[LWN Logo]
[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

Other LWN stuff:
 Daily Updates
 Calendar
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Archives/search
 Use LWN headlines
 Advertise here
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- GaŽl Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials


The long arm of the MPAA reaches into Norway. The arrest of Dmitry Sklyarov struck many as one of those "only in America" events. Certainly no country in the "free world" would attempt to arrest a programmer for having written code. The indictment in Norway of Jon Johansen, co-author of the DeCSS code, has shown that the world is not so simple.

This indictment comes as a result of pressure from the Motion Picture Association of America on ōKOKRIM, the Norwegian agency in charge of dealing with economic crimes. As described in this EFF release, this prosecution is a novel application of Norwegian law:

Johansen's prosecution marks the first time the Norwegian government has attempted to punish individuals for accessing their own property. Previously, the government used this law only to prosecute those who violated someone else's secure system, like a bank or telephone company system, in order to obtain another person's records.

Even that is not enough for the MPAA; they wanted Mr. Johansen charged with contributory copyright infringement as well.

The usual groups are swinging into action, and protests have happened in Norway. The EFF has set up a 'Free Jon' mailing list for those who wish to follow this case. With luck, the Norwegian justice system will see reason and eventually drop the charges against Jon Johansen. In the mean time, however, he is facing the possibility of two years in prison. All for allowing people to "break into" their own property.

This is not just an American problem. In the modern world, bad ideas can spread globally in little time - especially when pushed by a mean and scared industrial group. There will be more Dmitrys and Jons in our future, and they will be found worldwide. Those of us who value free software are going to have to fight for it, even in the "free world."

Should Aunt Tillie build her own kernels? Eric Raymond has been working for some time on a new kernel configuration system which, someday, is slated for incorporation into the 2.5 series. This project has seen its share of controversy over the last year, but, perhaps, never at the level of the last week. What is the development that has set off so many kernel hackers? It is an autoconfiguration module (implemented initially by Giacomo Catenazzi) which figures out which hardware is present on the system and cooks up a kernel configuration to match.

Eric has been working overtime to justify this work by way of an amusing set of stories. For your amusement, here are the inspirational tales of Aunt Tillie, her nephew Melvin ("Autoconfigure saves the day. Possibly it even helps Melvin get laid"), and the 'girl geek' Penelope. Beyond the possible improvement to hackers' love lives worldwide, the reasoning behind the work is essentially this:

Because the second we stop thinking about Aunt Tillie, we start making excuses for badly-designed interfaces and excessive complexity. We tend to fall back into insular, elitist assumptions that limit both the useability of our software and its potential user population. We get lazy and stop checking our assumptions. When we do this, Bill Gates laughs at us, and is right to do so.

There are reasons to question some of Eric's scenarios. Aunt Tillie is almost certain to be happier with the kernel supplied by her distributor, which includes numerous patches, has modules for an unbelievable variety of hardware, and has been extensively tested. Building and running a kernel off the net, even from a "stable" series, will never be without its potential surprises.

But the hostility to the autoconfiguration idea seems to go beyond that. Some people clearly do not want Aunt Tillie to be able to build a kernel without learning about the process and understanding what hardware is on her system. Some, perhaps, fear Aunt Tillie's inevitable "help me" message to linux-kernel once the process fails. Others, perhaps, prefer a world where only the Select Few are able to do certain things.

That latter view was often seen in arguments against the desktop projects a few years ago, though it seems to have faded away in recent times. But perhaps kernel hackers ("girl geeks" included) remain a more hairy-chested bunch. If Aunt Tillie can build her own kernels, that's one less thing that sets them, and their skills, apart.

Linux hackers in general have managed to get over this attitude in general, and that has been an unmitigated good thing. It has been repeatedly shown that Linux can be made easier to use without taking away the power appreciated by more advanced users. And an easier Linux, among other things, helps to ensure that the advanced users can work with Linux in the office as well as at home.

So there is no harm in the creation of an autoconfiguration system for the Linux kernel, as long as nobody is forced to use it. Even if it does not really solve Aunt Tillie's problems, there will certainly be a class of users that is helped by easier kernel configuration. It may even turn out that some of those kernel hackers end up using it to quickly configure and build a kernel for a strange system - when nobody is looking, of course.

(See also: Aunt Tillie's web site, hosted at her very own aunt-tillie.org domain - thanks to Nicolas Pitre).

Correction: last week's LWN Weekly Edition stated that Guenter Freiherr von Gravenreuth was behind the legal attack against MobiliX in Germany. The truth of the matter is that he registered the Obelix trademark in that country, but is not the one pursuing the enforcement action. We regret the error.

Inside this LWN.net weekly edition:

  • Security: Debian taking care; January CRYPTO-GRAM; lots of reports & updates
  • Kernel: The new ATA/IDE code goes in; initramfs and the end of compiled-in drivers. Nothing about Aunt Tillie.
  • Distributions: Deleting distributons from the list.
  • Development: Arch improves on CVS, Diet libc, Mahogany 0.64, OpenPKG 1.0, Galeon 1.1.2, Evolution 1.0.1, GHC 5.02.2, Python 2.1.2.
  • Commerce: IDC: Linux is cheaper than Unix; Korea migrates 120K civil servants to Linux desktop; Lineo spins off hardware businesses.
  • History: The long and winding road between Pacific HiTech and Turbolinux; Samba 2.0.
  • Letters: Overflowing with buffer overflow responses.
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:


January 17, 2002

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Security page.

Security


News and Editorials

Debian took a month to distribute a fix for a glibc buffer overflow vulnerability. This week's glibc updates from Debian and Slackware distribute a fix for the problem about a month after the first update from Red Hat on December 14th.

You may wonder why Debian, with over eight hundred developers and a dedicated security team, took so long to distribute a fix for such a basic vulnerability. The short answer is that with a half dozen architectures the only way to change glibc is very carefully.

This note from Martin Schulze illustrates the care with which Debian manages a distribution for six different architectures. Tending the necessary balance between release management and getting out security fixes for core components is a serious challenge. As Mr. Schulze notes, "we have to be extraordinary careful. This takes time."

January CRYPTO-GRAM Newsletter. Here's Bruce Schneier's CRYPTO-GRAM Newsletter for January. The main topic this time around is the Windows UPnP vulnerability. "To think, some time ago I criticized eEye for not waiting long enough before releasing a vulnerability. Shows how hard it is to get the balance right."

Security Reports

Nasty security hole in sudo. The sudo package, used to provide limited administrator access to systems, has an unpleasant vulnerability which makes it relatively easy for a local attacker to obtain root access. If you have sudo on a system with untrusted users, you probably want to disable it until you can get a fix installed.

So far, updates are available from MandrakeSoft, Conectiva, EnGarde, SuSE, Debian, Red Hat and Red Hat Powertools

Remotely exploitable vulnerability in pine. Pine has an unpleasant vulnerability in URL handling vulnerability which can lead to command execution by remote attackers. Updates fixing the problem were released this week by Slackware, EnGarde and Red Hat. This vulnerability is remotely exploitable; updating is a good idea.

Heap corruption vulnerability in at. Security updates for this potentially exploitable heap corruption bug are available from SuSE and Debian.

XChat session hijacking vulnerability. Updates fixing this problem in XChat were released by Debian and Red Hat.

EnGarde Secure Linux security update to LIDS. EnGarde Secure Linux released a security update to LIDS (Linux Intrusion Detection System) fixing a number of locally exploitable vulnerabilities.

Debian security update to gzip. The Debian Project has issued a security update to gzip fixing a buffer overflow problem in that package.

Debian security update to cipe. The Debian Project has issued a security update to the cipe VPN package fixing a denial of service vulnerability.

Yellow Dog Linux released a whole list of updates that they evidently forgot to send out until now.

Geeklog 1.3 vulnerability. According to this post to BugTraq the version of Geeklog released last December 30th has a vulnerability which "allows any user to assume the identity of any other registered user, including the administrative user." Instructions on where to obtain a fix are on the Geeklog website.

Pi3Web Webserver v2.0 is subject to a denial of service attach which crashes the daemon according to this brief description posted to BugTraq.

Updates

Bugzilla upgrade to version 2.14.1. This is a security update with patches for a number of security-related bugs described in this announcement. "All users of Bugzilla, the bug-tracking system from mozilla.org [...] are strongly recommended to update to version 2.14.1". The problem was first reported by LWN in the January 10th Security page.

New updates:

Previous updates:

Buffer overflow problem in glibc. The glibc filename globbing code has a buffer overflow problem. For those who are interested, Global InterSec LLC has provided a detailed description of this vulnerability. This problem was first reported by LWN on December 20th.

This week's updates:

Previous updates:

Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system. (First LWN report: August 16, 2001).

The stable release of Debian is not vulnerable.

New updates:

Previous updates:

Format string bug in stunnel. Stunnel has a format string bug described in detail here. Versions prior to 3.15 are not vulnerable. LWN first reported the problem on January 3rd.

This week's updates:

Previous updates:

Resources

Securing Linux Servers for Service Providers by Bill Half, Sr. Consulting I/T Architect, is now available in PDF format from this link inside the IBM Linux Technology Center website. (Thanks to Steve Fox).

Events

Upcoming Security Events.

Sixth Annual Distributed Objects and Components Security Workshop has extended the call for papers to January 26. "The workshop, hosted by the Object Management Group and co-sponsored by Promia, Inc. and the National Security Agency (NSA), will provide a forum for discussing the issues associated with securing integrated application systems." The workshop will be held March 18 through 21, 2002 in Baltimore, Maryland, USA.

Date Event Location
January 30 - February 2, 2002Second Annual Privacy and Data Protection SummitWashington D.C., USA
February 15 - 17, 2002CODECON 2002San Francisco, California, USA
February 18 - 22, 2002RSA Conference 2002San Jose, CA., USA
March 11 - 14, 2002Financial Cryptography 2002Sothhampton, Bermuda
March 18 - 21, 2002Sixth Annual Distributed Objects and Components Security Workshop(Pier 5 Hotel at the Inner Harbor)Baltimore, Maryland, USA

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


January 17, 2002

LWN Resources
Security alerts archive

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Kernel page.

Kernel development


The current development kernel release is 2.5.2, which was released on January 14. The final version of the patch added relatively little to the prepatches; some more scheduling tweaks, a devfs update, and more block device work. It also includes a bug that prevents swap from working properly; people who really want to run 2.5.2 should probably apply this patch.

2.5.3-pre1 came out shortly thereafter. It includes the swap fix, more scheduler work, a parallel port update, and, perhaps most interestingly, the surprise appearance of Andre Hedrick's new ATA (IDE) driver code (see below).

Dave Jones's latest is 2.5.2-dj1. It fixes a number of compilation problems people have encountered in 2.5.3-pre1, adds a scheduler update, and throws in a few other fixes.

Update: it appears that there is a problem with the new ATA driver which can hang systems. Andre is recommending not using 2.5.3-pre1 until he can get a fix out.

The current stable kernel release is still 2.4.17. The 2.4.18 prepatch is up to 2.4.18-pre4; it is restricted to the sorts of fixes and updates one would expect to see in a stable series.

Those looking for a bit more adventure in a 2.4 prepatch may be interested in Alan Cox's return to the "ac" business: 2.4.18-pre3-ac2. This prepatch is more development oriented, with goodies like Rik van Riel's reverse mapping virtual memory, 32-bit UID quota support, and, yes, Andre Hedrick's ATA patches.

The Linux IDE/ATA subsystem. The current Linux ATA (IDE) subsystem is a crucial piece of code. After all, it is responsible for handling I/O to and from the disks that are used on the vast majority of Linux systems; there are good reasons for wanting it to work reliably. So it can be unsettling to hear that subsystem called an unmaintainable hack, complete with the occasional "kooky kludge," and liable to corrupt data. Especially when the person speaking this way is Andre Hedrick, the ATA subsystem's maintainer.

According to Andre, the ATA code's problem comes from its long history. The code has been slowly evolved, with ever more complex patches being applied to make it work with new hardware. Any real attempt at design, says Andre, fell by the wayside in the 2.1 series (when the driver was made to support all architectures) and has been absent since. Rigorous testing and validation of the ATA drivers has not been done. There is, in fact, a known (rare) situation, involving the failure of a DMA transfer, that can corrupt data on the disk. Finally, the current driver does not support a fair amount of modern hardware and its new command modes.

What's needed, it is said, is a massively reworked ATA driver which has been redesigned from the beginning, has been verified to work in all situations, and which supports current and future hardware. Andre, of course, has such a driver - and has for some time. This code boasts a fairly impressive set of features:

  • It supports the ATA Command Block (ACB) (also known as "taskfile") method of controlling drives. An ACB encapsulates an ATA operation in a way very similar to the analogous SCSI command blocks; it is a successor to the old "go poking a bunch of registers" method of controlling ATA devices. In the short term, ACB's are the key to controlled command sequencing and error handling; they are part of the solution for the occasional data corruption problems. The ACB mode is also required to access a number of newer drive features, and will be mandatory for future hardware (such as serial ATA).

  • A number of new features are already supported. These include 48-bit addressing (needed to make use of those nifty new 160GB drives), tagged command queueing, and expanded chipset support.

  • The drivers have been extensively tested with ATA protocol analyzers and other vendor-supplied test harnesses, and have been shown to work.
The new ATA code has been around for a while. Some vendors (i.e. SuSE and others) have shipped it in their stock kernels. It is a part of Alan Cox's 2.4-ac patches. A number of users swear by it. But it did not make it into the 2.4 kernel, and it only got into the 2.5.3 prepatches just in time to force last-minute revisions to this article. Why has this patch remained on the outside for so long?

For 2.4, the main sticking point would appear to be the size and nature of the patch - 350KB for the 2.4.16 version. Since the patch completely reworks the internals of a vital kernel subsystem, people are understandably a little nervous about it. This large patch does not fit into the slow, evolutionary nature of much kernel development; it can not be broken up into small, simple patchlets.

In recognition of the natural reluctance to include a patch of this nature, the patch is designed (1) to allow the use of the old code paths when so instructed, and (2) to be selectable as a separate configuration option. Even so, Linus never wanted to include it. Marcelo Tosatti, the current 2.4 maintainer, does intend to include the patch in the future, when it has seen some more testing.

On the 2.5 side, the block I/O work got in first. Andre suggests that it might have been better to merge in a proven and verifiable ATA layer before thrashing the upper block I/O layers, but that is not how it happened. Now that the block changes have stabilized (for now), the ATA patch has been slipped in. Barring unforeseen problems, it should be a part of the 2.5.3 release.

Part of the problem, though, has been with Andre's approach to communication with the rest of the kernel developers. He tends at times toward volume and defensiveness, and has managed to annoy a number of people. Linus essentially refused to deal with him for a while, telling him to work through Jens instead (though that situation has since improved). Difficult personalities are not hard to come by in free software development communities, but it remains true that it can be harder to get your code included if you are hard to work with.

In any case, the situation seems close to a resolution. The code will see wide testing in both the 2.4-ac and 2.5.x kernels, and it should eventually find its way into the 2.4 kernel as well. Now it must be time to get one of those 160GB disks...

Nailing down initramfs. Part of the 2.5 plan for some time has been the merging of Alexander Viro's initramfs patch. This patch was covered on this page last August; it creates an initial ramdisk containing user-space code which completes the boot process. The contents of this ramdisk are appended to the kernel image itself. The idea is to move boot-time code out of the kernel entirely and to allow greater control over the system initialization process.

One question that is being considered now is: what, exactly, will people want to put in the initramfs image? Greg Kroah-Hartman has been polling people on this question as a way of figuring out what sort of C library will be required. Some of the things that have come up include:

  • Versions of fsck for the popular filesystems. Putting the checker into the initramfs image would allow checking of the root filesystem before it is mounted, which would be a good thing.

  • Partition discovery code. The code that figures out how a particular disk drive is partitioned currently lives in the kernel, but it need not really be there.

  • The full hotplug support mechanism, as a result of the fact that most or all devices will be treated as being hotpluggable in the future (but we'll get to that in a moment).

  • Network discovery tools, such as the DHCP client.

  • The full busybox tool suite.
Adding in busybox would make a 2.5 kernel into a complete, standalone, runnable system - though the kernel image would start to get pretty large.

All this leads to the question of how the ramdisk image will be built, and where the code will live. Some of the code (such as that which finds and mounts the root filesystem) comes straight from the kernel, and seems to be tightly tied to it. Perhaps it should remain part of the kernel distribution. On the other hand, very few people think that busybox should be added to the kernel tree.

So the kernel build process is probably going to have to get a little more complicated. Some kernel initramfs code will have to be merged in with other utilities which are maintained externally, and the whole mess will become the bootable kernel image. This one may take a little while to straighten out.

Those who are curious about what the initramfs image will actually look like can go to the draft specification of the initramfs buffer format.

Alan Cox also let slip another part of the plan for initramfs; this one is proving a little more controversial. It seems that kernel modules will go into the initramfs image as well. In fact, there will no longer be such a thing as a compiled-in driver; all kernels will have to load drivers (and other components) as modules from the initramfs.

Not everybody likes this idea. Many people build kernels with no loadable module support at all, and wish to continue doing so. Their reasons include:

  • Security. Some people feel safer if there is not an easy way to patch code into their running kernels. The fact of the matter, though, is that the Bad Guys figured out how to modify a running kernel some time ago, whether or not that kernel has loadable module support.

  • Performance. For a number of reasons, modular code runs a little more slowly, especially on some architectures. See the November 15, 2001 LWN Kernel Page for more information on why. Performance is a real issue, but it appears that it can be dealt with.

If one accepts that security is a non-issue and that the performance problems can be solved, and seeing that the plan is to treat even nailed-down hardware as if it were hot-pluggable, this change seems fairly likely to happen. Expect the 2.5 kernel to look rather different from its predecessors.

Other patches and updates released this week include:

Section Editor: Jonathan Corbet


January 17, 2002

For other kernel news, see:

Other resources:

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Distributions page.

Note: The list of Linux distributions has moved to its own page.

Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Distribution List Update - Deleting distributions. Work on an updated LWN Distributions Page continues. We have always been very conservative about deleting distributions from this list. However links that cannot be found, or that go to sites that are clearly not Linux distributions anymore, aren't helping anyone. But before we nuke these distributions from our list permanently, we would like to ask our readers to let us know if they have any updated information.

The Definite Linux site is still very much Linux oriented, but it didn't look like there was a Definite Linux distribution available. Also the Timpanogas Research site, former home of Ute-Linux, is there, but Ute-Linux is not. Same with CoolLogic's Coollinux.

Then there were the distributions whose websites clearly went elsewhere than to a Linux distribution. Accordingly we bid adieu to cLIeNUX, eXecutive Linux, ix86 Linux, Linux Pro Plus, Project Ballantain, and spyLinux.

Other distributions with unaccessible web sites include Alzza Linux, aXon Linux, Cafe Linux, easyLinux, FTOSX, Jurix, LinuxEspresso, LinuxPPP, LoopLinux, OpenClassroom, Stataboware, Trinux, Turkuaz, and WholeLinux. These too are slated for deletion unless someone can tell us of a valid website for them.

Distribution News

Debian News. Debian GNU/Linux 2.2r5 has been announced. This is a minor, bugfix release consisting mostly of security fixes, but there are a few other updates rolled in as well.

Here's the Debian Weekly News for January 9. Covered topics include a new set of "Debian on CD" pages, the Debian development process, unfixable bugs, the 2.2r5 release process, and more.

Debian fans going to Linux.conf.au will want to arrive a couple days early. There will be a Debian mini-conference during the two days preceding Linux.conf.au in Brisbane, Australia.

FreeBSD development moves to FreeBSD Mall. Wind River, which acquired the FreeBSD team when it picked up BSDi, has announced that the sponsorship of that team has been transferred to the FreeBSD Mall.

In preparation for the upcoming FreeBSD 4.5 release a testing guide has been released identifying areas in need of additional testing.

Mandrake Linux Community Newsletter. The January 15 Mandrake Linux Community Newsletter is out. Therein you'll find tips for trading MandrakeSoft on the OTC market, goodies for MandrakeClub members to download, the business case of the week, and more.

Red Hat News. Werner Puschitz has contributed this HOW-TO on Oracle 9i EE Installation on Red Hat Linux 7.1 and on Red Hat Linux 7.2.

Slackware News. There have been changes to some packages in Slackware on Intel. See the ChangeLog for details. There are security issues with some of these, (see this week's Security page for details). Users of Slackware's stable branch should check out that ChangeLog as well.

Yellow Dog Linux Bug Fix Updates. Yellow Dog has updates available for pmud and yup.

Minor Distribution updates

2-Disk Xwindow Linux System. The 2-Disk Xwindow Linux System released version 1.2rc05 beta.

Embedded Coyote Project 'Wolverine' Alpha 1. The first product based on the Embedded Coyote Linux distribution has been released for alpha testing. Wolverine is a firewall and VPN server that is designed to be run on minimal hardware while still providing enterprise class security, reliability, and performance.

Mindi-Linux. Mindi-Linux released version 0.52 on January 9, 2002. Mindi builds boot/root disk images using your existing kernel, modules, tools and libraries.

Trinity Rescue Kit. Last week we introduced the Trinity Rescue Kit, and the response from LWN readers encouraged some further development. So here is an announcement for TRK 0.4, the next version of this bootable CDROM distribution.

Distribution Reviews

SuSE 7.3 offers solid server reach and desktop usability (ZDNet). ZDNet reviews SuSE Linux 7.3. "Companies seeking a desktop alternative will find SuSE 7.3 well prepared. Desktop setup is highly automated and can be performed across a network, if desired."

Distribution Watch: A Month Later with Linux-Mandrake 8.1 (LinuxPlanet). Here's a review of Mandrake Linux 8.1 Gaming Edition on LinuxPlanet. "In my first review of Mandrake Linux 8.1, I did not get much farther than the initial setup and playing around with all the fancy new toys. Once that first look was finished, however, I had to get my machine up to my home office standards. For me, that means talking to the Internet, talking to my printers, and talking to the other machines on my network, including Windows and Mac machines."

Section Editor: Rebecca Sobol


January 17, 2002

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Development page.

Development projects


News and Editorials

Arch, a substitute for CVS. Tom Lord compares the current state of open source development to early automotive assembly lines, and focuses in on CVS as a software development component that is showing its age. Tom is the author of arch, an alternative to the CVS versioning system.

CVS is a bottleneck in our infrastructure. On the one hand, CVS does something incredibly useful: it helps multiple maintainers coordinate changes software. On the other hand, CVS is very limiting: for the most part, it helps only the people who have write access to a repository. Anyone else offering changes still has to go the `diff/patch' route, relying on one of the maintainers to turn patch sets into CVS transactions.

Arch is designed to solve a number of problems that have come to plague CVS users as projects get bigger and harder to manage. The list of improvements includes:

  • Atomic whole-tree commit operations.
  • Better file and directory renaming capabilities.
  • Replacement of the trunk topology for branching and merging with a star topology based system.
  • Support for distributed code repositories.
  • Automatic changelog maintenance.
  • Configuration management for multiple package distributions.
Arch currently works only under BSD systems, but a Linux port should not be too difficult to achieve. The current version is a "pre-release version of 1.0", it is the first public release. The arch license is the GNU GPL.

In addition to porting arch to other platforms, there are a number of development areas that are in need of work, pitch in and lend a hand if you can. CVS will no doubt continue to be useful for a long time, but arch promises to remove some of the bottlenecks in the development of large open-source projects.

Subversion. Another free versioning system that has been brought to our attention is Subversion, see this Linux Journal article for a review. Subversion is undergoing active development, the 0.8 version was released January 15, 2002. Subversion features an Apache-BSD style license.

Subversions.gnu.org, however, is the name of a CVS server for the GNU project. (Thanks to Steven G. Johnson)

Audio Projects

Cow C++ library does wavs. Cow is a set of C++ classes for graphing and playing audio data. The current version is cow-0.0.2. Cow is distributed with a GPL license.

Ecasound 2.0.4 released. A new version of the Ecasound multi-track audio processor tool has been released. This version features bug fixes for LADSPA plugins and ALSA 0.9 and new documentation.

Documentation

LDP Weekly News. The January 15, 2002 edition of the Linux Documentation Project Weekly News is available. This week features a discussion of a new, but optional Wiki style interface for editing documentation A number of new and updated documents are also listed.

Electronics

New Icarus Verilog snapshot. The gEDA site lists a new snapshot of the Icarus Verilog electronic simulation language compiler. This is mainly a bugfix release, see the release notes for the details.

Embedded Systems

Diet libc 0.13. A new release of diet libc is available. Diet libc is a small version of the C library that is designed for embedded Linux applications.

Silicon Penguin updates. The Silicon Penguin embedded Linux site lists a number of new software packages in the applications, tools, libraries, drivers, graphics, and distributions sections.

Embedded Linux Newsletter. The LinuxDevices.com Embedded Linux Newsletter for January 10 is out, with the usual roundup of interesting happenings from the embedded Linux community.

January Embedded Linux Journal online. The January 2002 issue of the Embedded Linux Journal is now online, by way of LinuxDevices.com.

Mail Software

Mahogany 0.64 released. A new version of the Mahogany mail client is available. Version 0.64 features new IMAP and POP features.

Network Frameworks

OpenPKG 1.0 released. Ralf S. Engelschall has announced the release of OpenPKG 1.0. OpenPKG is a new package management system designed to allow the software on a network of heterogeneous systems to be managed as a single virtual platform. It has the potential to make life much easier for administrators of large networks. (Thanks to Giorgio Zoppi).

Network Management

First MaraDNS beta release. The first beta release of MaraDNS, a new DNS server written with security in mind, has been announced.

Web-site Development

Zope Members News. The latest from the Zope Members News includes an announcement of Zope 2.5 beta4, examination of ZDataQueryKit, a look at the ZOD Zope Documentation Tool, and more.

Bricolage Content-Management and Publishing System (use Perl). Bricolage is a Perl based content-management and publication system. The usePerl site comments on the new 1.2.0 version.


January 17, 2002


Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

   

 

Desktop Development


Web Browsers

Galeon 1.1.2 released. Version 1.1.2 of the Galeon web browser is available. This release includes bug fixes, better auto completion, gestures, better IE favicon support, and more.

Desktop Environments

This week's GNOME Summary. The GNOME Summary for January 12 is out. Covered topics include new features in Nautilus, GUADEC 3 ("Everything from tree widgets presentations to talks on how to code when drinking lots of Guinness is welcome"), GNOME 2.0 status, and more.

Evolution 1.0.1 Released. Version 1.0.1 of Evolution has been announced by the Ximian folks. This release resolves some minor issues with the 1.0 release and improves stability and functionality.

People of KDE: Lubos Lunak. This week's People of KDE features Lubos Lunak, developer of KHotKeys.

Games

WorldForge Game Project Status. The WorldForge Game Project site features a recent project status report. Progress continues in a number of areas.

GUI Packages

Tutorial on coding with Python and Glade. Robert Laing has put together a tutorial on programming GNOME applications using Glade and Python.

Design Patterns in Qt (O'Reilly). Matthias Kalle Dalheimer, covers Design Patterns with Qt in an O'Reilly article. "Qt has the concept of signals and slots. This is a system that allows for component-based programming: Components can define signals that they emit under certain conditions and that have a defined list of parameters. Components can also define slots, which are nothing but ordinary C++ methods marked up with some preprocessor magic to be a slot."

Office Applications

AbiWord Weekly News. A whole flood of AbiWord Weekly News editions came out this week, see issue #75, issue #76, issue #77, and issue #78 for all of the latest project status and info. The AbiWord development team is on a mission to find and fix as many bugs as they can.

Miscellaneous

This week in DotGNU. This Week in DotGNU for January 12 is out with a summary of the latest developments in the DotGNU project. Among other things, the summary includes new projects to develop a DotGNU business plan and a C# application server.

 
Desktop Environments
GNOME
GNUstep
KDE
XFce
XFree86

Window Managers
Afterstep
Enlightenment
FVMW2
IceWM
Sawfish
WindowMaker

Widget Sets
GTK+
Qt
   

 

Programming Languages


C++

Initial gnomemm 2 release (C++ binding). The first releases of the gnomemm libgnome*mm libraries for GNOME2 have been announced. The libraries form the foundation for a GNOME2 C++ SDK.

Caml

Caml Weekly News for January 15, 2002. The latest Caml Weekly News is out. Topics include English translations of development docs, a packaging tool, an mlgmp bugfix release, pa_ocaml, editing mp3 tags from OCaml, and more.

This week on the Caml Hump. This week's Caml Hump looks at Mp3tag, a library containing functions to read or write mp3 tags, and pa_ocaml, a modified version of the ocamllex lexer generator.

Haskell

Glasgow Haskell Compiler version 5.02.2. A new version of the Glasgow Haskell Compiler has been released. Version 5.02.2 features a number of memory bug fixes. GHC is released under a BSD-style license.

Java

Using and Writing Java Servlets (Linux Journal). The Linux Journal features an introductory article by Petr Sorfa on Java Servelets. " In this article, I discuss the viability of using Java programs (servlets) with a web server. A servlet is a Java application that performs a task that may generate a dynamic web page or process input from a web page form."

Diagnosing Java Code: Depth-first visitors and broken dispatches (IBM developerWorks). Eric E. Allen discusses Java's depth-first visitors on IBM's developerWorks. "Allen discusses how it's possible to increase the terseness of your code through the use of depth-first visitors, a variant on the Visitor pattern."

Perl

Creating Custom Widgets (O'Reilly). Steve Lidie shows how to write widgets with Perl and Tk. "In this Perl/Tk article, I'll discuss balloon help, photos and widget subclassing. Help balloons can be attached to widgets, menu items, and, as we'll see here, individual canvas items."

PHP

PHP Weekly Summary for January 14, 2002. The January 14, 2002 PHP Weekly Summary looks at past and upcoming PHP conferences, a CORBA interface called Universe, cURL support, new extensions for SOAP and OpenGL, and more.

Python

Python 2.1.2 released. Guido van Rossum has announced the release of Python 2.1.2 - a bug fix release for the Python 2.1 series.

This week's Python-URL. Here's Dr. Dobb's Python-URL for January 14 with the latest from the Python development community. This week features Python 2.1.2c1, Pyreverse-0.1, XPipe, the Reptile Web Server, Python GUIs, IPy, Roundup 0.4.0b1, and more.

The latest from the Daily Python-URL. This week, the Daily Python-URL features articles on Bookland, a tool that generates ISBN and ISMN bar codes, PDFMap, a utility for generating maps in PDF format, the PyTraffic game, The HAP Python remote debugger, a refactoring browser known as Bicycle Repair Man, and more.

Ruby

The latest from the Ruby Garden. The latest items on the Ruby Garden look at adding an fsync method to the IO class and adding Java/c++ type method overloading to Ruby. The Ruby Weekly News also covers a number of Ruby projects.

Tcl/Tk

This week's Tcl-URL. Dr. Dobb's Tcl-URL for January 15, 2002 is out with the usual roundup of interesting stuff from the Tcl/Tk development community.

XML

Web Services Acronyms, Demystified (O'Reilly). Pavel Kulchenko defines a bunch of Web Services acronyms in an O'Reilly article. "More than twenty acronyms related to Web services came to light during 2001, and in this article I present a quick guide to the protocols and the specifications behind them, including a description of how they relate to each other and where each sits on the Web services landscape."

Working XML: Compiling XPaths (IBM developerWorks). Benoit Marchal continues his series on HC, the Java-based Handler Compiler (HC) project for SAX parsing. The HC Project is nearing its alpha release.

Miscellaneous

New Open64 compiler suite release. A new release of the Open64 C, C++, and Fortran90/95 compiler suite for the IA64 architecture is available.

Jext 3.1pre1 available. Version 3.1pre1 of the Jext programmer's editor is available. This release features changes to the core code, API, and GUI, as well as a few bug fixes.

Section Editor: Forrest Cook

 
Language Links
Caml
Caml Hump
Tiny COBOL
Erlang
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
Guile
Haskell
IBM Java Zone
Jython
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP
PHP Weekly Summary
Daily Python-URL
Python.org
Python.faqts
Python Eggs
Ruby
Ruby Garden
MIT Scheme
Schemers
Squeak
Smalltalk
Why Smalltalk
Tcl Developer Xchange
Tcl-tk.net
O'Reilly's XML.com
Regular Expressions
   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Commerce page.

Linux and Business


IDC: Linux is cheaper than Unix. Microsoft isn't the only one who can play this game: Red Hat has bought itself an IDC study showing that Linux has a "45-80% lower total cost of ownership" than Unix on RISC systems.

Korea migrates 120K civil servants to Linux desktop. HancomLinux reports that the Korean government is moving almost a quarter of its workers to Linux desktop systems.

By standardising on Linux and HancomOffice, the Korean government expects to make savings of 80 per cent, compared with buying Microsoft products.
-- The Register.

Lineo spins off hardware businesses. Lineo has announced the completion of the process of spinning off all those hardware businesses it acquired in the Bubble Days. Gone are Availix, uCdimm, and SnapGear, leaving the company focussed on embedded software. Lineo has also picked up a new $3 million investment from an unspecified source.

MandrakeSoft now trading in the U.S. OTC market. Here's a news flash from MandrakeSoft stating that the company's stock is now trading on the U.S. OTC market under the symbol MDKFF.

A presentation to the World Bank on free software. Here is the text of a presentation by Tony Stanco to the World Bank's annual "InfoDev" meeting. "It may surprise some of you that Open Source/Free Software is not just about developing great software. It is also an international social movement that touches on the fundamental human rights of freedom and democracy."

Red Hat filing 10-Q (Quarterly Report). Here is Red Hat's quarterly SEC filing for those interested in the details of how the company is doing. "During the three months ended November 30, 2001, the Company purchased 1,937,900 shares of its common stock at a total cost of $6.7 million."

Linux Stock Index for January 10 to January 16, 2002.
LSI at closing on January 10, 2002 ... 33.57
LSI at closing on January 16, 2002 ... 31.46

The high for the week was 33.57
The low for the week was 31.46

Press Releases:

Open Source Products

Proprietary Products for Linux

Linux PC Hardware

Products With Linux Versions

Linux At Work

Books & Documentation

Training and Certification

Partnerships

Personnel & New Offices

Other

Section Editor: Rebecca Sobol.


January 17, 2002

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Linux in the news page.

Linux in the news


Recommended Reading

Norwegian authorities indict creator of DeCSS (CNN). CNN has an article on the indictment of Jon Johansen. "With the DVD CCA's failed attempt to prosecute Johansen already on the record, it remains to be seen how successful the Norwegians will be at trying the teen. Representatives for the EFF have stated that the indictment sprouts from increased pressure from Hollywood and have said that they do not believe the case will stand under the Norwegian justice system."

DVD hacker Johansen indicted in Norway (Register). Here's an article in The Register about the indictment of Jon Johansen. "Despite the lawsuits, [EFF attorney Robin] Gross says that Johansen, who now works for a software company, is respected in Norway. She notes that he was awarded Norway's Karoline Prize given each year to a Norwegian student who receives top grades and makes a contribution to society. Gross says the EFF plans to coordinate protests and a letter-writing campaign similar to that which lobbied for the release of Russian programmer Dmitry Sklyarov."

Bride of UCITAstein (InfoWorld). Here's an InfoWorld "Gripe Line" article about the new UCITA draft. "For certain, any of the alternative proposals would have been better than the language the committee came up with -- apparently out of thin air -- for the free software amendment. The amendment the committee approved doesn't appear to benefit much of anyone, except maybe Microsoft. Just a coincidence, I'm sure."

USB 2 arrives in Linux test version (News.com). Even News.com reports on development kernel releases anymore. The article talks about the new features in 2.5.2, but misses the inconvenient problem with swapfiles not working. "Linux may have lost its allure as a get-rich-quick scheme for would-be entrepreneurs, but the largely volunteer programming community that advances the core software is still functioning."

U.S. Census Bureau Reaps Awards from MySQL-based Web Sites. According to the MySQL site, the U.S. Census Bureau has been using the MySQL database as well as other open-source software to develop a number of web sites. "In fact, one of the MySQL-run sites won the prestigious Census Bureau's Director's Award for Innovation in 2001, and the Bureau's web development team, which is led by Rachael LaPorte Taylor, senior technology architect for FedStats.gov at the Census Bureau, and Lisa Nyman, senior Internet technology architect, has begun serving as informal open-source consultants to their entire organization (of over 5,000 employees)."

UK fails to exploit open source (vnunet). vnunet says that the U.K. isn't using enough free software. "But key findings from in-depth interviews with 30 IT professionals, representative of a cross section of public and private organisations, identified key concerns as: uncertainty over what open source is; uncertainty over support and what the liabilities might be; lack of clear marketing positioning for products; and difficulties in identifying the right products for a given requirement"

Out the Windows (US News). The US News site has an introductory article about desktop Linux which is surprisingly positive. "As it nears a settlement in a U.S. antitrust suit, the software giant seems to have crushed all formal resistance to its dominance of desktop computing. But it has a guerrilla war on its hands, fought by the small but growing band of PC users who have forsaken Microsoft. They are opting for the only alternative other than switching to Apple's Macintosh: the decade-old Linux." (Thanks to Robert K. Nelson).

Ten Resolutions For Better Computing In 2002 (InformationWeek). Fred Langa has some New Year's resolutions: "I think it's time for all Windows users to have a 'Plan B' in mind: Begin exploring alternatives to Microsoft products. The free or low-cost Linux operating system is one obvious Windows alternative." (Thanks to M. Leo Cooper).

We can put an end to Word attachments (NewsForge). Richard Stallman writes about Word format attachments on NewsForge. "If you think of the document you received as an isolated event, it is natural to try to cope with it on your own. But when you recognize it as an instance of a pernicious systematic practice, it calls for a different approach. Managing to read the file is treating a symptom of a chronic illness. To cure the illness, we must convince people not to send or post Word documents." (LWN has had a policy of not accepting proprietary formats since the beginning).

Companies

MS obtains Lindows subscriber info (ZDNet). Here's a fun twist in the Lindows trademark lawsuit, as covered in ZDNet. "'We feel obligated to disclose to you that we were compelled to disclose your e-mail address to Microsoft during the discovery process as well as the content of many of your messages sent to us,' wrote Lindows founder Michael Robertson in a message on the company's Web site." (Thanks to Sean E. Walton).

The Lindows Alternative (IT-Director). Here's an IT-Director article about Lindows. "Since when did users pay $99 for a beta release of an Open Source product? This begs the question of how much we will have to pay for the finished article. LindowsOS is being aimed at small businesses so we must presume that the price will not go too high and that we will be able to download one copy and use it multiple times."

SuSE buys off trademark extortionist (Register). The Register has a strongly-worded article on the resolution of the trademark suit against SuSE. "Because crayon is a generic term it seems implausible that SuSE would have lost the suit had it gone to court. But of course the inability to distribute its product while the case was pending would have been a preposterous price to pay for vindication."

Business

Find High Tech in the Bargain Basement (Business 2.0). Business 2.0 likes the 'free beer' aspect of open source. "Forget the zealots. Open-source software isn't ready to take over the world just yet. But it can be had for free, and in this economy, free is good."

The Natural Resource View of Open Source Profit (TroubleShooting Professional). TroubleShooting Professional looks into how to make money with free software. "In fact Open Source more resembles an abundant, self renewing natural resource. Imagine it as a fast growing weed. You don't make money by selling abundant weeds -- you make money using them."

Reviews

Simputer: Ultra-cheap Linux laptop (ZDNet). ZDNet has discovered the Simputer. "The Simputer will be powered by Linux, and have an easy-to-use interface comprising mainly icons and graphics on its high-resolution 240 x 320-pixel touch screen. For users who are illiterate, the device also supports text-to-speech capability and will be able to provide voice feedback in local languages, according to specifications provided by Encore Software."

New European Linux PDA shows up at CeBIT (LinuxDevices). LinuxDevices.com has an article about yet another Linux PDA. "According to Adrian Steinmann of Invair, the device, called the Filewalker, was designed to be able to be operated with one hand and weighs a mere 0.2 lbs and is small but somewhat thick, at 3.4 x 2.2 x .74 in."

Keeping in Sync (Byte). Byte plays with the InterMezzo filesystem. "Wouldn't it be nice if my Linux box automagically always kept in sync with my desktop or my file server whenever the LAN became visible? Guess what. As of kernel 2.4.15, doing just that has become as easy as clicking on the right box when configuring the kernel before compilation."

The kernel of pain (LinuxWorld). Here's a LinuxWorld story from somebody who has not been having fun with the 2.4 kernel. "The 2.2 kernels may not handle large SMP machines as well, they may not handle large amounts of memory well (only 2 gigabytes), and they may have a practical limit of 2 gigabytes on a single file, but the 2.2. kernels don't crash or cause phone calls at 5:00 AM. Moreover, the 2.2 kernels don't make customers unhappy that they chose Linux as their server solution." (Thanks to Lance Jones).

Interviews

Interview: Rik van Riel (linux.html.it). Here's an interview with kernel hacker Rik van Riel on the linux.html.it site. "With Linus out of the way, I can make a good VM. I no longer have to worry about what Linus likes or doesn't like. This is mostly important for intermediary code, where some of the 'ingredients' to a VM are in place and others aren't yet in place. Such code can look ugly or pointless if you don't have the time to look at the design for a few days, so Linus tends to remove it ... even though it is needed to continue with development." There is also a version in Italian available.

Interview: Alan Cox (KernelTrap). KernelTrap has posted an interview with Alan Cox. "The 2.4-ac tree turned out very well. It was never something I set out to make a big thing but it ended up being used as the base for most 2.4 vendor released kernels. That was a big thing, not just for the code quality, but also because it showed everyone is still working together. 2.4-ac was built out of patches from many places, and I think almost every vendor, put together by someone at Red Hat and in various variant forms shipped by many other companies."

Interview: Gnumeric project leader Jody Goldberg (DesktopLinux). DesktopLinux.com has an interview with Jody Goldberg, leader of the Gnumeric project. "The desktop is an evolving target, we are getting there quickly. There are already many users whose needs are met by open alternatives. That number will continue to grow. That is the beauty of open source, it can continue to improve and expand as long as people are interested in it."

Interviews: Michael Meeks and Damien Sandras. The Free and Open Source Software Developers Meeting (FOSDEM) site has a couple more interviews with its speakers. The first is with Ximian hacker Michael Meeks. "Well - there are huge amounts of changes in Gnome 2.0; mostly we will be shortish on user visible changes, unless you're part of the 2/3rds of the world that couldn't read the typography before in your native language, or if you like your text right to left. Of course - there are other improvements, speedups, reduced memory usage, cleaned up and more robust libraries, a powerful accessibility framework for impaired users, the ability to use the Glib Object model in non-GUI apps etc. etc."

Then, there is this discussion with Damien Sandras, author of GnomeMeeting. "I will not detail all the things that we plan to implement into GnomeMeeting because it will be part of the talk. But the most interesting things are: the ability to make 'n to n' conference calls, support for answering machines, CU30 codec support, Gnome 2.00 port, and perhaps a Windows port."

A 'Speed Bump' vs. Music Copying (Business Week). Business Week interviews Edward Felten. " For someone like me -- I do computer-security research -- I now have this complicated, vague law [the DMCA] in my head all the time. Whenever I'm going to open my mouth to talk about technology, I have to think if it's safe, or do I have to call my lawyer. At the very least, it scares people away from topics that most need to be discussed."

Miscellaneous

Full Nelson: Postcards from the Ledge (TechWeb). TechWeb prints some of its weirder letters. "Linux is not ready for the Enterprise. There is not a single voice-controlled app for any of the mission-critical functions of the Enterprise. Conspicuously absent are warp core control, phaser bank activation, interstellar navigation, transporter operation and the all-important self-destruct sequence. Until these and thousands of other important apps are written and deployed, Linux will just be a toy in the Enterprise."

Section Editor: Forrest Cook


January 17, 2002

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Announcements page.

Announcements


Resources

Translate.org.za supports South African Languages. Translate.org.za is working on the translation of various open-source software projects into eleven South African languages. They are currently working on Mozilla and KDE and plan on enhancing the OpenOffice suite.

Events

linux.conf.au schedule posted. The schedule for the upcoming linux.conf.au (Brisbane, February 6 to 9) has been posted. There is an interesting set of speakers from Australia and beyond; we wish we were going to be there. See also the Debian mini-conference immediately preceding the main event.

GUAD3C - Call For Papers. The GNOME Gnotices site mentions a call for papers for the third annual GNOME Users and Developers European Conference 2002 in Seville, Spain from April 4- 6th, 2002.

LPI exams at Linux World. The Linux Professional Institute will be holding Linux exams at the Linux World in New York City on Thursday January 31, and Friday February 1, 2002. A 50% discount will be available.

aRts/KDE Video Roadmap Meeting. Join the aRts and KDE developers in an IRC discussion of the future of video and KDE. The discussion will take place on Saturday, January 26, 2002 at 21:00 GMT.

The Tenth International Python Conference. The Python Refereed Paper Track listing is available for the Tenth International Python Conference on February 5 and 6, 2002 in Alexandria, Virginia.

Mini developers' meetings at FOSDEM. The Free Software and Open Source Developers Meeting (Brussels, February 16 and 17) has an announcement on its web site that the event will include developers' meetings for the KDE, GNOME, PHP, Mozilla, and GNUStep projects.

The return of the Ottawa Linux Symposium. Once again, the Ottawa Linux Symposium will be held in, surprisingly, Ottawa. This year, however, the event is happening a little earlier: June 26 to 29. The call for papers has just gone out for those who would like to present at the event; the submission deadline is, according to the announcement, February 30th, but we would recommend getting yours in by the 28th.

Events: January 17 - March 14, 2002.
Date Event Location
January 28 - 29, 2002The Conference on File and Storage Technologies(FAST 2002)Monterey, CA
January 29 - February 1, 2002LinuxWorldNew York, NY
February 1 - 3, 2002Linux Event 2002Livorno, Italy
February 3 - 6, 2002Embedded Executive Summit(Ritz-Carlton)Half Moon Bay, California
February 4 - 7, 200210th International Python Conference(Hilton Alexandria Mark Center)Alexandria, Virginia
February 5, 2002OMG Information Days Europe 2002Amsterdam
February 6, 2002OMG Information Days Europe 2002Brussels
February 6 - 9, 2002linux.conf.auBrisbane, Australia
February 7, 2002OMG Information Days Europe 2002Paris
February 8, 2002OMG Information Days Europe 2002Madrid
February 13 - 15, 20021st CfP German Perl Workshop(Fachhochschule Bonn-Rhein-Sieg, Sankt Augustin)Bonn, Germany
February 16 - 17, 2002Free Software and Open Source Developer's Meeting(FOSDEM 2002)(Brussels, Belgium)Brussels, Belgium
February 18, 2002OMG Information Days Europe 2002Milan
February 19, 2002OMG Information Days Europe 2002Zurich
February 20, 2002OMG Information Days Europe 2002Munich
February 21, 2002OMG Information Days Europe 2002Vienna
February 22, 2002OMG Information Days Europe 2002Budapest
February 25, 2002OMG Information Days Europe 2002Prague
March 4 - 6, 2002International Symposium on Advanced Radio Technologies(ISART 2002)(Dept. of Commerce, 325 Broadway)Boulder, CO
March 5, 2002OMG Information Days Europe 2002Helsinki
March 6, 2002OMG Information Days Europe 2002Stockholm
March 7, 2002OMG Information Days Europe 2002Oslo
March 8, 2002OMG Information Days Europe 2002Copenhagen
March 12 - 16, 2002Embedded Systems Conference(Moscone Center)San Francisco, California

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Section Editor: Forrest Cook.


January 17, 2002

   

 

Software Announcements


Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:

The Alphabetical List and Sorted by license

 

Our software announcements are provided courtesy of FreshMeat

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Linux History page.

This week in Linux history


Six years ago: a company called Pacific HiTech (now known as Turbolinux) hawked its latest product: the January '96 Linux Monthly CDROM. It included, among other things, a Python.org snapshot, the 1.3.45 kernel, Postgres95, and the latest Debian boot and root disks.

Five years ago: Pacific HiTech released its new product: "Turbo Linux Red Hat 4.0". The "Turbo Linux" distribution has, of course, come a long way since then...

Three years ago (January 21, 1999 LWN): ZDNet looked at what Pacific HiTech had in mind:

Coming out in March will be Pacific HiTech's new TurboLinux Enterprise Server 3.0, bundled with numerous apps, including five licenses for the Oracle 8 database. [CEO Cliff] Miller, eyeing the higher-end corporate marketplace, is mulling over a starting price of several thousand dollars.

Well, it was a nice idea...

Samba 2.0 was released after a long development period. Such was the stability of that release that, three years later, much of the world is still running happily with 2.0.10 (though a 2.2 release is also available).

The "Windows refund" movement got started after a couple of Linux users managed to get their money back for the (unused) Windows software that came with their new computers.

Corel sold its Netwinder division to a company called Hardware Canada Computing - since renamed Rebel.com.

The current development kernel was 2.2.0pre8 - one of the last steps in the path to the 2.2.0 release.

Debian 2.1 ("slink") went into "deep freeze" prior to its official release - which was, of course, longer in coming than expected.

TurboLinux 3.0.1 was released. It was the first version of TurboLinux to be sold as a boxed set.

Two years ago (January 20, 2000 LWN): The first serious enforcement of the Linux trademark came about, in the form of a shutdown of an auction of 250 Linux domain names. These names included useful domains like "LinuxOnSteriods.com" and "ScreaminLinux.com." Alas, Linus shut down the auction and those names remain unused.

Linuxcare filed for its initial public offering of stock; interested folks can read our summary of that filing. This IPO never happened, of course, due to a combination of unfriendly markets and internal troubles at Linuxcare.

The development kernel release was 2.3.39. It became increasingly apparent that a 2.4.0 release was not going to happen anytime soon after Linus let in a number of major changes.

Debian 2.2 ("potato") went into code freeze:

"The code freeze for the next Debian release, code named "potato", has begun", says Richard Braakman, current Debian Release Manager. He expects the freeze process to take about two months.

2.2 was actually released in August... Linux-Mandrake 7.0 was released, as was Red Hat 6.1 for the Alpha architecture.

The world finally found out what Transmeta was up to.

Turbolinux announced the closing of a $57 million funding round.

One year ago (January 18, 2001 LWN): The 'Ramen Worm' attacked Red Hat-based systems that weren't up-to-date on some security updates.

Linuxcare and Turbolinux made an agreement to merge. This never happened.

Lineo withdrew its intended initial public offering (IPO) of stock, which had been filed in May 2000. In another sign of the times, VA Linux Systems put out another warning that earnings would not be up to expectations.

Linus was accepting only bug fix patches on the recently released 2.4 kernel. Thus some people were rather surprised to see a whole new filesystem (ReiserFS) show up in 2.4.1-pre4.

Helix Code changed its name to Ximian.

IBM and The National Center for Supercomputing Applications (NCSA) at University of Illinois at Urbana-Champaign, claimed to have created the worlds fastest Linux supercomputers in academia when NCSA installed two IBM Linux clusters, containing more than 600 IBM eServer xSeries systems running Red Hat Linux.

Section Editor: Rebecca Sobol.


January 17, 2002

LWN Linux Timelines
1998 In Review
1999 In Review
2000 In Review
2001 In Review

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Linux History
 Letters

See also: last week's Letters page.

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

January 17, 2002

   
From:	 Mark J Cox <mjc@redhat.com>
To:	 lwn@lwn.net
Subject: mutt example in LWN
Date:	 Thu, 10 Jan 2002 11:07:33 +0000 (GMT)

"before sneering too hard. Linux distributors have done a good job at
rushing out fixes for the remotely exploitable vulnerability in the
widely-used mutt mailer. That vulnerability is, of course, a buffer
overflow problem."

Hiya; 

Although there are other examples of remotely exploitable vulnerabilities,
the mutt vulnerability you cite is a bad example.  In this case, according
to the mailing lists, a remote attacker can cause a NULL to be written to
an arbitrary space in memory.  I think it's unlikely that this could be
crafted to give remote access to a machine.  Also, unlike the windows
overflow, for the mutt vulnerability to write this NULL to arbitrary
memory it requires an attacker to send a crafted mail message that is read
by the root user running a vulnerable version of mutt.  Given all this,
it's not a particularly serious vulnerability.

Good software design can stop buffer overflows altogether.  Apache was
desgined to have a resiliant pool-based memory management system, and in
the history of Apache 1.3 there have been no vulnerabilities due to buffer
overflows or that are particularly serious.  See
http://www.apacheweek.com/features/security-13

Cheers, Mark
--
Mark Cox / Red Hat Europe / OpenSSL / Apache Software Foundation
mjc@redhat.com //// T: +44 798 061 3110 //// F: +44 845 333 9533

   
From:	 Zooko <zooko@zooko.com>
To:	 lwn@lwn.net
Subject: automatically prevent buffer overflows without giving up C/C++
Date:	 Thu, 10 Jan 2002 06:30:08 -0800

Folks:

I'm surprised you didn't mention libsafe:

http://www.research.avayalabs.com/project/libsafe/

I haven't used it yet, but apparently it can be applied at program-load time to 
*object* code without needing access to the source code, and it prevents all 
buffer overflow attacks.

Why isn't this standard equipment on every Linux distribution?  Possibly because 
it is new and people don't know about it yet.  Possibly because it imposes some 
tiny performance penalty.

Regards,

Zooko

---
                 zooko.com
Security and Distributed Systems Engineering
---
   
From:	 Sid Boyce <sboyce@blueyonder.co.uk>
To:	 letters@lwn.net
Subject: RE: It is time to be done with buffer overflows
Date:	 Thu, 10 Jan 2002 15:33:43 +0000

	I have been using "libsafe" (supplied by Lucent technologies) since 
version 1, version 2 offers protection, not only against buffer 
overflows, but format strings.
	I don't know how effective libsafe is; there was a dismissive/hostile 
response to it from SuSE, along the lines that it did not offer 
comprehensive protection.
	In my own experience, I had one application I compiled here that
just did not run and on examination of /var/log/warn, I discovered the 
problem was a buffer overflow, I emailed the author and it was fixed in 
a day by issue of an updated source release. Then there was IBM's 
JDK-1.3 which similarly failed and I went back to using Blackdown's Java.
	I wonder if the reluctance to deploy libsafe is thought to be an easier 
course to follow than perhaps to deliver applications that may simply 
not run and for the distributions to have to deal with those i.e it's 
easier to deal with a problem the customer hasn't seen, but that could 
be disastrous, than to deal with a "XYZ doesn't work here" call from 
many of your customers.
Regards
-- 
Sid Boyce ... hamradio G3VBV ... Cessna/Warrior Pilot
Linux only shop

   
From:	 "John D. Hardin" <jhardin@impsec.org>
To:	 lwn@lwn.net
Subject: Re: 1/10/02 Front
Date:	 Wed, 9 Jan 2002 21:44:55 -0800 (PST)

"It is time to be done with buffer overflows."

Surely you've heard of Immunix and the StackGuard compiler?

While not a cure for buffer overflows, it makes their existence less
of a critical problem during the time the code is undergoing security
audit.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org                       pgpk -a jhardin@wolfenet.com
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79

   
From:	 bryanh@giraffe-data.com (Bryan Henderson)
To:	 letters@lwn.net
Subject: buffer overruns - helpful tool
Date:	 Thu, 10 Jan 2002 14:36:18 -0800

Your editorial last week talks about the annoyance of buffer overruns
prevalent on Linux systems, and how the heavy use of C makes them common.

Indeed, programming to avoid buffer overruns in C is monotonous, and I
really don't blame anyone for ignoring that possibility in a large work
of free software.

Until it is practical to do all code in high level languages, though,
I have a suggestion to avoid buffer overruns in C: asprintf().

asprintf() is a surprisingly little-used GNU C library routine.  It's 
special to the GNU library, so you can use it only in Linux-only code.
But if you can limit yourself to Linux, asprintf() makes C programming
almost as easy as in a string language, and saves you from having to
think about buffer overruns.

asprintf() is just like sprintf(), except that it allocates the space for
the result string.  So your buffer is never too small.  The only thing 
you have to do, reminding yourself that you'd still rather be using a 
high level language, is free the memory after you use the string.

(The next best thing, for code that must run without the benefit of
the GNU C library, is the now prevalent feature of snprintf() where it
tells you how much space your result _would have_ required when it
doesn't fit in the space you provided.  You can use that to do a
separate malloc() and make your own asprintf().)

Also, make liberal use of macros like this:

#define STRSCPY(A,B) \
	(strncpy((A), (B), sizeof(A)), *((A)+sizeof(A)-1) = '\0')

This makes it painless to copy a string from B to A without any
possibility of overrunning your A array.

-- 
Bryan Henderson                                    Phone 408-621-2000
San Jose, California
   
From:	 Andrzej Kukula <akukula@min.pl>
To:	 letters@lwn.net
Subject: Buffer overflows
Date:	 Fri, 11 Jan 2002 12:57:45 +0100


There are at least one good technique of writing code that doesn't
contain any buffer overflows. You may see it in qmail server and other
programs written by prof. Daniel Bernstein (http://cr.yp.to). It's based
on very simple yet powerful string library called "stralloc", and
requires very high coding discipline.

Let me remind that since the first qmail release in 1996, no-one found
any buffer overflow in it, despite the fact that there was a money prize
(see http://cr.yp.to/qmail/guarantee.html). There's also very secure DNS
server from prof. Bernstein, "tinydns", which is also based on this library.

The library has many advantages:
 - strings are binary - this means that there may be \0s in the middle,
 - string length is limited only by memory,
 - library is mature - contains complete orthogonal set of functions for
   string manipulation,
 - library is portable across UN*X.

Download qmail and see examples of good engineering!

I can hardly imagine programmers rewriting their apps to use "stralloc",
I just want to say that the stralloc library, together with other
libraries from prof. Bernstein, is a very good foundation to write
error-free programs.


Regards,
Andrzej Kukula

   
From:	 Lars Wirzenius <liw@iki.fi>
To:	 letters@lwn.net
Subject: Buffer overflows in C
Date:	 11 Jan 2002 17:33:41 +0200

You will probably get a pile of letters suggesting this, but just in case
you don't: Buffer overflows are, indeed, a common problem with C
programs. It is just too darn easy to mismanage memory allocation when
doing string processing in C. If switching to a more highlevel language is
not an option, one can still improve things while staying with C. The key
is to avoid using raw C character arrays (whether allocated statically or
dynamically) directly, and instead use an abstraction layer. A simple one
is implemented in the Glib library; see
http://developer.gnome.org/doc/API/glib/glib-strings.html for a
description. Glib also includes some functions to help deal with normal C
strings but hide many allocation details in functions; see
http://developer.gnome.org/doc/API/glib/glib-string-utility-functions.html. Using
either of these should help reduce buffer overflows a bit.

I wrote a somewhat more ambitious abstraction for the Kannel project;
see http://liw.iki.fi/liw/octstr.txt for one version of the interface.
The trouble with this approach was that pretty much everything related
to string processing had to be re-implemented, since none of the
standard libraries would deal with my abstraction. (Actually, we gave up
and implemented a way to access the raw C character array within the
abstraction to be able to use certain parts of the standard library.)

It is my opinion that even using a limited and incomplete abstraction,
such as any of the above, will help reduce buffer overflows
tremendously. In fact, they even make programming easier and more fun,
since you don't have to worry about minute details of memory allocation
every time you process a string.

(Myself, I prefer to use a higher level language when possible, but the
huge numbers of tools that will work with C, but not with, say, Python,
does not always make this practical.)

-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty not safety." -- Benjamin Franklin, 1759
   
From:	 Miles Elam <withheld on request>
To:	 letters@lwn.net
Subject: Modern C++ doesn't have the same problems
Date:	 Fri, 11 Jan 2002 15:07:08 -0800

While legacy C++ may have had as hard of a time fighting the dreaded 
buffer overflow as the language upon which it was originally based, 
modern C++ implementations have done much to help the programmer avoid 
such oversights.

Case in point, if you see the following in C++

  char *foo;
  foo = (char*)malloc(12);
  strcpy( foo, "Hello" );
  strcat( foo, " World" );
  int length = strlen( foo );
  free( foo );
 
or such relics from C as strcmp, realloc, qsort, etc. then you will 
eventually have problems.  In modern, standard C++ you will more likely 
see the following

  std::string foo;
  // foo.reserve( 12 );  // Optional if you want to avoid memory 
reallocation and keep up with the C version
  foo = "Hello";
  foo += " World";
  int length = foo.size();

And if you were to compile these, you would find little measurable 
difference (if any) in code size or speed.  Go ahead!  I dare you!  And 
note that if the former were reading a user-generated string, a buffer 
overflow exploit is quite likely without extra runtime checks and 
overhead.  The C++ version has no similar problem, and you don't have to 
explicitly bother with the heap, dynamic memory allocation, and the 
dreaded memory leak when deallocating memory.  All of the speed and 
(almost) none of the headaches.

Standard C++ was ratified in 1998.  Lumping C and C++ together is as 
outdated and wrongheaded as saying Linux has no support whatsoever for 
USB devices.  After all, it was true in 1998, and there are still plenty 
of installations out there that still don't support USB.

I hate to be a language bigot, and I truly believe that C, Java, C++, 
Perl, Python, et al have their own niche and their own set of strengths 
and weaknesses.  But the longer the belief that C++ is C with extra 
unnecessary complexity is allowed to stand,  the longer die-hard C 
programmers who refuse to use something "slower" will avoid it and its 
protection against the buffer overflow attack.

A good article on this topic is Bjarne Stroustrup's "Learning Standard 
C++ as a New Language" (http://www.research.att.com/~bs/new_learning.pdf)

As a counterargument against the "just be more careful in C," being 
careful all of the time is not realistic.  How many times have we 
accidentally dropped a plate while doing the dishes or locked ourselves 
out of the car or house?  People are fallable and therefore, so is the 
software created by people.  C++ is a logical "other language" for 
people to move toward if they already know C.  It follows a closer 
programming model than a language like Java with its JVM and 
fundamentally different focus.  Don't criticize C++ too unfairly.

And while I'm here, I'd like to mention that all copies of "Practical 
C++ Programming" published by O'Reilly should be used for kindling. 
 It's about time they came out with a new edition.  Too many people buy 
that book on the good name of the publisher only to be forever turned 
off the language for the worst reasons.

- Miles Elam

   
From:	 "Dan Maas" <dmaas@dcine.com>
To:	 <letters@lwn.net>
Subject: Buffer overflows
Date:	 Sat, 12 Jan 2002 19:50:31 -0500

"...anybody contemplating a new development should think
long and hard about using an implementation language that
is inherently resistant to buffer overflows. Many such
languages exist (consider Python, Perl, Ruby, Java, etc.)..."

One must keep in mind that while these languages are indeed resistant to
buffer overflows, this very feature makes them vulnerable to
memory-exhaustion denial-of-service attacks. (since the language runtime
presumably allocates additional memory when strings need to grow longer).

e.g. a C programmer might write:

char *a, *b, c[100];
sprintf(c, "%s%s", a, b); /* potential overflow! */

while a Python programmer might write:

c = a + b   # no chance of overflow, but allocation of space
              for c could fail if a and b are large and memory is exhausted

In other words, no language runtime can automatically eliminate the class of
bugs that results from trusting input too much. The programmer cannot avoid
spending time and effort to ensure that the code handles malicious input
gracefully (e.g. by using snprintf() in C, or wrapping the Python statement
in a 'try' block to catch memory exceptions).

Regards,
Dan

   
From:	 Adam C Powell IV <hazelsct@mit.edu>
To:	 letters@lwn.net
Subject: Buffer overflows and hardware/software diversity
Date:	 Tue, 15 Jan 2002 12:39:35 -0500

To the editor:

Thank you for your excellent editorial on buffer overflows (1/10/02 main 
page), in which you rightly decry the unfortunately common buffer 
overflow problems in both open and proprietary software.  You offer as 
solutions thorough auditing of code and more widespread use of languages 
which do not suffer from this problem (though these alternative 
languages are only as secure as their implementations).  I do not know 
the details, but from what I have heard certain kernel modifications 
such as can be found in NSA SELinux can offer additional protection.

I would like to offer one more solution which we in the Free Software 
community (and Linux in particular) are in a unique position to use: 
security by platform diversity.  When a buffer overflow problem is 
reported, the first exploits are (almost) always written for i386 and 
compatibles.  Those of us who run Linux on PowerPC, Alpha, Sparc, ARM 
and other platforms are thus inherently immune to takeover via those 
particular exploits.  And though it is possible for an attacker to write 
other exploits for these alternative platforms, it is certainly not easy 
to do so.  Debian in particular shines as a cross-platform distribution: 
potato was released for six platforms, and there are eleven platforms 
with at least 7000 packages in woody (Alpha, ARM, HPPA, IA-32, IA-64, 
M68k, MIPS, MIPSel, PowerPC, S/390, Sparc, with over 5000 packages for 
Hitachi SuperH in unstable).

Having watched the demise of the once-mighty but closed-source Amiga, 
having seen Apple declare obsolescence of generation after generation of 
old Mac hardware, and Microsoft abandon platform upon platform for 
(planned) Windows NT support, having heard Sun's recent announcement of 
the end of Solaris/x86, I can quite confidently state than nowhere in 
the proprietary world will there ever be anything close to the level of 
platform diversity that we have in our community.  The classic cycle of 
"closed-source -> not maintained -> abandoned -> insecure -> dead" 
simply does not exist in our world: as long as there are user/developers 
on a given platform, it will survive and even thrive with thousands of 
software upgrades and new releases every year.

There are of course limitations to security by hardware diversity.  One 
is that running, say, wu-ftpd on ARM protects the machine from hostile 
takeover using a wu-ftpd i386 buffer overflow exploit, but does not 
protect it from a server crash or other DoS use of the exploit.  Another 
is that it may not be easy to translate an exploit to a different 
processor architecture, but for a good assembly coder, it's not *that* 
hard either, once the exploit is known.  So this could in a way be 
considered a form of "security by obscurity" which buys hours' or days' 
worth of time (cf. your piece a few months ago on potential lightning 
worms which propagate across the entire 'net in 15 minutes) but does not 
*guarantee* protection.

Software diversity, on the other hand, does provide such a guarantee 
against these weaknesses.  For example, whereas Microsoft ships just one 
(notoriously insecure) http server, Debian has *nine* in unstable, along 
with multiple ftpds and two sshds, and the default mail transport agent 
is *not* sendmail.  In addition to Linux, Debian has Hurd in an advanced 
state, and even experimental FreeBSD, Darwin/MacOSX, and (shudder) Win32 
ports in the works for kernel diversity.  Viewed in this light, the 
GNOME/KDE/GNUStep etc. diversity gives more strength to our community 
than just the competitive stimulus which they provide -- not to mention 
Netscape4/Mozilla/Konqueror/Galeon, KMail/Evolution/NSMail/Mutt/Balsa, 
etc.  All of this diversity makes life very difficult for even a truly 
gifted cracker who wants to bring down the free software community, and 
reduces to highly improbable your prediction that the Linux community 
will suffer a catastrophic security problem in 2002 on the scale of 
those which afflicted Microsoft in 2001 (and 2000 and 1999 and...).

So diversity of hardware can offer protection from hostile takeover via 
buffer overflows, at least for a time.  Software diversity does even 
better, by limiting the machines (or users within a machine) which can 
be compromised to those which run the vulnerable implementation of a 
given service.  In this light, the monocultures of Microsoft and even 
Apple and Sun make those companies treacherously vulnerable to 
catastrophic consequences of buffer overflows, as we have seen.  On a 
smaller scale, this calls into question RedHat's decision to no longer 
provide a "complete operating system" for Alpha, and Rebel.com's  switch 
from ARM to i386-compatible Crusoe in the Netwinder firewall/server 
product line.

It is unfortunate that many of the architecture ports exist mainly to 
service legacy machines: with even Alpha and in some ways IA-32 
scheduled for phaseout, only IA-64, PowerPC, Sparc, S/390 and perhaps 
ARM and SuperH remain under active development.  Then again, nowhere 
outside the Free Software community is any software maker positioned to 
take advantage of even half of this wonderful plethora of hardware, and 
even legacy hardware platforms will remain quite capable of meeting 
security-sensitive server and router/firewall needs for a great many 
users for the indefinite future -- but only if they run Free Software!
-- 

-Adam P.

GPG fingerprint: D54D 1AEE B11C CE9B A02B  C5DD 526F 01E8 564E E4B6

Welcome to the best software in the world today cafe! 
<http://lyre.mit.edu/%7Epowell/The_Best_Stuff_In_The_World_Today_Cafe.ogg>


   
Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds