Other LWN stuff:
 Daily Updates
 Calendar
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Archives/search
 Use LWN headlines
 Advertise here
 Donate to LWN
 LWN Supporters
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- Gaël Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials

o Security fixes
  Details censored in accordance with the US DMCA

The details, apparently, may appear on a web site that is inaccessible from the U.S. before the official 2.2.20 release happens.

Alan, of course, is trying to dramatize a point: U.S. laws on these issues are seriously messed up. It is also true that the U.S. has little reluctance to try to apply its laws to foreign nationals doing things that are legal at home. Even so, one might be forgiven for wondering if Alan is taking things a little too far here. Censored changelogs will attract a bit of attention, but are unlikely to really change much. Besides, as readers of NTK know, the U.K.'s laws are not much better than those in the U.S. with regard to things like "circumvention devices."

Also true is the fact that most of the vulnerabilities fixed have already been published: see this week's LWN security page. Even though, as Alan says "there are other security related changes" in this prepatch, the information is already out there.

Still, one can not make these points too often. That is especially true in times like these, where civil liberties are in increased danger, and proposed laws like the SSSCA could make Linux itself illegal in the U.S. The presence of the DeCSS code on the net has not shielded those who have republished it. There are dangers out there for those who work with or discuss security vulnerabilities.

There is an interesting question, here, though: if a description of a Linux kernel security vulnerability potentially violates the DMCA, what about the patch that fixes it? The patch doesn't just describe the problem, it does so in exact technical terms that will point a would-be exploiter in just the right direction.

So, for example, it is considered OK to publish a patch containing:

    -#define MAX_QUOTA_MESSAGE 75
    +#define MAX_QUOTA_MESSAGE (PAGE_SIZE + 256)

Sooner or later, this situation has to resolve itself. The kinds of restrictions that corporations and governments wish to put into software (and discussions about software) are in conflict with free, source-available code. Historically, in the U.S., freedom has a reasonable chance - especially where freedom of speech is involved. But we live in interesting times, to say the least.

Emacs 21 is here. The Free Software Foundation this week announced the availability of version 21.1 of the famous emacs editor. The emacs development process has been, until now, relatively invisible to the free software community as a whole, so new releases tend to bring a number of surprises with them. Your reporter, being an emacs user, was naturally curious as to what was in the new release; being also a Debian user, he was able to satisfy his curiosity with a single apt-get command. If only more disk space could be had so easily.

So what's up with version 21? Richard Stallman is quoted as follows in the announcement:

Emacs 21 is a big step forward in our long-term plan to take Emacs from a programmable text editor to a programmable word processor.

FSF development plans do tend toward a long-term nature. Those wanting to use emacs 21 as a true word processor will be disappointed, it's not there yet. It has, however, made some definite steps in that direction. The first signs can be seen in the initial splash screen, shown on the right (click the image for a full-size version). Emacs can now display images in buffers; it is also capable, finally, of using proportional fonts. There is little user-level support for either, but elisp programmers can now get at that functionality.

Also present in the new emacs is a toolbar that appears below the standard menubar. It is, of course, customizable for emacs's various modes. It is also easily dispensed with, happily, for those of us who prefer to use the screen space for editing. And, of course, what would a toolbar be without tooltips? Emacs will now happily pop up little help windows all over the place. Perhaps more interestingly, the tooltips mechanism can also be turned on in the GUD debugger mode: move the pointer over a variable name, and a little window with the variable's value pops up.

It wouldn't be an emacs release, of course, without a ton of new features. Here's a subset, with occasional screen shots:

• How about an ASCII art mode, which allows mouse-based creation of ASCII diagrams?

• Color fonts are now supported outside of window mode if the underlying terminal can do it.

• Emacs can now play audio files, though the documentation does not say much about just why one might want to do that.

• The modeline is now mouse-sensitive.

• Emacs now features a blinking cursor in window mode. Happily, you can turn it off.

• There is a new confirm-kill-emacs variable that will cause the editor to ask before shutting itself down. Users who have found, to their chagrin, that it doesn't take much fat-fingering to turn C-X into C-X C-C will be pleased.

• Buffers can now have "header lines" that remain at the top of the window, independent of scrolling. Info mode uses this feature to present a navigation bar.

• Emacs now has wheel mouse support.

• There is, of course, a new, improved cc-mode with a lot of fancy features. Surprisingly, they appear to have managed not to break too many user configurations this time around. In general, elisp code from version 20 seems to work well in the new release.

• There's a nice new "diff" mode, most useful for picking the security patches out of kernel updates.

• The gnus newsreader now handles MIME postings. It also turns smileys into cute little images that are amusing for the first couple of messages.

• A new highlight-regexp command can be used to mark all occurrences of a given string in a buffer.

• Incremental search now highlights upcoming matches so you know where you're going next.

• The "zone out" mode implements a sort of internal screen saver for emacs windows.

• A new "woman" mode exists which can format up man pages without having to resort to external programs. There is also a new shell mode that has no need for an actual shell. A compile mode with its own built-in compiler has not yet been implemented, however.

• Cool feature: the regular expression builder allows interactive creation of complicated search strings with immediate feedback on what is matched.

• A "C warning mode" points out things it thinks are incorrect or dangerous in C code.

• There is a new postscript mode for those who like to talk to their printers directly.

The full list of new features is far more extensive than the above - and we have not even begun to talk about the elisp-level changes. Suffice to say that emacs 21 is a major release, with a lot of cool new stuff.

The best thing of all, however, may not be an editor feature at all. As of this release, it is now possible to get the development version of the code via a CVS server on savannah.gnu.org. Opening up the emacs development process can only be a good thing for both developers and users.

The latest word from Gartner. Those of us who have followed Linux for a while have grown accustomed to hostile opinions published by the Gartner Group. Recently, though, Gartner has shown signs of coming around. The latest pronouncement from that group, published in ZDNet as What's the future of Linux?, shows continued progress in this area. Consider this quote:

Linux is being viewed as an opportunity to enable users to get out from under the yoke of proprietary platforms and high software license fees and into a much more flexible and evenhanded negotiating position. But vendors will always seek new opportunities to wedge users into proprietary solutions, so users must remain vigilant to avoid past mistakes that led to lock-in.

Licensing fees and "negotiating positions" are only a small part of what make free software worthwhile. Nonetheless, it looks like Gartner is beginning to figure out what free software really means. There may yet be hope...

Inside this LWN.net weekly edition:

• Security: Responses to Scott Culp; possible ssh exploit.
• Kernel: A new driver model; looking for faster pipes.
• Distributions: More from the CLIG; Melon: Japanese Linux for the iPAQ.
• Development: Mozilla 1.0 Manifesto, Ogg Traffic, Parma Polyhedral Library, Simple Web Service API, Crystal Space 0.90 r001, GCC 3.02.
• Commerce: MontaVista releases high availability framework; Red Hat adds Linux Desktop Productivity Essentials training course; The new 'Lindows' operating system.
• History: OpenBSD project founded in 1995; Red Escolar project founded in 1998; Tcl/Tk looks for a new corporate home.
• Letters: Project Liberty, free BIOS implementations, information anarchy.

This Week's LWN was brought to you by:

• Jonathan Corbet, Executive Editor

See also: last week's Security page.

Security

News and Editorials

Cryptographers and security experts have known for years that peer review of open source code is the only reliable way to verify the effectiveness of encryption systems and other security software. So Microsoft's closed-source mode of development guarantees that customers will continue getting cracked and Microsoft will continue pointing the finger of blame everywhere except where it actually belongs.

Elias Levy, meanwhile, responded in this SecurityFocus article.

A successful attacker requires three things: the opportunity to launch an attack, the capacity to successfully execute the attack, and the motivation to attack. An opportunity to launch an attack requires a vulnerable system and an access path to the system. The capability to successfully execute the attack requires knowledge of the vulnerability and the tools to exploit it. Proponents of the information dictatorship argument are targeting the second requirement of a successful attacker: his capability to launch an attack. This approach to the problem of computer security is flawed, and can only fail.

Overall, there has been a distinct lack of people rushing out to back up Microsoft's view on security disclosure. Even people who are uncomfortable with those who circulate exploit tools have remained quiet.

Make sure your ssh is current. Here's a NewsBytes article on a new ssh exploit going around.

In its February advisory, Bindview stated that it was aware of no working exploits for the overflow flaw in the SSH daemon. But last week, rumors spread in the hacker underground that scripts were available to gain "root" or system-level access to vulnerable systems. And in recent days, system operators have posted reports on security mailing lists saying they are receiving remote scans from attackers attempting to locate vulnerable systems running SSH.

There has been little in the way of confirmation of this exploit from any other source. Nonetheless, now would be a good time to check ssh/OpenSSH installations and make sure they are current. A remote root exploit based on ssh is the sort of thing that extreme nastiness (i.e. horrific Linux-based worms) is made.

Security Reports

Two kernel security bugs explained. Here is Rafal Wojtczuk's explanation (from Bugtraq) of the two security bugs found in recent Linux kernels. They are:

• Through the use of properly constructed chains of symbolic links, a local attacker can lock up the kernel for long periods of time, thus creating a denial of service attack.

• With the proper use of a setuid binary, the ptrace() system call can be fooled into tracing another setuid program, and thus into executing arbitrary code as root.

Note that there are, apparently, some other kernel security issues out there that have not, yet, been explained publicly.

Updates seen so far:

• Caldera (October 18, 2001)
• EnGarde (October 19, 2001)
• Immunix (October 19, 2001)
• Openwall Linux (October 18, 2001).
• Red Hat (October 18, 2001)
• Trustix (October 19, 2001)

Two bugs with apache. Apache 1.3.22 fixes a couple of minor issues with the apache web server. The "split-logfile" program can be used to overwrite any file that is writable by the web server account, and which ends in ".log". That script tends not to be shipped with most Linux distributions. The other vulnerability could lead to the delivery of undesired directory listings in some situations.

Updates seen so far:

• Conectiva (October 18, 2001)
• EnGarde (October 19, 2001)

Debian security update to nvi. The Debian Project has released a security update to nvi fixing "a very stupid format string vulnerability" in that package. "Even if we don't believe that this could lead into somebody gaining access of another users account if he hasn't lost his brain, we recommend that you upgrade your nvi packages."

gftp can expose passwords. The Debian Project has put out an update to gftp fixing a problem in that package: it displays login passwords in plain text. In the interest of thwarting shoulder surfers, applying the update is probably a good idea.

A pile of Debian security alerts. Here's another set of alerts which have come out of Debian in the last week:

• w3m, buffer overflow problem, with a possible remote exploit. (Update: it seems that there is no PowerPC version of this patch available; PowerPC users are advised to avoid w3m.

• xvt, locally-exploitable buffer overflow.

• procmail, signal handling problem with possible local exploit.

Denial of service in 6tunnel. The 6tunnel utility, used for IPv6 tunneling, has a denial of service vulnerability that allows an attacker to cause the 6tunnel server to crash. Affected users should upgrade to version 0.09 or later.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

• A set of three vulnerabilities has been reported with Oracle, including one which can be exploited to overwrite files.

Updates

This week's updates:

• Red Hat (October 30, 2001)

• Conectiva (October 10, 2001)
• Debian (October 17, 2001)
• Mandrake (November 1, 2001)
• SuSE (October 24, 2001)

OpenSSH restricted host vulnerability. Versions of OpenSSH prior to 2.9.9 have a vulnerability that can allow logins from hosts which have been explicitly denied access. The fix is to upgrade to OpenSSH 2.9.9. This problem first appeared in  the October 4 LWN security page.

This week's updates:

• SuSE (December 6, 2001)
• SuSE (December 3, 2001)
• Conectiva (October 24, 2001)
• Immunix (October 17, 2001)
• Mandrake (October 16, 2001)
• Red Hat (October 19, 2001) (Adds support for version 7.2).
• Red Hat (October 9, 2001)
• Trustix (October 17, 2001)

New updates:

Previous updates:

• Red Hat (October 23, 2001) (mod_auth_pgsql)
• Conectiva (September 28, 2001) (mod_auth_pgsql)
• Conectiva (September 6, 2001) (mod_auth_mysql)

This week's updates:

• SuSE (October 30, 2001)

Previous updates:

• Red Hat (October 16, 2001) (adds an updated package for 7.2).
• Yellow Dog (July 25, 2001)
• Caldera (August 9)
• Linux-Mandrake (August 2)
• Immunix (July 26)
• Trustix (July 26)
• Red Hat (July 26)

Improper credentials from login. A problem with the login program (in the util-linux package) can, in some situations, cause a user to be given the credentials of another user at login. Use of the pam_limits module, in particular, can bring about this problem. In general, distributions using the default PAM configuration are not vulnerable; an upgrade is probably a good idea anyway. This problem was first reported in October 18 LWN security page.

This week's updates:

• Mandrake (November 1, 2001)

• Red Hat (October 16, 2001) (Adds an update for version 7.2).
• SuSE (October 23, 2001) (Doesn't use util-linux login, but vulnerable anyway).
• Red Hat (October 16, 2001)
• Trustix (October 17, 2001)

This week's updates:

• Turbolinux (January 24, 2002)

• EnGarde (October 19, 2001)
• Immunix (August 29, 2001)
• Mandrake (August 31, 2001)
• Red Hat (September 7, 2001)

Resources

Events

Upcoming Security Events.

Date	Event	Location
November 5 - 8, 2001	8th ACM Conference on Computer and Communication Security(CCS-8)	Philadelphia, PA, USA
November 13 - 15, 2001	International Conference on Information and Communications Security(ICICS 2001)	Xian, China
November 19 - 22, 2001	Black Hat Briefings	Amsterdam
November 21 - 23, 2001	International Information Warfare Symposium	AAL, Lucerne, Swizerland.
November 24 - 30, 2001	Computer Security Mexico	Mexico City
November 29 - 30, 2001	International Cryptography Institute	Washington, DC
December 2 - 7, 2001	Lisa 2001 15th Systems Administration Conference	San Diego, CA.
December 5 - 6, 2001	InfoSecurity Conference & Exhibition	Jacob K. Javits Center, New York, NY.
December 10 - 14, 2001	Annual Computer Security Applications Conference	New Orleans, LA

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet

LWN Resources
Security alerts archive

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

See also: last week's Kernel page.

Kernel development

The current kernel version is 2.4.13, which was released on October 24. Linus surprised some people by including another set of VM tweaks in the final release (i.e. without testing in a prepatch), but those tweaks had already seen some use in Andrea Arcangeli's releases. Says Linus: "See if you can break it."

Alan Cox's current patch is 2.4.12-ac5. It contains a bunch of ARM updates, the latest VM tweaks from Rik van Riel, and a number of other fixes.

On the 2.2 front, Alan has released 2.2.20-pre11, with a small set of updates and some unspecified security fixes (see this week's front page) If all goes will, this version will become the official 2.2.20 release, so interested parties are encouraged to try it out.

Toward a new way at looking at devices. Interestingly, Linux kernels through 2.4.x have no unified way of keeping track of devices. There are registries which hold lists of drivers, and various other bits and pieces, including device arrays in the drivers themselves. But if you were to ask the kernel to tell you about every device plugged into the system, it would not be able to answer. Even if one of those devices were a speech synthesizer.

Getting a better handle on devices was one of the topics discussed at the Kernel Summit last March. Now Patrick Mochel has taken things forward with a proposal for a new "driver model" in the 2.5 kernel. A number of things would change under the new scheme:

• All buses and devices will be treated as being hot-pluggable. Devices present at boot will be treated as if they had just been plugged in.

• A new struct device structure will be created for each physical device and bus on the system. These structures will be organized into a tree which reflects the actual configuration of the hardware. A PCI bus device, thus, becomes the parent node for all devices plugged into that bus. (Way back when, struct device was used for network devices, but the 2.3.14 kernel release changed that).

• A new virtual device driver filesystem (ddfs) type will be created. Each device in the system will export a ddfs entry, which can be used to query and change the state of the device. For example, a ddfs entry will tell whether a given device has been suspended or not.

• Each device will have a struct device_driver which contains a small set of global operations. One of them, probe, checks for the existence of a specific device and sets it to a known state. The remove operation disconnects the driver from the device. There are also suspend and resume operations for power management functions.

• The iobus structure will be used to track buses on the system. There will also be a struct iobus_driver containing another set of operations, mostly having to do with bus scanning and dealing with plugging and removal events.

Much of the motivation behind all this work is to do power management right. Power management is increasingly part of every computer component made, and people, rightly, want to be able to take advantage of the power management features. But doing things like suspending part or all of a system requires a detailed knowledge of that system's hardware structure. Thus this new model.

So it is not all that surprising that power management has been the topic of most of the discussion on this proposal. The initial plan called for a two-step suspend procedure: one to save device state, and one to shut the device down. It was pointed out that saving device state can involve actions like allocating memory, which can require the cooperation of other devices. So the plan now calls for a three-step suspend routine:

1. SUSPEND_NOTIFY tells each device that a suspend is coming. No state need be saved at this point, and the device could be asked to perform further operations after this call. The driver must, however, allocate any memory it will need to save the state later on.

2. SUSPEND_SAVE_STATE causes the driver to actually save the state of the device. It should also stop handling I/O requests at this point.

3. SUSPEND_POWER_DOWN is the final stage, which causes the device to be physically powered down.

When the system resumes, a two-step process is followed: one to reset the devices to a known state, and one to resume the pre-suspend state and resume operation.

There was a developing conversation on higher-level response to suspend events: things like trying to save dirty buffers to disk, synchronize RAID arrays, and so on. Trying to make all that work right was beginning to look like a pretty thorny problem, until Linus stepped on the discussion by pointing out that a suspend operation need not do all that.

If somebody removes a disk or equivalent while we're suspended, that's _his_ problem, and is exactly the same as removing a disk while the disk is running. Either the subsystem (like USB) already handles it, or it doesn't. Suspend is _not_ an excuse to do anything that isn't done at run-time.

So suspend is _not_ supposed to be equivalent of a full clean shutdown with just users not seeing it. That's way too expensive to be practical. Remember: the main point of suspend is to have a laptop go to sleep, and come back up on the order of a few _seconds_.

Nobody appears to have disagreed with this position; it was one of those "Linus moments" where he points out the important thing people have been overlooking.

The new driver model is still evolving; the latest version can be found here.

On MODULE_LICENSE and EXPORT_SYMBOL_GPL. In the hopes of clearing up some confusion, Keith Owens has posted a description of the MODULE_LICENSE and EXPORT_SYMBOL_GPL macros, and exactly what the two are intended to achieve. Recommended reading.

In search of faster pipes. Hubertus Franke and his colleagues at IBM decided to look into ways of making Linux pipes perform better. To that end, they decided to tweak two factors:

• The size of the kernel buffer used to hold pipe data. It is normally one page (usually 4K); they experimented with buffers up to eight pages long.

• Early awakening of readers. Normally, readers of a pipe are awakened only when a write operation completes. By waking them up after only part of the data to be written has been copied into the pipe buffer, the group hoped to improve concurrency.

The results reported are interesting: neither change improved performance on uniprocessor systems - indeed, performance often dropped. On SMP systems, instead, increasing the pipe buffer size can speed things up. The early awakening helped slightly in some cases and hurt in others; it doesn't appear to be worth the effort most of the time.

The question was raised: why not try with the single-copy pipe implementation by Manfred Spraul? The IBM crew went for it, and came up with a new set of results. Single-copy pipes are not necessarily the big win that people might expect. The single-copy patch got better lmbench results in some situations, but lagged behind the IBM patches in most tests. In fact, it lagged behind even the standard Linux pipe implementation in many cases.

The final conclusion might be that increasing the buffer size may help pipe performance in some high-end, SMP situations. Other than that, the pipe code works pretty well the way it is now.

Other patches and updates released this week include:

• Neil Brown has posted an implementation of tree quotas for the ext2 filesystem. Tree quotas differ from ordinary disk quotas in that they are handled on a per-tree basis. All files contained within a particular directory tree are charged to the owner of the tree, regardless of who actually owns the files.

• The Scalable Testing Platform is an automated test system for the Linux kernel produced at the OSDL.

• Jens Axboe has posted a new version of his patch enabling DMA to high memory without bounce buffers.

• A scheduler patch was posted by Davide Libenzi. The patch tries to get better cache efficiency by considering how long a process has been running on a particular CPU before moving it.

• The latest PCI Hotplug driver is available courtesy of Greg Kroah-Hartman.

• Worth a look: Martin Devera's graphical call graphs of both Linux VM implementations.

• Here's the latest premptible kernel patch from Robert Love.

• Version 0.2.1 of the IBM Enterprise Volume Management System has been announced by Kevin Corry.

• The latest Stanford Checker run has identified numerous potential security bugs in the kernel resulting from inadequate checks on user-supplied parameters. Happily, the Checker team is not yet censoring its reports out of fear of the DMCA.

• Martin Devera has announced a new version of his HTB queuing discipline module.

• Vamsi Krishna has announced version 3.0 of IBM's Dynamic Probes kernel debugging system.

• Keith Owens has released kdb v1.9 for the 2.4.13 kernel.

• iptables 1.2.4 was released by Harald Welte.

Section Editor: Jonathan Corbet

For other kernel news, see:

• Kernel traffic
• Kernel Newsflash
• Kernel Trap
• 2.5 Status

Other resources:

• L-K mailing list FAQ
• Linux-MM
• Linux Scalability Effort
• Kernel Newbies
• Linux Device Drivers

See also: last week's Distributions page.

Note: The list of Linux distributions has moved to its own page.

Distributions

News and Editorials

More from the Common Linux Installer Group. Last week's LWN Distributions page took a quick look at an idea from the Common Linux Installer Group, whose goal is to design and develop a standard for Linux installers. The CLIG is led by Blue Linux, a distribution that is under development. Blue Linux is also in need of an installation routine.

Standardizing the installation routines does sound like a good idea. Blue Linux is not, and will not be the only developing distribution faced with the task of creating an installation routine. Current installers, even those released under the GPL, are saturated with hardcoded references to their parent company. Often they are tied to a particular package management system as well. These points were made in the CLIG's response, which goes on to describe in further detail how they envision a standard installer would deal with package management and still allow some individuality on the front end. CLIG proposes a layered system, with customized back ends to support package management and a customizable front end to support individualized user interfaces. Inside, the main part of the installer would be a base of reusable code.

We also received a note from Anthony W. Youngman, who is working on the Linux Standards Base, v2 which, he says, will address Linux installation. Hopefully the CLIG can work with LSB v2 so that there can be an LSB-compliant standard installer released under the GPL.

New Distributions

Melon: Japanese Linux for the iPAQ. Longtime LWN supporter Maya Tamiya tells us about Melon, a new Japanese distribution for the iPAQ handheld. Melon is sold on a Compact Flash card, and can be booted directly from the card; it's based on the Familiar distribution. The Melon web site is in Japanese, of course, but the screenshots page is easily viewable by everybody.

Distribution News

Debian News. The Debian Weekly News for October 23 is out. Covered topics include the demise of Progeny Linux, the upcoming release (which, it turns out, will be Debian 3.0), coverage of free software, and much more.

The Debian Security Team announced the appointment of two Debian Security Secretaries, Matt Zimmerman and Noah Meyerhans.

FreeBSD Ports. There is a FreeBSD/ia64 port in progress that now boots into multi-user mode without any operator attendance. There is also FreeBSD ultra sparc port in progress. Check the FreeBSD website for more information.

Mandrake Linux News. Those of you who have been waiting for Mandrake Linux 8.1 to show up in physical form need wait no longer: MandrakeSoft has announced that the distribution is finally available from retail stores. It is packaged in four different forms, with varying amounts of software and support.

Also the release candidate of Mandrake Linux 8.1 for the Itanium processor has been announced. It contains a number of fixes and a couple of new packages; this is the last chance to look over this distribution and find problems before the official release.

There will soon be a Mandrake Linux Gaming Edition as MandrakeSoft and TransGaming Technologies have gotten together to announce the Mandrake Linux Gaming Edition, to ship on November 9. Included with the distribution will be a port of "The Sims" from Electronic Arts.

Here are 2 updates to ML 8.1 and another for ML 8.0. These are not security problems, but you may want these fixes:

• initscripts gave incorrect options for supermount, non-rootfs filesystems were not being checked upon bootup, tmp removal in mandrake_everytime was printing a failure message, the mandrake_consmap service was being restarted by service, and the installkernel script wasn't robust enough when getting the root filesystem.
• locales fixes missing Italian locale "it".
• sendmail packages in ML 8.0 have long delays in sending messages due to RBL lookups that are enabled by default. Here is an update that disables RBL lookups by default, eliminating the delay.

Red Hat Linux 7.2 launches. Red Hat has announced the availability of Red Hat Linux 7.2. It contains all the usual features: ext3, 2.4.7 kernel, better admin tools, firewall configuration at install time, StarOffice, etc. Check out the announcement for the details and a list of mirror sites. There are a few unsigned packages on some mirror sites, according to this security advisory, however Red Hat says it's not a problem in this Newsbytes article.

Slackware has Emacs 21.1. Source and packages for GNU Emacs 21.1 have been added for Slackware on Intel.

SuSE News. SuSE announced the shipment of its enterprise-capable Linux distribution, SuSE Linux Enterprise Server version 7, based on the latest Linux kernel 2.4 and optimized for deployment in high-performance servers.

Terra Soft Unveils Yellow Dog Linux 2.1. We mentioned the release of Yellow Dog Linux 2.1 last week, but didn't mention the improved installer, KDE 2.2.1, 2.4.10 kernel, ext3, or the improved iBook support. Terra Soft Solutions also announced they will showcase YDL 2.1 and a Yellow briQ Node cluster running Total Impact's Centricity video rendering software at LinuxWorld Expo, Tokyo, Japan.

Minor Distribution updates

Devil-Linux. Devil-Linux has announced Devil-Linux 0.5 Beta 1, a new release with a new build system. Devil-Linux is a small, customizable Linux distribution used for firewalls/routers.

Gentoo Linux. Gentoo Linux is a high-performance ports-based x86 Linux distribution for developers and admins. It features a Python-based advanced package management system called Portage. Finishing touches are in progress on Gentoo Linux 1.0_rc6, and the team is optimistic that 1.0 final will be the next release following 1.0_rc6.

NSA Security-enhanced Linux. The third public release of the LSM-based SELinux prototype was made on October 16, 2001. This release contains several bug fixes and improvements to both LSM and SELinux and is based on the lsm-2001_10_11 patch against kernel 2.4.12. See the release notes for more details.

Redmond Linux. Redmond Linux Build 41, Release Candidate 2 is available for ftp. This version upgrades the kernel to 2.4.12-ac3 and should fix the partitioning issue many of you have noticed.

Sorcerer GNU Linux. Sorcerer GNU Linux 20011022 is available, with better support for internationalization. The install menu now contains options for customization of the key map, console font, language, and timezone.

ttylinux. ttylinux came out with a bugfix release on October 18, 2001. However on Oct. 19 a bug was found in the instructions for making a bootable ttylinux CD. It is necessary to replace "initrd=rootfs.gz" with "initrd=rootfs.gz root=/dev/ram0" everywhere.

Trustix Secure Linux. Last week we mentioned TSL Bugfix Advisory #2001-0020 for bind. However advisory #2001-0027 supersedes the previous announcement. "This is really the TSL-2001-0020 Bind bugfix advisory, but the MD5 checksums are updated for the TSL 1.1 and 1.2 packages as we forgot to sign them in the proper way."

Distribution Reviews

Caldera targets developers with latest Workstation (ZDNet). ZDNet reviews Caldera OpenLinux Workstation 3.1. "In what appears to be a shift in focus from its user-centric eDesktop 2.4, Caldera seems to be targeting its workstation distribution directly at the developer market by adding a wide variety of development tools to its already solid desktop configuration, making this latest version well-suited for corporate in-house development."

Section Editor: Rebecca Sobol

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

See also: last week's Development page.

Development projects

News and Editorials

The document aims to answer a number of questions concerning the upcoming Mozilla 1.0 release:

• What: Mozilla 1.0 would be the first major version numbered release. The release would include promises to maintain compatibility with a number of APIs from which to build upon. The release would also involve a stable branch off of the cvs.mozilla.org trunk.
• Why: There is a need for a stable long-lived branch of Mozilla. If Mozilla.or does not create such a branch, it will be done by others, and the result would be unnecessary fragmentation. There is still a need for a 1.0 management plan, input is being accepted.
• How: There is a need for big-fixing milestones. There is also a need for reducing the bug count to "near-zero". The plan is to obtain a stable, long-lived branch. The plan involves obtaining version 1.0 through a small number of milestones. Developers are being asked to schedule their bug fixes within the boundaries of those milestones. The focus will be on stability, not new features. Commercially contributed features are to be synchronized with the milestones, and may be isolated with CVS branches or #ifdef statements.
• When: There is a strong desire among Mozilla developers to achieve 1.0 "sooner than later". There is a desire to obtain a stable branch and offer a release "within six months". Again, the emphasis will be on attaining stability more than new features.
• Who? Brendan Eich will get the final say on what goes into version 1.0. He will delegate layers to various other people. "First in the line of delegation, judgment, and consensus are staff and drivers, who in turn depend on porkjockeys, reviewers, module owners, bug assignees, QA contacts, triagers, and other members of the community." Bugs are being nominated for fixing by version 1.0, and guidelines have been given for that bug status.

Audio

Ogg Traffic #1. A new status page for the Ogg Vorbis project (free MP3 replacement) is available. Ogg Traffic gives the latest project status and is a good look at the inner workings of an open-source project.

Clusters

High Availability Linux status for October, 2001. Alan Robertson sent in the October 2001 status report for the Linux High Availability project.

Electronics

Xcircuit 2.3.5 released. Tim Edwards has released version 2.3.5 of the xcircuit schematic drawing package. This release includes lots of bug fixes and enhancements to the Python interface.

New gwave for October 21, 2001. A new version of gwave, the GPL'ed Waveform Viewer has been released. The changes include improved measurement from cursor positions, better log scale operation, and bug fixes.

Embedded Systems

Embedded Linux Newsletter. The LinuxDevices.com Embedded Linux Newsletter for October 18 is out, with the usual roundup of interesting embedded Linux stories.

Printing Systems

AFPL Ghostscript 7.03 Released. A new release of AFPL Ghostscript has been announced. The release includes bug fixes and performance improvements.

Science

Parma Polyhedra Library. Version 0.1 of the Parma Polyhedra Library has been released. "The Parma Polyhedra Library is a C++ library for the manipulation of convex polyhedra. The applications of convex polyhedra include program analysis, integer and combinatorial optimization and statistical data-editing."

Web-site Development

The Simple Web Service API. ActiveState has sent out an announcement about the new "Simple Web Service API," a standardized way for programmers to implement web services in a number of scripting languages. A beta implementation is available for Perl, Python, and PHP, with Ruby and Tcl in the works.

mnoGoSearch 3.2.2 released. Version 3.2.2 of the mnoGoSearch web search engine has been released. The changes include processing for Content-language and lang, support for IBM's DB2, documentation updates, and lots of bug fixes.

Zope Members' News. The latest news from the Zope Members' site looks at the new Z SQLvMethod, Portable Holes for Zope, CMFImageDoc 0.9, Lockable Folder 0.1.0, and more.

Building a Large-scale E-commerce Site with Apache and mod_perl (Perl.com). Perrin Harkins writes about large scale E-commerce on Perl.com. "Application server vendors will insist that you need a packaged all-in-one solution for the software. Hardware vendors will tell you that you need the top-of-the-line mega-machines to run a large site. This is a story about how we built a large e-commerce site using mainly open-source software and commodity hardware. We did it, and you can do it, too."

Webalizer Version 2.01-09 released. Version 2.10-09 of the Webalizer Web log analyzer program is available for download. This version features security related bug fixes as well as support for more languages. Upgrades are strongly recommended.

Miscellaneous

This week in DotGNU. The DotGNU weekly summary has been posted by Norbert Bollow; it gives an overview of some of the initiatives within the DotGNU project and how they are progressing.

Writing DLLs for Linux apps (IBM developerWorks). Allen Wilson talks about DLL equivalents under Linux. "Plugins and DLLs are often a great way to add functionality without writing a whole new application. In Linux, plugins and DLLs are implemented as dynamic libraries. e-business consultant and architect Allen Wilson introduces dynamic libraries and shows you how to use them to change an application after the app is running."

Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

Desktop Development

Audio Applications

The latest from Linux Music. This week, the Linux Music site looks at Spiral Synth Modular, Muse, GSMP, and DarkIce. The second part of Dave Phillips' article on Snd is also mentioned.

Browsers

Mozilla Bug Week. A new Mozilla Bug Week has been announced for October 27 through November 4, 2001.

Galeon 0.12.5 released. The Galeon project has released version 0.12.5. Features of the release include the ability to drag tabs as well as numerous bug fixes.

Desktop Environments

This week's GNOME summary. The GNOME Summary for October 19 is out. Topics include the GNOME 2 wish list, the new Nautilus release, the Evolution cheerleader squad, and more.

GNOME Installation Guide 10/2001 has been published. A new version of the Gnome Installation Guide has been published.

GNOME Foundation Elections 2001. The GNOME Foundation has announced an election for the Foundation's board of directors. The election will be held the week of November 13-20, 2001.

KDE 3.0 Multimedia Meeting (KDE.News). Stefan Westerfeld has posted a summary of last month's KDE multimedia IRC discussion.

C Mania: KDE 3 Offers C Bindings (KDE.News). Richard Dale has committed new C bindings to KDE's CVS repository via a hacked version of kdoc.

FLTK 1.1.0b4 released. Version 1.1.0 beta 4 of the Fast Light ToolKit (FLTK) has been released. This version includes lots of bug fixes and feature enhancements.

Games

Crystal Space 0.90 r001 released. A new release of the Crystal Space game development kit has been released. This version has the aim of stabilizing the API so that game developers need not spend so much effort catching up to changes. New features include an isometric engine, a landscape engine, and a texture generation utility. A new space demo is also included. (Thanks to Jorrit Tyberghein.)

Interoperability

Wine Weekly News for October 15, 2001. The October 15, 2001 edition of the Wine Weekly News is available. Topics include Debugging MFC Programs, Submitting Patches for Wine, Borland Style Imports, and DDEConnect Errors.

Office Applications

Gnumeric 0.72 released. Gnumeric 0.72 (the "oooh yummy eye candy" release) has been announced. The eye candy (much of which depends on the new guppi-0.40 release) notwithstanding, the emphasis in this release is on bug fixes and stability. "Guppi is a GNOME-based framework for graphing and interactive data analysis."

Programming Languages

C

Gcc 3.0.2 released. Version 3.0.2 of the Gnu Compiler Collection has been released. GCC is available here. (Thanks to Martin Lindhe.)

COBOL

TinyCOBOL. It has been brought to our attention that there is an open-source COBOL compiler project known as TinyCOBOL. The compiler is currently functional, no changes have been posted since last July's 0.54 release. (Thanks to Fred Mobach.)

Java

Learning Command Objects and RMI (O'Reilly). William Grosso, talks about Java command objects in an O'Reilly article. "In this article, I introduce the basic ideas behind command objects. In order to do so, I drag in an example application that provides a translation service from a remote server. After introducing this application, I will show how to use command objects to structure the remote method invocations (RMI) made from a client program. As part of this article, I will introduce a fairly general framework for encapsulating remote method calls in command objects."

Threading lightly : Sometimes it's best not to share (IBM developerWorks). Brian Goetz discusses Java threading details on IBM's developerWorks. " Writing thread-safe classes is difficult. It requires a careful analysis of not only the conditions under which variables will be read or written, but also of how the class might be used by other classes. Sometimes, it is very difficult to make a class thread-safe without compromising its functionality, ease of use, or performance. Some classes retain state information from one method invocation to the next, and it is difficult to make such classes thread-safe in any practical way."

Perl

Perl Debugging for Beginners (O'Reilly). John Callender talks about Perl debugging in an O'Reilly article. "Debugging is a specialized skill and it takes practice to become adept at it. Debugging is somewhat like car repair; an experienced mechanic can ask a few questions, listen to the engine for a second, and immediately tell you what's wrong with your car and what it will take to fix it. Meanwhile, a novice mechanic will pull apart the transmission when the real problem is a broken light on the dashboard."

P5EE Project, Mailing List Started (use Perl). A new mailing list has been set up to discuss P5EE, a Perl API that is similar to Java's J2EE.

Perl 6 : Not Just For Damians (Perl.com). Piers Cawley looks at the differences between Perl 5 and Perl 6 on Perl.com.

PHP

PHP Weekly Summary for October 22, 2001. The October 22, 2001 edition of the PHP Weekly Summary is out. Topics include: "Extension authors, PHP on Netware, PHP 4.1.0 RC 1, PHP for Win32 via Cygwin, PHP and MySQL 4.0.0, ext/skel, CVS reorganization, fix to snapshots, new 'overload' extension."

PHP-GTK 0.1.1 released. A new version of PHP-GTK is available, with lots of changes.

Peeking at Pear (O'Reilly). Chris Coleman examines Pear. "If you have ever programmed in Perl, chances are you have heard of CPAN, the Comprehensive Perl Archive Network. As you know, it's an easy way to add functionality to Perl. Most Perl programmers can't see how they ever lived without it.

PHP has a similar capability. It's called Pear: the PHP Extension and Add-On Repository. Pear is a framework and distribution system for reusable PHP components."

Python

Python 2.2.b1 released. The first beta of Python 2.2 has been released. See the announcement for a description of what's new.

This week's Python-URL. Dr. Dobb's Python-URL for October 24 is out, with the latest from the Python development community.

PyXPCOM - Python bindings for Mozilla XPCOM technology. ActiveState has announced the first release of the Python bindings for the Mozilla XPCOM (Cross-Platform COM) technology. "Although this is the first public release of these extensions, they are being used extensively in the Komodo project, ActiveState's cross- platform, multilanguage IDE based on Mozilla. Thus the functionality and stability of this package is remarkably high for a first release." This project is being released under the Mozilla Public License (MPL).

Ruby

This week on the Ruby Garden. The latest topics on the Ruby Garden include discussions on #exception, Python modules for Ruby, and more.

Smalltalk

OOPSLA 2001 Trip report. John McIntosh summarizes the events at the OOPSLA 2001 Smalltalk conference.
"Some of the questions to ask ourselves are:
What to do with the 17 year old geek Linux kids, how do we reach them, what do we say?
Why do I have five spell checkers on my machine, but none accessible from email?"

Tcl/Tk

This week's Tcl-URL. Here's Dr. Dobb's Tcl-URL for October 22, with the latest from the Tcl/Tk development community.

Tcl/Tk 8.3.4 Final Release. Version 8.3.4 of the Tcl language and Tk toolkit has been announced. This release features lots of bug fixes, patches, and improved HURD support. (Thanks to David Welton.)

XML

An introduction to SyncML (IBM developerWorks). Scott Stemberger looks at SyncML, an open industry spec for data synchronization. "In recognition of the fact that as the number of unique devices and the desire to access different enterprise resources proliferates, the SyncML initiative was formed to provide a uniform synchronization protocol for connecting multiple devices over any network to any data store. This article provides an overview of the open industry specification for data synchronization -- SyncML -- designed to meet the needs of the mobile user and their any-device, any-network synchronization needs."

Effective XML processing with DOM and XPath in Perl (IBM developerWorks). Parand Tony Darugar examines DOM and Xpath on IBM's developerWorks. "Based on an analysis of several large XML projects, this article examines how to make effective and efficient use of DOM. Developer/author Tony Daruger provides a set of usage patterns and a library of functions to make DOM robust and easy to use. Though the DOM offers a flexible and powerful means for creating, processing, and manipulating XML documents, some aspects of DOM make it awkward to use and can lead to brittle and buggy code. This article suggests ways to avoid the pitfalls. Perl code samples demonstrate the techniques."

The Slippery Soap (O'Reilly). Martin Gudgin and Timothy Ewald look at SOAP on O'Reilly's XML.com. "SOAP 1.1 has become a de facto standard, with broad industry support from many vendors, large and small, providing client and server implementations. The specification defines a set of conventions for exchanging XML messages, including rules for encoding data structures, an extensibility mechanism, a binding to the HTTP protocol, and conventions for RPC style invocations."

Section Editor: Forrest Cook

See also: last week's Commerce page.

Linux and Business

MontaVista releases high availability framework. MontaVista Software has announced the release of its High-Availability Framework, version 2.0, for Hard Hat Linux. The framework is intended for the creation of fault-tolerant systems on CompactPCI platforms; things like "switching equipment, service provider systems, streaming media and VoIP."

Red Hat adds Linux Desktop Productivity Essentials training course. Red Hat has announced the addition of a course in "desktop productivity essentials" to its training offerings. It's a three-day course aimed at people with no Linux experience.

Ximian adds vendors to Red Carpet. Ximian has announced the addition of a number of vendors to its "Red Carpet" update service. Red Carpet users will be able to use the service to get at Wine from CodeWeavers, game demos from Loki, the Opera browser, VMWare Workstation, and StarOffice from Sun.

Opera Software has sent out its own announcement on its presence in Red Carpet.

The new 'Lindows' operating system. A company called Lindows.com has announced the forthcoming availability of its "Lindows" operating system, said to be able to run both Linux applications and "many popular Windows software titles." It runs Linux underneath it all, with the addition of an enhanced Wine layer for Windows software.

IBM releases WebSphere Commerce for Linux. IBM has announced the release of WebSphere Commerce 5.1 for Linux on Intel processors. The Red Hat and SuSE distributions are supported.

Borland launches Kylix 2. Borland has announced the release of Kylix 2 for Linux.

VA Linux Systems filing 10-K (Annual Report). VA Linux Systems has filed its annual report with the SEC. For those willing to wade through a bunch of difficult language, there is a lot of information on the company to be found therein.

Linux Stock Index for October 18 to October 24, 2001.
LSI at closing on October 18, 2001 ... 24.35
LSI at closing on October 24, 2001 ... 25.34

The high for the week was 25.34
The low for the week was 24.35

Press Releases:

Open source products & services

• ActiveState (SANTA CLARA, CA): New Standard for Scripting Languages and Web Services.

• Intrusion.com, Inc. (RICHARDSON, Texas): Intrusion.com Adds New Open Source Network IDS Signature Download Center on Web Site; Site Goes Live Today with More Than 900 Open Source String Matching Signatures.

• Nemein Solutions (): Nemein opens public Midgard and Nadmin Studio support number.

• The GNU Bayonne project and the Open Source Development Lab (PORTLAND, Ore.): OSDL and GNU Bayonne Project Make Large-Scale Development and Testing Facility Available; Facility Will Enable GNU Bayonne to Reach Carrier-Class User Base.

Distributions and bundled products

• Argus Systems Group, Inc. and SuSE Linux AG (SAVOY, Ill.): Argus' PitBull Locks Down SuSE Linux Enterprise Server 7; Award-winning PitBull LX Brings Quick Implementation, Ease-of-Use and Proactive, Application-level Security to Enterprise Linux Users.

• Egenera, Inc. (MARLBORO, Mass.): Egenera's BladeFrame System Named Winner of a Best of Show Award For NetWorld+Interop 2001 Atlanta.

• SlickEdit Inc. (MORRISVILLE, N.C.): SlickEdit Announces Visual SlickEdit v6.0 for FreeBSD.

Proprietary Products for Linux

• BMC Software, Inc. (HOUSTON): BMC Software Expands Platform Management Strategy; Delivers Cross-Enterprise Support of Linux .

• RadiSys (HILLSBORO, Ore.): RadiSys to Provide Linux Driver Support for SS7 Adapters.

• Sangoma (): Sangoma Technical Newsletter covers Enhancements To WANPIPE for Linux.

• Teja Technologies, Inc. (SAN JOSE, Calif.): Teja Technologies Demonstrates Interoperability with Linux for Network Processor Software Development; Teja Provides Linux Interoperability to Network OEMs as Alternative to Traditional RTOSs.

• Workstation Solutions, Inc. (AMHERST, N.H.): Workstation Solutions Introduces Data Protection on Debian GNU/Linux.

Products and Services Using Linux

• Gatespace and Jungo Software Technologies Inc. (PALO ALTO, Calif. & SUNNYVALE, Calif.): Gatespace and Jungo Team Up to Provide an Open Services Residential Gateway.

• Keyhaven Systems Ltd (UK): Keyhaven Systems Team with LinuxIT for Support.

• Nippon Telegraph and Telephone Corporation (TOKYO, JAPAN): Linux-based systems delivers real-time HDTV on the Internet.

• VDSL Systems Inc. (DENVER): VDSL Systems Integrates Motorola's Open Platform Into Advanced DSL Technology Equipment.

• VirtualTek (BELLEVUE, Wash.): VirtualTek Offers Latest Suite of Secured E-mail and Collaboration Applications with Joydesk 2.6.

Products With Linux Versions

• Agilent Technologies (PALO ALTO, Calif.): Agilent Technologies Accelerates Manufacturers' Time to Market with Introduction of iSCSI Development Kit.

• Agilent Technologies (LAS VEGAS): Agilent Technologies Adds System and Application Management Capabilities to OSS Service Assurance Solution.

• Brainhat Corporation (EAST HARTFORD, Conn.): Brainhat Unveils Dynamic Voice XML/Web Server Built On Natural Language Operating System.

• Gianus Technologies (NEW YORK): Gianus Technologies Announces Beyond Encryption: Stealth Technology For PCs.

• Heroix Corporation (NEWTON, Mass.): IBM Certifies Heroix Premier Products for ServerProven Program; Heroix eQ Management Suite and RoboMon Secure IBM ServerProgram Status.

• Intoto Inc. (SAN JOSE, Calif.): Intoto Inc. Demonstrates the First Network Processor Based Firewall and Announces iGateway npFastPath Solutions.

• OnePage, Inc. (REDWOOD CITY, Calif.): OnePage Extends Integration to Major Portals.

• Vertel Corporation (WOODLAND HILLS, Calif.): Vertel Announces Release of Version 2.2 Of e*ORB; Software Supports Two New Platforms.

Books

• O'Reilly (Sebastopol, CA): "Enterprise JavaBeans, Third Edition" Released by O'Reilly.

Partnerships

• Ahura Technology, Inc. (SAN JOSE, Calif.): Ahura Technology Teams With MIPS Technologies to Join the MIPS Alliance Program; Company to Deliver GNU Development Tools for Embedded Applications.

• Mentor Graphics Corporation (WILSONVILLE, Ore.): Mentor Graphics Joins Open System C Initiative.

• SearchHound.com, Inc. (KANSAS CITY, Mo.): SearchHound forms Strategic Alliance with Atipa Technologies; Alliance Creates Web Presence for Atipa and Traditional Sales Channel for SearchHound.

• Spatial Corp. and Tech Soft America (Boulder, Colorado): Spatial and Tech Soft America Announce OpenHSF Initiative; Open Specification Designed to Meet the Needs of the Visualization Market.

Personnel & New Offices

• Nemein Solutions (): Nemein, Nordic provider of Midgard solutions, has founded two business units.

• Open Source Development Lab (TOKYO, Japan): Open Source Development Lab Hires Linux Leader to Head Sub-lab in Japan; Shinji Takazawa Takes On Leadership Role At New Lab Facility Outside Tokyo.

• Turbolinux Inc. (SAN FRANCISCO): Koichi Yano Joins as New President of Turbolinux Japan, Brings 16 Years Industry Experience; Yano Poised to Help Turbolinux Accelerate Growth.

Linux At Work

• Linux NetworX (SALT LAKE CITY, UTAH): Nation's Largest Repossession Company Makes Record Profits With New Paperless System Based on Linux NetworX Cluster Computer System.

Other

• Open CASCADE (PARIS): Top Winners of the Open CASCADE Developer Challenge to Enjoy a Week's Vacation For Two in the Sun.

Section Editor: Rebecca Sobol.

See also: last week's Linux in the news page.

Linux in the news

Recommended Reading

SSSCA gets a hearing Oct. 25 (NewsForge). NewsForge looks at the upcoming hearing on the SSSCA, which, apparently, is set for next week. "Eben Moglen, chief counsel for the Free Software Foundation, is succinct: 'SSSCA is a deliberate attempt to destroy free software.'"

Governor Calls for 'Cyber Court' (Wired). Wired News reports on upcoming U.S. attempts to "fix" computer security through legislation. "Gov. James Gilmore (R-Virginia), the commission 's chairman, said Wednesday that federal judges have been far too sluggish in approving search warrants and eavesdropping of online miscreants. Instead, Gilmore told the House Science committee , the commission will recommend that a 'cyber court' be created with extraordinary powers to authorize electronic surveillance and secret searches of suspected hackers' homes and offices."

Net security: An oxymoron (News.com). News.com interviews Peter G. Neumann. "The open-source movement is not inherently guaranteed to come up with secure software unless there is significant discipline in the development, distribution, operation and administration of the resulting systems. So it's important to realize that we have a lot of weak links, all of which have to be addressed. The idea that hiding the source code is going to solve the problem is utterly ridiculous."

Word to the Wise: Writer 638C (LinuxPlanet). Here's a Linux Planet story about OpenOffice. "After last week's review of StarOffice 6.0 beta, a few people asked me how it compared to OpenOffice. There seems to be the assumption that there is a divergence between the two office suite applications. I am telling you now, there is hardly any difference in performance or interface between OpenOffice and its parent-child StarOffice. Certainly not in the Writer component of each suite, which is what I focused on for the purposes of this review."

Companies

Introducing HP's 'CoolBase' platform (LinuxDevices). LinuxDevices.com has an introduction to HP's CoolBase platform, which is available under the GPL. "At HP Labs, we've used CoolBase to prototype several compelling applications. We've prototyped an Internet Radio that can be controlled from any web-enabled device-including a PDA, cell phone, or even your PC. We also used beacons and our Esquirt software loaded on HP personal digital assistants to create a virtual tour guide for the Exploratorium, a science museum in San Francisco, California."

Ockman: Staff cuts make Penguin Computing profitable (NewsForge). NewsForge talks with Penguin Computing founder Sam Ockman. "Ockman, a veteran Open Source advocate, said the cuts were needed to insure profitability: 'It's a shame, but it's what has to be done. The number one thing is to continue the company for our customers and be profitable every month. We're a profitable company with this restructuring.'"

Sharp announces November availability of Linux/Java PDA (LinuxDevices). LinuxDevices.com has a look at the latest gadget from Sharp. "Sharp Electronics today announced November availability of developer units of the Zaurus SL-5000D, which represents the first robust Linux-based PDA from a major consumer electronics corporation."

Sony plans to launch Linux PlayStation 2 in U.S. (CNN). CNN covers Sony's announcement that Linux for the PlayStation 2 will be available in the U.S. "During the presentation, another Sony employee demonstrated Linux running on the PlayStation 2 platform, running the X-Windows graphical user interface. Show attendees were also shown demonstrations of upcoming applications. They included a word processing program, a spreadsheet program, and an MP3 player running on the system."

Business

Can Linux systems be implemented across the enterprise today? (TechWeb). TechWeb is running a short debate on whether Linux is ready for "enterprise" use. "Each of our stores has a half-dozen computers running Linux. These systems, which provide a variety of services to our customers and associates, are linked via in-store LANs connected to our headquarters. Because of Linux's Unix orientation, the operating system lends itself to remote administration, which has worked well for us. Our stores span 42 states and are staffed by nontechnical people."

Resources

Implementing devfs (developerWorks). IBM developerWorks finishes its series on setting up devfs with a detailed, technical article on making it all work. "So, if you happen to be using a non-devfs kernel module, you'll need to create a device node in /dev manually. The problem with this approach is that this new device node will be ignored by devfsd, meaning that the next time you reboot, it will disappear. Our solution to this problem is to have the /dev-state/compat directory; if you have a non-devfs module, simply create your old-style device nodes in /dev-state/compat and they will be manually added to the devfs filesystem at boot time, thanks to the considerate steps of our handy init wrapper."

Reviews

Midgard Lights An Open-Source 'LAMP.' (CMS Watch). The CMS Watch site has a review of Midgard. "The most important application for Midgard -- the one that turns Midgard from an application framework into a relatively useful content management system -- is the administrative front end."

Interviews

TransGaming Interview (GameSpyDaily). GameSpyDaily interviews Gavriel State, CEO of TransGaming. "Once we have reached our subscriber goals, we will be releasing the WineX code under the much more liberal Wine license, and we will continue releasing code that way if our subscription numbers meet our targets. Thus, by subscribing, our users not only get the features and services they want to see right now, but they also help to establish the commercial viability of the Street Performer Protocol, which will have profound implications for the future of the entire information economy."

Interview: Russell King (KernelTrap). KernelTrap interviews kernel hacker Russell King. "The Linus 2.4 kernels are almost production quality, but there's still some work to do on them. Alan Cox's 2.4-ac branch is basically there. I switched the ARM community from Linus' kernels to Alan's around 2.4.8, mainly because I wasn't happy about the direction Linus was taking."

Miscellaneous

Section Editor: Forrest Cook

See also: last week's Announcements page.

Announcements

Resources

Hacking Billy the Big Mouth Bass. For those who have not had the pleasure...Billy the Big Mouth Bass is an obnoxious toy in the form of a singing, moving fish. One of those things children use to drive parents nuts. Now there is a site dedicated to hacking Billy with Linux out there - worth a look. Billy can be made to say anything you might want. There is source available, of course...

The ACM Forum on Legal Regulation of Technology. The ACM Forum on Legal Regulation of Technology is a new mailing list for the discussion of the interaction between law and technology. "Legal scholars have been discussing these issues for some time, but computer scientists have not been nearly as active in the debate. The forum seeks to bring technologists into the debate. Although we welcome the contributions of legal scholars, the forum belongs to technologists and has a technology-centric view." The list is patterned after the (required reading) RISKS list, and is moderated by Edward Felten.

Events

The third Real-Time Linux Workshop. The Third Real-Time Linux Workshop has been announced for November 26 to 29 in Milan, Italy. The list of participants includes a large cross-section of the real-time Linux community. See the announcement for details.

Conference: The Business of Open Source Software. A conference called "The Business of Open Source Software" has been announced for November 25 in Ottawa.. The keynote speaker will be Eric Raymond.

linux.conf.au final CFP. The final call for papers has gone out for linux.conf.au, to be held in Brisbane, Australia next February. Those who would like to present at the conference need to get their abstracts in by the end of October.

Events: October 25 - December 13, 2001.

Date	Event	Location
October 25, 2001	XMLEdge International Developer Conference & Expo
October 25 - 26, 2001	The Open Group Quarterly Conference	Amsterdam, Netherlands
October 25, 2001	LinuxDays	Luxembourg
October 27, 2001	LUGOD Linux Demonstration	(Davis Food Co-Op)Davis, CA
October 30 - November 1, 2001	LinuxWorld Germany	Frankfurt, Germany
October 30 - 31, 2001	tech-u-wear 2001	(Madison Square Garden)New York City
November 5 - 10, 2001	Annual Linux Showcase(ALS)	(Oakland Marriott City Center)Oakland, California
November 6 - 10, 2001	Annual Linux Showcase and Conference	Oakland, CA
November 6 - 8, 2001	LinuxWorld Malaysia	Kuala Lumpur, Malaysia
November 6, 2001	Java Information Days, Europe	Paris
November 7, 2001	Java Information Days, Europe	Amsterdam
November 8, 2001	NLUUG Annual Autumn conference	De Reehorst, Ede, Netherlands
November 8 - 9, 2001	XFree86 Technical Conference	(Oakland Convention Center)Oakland, CA
November 8, 2001	Java Information Days, Europe	Frankfurt
November 8, 2001	Embedded Linux Expo & Conference	(Sheraton Reston Hotel)Reston, VA
November 9, 2001	Open Source in Banking and Finance(OSBAF)	(Baltimore Engineering Society)Baltimore, Maryland
November 9, 2001	Java Information Days, Europe	Zurich
November 10 - 16, 2001	SC2001	Denver, Colorado
November 12, 2001	Third Annual Beowulf Bash	Denver, Colorado
November 17, 2001	Lightweight Languages Workshop 2001(LL1)	(MIT Artificial Intelligence Lab)Cambridge MA
November 25, 2001	The Business of Open Source Software(BOSS)	(Ottawa Public Library)Ottawa Ontario, Canada
November 28 - 30, 2001	Linux-Kongress 2001	(University of Twente)Enschede, The Netherlands.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Web sites

Openinformatics.org. A new web site called Openinformatics.org is being developed. The operators state: "The purpose of this website is to help scientists to become more aware of Open Source Software: what it is and how it may help them in their scientific research, as well as what OSS tools are avaible to them; and to encourage software developers to release their code in an Open Source model to make the software better." The site also features a repository of open source scientific software.

User Group News

Section Editor: Forrest Cook.

Software Announcements

The Alphabetical List and Sorted by license

Our software announcements are provided courtesy of FreshMeat

See also: last week's Linux History page.

This week in Linux history

Three years ago (October 29, 1998 LWN): The Red Escolar (Scholar Net) project was announced. This was a plan to install Linux throughout 140,000 schools in Mexico and was led by Arturo Espinosa. Nowadays, after gaining experience improving Gnome for the Red Escolar project, Arturo continued his work on Gnome in the United States, working for Helix Code (now Ximian). The Red Escolar project has been bogged down in politics and is suffering from a lack of funds and a lack of knowledgeable people.

There was a development kernel release 2.1.126. However the release had a number of compilation and lockup problems, so most avoided it and waited for 2.1.127.

Debian got congratulations on their port of Debian to the Netwinder two years ago. The Netwinder, however, has remained an infrequently used device, not quite living up to the promise we thought it had back then.

Corel announced its support for the Wine project, choosing it as a platform to bring their products to Linux and promising an infusion of new developers to the project as well. Although Corel has since gone over to the dark side, Wine is flourishing. The latest release is dated October 4, 2001.

Opera Software was having trouble creating a Linux version of its browser using volunteer developers for a proprietary project.

"If they wanted to tap into all that enthusiasm, opening up the source is the only way I know how to do that," said Eric Raymond, whose pioneering work in open-source development helped spur Netscape into freeing the source code of its Communicator browser. -- Wired News

Fortunately Opera has since resolved those problems and Opera for Linux is now available.

Two years ago (October 28, 1999 LWN): To no one's surprise, licensing problems between Qt and the GPL were in the spotlight two years ago, with Corel's development as the catalyst. Corel liked using Qt for developing the software they added to the Corel Linux distribution, but their developers were much less likely to be aware of potential licensing conflicts when mixing the Qt with GPL'ed code from Debian. Of course, such problems have now been largely eliminated by the dual-licensing of Qt under the GPL, a possibility not even under discussion then.

Comdex has had a standing policy of not admitting any person under the age of eighteen to the exhibit floor. That policy came under scrutiny, spawning much debate.

"There are some realities in this marketplace that Comdex is ignoring," said Lavers, a long-time Microsoft contractor who recently signed on as an equal partner at Matrixcubed, which son Mike launched at age 14 (a programmer at 3, he already had 11 years experience, explains Lavers the elder).

"Today's Internet marketplace includes active participation, contributions, and leadership from younger and younger people." -- Wired News

This year's Comdex registration page says "Note: No one under 16 is admitted." Other computer conferences have successfully removed such age restrictions, and events such as this do have much to offer interested teens, but Comdex seems to be moving in the wrong direction.

Miguel de Icaza quit his job in Mexico and moved to the United States, to build the company called Helix Code, with Nat Friedman and "secret investors". Today Ximian (the renamed Helix Code) is doing well producing GNOME and other applications.

One year ago (October 26, 2000 LWN): Ajuba Solutions was acquired by Interwoven. Ajuba was the corporate champion of the scripting language Tcl/Tk, and put in a large part of the total development effort. Some Ajuba (Tcl/Tk) developers stayed at Ajuba, doing proprietary XML stuff for Interwoven, who had no interest in Tcl/Tk and no plans to support it. ActiveState has taken over Tcl/Tk sponsorship. Then as now, Dr. Dobb's Journal is sponsoring the "Tcl-URL!" project.

KDE 2.0 was released.

Cliff and Iris Miller, the founders of TurboLinux, left that company and started Mountain View Data, where they remain.

LynuxWorks filed for an IPO. They are still a privately held company however.

A new site called KernelTrap showed up on the Web. It remains a good source of information about (Linux) kernel hacking.

Section Editor: Rebecca Sobol.

LWN Linux Timelines
1998 In Review
1999 In Review
2000 In Review
2001 In Review

See also: last week's Letters page.

Letters to the editor

From:	 Aldrin Martoq <amartoq@dcc.uchile.cl>
To:	 <mjhammel@graphics-muse.org>
Subject: Thanks for "On the Desktop"
Date:	 Fri, 19 Oct 2001 15:08:51 -0300 (CDT)
Cc:	 <letters@lwn.net>

Michael,

	This letter is just for thank you for all the good stuff you put
into "On the Desktop" section of lwn.net.

	I followed your column every day, you did a *very good job*, from
the beggining to the end. "On the Desktop" is one of the kind of sections
that was missing on lwn... I'm very sorry that the column is not there now.

	Well, I Hope the best for you and lwn...

Greetings from Santiago de Chile,

-- 
Aldrin

Dar es dar, y no marcar las cartas simplemente dar.
Dar es dar, y no explicarle a nadie no hay nada que explicar.
-- Fito Paez, "Dar es dar"

From:	 "Jay R. Ashworth" <jra@baylink.com>
To:	 letters@lwn.net
Subject: Project Liberty
Date:	 Tue, 23 Oct 2001 14:17:16 -0400
Cc:	 brian@apache.org, tim@ora.com, doc@searls.com, esr@thyrsus.com,
	 risks@risks.org, privacy@privacy.org

In last week's Linux Weekly News, there was some preliminary coverage of
Project Liberty, an "open" alternative to Microsoft's Hailstorm, which
is -- very roughly -- an a attempt to embed Passport into everything on
the planet.

The short version is: a repository of information about your person,
life, and preferences which can be accessed by people and companies you
authorise, to provide authentication that you are you, and information
about, for example, your purchase default desires (credit card numbers,
which card to use, do you prefer first class or coach, etc).

Now, this is, fundamentally, not an especially bad idea.

But how it is implemented is -- given the sort of information which it
might end up holding -- pretty crucial to your personal privacy: do you
want anyone except your doctor and your pharmacist knowing that you
have a prescription for protease inhibitors?  (Drugs used to control
AIDS and related conditions.)

You probably don't even want your *health insuror* to know that, even
though perhaps you want them to know *other* things about you, and
therein lies the major problem:

Hailstorm will be run by Microsoft.

And we all know how pristine Microsoft's track record is for placing the
interests of individuals above that of large corporations off of whom
Microsoft makes lots of money.  Right?


So here comes Project Liberty, an "open" alternative to this. They've
not much design done yet, I don't think, so we don't know what
*specific* goals PL will be aiming towards. But that's good, because it
means that this is the exact time for private individuals to be casting
their bets on what they think is important: personal privacy and control
are good choices there, IMHO.

I know that in our New World, it's almost unpatriotic to be concerned
about personal privacy, but you know what?  That's a wrongheaded, short
sighted, and dangerous outlook to have.  Our country became something
to be proud of, protect, and defend precisely *because* it attempted to
secure such liberties to the people against government control, and
corporations should be given no extra leash -- they work for