[LWN Logo]
[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Sections:
 Main page
 Linux in the news
 Security
 Kernel
 Distributions
 Development
 Commerce
 Announcements
 Back page
All in one big page

Other stuff:
Contact us
Archives/search
Links
Calendar
Daily Updates

Recent features:
Alan Cox interview 1998 Timeline

Here is the permanent site for this page.

Leading items


How quickly does Linux really respond to security problems? This week serious security holes were found in the Pine mail reader and a couple of FTP daemon implementations (see the security section for details). The Pine bug was exposed on February 8, ftpd on February 9. As of this writing, only one vendor (Red Hat) has made updates available to fill these holes. A particularly disappointing case is Caldera's security updates page, which was last updated in November 1998. SuSE has no security updates page at all. They claim to have a security alerts list, but clicking on the archive link on their mailing lists pageyields a "page not found" error.

And, lest one think that Red Hat has its act entirely together, it is worth pointing out that their updates site (updates.redhat.com) has been impossible to get into since the alerts came out, and none of the mirror sites that we have checked (and we've checked many) yet have the updates. For all practical purposes, updates are not available for Red Hat either.

These security holes are guaranteed to be the source of a highly public string of breakins over the next few months. One would think that it would be in the interest of the distributions to try to head this off as much as possible. Given that one of the advantages of free software is supposed to be quick turnaround on fixes - especially security fixes - it really seems that we should be doing better than this.

We at LWN are happy to suggest work for other people. In our opinion, every distribution should set a goal of getting security fixes out within 24 hours of notification that a problem exists. Each distribution should have information on security updates available on the front page of their web site. If Linux is truly to be better than the other operating systems out there, it must get its act together on security. Otherwise we're just making more empty promises.

(Information received later on updates for these security problems is available on the daily updates page.)

Monday, February 15, is Windows refund day. This is the day to take your unused version(s) of Windows back to Microsoft to ask for your money back, as provided for in Microsoft's own end user license agreement.

This event has the potential to be a crucial turning point in free software history. The purpose here is not to slap at Microsoft, or to make opinions known on their products. The point is the freedom to buy a computer without being compelled to buy one vendor's operating system if that system is not needed. Users of free software should not have to buy proprietary software that they do not want.

While organized refund efforts are happening in some areas, it is a bit disappointing that there are not more organized groups out there. A big rally in Silicon Valley will certainly draw attention to the cause. Rallies nationwide (or worldwide) would draw much more. The relative lack of organized gatherings certainly does not mean that people can not show up at their local Microsoft offices to ask for their refunds. Go for it, every body helps.

For more information, see the Windows refund home page, the timeline and press coverage page, or the Open Directory Project Windows refund page. Readers in France may want to check out the Centre de Détaxe Windows page.

The pre-installed Linux system market is getting more crowded, as witnessed this week by the arrival of Dell, and Indelible Blue (a long-time OS/2 reseller) on the scene. If this TechWeb article is to be believed, IBM will be announcing PowerPC systems running Linux on the first of March. Compaq has also reaffirmed its Linux stance with this Linux systems page.

The larger vendors are all pushing server systems for now; they evidently see less demand for desktop computers running Linux. They may well be surprised. A fairly safe prediction is that the hardware vendors will wake up in much the same way that the database vendors have: demand for Linux products will strongly exceed their predictions and they will quickly expand their lines.

The Linux system VARs that want to survive the entrance of the big boys need to firmly establish themselves almost immediately, or else find a niche that they can retreat into. That business is going to get much more competitive in a hurry. It is an unfortunate fact that, in this industry, the companies that create a market are often not the ones that profit from its maturity.

One interesting niche that seems empty at the moment is that of systems costing less than $1,000. Linux VARs seem to aim for the high end. But, along with all its other advantages, Linux does come cheap. It should be possible to build rock-bottom end systems with a very competitive price, due to the absence of the "windows tax." The first vendors into this area may find that they do better than they expect, even in a niche with such small margins.

It turns out that out discussion of Linux engineer certification in the February 4 issue of LWN missed one provider our own back yard. The University of Colorado at Denver offers a network administration course which results in, among other things, a "NACSE-LINUX NCLA (NACSE Certified Linux Administrator) Certificate." Lucky attendees get trained toward an MCSE test at the same time... (Thanks to Chuck Morrison, who heard a radio ad for the course).

If this issue of LWN seems a little thin (or grumpy) that's because it is. We're short-handed this week due to illness. With luck we'll be back to full strength next week.


February 11, 1999

 

Next: Linux in the news

 
Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds