
Linux Links of the Week


TheGeek.org is another amusing news site, apparently relatively new. Check them out now, before they get popular...

The plug was apparently just pulled on the last Multics machine. Multics had a great influence over many of the systems that followed, including Linux. Have a look at this RISKS posting by Peter Neumann on the goals of the Multics project; more can then be found at the Multicians.org site.

Section Editor: Jon Corbet


November 16, 2000

This week in history


Two years ago (November 19, 1998 LWN): Trolltech announced that the Qt library would be released under an open source license. That license, the QPL, was truly open source, but remained controversial anyway. The Qt licensing issue didn't really die down until the library was relicensed under the GPL this year.

Bruce Perens warned about the danger of trojan horse software. Two years later, there have been very few trojan incidents, but the danger is probably more real than ever.

Stable kernel 2.0.36 was released with the first known application of "holy penguin pee." According to Linus:

This, btw, is not something I would suggest you do in your living room. Getting a penguin to pee on demand is _messy_. We're talking yellow spots on the walls, on the ceiling, yea verily even behind the fridge. However. I would also advise against doing this outside - it may be a lot easier to clean up, but you're likely to get reported and arrested for public lewdness. Never mind that you had a perfectly good explanation for it all.

The Linux Journal Editor's Choice Awards went out...the product of the year was Netscape Communicator, the "most desired port" Quark Xpress, and the best new hardware was the Corel Netwinder. Some awards just don't stand the test of time...

Slackware 3.6 was released. Both Red Hat and SuSE announced support programs for their distributions. Red Hat hired Matthew Szulik to be the company president.

VA Research (now VA Linux Systems) received a venture investment from Sequoia Capital, and Netscape purchased "NewHoo," which has since become the Open Directory Project.

FUD of the week:

Linux may be a great way for computer-literate individuals to get under the hoods of their computers for little cost, but it's nothing more than a convenient form of protest and public relations for the major software vendors that plan to support it. If nothing else, the Linux community has an influence beyond its numbers, and getting on its good side might help sales elsewhere. As long as Linux remains a religion of freeware fanatics, Microsoft (and other NOS vendors) have nothing to worry about.
-- Michael Surkan, ZDNet.

One year ago (November 18, 1999 LWN): The first Linux Business Expo happened as part of Comdex in Las Vegas. The Linux Professional Institute completed its first certification exam, finally.

SuSE 6.3 was announced - though it was not due to hit the net until December. Mozilla M11 was released.

Rumors were circulating of a new company to be formed by GNOME hackers Miguel de Icaza and Nat Friedman. Red Hat's purchase of Cygnus Solutions was confirmed. VA Linux Systems decreed that its IPO would happen at $11-13 per share - rather short of the $30 that it eventually went out at (but fairly close to today's price).

Scary thought of the week:

I don't think people realize just how close we came to a Microsoft-dominated Web. If Microsoft, having trounced Netscape, hadn't been surprised by the unexpected strength of Apache, Perl, FreeBSD and Linux, I can easily imagine a squeeze play on Web protocols and standards, which would have allowed Microsoft to dictate terms to the Web developers who are currently inventing the next generation of computer applications.
-- Tim O'Reilly in Salon.

Advogato hit the net.


Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
 
   
Date: Fri, 10 Nov 2000 09:53:40 -0800
From: Jean Tourrilhes <jt@bougret.hpl.hp.com>
To: lwn@lwn.net
Subject: IrDA status in 2.4

	Hi,

	I'm writing to Jonathan Corbet about the blurb he wrote in
this section of LWN:
		http://lwn.net/2000/1109/kernel.php3

	Your assessment of the IrDA in kernel 2.4 situation is both
premature and inaccurate:

	1) Don't take all of Linus' words for granted; patch size is not
the only issue:
http://www.uwsg.indiana.edu/hypermail/linux/kernel/0011.1/0023.html

	2) This is not a "last minute query"; there has been an
ongoing process of trying to get IrDA into the kernel over the last 6
months (I personally sent mails/patches to Linus in August), it was
just private.

	3) Don't underestimate the difficulty of feeding patches to
Linus when he gives absolutely no feedback whatsoever and totally
ignores what you are doing. Alan Cox is much easier to work with.

	4) Don't overestimate the ability of Linus to understand and
appreciate patches for a large body of code he is unfamiliar with and
in an area where he doesn't have experience.

	5) This kind of flame is unfortunately the only way to get
things moving. I don't like it.

	That's it !

	Jean
   
From: Zygo Blaxell <zblaxell@genki.hungrycats.org>
Date: Tue, 14 Nov 2000 13:00:35 -0500
To: letters@lwn.net
Subject: Re: Linux's security


Kevin Breit <battery841@mypad.com> wrote:
>I know that Linus and Co. think it's nazi-admin, but enable wheel
>group on Linux distributions by default.

Funny, I've been called a Nazi administrator more than once, but I 
don't agree.  :-)

Wheel-group just trades setuid security holes for setgid security holes,
without solving the real problems:  buggy programs (setuid or not) with
privileges, plaintext passwords, and unsecured communications channels.
On the other hand, wheel-group introduces new administration procedures
and interoperation difficulties.

Better to remove the setuid bits entirely from /bin/login and /bin/su,
and disable or completely remove from the system any software that
allows login as root in ways not explicitly approved by the "wheel"
people.  The vast majority of users are much better off if they can only
get root privileges by logging into the console (or via ssh, if remote
root access is a requirement).

>But Linux definitely doesn't touch OpenBSD's quality in regards to
>security, and I feel it's arguable that it has some catchup to do with
>FreeBSD.

I've been following both the FreeBSD and Debian (GNU/)Linux security
situation for some time now.  My experience suggests that Debian and
FreeBSD are fairly evenly matched (within a few weeks of each other)
in terms of security issues.

Both distributions consist of three categories of packages: essential
software, optional but installed-by-default software, and
optional but not-installed-by-default software.  There is little
security distinction between Debian and FreeBSD within each category:
both sets of essential software tend to be very secure, while both sets of
non-essential software tend to have multiple exploitable vulnerabilities
exposed every week, and both sets of installed-by-default optional
software fall somewhere in between.

Every now and then, a vulnerability is found even in the essential
software category, but when that happens both Debian and FreeBSD release
upgrades within days (if not hours) of each other.  Both Debian and
FreeBSD feature some kind of mostly automatic upgrade mechanism for end
users which can be used to install security patches in a painless and
timely manner.

Now that I've said all that:  there is a gap between Debian and other
Linux distributions, and it goes both ways.  Some Linux distributions
are as fanatical about security as the OpenBSD people (although they
don't have OpenBSD's four year head start).  On the other hand, I'm
sure we all know of at least one Linux distribution where some trivial
but essential task is by default performed with the "assistance" of
millions of lines of unaudited GUI code cobbled together from two or
three competing X11 toolkits, written by people who barely understand
C, let alone concepts like system() exploits or /tmp races, all running
under root privileges and 'xhost +'.  Heck, even Debian has optional
packages like that if you want to install them.  ;-)

Granting software the freedom to evolve guarantees only different results,
not better ones.  ;-)
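As an added example (not part of Mr. Blaxell's letter, nor any LWN or distribution code): a small POSIX shell audit of the two things the letter's policy turns on, where setuid/setgid bits actually live on a file tree, and what an sshd_config effectively says about root login. It runs against a constructed fixture directory so it works offline and without root; the fixture file names and the sample sshd_config are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the letter: audit helpers for the root-access
# policy discussed above.  All input is constructed below so the script
# runs offline as an ordinary user; point list_privileged_bits at / (or
# /bin, /usr/bin) for a real inventory.

# List regular files under $1 carrying the setuid (4000) or setgid (2000)
# bit, one "ls -ld" line each.  -perm -MODE means "all of these bits set",
# so the -o joins the two separate tests.
list_privileged_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Number of such files, trimmed of the padding BSD wc adds.
count_privileged_bits() {
    list_privileged_bits "$1" | wc -l | tr -d ' '
}

# Effective PermitRootLogin in the sshd_config named by $1.  sshd honours
# the first occurrence of a directive, so the first match wins; commented
# lines ("#PermitRootLogin") fail the $1 comparison and are skipped.  Prints
# "unset" when the directive is absent, so the caller can treat "not
# explicitly no" as a finding rather than guessing at the daemon's default.
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Constructed fixture: one setuid file, one setgid file, one plain file and
# an sshd_config with a conflicting second directive.  chmod u+s on a file
# you own needs no privilege (the bit is recorded even on nosuid mounts;
# only its effect at exec time is suppressed there).
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/su_like";  chmod 4755 "$dir/su_like"
    : > "$dir/sg_like";  chmod 2755 "$dir/sg_like"
    : > "$dir/plain";    chmod 0755 "$dir/plain"
    printf '# constructed sshd_config\nPort 22\nPermitRootLogin no\nPermitRootLogin yes\n' \
        > "$dir/sshd_config"
    printf '%s\n' "$dir"
}

# Stand-alone run: report on the fixture, then clean up.
demo() {
    d=$(make_fixture)
    echo "privileged binaries under $d:"
    list_privileged_bits "$d"
    echo "effective PermitRootLogin: $(effective_permit_root_login "$d/sshd_config")"
    rm -rf "$d"
}
demo
```

The inventory is the part worth keeping around: diffing its output between runs shows when a package install has quietly added a privileged binary, which is the kind of change the letter's "only via console or ssh" policy depends on noticing.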
   
Date: Thu, 09 Nov 2000 14:29:23 +0100
From: Simone Lazzaris <sw2@task84.it>
To: letters@lwn.net
Subject: Again about Microsoft Network compromise

Hi all
I just want to make some remarks about the recent network compromise at 
Microsoft and to reply to some letters read here on LWN about the "not 
so exceptional" security in Linux-based systems.
I think that, while it's true that almost all big distros ship with big 
security holes, the impact of this exploit is not just about the 
reliability of an OS, but falls into the realm of the security paradigm.
I mean, we all know that every system can be broken. It's just a matter 
of time. But hiding security holes, encrypting passwords with XOR, 
putting security bits in quirky places - in other words, the security through 
obscurity that Microsoft preaches - cannot hold if the source code 
can be exposed.
And with this network compromise we all know that the source code can 
be (and maybe was) exposed.
They don't have any more excuses. We cannot trust Microsoft on the security 
subject. Full stop. (Not that *I* ever trusted them. But this is another 
story).
---
Simone Lazzaris                               simone@omni.it

   
Date: Thu, 09 Nov 2000 08:40:54 -0600
From: Michael Coyne <coynem@airwire.com>
To: lwn@lwn.net
Subject: GNOME Office: StarOffice vs. Abiword

Having used both Staroffice's word processor and Abiword extensively
since their early days, I would not really be in favour of Staroffice
becoming the de facto word processing standard under Gnome--it's large,
clunky and slow.  Abiword is small, lightweight, and does what I need--I
also find it far easier to use.

I think it would be a real shame if Abiword died out because of
Staroffice--but I don't think it will.  Let Sun concentrate on
Staroffice.  I think that we in the free software community should
concentrate on things like Abiword and gnumeric.  Do we really want to
be dependent on Sun for our office software?  Sure, it's open
source--but the code remains Sun's property, even if we write it.  Sun
is a big proponent of Linux right now, but I wouldn't be surprised to
see them drop it like a hot potato if the marketplace changes.


Regards,
Michael
--
Michael Coyne
coynem@airwire.com
   
To: letters@lwn.net
Subject: AbiWord vs. OpenOffice: Who's Gnomey?
From: Alan Shutko <ats@acm.org>
Date: 09 Nov 2000 11:18:03 -0500

In reference to 

    AbiWord does not really see itself as a GNOME project - they want
    to produce "the world's word processor." Thus, AbiWord runs on
    platforms not supported by GNOME - things like BeOS and, yes,
    Windows. There is little or no desire on their part to narrow
    their focus at this point.

At this point, both the AbiWord and OpenOffice developers have their
eyes set on producing a cross-platform application.  The OpenOffice
mailing list archives hold a number of examples where something was
done to ensure cross-platform builds or functionality.  

IMO, it's too early right now to try to predict how either application
will fit into "GNOME Office".  Many of the technologies being
developed (bonobo, for instance) are under rapid development, and it
will be a while before the best ways to use them are understood.
Eventually we (as a community) will be able to decide the best way to
proceed.

(Me, I'm patient.  I remember when nobody thought a "word processor"
project could succeed, because so many had started and died.  The
amount of progress made in the last couple years is amazing.)

-- 
Alan Shutko <ats@acm.org> - In a variety of flavors!
1 days, 23 hours, 26 minutes, 37 seconds till we run away.
Never trust an operating system.
   
From: "Mason, Gerard" <gm95015@GlaxoWellcome.co.uk>
To: "'letters@lwn.net'" <letters@lwn.net>
Subject: Eazel Online Storage
Date: Fri, 10 Nov 2000 17:49:27 -0000

Since Nautilus is GPL'd, does anyone know if it is easy, or even possible,
to replace Eazel's Online Storage facility (and perhaps, though it is not so
important, the Software Catalog facility), with A.N. Other ISP's? Ideally
the user would simply have to change a line in a configuration file.

It wouldn't matter too much if ISPs had to do a fair bit of implementation
to support this, since they would only have to do it once. Is the
server-side source code (assuming there is any) also GPL'd?


Gerard Mason.

Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds