[LWN Logo]
[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Sections:
 Main page
 Security
 Kernel
 Distributions
 On the Desktop
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters
All in one big page

Other LWN stuff:
 Daily Updates
 Calendar
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Archives/search
 Use LWN headlines
 Advertise here
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- GaŽl Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials


Linux distributors are branching out in their attempts to find ways to make money with free software. Here's a couple of interesting announcements from the last week:
  • As expected, Red Hat announced the availability of the "Red Hat E-Commerce Suite." This offering is a bundling of Red Hat Linux 7.1, PostgreSQL (oops, that's "Red Hat Database"), Apache, Interchange (once known as "MiniVend"), and "CommerceLauncher," a web-based configuration tool.

    The components of the E-Commerce Suite are all open-source tools, so one could build the equivalent of this suite without having to pay for it. (In practice, though, CommerceLauncher is currently only available if you buy the E-Commerce Suite; presumably it will escape into the wild eventually). Red Hat is hoping that it will be able to convince people to pay the subscription fee ($275/month) to get a combination of an integrated platform and associated update and support services. There will also be, of course, additional consulting services for an appropriate fee.

  • Turbolinux has announced the delivery of a "tailor-made Linux package" to The Credit Index, which does credit risk modeling for catalog marketers. It's an S/390 distribution which fits the mainframe world to the degree that it can be installed from a 3490 tape drive. Amusingly, Turbolinux touts its 2.4.5 kernel, which it claims is "the latest version." More seriously, though, Turbolinux has put together a specialized install of its distribution to meet the (intense) needs of a specific company.

The common thread here shows where the money may really be in the Linux distribution business: providing integrated solutions that "just work." Linux enthusiasts are happy to pull together software from several sources and make the combination work well. People who are experimenting with deploying Linux in their companies often prefer not to have to do that; if they can get a single CD set (or 3490 tape) with everything they need, their lives are easier, and they feel more confident in proceeding.

So it would not be all that surprising to see the number of distributions actually increase in the future, even if the number of distributors drops. And the real winners may be the company that can crank out special-purpose, customized distributions in a way similar to how Dell cranks out computers. Customers who get exactly what they need tend to come back for more.

On the costs of full disclosure. A message on the Bugtraq list asked can we afford full disclosure of security holes?. The motivation for the posting was, of course, the Code Red worm, which, according to some of the more breathless accounts, has cost billions of dollars worldwide. Implicit in the posting is a claim that Code Red would not have happened in the absence of the advisory and exploit posted by eEye.

eEye, of course, denies (convincingly) that its advisory enabled the Code Red worm in any way. But what if it had? Is full disclosure of security vulnerabilities an irresponsible act?

In the proprietary software world, it is tempting to say that only vendors should be given details of vulnerabilities. They can then fix the problem and get patches in the hands of their customers without making exploit information available to the bad guys. This view misses some important points, however. One is that malware authors will figure out the problems anyway; a clever cracker with debugging tools will be able to determine just what problems a binary vendor patch fixes. Even if the license agreement says they can't do that. Vendors also tend to be slow about fixing problems until there is a real need. Independent vendors of security products and services have a legitimate interest in the details of security problems.

But the real point is that those who use buggy software - and that is all of us - have a right to know about the problems in the programs we run on our systems and depend on. Proprietary software vendors, of course, like to withhold such information; that has a lot to do with why many of us use free software instead.

In the free software community, there really are no alternatives to full disclosure. Once the source for a patch has been released, all the details are easily available anyway. And the free software community only benefits from its preference for not hiding problems in general.

So free software users need not be involved in this debate. But the truth of the matter is that the situation is not all that different for proprietary software. The information will get out - crackers have a sort of full disclosure policy of their own. Anything other than full disclosure on the "white hat" side serves only to put people with vulnerable systems (i.e. all of us) at a disadvantage.

LWN Coverage of the O'Reilly Open Source Convention. [shared source panel] Better late than never... Dennis Tenney reports on the 2001 O'Reilly Open Source Convention in San Diego, CA. The report covers the conference happenings, and includes interviews with Bruce Momjian, Bruce Perens, Guido van Rossum, and Jim Fulton.

A note to our readers. A few of our readers with eagle-eyes will have noticed that Managing Editor Liz Coolbaugh's name has been missing from the section by-lines for a couple of weeks. Here's the scoop: Liz has been ordered by her doctors to take a medical leave of absence and will therefore not be contributing directly to the journalistic side of LWN.net for a period of time. Liz, get some rest, we're looking forward to having you back.

Those who are interested should see the message to our readers from Liz.

Meanwhile, the rest of us are clearly going to have to scramble to fill the gap left by Liz's absence. This scrambling will likely include cutting back on LWN's content for a while; we're still working on what the exact changes will be, but they will be intended to keep LWN on a sustainable basis while not sacrificing that which makes us truly valuable to our readers. Stay tuned.

Inside this LWN.net weekly edition:

  • Security: Warhol worms; fun with fetchmail.
  • Kernel: Noise over the SB Live update; where to send patches?
  • Distributions: Mission Critical layoffs, Mandrake releases 2 new distributions.
  • On the Desktop: theKompany rumbles, Loki stumbles, and Miguel humbles (Windows, that is).
  • Development: PLEAC project, Vorbis RC2, GNOME-DB, Linux backups, Web services, exponential Python growth.
  • Commerce: IDC survey shows Linux growth, Linux and TeraGrid, KDE 2.2, RedHat E-Commerce suite, TurboLinux on the S/390.
  • History: GNOME's beginnings; standards battles; Red Hat goes public.
  • Letters: Fair use and first sale; astroturfing; Mono.
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:


August 16, 2001

 

Next: Security

 
Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds