Distributions
Fedora and OpenH264
Did we ever mention that software patents are a serious pain for free-software projects? The usual problem is in trying to avoid them and, thus, the lawyers, lawsuits, and other exciting trappings of the patent-war landscape. But, even when the danger fades for a particular patent due to a seemingly open-source-friendly licensing arrangement, there may still be hiccups. Fedora has recently "resolved" a problem with the BSD-licensed H.264 video codec that Cisco announced in October 2013—by disabling its automatic installation.
Cisco has generously offered its OpenH264 codec for the heavily patented (and strongly enforced) H.264 video format without passing on the MPEG Licensing Authority (MPEG-LA) fees. That effectively makes the codec have zero cost if it is obtained from Cisco. Taking the source and building your own version of the codec doesn't convey the waiver of the patent licensing fee.
There is already an open-source H.264 codec in FFmpeg (and the Libav fork), but some distributions (like Fedora) don't ship it due to patent concerns. The OpenH264 project looks like a way around that problem, but the fact that it must be distributed by Cisco causes problems of its own.
For Mozilla, which was looking for non-patent-encumbered way to ship an H.264 codec with Firefox, using OpenH264 made perfect sense. So it integrated a way for Firefox 33 to automatically download and install the codec from Cisco. Doing so enabled Firefox Hello, which is a video chat feature using WebRTC that will even work between different browsers (e.g. Firefox and Chrome/Chromium).
The problem for Fedora is that downloading semi-random binaries from the internet and installing them where they will be executed based on content from elsewhere on the net could be seen as a potential attack vector. Even if there is nothing malicious about the binary (and there is no evidence that there is), it is not the way that most Linux distributions deliver software to their users. For Fedora, at least, it violates the packaging policy to install a binary that is not built in the distribution's infrastructure.
Florian Weimer filed a bug toward
the end of October, noting that in addition to the build issue there were
two problems with the license that Cisco
provides: it is not presented to the user correctly in Firefox, but the
bigger problem is that it has a restriction on the use of the codec (only
allowing "USES IN WHICH IT DOES NOT RECEIVE REMUNERATION
",
which is an element of the MPEG-LA license). It is not exactly clear how
the restriction should be interpreted, especially given that the OpenH264 FAQ explicitly says
that Cisco competitors can use the codec in their products. Perhaps
MPEG-LA believes that the purchasers of those products cannot use them for
money-making enterprises?
The immediate problem for Fedora, though, was to stop Firefox from downloading and installing the codec binary. A Fedora Engineering Steering Committee (FESCo) ticket was filed around the same time as the packaging bug. At its November 12 meeting, FESCo decided to request that the Fedora Firefox-package maintainers disable the auto-download feature. That has since been done, though there was a misstep along the way and no update that disables the auto-download has been released to Fedora users.
There is a Fedora wiki page with instructions for those who would like to manually install the codec. It will not auto-update (as Firefox does), though, so users will need to be vigilant about updating when Cisco releases security alerts for OpenH264 (though the most recent is said not to affect Firefox).
Even though OpenH264 is, indeed, open, there is no way for a distribution (or anyone else) to determine that the binary downloaded corresponds to the source code provided. This is a general problem and is part of why distributions tend to build all of the packages they ship—or provide ways for users to build their own. Beyond just Fedora, Gentoo and Debian are also working on the Firefox auto-download problem.
Longer term, Christian Schaller is working with Cisco on a way to build OpenH264 on Fedora's infrastructure and provide a way for Firefox on Fedora to auto-download that version from Cisco. Presumably, if that works out, other distributions can also take advantage of it. There is some possibility that the Firefox trademark restrictions could rear their head if distributions head down that path, but there is a belief that Mozilla will not force Fedora to go the Iceweasel route.
It is likely an irritating situation for all involved. There may be a reasonable resolution at some point along the lines of what Schaller reported, but it still means extra hoops for Linux distributions (and Cisco) simply so that those distributions can ensure that their users are getting the code that they expect. It's open source, so that should be easy, but patents—once again—get in the way.
[ Thanks to Scott Dowdle for giving us a heads-up about this issue. ]
Brief items
Distribution quotes of the week
The first CentOS Linux Rolling media release
The CentOS project has announced the availability of the first in a series of monthly rolling releases. "CentOS Linux rolling builds are point in time snapshot media rebuild from original release time, to include all updates pushed to mirror.centos.org's repositories. This includes all security, bugfix, enhancement and general updates for CentOS Linux. Machines installed from this media will have all these updates pre-included and will look no different when compared with machines installed with older media that have been yum updated to the same point in time."
Fedora 21 released
The Fedora 21 distribution release is now available, in three different flavors (cloud, server, and workstation). "Fedora 21 is a game-changer for the Fedora Project, and we think you're going to be very pleased with the results." See the announcement for the highlights found in each of the released spins.
"Ubuntu Core" announced
Mark Shuttleworth has announced the availability of "Ubuntu Core," a version of the distribution that takes a different approach to package management. "This is in a sense the biggest break with tradition in 10 years of Ubuntu, because Ubuntu Core doesn’t use debs or apt-get. We call it 'snappy' because that’s the new bullet-proof mechanism for app delivery and system updates; it’s completely different to the traditional package-based Ubuntu server and desktop. The snappy system keeps each part of Ubuntu in a separate, read-only file, and does the same for each application. That way, developers can deliver everything they need to be confident their app will work exactly as they intend, and we can take steps to keep the various apps isolated from one another, and ensure that updates are always perfect. Of course, that means that apt-get won’t work, but that’s OK since developers can reuse debs to make their snappy apps, and the core system is exactly the same as any other Ubuntu system – server or desktop."
Distribution News
Debian GNU/Linux
bits from the DPL - September to November 2014
Lucas Nussbaum presents a few bits of information worth sharing with the Debian project. Topics include travel sponsorship for Bug Squashing Parties, GNOME Outreach Program for Women, 'newcomer' bugs tag, static version of 'Debian Package of the Day' available, certificates for Debian Contributors, update of reimbursement procedures, delegations updates, and more.
Fedora
Fedora 19 end of life on 2015-01-06
Fedora 19 will reach end of life on January 6, 2015 and no further updates will be available after that time.
openSUSE
Advance discontinuation notice for openSUSE 12.3
The openSUSE maintenance team has announced that it will stop releasing updates for openSUSE 12.3 after January 4, 2015.
Newsletters and articles of interest
Distribution newsletters
- DistroWatch Weekly, Issue 588 (December 8)
- Ubuntu Weekly Newsletter, Issue 395 (December 7)
Linux Mint 17.1 review—less change is good change (Ars Technica)
Ars Technica reviews the latest edition of Linux Mint, version 17.1. Based on Ubuntu 14.04 LTS, Mint 17.1 will be supported until 2019. "However, Mint 17.1 is in fact a very good sign for fans of the distro's own tools, like its homegrown Cinnamon desktop. By relying on a consistent LTS release, Mint developers can more or less ignore the base system. Instead of spending all their time and effort making sure whatever Ubuntu has changed works with Mint, they can focus on what makes the ecosystem great—namely, its two primary desktops, MATE and Cinnamon."
Puzzle GNU/Linux: Integrated Pieces Create an Intriguing OS (LinuxInsider)
LinuxInsider takes a look at Puzzle GNU/linux, an Italian distribution featuring a hybrid desktop that combines elements from Openbox, Kodi (formerly xbmc) and KDE. "Puzzle GNU/linux is built on Canonical's Ubuntu Distro -- but the similarity ends right there. Forget Unity, or any of the other desktop environments or distro flavors available to replace the Unity shell. The Ubuntu foundation allows the installation of all programs in the standard version available for Ubuntu. Then the Puzzle treatment kicks in. An in-house software management system allows unique Puzzle packages -- called "modules" -- to be installed and removed without rebooting."
Page editor: Rebecca Sobol
Next page:
Development>>