[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests



Leading items and editorials


Debian slink security updates, one more time. As LWN has been reporting over the last few weeks, the Debian project has decided to terminate support for its 2.1 ("slink") release. Regular updates are already a thing of the past, while security-related updates will go away as of the end of October. Given that 2.2 has been out for less than two months, this termination of support seems rather abrupt to many.

Last week's LWN Letters to the Editor Page carried a rather harshly-written note expressing disapproval of this move. We got back a number of responses, some of which can be seen on the back page this week. Based on those, and discussion on the debian-devel mailing list, we conclude that support for 2.1 is being terminated because (1) the Debian developers see no need for it, and (2) nobody is available who is willing and able to do the work.

The first point turns on the fact that Debian systems are especially easy to upgrade. The whole packaging system is built around that idea. Why, ask the developers, should an old system be supported when it is so easy to go to the new one?

The problem here, of course, is that a great many people - especially business users - are highly reluctant to upgrade a system which is working. Upgrades - even easy ones - break things. Thus a lot of administrators will never touch a working system unless they really have to. If these sorts of users see Debian as a system that will force them to upgrade on a tight schedule, they will go to a different distribution.

Whether this is a problem depends on how the Debian Project sees its user community. If they are making a distribution for themselves, the loss of a large group of potential users may not matter. If, instead, they would like to see their distribution grow into a user community beyond just developers, they should be worried about policies that will scare users away.

The second point - that there is nobody to do the work of maintaining security updates for old releases - is also interesting. It is true that a volunteer project can have a hard time finding people for this sort of work. It is, after all, somewhat tedious and unglamorous. Nonetheless, other projects, such as the kernel, have been able to get this work done.

Even so, maintenance work is often the sort of thing that one has to pay people to do. And that raises an interesting question: would it not make sense for the companies that are selling commercial, Debian-based distributions to take on this task? It would be nice if these companies could contribute directly back to Debian. Failing that, one would hope that they would at least keep on top of the updates for their own products.

With that idea in mind, LWN took a look at a few commercial Debian distributors. The results were discouraging:

  • Corel has a security updates page. It currently contains exactly one update, an installer fix for the first edition of Corel Linux. There are absolutely no updates for the other packages in either the first or second edition. Despite several tries over the last few days, LWN has had no luck in getting a response out of Corel regarding security updates. Of course, Corel has been busy this week...

  • Libranet has a support page, but it makes no mention of security updates. The company did answer our queries, however. They make security updates available, but only to registered users who have expressed an interest in hearing about them. We were unable to get any specific information on any updates that might be available.

  • Stormix Technologies, publishers of Storm Linux, has a "bugs and errata" page, but it's empty. Stormix did not answer queries from LWN regarding its security updates.

It would appear that none of the above distributors have updates easily available for any of the recent problems - things like the vulnerabilities in glibc, sysklogd, mgetty, and others. Not even for their current distributions, to say nothing of previous releases.

Compare this performance against the aggressive security update policies of distributors like Caldera, Conectiva, MandrakeSoft, Red Hat, SuSE, TurboLinux, and others, and you'll see that the above companies simply are not taking security seriously. This is not the sort of performance that will make nervous corporate IT types sleep well at night. The commercial distributors are not filling in the Debian support gap.

It would be nice to see the Debian distribution continue to grow in usage and influence. To gain (and keep) a wider audience, however, it is going to have to address the concerns that audience has. One important component of that is to provide timely updates for current and past releases. Currently, this need is not being met, and that will affect Debian's future growth.

LWN Penguin Gallery updated. After way too long, we've finally gotten around to updating the LWN Penguin Gallery. We're up to 275 unique penguins at this point, and still counting...

For those who would like to point out additional penguins: please drop a note to lwn@lwn.net. Please provide a page where the penguin can be found (so we can link to it); that works far better than sending us the image as an attachment.

Microsoft buys into Corel. The folks at Corel have gained some substantial relief in their battle to save the company. Here is the announcement that Corel and Microsoft have entered into an alliance to work together on ".NET". This is no ordinary alliance, though, since Microsoft is buying almost 25% of the company in the process.

Acting chief executive Derek Burney has been rewarded for bringing this deal to fruition - Corel has announced that he now has the role of President and CEO permanently.

The above is about all that is really known about this deal; all the rest is speculation. And there is plenty of material to speculate on.... After all, Microsoft has essentially just bought its way into the Linux business.

The Canadian Information Processing Society has issued a press release expressing concern about the fact that neither company has said anything about how this deal will affect Corel's Linux activities. That is indeed curious. One can only hope that Corel will clarify things in the near future.

Also ominous is this pronouncement from the Meta Group which was carried on CNet News.com:

"Corel currently plays an important role in Linux. Many other Linux companies look to it for its skills, tool sets and the work it does on key Linux committees. Therefore, Corel can be a valuable ally for Microsoft in Linux, allowing Microsoft to influence key questions, such as how the user interface, setup and deployment will look and function."

The folks at Meta perhaps overstate Corel's role and influence in the Linux world. But if this is what Microsoft has in mind, things could certainly get interesting.

Then there are suggestions that Microsoft wants to ensure the success of .NET by making Linux support it; that they want to open up WordPerfect to take the open source pressure off of Office; that they want a path into the Linux distribution business; or that they were simply taking an easy path to settle some outstanding legal fights. All of those ideas are plausible, but there is little evidence for any of them.

About all that is clear, perhaps, is that this situation is going to be interesting to watch.

Eric Raymond on the SDMI boycott. Eric Raymond has sent us a strongly-worded reply to the recent Salon article on the "hack SDMI challenge" boycott. "So sure, we'll crack SDMI. *After* the record companies and any consumer-electronics companies gullible enough to do their bidding have sunk billions of dollars into hardware and business plans based on it. Hasta la vista, idiots!"

Embedded Systems Conference summary. LWN's Forrest Cook has written a summary report on this fall's Embedded Systems Conference in San Jose, CA. Linux is making many inroads into the embedded systems world.

Open Source as ESS. Last week's LWN Weekly Edition examined software licenses using a (superficial) understanding of game theory and the prisoner's dilemma. It turns out that David Rysdam has written up a much more detailed analysis of what game theory has to say about different software licenses. The conclusion is that GPL-style licenses will eventually prevail over BSD-style licenses in the market place.

The article, necessarily, makes use of a number of simplified assumptions. It's nonetheless worth a read. In contrast to what we wrote, it's nice to see what comes out when game theory is applied by somebody who really understands it... :)

The Atlanta Linux Showcase starts October 10. Actually, the event is now properly known as the 4th Annual Linux Showcase & Conference; the name will eventually stick because next year's event will be held in Oakland, California instead. For now, however, it can be ALS one more time. Keynote speakers include Larry Wall and Ken Coar, and it looks like the conference will have a strong technical program.

Inside this week's Linux Weekly News:

  • Security: Trouble with ssh/scp, SYNCookies vs. Genesis, traceroute gives root access, and GnoRPM gets a fix.
  • Kernel: The 2GHz limit; KernelWiki wants you; filesystem happenings
  • Distributions: Red Hat 7 - too far off the bleeding edge?
  • Development: Sourceforge developer rating system; embedded Linux workshop
  • Commerce: Atipa acquires OpenNMS, ProGear, VA Linux announcements.
  • Back page: Linux links, this week in Linux history, and letters to the editor
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:


October 5, 2000

 


 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds