Leading items and editorials

Secrets & Lies

ping
    int request_module(const char *module);

eth0
    request_module("eth0");

request_module
    /sbin/modprobe -s -k eth0

eth0
request_module
modprobe
request_module
modprobe
modprobe
request_module
request_module
ping
-I
ping
request_module
    ping -I ';chmod o+w .'

modprobe
chmod
modprobe
modprobe
    ping -i '-C/my/config/file'

modprobe
modprobe
modprobe
Date: Fri, 10 Nov 2000 09:53:40 -0800
From: Jean Tourrilhes <jt@bougret.hpl.hp.com>
To: lwn@lwn.net
Subject: IrDA status in 2.4

	Hi,

	I'm writting to Jonathan Corbet, about the blurb he wrote in
this section of the LWN :
		http://lwn.net/2000/1109/kernel.php3

	You assesment of the IrDA in kernel 2.4 situation is both
premature and innacurate :

	1) Don't take all Linus words for granted, patch size is not
the only issue :
http://www.uwsg.indiana.edu/hypermail/linux/kernel/0011.1/0023.html

	2) This is not a "last minute query", there has been an
ongoing process of trying to get IrDA in the kernel in the last 6
month (I personally sent mails/patches to Linus in August), it was
just private.

	3) Don't underestimate the difficulty of feeding patch to
Linus when he give absolutely no feedback whatsoever and totally
ignore what you are doing. Alan Cox is much easier to work with.

	4) Don't over estimate the ability of Linus to understand and
appreciate patches for a large body of code he is unfamiliar with and
in a area where he doesn't have experience.

	5) This kind of flame is unfortunately the only way to get
things moving. I don't like it.

	That's it !

	Jean

From: Zygo Blaxell <zblaxell@genki.hungrycats.org>
Date: Tue, 14 Nov 2000 13:00:35 -0500
To: letters@lwn.net
Subject: Re: Linux's security

Kevin Breit <battery841@mypad.com> wrote:
>I know that the Linus and Co. think it's nazi-admin, but enable wheel
>group on Linux distributions by default.

Funny, I've been called a Nazi administrator more than once, but I 
don't agree.  :-)

Wheel-group just trades setuid security holes for setgid security holes,
without solving the real problems:  buggy programs (setuid or not) with
privileges, plaintext passwords, and unsecured communications channels.
On the other hand, wheel-group introduces new administration procedures
and interoperation difficulties.

Better to remove the setuid bits entirely from /bin/login and /bin/su,
and disable or completely remove from the system any software that
allows login as root in ways not explicitly approved by the "wheel"
people.  The vast majority of users are much better off if they can only
get root privileges by logging into the console (or via ssh, if remote
root access is a requirement).
>But Linux definatly doesn't touch OpenBSD's quality in regards to
>security, and I feel it's arguable that it has some catchup to do with
>FreeBSD.

I've been following both the FreeBSD and Debian (GNU/)Linux security
situation for some time now.  My experience suggests that Debian and
FreeBSD are fairly evenly matched (within a few weeks of each other)
in terms of security issues.

Both distributions consist of three categories of packages: essential
software, optional but installed-by-default software, and
optional but not-installed-by-default software.  There is little
security distinction between Debian and FreeBSD within each category:
both sets of essential software tend to be very secure, while both sets of
non-essential software tend to have multiple exploitable vulnerabilities
exposed every week, and both sets of installed-by-default optional
software fall somewhere in between.

Every now and then, a vulnerability is found even in the essential
software category, but when that happens both Debian and FreeBSD release
upgrades within days (if not hours) of each other.  Both Debian and
FreeBSD feature some kind of mostly automatic upgrade mechanism for end
users which can be used to install security patches in a painless and
timely manner.

Now that I've said all that:  there is a gap between Debian and other
Linux distributions, and it goes both ways.  Some Linux distributions
are as fanatical about security as the OpenBSD people (although they
don't have OpenBSD's four year head start).  On the other hand, I'm
sure we all know of at least one Linux distribution where some trivial
but essential task is by default performed with the "assistance" of
millions of lines of unaudited GUI code cobbled together from two or
three competing X11 toolkits, written by people who barely understand
C, let alone concepts like system() exploits or /tmp races, all running
under root privileges and 'xhost +'.  Heck, even Debian has optional
packages like that if you want to install them.  ;-)

Granting software the freedom to evolve guarantees only different results,
not better ones.  ;-)

Date: Thu, 09 Nov 2000 14:29:23 +0100
From: Simone Lazzaris <sw2@task84.it>
To: letters@lwn.net
Subject: Again about Microsoft Network compromise

Hi all
I just want to make some remarks about the recent network compromise at 
Microsoft and to reply to some letters read here on lwn about the "not 
so exceptional" security in linux-based systems.
I think that, while it's true that almost all big distro ships with big 
security holes, the impact of this exploit  is not just about the 
reliability of an OS, but falls into the realms of the security paradigm.
I mean, we all know that every system can be breaked. It's just a matter 
of time. But hiding security holes, encrypting password with XOR, 
putting security bits in quirk places - in other words, security through 
obscurity - that Microsoft preaches cannot be hold if the source code 
can be exposed.
And with this network compromise we all know that the source code can 
(and maybe was) be exposed.
They don't have any more excuses. We cannot trust Microsoft on security 
subject. Full Stop. (Not that *I* ever trusted them. But this is another 
story).
---
Simone Lazzaris                               simone@omni.it

Date: Thu, 09 Nov 2000 08:40:54 -0600
From: Michael Coyne <coynem@airwire.com>
To: lwn@lwn.net
Subject: GNOME Office: StarOffice vs. Abiword

Having used both Staroffice's word processor and Abiword extensively
since their early days, I would not really be in favour of Staroffice
becoming the de facto word processing standard under Gnome--it's large,
clunky and slow.  Abiword is small, lightweight, and does what I need--I
also find it far easier to use.

I think it would be a real shame if Abiword died out because of
Staroffice--but I don't think it will.  Let Sun concentrate on
Staroffice.  I think that we in the free software community should
concentrate on things like Abiword and gnumeric.  Do we really want to
be dependent on Sun for our office software?  Sure, it's open
source--but the code remains Sun's property, even if we write it.  Sun
is a big proponent of Linux right now, but I wouldn't be surprised to
see them drop it like a hot potato if the marketplace changes.

Regards,
Michael
--
Michael Coyne
coynem@airwire.com

To: letters@lwn.net
Subject: AbiWord vs. OpenOffice: Who's Gnomey?
From: Alan Shutko <ats@acm.org>
Date: 09 Nov 2000 11:18:03 -0500

In reference to 

    AbiWord does not really see itself as a GNOME project - they want
    to produce "the world's word processor." Thus, AbiWord runs on
    platforms not supported by GNOME - things like BeOS and, yes,
    Windows. There is little or no desire on their part to narrow
    their focus at this point.

At this point, both the AbiWord and OpenOffice developers have their
eyes set on producing a cross-platform application.  The OpenOffice
mailing list archives hold a number of examples where something was
done to ensure cross-platform builds or functionality.  

IMO, it's too early right now to try to predict how either application
will fit into "GNOME Office".  Many of the technologies being
developed (bonobo, for instance) are under rapid development, and it
will be a while before the best ways to use them are understood.
Eventually we (as a community) will be able to decide the best way to
proceed.

(Me, I'm patient.  I remember when nobody thought a "word processor"
project could succeed, because so many had started and died.  The
amount of progress made in the last couple years is amazing.)

-- 
Alan Shutko <ats@acm.org> - In a variety of flavors!
1 days, 23 hours, 26 minutes, 37 seconds till we run away.
Never trust an operating system.

From: "Mason, Gerard" <gm95015@GlaxoWellcome.co.uk>
To: "'letters@lwn.net'" <letters@lwn.net>
Subject: Eazel Online Storage
Date: Fri, 10 Nov 2000 17:49:27 -0000

Since Nautilus is GPL'd, does anyone know if it is easy, or even possible,
to replace Eazel's Online Storage facility (and perhaps, though it is not so
important, the Software Catalog facility), with A.N. Other ISP's? Ideally
the user would simply have to change a line in a configuration file.

It wouldn't matter too much if ISPs had to do a fair bit of implementation
to support this, since they would only have to do it once. Is the
server-side source code (assuming there is any) also GPL'd?

Gerard Mason.

Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Back page See also: last week's Development page.	Development projects News and Editorials Art vs. Craft. osOpinion carried a story this week on software style and review, the difference between coding as an art and designing and engineering code. What prompted the article was the author's examination of code for various Linux based USENET clients, aka news readers. What I found both amazed and dismayed me -- most of the code I looked at was a mess. Badly commented (if at all), patched, crufted, and generally bolted together. It looked like the developers had no design at all in mind before they began; they just threw code at the wall and kept what stuck. Shock of shocks. While I won't defend the programming style of some open source developers, I can't say it produces significantly worse code than some I've seen in many other places. At Samsung there was no coding standard and developers in both the US and Korea - let your mind wander for a moment. At Dell coding standards were optional, and frequently ignored. At EMASS (now ADIC), well, spaghetti looked more uniform. But while these projects were formatted badly, they all seemed to work fine (mostly). What coding standards bring isn't more stable code, just the ability to more easily maintain projects. Coding standards work well for larger organizations, especially spread across multiple development sites, because you never know who will end up maintaining the code at some given point in the future. Sounds like open source, don't you think? Open source projects often start with someone with an itch and a spare minute. Design isn't the goal - results are. Interestingly enough, that's often true of successful proprietary projects as well. The need for processes and standards comes with project maturity. Software is like humanity - we like change less and less with age. But any change we do accept needs definitive rules and order. Code needs to be clean to provide extension and maintenance. But seldom is it that way from day one. So while open source offers many advantages over proprietary solutions, it isn't all that different in the larger picture. Style is important, in its own time. What open source forces us to do is examine our processes for proprietary projects and understand just why they develop the way they do. Youth motivates change while maturity forms stability. Browsers Netscape 6 Browser Launches. It's official: Netscape 6 is publicly available for download. Things have changed a little in the installation process. Now you download only an installer application which will grab the software components from Netscape automatically for you and install them locally. Once that finishes, you launch into registration - yes, registration. If you had a Netscape NetCenter account before you'll need your password to register; otherwise you can create a new one. After registering with NetCenter. you'll be up and running. Fairly painless, but that registration thing is annoying. And what's worse - it's not even required. You can use the "I forgot my password" link which takes you to a page with a Help button. Clicking on that pops open a browser window with a full menu bar that you can use to exit the registration process. When you do, a new browser opens and you're ready to start browsing. Alternatively, if you have no qualms about being 13 or younger, you can choose that option and Netscape will happily ignore your need to register. Oh, to be young again. Once you get past that first registration you're into the new and improved Netscape. It's flashy and gimmicky, and at least to this reviewer bounces up and down like a billiard ball on a granite floor. And be prepared for lots of debug messages on the console. Someone forgot to turn those off in the production distribution. While Netscape deserves kudos for continuing to provide and enhance for the Linux platform, this was not its best work. It shows terrific promise, but there are some stability issues to shake out first. If Netscape is anything like Red Hat, version 6.2 should be terrific. (See also: this review of Netscape 6 sent to us by Jay Ashworth). Netscape's open source browser ready at last (Upside). Here is Upside's take on the Netscape 6 release. "Netscape 6 is based on the Netscape Gecko browser engine, an ongoing technology that has evolved to support a number of Web standards, operating systems and platforms. Netscape built its newest browser based on open standards, a process that spanned more than two years and enlisted the help of thousands of open source geeks." Mozilla status 2000-11-08. Of course, Netscape isn't the only Mozilla-based browser. The November 8, 2000 Mozilla Status Report for the open source Mozilla project is out. Issues of interest include plans for post Netscape 6 integration of PSM into the Mozilla build system, a report that describes memory consumption over time and and a huge number of bug squashes. Databases Paul DuBois of MySQL Joins NuSphere. New Riders "MySQL" author Paul DuBois, who has also contributed heavily to the official MySQL documentation, has joined NuSphere. Open Source Databases: As The Tables Turn (PHPBuilder). Tim Perdue takes a real world look at the differences between MySQL and PostgreSQL in this article on PHPBuilder's site. With that in mind, I decided to test out a full port of SourceForge.net to Postgres. The site was written with a database abstraction layer and it turned out to be a cinch to get it up and running on Postgres, including a full import of all production data from MySQL. Not only did the site come up on the first attempt, but it ran fine! In fact, our very first benchmarks showed Postgres running 6x faster than MySQL on a very database-intensive page (the "My Personal Page" for logged-in users). PostgreSQL v7.0.3 and rumors of a book. The PostgreSQL Global Development Group announced this week the release of PostgreSQL v7.0.3. There have been several fixes in this release from v7.0.2, but, being a minor release, there have been no changes that will require a dump/restore. For more info and a list of changes, check out the latest news. It's also probably worth noting that Bruce Mimjian's Addison-Wesley book on PostgreSQL is supposed to hit the shelves any day. Currently it's free on the net at http://www.postgresql.org/docs/awbook.html Electronics Icarus Verilog snapshot. The gEDA project announced this week a new Icarus Verilog snapshot: 20001112. Games Nevrax Introduces NeL: An Open Source Platform for Massively Multiplayer Games. Looks like World Forge may have competition. Nevrax is a European company that, according to its .com web site, is aimed at producing massively multiplayer games under an open source (GPL) license. The first product is scheduled for shipment in 2002. In conjunction with that work, Nevrax has opened a .org web site for NeL, the Nevrax Library that contains a framework, a 3D engine, an AI engine and a Network engine aimed at running massively multi-user entertainment in a 3D environment over the Internet. NeL is also GPL. Embedded Systems The joys and perils of open-source life (LinuxDevices.com). LinuxDevices.com is running a guest column by Karim Yaghmour, on the development of the Linux Trace Toolkit. "As described above, LTT has progressed at a phenomenal rate, in a very short time -- AND with lots of outside help. It has been said that LTT has already surpassed many available tracing tools. This is confirmed by the large number of Fortune 500 companies that currently use LTT to develop Linux based applications." Free Embedded Telephony project started (LinuxDevices.com). uCommon is a new project designed to build a library of tools for use as network services for tiny footprint embedded Linux kernel based systems Qt/Embedded and Qt Palmtop Environment (LinuxDevices.com). Trolltech announced the released of their Qt/Embedded and Qt Palmtop windowing environments this week. Embedded Linux Newsletter, November 9th 2000. The latest edition of the Embedded Linux Newsletter is out with a story on Linux and PDAs and device profiles on Gateway's Connected Touch Pad and Sony's SNT-V304. Interoperability WINE Weekly News for November 13th, 2000. This week's WINE Weekly News has been published. Items of interest include an implementation for generation of import stubs, overlapped (asynchronous) I/O for serial port objects, and discussions of building WINE without X. Network Management OpenNMS update. Here is the OpenNMS update for November 15. Topics covered include the software stress test in progress, and the stress on the development staff as well. Office Applications LyX Development News. Here is the LyX Development News for November 15, with the latest from the LyX hacker community. AbiWord Weekly News. The AbiWord Weekly News is back with its first issue since early September. On the Desktop KDE, Gnome And The Media. LinuxToday Australia carried a story this week about the sensationalism often poured over KDE vs GNOME issues by the news media. Others have told me that we journalists view the world more in terms of black and white than the wider population. There is a reason for this. News writing is, in effect, the first draft of history. Or in more scientific terms, it is simply the first approximation to the truth. By its very nature it has to be simplified, we can't spend hours chasing down every loose fact because there are deadlines. And we can't lard our stories with qualifications to every statement because it makes them unreadable. This drive for speed and clarity leads towards a dualistic view. People Behind KDE: Sandy Meier. In another in its series of developer profiles, the People Behind KDE talks with Sandy Meier. Sandy is the maintainer of the KDevelop package, including the project Web site and mailing list. Kasbar update. Kasbar author Richard Moore has written up his plans for Kasbar, the KDE taskbar replacement, and posted them to KDE Dot News. Balsa 1.0.0 released. The 1.0 release of the GNOME Mail client, Balsa, which sports a Eudora-like interface, has finally arrived. New features include multiple address book support (both local vCard and remote LDAP books), CRAM and GSSAPI Kerberos authentication, spell checking, support for gnome-print and various other items. Gnumeric 0.58. has been released. Jody Goldberg sent us a brief release announcement. GTK+ News. GUI developers who grew up with Motif may be asking themselves what all the fuss is about GTK+. In this article from SunWorld, authors Cameron Laird and Kathryn Soraiz look at the positives and negatives of GTK+. "There's inertia, of course; other toolkits are as much as a decade older, and thus more trusted. But perhaps the most frequent complaint about GTK+ is its mediocre support of Win32. While GTK+ 2.0 includes a framework that addresses this problem, GTK+'s Windows support hasn't ripened like Qt's and Tk's. A couple of ports to Mac OS of GTK+ have also been started, but seem stalled in a far less usable state than the Win32 GTK+." In a related story, Havoc Pennington has posted to the rumors section of the Red Hat Advanced Development Labs site that GTK+ 2.0 is considered to be "just about feature complete". A few months of bug fixing is in order before it hits the streets. We can't wait for the new text widget... What up, gPhoto?. gPhoto is being evolved into its next incarnation - gPhoto2. Linux.com carried an article this week on what gPhoto is and will be. "With new cameras added constantly, this is arguably the fastest moving digital camera project in the world. Far outpacing and outperforming anything available under Microsoft's Windows or Apple's MacOS platforms, gPhoto2 promises to deliver compatibility with many cameras to developers, leaving them free to create any user interface they can dream of." Science FreeMed 0.2 released. LinuxMedNews reports this week that FreeMed 0.2.0, the GPL'd Electronic Medical Record and Practice Management system, has been released onto SourceForge. Web-site Development Midgard Weekly Summary. Here is the Midgard Weekly Summary for November 10 with the latest in development news from the Midgard project. Zope Weekly News, November 8th. The November 8th edition of the Zope Weekly News has been published. News includes the "Wiki for now" proposal, aimed at resolving some of the immediate shortcomings of the current Wiki product regarding its use for dev.zope.org, news on the the HiperDom project, and an update on documentation efforts. Section Editor: Michael J. Hammel	November 16, 2000 Application Links GIMP Mozilla Galeon High Availability ht://Dig mnoGoSearch MagicPoint Wine Worldforge Zope Open Source Code Collections Berlios Freshmeat OpenSourceDirectory Savannah Le Serveur Libre SourceForge Sweetcode

	Programming Languages Java Blackdown releases JMF 2.1.1-beta2 Performance Pack. The Blackdown Java Linux Team has announced the release of the Java Media Framework 2.1.1-beta2 Performance Pack for Linux. JMF is a streaming media package for Java applications and applets. Perl Beginning Perl Book Review. LinuxLookup posted a very brief review this week of Simon Cozens with Peter Wainwright's "Beginning Perl" book. This week on perl5-porters (08 Nov -- 14 Nov 2000). Perl5 Porters posted their latest newsletter. Some of the topics covered include "stat vs lstat," threads and POSIX, and a discussion on locales. use Perl; modules updates. use Perl; has quite a few modules updates this week, including Image Info and an IP telephone. PHP PHP Weekly Summary. The PHP Weekly Summary for November 13th has been published. Highlights include a new Qt XML extension and a discussion on the RFC for PHP's release cycle. Python This week's Python-URL. Here is Dr. Dobb's Python-URL for November 13 with the usual summary of events in the Python development community. Charming Python: Reloading on the fly. IBM developerWorks has another in the Charming Python series, this one covering dynamically reloading modules in long-running processes. Suppose you want to run a process on your local machine, but part of your program logic lives somewhere else. Specifically, let us assume that this program logic is updated from time to time, and when you run your process, you would like to use the most current program logic. There are a number of approaches to addressing the requirement just described; this article walks you through several of them. Tcl/tk This week's Tcl-URL. Here is Dr. Dobb's Tcl-URL for November 14 with a number of goodies from the Tcl development community. Software Development Tools GNU Autoconf text online. The new book from New Riders Publishing, GNU Autoconf, Automake, and Libtool, which was to be published in October, has also been placed online from Red Hat's site. At the time of this writing the link to the text of the book within the body of the page was incorrect, but the link in the upper right corner has the proper URL. Inprise takes its Linux app tool open source (ZDNet). Along with its release of JBuilder, Inprise (now Borland) is rumored (by ZDNet) to be releasing the code to Kylix to the GNOME foundation. "Inprise also is joining the foundation and will participate in the Bonobo out-of-process component specification, as well as add support for Bonobo to Kylix, which is in beta." UDI reference implementation for Linux. A UDI (Uniform Driver Interface) environment has been made available in binary format for Red Hat and Caldera Linux distributions from Software Technologies Group. Source releases are expected later. Section Editor: Michael J. Hammel	Language Links Caml Caml Hump Tiny COBOL Erlang g95 Fortran Gnu Compiler Collection (GCC) Gnu Compiler for the Java Language (GCJ) Guile Haskell IBM Java Zone Jython Free the X3J Thirteen (Lisp) Use Perl O'Reilly's perl.com Dr. Dobbs' Perl PHP PHP Weekly Summary Daily Python-URL Python.org Python.faqts Python Eggs Ruby Ruby Garden MIT Scheme Schemers Squeak Smalltalk Why Smalltalk Tcl Developer Xchange Tcl-tk.net O'Reilly's XML.com Regular Expressions

Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Back page See also: last week's Back page page.	Linux Links of the Week TheGeek.org is another amusing news site, apparently relatively new. Check them out now, before they get popular... The plug was apparently just pulled on the last Multics machine. Multics had a great influence over many of the systems that followed, including Linux. Have a look at this RISKS posting by Peter Neumann on the goals of the Multics project; more can then be found at the Multicians.org site. Section Editor: Jon Corbet	November 16, 2000

	This week in history Two years ago (November 19, 1998 LWN): Trolltech announced that the Qt library would be released under an open source license. That license, the QPL, was truly open source, but remained controversial anyway. The Qt licensing issue didn't really die down until the library was relicensed under the GPL this year. Bruce Perens warned about the danger of trojan horse software. Two years later, there have been very few trojan incidents, but the danger is probably more real than ever. Stable kernel 2.0.36 was released with the first known application of "holy penguin pee." According to Linus: This, btw, is not something I would suggest you do in your living room. Getting a penguin to pee on demand is _messy_. We're talking yellow spots on the walls, on the ceiling, yea verily even behind the fridge. However. I would also advice against doing this outside - it may be a lot easier to clean up, but you're likely to get reported and arrested for public lewdness. Never mind that you had a perfectly good explanation for it all. The Linux Journal Editor's Choice Awards went out...the product of the year was Netscape Communicator, the "most desired port" Quark Xpress, and the best new hardware was the Corel Netwinder. Some awards just don't stand the test of time... Slackware 3.6 was released. Both Red Hat and SuSE announced support programs for their distributions. Red Hat hired Matthew Szulik to be the company president. VA Research (now VA Linux Systems) received a venture investment from Sequoia Capital, and Netscape purchased "NewHoo," which has since become the Open Directory Project. FUD of the week: Linux may be a great way for computer-literate individuals to get under the hoods of their computers for little cost, but it's nothing more than a convenient form of protest and public relations for the major software vendors that plan to support it. If nothing else, the Linux community has an influence beyond its numbers, and getting on its good side might help sales elsewhere. As long as Linux remains a religion of freeware fanatics, Microsoft (and other NOS vendors) have nothing to worry about. -- Michael Surkan, ZDNet. One year ago (November 18, 1999 LWN): The first Linux Business Expo happened as part of Comdex in Las Vegas. The Linux Professional Institute completed its first certification exam, finally. SuSE 6.3 was announced - though it was not due to hit the net until December. Mozilla M11 was released. Rumors were circulating of a new company to be formed by GNOME hackers Miguel de Icaza and Nat Friedman. Red Hat's purchase of Cygnus Solutions was confirmed. VA Linux Systems decreed that its IPO would happen at $11-13 per share - rather short of the $30 that it eventually went out at (but fairly close to today's price). Scary thought of the week: I don't think people realize just how close we came to a Microsoft-dominated Web. If Microsoft, having trounced Netscape, hadn't been surprised by the unexpected strength of Apache, Perl, FreeBSD and Linux, I can easily imagine a squeeze play on Web protocols and standards, which would have allowed Microsoft to dictate terms to the Web developers who are currently inventing the next generation of computer applications. -- Tim O'Reilly in Salon. Advogato hit the net.

	Letters to the editor Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

Date: Fri, 10 Nov 2000 09:53:40 -0800 From: Jean Tourrilhes <jt@bougret.hpl.hp.com> To: lwn@lwn.net Subject: IrDA status in 2.4 Hi, I'm writting to Jonathan Corbet, about the blurb he wrote in this section of the LWN : http://lwn.net/2000/1109/kernel.php3 You assesment of the IrDA in kernel 2.4 situation is both premature and innacurate : 1) Don't take all Linus words for granted, patch size is not the only issue : http://www.uwsg.indiana.edu/hypermail/linux/kernel/0011.1/0023.html 2) This is not a "last minute query", there has been an ongoing process of trying to get IrDA in the kernel in the last 6 month (I personally sent mails/patches to Linus in August), it was just private. 3) Don't underestimate the difficulty of feeding patch to Linus when he give absolutely no feedback whatsoever and totally ignore what you are doing. Alan Cox is much easier to work with. 4) Don't over estimate the ability of Linus to understand and appreciate patches for a large body of code he is unfamiliar with and in a area where he doesn't have experience. 5) This kind of flame is unfortunately the only way to get things moving. I don't like it. That's it ! Jean

From: Zygo Blaxell <zblaxell@genki.hungrycats.org> Date: Tue, 14 Nov 2000 13:00:35 -0500 To: letters@lwn.net Subject: Re: Linux's security Kevin Breit <battery841@mypad.com> wrote: >I know that the Linus and Co. think it's nazi-admin, but enable wheel >group on Linux distributions by default. Funny, I've been called a Nazi administrator more than once, but I don't agree. :-) Wheel-group just trades setuid security holes for setgid security holes, without solving the real problems: buggy programs (setuid or not) with privileges, plaintext passwords, and unsecured communications channels. On the other hand, wheel-group introduces new administration procedures and interoperation difficulties. Better to remove the setuid bits entirely from /bin/login and /bin/su, and disable or completely remove from the system any software that allows login as root in ways not explicitly approved by the "wheel" people. The vast majority of users are much better off if they can only get root privileges by logging into the console (or via ssh, if remote root access is a requirement). >But Linux definatly doesn't touch OpenBSD's quality in regards to >security, and I feel it's arguable that it has some catchup to do with >FreeBSD. I've been following both the FreeBSD and Debian (GNU/)Linux security situation for some time now. My experience suggests that Debian and FreeBSD are fairly evenly matched (within a few weeks of each other) in terms of security issues. Both distributions consist of three categories of packages: essential software, optional but installed-by-default software, and optional but not-installed-by-default software. There is little security distinction between Debian and FreeBSD within each category: both sets of essential software tend to be very secure, while both sets of non-essential software tend to have multiple exploitable vulnerabilities exposed every week, and both sets of installed-by-default optional software fall somewhere in between. Every now and then, a vulnerability is found even in the essential software category, but when that happens both Debian and FreeBSD release upgrades within days (if not hours) of each other. Both Debian and FreeBSD feature some kind of mostly automatic upgrade mechanism for end users which can be used to install security patches in a painless and timely manner. Now that I've said all that: there is a gap between Debian and other Linux distributions, and it goes both ways. Some Linux distributions are as fanatical about security as the OpenBSD people (although they don't have OpenBSD's four year head start). On the other hand, I'm sure we all know of at least one Linux distribution where some trivial but essential task is by default performed with the "assistance" of millions of lines of unaudited GUI code cobbled together from two or three competing X11 toolkits, written by people who barely understand C, let alone concepts like system() exploits or /tmp races, all running under root privileges and 'xhost +'. Heck, even Debian has optional packages like that if you want to install them. ;-) Granting software the freedom to evolve guarantees only different results, not better ones. ;-)

Date: Thu, 09 Nov 2000 14:29:23 +0100 From: Simone Lazzaris <sw2@task84.it> To: letters@lwn.net Subject: Again about Microsoft Network compromise Hi all I just want to make some remarks about the recent network compromise at Microsoft and to reply to some letters read here on lwn about the "not so exceptional" security in linux-based systems. I think that, while it's true that almost all big distro ships with big security holes, the impact of this exploit is not just about the reliability of an OS, but falls into the realms of the security paradigm. I mean, we all know that every system can be breaked. It's just a matter of time. But hiding security holes, encrypting password with XOR, putting security bits in quirk places - in other words, security through obscurity - that Microsoft preaches cannot be hold if the source code can be exposed. And with this network compromise we all know that the source code can (and maybe was) be exposed. They don't have any more excuses. We cannot trust Microsoft on security subject. Full Stop. (Not that I ever trusted them. But this is another story). --- Simone Lazzaris simone@omni.it

Date: Thu, 09 Nov 2000 08:40:54 -0600 From: Michael Coyne <coynem@airwire.com> To: lwn@lwn.net Subject: GNOME Office: StarOffice vs. Abiword Having used both Staroffice's word processor and Abiword extensively since their early days, I would not really be in favour of Staroffice becoming the de facto word processing standard under Gnome--it's large, clunky and slow. Abiword is small, lightweight, and does what I need--I also find it far easier to use. I think it would be a real shame if Abiword died out because of Staroffice--but I don't think it will. Let Sun concentrate on Staroffice. I think that we in the free software community should concentrate on things like Abiword and gnumeric. Do we really want to be dependent on Sun for our office software? Sure, it's open source--but the code remains Sun's property, even if we write it. Sun is a big proponent of Linux right now, but I wouldn't be surprised to see them drop it like a hot potato if the marketplace changes. Regards, Michael -- Michael Coyne coynem@airwire.com

To: letters@lwn.net Subject: AbiWord vs. OpenOffice: Who's Gnomey? From: Alan Shutko <ats@acm.org> Date: 09 Nov 2000 11:18:03 -0500 In reference to AbiWord does not really see itself as a GNOME project - they want to produce "the world's word processor." Thus, AbiWord runs on platforms not supported by GNOME - things like BeOS and, yes, Windows. There is little or no desire on their part to narrow their focus at this point. At this point, both the AbiWord and OpenOffice developers have their eyes set on producing a cross-platform application. The OpenOffice mailing list archives hold a number of examples where something was done to ensure cross-platform builds or functionality. IMO, it's too early right now to try to predict how either application will fit into "GNOME Office". Many of the technologies being developed (bonobo, for instance) are under rapid development, and it will be a while before the best ways to use them are understood. Eventually we (as a community) will be able to decide the best way to proceed. (Me, I'm patient. I remember when nobody thought a "word processor" project could succeed, because so many had started and died. The amount of progress made in the last couple years is amazing.) -- Alan Shutko <ats@acm.org> - In a variety of flavors! 1 days, 23 hours, 26 minutes, 37 seconds till we run away. Never trust an operating system.

From: "Mason, Gerard" <gm95015@GlaxoWellcome.co.uk> To: "'letters@lwn.net'" <letters@lwn.net> Subject: Eazel Online Storage Date: Fri, 10 Nov 2000 17:49:27 -0000 Since Nautilus is GPL'd, does anyone know if it is easy, or even possible, to replace Eazel's Online Storage facility (and perhaps, though it is not so important, the Software Catalog facility), with A.N. Other ISP's? Ideally the user would simply have to change a line in a configuration file. It wouldn't matter too much if ISPs had to do a fair bit of implementation to support this, since they would only have to do it once. Is the server-side source code (assuming there is any) also GPL'd? Gerard Mason.

News and Editorials

Security Reports

Updates

Resources

Events

News and Editorials

General-Purpose Distributions

Embedded Distributions

Minor Distribution updates

News and Editorials

Browsers

Databases

Electronics

Games

Embedded Systems

Interoperability

Network Management

Office Applications

On the Desktop

Science

Web-site Development

Java

Perl

PHP

Python

Tcl/tk

Software Development Tools

Press Releases:

Commercial Products for Linux

Products and Services Using Linux

Products with Linux Versions

Java Products

Books and Training

Partnerships

Investments and Acquisitions

Financial Results

Personnel

Other

Recommended Reading

Linux 2.4 kernel

Embedded Linux

Linux in Use

Linux Advocacy

Open Source Applications

Eazel/Nautilus

Business

Other

Resources

Linux/Free Software Jobs

Events

User Group News