Recently, I had the opportunity to attend GUADEC in The Hague, Netherlands and was quite impressed by the conference and the GNOME project itself. There were many more sessions than one could possibly attend, and too many attended to do a full write-up on. Rather than let the notes languish on the laptop hard drive, though, a brief look at some of the other sessions I sat in on seems warranted.
The conference venue, De Haagse Hogeschool—College (or University) of The Hague—was an excellent facility for GUADEC, with plenty of room for the sessions as well as a nice atrium in the center for the always important "hallway track". The city was quite nice as well, with easy walking to most things, and ever-present trams for places that were further away. While there was a fair amount of the expected rain during GUADEC, there were some very nice weather days as well. I took the opportunity to do a little wandering around the city center—where the conference hotel was located—my only regret is that I never made it to the Escher Museum; another trip there is clearly called for.
Luis Villa was not the only one who thought that GNOME should become more web-focused; there were several other presentations that looked at various aspects of how to make that happen. Xan Lopez of Igalia and Gustavo Noronha of Collabora nearly short-circuited their presentation by stating their agreement with Villa and John Palmieri—who has also pushed "GNOME web"—followed by the traditional "Questions?" slide. After the laughter died down, they pushed on to look at the history of desktops and the web, as well as how they saw GNOME fitting in.
Lopez and Noronha noted that the basics of the desktop were invented by Alan Kay in the 1970s and have been incrementally improved since then. "Apple made it [the desktop UI] popular, Microsoft made it really popular, we are trying to make it free." Web applications are rapidly catching up to the desktop in functionality, though, and the perception is that the desktop is "losing momentum".
They looked at the evolution of web support in GNOME, starting with gtkhtml, which was "not feature complete", to Gecko and gtkmozembed, which was problematic because it focused on the browser, not those who wanted to embed an HTML renderer. The most recent effort, WebKitGTK, has a number of advantages, they said. WebKit was designed "from the ground up" to be embedded. It is also easier to have a voice in WebKit development because there are multiple vendors using it, unlike Gecko which is focused on Mozilla's needs.
In addition, WebKit uses existing libraries that are already used by GNOME. For example, Gecko uses the Necko library for networking, but WebKit uses libsoup. WebKitGTK is "much better suited for us", they said. They also listed multiple GNOME applications that are using the toolkit for rendering, like Banshee and Rhythmbox embedding browser windows into their interfaces, multiple different browsers, the Liferea RSS reader for its display, and even things like Gwibber and Empathy are using it for "sexier" message display as well as more flexible layout and theming.
The "web does not exist in a vacuum" and GNOME has lots of components to bring to the table, they said. Things like Cairo for vector graphics or GStreamer for multimedia are used by WebKit, so the two projects have much in common. In the mobile space, they noted that Litl and Palm's WebOS both treat all of their applications as web applications, but use GNOME underneath. Lopez and Noronha clearly see WebKitGTK as the way forward for GNOME.
MeeGo hacker Rob Bradford of Intel gave a presentation on a concrete example of integrating web services into GNOME using LibSocialWeb and librest. The basic idea is to keep interested applications informed of updates to the user's social web applications, like Facebook, Flickr, Twitter, and others. Applications can use a D-Bus interface to LibSocialWeb to register their interest in various kinds of events and then to receive them asynchronously.
Backends are responsible for talking with each of the web services, and each has its own D-Bus service. Currently there are backends available for the most popular services and, depending on the API provided by the service, they can also update the service (i.e. sending Facebook status updates or a photo to Flickr) in addition to being a passive listener. The backends periodically connect to the service, parse the returned XML, and notice things that have been added or changed. There is a common core, which is shared by most of the backends to do the parsing and noticing.
For handling the communication tasks, librest is used. It targets RESTful web applications, and includes a simple XML parser—as a wrapper around the more powerful libxml2—to parse data returned from web applications. Traditional XML parsing is "overkill for the simple data returned from most web services", he said.
The goal is to get LibSocialWeb added as an external dependency for GNOME 3, so that GNOME applications can take advantage of it. There is still lots to do before that can happen, Bradford said, including reworking the client-side API as there is "just enough" now to be able to demonstrate the functionality.
In addition to interacting with the "standard" social web services, he also discussed other uses for LibSocialWeb. Using libchamplain to display maps that include location information retrieved from the web (or by doing an IP address to location lookup using GeoClue) is one. He also described a small application that he wrote in 20 minutes to search compfight.com for Creative-Commons-licensed images that could be used as a screen background, which could be integrated into the GNOME control center.
All told, LibSocialWeb and librest seem like a way forward for GNOME applications that want to be more "webby". They will presumably get a good workout in MeeGo, which should shake loose many of the bugs and limitations.
With Seif Lotfy acting as a "master of ceremonies" of sorts, several members of the Zeitgeist team gave short presentations about aspects of the desktop event collector and advances made since it was introduced at last year's desktop summit. The Zeitgeist engine is a means to capture events, like file access, application use, or communication action, as the user does them, and then allow applications to query the events. The idea is that various user interfaces, like the GNOME activity journal, Nautilus, or Docky, can then present that information in different ways to help users keep track of what they were doing, when, where, and so on.
Thorsten Prante described the deployment of Zeitgeist in different applications and provided use cases of how the data gathered might be used. The activity journal gives a timeline-based look at what the user was doing on different days or at different points within a day. It can then answer questions like "when did I do X?", and "what else did I do then?". But it goes further than that as correlations can be made with location or other applications or documents used at the same time.
This gives users a "time-referential access" to their activities, which will help them "go back to where [they] left off", he said. Correlating that information with chat and email history "can show the big picture of what you've been doing". Adding application-specific information like browser history can help give a better context for which related tasks the user was performing—leading to better workflow.
Former Google Summer of Code participant—now core maintainer—Siegfried Gevatter talked about the Zeitgeist framework. Over the last year, a new, better performing database structure has been adopted, along with a more powerful D-Bus API. Applications can push events into Zeitgeist using Python, C, Vala, or directly using the D-Bus interface.
The framework is "intended to be enhanced with plugins", he said. Those plugins are written in Python, reside in the Zeitgeist process, and "manipulate events in and out". They can provide their own D-Bus API and handle tasks like blacklisting, geolocation, adding file content and full text search events, etc. At the end of his mini-presentation, Gevatter demonstrated an application that placed various activities on a map (from OpenStreetMap naturally) so that a user could see where, geographically, they were when they performed those tasks—all in "200 lines of Python".
After that, Youness Alaoui presented the newest part of Zeitgeist: the Teamgeist framework. Teamgeist was motivated by a "lack of real-time collaboration tools", he said. Sharing desktop events between team members is the idea behind the framework, so that others can see what you were doing and pick up where you left off. Teamgeist started with a prototype last year and, since then, Collabora sponsored work on a "full-fledged" implementation.
The criteria for sharing events are under the control of each user, but there are multiple use cases that Alaoui presented, including sharing of online research progress, files edited, documents created, and so on. Teamgeist uses Telepathy "tubes" to exchange events currently, but other transports could be added, sharing events through email for example. The vision for Teamgeist is that teams could be fully aware of what the other members are doing, sharing files and documents through version control repositories or via some kind of cloud storage.
The most eye (and headline) catching result from Dave Neary's GNOME census report was the less-than-stellar ranking of Canonical among corporate contributors, but that was certainly not the thrust of his presentation. He set out to examine the makeup of GNOME committers because he "thought it would be an interesting thing to know". But he also pointed out that partners and potential partners, the press, big institutional clients, vertical application developers, and headhunters all have expressed interest in that kind of data at times.
Neary measured changesets, rather than lines of code (LoC), because LoC is "not a good measure", though he admitted that changesets was not a perfect measure either. He looked at the commits from the GNOME 2.30 release in March 2010 and before, omitting some external dependencies, deprecated modules, and GNOME mobile.
He used various tools to gather his statistics, gitdm and CVSAnaly primarily along with a number of shell scripts. He put the data into MySQL for easy access and querying and used Gnumeric for his charts. One of the biggest difficulties was to try to disambiguate multiple email addresses that corresponded to the same developer and to properly attribute developers' contributions to their employer—or to "none" as appropriate.
The slides [slideshare] from the talk show some interesting trends. The "Rhythm" graph shows the number of commits over time, which clearly shows the post-GUADEC flurry of work as well as the steep dropoff in commits at each release point. There is, unsurprisingly, a long tail in the number of commits based on each committer's rank: there are some 3500 committers, with the top 200 accounting for the overwhelming majority of commits—number 1000 in the ranking has only 2 or 3 commits, he said.
There is an interesting mix between two kinds of prolific developers, he said, as they either have "thousands of commits in a few modules or hundreds of commits in many modules". That reflects a split between specialists and generalists among GNOME hackers.
He also looked at the company contributions to GNOME, noting that Red Hat had 16% of the overall commits and "11 of the top 20 contributors" were either former or current Red Hat employees. Red Hat tends to spread its contributions throughout GNOME, while Novell (10%) seems to focus on particular applications. Collabora, third on the list of companies at 5%, is tightly focused on GStreamer and Telepathy.
While he did point out that Canonical came in quite low (1%), that was partly because it was doing a lot of work that it had not yet submitted upstream. "It would be a better strategy to work directly with GNOME", he said. He also noted that there may be a worry because of Nokia's shift to Qt as it had pushed a number of startups to make significant GNOME contributions. If much of that work was funded by Nokia, "what happens going forward?"
His other concern was for the territory that various companies have staked out. Should GNOME be worried for GStreamer and Telepathy if Collabora was to go out of business, he asked. He was clear that he wasn't worried about Collabora's future but about the more general question of GNOME modules that are dominated by a single company—one that could change strategies with little or no warning.
Thorsten Sick, an anti-virus developer at AVIRA, gave a nice overview of the desktop malware landscape, with an eye toward helping GNOME avoid some of the mistakes other desktops have made. He would like to prevent "the Windows malware situation" from developing on the Linux desktop. In his spare time, Sick also contributes to the GNOME Seahorse project, which is an encryption key (e.g. SSH or PGP) manager for the desktop.
Malware has moved from "cool hacker experiments", through "script kiddie stuff", to where it is now, which is a thriving malware economy. Today's attacks are largely focused on extracting money from their victims somehow. But that shift makes for one way to combat these attackers: reducing their return on investment (ROI) will make them turn to easier targets.
The malware scene has gotten more sophisticated over time as well; today's attacks will try to hide from scanners and will adjust to anti-virus detection within hours. Malware is sold with support contracts and guarantees of evading detection. Making it more difficult to attack systems, thus raising the price of the malware, is one way to reduce the attackers' ROI. Others include increasing the chance of getting caught, ratcheting up the legal penalties for malware distribution, or reducing the prices for the valuables that can be gained. He noted that a glut of stolen credit card numbers available at one point drastically reduced prices, which probably, temporarily anyway, reduced attacks that targeted credit card numbers.
To the attackers, "Linux is not interesting at all right now because Ubuntu bug #1 is not solved", he said. But that may change as Linux users typically "feel safe" and tend not to use any anti-virus programs on their systems. This makes for a fertile ground for attackers.
He pointed out that many in the Linux community focus on root exploits, but "malware does not need to be root". Today's attacks are focused on user data that is completely accessible without root access. On the other hand, Linux distributions have some advantages over other systems, including easy updating of the system for security problems and various security technologies (SELinux, AppArmor, etc.) that are turned on by some distributions.
His main point was education, and he wants Linux and GNOME to "be prepared" for the attackers turning their eyes to that platform. "Everyone can do a small piece of the puzzle to improve Linux desktop security", he said.
I agree with Brad Kuhn's assessment that if you rate conferences by "inspiration value", this year's GUADEC ranks very highly indeed. Like Kuhn, I also found myself wondering where I might be able to contribute to GNOME, which is a bit amusing given that I generally run KDE—though I am not terribly religious about it. It was a very high-energy conference that clearly indicated a strong and engaged project.
The conference also had two nice parties, one at a club in the city center that was sponsored by Canonical and a beach barbecue that Collabora put on. There were lots of interesting folks to talk to—and play Go with—to complement the wide array of interesting presentations. The only downside for me was a self-inflicted Rawhide upgrade that left me only able to suspend my laptop once per boot—next time testing suspend several times before braving a trans-Atlantic trip seems indicated.
The cow-themed wooden shoe slippers (at right), which were given to me as a speaker's gift, were quite the hit with my wife after I swapped them to a smaller size. I almost regret that switch as I must admit that Lennart Poettering looked rather sharp in the orange version of the slippers during one of his presentations.
In the closing session, Berlin was announced as the location for the next GUADEC, which will be a combined conference with KDE's Akademy making for the second desktop summit. I certainly have high hopes of attending.
[I would like to thank the GNOME foundation for its assistance with travel costs for GUADEC. LWN depends on sponsors for our overseas (and sometimes domestic) travel, and we truly appreciate that help.]
Oracle vice president Wim Coekaerts started off the conference with a keynote talk on how much Oracle likes Linux. The Oracle database was first ported to Linux in 1998, just barely winning a race with Informix to be the first commercial database on Linux. The big push started in 2002; now some 20% of Oracle's installed base runs on Linux (as opposed to 27% on Solaris). Surprisingly enough, Wim's talk did not cover Oracle's lawsuit which was just about to land on Google and its Android Linux distribution.
Oracle, it seems, has a list of things it would like to see improved with Linux. Wim pointed out diagnosis tools (tracing and such) as a weak point; he asked the community to recognize that non-hacker users need to be able to support Linux in production situations and could benefit from better tools. Testing was also high on the list; Wim said that nobody is testing mainline kernels - a claim that was disputed during the kernel panel later the same day. Oracle runs some kernel tests of its own, but would like to see more testing done elsewhere. It would also be nice, he said, if more tests could be added to the kernel repository itself, and if distributors could stay closer to the mainline so that testing results would be more relevant to the kernels they ship.
Oracle also wants to see more testing of the full stack; there is a test kit available to help in this regard.
Wim talked up Oracle's contributions, including work with NFS over IPv6, the contribution of the reliable datagram protocol implementation, support for the T10DIF data integrity standard (making Linux the first platform with that feature), improvements to Xen, and, of course, btrfs. It was a convincing discussion of how much Oracle likes Linux, but Oracle's subsequent actions have ensured that any associated warm fuzzy feelings did not last long.
"Harmony" seems to be a popular choice for controversial projects; your editor first encountered the name associated with an ill-fated attempt to replace the (then) non-free Qt toolkit. The latest Project Harmony touches on another difficult issue: contributor agreements for free software projects. This project is headed up by Canonical counsel Amanda Brock, who ran a BOF session about it at LinuxCon.
The core idea behind this Harmony project is that contributor agreements are a pain. They are seen as a waste of time, they are often unclear and complicated, and it's not always clear who should be signing them. Those who do sign these agreements do not always understand what they are agreeing to. Project Harmony is trying to make life easier for everybody involved by creating a set of standardized agreements that everybody understands. These agreements, we were told, are to be drafted by the Software Freedom Law Center, so we can hope that the end result will not be too contrary to the needs of developers.
There will never be a single, one-size-fits-all agreement, of course, so the standardized version will have a number of options which can be chosen. The especially controversial issue of copyright assignment will be one of those options. Others will include the license to be applied to contributions, indemnification, etc. The idea is to try to cover the wishes of most projects in a standard way.
It seems that quite a few of the people involved with this project are opposed to the idea of contributor agreements (or at least certain types of agreements) in general. They are involved because they realize that these agreements are not going away and they want to keep an eye on the process. One reason that the list of participants has not been made public is that a number of these people do not want to be publicly-associated with the concept of contributor agreements.
Given that, it's not entirely surprising that Project Harmony seems to be treading cautiously and trying not to step on anybody's toes. The end result will not advocate any particular choices, and will avoid calling into doubt any agreements that specific projects may be using now.
Efforts are being made to make the project more transparent; it seems like it's mostly a matter of placating nervous participants. Stay tuned.
Karen Sandler has been a lawyer at the Software Freedom Law Center for some years now. She is also, unfortunately, afflicted with a heart condition which carries the risk of sudden death; one need not be a lawyer to want to try to mitigate a risk like that. To that end, she now has an implanted device which works to ensure that her heart continues to function in a way which keeps the rest of her body happy and healthy. She is, she says, "Karen the cyborg."
Being a free-software-minded cyborg, Karen started to wonder about the software which was about to be implanted into her body. So she went to the various manufacturers of the type of device she needed, asking about the software and whether she could see the source. These manufacturers were somewhat surprised by the request, but wasted no time in turning it down. Karen would really like to take a look at the software which is attached to her heart, but she eventually had to give in and accept the implantation of a closed-source device.
In the process, though, she wrote a paper on software in medical devices for the SFLC. There is, she says, a real issue here: some 350,000 pacemakers are implanted in the US every year, and nobody knows anything about the software on them. Or, it seems, almost nobody knows: some others have already figured out ways to hack these devices. It seems that a number of them use no encryption or security in their communications with the world and can conceivably be made to do unfortunate things.
In general, when the US Food and Drug Administration is considering medical devices for approval, it does not look at the software at all. The agency just does not have the time to do that level of research. But the wider community could look at that code, if it were to be made available. There should be little harm to the manufacturer in releasing its code - if the code is good; patients do not choose pacemakers based on which has the flashiest proprietary code. Like most medical system reforms, this one looks like an uphill battle, but many of our lives may well depend on its outcome.
Stormy Peters is the executive director of the GNOME Foundation, which is concerned with the creation of a free desktop system. Increasingly, though, she has been looking at issues beyond the desktop, and issues surrounding web-based services in particular. Unless we're careful, she says, our use of such services risks giving away much of the freedom that we have worked so hard to build for ourselves.
A lot of people have made a lot of sacrifices over the years, she says, to create our free desktops. Many of them did that work because they believe in freedom. Others, though, worked in this area because they were tired of the blue screen of death and wanted something a little more reliable. The providers of web services have successfully taken away the pain of the BSOD, and, as a result, a lot of us have gotten lazy. We have, Stormy says, forgotten about freedom. As a result, we are becoming trapped by systems which compromise our private information, entrap our data, and may block us out at any time.
That said, people in the community are working on some good initiatives. She mentioned Firefox sync as one example: there are two passwords involved and all data is encrypted so that Mozilla cannot look at (or disclose) it. Also mentioned were identi.ca and the Tomboy online effort.
There are things we should bear in mind when evaluating an online service. One is data: how do you delete it, and what happens to it? Then there's the issue of backups: users should always have a data backup under their control in case they get shut out of the service. We should, Stormy says, create services which make the creation of backups easy. Lock-in is another issue: how easy is it to move to a competing service? And, finally, there is licensing; Stormy is a fan of the Affero GPL, which requires that the source for the service be available.
As free software developers, we should make sure that our software integrates well with online services, and we should be working toward the creation of truly free services. We also need to solve the problem of hosting for these services; she mentioned the Gobby collaborative editor, which, she says, is a great tool with no hosting available. We need better APIs for service integration; Grilo and libgdata were mentioned in this context. And, of course, we need web-aware desktop applications.
All told, it's a tall order, but it's one we have to face up to if we care about our freedom.
The patents all cover various aspects of the implementation of Java-based systems. Some of them seem rather trivial; others are quite broad. One of them, for example, would appear to cover the concept of a just-in-time compiler. Those wanting details can see the complaint itself, which lists the patents in question, and this page on the End Software Patents wiki for a look at each patent and the beginning of an attempt to collect prior art. The short summary, though, is that we're just dealing with another set of obnoxious software patents; these are not the silliest ones your editor has ever seen. The patents used for Apple's attack on Android cover much more fundamental concepts.
The patents may or may not stand up to a determined prior-art defense, but chances are that it will not come to that. Prior art is a hard way to go when defending against patents, which enter the courtroom under the halo of presumed validity. What we may see, instead, is an attempt to push the inadequate Bilski decision to get the whole mess invalidated as a set of unpatentable abstract ideas. That would be a risky course which would take years to play out, but there is the potential, at least, of dealing a severe blow to software patents in general. One can always dream.
Meanwhile, there are many outstanding questions about whether Oracle (or, more precisely, Sun before Oracle) has licensed these patents to the world, either implicitly through the GPLv2 code release, or explicitly via patent grants. Only a court will be able to provide a definitive answer to that sort of question, but it is not obvious that such a license exists. The explicit patent grants are generally tied to exact implementations of the language and library specifications, with neither subsets nor supersets allowed. Android's Dalvik is not such an implementation. There may be an implicit patent grant with Sun's GPL-licensed code, but Android does not use that code. Dalvik is not governed by Sun's license, so it may be hard to claim protection under the patent grant which is (implicitly) found in that license.
But, then, your editor is not a lawyer and his opinions on any subject are known to have a tenuous grip on reality; just ask your editor's children.
The complaint also alleges copyright infringement, but no specifics are available at this time. There is some speculation that Oracle sees an "unauthorized" implementation of the Java specification as an infringement on that specification's copyright. For now, though, we must wait to see what Oracle is really claiming.
This is not an attack on free software in general, despite the fact that Google would like to see the community view it that way. It is an attack on a specific platform (much of which is free software) by a rapacious company which has just bought an expensive asset and wants to squeeze some revenue from it. It seems quite likely that this suit would have happened in the same way if Dalvik were proprietary. Even if Oracle gets everything it wants, the damage to the wider free software community will be limited. We were strong before the advent of Android, and would remain strong if it were to be removed from the scene.
That said, we are certainly stronger with a free Android than without, and we surely do not want to see a thriving free software platform taken down (or taxed) by a patent troll.
What is going on here is that the mobile market is seen as a gold mine, and everybody is trying to grab a piece of it in one way or another. Some companies are most interested in gaining their slice through the creation of mobile platforms that people actually want to buy and use; others are more inclined toward getting theirs through the courts. And some companies are doing both. As a result, anybody trying to work in this market is currently embroiled in lawsuits; see this diagram in the New York Times for a summary of where things stood back in March. It will be most interesting to see if this whole mess can be resolved. In the past, such situations have led to the creation of patent pools - not a free-software-friendly solution.
Despite this suit, and despite the withdrawal of OpenSolaris, Oracle seems to be determined to continue to work with the community on other fronts. The company claims to contribute to a long list of projects, and it employs a number of well-respected developers. One assumes that those projects will not start rejecting contributions from those developers. But neither will those projects deal with Oracle in the future without wondering, if just for a moment, what the company's motives and goals really are. It may not be an attack on free software in general, but this lawsuit has shown that Oracle is willing to use software patents to attack a specific free software project that it disagrees with. This move will kill a lot of the trust between Oracle and the development community; now one cannot help but wonder what might happen if, say, an OpenSolaris or MySQL fork starts to overshadow the original.
Non-free platforms should be avoided. Sun released much of the Java code under the GPL - eventually - but it never made Java truly free. The company went out of its way to retain control over the language and of any implementations of it; control over the specifications, copyright licensing policies forcing control over the code, and software patents held in reserve do not add up to a platform one can trust. Sun seemingly feared forks above all else, and so went out of its way to eliminate the freedom to fork whenever possible. The result was a non-free and hazardous platform; Oracle now seems to be saying that it cannot even be implemented independently without infringing both patents and copyrights. This kind of suit would not have happened had Google decided to make its own version of, say, Python.
There is no absolute security in this world. But there is relative security, and, by now, it should be clear that the relative security of a platform owned and controlled by a single corporation is quite low. Corporations, by their nature, are not trustworthy beasts; even the most well-intentioned company is only one bad quarter (or one takeover) away from becoming an aggressive troll. Sun was unlikely to sue over a not-really-Java virtual machine, but Sun has been replaced by a company with a rather different mindset. That company now has control over a platform that many people have based their businesses on, and, as we can see, it will react strongly when it sees a potential threat to that control.
How all this will turn out is anybody's guess. Perhaps Google will pay the troll to have some peace to continue to pursue the goal of total Android world domination. Perhaps some parts of Android will become more closed. Or perhaps Google will fight to the end while simultaneously executing an emergency backup plan which involves shifting the whole platform to the Ruby language. One thing that can be said is that, as long as software patents remain a threat, we will continue to see cases like this.
Page editor: Jonathan Corbet
Copyright © 2010, Eklektix, Inc.