORA-2010-8544 kdeadmin 2010-05-15 Fedora FEDORA-2010-8547 kdeadmin 2010-05-15 Fedora FEDORA-2010-8577 kdeaccessibility 2010-05-15 Fedora FEDORA-2010-8544 kdeaccessibility 2010-05-15 Fedora FEDORA-2010-8547 kdeaccessibility 2010-05-15 Mandriva MDVSA-2010:098 kdenetwork4 2010-05-18 Ubuntu USN-938-1 kdenetwork 2010-05-13 Pardus 2010-68 kdenetwork 2010-06-04

Comments (none posted)

krb5: denial of service

Package(s):	krb5	CVE #(s):	CVE-2010-1321
Created:	May 19, 2010	Updated:	May 3, 2011
Description:	The Kerberos GSS-API library contains a null pointer dereference vulnerability; an remote authenticated attacker could use this vulnerability to crash the server.
Alerts:	Gentoo 201201-13 mit-krb5 2012-01-23 SUSE SUSE-SU-2012:0042-1 krb5 2012-01-05 SUSE SUSE-SU-2012:0010-1 krb5 2012-01-05 SUSE SUSE-SR:2011:008 java-1_6_0-ibm, java-1_5_0-ibm, java-1_4_2-ibm, postfix, dhcp6, dhcpcd, mono-addon-bytefx-data-mysql/bytefx-data-mysql, dbus-1, libtiff/libtiff-devel, cifs-mount/libnetapi-devel, rubygem-sqlite3, gnutls, libpolkit0, udisks 2011-05-03 SUSE SUSE-SA:2011:014 java-1_6_0-ibm,java-1_5_0-ibm,java-1_4_2-ibm 2011-03-22 SUSE SUSE-SA:2011:006 java-1_6_0-ibm 2011-01-25 Red Hat RHSA-2011:0152-01 java-1.4.2-ibm 2011-01-17 Red Hat RHSA-2010:0987-01 java-1.6.0-ibm 2010-12-15 Red Hat RHSA-2010:0935-01 java-1.4.2-ibm 2010-12-01 Red Hat RHSA-2010:0873-02 java-1.5.0-ibm 2010-11-10 Red Hat RHSA-2010:0807-01 java-1.5.0-ibm 2010-10-27 openSUSE openSUSE-SU-2010:0754-1 java-1_6_0-sun 2010-10-22 SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17 SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02 SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25 rPath rPSA-2010-0065-1 krb5 2010-10-17 Red Hat RHSA-2010:0770-01 java-1.6.0-sun 2010-10-14 Mandriva MDVSA-2010:130 heimdal 2010-07-07 CentOS CESA-2010:0423 krb5 2010-06-01 Pardus 2010-71 mit-kerberos 2010-06-04 Debian DSA-2052-1 krb5 2010-05-24 CentOS CESA-2010:0423 krb5 2010-05-22 CentOS CESA-2010:0423 krb5 2010-05-22 Ubuntu USN-940-1 krb5 2010-05-19 Fedora FEDORA-2010-8805 krb5 2010-05-19 Fedora FEDORA-2010-8796 krb5 2010-05-19 Mandriva MDVSA-2010:100 krb5 2010-05-19 Red Hat RHSA-2010:0423-01 krb5 2010-05-18 Mandriva MDVSA-2010:129 heimdal 2010-07-07 Ubuntu USN-940-2 krb5 2010-07-21 SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14

Comments (none posted)

libxext: application crash

Package(s):	libxext	CVE #(s):
Created:	May 19, 2010	Updated:	May 19, 2010
Description:	From the Mandriva advisory: A vulnerability has been discovered and fixed in libxext: There's a race condition in libXext that causes apps that use the X shared memory extensions to occasionally crash.
Alerts:	Mandriva MDVSA-2010:095 libxext 2010-05-12

Comments (none posted)

mysql: forced data loss

Package(s):	mysql	CVE #(s):	CVE-2010-1626
Created:	May 19, 2010	Updated:	November 16, 2010
Description:	It is possible to cause a DROP TABLE command on one MyISAM table to remove data and index files from a different table.
Alerts:	Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12 Gentoo 201201-02 mysql 2012-01-05 SUSE SUSE-SR:2010:021 mysql, dhcp, monotone, moodle, openssl 2010-11-16 openSUSE openSUSE-SU-2010:0730-1 mysql 2010-10-18 SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25 openSUSE openSUSE-SU-2010:0731-1 mysql 2010-10-18 CentOS CESA-2010:0442 mysql 2010-05-28 Ubuntu USN-950-1 mysql-dfsg-5.0, mysql-dfsg-5.1 2010-06-09 Pardus 2010-73 mysql-server 2010-06-04 Red Hat RHSA-2010:0442-01 mysql 2010-05-26 Mandriva MDVSA-2010:101 mysql 2010-05-19 Debian DSA-2057-1 mysql-dfsg-5.0 2010-06-07

Comments (none posted)

mysql: privilege escalation

Package(s):	mysql	CVE #(s):	CVE-2010-1621
Created:	May 14, 2010	Updated:	October 18, 2010
Description:	From the Red Hat bugzilla: UNINSTALL PLUGIN, looking in the mysql_uninstall_plugin() function shows that there is no code at all for checking required privileges. This means that ANY user, even a user with no privileges, can uninstall ANY plugin. (At least plugins that are loaded dynamically.)
Alerts:	Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12 Gentoo 201201-02 mysql 2012-01-05 openSUSE openSUSE-SU-2010:0730-1 mysql 2010-10-18 Ubuntu USN-950-1 mysql-dfsg-5.0, mysql-dfsg-5.1 2010-06-09 Pardus 2010-73 mysql-server 2010-06-04 Fedora FEDORA-2010-7414 mysql 2010-04-27 Fedora FEDORA-2010-7355 mysql 2010-04-27

Comments (none posted)

phpgroupware: multiple vulnerabilities

Package(s):	phpgroupware	CVE #(s):	CVE-2010-0403 CVE-2010-0404
Created:	May 14, 2010	Updated:	May 19, 2010
Description:	From the Debian advisory: Several remote vulnerabilities have been discovered in phpgroupware, a Web based groupware system written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0403: A local file inclusion vulnerability allows remote attackers to execute arbitrary PHP code and include arbitrary local files. CVE-2010-0404: Multiple SQL injection vulnerabilities allows remote attackers to execute arbitrary SQL commands.
Alerts:	Debian DSA-2046-1 phpgroupware 2010-05-13

Comments (none posted)

php-ZendFramework: multiple vulnerabilities

Package(s):	php-ZendFramework	CVE #(s):
Created:	May 14, 2010	Updated:	May 19, 2010
Description:	From the ZendFrameWork advisory: In mid-March, 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in Dojo Toolkit. Details of the advisory may be found on the Dojo website: http://dojotoolkit.org/blog/post/dylan/2010/03/dojo... In particular, several files in the Dojo tree were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.
Alerts:	Fedora FEDORA-2010-8498 php-ZendFramework 2010-05-13 Fedora FEDORA-2010-8495 php-ZendFramework 2010-05-13

Comments (none posted)

pidgin: denial of service

Package(s):	pidgin	CVE #(s):	CVE-2010-1624
Created:	May 18, 2010	Updated:	November 4, 2010
Description:	From the Mandriva advisory: The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote attackers to cause a denial of service (application crash) via a custom emoticon in a malformed SLP message.
Alerts:	Ubuntu USN-1014-1 pidgin 2010-11-04 Red Hat RHSA-2010:0788-01 pidgin 2010-10-21 CentOS CESA-2010:0788 pidgin 2010-10-25 CentOS CESA-2010:0788 pidgin 2010-10-21 Fedora FEDORA-2010-8524 pidgin 2010-05-13 Fedora FEDORA-2010-8523 pidgin 2010-05-13 Slackware SSA:2010-138-01 pidgin 2010-05-19 Mandriva MDVSA-2010:097 pidgin 2010-05-18 Pardus 2010-69 pidgin 2010-06-04 MeeGo MeeGo-SA-10:08 pidgin 2010-07-07

Comments (none posted)

PostgreSQL: possible code execution

Package(s):	postgresql	CVE #(s):	CVE-2010-1169 CVE-2010-1170
Created:	May 19, 2010	Updated:	October 28, 2010
Description:	The PostgreSQL project has released versions 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29. This update fixes potential code execution flaws in the PL/perl and PL/tcl modules.
Alerts:	Gentoo 201110-22 postgresql-base 2011-10-25 Fedora FEDORA-2010-16004 sepostgresql 2010-10-08 SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02 CentOS CESA-2010:0430 postgresql84 2010-05-28 CentOS CESA-2010:0429 postgresql 2010-05-28 Pardus 2010-74 postgresql-server 2010-06-04 Debian DSA-2051-1 postgresql-8.3 2010-05-24 CentOS CESA-2010:0428 postgresql 2010-05-22 CentOS CESA-2010:0427 postgresql 2010-05-22 Ubuntu USN-942-1 postgresql-8.1, postgresql-8.3, postgresql-8.4 2010-05-21 Mandriva MDVSA-2010:103 postgresql 2010-05-20 Red Hat RHSA-2010:0427-01 postgresql 2010-05-19 Red Hat RHSA-2010:0430-01 postgresql84 2010-05-19 Fedora FEDORA-2010-8715 postgresql 2010-05-18 Red Hat RHSA-2010:0429-01 postgresql 2010-05-19 Red Hat RHSA-2010:0428-01 postgresql 2010-05-19 Fedora FEDORA-2010-8723 postgresql 2010-05-18 openSUSE openSUSE-SU-2010:0371-1 postgresql 2010-07-14

Comments (none posted)

qt: multiple vulnerabilities

Package(s):	qt	CVE #(s):	CVE-2010-0648 CVE-2010-0656
Created:	May 17, 2010	Updated:	March 2, 2011
Description:	From the CVE entries: Mozilla Firefox, possibly before 3.6, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element. (CVE-2010-0648) WebKit before r51295, as used in Google Chrome before 4.0.249.78, presents a directory-listing page in response to an XMLHttpRequest for a file:/// URL that corresponds to a directory, which allows attackers to obtain sensitive information or possibly have unspecified other impact via a crafted local HTML document. (CVE-2010-0656)
Alerts:	Gentoo 201301-01 firefox 2013-01-07 Mandriva MDVSA-2011:039 webkit 2011-03-02 SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25 openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12 Fedora FEDORA-2010-8379 qt 2010-05-11 Fedora FEDORA-2010-8360 qt 2010-05-11

Comments (3 posted)

quake3: multiple vulnerabilities

Package(s):	quake3	CVE #(s):
Created:	May 17, 2010	Updated:	May 19, 2010
Description:	From the Red Hat bugzilla: Based on search started from http://bugs.gentoo.org/show_bug.cgi?id=222119, it seems that tremulous packages as shipped in Fedora contains multiple unfixed security issues, that were previously addressed in Quake3.
Alerts:	Fedora FEDORA-2010-8558 quake3 2010-05-15

Comments (none posted)

wireshark: denial of service

Package(s):	wireshark	CVE #(s):	CVE-2010-1455
Created:	May 18, 2010	Updated:	April 19, 2011
Description:	From the Pardus advisory: The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0 through 1.2.7 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed packet trace file.
Alerts:	SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19 SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25 openSUSE openSUSE-SU-2011:0010-2 wireshark 2011-01-12 SUSE SUSE-SR:2011:001 finch/pidgin, libmoon-devel/moonlight-plugin, libsmi, openssl, perl-CGI-Simple, supportutils, wireshark 2011-01-11 openSUSE openSUSE-SU-2011:0010-1 wireshark 2011-01-04 Fedora FEDORA-2010-13427 wireshark 2010-08-24 CentOS CESA-2010:0625 wireshark 2010-08-27 CentOS CESA-2010:0625 wireshark 2010-08-23 Red Hat RHSA-2010:0625-01 wireshark 2010-08-11 Gentoo 201006-05 wireshark 2010-06-01 Mandriva MDVSA-2010:099 wireshark 2010-05-18 Pardus 2010-61 wireshark 2010-05-18

Comments (none posted)

Kernel release status

There is no development kernel as the 2.6.35 merge window is open. As of this writing, the flow of patches into the mainline has been relatively slow; see below for details.

2.6.34 was released on May 16. As usual, there's a lot of new stuff in this release, though it is slightly less feature-packed than some. Highlights include asynchronous power management, a lot of tracing enhancements, LogFS, and the Ceph distributed filesystem. As always, lots of details can be found in the excellent KernelNewbies summary.

There have been no stable updates over the last week.

Comments (none posted)

Quotes of the week

-- Linus Torvalds

-- Daniela Torvalds

-- James Bottomley

-- Matthew Garrett

Comments (7 posted)

Minutes from the Hardware Error Kernel Mini-Summit

A number of kernel developers held a minisummit dedicated to the collection and reporting of hardware errors at the Linux Foundation's Collaboration Summit. Mauro Carvalho Chehab has put together and posted a set of minutes from that meeting; click below for the full text. It's worth noting that some developers who were not present are not in full agreement with everything found here; follow the discussion thread for more information.

Full Story (comments: 1)

Augmented red-black trees

Red-black trees (rbtrees) are a highly-optimized data structure used in a number of places in the kernel. With an rbtree, a kernel programmer can quickly locate data structures corresponding to a specific value; all that is needed is to store data structures with the value of interest as the key. Some fuzzier sorts of matches can be hard to do with rbtrees; consider, for example, the case of finding the lowest-valued node which overlaps with a given range of values. Venkatesh Pallipadi recently encountered this problem while trying to improve the functioning of the page attribute table (PAT) support for the x86 architecture. Rather than give up on rbtrees, he chose to enhance that data structure to meet a wider range of needs.

Venkatesh's patch (which was one of the first things merged for 2.6.35) implements the concept of "augmented rbtrees." Such a tree works very much like an ordinary rbtree, with the exception that it keeps additional information in each node. That information, almost certainly, is a function of any child nodes in the tree - the maximum key value among all children, for example. Since users of rbtrees must write their own search functions anyway, they can easily take advantage of this extra information to optimize searches.

Users of augmented rbtrees must define an augment_cb() callback with this prototype:

    void (*augment_cb)(struct rb_node *node);

When the tree is initialized, the callback should be stored in its root node:

    struct rb_root my_root = RB_AUGMENT_ROOT(my_augment_cb);

Thereafter, the augment_cb() callback will be invoked whenever the value of one (or both) of a node's children might have changed. The callback can then update the node's additional information to match the new tree topology. The callback will be invoked from insert and delete operations - anything which might change the tree - so rbtree users should ensure that nodes are in a consistent state before inserting them.

Callbacks are not called recursively up the tree. So if a change to a node's augmented value might ripple upward, the augment_cb() callback must work its way up the tree and make the requisite updates. Note that a recursive call on the parent node is probably not a good idea unless the tree is known to be extremely shallow.

As of this writing, the PAT code is the only in-tree user of this functionality, but others seem likely to appear now that this feature is globally available.

Comments (none posted)

The SLEB allocator

Longtime LWN readers will know that the kernel does not have just one internal memory allocator. Instead, we have the longstanding "slab" allocator (perennially due to be removed someday), the SLUB allocator (intended for better scalability, but it hasn't been able to beat slab on every test), and the SLOB allocator (a space-efficient allocator for embedded use). There is also the SLQB allocator waiting in the wings, but it has been waiting there long enough that one may wonder if it will ever emerge from there.

All told, one might assume that we have enough allocators. Then again, there are quite a few letters still available in the SL*B namespace, so why not make another one?

Thus Christoph Lameter, author of SLUB, has come forward with the SLEB allocator, which is meant to be a mixture of the best of slab and SLUB. Unlike SLUB, SLEB retains the object queues used by slab, but it also adds a bitmap for object management as well. Also unlike SLUB, there is no storage of metadata in the objects themselves. That is a performance enhancement: if a cache-cold object is allocated or freed, SLEB will not bring it into the cache.

This code is very new; it apparently has not yet been trusted outside of a KVM virtual machine. The long benchmarking process that might lead to merging and, possibly, displacing one of the other allocators has not yet begun. But the code is there, and that's a start.

Comments (1 posted)

2.6.35 merge window part 1

It's that time again: a new kernel development cycle has started and the merge window is currently open for new code. As of this writing, some 1100 non-merge changes have been incorporated into the mainline kernel. The most significant user-visible changes include:

• The performance monitoring subsystem supports the Intel "precise event based sampling" (PEBS) mode, in which the hardware directly records event information into a dedicated memory region. The perf subsystem also can now obtain performance information from old Pentium4 CPUs.

• The "perf kvm" tool, which allows the monitoring of virtualized guests from the host, has been merged.

• The dynamic probe code has better support for a number of basic integer types.

• The "fair sleepers," "sync wakeups," and "affine wakeup" scheduler feature flags have been removed. It seems that, at this point, the scheduler developers don't believe that things will work properly without those features, so they are always enabled.

• The SuperH architecture now has hotplug CPU support.

• New drivers:
  • Processors and boards: HP iPAQ rx1950 devices, Acer N35 systems, Samsung S3C2416-based systems, Marvell GuruPlug reference boards, Voipac PXA270 single-board computers, Aeronix Zipit Z2 systems, Cavium Networks CNS3xxx processors, Cavium Networks CNS3420 MPCore boards, taskit PortuxG20 and Stamp9G20 boards, ARM SPEAr3XX- and SPEAr6XX-based systems, Versatile Express CA9x4 processors, and ARM Ltd Versatile Express boards.

  • Miscellaneous: DaVinci DM365-based realtime clock devices.

Changes visible to kernel developers include:

• The "cpu_stop" (formerly cpuhog) mechanism has been merged. A cpu_stop allows kernel code to monopolize one or more processors for brief periods.

• Augmented rbtrees are now in the mainline kernel.

• The INIT_RCU_HEAD() macro is going away; it was never really needed for RCU functionality, and RCU debugging is moving to the object debugging infrastructure.

As can be seen above, the 2.6.35 merge window has gotten off to a bit of a slow start. By the old schedule, the window would remain open through the end of the month; there has been speculation that Linus will close it rather sooner than that this time around, though, to inconvenience maintainers who wait too long to get their pull requests in. One way or another, there should certainly be more changes to report on next week.

Comments (none posted)

The trouble with the TSC

The time stamp counter (TSC) provided by x86 processors is a high-resolution counter that can be read with a single instruction (RDTSC), which makes it a tempting target for applications that need fine-grained timestamps. Unfortunately, it is also rather unreliable, so the kernel jumps through hoops to decide whether to use it and to try to detect when it goes awry. An effort to export the kernel's knowledge about the reliability of the TSC has met strong resistance for a number of reasons, but the biggest is that the kernel developers don't think that applications should be accessing the counter directly.

Dan Magenheimer and Venkatesh Pallipadi proposed adding a /sys/devices/tsc directory with several entries corresponding to the kernel's internal TSC information, including the tsc_unstable flag, which governs whether the kernel uses the counter as a stable time source. Andi Kleen questioned the idea:

That is exactly what the patch is meant to do, Magenheimer said, because applications have no reliable way to determine whether the standard system calls will be "fast" or "slow":

Depending on the hardware, gettimeofday() and clock_gettime() may be implemented as vsyscalls—virtual system calls—rather than standard system calls, which eliminates the user space to kernel transition. Vsyscalls are code that is stored in a special memory region in user space (the vdso region) that may access kernel-maintained data, like clock ticks. Using vsyscalls, the calls are (relatively) fast, but on some hardware (or virtual machines) that requires kernel-space operations to get to a reliable counter, a vsyscall cannot be used, so the calls are slower. For applications that "need to obtain timestamp data tens or hundreds of thousands of times per second", the difference is significant.

But Magenheimer believes that if the kernel finds the TSC stable enough for its own timekeeping purposes, then that guarantees that it is usable by applications. Arjan van de Ven and Thomas Gleixner are quick to correct that misunderstanding. Van de Ven notes that the stability of the TSC can change under certain circumstances and there would be no way to notify the applications. His advice: "friends don't let friends use rdtsc in application code".

Gleixner goes into some detail about how the TSC can get out of whack, including system management mode interrupts (SMIs) fiddling with the TSC to hide their presence, that multiple cores can have different values because of boot offsets and/or hotplugging, and that multiple sockets can introduce differences due to separate clocks or drift in the clock signals due to temperature. There is, in short, nothing reliable about the TSC: "the stupid hardware is not reliable whether it has some 'I claim to be reliable tag' on it or not". Gleixner did offer a possible alternative, though:

Currently, there are unnamed "enterprise applications" that attempt to figure out whether they can use the TSC, and do so if they think it will work because of the uncertainty in the performance of gettimeofday() and friends. Magenheimer suggests that perhaps that information could be made available:

Magenheimer also wonders if the kernel developers are suffering from "hot stove" syndrome, in that they have been burned in the past and are reluctant to even consider changes. But Gleixner and van de Ven both point out that there is no hardware that can make the guarantees that Magenheimer wants. And Gleixner has the burn marks to prove it:

While the discussion had various interesting analogies including hanging ropes/knives and condoms versus abstention, it did not (yet) find a car analogy. It did, however, seem to find some common ground that information about whether the clock calls are implemented as vsyscalls or system calls should be exported. That is unlikely to satisfy those that have been "using vsyscalls for a while and still have a performance headache", who Magenheimer quotes, but there is nothing stopping applications from reading the TSC directly. Those applications just have to be prepared to handle any strange TSC behavior they encounter.

Ingo Molnar tries to clarify the reasons that the kernel can't export the reliability information: "The point is for the kernel to not be complicit in practices that are technically not reliable. [...] So the kernel wont 'signal' that something is safe to use if it is not safe to use." But he also sees some reason to hope:

Peter Zijlstra has another solution to the problem. He would like to see the kernel move to eventually disable RDTSC from user space. By emulating the instruction and logging all uses of it (and the related RDTSCP), user-space programs that use it could be identified and changed:

Exporting the information about whether gettimeofday() is "slow" or not seems like a reasonable starting point. No patches to do that have emerged yet, but it is a fairly straightforward thing to do. Eventually, something like Gleixner's vget_tsc_raw() may also come about, though it won't satisfy those who are unhappy with the current vsyscall performance. Those applications will just have to read the TSC themselves and deal with whatever the hardware throws at them.

Comments (17 posted)

Blocking suspend blockers

When LWN last looked at suspend blockers in April, it appeared that this functionality was on a path to be merged into the mainline sometime soon. It may still be on that path, but an extended discussion has muddied the picture somewhat. It is a relatively small and obscure bit of code, but the fate of suspend blockers may have significant implications on how the kernel community deals with external projects in the future.

Suspend blockers, remember, are tied to the "opportunistic suspend" mode used by the Android system. In this mode, the kernel is placed into a sort of controlled narcolepsy; it will fall asleep (suspend the system) just about anytime that somebody is not actively prodding it. A suspend blocker is a form of prod which can be used to keep the system awake while some sort of important processing is going on. As long as there are suspend blockers outstanding, the system will not suspend.

There are two aspects to this approach which sit well with the Android developers. One is that they are able to get better power performance (longer battery life) by suspending the entire system whenever nothing is going on. Using normal runtime power management does not give them the same results. The other key point is that opportunistic suspend can happen even when processes are running in user space. In the absence of a suspend blocker, any computation underway is not considered to be important enough to keep the system awake. This behavior is a form of defense against poorly-written applications which might, otherwise, drain a system's battery in a short period of time.

Suspend blockers have few enthusiastic supporters. Opportunistic suspend seems like a bit of a hack, and the need to put suspend blocker calls into drivers looks invasive. Even if this feature is configured out of most kernels, it looks like it could be a maintenance burden going forward. Even so, most of the developers involved - including almost everybody involved with Linux power management - have concluded that nobody has any better ideas. So, as Matthew Garrett put it:

Requests for alternatives have been posted a number of times in this discussion, but actual proposals have been rather rare. A number of the suspend blocker opponents seem more interested in changing the use case - mandating that all Android applications be well written, for example. The problem is that users will blame the device (rather than that new dog whistle application) if its battery fails to last long enough. So the Android developers must choose between somehow forcing good behavior on all application developers (perhaps losing the "open to all" feature that is at the core of the Android way of doing things) or creating a system robust enough to function with non-ideal applications installed.

The Android developers have taken the latter approach. In the process, they have made suspend blockers a key part of their platform. Many of the drivers which have been developed for Android have suspend blocker support built into them; they cannot be merged in their current form if the suspend blocker API is not available for them. So the current alternatives are to keep those drivers out, or to hack out the suspend blocker usage before merging them. In the former case, we have more out-of-tree code; in the latter case, we have in-tree drivers which are not actually used, tested, or maintained by anybody. Neither alternative looks good.

Merging suspend blockers would make it easier to get much of the rest of this code in; as Android developer Brian Swetland said:

("Wakelocks" are the old name for suspend blockers).

Google and Android have taken a lot of grief for their failure to work with upstream and get their code into the mainline kernel. There can be no doubt that their code could have been handled better; had the Android developers worked with the kernel community before shipping this functionality in millions of handsets, perhaps much of this trouble could have been avoided. But that history cannot be rewritten now; not even the secret git "plumbing" commands can make that happen. But we can try to improve the situation going forward.

The suspend blocker effort looks like a real attempt to do better. The code has not just been posted; it has been through rather more than the usual number of revisions as its developers have put considerable time into trying to address comments which have been made. A failure to merge it would be demoralizing at best. If the development community refuses this attempt to bring Android and the mainline closer, it risks creating an impression of bad faith at best. If we do not accept their code, we really should not complain about them maintaining it outside of the mainline.

As of this writing, the 2.6.35 merge window is open. What will happen with suspend blockers is anybody's guess. The power management developers are in favor of merging it, but some others have made a fair amount of noise and Linus has not made his feelings known. So it is hard to say whether this long story is about to come to a close or not.

Comments (48 posted)

Lots of candidates for the Fedora elections

It's election season in Fedora-land, with three project board seats and five engineering steering committee (FESCo) seats up for grabs. There is some healthy competition in the races, along with something of a spectrum in the candidates' views. Many of the questions in the candidate questionnaire and IRC town halls have been about the current struggles within the project, which is as it should be—those who are elected will be working to find solutions to those problems.

There are seven candidates for the five FESCo seats: Matthias Clasen, Kevin Fenzi, Justin Forbes, Kyle Martin, Bill Nottingham, Steven Parrish, and Bruno Wolff. All of the names should be familiar to those who follow Fedora, with roughly half of them (four) being Red Hat employees. Nottingham and Fenzi are both running for re-election to FESCo, while current members Seth Vidal, Kevin Kofler, and Dennis Gilmore are not running again. The terms are for two releases—roughly one year—and the nine-member board is elected on a staggered basis (i.e. there will be four members elected around the time of the Fedora 14 release).

The project only elects five of the nine members of the project board, and the Fedora project leader is the chair, which essentially makes it half elected and half appointed by Red Hat. Like FESCo, the seats are held for two releases and roughly half (three this time) are up at any given election. Running for those seats are Larry Cafiero, Tom Callaway, Rex Dieter, Máirín Duffy, John McDonough, and Stephen Smoogen. Two current members, Dennis Gilmore and Mike McGrath, are not running again, while Callaway is running for re-election.

The two appointed seats are announced in a split fashion, one before the election and one after. Fedora project leader Paul Frields has announced that Jon Stanley will take the place of one of the current appointees, John Poelstra or Josh Boyer, for the coming term.

At various points in the recent past, Fedora has wrestled with its identity and package update policy, hall monitoring, handling of Mozilla trademarks, and a general sense that the project is too often descending into unwelcoming flames. FESCo and the board have been involved in trying to resolve those issues, so it is no surprise that many of the questions posed by project members touch on them.

Granting exceptions to the Fedora packaging rules for trademarked packages (like Firefox and Thunderbird) was the first in the questionnaire. In general, the candidates felt that the benefits of using the Mozilla trademarked names outweighed the downsides, though Parrish and Wolff thought otherwise:

Callaway looked toward a different model for handling the Mozilla trademarks:

Another question asked for three specific goals a candidate had for their term. Many of the answers touched on ways to make Fedora more welcoming and less acrimonious, but there were other thoughts as well, here are some excerpts:

Some specific packaging goals were also mentioned: Wolff would like to see larger installs available for live images, Clasen and Callaway are interested in making sure the GNOME 3 transition goes smoothly; Callaway also mentioned systemd support as a longer-term goal.

The candidates largely feel that while they are representing the community—and definitely encourage input from the project's members—ultimately, if they were elected, it would be up to them to make their best decisions and not be a "vote-bot", as Clasen put it, for any particular constituency. Some, like McDonough, Cafiero, and Duffy, were more inclined to actively seek out input from the project before making decisions. That may reflect the fact that they are running for the board, which typically makes decisions with a wider impact.

Some of the longest answers were given for the question about "flames/annoyance/anger/frustration within the the Fedora project of late". It is a problem that projects grapple with time and time again, and is the reason behind the Ubuntu code of conduct, the "be excellent to each other" motto for Fedora, along with similar efforts by other projects. All of candidates had thoughts on the causes and possible solutions, here are a few of the responses:

The elections themselves take place May 20-26 and all Fedora members are encouraged to vote. Anyone registered in the Fedora account system who has signed the Contributor License Agreement is eligible.

Comments (1 posted)

Arch Linux 2010.05 snapshots available

Arch Linux has announced the release of 2010.05 installation images. There are some notable changes in Archiso (image builds) and AIF (installation tool). "Additionally, quite some bugs have been fixed, mostly in AIF. And of course, the Official installation guide has been updated to reflect these changes."

Comments (none posted)

Release for CentOS-5.5 i386 and x86_64

CentOS 5.5 is available for i386 and x86_64 architectures. "CentOS-5.5 is based on the upstream release EL 5.5 and includes packages from all variants including Server and Client. All upstream repositories have been combined into one, to make it easier for end users to work with." Click below for the announcement or see the release notes for details.

Full Story (comments: none)

Linux Mint 9 "Isadora" released

The Linux Mint team has announced the release of Linux Mint 9 "Isadora". This release features a new software manager, a new backup tool, menu improvements, better look & feel, several system improvements, and more.

Comments (none posted)

OpenBSD 4.7 Released

The OpenBSD team has announced the official release of OpenBSD 4.7. The announcement (click below) includes a lengthy list of improvements and new features.

Full Story (comments: none)

Slackware 13.1 RC1 released

The first release candidate for Slackware 13.1 is available. From the May 14, 2010 entry in the slackware-current changelog: "Good hello! We will call this update Slackware 13.1 RC1. With this, the kernel, compiler, and glibc versions are "golden", and everything is pretty much ready to release. Last call for bug reports..." The second release candidate was announced in the May 18 changelog entry.

Comments (9 posted)

SUSE Linux Enterprise 11 service pack 1 released

Novell has announced the availability of "service pack 1" for its enterprise distributions. This "service pack" crams in a lot of new features. "First enterprise Linux distribution with an updated 2.6.32 kernel, which leverages the RAS features in Intel* Xeon* processor 7500 and 5600 series, such as MCA recovery, improved MPIO hardware support; new floating point and cryptographic features that deliver improved performance and security like AES-NI, as well as Intel* Rapid Storage Technology enterprise, fully implemented for robust software RAID."

Comments (3 posted)

The Debian leader goes to UDS

Recently elected Debian leader Stefano Zacchiroli went to the Ubuntu Developer Summit to try to improve relations between the two. He has posted a couple of interesting messages related to this visit, the first being the results of a survey of Debian developers: "The most appreciated collaboration paradigm between Debian and Ubuntu seems to be 'mixed teams', where people from both distros work together using some $VCS. I got report about a dozen such teams, of varying sizes from a handful of packages to several hundreds."

Also posted is a summary of the trip. "To my surprise, I realized that among Ubuntu developers there are quite some people which share our values and that acknowledge that Ubuntu sometimes fails at them. Those people are interested in working with Debian directly, but simply didn't realize that we do welcome their contributions".

Comments (none posted)

mipsel buildd status update

Andreas Barth has an update for Debian mipsel fans. "for mips, there is nothing new: still the same issues as last month, but still "works good enough". For mipsel, things have improved dramatically: rem is working again. The issue was the both the cpu and the psu fan were broken. Florian Lohoff fixed them for us. As unstable is fully built, rem is working on the backport-packages."

Full Story (comments: none)

Fedora Board Recap 2010-05-13

Click below for a recap of the May 13, 2010 meeting of the Fedora Advisory Board. Topics include License agreement for fedoraonline.it, License agreement for fedorastorm.com, and Hall monitor policy change.

Full Story (comments: none)

Misc Debian Developer News (#22)

This issue of the Misc Developer News covers + LWN subscriptions, + ubuntudiff.debian.net, + TXT records on debian.net, + Debian Sysadmin Team seeks for help, and + Receive Ubuntu bugs by mail via PTS.

Full Story (comments: none)

Debian Project News - May 18th, 2010

This issue of the Debian Project News covers DebConf10 update, Squeeze freeze, Debian-Ubuntu relationship, Debian installation media and non-free firmware, and much more.

Full Story (comments: none)

DistroWatch Weekly, Issue 354

The DistroWatch Weekly for May 17, 2010 is out. "As the new OpenBSD CD sets start showing up in the mailboxes of users who support the development of the project, we speak to Stefan Sperling, an OpenBSD developer. What's new in version 4.7? And what's it like being part of a mysterious group of hard-core developers who have been so successful in producing one of the most secure operating system on the market? Read on to find out. In the news section, Mandriva CEO Arnaud Laprévote diffuses rumours about the company's existential concerns, BLAG developer community revives a long-dormant Fedora-based distribution with "libre" characteristics, and Dianne Ursini of Technology Alignment explains the reasons for terminating the development of Pioneer Linux. Also in this issue, links to two excellent articles on APT and RPM package management and an interesting opinion on barriers to Linux adoption. Happy reading!"

Comments (none posted)

Fedora Weekly News 225

The Fedora Weekly News for May 12, 2010 is out. "This week's issue kicks off with Fedora In the News, offering coverage of Fedora in the trade press over the past week. Stories include coverage of Fedora 14 naming and Fedora 13 highlights and features. In Ambassador news, coverage of Fedora's participation in a recent FOSS event in Greece. In Quality Assurance news, details on the latest Fedora 13 testing processes and results, and reports on two Test Days on Preupgrade Kit and Xfce. In Translation news, details on a discovered i18n bug in Anaconda, various translation activities for packages and nine new members of the Fedora Localization Project for Brazilian Portuguese, German, Czech, Greek and Slovak languages. In Design team news, updates on Fedora 13 readiness items such as media art and starting the Fedora 14 process. Security Advisories covers security-related patches released in the past week for currently supported versions of Fedora. This week's issue is completed with more great updates on the Fedora Summer Coding project, including upcoming deadlines, new sponsor details, and an updated FAQ. Read on with FWN 225!"

Full Story (comments: none)

openSUSE Weekly News, Issue 123

The openSUSE Weekly News for May 15, 2010 is out. "This Week was very busy. In the next Week we have the Release of the Milestone 7. This will be the last Milestone. After that we have just the Release Canidates. I'm very happy of that. The other Place i'm working is the new Wiki. The Reviewing Process goes on. If anyone speak the english Language, you are welcome to help out in the Reviewing Process. If you are interested, just send a Mail to opensuse-wiki AT opensuse.org. But this is a closed list, you have to subscribe first. So we're hoping, that you like the new Weekly News. We wish you many joy by reading it..."

Comments (none posted)

Ubuntu Weekly Newsletter #193

The Ubuntu Weekly Newsletter for May 15, 2010 is out. "In this issue we cover Ubuntu Developer Summit - Ubuntu 10.10 - Maverick Meerkat planned, Ubuntu Developer Summit -M Videos, Unity, and Ubuntu Light, A Case for Modifying the Ubuntu Release Schedule, New Default Applications In Ubuntu Netbook Edition 10.10?, Ubuntu Stats, Ubuntu DC LoCo InstallFest, Release Party In Uruguay was a Big Hit, Welcome To Ubuntu in Maryland! May 20th, Ubuntu Release Party 10.04 - Alagoas, Ubuntu Hams - Our First UDS Session was Great, Clarifications around Ubuntu using "Google Chrome", UDS-Maverick recap, BTRFS By Default In Maverick?, Testing Ubuntu Releases, Receive Ubuntu bugs by mail with the Debian PTS, Columbia Areas Linux User Group - Featured speaker Mackenzie Morgan, In The Press, In the Blogoshpere, Canonical's Ubuntu support scope, Commercial bug-fixes for Ubuntu, Upcoming Meetings and Events, Updates and Security, And much much more..."

Full Story (comments: none)

ABC GNU/Linux (Dr. Dobb's Journal)

Dr. Dobb's Journal looks at ABC GNU/Linux. "It involves a free software-based distribution (Ubuntu), is live as well as installable, and is capable of automatically configuring a cluster of up to 254 computers. Castanos said, "100 PCs are purchased and my DVD is inserted into one of these and booted, either from the DVD or installed in the hard disk itself. This computer and the rest of the machines are connected together by a switch (a device that acts like a router). When the rest of the machines are booted, using a BIOS (basic in/out system) specifying which device is to be booted, they are told what to do by means of the network card. All are booted from the DVD itself -- or the hard disk if installed -- registered, and connections are created between them.""

Comments (none posted)

QA: Fedora Project Lead Paul Frields on the "Grown Up" Distro (Linux.com)

Henry Kingman talks with Fedora Project Leader Paul Frields about Fedora 13 and more. "Kingman: I guess a change of leadership like that kind of invites some high-level questions. How would you describe Fedora's identity and place within the greater open source software world? Who do you see as the target Fedora user? Frields: In the context of all other distributions, I believe we have a number of distinguishing qualities. First, I think we do the best job of balancing innovation -- including the latest and greatest open source features -- and also combining that with a completely open and transparent development process. That's truly in support of the open source principles that a lot of people and communities espouse. And, that combo sets Fedora apart, and different effects come out of that."

Comments (none posted)

The five best things coming in Fedora 13 Linux (ComputerWorld)

Steven J. Vaughan-Nichols talks with Paul Frields about the five best features in Fedora 13. "When Fedora 13, Goddard, is released on May 25, it's not going to be your usual Fedora Linux release. In the past, Fedora has been seen as a great Linux distribution for Linux experts. Paul W. Frields, the Fedora Project leader, told me though that this release is more new-user-friendly and that is no longer just for experienced Linux users. Based on my early look at this Red Hat community Linux distribution, I agree."

Comments (none posted)

Five Best Linux Netbook OSes - for Now (Linux.com)

Joe "Zonker" Brockmeier surveys the Linux netbook distributions at Linux.com. "What makes a distro one of the best choices for netbooks? It has to be easy to install, support netbook hardware relatively well, and should offer an interface that's well-suited for netbooks. Not every distro will support all hardware out of the box, but some distros are better than others at handling a wide range of hardware. Also, it has to be free to download and easy to get."

Comments (29 posted)

Building DVD discs with Bombono

DVD authoring can be a deceptively tricky business. Though it can take some time to convert source video to the proper MPEG format, the technical requirements for the various regions are standardized, so it is at least possible to configure the conversion tools and do it right, once and for all. What cannot be automated is building the disc structure that distinguishes a user-friendly disc with chapters, eye-pleasing menus, and a file hierarchy that makes sense from a down-and-dirty, technically-it-plays-but-it-looks-awful amateur job.

There are several actively-developed DVD authoring tools for Linux desktops and command-line environments today, including QDVDAuthor, DeVeDe, ManDVD, and DVDStyler. They vary quite a bit in ease-of-use and the number of disc-building options they support. We have covered several of these alternatives in the past.

One of the newest options is called Bombono, a GTK+-based disc authoring application that focuses on simplicity. The project provides packages on its download page for many Linux distributions and FreeBSD. The most recent release is 0.6, from April 16. No special dependencies are required; mjpegtools, the TwoLAME MP2 encoder, and dvdauthor are the only packages needed outside of standard GNOME components.

Of course, one reason Bombono has so few dependencies is that it makes no attempt to tackle one of the key tasks involved in producing a DVD from arbitrary video and audio content: preparing the media. Bombono requires that you convert your videos to compliant MPEG-2 format in an external tool; it recommends nonlinear video editors such as Kdenlive or stand-alone FFmpeg frontends such as WinFF. Which of these options works best in practice is a matter for individual exploration; it often depends greatly on the format of the source video. In any event, Bombono has zero margin for error for acceptable MPEG formatting, but it does at least prevent you from adding non-compliant video, and warns you about which file properties constitute the problem.

Getting started

With compliant MPEG video in hand, you can launch Bombono and immediately start working on a new disc project. The interface splits the application into three tabs, one for each of the three sequential steps in the process. "Source" allows you to add all of the media you will use (including video content and still images for menus) and to bookmark chapter divisions in the video media if desired. "Menu" provides a canvas on which you compose menu screens, and link individual menu items to videos or to other menus. "Output" controls writing the final disc image or directly burning your creation to an optical drive.

The interface is simple to understand; it is uncluttered and clearly labeled. It does, however, incorporate some peculiarities that stray from the normal GNOME human interface guidelines — most notably, the menu bar includes not only menus ("Project," "Go," and "Help"), but a tab-selector for the Source / Menu / Output mode tabs, and a drop-down listbox for selecting the disc capacity. Neither element impedes the application's usability, but they look out of place, as do several UI elements rendered in non-default font sizes and weights.

Nevertheless, with a disc needing to be crafted, one can overlook such things and concentrate on the task at hand. Bombono includes a file browser for adding video and image media, but also supports drag-and-drop from the system file manager. It can also extract video from a physical DVD or a DVD image, courtesy of a guided wizard found in the Project menu as "Add Videos from DVD...", and save single video frames as still images. Everything added is listed together in a project-wide "media list" which makes another appearance in the menu-creation process.

Apart from simply adding the relevant files, the Source tab's main feature is the ability to mark chapter break-points in video media. A simple timeline and preview window allow you to seek to the break-points you wish to add, then mark them with a right-click. A full video player is not built in, although you can open the selected video in GNOME's Totem player from the right-click menu.

Menu building

The menu-building interface is sparse, but again, easy to work with. First, you add a new menu via the plus-sign button in the Menu List. Selecting a menu in the list does not make it editable, though; to do that you must click the "edit" button, which is a green circle.

You can then build the menu design on the canvas, adding a background color, text elements, and dragging images or videos from the media list. All of the project media added in the Source tab is accessible in the media list, and video chapters are selectable as distinct elements, which allows you to build a "chapter menu" without much effort. Videos and images that you place on the canvas will be rendered as fixed-size thumbnails; chapter videos use the first frame of the chapter as their thumbnail image.

To make menu elements do something, you must add a link to them via the right-click menu. There, the Link submenu is populated with both the video content of the disc (chapters included) and the existing menus. Linking an image or text element to a video will cause it to play the video (or video chapter); linking to a menu will cause it to jump to that menu.

Those are the basics. Bombono offers a handful of layout tools, including the ability to align selected elements to each other, and bare-bones font options. It does not, however, check your links for a proper hierarchy, so if you forget to add "return to main menu" links to your submenus, you are on your own. Similarly, the image support is bare-bones; you can scale but not crop images, and you cannot change the z-ordering of any page elements — the order they are added to the page is the order in which they stack vertically.

By default, videos and stills are placed on the canvas in rectangular frames. To create a slightly more complicated look, you can change the frame shape from the drop-down menu in the toolbar. Hexagons, rounded rectangles, and alpha-transparent border fades are supplied. The project's documentation includes some incomplete instructions about creating your own frames; hopefully that will be expanded in the future.

On the other hand, Bombono's right-click linking is very difficult to get wrong. Working with the application might remind those old enough of Apple's Hypercard; Bombono keeps track of the linkable elements for you, and makes it impossible to create a semantically invalid link, which is something it is possible to do with more complex DVD authoring tools that take a scripting-like approach.

Outputting

The actual DVD image creation is handled by the external dvdauthor tool. Bombono lets you burn a disc directly, write out an ISO image, or write a DVD content folder than can be burned to disc by another application. Dvdauthor's output is written to a "Details" window as the authoring process proceeds; if it fails you can inspect the output there to try and determine the cause of the problem.

Tracking down an error caused by a moved file might be easy, but it is also possible for Bombono's menu editor to produce invalid intermediate XML that will throw an error when fed to dvdauthor. I encountered this problem when producing a test ISO. The DVD failed to burn, reporting that one of the buttons attempted to link to a chapter that did not exist in the video. How that happened is still a mystery; it isn't possible in the GUI to link to a chapter that doesn't exist, so the erroneous reference obviously had some other cause.

In such a situation, the only recourse is to open up Bombono's XML project file and look for empty attributes. This is made more difficult because the application assigns automatic names (such as Media.0.0) to disc elements, rather than using the source element's name, and because there is some ambiguity in the way non-video elements are treated. For example, a still image can be added to a menu directly, in which case it is automatically created within a frame, or the frame can be added first and the image added to it as a "Poster" element. The two appear identical, but in the former case the image is added to the frame as "Ref" element instead of a "Poster" and evidently produces different behavior when linked to a video. A little trial-and-error time is probably a wise idea before starting work on the big Annual Report DVD.

Once the kinks are worked out, however, you can open a DVD ISO image in VLC Player (or any other media player with full DVD support) to test its playback and menu functionality, without burning it to a physical disc.

Closing credits

DVDs can support a lot of non-essential features (such as alternate audio tracks, animated menus, multiple subtitles, and the rarely used "alternate angles"); most authoring tools start out supporting a small subset and slowly add more features as they progress. Looking at the support forum and issue tracker for Bombono, it appears that developer Ilya Muravjov is resisting the temptation to add too much too soon.

That is certainly wise. Some of the more feature-laden DVD authoring suites, such as QDVDAuthor, become tricky to use by virtue of supporting complex menu structures and DVD features. Although it is good to have the options available, for the majority of Linux users crafting a DVD is an occasional task at best. Still, it would be nice to see Bombono add one or two more features to help in the editing process — such as better layout tools, perhaps rulers and z-ordering, and some support for subtitle tracks.

For right now, though, if you are asked to put video content onto a disc that will play in a typical consumer DVD player, Bombono is a quick and straightforward solution.

Comments (14 posted)

Quotes of the week

-- KMyMoney 4.0 coming soon

-- Arjan van de Ven

Comments (none posted)

CKAN 1.0 released

The Comprehensive Knowledge Archive Network (CKAN) has set itself the goal of becoming "the Debian of data," providing access to free datasets worldwide. The project has just announced the 1.0 release of its core software. "After 3 years of development, twelve point releases and a several successful production deployments around the world CKAN has come of age!"

Comments (4 posted)

DiffPDF 1.0.0 released

The DiffPDF 1.0.0 release is out. DiffPDF presents a side-by-side view of two PDF files, highlighting the differences between them. It can compare files based on text only, or by also taking appearance (formatting and such) into account.

Full Story (comments: 2)

Django 1.2 released

The Django 1.2 release has been announced. The list of new features is long; it includes support for multiple database connections, a model validation mechanism, object-level permissions, a number of spatial database backends, and more. See the release notes for details.

Comments (3 posted)

The Google Font Directory

Google has launched the Google Font Directory, a collection of freely-licensed web fonts. From the announcement: "Google has been working with a number of talented font designers to produce a varied collection of high quality open source fonts for the Google Font Directory. With the Google Font API, using these fonts on your web page is almost as easy as using the standard set of so-called 'web-safe' fonts that come installed on most computers."

Comments (none posted)

Hardware Locality (hwloc) v1.0 released

Version 1.0 of the hwloc system is available. "hwloc provides command line tools and a C API to obtain the hierarchical map of key computing elements, such as: NUMA memory nodes, shared caches, processor sockets, processor cores, and processor "threads". hwloc also gathers various attributes such as cache and memory information, and is portable across a variety of different operating systems and platforms." There's a lot of changes since the previous release; click below for the details.

Full Story (comments: none)

Lightspark Flash player goes beta

Responding to the acute lack of beta-quality free Flash players, the Lightspark developers have announced a beta release. "Mostly complete support for the newer version of the flash scripting language: ActionScript 3.0, introduced with Flash 9. Both an interpreter and a JIT engine based on LLVM are provided. The previous versions of the language (supported by Gnash, which does not support 3.0) run on a completely different, and quite weird, virtual machine."

Comments (10 posted)

MDP release 2.6

The Modular Toolkit for Data Processing (MDP) is described this way:

The 2.6 release is now available; it includes a number of new classifier nodes, a dynamic extension mechanism, the ability to deal with bidirectional flows, and a new flow inspection tool.

Full Story (comments: none)

PostgreSQL Security Update Releases

The PostgreSQL project has released versions 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29. Each of these fixes some "moderate-risk security issues," all tied to the PL/perl and PL/tcl extension mechanisms. Several other important bug fixes are included as well.

Full Story (comments: none)

SeaMonkey 2.1 Alpha 1 released

The first alpha of SeaMonkey 2.1 is out; it's not for regular use at this point, but it does show what the SeaMonkey developers are working on this time around. Significant changes include a number of performance improvements, full-screen HTML5 video, resizeable text areas (no more typing long stuff into tiny boxes!), some privacy improvements, and more.

Full Story (comments: none)

VirtualBox 3.2 released

Version 3.2 of VirtualBox (now "Oracle VM VirtualBox(TM)") has been released. New features include support for Mac OS X guests, a memory balloon driver, memory deduplication, CPU hotplugging, large page support, and more; see the changelog for details.

Full Story (comments: 8)

Google's WebM video codec project launches

WebM is a new project launched by Google and supported by a long list of free software projects (Mozilla, GStreamer) and companies. It is based on the Matroska container format, the Vorbis audio codec, and the (just freed) VP8 video codec. "A key factor in the web's success is that its core technologies such as HTML, HTTP, TCP/IP, etc. are open and freely implementable. Though video is also now core to the web experience, there is unfortunately no open and free video format that is on par with the leading commercial choices. To that end, we are excited to introduce WebM, a broadly-backed community effort to develop a world-class media format for the open web."

Comments (36 posted)

Development newsletters from the last week

• Caml Weekly News (May 18)
• PostgreSQL Weekly News (May 16)
• Tcl-URL! (May 14)

Comments (none posted)

How to Become Linus Torvalds (The H)

Over at The H, Glyn Moody looks at Linus Torvalds's management style, its history, and how it can be applied elsewhere. "Now, there is only one Linus, but I believe that general approach is starting to move out into other spheres. In part, that's because adaptations of the open source development methodology — based on a modular, distributed, collaborative development model — are being applied in more and more fields, from content to science and even to government. That approach brings with it a need for a different kind of management: top-down just doesn't work in these circumstances."

Comments (11 posted)

A technical analysis of VP8

Jason Garrett-Glaser has posted what he claims is The first in-depth technical analysis of the VP8 codec. The "in-depth" part is certainly right. "Overall, VP8 appears to be significantly weaker than H.264 compression-wise. The primary weaknesses mentioned above are the lack of proper adaptive quantization, lack of B-frames, lack of an 8x8 transform, and non-adaptive loop filter. With this in mind, I expect VP8 to be more comparable to VC-1 or H.264 Baseline Profile than with H.264. Of course, this is still significantly better than Theora, and in my tests it beats Dirac quite handily as well." (Thanks to Martin Jeppesen).

Comments (37 posted)

OpenOffice.org announces Summer Internship Programme

The OpenOffice.org Community has announced the launch of its Summer Internship Programme. "Students from all over the world are invited to take their first steps in OpenOffice.org development. A cash bounty up to 3.500 EUR per enhancement or bug fix is available. Participants will benefit by learning from experienced mentors from the worldwide community, gaining valueable skills -- not to mention the opportunity of coding for millions of users worldwide."

Full Story (comments: none)

Doctorow: Saying information wants to be free does more harm than good (guardian.co.uk)

Over at guardian.co.uk, Cory Doctorow thinks it's time that we kill off a "slogan" that's being used against us by media and other companies. "'Information wants to be free' (IWTBF hereafter) is half of Stewart Brand's famous aphorism, first uttered at the Hackers Conference in Marin County, California (where else?), in 1984: 'On the one hand information wants to be expensive, because it's so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.'"

Comments (12 posted)

EFF: Web Browsers Leave 'Fingerprints' Behind as You Surf the Net

The Electronic Frontier Foundation reports that most web browsers have unique signatures that create identifiable "fingerprints". "The findings were the result of an experiment EFF conducted with volunteers who visited http://panopticlick.eff.org/. The website anonymously logged the configuration and version information from each participant's operating system, browser, and browser plug-ins -- information that websites routinely access each time you visit -- and compared that information to a database of configurations collected from almost a million other visitors. EFF found that 84% of the configuration combinations were unique and identifiable, creating unique and identifiable browser "fingerprints." Browsers with Adobe Flash or Java plug-ins installed were 94% unique and trackable."

Full Story (comments: 16)

Kees Cook: yay for barriers

In the comments following a recent LWN article there was a bit of fuss over an Ubuntu developer filing a bug report in the Fedora bugzilla. Kees Cook, the aforementioned developer, responds to the critics. "The bug was, from my perspective, a serious issue. Since I'd managed to reproduce it in another distro, it was my duty as a Free Software developer to report it to them. And, in what I felt was an unambiguous gesture, I made sure to include the link to the upstream kernel bug. Reproducing it in Ubuntu, in Fedora, and with a stock kernel had me confident that it was an upstream issue. While Ted did correctly suspect the issue was upstream, I really didn't want to just open an upstream bug and have it be ignored. I wanted some additional proof of reproduction, which I got when I tested it on Fedora."

Comments (66 posted)

Linuxcare returns with focus in the cloud (ComputerWorld)

ComputerWorld reports that Linuxcare is back, once again under the control of original founder Arthur Tyde. "This time around, instead of offering general-purpose Linux and open-source software support, Linuxcare is all about providing affordable services for companies migrating to open-source cloud computing."

Comments (3 posted)

Laprévote: About Mandriva's current situation

Mandriva CEO Arnaud Laprévote addresses rumors that Mandriva is for sale. "Mandriva has always been involved in investment and aquisition processes. Over the past years, Mandriva bought Edge-IT, Conectiva and Linbox FAS. Today, Mandriva is in takeover talks with various investors. These discussions concerning new investments in Mandriva are not new, they have happened all throughout the life of the company, and there are still going on today. We want to stress out the fact that Mandriva has not been bought by anybody."

Comments (none posted)

Mueller: The DPL and the 'Fair Troll' business model

Florian Mueller ponders the defensive patent license (which was covered here in April) as a potential force for long-term good. "The key thing about a Fair Troll is that he would have to make that patent irrevocably available to all members of the DPL pool on DPL terms. So a Fair Troll would only attack companies outside the DPL pool. Those could again eliminate or at least greatly reduce the problem by joining the DPL when they get attacked. A Fair Troll would have to leave peaceful people alone but would have to pursue all others relentlessly. In fact, the better the Fair Troll does his job, the more he will contribute to the DPL cause and the more attractive it will be for community members to work with him."

Comments (29 posted)

Tobias Rundström: What ever happened to XMMS.ORG?

Tobias Rundström reports XMMS.ORG has been sold to a possible phisher and should not be trusted for source code any longer. "Over the years XMMS development stagnated to a very slow pace and 4Front didn’t really make that much noise either. That all changed a couple of weeks ago when the XMMS.org webserver admin received a email from 4Front CEO Dev Mazumdar, stating that he had sold the domain to a company and wanted a full webpage dump. Needless to say, that was pretty surprising! We immediately responded that we where interested in taking over the domain instead, since a lot of us where still actively using it for email and personal webspace. The reply was “We invested a lot of money into XMMS development”, which is an interesting reply on all accounts. Quickly after that the domain was moved and we barely had time to move all our accounts away from the addresses, Dev told us that we should just use xmms.se and xmms2.org instead."

Comments (none posted)

HTC sues Apple for patent infringement

HTC has returned Apple's favor and filed a patent infringement suit seeking to halt imports and sales of iPhones, iPads, and iPods in the US. The press release says that five patents are involved, but we do not, yet, have a list of what those patents are. (Thanks to Keith Edmunds).

Comments (2 posted)

Hackers--New from O'Reilly

"Hackers, Heroes of the Computer Revolution--25th Anniversary Edition" has been released by O'Reilly.

Full Story (comments: none)

Linux Foundation Monthly Newsletter: May

The Linux Foundation newsletter for May 2010 covers * Keynote Speakers Confirmed for LinuxCon North America, * LinuxCon and Torvalds Go to Brazil, * Individual Members Spotlighted in New Linux.com Series, * Linux Foundation Appoints Directors in China and Taiwan, * Linux.com Store T-shirt Contest Voting Underway, * ServInt Joins The Linux Foundation, * The Linux Foundation in the News, and * Upcoming Training Courses from The Linux Foundation.

Full Story (comments: none)

Keynote Speaker at Akademy 2010: Aaron Seigo Interview (KDE.News)

KDE.News has an interview with Aaron Seigo. "These days I am the lead developer and designer for Plasma, which is a set of projects aimed at creating both a component system designed for creating amazing primary user interfaces (those things you see when you log in or first turn on a device) quickly and easily as well as creating a set of such user interfaces for the desktop, netbook, tablet, mobile and eventually media center profiles. Outside of that work, I spend a fair amount of time on community related issues: where are working well together? Where aren't we? Why? The challenge is to find good answers that fit naturally within the culture of KDE."

Comments (none posted)

BIND 10 Mascot Contest

The Internet Systems Consortium is holding a contest to find a mascot for BIND. "Linux has Tux, the penguin, BSD has its Daemon, ISC's user community deserves its own little creature to learn to love, just as love for BIND grows. Participation is easy. Submit your entry through the form below, review and accept the contest rules and you're in! Make sure to get your image in before June 11, 2010."

Comments (none posted)

Learn Linux, 101: Debian package management (developerWorks)

IBM developerWorks has an article on Debian package management. "Learn how to install, upgrade, and manage packages on your Linux system. This article focuses on the Advanced Packaging Tool, or APT, which is the package management system used by Debian and distributions derived from Debian, such as Ubuntu. You can use the material in this article to study for the LPI 101 exam for Linux system administrator certification, or just to explore the best ways to add new software and keep your system current."

Comments (none posted)

Learn Linux, 101: RPM and YUM package management (developerWorks)

IBM developerWorks has an article on RPM and YUM package management. "Learn how to install, upgrade and manage packages on your Linux system. This article focuses on the Red Hat Package Manager (RPM) developed by Red Hat, as well as the Yellowdog Updater Modified (YUM) originally developed to manage Red Hat Linux systems at Duke University's Physics department. You can use the material in this article to study for the LPI 101 exam for Linux system administrator certification, or just to explore the best ways to add new software and keep your system current."

Comments (none posted)

Desktop Summit 2011 Extends Deadline for Call for Hosts

The KDE and GNOME communities are looking for a host for the Desktop Summit 2011. The Call for Hosts will be open until June 9, 2010.

Comments (none posted)

Magnolia-CMS Conference 2010, Call for Papers

The Magnolia-CMS Conference 2010 will be held in Basel, Switzerland, September 16-17 2010. The call for papers is open until June 13, 2010. "The Magnolia Conference draws current and potential Magnolia users, partners, and community contributors from all over the globe, to meet and learn about open source, standards-based Java CMS. Through expert instruction, hands-on tutorials, case studies, and presentations, attendees will gain the knowledge they need to rapidly build open source content management solutions with Magnolia."

Full Story (comments: none)

Piksel10 :: open Call for PROJECTS

Piksel is an international event for artists and developers working with free and open source technologies in artistic practice. It takes place in Bergen, Norway, November 18-21, 2010. The call for projects is open until June 1, 2010.

Full Story (comments: none)

Call for Papers: Workshop on Self-sustaining Systems (S3) 2010

The Workshop on Self-sustaining Systems (S3) takes place in Tokyo, Japan, September 27-28, 2010. The call for papers is open until July 30, 2010. "The Workshop on Self-sustaining Systems (S3) is a forum for discussion of topics relating to computer systems and languages that are able to bootstrap, implement, modify, and maintain themselves. One property of these systems is that their implementation is based on small but powerful abstractions; examples include (amongst others) Squeak/Smalltalk, COLA, Klein/Self, PyPy/Python, Rubinius/Ruby, and Lisp. Such systems are the engines of their own replacement, giving researchers and developers great power to experiment with, and explore future directions from within, their own small language kernels."

Full Story (comments: none)

Linux Foundation Announces LinuxCon Brazil

The Linux Foundation has announced a new conference: LinuxCon Brazil, to be held August 31 - September 1 in Sao Paulo, Brazil. Confirmed speakers include Linus Torvalds and Andrew Morton. Oh, and some guy named Jonathan Corbet, too. "Brazil has long been recognized as one of the fastest growing countries for Linux adoption. The Brazilian government was one of the first to subsidize Linux-based PCs for its citizens with PC Conectado, a tax-free computer initiative launched in 2003. Nearly a decade later, Linux is accelerating both in its enterprise adoption and its functionality around the globe. Brazil's active and knowledgeable community of Linux users, developers and enterprise executives bring an important perspective to the development process and to the future of Linux."

Comments (3 posted)

Events: May 27, 2010 to July 26, 2010

The following event listing is taken from the LWN.net Calendar.

Date(s)	Event	Location
May 24 May 30	Plone Symposium East 2010	State College, PA, USA
May 27 May 30	Libre Graphics Meeting	Brussels, Belgium
June 1 June 4	Open Source Bridge	Portland, Oregon, USA
June 3 June 4	Athens IT Security Conference	Athens, Greece
June 7 June 10	RailsConf 2010	Baltimore, MD, USA
June 7 June 9	German Perl Workshop 2010	Schorndorf, Germany
June 9 June 12	LinuxTag	Berlin, Germany
June 9 June 11	PyCon Asia Pacific 2010	Singapore, Singapore
June 10 June 11	Mini-DebConf at LinuxTag 2010	Berlin, Germany
June 12 June 13	SouthEast Linux Fest	Spartanburg, SC, USA
June 15 June 16	Middle East and Africa Open Source Software Technology Forum	Cairo, Egypt
June 19	FOSSCon	Rochester, New York, USA
June 21 June 25	Semantic Technology Conference 2010	San Francisco, CA, USA
June 22 June 25	Red Hat Summit	Boston, USA
June 23 June 24	Open Source Data Center Conference 2010	Nuremberg, Germany
June 26 June 27	PyCon Australia	Sydney, Australia
June 28 July 3	SciPy 2010	Austin, TX, USA
July 1 July 4	Linux Vacation / Eastern Europe	Grodno, Belarus
July 3 July 10	Akademy	Tampere, Finland
July 6 July 9	Euromicro Conference on Real-Time Systems	Brussels, Belgium
July 6 July 11	11th Libre Software Meeting / Rencontres Mondiales du Logiciel Libre	Bordeaux, France
July 9 July 11	State Of The Map 2010	Girona, Spain
July 12 July 16	Ottawa Linux Symposium	Ottawa, Canada
July 15 July 17	FUDCon	Santiago, Chile
July 17 July 24	EuroPython 2010: The European Python Conference	Birmingham, United Kingdom
July 17 July 18	Community Leadership Summit 2010	Portland, OR, USA
July 19 July 23	O'Reilly Open Source Convention	Portland, Oregon, USA
July 21 July 24	11th International Free Software Forum	Porto Alegre, Brazil
July 22 July 23	ArchCon 2010	Toronto, Ontario, Canada
July 22 July 25	Haxo-Green SummerCamp 2010	Dudelange, Luxembourg
July 24 July 30	Gnome Users And Developers European Conference	The Hague, The Netherlands
July 25 July 31	Debian Camp @ DebConf10	New York City, USA

If your event does not appear here, please tell us about it.

Ubuntu Developer Summit Audio Recordings

Audio recordings from the Ubuntu Developer Summit are available. "http://uds.ubuntu.com/audio/uds-m has the audio files in Ogg Vorbis format for download. There are separate sub-directories for each day from Monday through Friday, and the files are timestamped and named based on the rooms that sessions happened in."

Comments (none posted)