
Linux Links of the Week


What is CERN up to nowadays? Sometimes dubbed the "place where the Internet was invented", CERN is apparently looking at LIGHT these days. That is, they are looking at Logical Information Global HyperText, a "system that automatically represents and connects information, making it available as objects on the network."

The framework of the LIGHT system will be published under the GPL. For more information, check this announcement. (Thanks to Bernhard Reiter).

Section Editor: Jon Corbet


June 29, 2000

   

 

This week in history


Two years ago, July 2nd, 1998. John Kirch published his paper on the superiority of Unix over NT. Nowadays, the Unix versus NT website continues his mission. Alan Cox drafted the Anti-Assimilation License, designed for contributing code to BSD projects yet protecting them in a manner similar to the GPL. OpenContent.org started looking at how to apply free software licensing principles to documentation and other non-software content.

On the news end, Bill Gates claimed, "I've never had a customer mention Linux to me". That is one statement he is unlikely to make nowadays. Corel's Netwinder was announced, meeting a level of enthusiasm that it has failed to live up to.

Caldera made the Netware server available on OpenLinux. Donald Becker's Beowulf site came back.

One year ago. July 1, 1999. The Linux telephone was announced. Eric Raymond published his paper The Magic Cauldron. The Mindcraft Linux versus NT benchmarks were re-run; the performance flaws found in Linux became a top priority and were quickly addressed.

Slashdot was acquired by Andover.net this week, becoming the first Linux community website to draw a truly large sale price and setting a precedent for many future acquisitions.

Slashdot sells out says Salon Magazine. "Is Slashdot moving toward the lucrative realm of IPOs and stock options? If so, it would be surprising, considering Slashdot's fiercely independent voices and for-the-people community."

The Free Practice Management Project was launched that week. Many of the folks responsible for the BugTraq full-disclosure mailing list formed SecurityFocus.com. A file corruption problem in the Linux 2.2 kernel series continued to elude developers. The Hard Hat embedded Linux distribution was announced, along with tummy.com's KRUD (Kevin's Redhat Uber-Distribution). The Apache Foundation was created to support the Apache project.

Oh, and yes, Richard Stallman and Eric Raymond were fighting again.

 
   

 

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
 
   
Date: Fri, 23 Jun 2000 09:44:57 +0000 (GMT)
From: John Carter <john@netsys.co.za>
To: lwn@lwn.net
Subject: What We Really Need Is....

Greetings LWN,

Are you aware of http://www.whatweneed.de ?

A month or three ago a group of students came onto our local Linux User
Group mailing list and asked, "What does Linux still need?" They were
doing a project and wanted to do something useful.

This started up a _long_ thread of the format...
  Answer 2n   "What we really need now is ...."
  Answer 2n+1 "We've got that already see http://......"
For n = 1 to about 30 I think.

In one sense it's excellent news. Linux now has nearly everything and
http://freshmeat.net is an excellent resource for finding it if it
exists.

In the end the students went off and did something boring that had
already been done. Sad. None of us at the time knew about What We
Need.

What We Need is a site where you can add items / comment on and vote
for "What Linux Really Needs Now".

I truly believe that Mr. Herzog's excellent site needs to be more
widely known amongst the Linux community. (I have no interests in
Mr. Herzog's site beyond his, mine and your common desire that Linux
succeeds.)

Thanks,

John Carter

Work Email : john@netsys.co.za Private email : cyent@mweb.co.za 
Yell Phone : 083-543-6915      Phone         : 27-12-348-4246

Carter's law of Strategic Planning.

"Beware of plans that apply equally well to making pizza as to
software development, for they shall neither improve thy pizza nor
thy software."

   
Date: Thu, 22 Jun 2000 10:09:30 -0400
From: John Klar <j.klar@xpedite.com>
To: letters@lwn.net
Subject: Your comments w.r.t Lessig's "Code and Other ..."

I know it's early in the morning (for me anyway), but I think you
completely missed the point of what "regulation" Mr. Lessig was
referring to.  My interpretation of the quote you provided was his
opposition to shrinkwrap licenses that indemnify the producers of bugs
(product defects).  He is absolutely not advocating the code Thought
Police.

Next you proceed with a point about Open Source having less Y2K
problems.  True, but is it because Open Source packages are Open Source,
or because they use Unix time_t encoding, which, by the way, blows up
somewhere in or around 2034.

Open Source advocacy is all well and good, but be careful what features
good or ill you ascribe to it.  Unwarranted claim of the moral
high-ground, is almost as bad as a flamewar.

John Klar, for himself
   
Date: Thu, 22 Jun 2000 10:52:44 -0400
From: Seth Gordon <sgordon@kenan.com>
To: letters@lwn.net
Subject: Re: your capsule review of _Code_

I haven't read Lessig's _Code and Other Laws of Cyberspace_, but your
quote from the book doesn't match your fear of "government code
inspectors".  Lessig, in the quoted paragraph, refers to "the tort
system .. holding producers responsible".  That is, he wants to
control software vendors with the threat of lawsuits from customers.

For example, Congress could pass a law requiring software vendors to
*either* distribute their software under an open-source license, *or*
provide some reasonable warranty against consequential and indirect
damages.  Such a law would give closed-source software vendors an
incentive to either improve their quality or open their code; it would
provide a safe harbor for open-source software vendors; and it would
not require additional government bureaucracy.

--
--Why is it that most kids are attracted to computers while
  most adults are quite wary of computers?
--Most adults are smarter than most kids. ["Ask Uncle Louie"]
== seth gordon == sgordon@kenan.com == standard disclaimer ==
== documentation group, kenan systems corp., cambridge, ma ==


   
Date: Thu, 22 Jun 2000 14:11:31 -0400 (EDT)
From: Patrick Reynolds <reynolds@cs.duke.edu>
To: letters@lwn.net
Subject: disabling module loading / capability bounding set

In this week's LWN News page, LWN said:
> For this reason, many security-conscious sites disable module loading
> entirely, either via explicit kernel configuration or by using the
> capability bounding set.

And way back in December, LWN said something similar:
> It turns out that one capability, CAP_SYS_MODULE, is required to load or
> unload kernel modules. If you remove CAP_SYS_MODULE from the bounding
> set, no more modules can ever be loaded - just what the doctor ordered.

LWN is missing a significant weakness in the capability bounding set.

The capability bounding set is useless unless you disable /dev/mem,
because /proc/sys/kernel/cap-bound maps directly to the cap_bset variable
in kernel memory.  With a quick poke (remember peek and poke from the days
of BASIC on C64s and IBM PCs?) into /dev/mem, you can reset the cap_bset
variable, reenabling any or all capabilities, despite the intended
one-way-ness of the capability bounding set.  To get the address for
cap_bset, just:
  $ grep cap_bset System.map
  c01d46b0 D cap_bset
Strip off the leading 'c' (since the kernel segment maps to 0xc0000000 on
x86s) and you get the raw memory address to write to.  On an x86, it's a
32-bit, little-endian integer.  Write 0xffffffff to it to reset all
capability bounds.

To make capability bounding sets at all useful, you have to disable
CAP_SYS_RAWIO, which governs access to /dev/mem.  Be advised that doing so
will break X and any other user-space program that needs raw access to
memory or I/O ports.

More fun with module security...  Even if you compile a kernel with
module loading completely disabled, a clever attacker could still load
custom, module-like code into the kernel using /dev/mem.  It's trickier
than changing cap-bound, but it's still feasible.  I'll leave it as an
exercise for the reader to figure out how.

The morals of this story?  Security is hard.  Disable CAP_SYS_RAWIO, or
don't bother with /proc/sys/kernel/cap-bound at all.

--Patrick
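
A defender's check for the configuration this letter describes, as an added example that is not part of the letter or of LWN's text: it classifies a cap-bound value by whether CAP_SYS_MODULE was dropped while CAP_SYS_RAWIO was left in. The bit numbers come from <linux/capability.h>; the function names, verdict words and sample values are this example's own.

```shell
#!/bin/sh
# Added example: classify a cap-bound value as a 2.2/2.4-era kernel prints it
# (a signed decimal in /proc/sys/kernel/cap-bound).
# Bit numbers are from <linux/capability.h>.
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17

# has_cap VALUE BIT: succeeds if BIT is set in the 32-bit bounding set.
has_cap() {
    mask=$(( $1 & 0xffffffff ))    # fold the signed value to 32 bits
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# audit_cap_bound VALUE: prints one verdict word (names are this example's own):
#   invalid          not a decimal integer
#   modules-allowed  CAP_SYS_MODULE is still in the bounding set
#   bypassable       CAP_SYS_MODULE dropped, CAP_SYS_RAWIO kept: /dev/mem
#                    remains writable, so the bound can be undone
#   enforced         both dropped (expect X and other raw-I/O users to break)
audit_cap_bound() {
    case $1 in
        ''|-|*[!0-9-]*|?*-*) echo invalid; return 0 ;;
    esac
    if has_cap "$1" "$CAP_SYS_MODULE"; then
        echo modules-allowed
    elif has_cap "$1" "$CAP_SYS_RAWIO"; then
        echo bypassable
    else
        echo enforced
    fi
}

# Constructed sample values: the stock default, then the two hardening variants.
for sample in -257 -65793 -196865; do
    printf '%-8s %s\n' "$sample" "$(audit_cap_bound "$sample")"
done

# On a kernel that exposes the file, audit the live value as well.
f=/proc/sys/kernel/cap-bound
if [ -r "$f" ]; then
    printf 'live     %s\n' "$(audit_cap_bound "$(cat "$f")")"
fi
```
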

   
Date: Mon, 26 Jun 2000 15:06:51 +0100 (BST)
To: letters@lwn.net
From: Duncan Simpson <dps@io.stargate.co.uk>
Subject: Commercial licences for GPLed stuff


If I am the copyright holder, as is the case with checkps and word2x
in my case, I can licence under any licence I want. A GPLed copy in
no way restricts me from doing that (which is probably legally difficult
to manage). Similarly the FSF could licence gcc as $10000 per copy to
someone, although it would have to be someone spectacularly stupid.

If Hans can get all the copyright holders to agree there is nothing to
stop them selling their code for vast sums per copy to anybody, and
allowing free use in linux (and anything else GPL-compatible). Provided
you retain the copyright one can sell one's soul and keep it too.

   
Date: Mon, 26 Jun 2000 16:56:13 +0100
From: kevin lyda <kevin@suberic.net>
To: letters@lwn.net
Subject: Welcome to Enterprise Linux


It's nice that the "established publishing" industry has decided to
notice us and all but I hope the following things happen:

    1. People who have been involved with linux for a long time
       remember that companies like SSC (who publish LJ AFAIK)
       have been here for a long time as well.
    2. That not only remember that but that we do so with our
       subscriptions and encouraging new linux people to do the
       same.
    3. That older Linux companies remember how hard it was to get
       started, that established things like publishing had to
       be recreated just to get heard, and that they remember that
       difficulty by being open to publishing magazines (or making
       space in current ones) for other emerging systems (*bsd and
       others).

the "free s/w community" (whatever that is) should remember the people
and the companies they formed that stuck by linux and free software
before it was "profitable."

kevin
-- 
kevin@suberic.net       "we were goin' for breakfast.  in canada.  we
fork()'ed on 37058400    made a deal: if she'd stop hookin', i'd stop
meatspace place: work    shootin' people.  maybe we were aiming high."
                                                   --porter, "payback"

   
Date: Tue, 27 Jun 2000 11:27:35 +0530
From: Anand Srivastava <anand@aplion.stpn.soft.net>
To: letters@lwn.net
Subject: Crusoe: The Ultimate Linux Platform

I was thinking of how a close coupling of Linux and Crusoe could give
Wintel a run for their money on the server front. Till now Transmeta has
concentrated on the mobile computing, because it's very difficult to
optimize a given operating system which you cannot change.

With linux this problem is not there. It was necessary to compete with MS
head on to build credibility and the Mobile computing is the right
place. But now that they have done this, they could divert their energies
to creating a processor for the Server side.

It should be pretty easy for them to provide more than one set of registers
to hold more than one processes' states. This will save some context
switches, and will allow to add more pipelines, which can execute
instructions from all processes.  For servers throughput is more necessary,
due to this some optimizations, like speculative execution of branches can
be dropped in favour of executing from other processes.  Also the Morphing
code may be given its own register area along with dedicated special
purpose pipelines. Also a special register set for the kernel. The
expansion ideas are only limited by the I/O bus speed, and processor
area. Since they have freed up a lot of processor area, they can afford to
add more pipes and registers.

I am waiting for the much improved Crusoe.

-anand

   
From: Mark Christensen <mchristensen@HTEC.com>
To: jja@wallace.lusArs.net, letters@lwn.net
Subject: More on licenses and loopholes
Date: Tue, 27 Jun 2000 11:28:21 -0400

"I think this gentleman misses the point of the BSD license.  The ability
to reuse code in traditional commercial settings is not regarded by BSD
proponents as a 'loophole.'"

On the contrary, I think you miss his point; he was not trying to claim that
code re-use is bad.  In fact, he seemed quite sympathetic to the BSD style
license.  But the question he raises is still valid--Doesn't the GPL make
the "embrace and extend" strategy significantly more difficult to implement?

My take on all of this is that, if you are writing yet another internet chat
client, the fact that your code could be re-used in a Microsoft product is
probably not that troubling.  

On the other hand, if your intent is to create an internet standard, it
seems perfectly reasonable to try to protect that standard from attempts by
proprietary software vendors to co-opt that standard by using the GPL. 

Which, for example is why SGI releases all of their open source code under
the GPL.  It's their way of sharing their work with the community and
keeping their code out of the reach of hardcore proprietary Unix vendors
like Sun.

Mark Christensen
wwwlight@mediaone.net
 

 

 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds