Leading items and editorials

Is the GPL really less business-friendly? As long as there is free software (which will be a very long time), there will be license debates that go with it. Different people have very different goals when they release software, and the licenses they use will attempt to reflect those goals. So we will continue to see different licenses in use. The two most common free software licenses out there are the GNU General Public License (GPL) and the whole set of BSD-like licenses. They differ in a number of respects, but the core difference between the two comes down to one thing:
The BSD license has often been touted as being more friendly to business interests, since it allows companies to create proprietary products from (previously) free code. Few people have questioned that assessment.

It is worth thinking for a moment about why a company releases code. In general, a code release happens because the person or company releasing it wants to see that code find users and be successful. The hope is that free code will attract users, be improved, and generally thrive. Those who released the code then hope to benefit from its greater popularity. The code, along with those who work with it, benefits every time somebody contributes an improvement. If somebody adds to the code and takes the result proprietary, instead, the users of the code as a whole lose. Companies in particular need to fear the possibility of a competitor using their code to produce a value-added, proprietary version. But those who take code proprietary pay a cost too, since their work can not benefit from the free software process.

Suppose your company has made a powerful enhancement to a BSD-licensed program. The choice must now be made: should that enhancement be contributed back under that same license, or should it be kept proprietary? Keeping it proprietary greatly reduces the value of that code, since it can not participate in the free software process. But releasing it risks helping a competitor who will not return the favor. It's a classic example of the prisoner's dilemma - a system where seemingly rational behavior brings about a poor result for everybody involved.

And herein lies the value of the GPL in this situation: it takes away the prisoner's dilemma. A company that releases code under the GPL need not fear what its competitors will do - the risk of competing against proprietary enhancements is gone. As an extreme example, think about what a Microsoft Linux distribution would look like, and compare it to what MS-BSD could be.
There will never be a single license that works in every situation, and neither license can be said to be superior to the other. They are both free software licenses. But the GPL may well win out in the hard calculations that go into farsighted business decisions.

Review: The Book of Linux Music & Sound. In a long-overdue update to our Book Reviews page, we present this review of The Book of Linux Music & Sound. The book is written by Dave Phillips, and is the first in the Linux Journal Press imprint published by No Starch Press. It goes a long way toward filling in the void in Linux audio documentation, and provides a wonderful catalog of the wealth of audio software available for Linux. Beginning audio users, however, will find that it is relatively short on entry-level information.

The fun patent of the week, as pointed out at the Embedded Systems Conference: Hewlett-Packard has a patent on embedded web servers. This patent, which was filed in October, 1996, covers the idea of having a device interoperate through the use of a standard, public protocol. HP, thus far, has made no move to enforce this patent.

The Red Hat Network launches. At the same time that it announced a new major release of its distribution (covered on this week's Distributions page), Red Hat announced the launch of the "Red Hat Network." This offering is the latest in a series of attempts by Red Hat to shift its revenue model in the direction of services. As such, it's an indicator of where the distributors are likely to go in the future with regard to supporting their products. So what does the Red Hat Network offer? At the current time, customers get:
Looking at the offering, a number of interesting questions come up. With regard to the package update service, there appears to be little there that is new. Any Debian user will laugh at the idea of automated updates being an innovative service. But the real question might be: is it going to get harder to get package information and updates out of Red Hat without giving them a credit card number? Red Hat responds quickly to problems, but its "redhat-watch" list tends to deliver alerts days late, and Red Hat's free FTP servers are hard to get into in the best of times. As Red Hat tries to push customers into the Network offering, that situation is unlikely to improve.

The system tracking feature means that Red Hat maintains an online database of the configuration of all its customers' systems. One can only hope that both their privacy policy and security practices are robust. A database of systems, their configurations, and their current security vulnerabilities is going to be a tempting target. Nonetheless, the Network service is likely to be of interest to a number of customers. It will be interesting to see the extent to which Linux users go for this sort of offering - it will tell a lot about how likely the service-oriented Linux offerings of the future are to succeed.

The open source panel debate at ESC. LWN's Forrest Cook was at the Embedded Systems Conference panel entitled "The Open Source Movement: Boon or Bane for Embedded Developers?" Quite a bit of interesting conversation took place between proponents of open source and proprietary solutions to embedded systems problems. Have a look at LWN's report for a summary of how the event went.

Inside this week's Linux Weekly News:
September 28, 2000
News and Editorials

Buzz on Intel's CDSA software. Intel introduced an open source software implementation which they're calling CDSA - Common Data Security Architecture. CDSA, developed by Intel's Architecture Lab, is a specification for the creation of interoperable, security-enabled, e-Business applications. CDSA allows applications to gain access to security services like encryption, biometrics, and the management of digital certificates and authorization credentials. In a related announcement, Caldera and Bull announced their support of this new software. So what is this thing? According to Intel's Developers website:

CDSA is a security middleware specification and reference implementation that is open source, cross-platform, interoperable, extensible, and freely exportable**. The Open Group (TOG) has adopted CDSA as an Open Group Technical Standard that successfully completed TOG formal consensus process for member acceptance and approval. CDSA is a set of layered security services that is enabling a new generation of interoperable e-Business solutions for the Internet.

"Exportable" except to those countries which the US currently has embargoes against. Anyway, CDSA is essentially an API from which developers, especially Web-based developers, can make use of existing security technologies such as the Public Key Encryption Standard (PKCS). While a useful addition to the toolsets available to programmers for making use of secure processing across network connections, it's not a panacea for security. It won't, for example, deal with the all too common issues of format string bugs and buffer overflows. Those are unrelated types of vulnerabilities: format string bugs are problems in how an API is used, while CDSA is just an API for accessing services which provide secure transactions. Since Intel has open-sourced CDSA we may be hearing more about this in the near future.

Open source carnivore.
ZDNet took a look this week at Network ICE's Altivore, an open source snooping package meant to be a replacement for the FBI's Carnivore. "The program currently only consists of source code and may be buggy, the company said on its Web site. However, Robert Graham, chief technology officer for the San Mateo, Calif., company, believes that the open-source community will quickly get the code ship-shape, as well as add new features to it." Without irony, the article concludes with: "So far, the open-source community has largely remained silent on the source code." LinuxNewbie also carried a brief discussion on the same subject.

Red Hat GLINT symlink vulnerability. glint, Red Hat's original graphical configuration tool, blindly follows a symlink in /tmp, overwriting the target file, so it can conceivably be used to destroy any file on the system. The problem affects Red Hat 5.2 only since glint doesn't work with RPM 3.0 or later. On systems with RPM 3.0 or later, just remove the package to eliminate the problem. Note that glint is not delivered with most non-Red Hat derived distributions of Linux. For example, SuSE would not be affected by this problem. SuSE does note that: ...the "xglint" package that is on newer SuSE distributions is an accelerated X-server for GLINT/PERMEDIA/PERMEDIA-2 based graphics cards and has nothing to do with the glint package mentioned in the RedHat Security advisory. In other words, don't confuse "xglint" with "glint". They aren't related.

Selective rejection in sendmail. It seems even BugTraq is getting dangerous, security-wise. A recent message talked of seeing a Windows DLL file included in another message. Discussion on how to prevent such attachments led to a discussion on using libmilter, a program to selectively filter out mail with certain attachments.
This was followed up by discussions of other tools and methods for taking the bite out of MIME-based email attacks. Another tool was mentioned in this thread as well: MimeDefang, an e-mail filter program which works with Sendmail 8.10 or 8.11. More information about securing email from such attacks can be found online.

Privacy Foundation on :CueCat. The Privacy Foundation has issued its opinion on Digital:Convergence and their :CueCat handheld bar code reader. The primary concern is whether Digital:Convergence intends to track individual users using the information the :CueCat returns to the company. "... the :CueCat software attaches a unique user ID to each scanned bar code. This unique ID number, along with the bar code, is then sent back to Digital:Convergence Corp. computer servers. This feature could potentially allow the company to track the :CueCat scans of every consumer who registers for the service."
Conflicting reports on SDMI participation. The music industry's effort to find copy protection options for digital recordings - known as SDMI and which was covered last week by LWN - may or may not be getting serious attention from the hacker community, depending on who you talk to. News.com reports that hackers are snubbing the SDMI's 'hacking contest'. "But Linux Journal's Marti said that many expert hackers, including hacking superstars who cracked the encryption codes on DVDs, had agreed not to participate in the SDMI's challenge."

However, a followup article in ZDNet claims "A threatened Linux community boycott doesn't seem to be putting a chill on a hacking challenge sponsored by the music industry." Interestingly enough, Linux Journal's Don Marti is quoted in both articles, with a hardened stance in the first and a softer one in the latter after a talk with SDMI's executive director Leonardo Chiariglione. The Economist also reported on the "crack SDMI" challenge. "Writing in the Linux Journal, one programmer, Don Marti, called upon his fellows to boycott the contest rather than do SDMI's dirty work for it by offering what is, in effect, free consulting. And many hackers, including Eric Raymond, the guru of open-source software, object to helping this particular enemy on the grounds that if SDMI succeeds, it will prevent legitimate 'fair use' copying of music as well as preventing piracy."
Linux security quick reference card. Dave Wreski announced the Linux Security Quick Reference Card from LinuxSecurity.com. The cards are currently in PDF and Postscript formats and are now part of the Linux Documentation Project.

Caldera security update to LPRng. Chris Evans reported to BugTraq on a format string bug in LPRng that almost certainly exposes a system to remote-root access. The first posted update related to this problem came from Caldera, who issued this security update to the LPRng print system which fixes the problem. Because of the remote exploit possibility with this problem you can expect to see updates from most major distributions in the coming week. Updating LPRng with these updates, when available, is highly recommended. Chris later posted a simple test he ran to find this vulnerability, something many people may find useful in doing their own search for similar format string problems.

eSound /tmp file vulnerability. Linux-Mandrake was the first distribution to post a security advisory and updated packages to BugTraq for esound that address that package's use of domain sockets in the /tmp directory. Versions of esound prior to and including 0.2.19 create a world-writable directory in /tmp called .esd which is owned by the user running esound. This directory is used to store a unix domain socket. The socket is also created world-writable, so a race condition exists in the creation of this socket which allows a local attacker to cause an arbitrary file or directory owned by the user running esound to become world-writable.
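Both the glint symlink problem above and the esound socket race come down to trusting whatever is already sitting in a world-writable /tmp. The following C is an added example, not code from glint, esound or any distribution's fix, showing the two checks a defender wants such a program to make: create the private directory and confirm with lstat() that it really is our own mode-0700 directory rather than something planted there, and create files with O_CREAT|O_EXCL (plus O_NOFOLLOW) so that a planted symlink cannot redirect the write. The demo function uses a mkdtemp() directory as a stand-in for /tmp; every path under it is constructed for the example.

```c
#define _GNU_SOURCE          /* for mkdtemp(), lstat(), symlink(), O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0         /* older systems: O_EXCL alone still refuses an existing symlink */
#endif

/*
 * Create a per-user private directory (the role .esd plays for esound) and
 * verify that what now sits at `path` is really ours: a directory, not a
 * symlink, owned by the calling user, with no group/other permission bits.
 * Returns 0 if the directory is safe to use, -1 otherwise.
 */
int make_private_dir(const char *path)
{
    struct stat st;

    /* mkdir() does not follow a symlink at the final component; if something
       is already there we fall through to the checks below. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* lstat(), not stat(): a planted symlink must be seen as a symlink. */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))          /* symlink, socket or file planted by someone else */
        return -1;
    if (st.st_uid != getuid())         /* directory belongs to another user */
        return -1;
    if ((st.st_mode & 077) != 0)       /* group- or world-accessible, like esound <= 0.2.19 */
        return -1;
    return 0;
}

/*
 * Create a brand-new file without following a symlink (the glint defect).
 * O_EXCL makes open() fail if anything, symlink included, already exists at
 * `path`; O_NOFOLLOW is a second line of defence. Returns 0 on success.
 */
int create_file_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/*
 * Walk-through under a fresh mkdtemp() directory standing in for /tmp.
 * Returns 0 when every step behaves as expected, otherwise the failing step.
 */
int demo_tmp_handling(void)
{
    char base[] = "/tmp/lwn-tmp-demo-XXXXXX";   /* constructed scratch location */
    char priv[256], planted[256], file[256];
    int rc = 0;

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(priv, sizeof priv, "%s/.esd", base);
    snprintf(planted, sizeof planted, "%s/.esd-planted", base);
    snprintf(file, sizeof file, "%s/socket", priv);

    if (make_private_dir(priv) != 0)             rc = 2;  /* fresh directory is accepted */
    else if (make_private_dir(priv) != 0)        rc = 3;  /* our existing directory is accepted */
    else if (symlink("/etc", planted) != 0)      rc = 4;  /* simulate a symlink planted by another user */
    else if (make_private_dir(planted) == 0)     rc = 5;  /* must be refused */
    else if (create_file_nofollow(planted) == 0) rc = 6;  /* must not write through into /etc */
    else if (create_file_nofollow(file) != 0)    rc = 7;  /* normal creation works */
    else if (create_file_nofollow(file) == 0)    rc = 8;  /* O_EXCL: a second create fails */

    unlink(file);
    unlink(planted);
    rmdir(priv);
    rmdir(base);
    return rc;
}

int main(void)
{
    int rc = demo_tmp_handling();
    printf("tmp handling demo: %s (step %d)\n", rc == 0 ? "all checks behaved" : "FAILED", rc);
    return rc;
}
```

The lstat() check still leaves a window between mkdir() and lstat(); code that must be fully race-free opens the directory, fstat()s the descriptor it holds, and creates the socket relative to that descriptor. It should also set its umask before binding the socket, since the socket being world-writable is the esound defect the advisory describes.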
Security Reports

SuSE 6.4 httpd configuration. An apparent configuration problem may exist with the httpd.conf file as provided in SuSE 6.4 distributions. The configuration allows visitors to a site to peruse the packages installed by viewing the /usr/doc/packages directory. The fix is simple enough - apply directory specific deny rules for the /usr/doc/packages directory. SuSE, monitoring the BugTraq announcement, was quick to provide a modified configuration to address this issue. Alternative configurations were offered to BugTraq. The key is to determine a policy for who should be allowed access to those directories and implement the policy with the appropriate Apache Location rules.
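The deny rule described above, written out as an added example (this is not SuSE's shipped httpd.conf, nor the corrected configuration SuSE posted): it assumes an Apache 1.3-era server in which /doc/ is aliased onto /usr/doc/, and a policy that only the server itself and one administrative subnet (192.0.2.0/24, a documentation range used here as a placeholder) may see the package list.

```apache
# Added example, not SuSE's configuration. Assumption: the package
# documentation is served from /usr/doc through an alias like this one.
Alias /doc/ /usr/doc/

# Policy: the list of installed packages is for administrators only.
<Directory /usr/doc/packages>
    # no auto-generated directory listings, even for the hosts allowed in
    Options -Indexes
    Order deny,allow
    Deny from all
    # 127.0.0.1 is the server itself; 192.0.2.0/24 stands in for the admin LAN
    Allow from 127.0.0.1 192.0.2.0/24
</Directory>
```

A `<Location /doc/packages>` block carrying the same Order/Deny/Allow directives expresses the policy by URL rather than by filesystem path, which is the right choice when the directory is reachable under more than one alias. After the edit, run `apachectl configtest`, restart, and confirm from a host outside the allowed set that /doc/packages/ now returns 403 rather than a listing.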
Commercial products.
DoS possible with nmap in OpenBSD. A vulnerability in nmap on OpenBSD was reported to BugTraq this past week that involves the protocol scanning option (-sO). Empty AH/ESP packets sent to OpenBSD 2.7 can put it into debug mode, followed by a kernel panic. The problem appears to only be related to OpenBSD, as both Linux and FreeBSD were specifically found to not be vulnerable. 09/28 Correction: The problem here is with OpenBSD's handling of these packets, not with nmap itself.

Updates

Update to Cisco PIX issue. Ioannis Migadakis posted to BugTraq that the recently reported SMTP content filtering problem in Cisco PIX Firewalls was not a new issue. It has been posted to BUGTRAQ on 9 Jul 2000 by Lincoln Yeoh with a title "Out of order SMTP DATA commands incorrectly allow pass-through mode in some firewall smtp filters/proxies". Meanwhile, as suggested in last week's Security Reports, Cisco has come out with fixes for this problem.

Update to IMP vulnerability. Conectiva posted a fix for the previously reported format string vulnerabilities in IMP/Horde. Previous updates:
Update to xpdf race condition exploit. Linux Mandrake posted an addendum to its previous update for this problem. This version resolves an incorrect dependency in the t1lib package from previous updates to the 6.x and 7.0 releases of Linux Mandrake. Other previous updates for this problem:
Security updates to sysklogd. Yellow Dog has wandered in with a security update to sysklogd, fixing the format string vulnerability in that package. MandrakeSoft has issued a new security update to sysklogd which supersedes the original, September 18 update. This version includes an additional fix that is worth having. SuSE noted that ftp server problems caused older versions of syslogd packages to be provided instead of the recently released patched versions. Previous updates for this problem (all from last week):

Resources

Updated security tools. Here are some Open Source security tools which were announced, released, or for which minor updates have been made available in the past week:
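The LPRng bug above and this sysklogd update are the same class of defect, so one added example serves both (it is not code from LPRng or sysklogd, and it is not Chris Evans's posted test, which LWN does not reproduce): the unsafe call shape in a comment, the safe call beside it, and a small directive counter of the kind that is handy when auditing log files or captured input for format-string probes. The sample input is constructed. gcc's -Wformat -Wformat-security options flag the unsafe shape at compile time.

```c
#include <stdio.h>
#include <string.h>

/*
 * The bug class behind the LPRng and sysklogd advisories: data that came in
 * from the network is handed to a printf-style function AS THE FORMAT:
 *
 *     syslog(LOG_INFO, msg);            <- msg is attacker controlled
 *     snprintf(buf, sizeof buf, msg);   <- same problem
 *
 * Every %-directive in msg is then interpreted by the formatter instead of
 * being logged as text. The fix is always the same shape: the format is a
 * string literal and the untrusted data is passed as an argument.
 * Compile with -Wformat -Wformat-security to have gcc flag the unsafe form.
 */

/* Safe form: "%s" consumes the untrusted data verbatim, directives and all.
   A static buffer keeps the example self-contained (not thread-safe). */
const char *log_safe(const char *untrusted)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "request from client: %s", untrusted);
    return buf;
}

/*
 * Auditing aid: count printf conversion directives in a string. A burst of
 * %x or %n inside a hostname, job name or log line is not normal input and is
 * worth a look. "%%" is a literal percent sign and is not counted.
 */
int count_directives(const char *s)
{
    static const char flags[] = "-+ #0123456789.$*hlLqjzt";  /* flags, width, precision, length */
    static const char conv[]  = "diouxXeEfFgGaAcspn";         /* conversion characters */
    int n = 0;
    const char *p = s;
    const char *q;

    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') {        /* escaped percent: skip both characters */
            p += 2;
            continue;
        }
        q = p + 1;
        while (*q != '\0' && strchr(flags, *q) != NULL)
            q++;                  /* step over modifiers such as 08l in %08lx */
        if (*q != '\0' && strchr(conv, *q) != NULL)
            n++;                  /* a real conversion follows the percent */
        p++;
    }
    return n;
}

int main(void)
{
    const char *hostile = "%x%x%x%n";   /* constructed sample, not a real capture */
    printf("%s\n", log_safe(hostile));
    printf("directives in sample: %d\n", count_directives(hostile));
    printf("directives in \"100%% done\": %d\n", count_directives("100%% done"));
    return 0;
}
```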
Resource announcements. Here are some other announcements related to Linux security that were made this past week.
Events

Upcoming security events and announcements.
Section Editor: Liz Coolbaugh
Kernel development

The current development kernel release is still 2.4.0-test8. The 2.4.0-test9 prepatch series is up to 2.4.0-test9-pre7. This patch is said to fix the sound problems that have afflicted recent -test9 prepatches, but some complaints on the subject are still being posted.

The current stable kernel release is 2.2.17. The 2.2.18 prepatch series is currently at 2.2.18pre11. A great many fixes and updates are still going into this series; recently these include a bunch of USB updates and a native Yamaha YMF7xx sound driver ("a result of high-speed collision between ymfpci.c of ALSA and cs46xx.c of Linux.").

So where do the prepatches live, anyway? Every now and then somebody drops us a note asking that question. It makes sense - the announcements for prepatches only rarely say where you actually have to go to pick them up. The answer is:
Your closest kernel.org mirror, of course, will be found at ftp.*.kernel.org, where the * is replaced with your country code. So folks in the U.S. should go to ftp.us.kernel.org, for example.

Bear in mind, of course, that prepatches are exactly that. They are out there for a first round of testing, and have the potential to crash your system, corrupt your files, fry your monitor, drink all your beer, or make you believe that LinuxOne is for real this time. Use with caution.

As an example of what can happen with prepatches, consider the case of the new memory management code. Rik van Riel has been working for some time on an improved memory management scheme; Linus integrated the results of his work in 2.4.0-test9-pre2. It seems that there were still a few glitches needing to be worked out; quite a few people started reporting system deadlocks. Some of these problems have proved hard to fix. Low-level deadlocks can be one of the hardest sorts of problems to track down. It also didn't help that Rik van Riel headed off to attend the Linux Kongress in Germany. Things got to the point where Linus threatened to back out the VM patches if the problems didn't get fixed soon. Progress is being made on that front, and others are counseling patience. The memory update really does seem to make things work much better for a number of people. Removal of these changes would create some discontent.

Meanwhile, Andrea Arcangeli has stated his intent to revive his "classzone" patch as the Real Solution to the VM situation. Classzone got put on hold after the Ottawa Linux Symposium as it was decided to concentrate on Rik's approach; evidently Andrea has changed his mind. It will be interesting to see what sort of results Andrea gets, but the chances of including a completely new, more complex VM solution at this point in the 2.4 process seem pretty small.

Linux on the AlphaServer GS320. Here's the fun boot log of the week.
Some folks at Compaq got Linux to boot and run on a 31-processor, 256GB AlphaServer GS320 system. It reports a total of 46,170 BogoMIPS. As they say, "things like kernel builds run really fast."

One more look at kernel patch management. Last week's kernel page asked "why not BitKeeper?" in response to the proposed new patch management system. A few tidbits that have wandered in since that article went up:
Those interested in how BitKeeper can be used to track changes in the kernel may want to have a look at the kernel repository browser on the BitMover site. Other patches and updates released this week include:
Section Editor: Jonathan Corbet
Distributions

Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Red Hat 7 is out. Red Hat has announced Red Hat 7 - the latest major release of its flagship operating system. A few things have changed with this release - starting with the missing ".0". Evidently somebody in marketing has decided that it looks better that way. The distribution has also grown. Red Hat has been a one-CD installation since the beginning; this time around there are not only two software disks, but the documentation has been booted off onto a disk of its own as well.

So what's new in this release? There are a lot of updated packages, including the 2.2.16 kernel (presumably with some patches) and XFree86 4. MySQL has been thrown in, as have utilities for digital cameras and the latest development compilers. Perhaps most significant for many will be the addition of OpenSSH - a utility that was often the very first add-on for many administrators. Red Hat also claims that the default install is more secure, which is certainly an overdue step. Strangely, you have to buy one of the more expensive versions if you want StarOffice in the box.

In case you're worried about being able to buy a system with Red Hat 7 installed: we have already seen announcements from VA Linux Systems, Penguin Computing, and Dell that they will be installing the new distribution. That these companies had to rush out releases expressing their support shows the degree of importance that the Red Hat distribution has attained. Not too many other distributors get that sort of response to their releases.

A project to create a multimedia-oriented distribution is starting up. The force behind this effort is Curtis Lee Fulton, the author of an upcoming book on Linux video editing, and the producer of a video documentary about Linux.
According to his announcement, the new distribution is intended to serve as the standard desktop for people using multimedia applications. It will be based on Debian, but will have the vast bulk of the packages hacked out of it. They will be replaced with a large collection of multimedia tools, the ALSA sound drivers, low-latency patches, etc. The hope is to end up with a CD image of 100MB or less. This project is in an early stage, and Mr. Fulton is looking for people who are interested in helping out.

The project highlights what is still a strangely unpopulated territory. A tremendous number of distributions exist, but very few of them address domain-specific tasks. Where is the scientific distribution, the packet radio distribution, or the AI hacker's distribution? In each case, a specialized distribution could provide a depth of tools and domain-specific configuration that the general purpose distributions would be hard put to match. There may well be more activity in this area in the future.

Distribution Reviews

The beginnings of a distro NHF (LinuxNewbie.org). LinuxNewbie.org has put up a help file comparing several distributions. "Just for the record, the distro you should buy is the one that comes with the big fat book you are gonna go out and buy. As far as book recommendations, I recommend Slackware Linux Unleashed (isbn# 0672317680) or Redhat Linux Unleashed (isbn# 0672319853), both from Sams."

Tom's Root Boot reviewed in NTK. NTK.net has put up a brief review of the tomsrtbt distribution. "Oh sure, you've got your fancier picoLinuxen and your Linux Router Project derivatives elsewhere, but only Tom's distribution manages to combine a 2.0.37 kernel, network card mods, pcmcia, ftp/wget'ish downloader, and more rescue utils than you really want to think about right now." There's also coverage of Demon's decision not to shut down a customer site carrying the DeCSS code.

Debian GNU/Linux 2.2 (DukeOfUrl). The DukeOfUrl reviews Debian 2.2. "Unless you were lucky enough to grab a copy at Linux World, Debian 2.2 will cost you at least two CDs and the download time. Of course, you can probably purchase a copy, but who wants to do that, these days?"

New Distributions

Timpanogas announces Ute-Linux and Ute-Cluster-Linux. The Timpanogas Research Group has announced Ute-Linux and Ute-Cluster-Linux. Both are based on TRG's NetWare file system; the cluster version, of course, adds clustering capabilities. Availability is October 1 for Ute-Linux, and October 15 for the cluster variant. What little information is currently available on these distributions can be found on the TRG web site. UTE-Linux is an RPM-based distribution assembled, according to CEO Jeff Merkey, from packages taken from both Red Hat's and Caldera's distributions. It's sold on a per-server basis; that's because one of the important components (the M2FS clustered NetWare filesystem) is proprietary to Timpanogas. The bet Timpanogas is making, essentially, is that there is a market in companies that are trying to move to Linux while not disrupting their large, NetWare-based networks. UTE-Linux is part of their plan to service that market.

Accelent Systems introduces acceLinux. Here's today's new distribution: Accelent Systems has announced the availability of "acceLinux," an embedded distribution oriented toward the StrongARM platform.

General-Purpose Distributions

Debian dropping support for 2.1. Here's a message from the Debian Project confirming the phaseout of support for the 2.1 distribution. They have decided to extend that support through the end of October for the i386 and m68k architectures, for security patches only. All the rest goes away as of September 30.

Debian Weekly News. The September 26 Debian Weekly News is out. It covers a set of problems in the "unstable" distribution that make it earn its name, Debian support of IPv6 and capabilities, and more.
SuSE cryptographic packages available. SuSE has announced the availability of a set of cryptographic packages for the 7.0 release. These packages were omitted from the U.S. version of the distribution for the usual crypto law problems. If you want them, grab them now; they will be removed from the FTP site in a few weeks' time.

Have you seen your Caldera Linux Technology Preview rebate? Evidently, not too many others have either. The word from those who have done Caldera's rebate deals in the past is to be patient - it can take up to three months to get the promised money back. In this case, the first of the LTP rebates are just beginning to trickle in.
Caldera's OpenLinux eDesktop 2.4 Traditional Chinese Edition a top seller in Taiwan. Caldera Systems has put out this press release proclaiming its top-three position in a survey of retail software sales for August in Taiwan.

Where are the LinuxPPC security updates? Some LinuxPPC users have begun to ask about the lack of security updates for LinuxPPC. After all, LinuxPPC's security updates page says that there are currently "no known issues" with the distribution. Readers of the LWN Security Page know that quite a few security incidents have gone by recently. Are the LinuxPPC folks really so good that they managed not to be hit by those problems? LWN asked that question of LinuxPPC's Jason Haas, who responded "We RULE!" The truth of the matter, though, is that Jason's automobile accident set the company back in a serious way; it also has not helped that the person in charge of security updates left to pursue other opportunities. Jason is now back on the job and doing better every day, and the various customer service problems noticed by LinuxPPC users are being dealt with. Security is on their list, and will be addressed shortly. See this page on the LinuxPPC web site for an explanation of the situation. Meanwhile if there is anybody who is interested in coordinating LinuxPPC security updates on a volunteer basis, they are encouraged to contact the company.

NTT selects TurboLinux. TurboLinux has announced that NTT Communications, said to be the world's largest telecom firm, has chosen TurboLinux for its information service systems platform.

TurboLinux Powers Fujisoft ABC's payroll system. In another in its series of success story releases, TurboLinux has announced that Fujisoft ABC Inc. will be running its payroll system on TurboLinux.

Embedded Distributions

Embedix 3.0 is out. Lineo announced the release of Embedix 3.0 at the Embedded Systems Conference.
It sticks with the current trend of providing hard real-time performance - they guarantee 30 microsecond response times. The announcement does not say so, but one assumes that the RTAI real-time extensions are being used to provide this level of response. This version of Embedix also includes enhanced debugging capability, and bundles the Linux Trace Toolkit as well.

Section Editor: Liz Coolbaugh
Development projects

News and Editorials

Development projects get organized. Recent changes in how a couple of free software projects handle their development processes are interesting to look at. While they resemble each other greatly in some ways, they also have some important differences.
Browsers

A revised Mozilla roadmap has been posted. Among other things, a new version numbering scheme has been devised; after the M18 milestone release will come Mozilla 0.9, and things will go up from there.

Education

SEUL/edu Linux in Education Report. The SEUL/edu Linux in Education Report for September 25 is out. It looks at the new kmLinux distribution and several other topics.

High Availability

Piranha 4.17-2 is out. Red Hat has released version 4.17-12 of the Piranha clustering system. It fixes a number of problems; users of Piranha should probably upgrade. Of course, you'll need to look at the followup posting to find out where the upgrade is...

Interoperability

The Wine Weekly News for September 26, 2000 is available. It looks like a slow week in the Wine world, but there is a move afoot to beef up the documentation as part of the 1.0 release effort.

Network Management

OpenNMS Update. The OpenNMS Update for September 27 is out. It describes the team's meeting with IBM cyberevangelist Doug Tidwell, and a number of other development topics.

On the Desktop

Not paying the piper. Piper is "a system for managing multi-protocol connections between Internet-distributed objects." It's based on a number of GNOME components (Loci, GMS, and Overflow), and is seen as an open source answer to Microsoft's ".NET". The project is in its early stages, but has gotten far enough to have a screenshot up. They are, of course, looking for people who want to help. For more information, see the Piper web page and this GNOME News writeup.
KDE 2.0 release schedule. An updated KDE 2.0 release schedule has been posted. It calls for a final freezing of the code on October 2, with only the most urgent of fixes allowed. The actual release is set to happen on October 16.

People behind KDE: Stephan Kulow. The "People Behind KDE" series continues with this interview with Stephan Kulow. "I guess, I'm one of the most central persons within KDE development. It's hard to develop for KDE and haven't heard of me. It's not that I'm that great, but that I give away CVS accounts, 'moderate' the kde-core-devel mailing list (I decide, who posts and who doesn't), I maintain all the stuff around building KDE."

Kugar 1.0 is out. The release of Kugar 1.0, a business report generator and viewer, has been announced. It relies on some other application to actually generate the data; once it's there, it applies a template to present the data in proper pointy-haired fashion. It's implemented as a KPart, and can thus be easily used within other KDE applications.
New KDE news site. Navindra Umanee, who wrote the KDE updates that appeared in LWN (and elsewhere) a while back, has resurfaced with KDE Dot News, a news site covering happenings in the KDE community. Section Editor: Forrest Cook |
September 28, 2000
Programming Languages

Java

Tritonus 0.3.0 is out. Tritonus is a free implementation of the Java sound API. This release is considered to be a developer's release, with the intent of stabilizing things before the 0.4.x series. It includes a number of new features, with more on the way; see the announcement for more.

Perl

Perl.com talks with Dr. Ilya Zakharevich. Recommended reading: this interview with Dr. Ilya Zakharevich which appears on the Perl.com web site. On the Perl 6 effort: "Currently, I have only one sentiment about this effort: It should be terminated ASAP. There are many problems with Perl, but I would consider a ground-up rewrite as the last alternative for fixing these problems. The only aspect in which a ground-up rewrite would help is PR. While PR is important, I would think that there should be less wasteful ways to improve PR than locking the resources into a possible vaporware for 2 to 3 years."

Inlining other languages into Perl code. Looking for a way to make your Perl code more interesting? Or perhaps just faster? The Inline module (now at release 0.26) allows you to embed code from other languages in the middle of a Perl program. Currently the only supported "other language" is C; using C not only allows writing fast code, but that code gets full access to the internals of the Perl system. The potential for fun and adventure is obvious. The real fun, though, will come when other languages are added. Inline assembly is obviously called for, and inline BASIC should sit well with the Perl crowd. But how could anybody resist the temptation of mixing in Lisp code? Maybe the ActiveState folks would like to do inline Visual Basic as well? The Obfuscated Perl Contest will never be the same.

Report from YAPC::Europe. Thanks to Charlie Stross, we have a summary report from YAPC::Europe (YAPC being, of course, "Yet Another Perl Conference"), which was held in London last week. It looks like it was far too much fun...

Python

Python 2.0b2 is out. This is, with luck, the last beta release before 2.0 goes live. The What's new in Python 2.0b2 page gives a list of what's in this release - it's mostly a long list of bug fixes. According to the Python 2.0 release schedule (otherwise known as PEP 200), the final release should happen around October 10.

Distutils 0.9.3 released. Distutils is a Python package intended to make the packaging and installation of modules easier and more standard. It's already part of the 2.0 beta release; if you're running an older Python system, however, you may need to install distutils separately to be able to install and use some modules. See the announcement for details.

This week's Python-URL. Here is Dr. Dobb's Python-URL for September 25 with the latest Python news. Among other things, you can get an answer to the important question of just what "lambda" is good for.

Tcl/tk

This week's Tcl-URL. Here is Dr. Dobb's Tcl-URL for September 25, with a roundup of what happened in the Tcl/Tk development world over the last week.

Section Editor: Forrest Cook
Linux and Business

A busy week for Red Hat. Of course there was the release of Red Hat Linux 7, covered in this week's distributions page. Akopia Interchange will be included with the Deluxe edition and a trial version of Computer Associates' ARCserveIT will ship with the Professional Edition. Red Hat also announced the "Red Hat Network" subscription service at about the same time. The "Red Hat Network" is an Internet-based service which allows Red Hat to provide support and service via the Internet. The company also announced that the service works for embedded customers. Other companies announcing support for Red Hat Linux 7 and Red Hat Network include Computer Associates, IBM Corporation, Lotus, Novell and Tivoli.

Red Hat has put out another set of announcements. It seems that Samsung has awarded them a "million dollar contract" to port the GNUpro tools to Samsung's processors. Red Hat has also announced its "RedBoot" embedded debugging/bootstrap tool, along with the EL/IX "Level I compatibility layer" for eCos. Red Hat also announced a couple of partnerships: this one with Interactive Objects to develop a new digital audio device, which will be based on Red Hat's eCos, and this one with Jabber.com, which purports to "make it easy for developers of embedded Linux applications to add real-time messaging and XML routing to their applications."

A busy week for Lineo. Lineo has sent out an announcement for uClinux 2.4, based on the 2.4 pre-release kernel series. uClinux is a version of the kernel tweaked to work on systems that lack a memory management unit. The company has run embedded Linux on a custom FPGA core. Open source cores are already available, including the ESA LEON processor. By utilizing FPGAs, it is now possible to fully simulate both the hardware and software prior to production. There are new partnerships with Dia Semicon Systems and Kanematsu Semiconductor Corporation, both of Japan. Lineo hopes to advance the presence of Linux-based solutions in equipment including cell phones, set top boxes, and global positioning. They announced a deal with ACCESS Co to provide the NetFront embedded browser for Embedix. Metrowerks, a subsidiary of Motorola, has announced its intent to invest $22.5 million in Lineo. That money will buy 3 million shares of the company. Finally, there is a partnership with Samsung in Korea. "'We intend to leverage Lineo's technical expertise and its dedicated focus on embedded systems technology to push the frontiers of embedded device innovation', said Young Won Park, executive director of planning, Samsung Electronics."

LinuxOne is back. A company called International Mercantile Corp., which does business as Micromatix.net, has announced its intention to merge with LinuxOne and adopt LinuxOne's name. However, they are getting the announcement out early, given that "the parties have not settled upon terms of the merger." LinuxOne, it seems, is a "developer of embedded Linux thin client systems" these days. In a separate announcement Micromatix.net, LinuxOne and Concierge Inc. unveiled plans to develop a file server targeted to the B2B server market. Concierge announced a joint venture agreement with LinuxOne "to coordinate the companies' efforts in several strategic markets." That's about as specific as it gets, however. Also, Patrick Flaherty, executive vice president of Concierge Inc., will join the board of directors of LinuxOne. See last week's "this week in history" column for some more background on LinuxOne.

BSDi to deliver packaged BSD system. BSDi has announced its intent to distribute the new "BSD Desktop Edition," which will be available at large retailers throughout the U.S. It's based on FreeBSD 4.1, and will cost $130. Availability is in October. BSDi is not limiting itself to software, however; the company has also announced a new 1U rackmount server product (the "iXtreme") which can be had with either BSD or Linux.

Software bundled with hardware. LinuxBoxen.com has put out a press release plugging its new e-commerce site. Their angle is that with just about any piece of hardware you buy you also get a custom CD with Linux driver software for that hardware and "popular Linux software titles related to the product."

Timpanogas to demonstrate M2FS on Linux at Networld+Interop. The Timpanogas Research Group has announced that it will be demonstrating its "M-Squared Clustered NetWare File System" product at the Networld + Interop conference.

NuSphere ships MySQL distribution. NuSphere has announced the availability of "NuSphere MySQL," a boxed product with the MySQL database, along with Apache, PHP, and Perl. It bills it as "the first packaged software product for the open source database market." Price is $79.

Trolltech, Opera, and PalmPalm team up in Asian wireless market. Opera Software, PalmPalm Technology Inc., and Trolltech announced the formation of a strategic alliance for the Asian wireless Linux market. The three companies will jointly develop the "Linux Total Solution for Wireless Internet Appliance" using Opera's "Opera for Linux" Web browser and Trolltech's "Qt/Embedded", integrated with PalmPalm's "Tynux", a Linux distribution optimized for the wireless Internet. Trolltech also announced a partnership with the Korean firm MiziResearch. Mizi will help Trolltech with its Asian marketing, and will include Qt/Embedded with its "LINUETTE Linux" embedded distribution.

Sun releases Grid Engine 5.2. Sun has announced the open source release of its "Grid Engine" product - a loose clustering package oriented toward making use of idle desktop systems. It currently only runs on Solaris. It's also currently binary-only, despite the "open source" claims - the source will become available in December under "an industry-accepted open source license." More information is available on Sun's Grid Engine page.

Sun announces plans to establish accessibility lab. Sun has announced that it plans to build a laboratory aimed at developing technology for people with disabilities. They plan to use GNOME as the base of their efforts.
Section Editor: Rebecca Sobol.
Linux in the News

Recommended Reading

License to be good (Salon). Salon looks at free software licenses. "Yes, open-source licenses are boring, complicated, obtuse and multiplying in number faster than porn spam. But they are also the heart of the flourishing open-source software scene. The way they are used, or more to the point, the way they are not abused, is worth paying close attention to. Particularly if you are part of an industry like, say, the music business, where there currently seems to be a wee problem of copyright violation."

LinuxMonth Issue Three available. LinuxMonth has returned from its vacation with its third issue. This issue contains articles on ssh, configuring X, an introduction to perl, the Open Source Tech Support Partnership, ten reasons not to log in as root ("The six month background check gets really tiring when fourth cousins start to complain about the NSA surveillance"), and, well, an interview with LWN's editors.

Patents and Licenses

Cisco response to LWN article on NAT patent. The "Linuks" site in Germany has posted an article containing LWN's coverage of Cisco's NAT patent in last week's weekly edition along with a response from an (unspecified) Cisco office. "This is right. But be careful. Linux is not scaling in large Networks where you have to monitor and protect 10.000 sessions for example." Not reassuring.

Fair wages for Trolltech (LinuxWorld). Nicholas Petreley worries about the Qt GPL release in this LinuxWorld column. "But I am afraid for Trolltech that it won't play out that way. The problem for Trolltech is that you still can't sell commercial software based on Qt without paying Trolltech a license fee. In contrast, due to the LGPL nature of the GNOME libraries, you can sell proprietary software based on the GNOME libraries without paying anyone a cent."

Open Source Debate

Open Source Point/Counterpoint (ESP). Embedded Systems Programming has put up a pair of articles debating the usefulness of open source in embedded systems. The anti- side of the debate brings up the old "open source does not innovate" charge: "It is significant that the major open source companies are all leveraging already existing open source products, which were originally written with no commercial motivation. I contend that these companies will fail to ever truly innovate. Innovation requires a level of risk, and the returns will never justify the risk when the playing field has been levelled by an open source philosophy." And here is the other side of the debate. "The truth is that the free software movement is a long overdue course correction that reverses the software technology industry's progression towards a state that holds the rights of software vendors in higher regard than the rights of software consumers. Furthermore, products of the free software movement provide models that demonstrate how software should be designed, managed, and marketed in the coming years." (Thanks to César A. K. Grossmann).

The Great Open Source Debate of ESC West 2000 (LinuxDevices.com). LinuxDevices.com covers an Embedded Systems Conference panel session on open source vs. proprietary solutions. Quoting John Fogelin of Wind River Systems: "The embedded market is inherently fragmented, and therefore does not lend itself to being supported by a community-based open source development process. One way or another, in the embedded market, you really must invest in unique technology, because the needs are truly individualized. Innovation really does cost money."

Companies

TheKompany.com: A New Approach to Linux Business (LinuxPlanet). LinuxPlanet talks with Shawn Gordon of theKompany. "And so began a series of projects. Most are open source, free software. But in addition, Gordon and his company, theKompany.com, are producing specialized development tools that, while typically Linux-based, will work on multiple platforms and will be sold to businesses. This hybrid -- producing open-source software, helping with existing projects, and working on proprietary projects, too -- is a thin wire to walk, but Gordon says it's working."

BSD System Takes On Linux (ZDNet). ZDNet looks at BSDi. "BSDi also touts the security features offered with the BSD OS. Problems such as the common Unix buffer overflow exposure, where a malicious hacker crashes a system by putting too many characters into a command field and feeds the system rogue commands as it restarts itself, were identified and eliminated in BSD, primarily through the painstaking work of independent software developer Theo de Raadt." There is also this companion piece highlighting the differences between the BSD variants.

Red Hat to unveil Linux subscription service (ZDNet). ZDNet reports on Red Hat's new subscription service, which it calls a "bold new concept." This bold concept looks much like the old RHMember service of years gone by. "This is essentially a subscription service that connects customers to Red Hat's central office, allowing them to receive all Red Hat Linux software updates and patches as well as news of kernel and other Linux developments for a monthly fee."

Red Hat Is Now at Your Service (Industry Standard). The Industry Standard looks at the Red Hat Network. "Web-based service is particularly well-suited to open-source software, which is developed collaboratively and doesn't have the benefit of version control, as does proprietary software." No comment.

Bumpy road(map) to Mozilla browser (ZDNet). ZDNet looks at the latest Mozilla roadmap. "The updated roadmap calls for Mozilla.org to release Mozilla 1.0 in the second quarter of 2001. The roadmap distinguishes this 1.0 release from the Netscape 6 implementation of the Mozilla code, but doesn't elaborate on the differences. The Mozilla.org team also is continuing to work on projects beyond the browser, including an LDAP-based directory, instant messaging/chat facility, e-mail reader and other open-source deliverables."

Motorola places big bet on Linux developer Lineo (ZDNet). ZDNet reports on Motorola's investment in Lineo. "A company spokesman said Motorola was committed to establishing Linux as the open platform choice for embedded development, particularly as its customers require increasingly more complex capabilities in embedded devices."

Sun-Cobalt deal boosts confidence in Linux sector (Upside). Upside examines the effect of Sun's purchase of Cobalt on other Linux stocks. "VA and Cobalt weren't really going head to head, but with Cobalt gone, VA Linux and its own low-cost server line certainly becomes more attractive fodder for companies hoping to match Sun's move."

S3 spins off Net appliance venture (ZDNet). Here's a ZDNet article on S3's spinoff of FrontPath, which will go into the Internet Appliance business. "The device will weigh less than three pounds. It will run the Linux operating system and use a Transmeta processor. A 10.4-inch touch screen will come with the device, which will have wireless communications capabilities and work within a local area network."

Fiorina outlines HP's role in e-biz 'renaissance' (ZDNet). ZDNet covers HP CEO Carly Fiorina's keynote at NetWorld+Interop. "Fiorina described the move to open-source computing as 'inevitable and natural.' Open-source initiatives are successful and already mainstream, she maintained. 'We're supporting Linux across all of our systems, software and services,' she said."

Business

Gnutella is going down in flames! (ZDNet). ZDNet predicts the death of Gnutella. "Unfortunately, we have found that Gnutella is not as scalable as the centralized Napster network. Translation: the more users, the less efficient. In recent weeks, doing a search or query with the program yielded little or no results."

That (other) f-word (ZDNet). This ZDNet column looks at Linux on mainframes and the stresses those platforms put on kernel development. "I heard similar whines about GUIs a few years ago, and from here it looks like the Linux desktop has surpassed the tired Unix offerings of Motif and CDE, both in usability and popularity. So let's turn to the area of big iron, and see just how long it will take before Linux can play with the big boys."

What's Wrong With Linux Services? (Andover News). Here's an Andover News column looking at why investors are down on Linux services. "Several that I spoke to suggested that the very nature of Open Source made it too easy for new firms to enter the market. They worry about a glut of new Linux-based service vendors depressing profit margins and stalling growth of individual companies. They point out that international markets may already be closed to U.S.-based Linux specialists because local vendors are rapidly establishing themselves in local markets." (Thanks to César A. K. Grossmann).

Music To Their Ears? (TechWeb). TechWeb contemplates the use of Linux by musicians. "So why the move to Linux? According to industry experts, it offers an affordable and stable way to manipulate electronic music. Today, without looking too hard, users can find more than 750 Linux-based music applications both online and off." (Thanks to Scott Dowdle).

Keep tech simple, stupid (Upside). Here's an Upside column on the need for simplicity in tech products. "The most successful Linux company in the world, Red Hat (RHAT), specializes in taking the complexity out of Linux. Note that Red Hat does not deliver on the promise of diversity, of tapping into every Linux developer's mind, but on the approach of limiting choices. It takes the complexity of choosing what version and which applications to use away from the customer. The Red Hat executives and technicians decide that for you, making the choice easier."

Resources

LinuxDevices.com Embedded Linux Weekly Newsletter. The LinuxDevices.com Embedded Linux Weekly Newsletter for September 21 is out.

Embedded Linux Market Survey -- Sept. 2000 Snapshot (LinuxDevices.com). LinuxDevices.com has put together a snapshot of the results of its Embedded Linux Market Survey. Have a look for a hefty dose of pie charts on why and how people are using embedded Linux.

Program Your Computer to See (O'Reilly Net). Here's an O'Reilly Network article on using Intel's open source Computer Vision Library. "The facilities provided by the library vary from the common and easy-to-understand to the very complex. Some of the former include camera calibration, image statistics and histograms, gesture recognition, arbitrarily sized matrix math support, edge detection, and flood filling. The more complex include optical flow algorithms, segmentation, eigen objects, and embedded hidden Markov models."

From MFC to GTK: A Developer's Journey (Linux.com). Linux.com has put up this tutorial article on porting Windows applications to the GTK toolkit. "Legality aside, don't forget your end users; not only are win32 wrappers considered to be 'cheating' by the Linux community, no one wants to run a native Linux application that looks like a native Windows application. After all, if we wanted to use Windows programs, we'd just run Windows in the first place and save all this hassle. Your users demand more from you. Do not cheat them out of it."

Reviews

Installing Nautilus: An Emerging Linux File Manager (O'Reilly Net). The O'Reilly Network reviews the Nautilus installation process. "Clearly, these installs are not meant for the typical Linux newbie at this point ... but it's encouraging that, with a little sense of adventure, I was able to get Nautilus running on the desktop."

Nautilus buffs desktop Linux (ZDNet). ZDNet reviews the Nautilus preview release. "In tests of the first preview release, Nautilus shone particularly brightly in comparison with the GNU Midnight Commander file manager that ships with the GNOME desktop. Nautilus also impressed us more than the KFM file manager that is included with the KDE (K Desktop Environment) Linux package. However, we expect KDE to show significant strides in usability when Version 2 ships later this year."

Building a low-cost router appliance with Embedded Linux (LinuxDevices.com). LinuxDevices.com has run this how-to article on building a Linux-based router. "Building an embedded Linux device just got a whole lot easier. A new set-top box computer form-factor from Allwell (in Taiwan) enables embedded Linux developers to create great looking products without the hassle and huge expense of building it themselves."

Interviews

Raymond... Eric Raymond (Government Technology). Government Technology interviews Eric Raymond. "Anybody who believes that closed-source helps their system be secure needs to go have a therapeutic conversation with a cryptographer immediately and get rid of this delusion. Cryptographers have known for 15-20 years now that it's folly, absolute, utter folly, to make the security of the system depend on the security of the algorithms."

Up Close with Microsoft's Paul Maritz (Crosstalk). Crosstalk talks with Paul Maritz, VP of Microsoft's development group. They don't really talk about Linux, but one little gem slips in: "Is Linux an open operating system? You have free access to the source but is there any official standard party that controls the interfaces to Linux? No. Is that an open process or not? I do not know." (Thanks to Soren Lundsgaard).

Section Editor: Rebecca Sobol
Announcements

Resources

New Linux job site Lolix.org launches. Lolix.org, which has been around as a French-language free software jobs site for a while, has launched a new US/English section. It's free for job seekers and posters both.

Events

Linux.conf.au submissions closing. For those of you wanting to speak at linux.conf.au in Sydney next January, take note of this announcement that the deadline for submissions is the end of this month.

September/October events. Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

User Group News

LUG Events: September 28 - October 12, 2000. Additional events can be found in the LWN Event Calendar.
Software Announcements

Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways. Our software announcements are provided courtesy of Freshmeat.
Linux Links of the Week

As you may have noticed, trying to download a distribution right now is a difficult undertaking, even if you are not after that new release that's in the news. One place to look is LinuxISO.org, which has CD images of a number of distributions. Most of LinuxISO's servers seem to be in Europe. There is also the SourceForge mirror server, though even its heavily hyped massive bandwidth appears to be a bit stressed at the moment. And don't forget, of course, the Tucows Linux library. It has mirrors worldwide, and is especially good if you're looking for something a little older.

Section Editor: Jon Corbet
This week in history

Two years ago (October 1, 1998 LWN). This was the week when Intel and Netscape announced investments in an obscure company called Red Hat. If you were not paying attention at the time, you will likely have a hard time understanding the impact that those investments had. Money from Intel now shows up on Linux business plans sometime shortly after getting the incorporation papers signed. At the time, however, it was the first direct statement from an established technology company that Linux was going to go somewhere. It brought a new legitimacy to the Linux business arena. To a great extent, this investment changed the situation overnight.

In a way, the investments could be looked at as the day Linux bought a suit and shaved. Linux, a Unix-like operating system, so far has mostly been an underground computing phenomenon.

LWN reviewed GNOME 0.30. Things have come along since then. Cygnus released the first version of its eCos embedded operating system. Red Hat, which had a proprietary CDE offering back then, discovered that it was full of bugs. Not only that, but Red Hat couldn't fix them. So they dropped the product, and pretty much got out of the proprietary software business altogether. The development kernel was 2.1.123. This kernel came out with a bunch of compilation errors due to a messed up patch application. After the screaming reached too high a point, Linus threw up his hands and left to take a vacation. This was one of the famous "Linus does not scale" events of the 2.1 development series, and served notice that something had to change. Two years later, the 2.3 development has been free of such episodes. Some of the changes made, wherein more patches pass through various "lieutenants" before getting to Linus, appear to have helped. Caldera officially launched its 1.3 distribution. SuSE announced its "Office Suite 99" -- essentially a package built around its distribution and the ApplixWare office suite.

One year ago (September 30, 1999 LWN): Then, as now, the Embedded Systems Conference was in progress. The big players were Cygnus, with its new EL/IX platform, and Lineo, which had a thing called "Embedix" in the works. PC Week put up a "Hack PC Week" challenge; its Linux server was promptly hacked. The problem, as it turned out, was a third-party ad serving script they had put on the system, along with a distinct lack of attention to application of security updates. Then, as now, somebody was trying to get a project management system for the Linux kernel adopted. The first release of GNOME's Bonobo component system happened.

[The penguins] are, in fact, trained actors used to appearing before hot lights and cameras. Some of their commercial credits include Batman (the movie), as well as several frozen food ads. However, it would now appear that their career as the Magic penguin (nicknamed 'MeL' by the Company) is at an end.

Linus Torvalds was awarded an honorary doctorate at the University of Stockholm.
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 21 Sep 2000 12:37:08 -0400
From: "Bill Rugolsky Jr." <rugolsky@ead.dsa.com>
To: letters@lwn.net
Subject: NFS in 2.2.18pre9

Hi,

Just a quick note: Alan has only merged Trond Myklebust's NFS client patch (SunRPC/NFSv2 fixes, TCP, NFSv3 added). Dave Higgen's knfsd patch, which applies over Trond's patch, has not been merged. Alan may still have concerns about compatibility or particular implementation details; he hasn't elaborated publicly. On the positive side, even if the knfsd patch doesn't go in, it is relatively localized to lockd and nfsd, and so should apply fairly cleanly going forward. Still, it would be nice to have the Linux NFS client/server work out-of-the-box; this is a principal requirement in NFS-heavy environments such as our workgroup. Once 2.4 is stable, it will be a non-issue, but that is several months away, at minimum.

Regards,

Bill Rugolsky
rugolsky@ead.dsa.com
Date: 24 Sep 2000 00:43:02 -0000
From: Eric Smith <eric@brouhaha.com>
To: letters@lwn.net
Subject: Eric Raymond on closed-source security

Gentlemen,

On September 22, you quoted a Government Technology interview with Eric Raymond: "it's folly, absolute, utter folly, to make the security of the system depend on the security of the algorithms."

I did a double-take when I read this. Then I followed the link and was astonished to see that you did in fact accurately quote the GT article. Of course, I don't know whether GT accurately quoted ESR.

What ESR should have said is that it is folly to make the security of the system depend on the *secrecy* of the algorithm. I imagine that secrecy is what he meant when he said security, and perhaps secrecy is a form of security, but it's only one aspect. In general it is not even possible to have a secure system without a secure (but not necessarily secret) algorithm. If your algorithms aren't secure, it matters little whether they are secret or not.

Part of this is to use crypto algorithms that are secure, i.e., to use triple-DES rather than XOR with a small constant. However, many people think that just because they use a good crypto algorithm, their program is secure. Unfortunately, while the use of a good crypto algorithm is necessary for a program to be secure, it is not sufficient. Read any issue of Bruce Schneier's Crypto-gram newsletter, and you'll find listings of cases where people have built insecure programs by improperly using a good crypto algorithm: http://www.counterpane.com/crypto-gram.html

If you wonder how a program that uses a very secure algorithm can still be insecure, read Bruce's essays "Why Cryptography is Harder than it Looks" and "Security Pitfalls in Cryptography": http://www.counterpane.com/publish.html

Eric Smith
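The distinction the letter above draws, secrecy of an algorithm versus its security, together with its point that a sound algorithm can still be misused, is illustrated by the following added Python example; it is not part of Eric Smith's letter or of LWN's text. It assumes HMAC-SHA256 in counter mode as a stand-in keystream generator (chosen only because it is in the standard library) and uses constructed sample messages; the hypothetical helper names are the example's own.

```python
"""Three small experiments on constructed data, all with fully public algorithms:

  1. "XOR with a small constant" fails even though nothing about it is secret,
     because its one-byte key space can be searched exhaustively.
  2. A public keystream generator with a 256-bit key keeps its security
     because the secret lives in the key alone; there is nothing to exhaust.
  3. The same sound generator, misused (one key and nonce for two messages),
     leaks the XOR of the two plaintexts to anyone holding the ciphertexts.
"""
import hashlib
import hmac
import os

# Plausibility filter for candidate plaintexts: lowercase letters and spaces.
LOWER_AND_SPACE = frozenset(b"abcdefghijklmnopqrstuvwxyz ")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- 1. A public algorithm whose only defence is a one-byte key. -------------

def xor_constant(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt by XORing every byte with the same one-byte key."""
    return bytes(b ^ key for b in data)


def recover_xor_constant(ciphertext: bytes) -> list:
    """Try all 256 keys and keep those whose output looks like lowercase text.
    Returns (key, plaintext) pairs; the list is tiny for any real message."""
    candidates = []
    for key in range(256):
        guess = xor_constant(ciphertext, key)
        if all(b in LOWER_AND_SPACE for b in guess):
            candidates.append((key, guess))
    return candidates


# --- 2. A public algorithm whose secret is a 256-bit key. --------------------

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: successive HMAC-SHA256(key, nonce || counter)
    blocks. Assumption of this demo: HMAC-SHA256 is a sound PRF."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: plaintext XOR keystream. Decryption is the same call."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# --- 3. Misuse of the sound primitive: reusing (key, nonce). -----------------

def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages under one (key, nonce) and return what an observer
    of the two ciphertexts alone can compute: c1 XOR c2. Because both used the
    same keystream it cancels, so the result equals p1 XOR p2, and knowing
    either plaintext then reveals the other."""
    c1 = stream_encrypt(key, nonce, p1)
    c2 = stream_encrypt(key, nonce, p2)
    return xor_bytes(c1, c2)


def ciphertexts_related(key: bytes, p1: bytes, p2: bytes, fresh_nonces: bool) -> bool:
    """True if c1 XOR c2 equals p1 XOR p2. With a fresh random nonce per
    message (the correct usage) the keystreams differ and nothing cancels."""
    n1 = os.urandom(16)
    n2 = os.urandom(16) if fresh_nonces else n1
    c1 = stream_encrypt(key, n1, p1)
    c2 = stream_encrypt(key, n2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    # Constructed sample messages of equal length (14 bytes each).
    P1 = b"attack at dawn"
    P2 = b"retreat at one"
    print("one-byte XOR, candidates:", recover_xor_constant(xor_constant(P1, 0x5A)))
    key, nonce = os.urandom(32), os.urandom(16)
    leaked = nonce_reuse_leak(key, nonce, P1, P2)
    print("nonce reuse, c1^c2 == p1^p2:", leaked == xor_bytes(P1, P2))
    print("second plaintext from the first:", xor_bytes(leaked, P1))
    print("fresh nonces, related:", ciphertexts_related(key, P1, P2, True))
```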
Date: Thu, 21 Sep 2000 16:06:26 +0100
From: Dave Peacock <davep@netscape.com>
To: letters@lwn.net
Subject: Outrage at Debian dropping security for 2.1

Who the hell do Debian think they are?! How dare they make people wait a _ridiculously_ long time for an official release, and then drop sec support within a few months? That is completely unacceptable. Security is a _vital_ aspect of any software, _especially_ an OS. Debian has been dropping in my opinions for a while now, for various reasons, but this is really the icing on the cake. Debian, you have _totally_ lost my support. _Maybe_ I can understand dropping support for non-sec bug fixes this early, but security fixes should at _least_ be worked on for a year or two, ideally, indefinitely. I think I will replace my 2.1 machines with a dist that has a better release cycle, no bloatware (read - wannabe crappy packages with no value in a base OS dist), and some kind of concept that sec fixes are _critical_.

Debian developers/maintainers/people of power: Please re-consider and maintain sec stuff for _at least_ a year.

--
Dave Peacock
Technical Support Engineer
davep@netscape.com
+44 (0)208 564 5121
iPlanet E-Commerce Solutions
www.iplanet.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I/O, I/O, It's off to disk I go, a bit or byte to read or
~~~~~~~~~~~~~~~ write, I/O, I/O, I/O, I/O ~~~~~~~~~~~~~~~~