Other LWN stuff:
 Daily Updates
 Calendar
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Archives/search
 Use LWN headlines
 Advertise here
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- Gaël Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials

Also along the same lines, if you haven't yet checked out the year 2000 LWN Timeline, now is your chance. Note that this is a work in progress; comments and feedback from our readers is essential in order to complete the timeline. Reader contributions are kept in a log, so credit will be given where due. A final version of the Timeline will be released in early January.

What were the major trends for Linux and Open Source/Free Software in 2000? Using a broad rule of thumb, we searched for repeating themes that came up virtually every month and found five of them:

• Commercial companies releasing software as Open Source/Free Software. Examples can be found each and every month. Some of the most notable include Sun's release of Star Office under the GPL, IBM's release of AFS, SashXB and and the Jikes Java compiler, TRG's release of the NWFS 2.2 NetWare file system, Inprise's release of the InterBase database, and SGI's release of OpenGL, along with C, C+ and Fortran compilers for the IA-64 architecture, to provide only a few examples.

  A corollary of this plan was the tendency of Open Source development projects to become tightly tied to a single commercial entity. Following older examples, such as the tie between sendmail and Sendmail, Inc., Zope and Digital Creations, this year PostgreSQL gained Great Bridges as a sponsor. The Python team moved en masse, first to BeOpen, and later to Digital Creations. Perhaps most strikingly, the release of MySQL under the GPL license (its former license was not completely Free) was pushed primarily by commercial considerations. Companies were lining up to become strategic partners to the MySQL development, but wanted to see the GPL used to protect their interests.

• Increased international presence. Not only is business booming overseas, which is easily visible both commercially and in the vibrancy of international contributions to development projects, but governments outside of the US have been notably interested in, and voicing support for, the Open Source content. Some striking examples include the Chinese government's interest in and support of Linux (January 2000), the integration of Open Source into plans to improve the European software industry (February 2000), a proposed French law requiring open standards and the availability of source code for software used by the government (April 2000), and the strong stance in support of Open Source by Siegmar Mosdorf, German Secretary of State in the Federal Ministry for Economy and Technology (July 2000).

  Of course, to provide a counter-example of the potential dangers when governments get involved, Poland taxed a commercial company for its use of Open Source software, contending that it must be accounted for as a donation. That is one trend that we hope not to see repeated!

• Patents. We've hammered on this issue so much this year that we'll tread lightly for now. However, the RTLinux patent, the Amazon patent on its affiliate program, Microsoft's successful enforcement of its patent on the Active Stream file format against the VirtualDub (GPL'd) project and the latest, British Telecom's suit against Prodigy for violation of, essentially, a patent on the concept of a "link", stand out as infamous examples.

  On the up-side, the European Patent Convention voted in November against legitimizing software patents, at least for now.

• Mergers and Acquisitions. Never a month went by without the announcement of new mergers and acquisitions. Lineo took the lead with multiple acquisitions, including Zentropix, Use Inc., Moreton Bay, INUP, Fireplug and RT-Control. Other notable mergers/acquisition include VA Linux and Andover.net (completed in 2000), Walnut Creek and BSDi, and LinuxMall.com's trips to the altar, first with Frank Kaspar and Associates and later EBIZ. Red Hat also went on a buying spree, picking up Hell's Kitchens, BlueCurve, C2Net and, most notably, Cygnus (whereby they acquired their current CTO, Michael Tiemann). Of course, a couple of other hard-to-forget joinings: first, SCO and Caldera and second, Sun and Cobalt. Not a comprehensive list, by any means.

  That's just the commercial world, of course. Mergers happen outside the business world as well, such as the merger of the Linux Standard Base (LSB) and Linux Internationalization Initiative (LI18NUX) (May 2000), which resulted in the formation of a new entity, the Free Standards Group.

• Planned or filed IPOs that didn't happen. If you look back at our predictions for the year 2000, this is one area where our attempts (and most everyone else's) at predicting the future failed. At the beginning of 2000, we looked forward to a boatload of Linux-related IPOs. Instead, only a few successful IPOs actually happened over the past year (Caldera, Lineo). The trend we found was actually more a story of planned or announced IPOs that never happened. Linuxcare's IPO was announced, then cancelled. LinuxFund announced an IPO, but never filed. Rackspace.com actually filed its IPO, but has been quiet ever since. An imaginary visit to the board rooms of many private companies would find many more IPO plans now littering the wastebaskets.

  Corresponding to the failed IPOs was the first layoffs in Linux-related companies. In May, 2000, we saw both 35% of Linuxcare's staff laid off and, in addition, almost the entire staff of Wide Open News, Red Hat's attempt at a Linux news service. Wide Open still exists, of course, but no longer produces original content.

Note that the change mentioned above is political in nature and could be just as easily reversed. On the legal front, a good step forward was made in April, when the United States Court of Appeals for the Sixth Circuit published its decision regarding Peter Junger's challenge to the Export Administration Regulations which prevented him from posting information on the Internet that contained cryptographic example code. Most critical in the ruling: "Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment." If this verdict holds, it should provide a more solid ground for the safety of cryptographic development in the US, as well as a wonderful precedent for future software- and freedom-related lawsuits.

VA Linux's Sourceforge must stand out as another notable success. Announced in January, Sourceforge has grown to host over 12,000 software development projects, all of them Free/Open Source. That is estimated to be over 75% of the "free software universe". Although we wish them the best, we'll reiterate our stance in favor of competition and hope to see a staunch Free Software advocate or two come out with a comparable system in the coming year.

Some major development milestones we'd like to celebrate: XFree86 4.0, KDE 2.0, Perl 5.6.0, PHP 4.0, PostgreSQL 7.0, Gnucash 1.4, Python 1.6 and 2.0, and Netscape 6 (the first based on Mozilla). Some exciting products not yet to a stable release included Helix Code's Evolution and Eazel's Nautilus, both exciting projects for the future of the desktop. Don't shoot us for leaving out the other 99% -- this edition would never have made it out the door.

Now for the hard part. What will the next year bring? Well, we'll refrain from any attempt to predict the overall economic health of the US or any other country in the world. Nonetheless, we will predict that Free Software and the value of the concepts behind it will weather both good news and bad. In the midst of a massive loss of value for Linux stocks on the NASDAQ exchange, IBM announced plans to pour a billion US dollars into Linux next year and more billions of dollars over the years to come. Dell has announced major commitments to the Linux platform. All of the major software companies out there are focused on Linux and Free Software, no longer as a get-rich trick, but as an essential part of their business plan.

Do heavy investments from the big companies presage the end or failure of small Linux-based companies? Highly unlikely. Just as the success of Microsoft spawned many small companies looking to make money off of integration, add-ons, support, etc., the heavy use of Linux and Open Source at IBM, HP, Compaq, Dell and, dare we say, Sun, will produce a fertile field for small companies. That arena will be particularly fertile because Open Source protects the rights and opportunities of all comers, providing natural obstacles to monopolies. Correspondingly though, the likelihood of one of those small companies growing large enough to push the entrenched beasts out of the field is much less likely.

What else, then, will next year bring? Continued progress on the desktop. We're not ready to plan for a victory celebration in 2001, though. A lot of work remains to be done to provide all the tools that desktop customers need and want, particularly tools that meet our standards: full-featured, high-performance and robust. We must not only match our competitors but exceed them.

Continued growth within corporate business plans. When times are tight and people are examining the bottom line carefully, the long-term advantage of using Free Software will shine. More and more companies will also see the legal advantage of Open Source. It will help protect them from lawsuits based on the number of copies of a piece of software they may be using. It will protect them from increasing software costs. It will provide a safe environment for collaboration and cooperation between companies, for strategic partnerships and more. We'll take another step down the road towards becoming a ubiquitous part of "how things are done".

More mergers and acquisitions. The reality is that many companies are not yet making a profit. The new business climate demands that they do so, or at least clearly chart how quickly they are going to get there. Companies that cannot do one or the other will be looking either at failure or a sale. Given those options, sales will be much more popular. Of course, the prices we'll be seeing won't match the types of sales and acquisitions we saw during the IPO boom; bargain-basement prices are much more likely, particularly for companies that are not yet in the black.

A lot of fun. It hasn't stopped being fun yet. That's an important part of this community. So this isn't a prediction so much as a wish; let the fun continue forever (even if we can't predict its form!).

Inside this week's Linux Weekly News:

• Security: So what was different in 2000? NSA Security-Enhanced Linux, 9 new vulnerability reports, 10 distribution updates.
• Kernel: Development versions of gcc encouraged for debugging, dirty buffers get cleaned up, wait queues and semaphores, oh my!
• Distributions: Linux Mandrake donates to the Free Software Foundation, Lunar Penguin bites the dust, The First Annual PPC/Linux Community Awards.
• Development: A Mozilla Project Roadmap, KDE & Gnome interoperability, XHTML
• Commerce: Red Hat unveils SID, Jabber integrated into PocketLinux, Loki's Myth II reviewed.
• Back page: Linux links, this week in Linux history, and letters to the editor

This Week's LWN was brought to you by:

• Jonathan Corbet, Executive Editor
• Elizabeth O. Coolbaugh, Managing Editor

See also: last week's Security page.

Security

News and Editorials

So what was different in 2000?. The end of the year has come, and with it, an opportunity to look back on the year from a security perspective. After examining many potential topics and discarding them, the question was asked, what has changed the most since 1999? From the perspective of writing this column, the sheer volume of information that is being reported stands out as the largest change. It is amazing to look back on some of the LWN Security Summaries from 1999 and find some that display in a single page view or contain no more than six paragraphs of information.

It seemed worthwhile to see if we couldn't produce some rough numbers to illustrate this change. To do so, we looked at two pieces of information: the number of open source software vulnerability reports covered and the size of the LWN Security Summary.

Starting with the first item, we quickly scanned through old issues and estimated the number of new vulnerabilities we reported each month for both 1999 and 2000. Lacking a proper database, we make no claims for absolute accuracy. We excluded vulnerabilities in commercial software and web scripts, since our coverage of those issues was not consistent between 1999 and 2000. Given those parameters, we found that the average number of vulnerabilities reported per month in 1999 was 13.67, while the equivalent number in 2000 was 26.41, almost exactly double.

For the second item, we found the average size of a security summary in 1999 to be around 6.2KB, while in 2000, the average was 16.1KB, an even larger growth. Of course, although sizes are easy to calculate accurately, they are less reliable as an indication of increased activity; maybe we are just getting more loquacious.

Nonetheless, our rough numbers strongly back up the assertion that security activity has more than doubled over the past year. Why? Well, like most statistics, you can use them to bolster just about any theory you might have, but our personal guess is that the increase is a simple demonstration of the result of more eyes on the code. Linux and free software is gaining in popularity, more and more people are using and scrutinizing the software, therefore more problems are being found and reported.

However, it does give us a kind of scary feeling about 2001 ...

NSA security-enhanced Linux available. The U.S. National Security Agency has made its security-enhanced version of Linux available for download. The site describes what has been done, though in fairly abstract terms. It's available under the GPL, of course. (See also: Ted Ts'o's comments on Slashdot on this release).

Stephen Smalley also posted an excellent short summary of the features of the Flask architecture, used by Security-Enhanced Linux, and a comparison with RSBAC (Rule Set Based Access Control) for Linux, another Open Source security extension. "RSBAC appears to have similar goals to the Security-Enhanced Linux. Like the Security-Enhanced Linux, it separates policy from enforcement and supports a variety of security policies. RSBAC uses a different architecture (the Generalized Framework for Access Control or GFAC) than the Security-Enhanced Linux, although the Flask paper notes that at the highest level of abstraction, the the Flask architecture is consistent with the GFAC. However, the GFAC does not seem to fully address the issue of policy changes and revocation, as discussed in the Flask paper."

Vendor security information update. Spurred by this excellent post by Matt Power (Bindview) to BugTraq this past week, the security links listed in our right-hand column have had a major overhaul. BSD information has been added, now that our BSD coverage is officially included, and a new section with pointers to web pages that contain subscription information for security and security announcement lists for various distributions is now available as well.

The security of RSA's SecurID token emulator is challenged. SecurID from RSA is a proprietary two-factor Authentication process, utilizing a combination of a password and a security card, on which RSA has based products for remote access and e-business. A SecurID module is available for Apache, for example.

This week, I.C. Wiener published a SecurID token emulator, prompting a discussion on BugTraq of the implications. Adam Shostack commented that such code has been in the wild since 1996 and that its current publication will have the value of allowing a real test of the assertion that the numbers on the SecurID card do not reveal sufficient information to determine the card's secret.

Group crafts rating system for server security (CNet). A new, 71-member organization, the Center for Internet Security, plans to build benchmarks and rating methodologies in order to provide "a "security ruler" defining a minimum level of security and then incrementally greater levels of security from which an organization can choose the desired level of security for its systems". Their plans are covered in this CNet article. Note that the benchmarks are to be released to the public domain.

It will be interesting to see how this venture does. The center itself is not-for-profit, so we presumably shouldn't see expensive fees for getting products or systems "rated" by the center. On the other hand, members of the center will be the ones reviewing and approving new benchmarks and ratings as they come out, so it may well be difficult to both move forward in a timely manner and prevent bias toward member products.

Security Reports

dialog lockfile symlink vulnerability. Matt Kraai reported a symlink problem with the manner in which dialog handles lockfiles. The Debian advisory below is the first and only reference to the problem we have found so far.

This week's updates:

• Debian

More stunnel vulnerabilities. More stunnel vulnerabilities have been reported, in addition to the ones discussed last week. One such vulnerability involves the logging of the stunnel process id to a non-existent directory. More stunnel updates are being released to address these additional problems.

One additional stunnel vulnerability that apparently does not impact Linux or BSD systems is the reported weak encyrption vulnerability.

This week's updates:

• Red Hat
• Debian

halflifeserver. Multiple buffer overflows and format string vulnerabilities have been reported in the halflifeserver. This week's updates:

• FreeBSD

Kerberized telnetd. Telnetd's allowance of arbitrary environment variables and a buffer overflow in the kerberos v4 library combined to allow a local root exploit on NetBSD. Note that this problem has not been confirmed on other BSD or Linux systems.

This week's updates:

• NetBSD

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

• Technote's print.cgi script was reported to contain a file disclosure vulnerability.

• bsguest.cg and bslist.cgi from Brian Stanbeck were reported to contain security problems related to the failure to properly filter input data. Both scripts can be manipulated to execute arbitrary commands on the server. Note that Brian appears to have released updated versions of these scripts (and a couple of others) on December 23rd, with a note that some security problems had been fixed.

Commercial products. The following commercial products were reported to contain vulnerabilities:

• BEA WebLogic Server fails to properly check input data, allowing the string ".." (double dot) to be entered. This can be exploited either to execute arbitrary commands or to crash the server. WebLogic Server 5.1 SP 7 contains a fix for this problem. Check BugTraq ID 2138 for more details.

• Oracle WebDb engine, part of the Oracle Internet Application Server, is reported to contain two vulnerabilities, one allowing an attacker to inject PL/SQL queries and the other allowing unauthorized proxy reconfiguration attempts. Here is Oracle's response, including workarounds and a promise that release 3.0.8 of Portal will address the problems.

• Two additional problems in Oracle 8.1.7 were reported this past week by Juan Manuel Pascual Escriba, including a local root exploit and a file overwrite exploit.

Updates

GnuPG web of trust circumvention. A couple of new GnuPG security problems were covered in last week's LWN Security Summary. A security patch against gnupg-1.0.4 was also issued.

Note that the discussion last week mentioned two vulnerabilities but only discussed one of them, a problem with trust circumvention. Also fixed with the security patch was a problem with detached signatures, which could cause false-positive verfications.

This week's updates:

• Linux-Mandrake
• Debian

• Red Hat (December 21st)
• Trustix (December 21st)

ProFTPD memory leak. Last week, we mentioned a potential memory lead in ProFTPD. After further discussion on the list, the official position is that the bug is not reproduceable.

BSD ftpd single byte buffer overflow. A one-byte buffer overflow was reported last week in the ftpd server provided with BSD.

This week's updates:

• NetBSD

• Trustix, not vulnerable, but new BSD ftpd packages provided anyway (December 21st)
• OpenBSD (December 21st)
• Trustix, BSD ftpd packages updated due to a typo in the original patch (December 21st)

DNS-based IRC server denial-of-service vulnerabilities. Check the December 14th LWN Security Summary for the original report of denial-of-service vulnerabilities and more in multiple IRC clients, including BitchX 1.0c17-2 and earlier.

This week's updates:

• FreeBSD

• Caldera (December 14th)
• Red Hat Powertools (December 14th)
• Linux-Mandrake (December 21st)
• Conectiva (December 21st)

ethereal buffer overflow. Check the November 23rd LWN Security Summary for the initial report of this problem. An update to ethereal 0.8.14 should fix this problem.

This week's updates:

• FreeBSD

• Debian (November 23rd)
• Conectiva (November 30th)
• Red Hat (November 30th)

Resources

ICMP Usage In Scanning. Ofir Arkin has released version 2.5 of his ICMP Usage In Scanning research paper.

Events

RAID 2001 - Call for Papers. The Call for Papers for the Fourth International Symposium on the Recent Advances in Intrusion Detection (RAID 2001) has been released. The event will be held October 10-12, 2001, in Davis, CA, USA.

Upcoming security events.

Date	Event	Location
December 27-29, 2000.	Chaos Communication Congress	Berlin, Germany.
February 7-8, 2001.	Network and Distributed System Security Symposium	San Diego, CA, USA.
February 13-15, 2001.	PKC 2001	Cheju Island, Korea.
February 19-22, 2001.	Financial Cryptography 2001	Grand Cayman, BWI.
February 24-March 1, 2001.	InfoSec World 2001	Orlando, FL, USA.

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

LWN Resources


Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

See also: last week's Kernel page.

Kernel development

For those of you following Alan's patches to the prepatch system, his latest patch is 2.4.0test13pre4ac2. He's currently working on merging the 2.2.18 fixes into the 2.4.0 tree.

The current stable kernel release is still 2.2.18. One new prepatch for 2.2.19 has been released this week, 2.2.19pre3. A run_task_queue fix, resolving a lockup problem some people have been seeing, should be welcome.

Other, minor discussions. This was a relatively light week for the linux-kernel mailing list, with about half of the normal volume of posts. Here are a couple of discussion items that came up this week:

• In spite of Linus' comment, "if you think you can skip christmas with a 4-year-old in the house, think AGAIN", a bug report from Marco d'Itri regarding an innd mmap bug, plus work by Marco, Linus and others on Christmas Eve and Christmas day resulting in the finding of a slight faux-pas. It seems the only routines in the current 2.4 tree that actually write out dirty buffers are ones called under heavy memory pressure. Under certain conditions, a machine under no such pressure could be cleanly shut down, yet fail to update modified files. Expect to see a fix for this coming out soon, now that Christmas is officially over.

• Linus encourages the use of gcc 2.96 and gcc 2.97 for testing purposes. It seems that Linus' complaints about the inclusion of a relatively untested version of gcc with Red Hat 7 have caused many people to assume that the use of such compilers was globally "verboten". Linus pointed out that problems with the compiler, or with the kernel as demonstrated by the new compiler, can't be found if no one uses it. "Now, now, I'd love to see reports of expecially the new updated compiler. ... I just want people to mention the fact, so that I can correlate any bug-reports with a compiler version. Just in case. It can be important (and not just because of compiler bugs, but due to real kernel bugs that just were hidden by pure luck with other compilers)".

  So go dig up the new compilers, folks. If they can help turn up kernel bugs, then best use them before the first stable version of 2.4 is announced.

• Wait queues and wake-ups in 2.2.19pre2 were the topic of another discussion thread. Hinging upon the discussion was whether or not the 2.4 wait queue API would be back-ported, or whether the 2.2 series would continue to be unique. Underlying this was a more primary issue, that the code introducing the 2.4 behavior into the 2.2 tree was "subtly broken". Further investigation turned up some race conditions that affected both the 2.2 and 2.4 wait queue code. Fixes for those are in the works; here is Andrew Morton's draft patch for the 2.4 series.

• Daniel Phillips posted a Request for Comment on a patch that uses semaphores for daemon wakeup instead of relying on the wait queues. The primary result is to produce much cleaner code; neither performance improvements nor penalties were expected.

• Other patches and updates released this week include:

  • Jan Kara has ported his quota patch to -test12 and provided some notes on the patch, which includes both fixes and some additional functionality.

  • Rasmus Anderson posted an updated version of his rcpci45.c patch, a general cleanup that includes an update to the new PCI API.

  • Ingo Oeser has released an updated version of his OOM-Killer-API patch. This patch allows people to add the OOM handler of their choice to the 2.4 tree (The choice of an OOM handler for the 2.4 tree has not yet been determined, just discussed).

  Section Editor: Jonathan Corbet

For other kernel news, see:

• Kernel traffic
• Kernel Newsflash
• Kernel Trap
• 2.5 Status

Other resources:

• L-K mailing list FAQ
• Linux-MM
• Linux Scalability Effort
• Kernel Newbies
• Linux Device Drivers

See also: last week's Distributions page.

Lists of Distributions
distrowatch
ibiblio
Kernelnotes
Linux.com
LinuxLinks
Woven Goods

Embedded Distributions:
3ilinux
Bifrost

BluePoint Embedded
Compact Linux
Coollinux
DSPLinux
ELinOS
ELKS
Embedded Debian
Embedix
Etlinux
FlightLinux
Hard Hat Linux
Jailbait
Linux/Coldfire
LEM
Midori
NeoLinux
OnCore Systems
PeeWeeLinux
RedBlue Linux
RedIce-Linux
Royal Linux
RTLinux
Tynux
uClinux
White Dwarf Linux

Handhelds/PDAs
Agenda-VR
Familiar (iPAQ)
Intimate (iPAQ)
Linux DA
PocketLinux
PsiLinux

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Special Purpose/Mini
2-Disk Xwindow System
Mindi Linux
SmoothWall

Floppy-based
Brutalware
BYLD
Coyote Linux
DLX
Fd Linux
Fli4l (Floppy ISDN/DSL)
floppyfw
Floppix
FREESCO
Linux in a Pillbox (LIAP)
Linux Router Project
LOAF
muLinux
Nuclinux
Proxyfloppy
ShareTheNet
Small Linux
Tomsrtbt
Viralinux_II

CD-based
BasicLinux
BBLCD Toolkit
CDLinux
Crash Recovery Kit
DemoLinux
Devil-Linux
Finnix
Gibraltar
innominate Bootable Business Card
Linuxcare Bootable Business Card
LNX-BBC
MkCDrec
RunOnCD
Sentry Firewall
SuperRescue
Timo's Rescue CD
Ututo
Virtual Linux

Zip disk-based
NBROK
ZipSlack

Small Disk
hal91
MicroLinux
--> Peanut Linux
PKLinux
Relax Linux
TA-Linux
Tomukas
ttylinux
VectorLinux

Wireless
Bambi Linux
Flying Linux

Hardware-specific
(ARM)
ARM Linux
(Beowulf)
Scyld Beowulf
(IBM)
Think Blue Linux
(Oracle's NIC)
NIC Linux
(PA-RISC)
PA-RISC Linux
(Playstation)
Runix
(PowerPC)
Black Lab Linux
LinuxPPC
MkLinux
Yellow Dog
(Sparc)
Splack
UltraLinux
(Older Intel)
ClarkConnect
Monkey Linux
TINY

DOS/Windows install
Armed Linux
DragonLinux
Phat Linux

Diskless Terminal
GNU/Linux TerminalServer for Schools
K12LTSP
LTSP
Pygmy
Xdenu

Distributions

News and Editorials

Linux Mandrake donates to the Free Software Foundation. MandrakeSoft announced a donation of 2500 Euro to the Free Software Foundation Europe, the acknowledged sister organization of the Free Software Foundation in the United States. The Free Software Foundation Europe is currently in creation and it is planned to take up work in Germany, France, Sweden and Italy within the first quarter of 2001.

Lunar Penguin bites the dust. The Lunar Penguin distribution has been removed from the LWN Distributions list upon confirmation from project founder Chuck Smead that the project is dead. "I may resurrect it later but it's gone for now... :-(". This distribution was first discussed in the January 13th, 2000 Distributions Summary and was aimed at ISPs and e-business customers. (Thanks to Joseph Klemmer).

The First Annual PPC/Linux Community Awards. PenguinPPC.org presents a roast/toast for the year 2000. There are mock awards followed by a serious recognition of those who have worked hard on the project.

Distribution Reviews

Review: Best Linux 2000 R3 (Duke of URL). The latest distributions review from the Duke of URL covers Best Linux 2000 R3. "The install routine is arguably one of the better ones out there, rivaled by Mandrake and Caldera. This is an installation routine a neophyte could use. It is much closer to what the new user needs - an install program that holds your hand and gets you into the system as soon as possible."

General-Purpose Distributions

Redmond Linux beta 2 released. Redmond Linux beta 2 has been announced. Redmond Linux is a Caldera-based distribution with a target audience for non-technical desktop customers. See the August 3rd, 2000 LWN Distributions Summary for a link to an interview with Redmond project organizer Joseph Cheek. Major differences in beta 2 include glibc2.2, 2.4.0-test10 kernel and post-2.0.1 kde.

Slackware SPARC Development Tree Now Available. The "-current" tree for the Slackware SPARC port is now available on ftp.slackware.com in /pub/slackware/sparc.

Debian needs developers. Debian sent out two reports on December 22, 2000. The first report lists the packages that are looking for a maintainer. There are 71 packages up for adoption. The second report is a bug stamp list. A total of 485 release-critical bugs need to be stamped out.

Red Hat Bug Fix Advisories. The MySQL packages shipped in Red Hat Linux 7 as well as the updates had bugs which caused the DB engine to return bad results or crash. There is a new R-base package available. All R-base packages, including errata, released for Red Hat Powertools 7 experience problems with gcc optimizations. A new version of Update Agent is available which has more features and fixes many bugs present in the existing Agent. Additionally, the "new" Red Hat Network-aware Update Agent that first shipped with Red Hat Linux 7.0 is now available for Red Hat Linux 6.2.

Section Editor: Rebecca Sobol

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

Leading
Caldera OpenLinux
Debian GNU/Linux
Linux-Mandrake
Red Hat
Slackware
SuSE
TurboLinux

Also well-known
ASPLinux
Best Linux
Conectiva Linux
e-smith

Progeny
Rock Linux

Non-technical desktop
easyLinux
Icepack Linux
Independence
LibraNet
Redmond Linux
WinSlack

Education
Boston University
kmLinux
LinuxFromScratch
OpenClassroom
Red Escolar

General Purpose
Alzza Linux
aXon Linux
Bad Penguin Linux
BearOps
Black Cat Linux
BluePoint Linux
BYO Linux
CAEN Linux
Cafe Linux
ChainSaw Linux
Circle MUDLinux
cLIeNUX
Complete Linux
Console Linux
Corel Linux
CRUX
Darkstar Linux
DLite
easyLinux
Elfstone Linux
ESware Linux
Eurielec Linux
eXecutive Linux
Fried Chicken
FTOSX
FullPliant
Gentoo
Go!Linux
HA Linux
Halloween Linux
HispaFuentes
IceLinux
Ivrix
ix86 Linux
J-LINUX
JBLinux
Jurix
KRUD
KSI-Linux
Lanthan Linux
Laonux
LASER5
Leetnux
Linpus Linux
Linux Cyrillic Edition
Linux MLD
LinuxOne OS
LinuxPPP
Linux Pro Plus
Linux-SIS
LNX System
LoopLinux
LSD
Lute Linux
MageNet
Mastodon
MaxOS
minilinux
MSC.Linux

NoMad Linux
Omoikane GNU/Linux
PingOO Linux
Plamo Linux
PLD
Project Ballantain
PROSA
Rabid Squirrel
Repairlix
Root Linux
Scrudgeware
Serial Terminal
Sorcerer
spyLinux
Stampede
Stataboware
TechLinux
TimeSys Linux/RT
Tom Linux
Trinux
Turkuaz
Ute-Linux
VA-enhanced Red Hat
Vine Linux
Virtual Linux
WholeLinux
WinLinux 2000
XTeamLinux
ZipSpeak

Country-specific
Argentina
GNU/Linux Ututo
Britain
Definite Linux
Eridani
China
COSIX
Red Flag
France
Linux/MNIS
Italy
LinuxEspresso
Madeinlinux
Vedova
Spain
Linux Esware
Thailand
Kaiwal Linux
Thai Linux Extension

Related Projects
Chinese Linux Extension

Historical (Non-active)
Dualix
Gentus
Giotto
MCC Interim Linux
OS2000
Storm Linux

See also: last week's Development page.

Development projects

Browsers

New Mozilla roadmap posted (Mozilla.org). A new Mozilla Roadmap has been posted by Brendan Eich on Mozilla.org. This document gives a good idea of where the Mozilla project is headed in 2001.

Embedded Systems

Embedded Linux Newsletter for December 21, 2000. The weekly Embedded Linux Newsletter from LinuxDevices.com has been published. Stories covered this past week included the fundamentals of real-time linux software design, an update on Indrema's linux-based set-top game console, and the launch of several embedded Linux training programs.

Hacking the iPAQ with Linux, for fun and profit (LinuxDevices). This article is the second in a LinuxDevices.com series by Jerry Epplin that explores Linux on PDAs and handheld devices. This installment looks at the contribution made by handhelds.org. "Before you attempt to use any of the add-on development toolkits, I recommend that you first install the handhelds.org environment, and become familiar with its resources. That's because the add-ons rely heavily on the handhelds.org environment as a base for many of their services. "

Office Applications

AbiWord 0.7.12 released. AbiWord 0.7.12 has been released. From the announcement: "This release represents a huge step forward for the AbiWord team. The new features, Gnome-integration, and bugfixes are too numerous to list here. If you've held off on using AbiWord because you felt that it was 'too unstable' or not well integrated with Gnome, this release might be right for you."

Bluefish 0.6 released. Version 0.6 of the Bluefish html editor is now available. This version has lots of bug fixes and new features.

Gnumeric 0.61 released. Gnumeric 0.61, aka the "your mother was a hamster" release, is now available. This version is released as a high priority upgrade with fixes for some problems with Cell Comments and Sheet Objects.

On the Desktop

People of KDE: Stefan Taferner. Stefan Taferner, co-author of KMail and a main contributor to central technologies in the KDE project, was the latest contributor profiled in the People Behind KDE series. "In the last edition for the Year 2000 of the People Behind KDE series, Tink introduces us to Stefan Taferner, co-author of KMail and a main contributor to central technologies in the KDE project. The new, festive appearance of Tink's site greets us with the photo of a happy Konqi".

Embedding external parts into KDE. The KPart component model is extended to allow embedding of any process within a KDE window, including GTK+ based applications like Mozilla, in this white paper.

KDE and GNOME Interoperability Advances (KDE dot News). KDE dot News discusses the release of the QGtkWidget and QGtkApplications classes, which facilitate the interoperability of KDE and Gnome applications. "QGtkWidget and QGtkApplications are classes for combining Qt and Gtk widgets in a single application. While this sort of thing doesn't make much sense under normal circumstances, it can be used to help KDE and GNOME applications interact better (think of adding GNOME control-center plugins to KControl and vice versa)."

Wei Zhong Oriental Language Environment. WZOLE, the Wei Zhong Oriental Language Environment, is available free of charge for non-commercial use. This is a package that renders Chinese, Japanese, and Korean text on a VGA screen (not running the X window system). WZOLE supports large character sets.

Printing Systems

LPR. Patrick Powell, developer of the LPRng Unix printing system has sent us an article entitled LPD is Dead that discusses Gerald Carter's article, LPD Must Die! Mr. Powell discusses the use of LPRng to achieve Mr. Carter's goals of featherweight printing, simple filters, security, and print status reporting.

Web-site Development

Zope Weekly News for December 21, 2000. The December 21, 2000 edition of the Zope Weekly News is available. Upcoming releases of Zope 2.2.5 and Zope 2.3 alpha are discussed. The Zope team will also have a presence at the Linux World Expo in New York on January 31 through February 2, 2001.

Le choix de Zope comme plateforme d'enseignement à distance. Jérôme Alet of the Faculté de Médecine de Nice has posted a lengthy study (in French) on the use of Zope in remote teaching applications. It is an extensive work, looking at Zope's capabilities and disadvantages (the main one being the well-known difficulty of mastering the system). Here's a Babelfish link to translate the front page into English, but using Babelfish on a document of this length is an unrewarding activity. (Thanks to Stéfane Fermigier).

Midgard 1.4 "Bifrost" released. A new release of the Midgard content management system has been announced. Midgard 1.4 "Bifrost" provides object-oriented handling for all data, introduces Repligard, a powerful XML-based replication system, and now sports multiple virtual database support, a new administration interface (Asgard) and more.

Section Editor: Forrest Cook

Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

Programming Languages

Java

JavaScript&DOM Factory Version 0.9. Version 0.9 of the JavaScript&DOM Factory is available. This is a tool that aids in the debugging of JavaScript and DOM code by providing object reference materials. The information is licensed under the GNU Free Documentation License.

Markup Languages

XHTML 1.0 reference with examples. Miloslav Nic has provided this XHTML 1.0 reference on zvon.org, the document describes the reformulation of HTML 4.0 as an XML 1.0 application.

Perl

Inline 0.30 released. Version 0.30 of Inline has been released. "Inline lets you write Perl subroutines in other programming languages like C. You don't need to compile anything. All the details are handled transparently so you can just run your Perl script like normal."

Python

Python-dev summary. Here is A.M. Kuchling's Python-dev summary for December 15. It covers a number of development topics, including unit testing, the proposed (and rejected) __findattr__ extension, and the progress of several enhancement proposals.

Jython 2.0 Alpha 3 released. A new release of Jython, the Java implementation of Python, has been announced. Numerous bugs have been fixed with this release.

High Profile Python Projects. Jerry Spicklemire posted this list of high-profile Python projects to the comp.language.python newsgroup. If you want to convince your boss that Python is good for serious projects, this list will certainly help.

Tcl/tk

Dr. Dobbs' Tcl-URL (Dec. 26th). The latest issue of Dr. Dobb's Tcl-URL is now available. Recent links of interest include a Tcl binding for the gdk-pixbuf image manipulation library and a new mailing list for TclPro contributors.

Tk: The Forgotten Language (Linux.com). Linux.com's Mark Stone discusses Tcl/Tk and discusses the process of writing a graphical network configuration utility.

Section Editor: Forrest Cook

See also: last week's Commerce page.

Linux and Business

Red Hat Unveils New Open Source Simulation Tool. Red Hat has introduced SID, a framework for building computer system simulations. Simulated systems may range from a CPU's instruction set to a large multi-processor embedded system.

SID has been released under the GNU General Public License. It includes a growing library of components for modeling hardware and software parts, and can represent some specific systems.

Red Hat is looking software testers and debuggers and other help with the project. You can find out more at Red Hat's SID page.

EL/IX finds a home on NetSilicon SoCs (LinuxDevices). NetSilicon announced they will be adding support for Red Hat's EL/IX API and eCos OS on their System On Chip (SOC) designs.

Transvirtual Integrates Jabber Into PocketLinux Platform. Jabber.com, Inc. is the developer of Jabber, an open source XML-based instant messaging system. Transvirtual Technologies, Inc. is the developer of PocketLinux, an embedded distribution. LWN looked at PocketLinux running on the Compaq iPAQ color palmtop at Comdex, last November. We were impressed by the WAP-XML based multimedia applications that were running with the Jabber protocol. Now Jabber.com has announced that Transvirtual Technologies, Inc. has completed their integration of the Jabber instant messaging system into the PocketLinux Platform. Yet another cool application running on a handheld device.

Loki's game gets a review. Loki's Myth II: Soulblighter is examined in this selection of video and computer game reviews. "The sequel to 1997's acclaimed Myth: The Fallen Lords brings a rich, 3-D experience to Linux war games. The folks at Loki have set out to prove the Linux 2.x kernel and glibc2 can render special effects that rival anything seen on Windows. And they achieve their goal with verve."

IDG's Network World Names Industry's Most Influential Companies, Players and Trends. Eric Raymond made it into the list of the 25 most powerful executives in Networking, according to Network World, based on his role as President of the Open Source Initiative. The link provided is just to the press release; the full coverage is likely only available in the print magazine, at least for now.

Press Releases:

Open Source Products

• Fortuitous Technologies Inc (Austin, Texas) announced the release of their "Linux Fundamentals" training curriculum under terms of the GPL license. According to sources, this course material is based on the Linux Professional Institute's LPIC-1 exam.

• LizardTech announced that DjVu and the DjVu Reference Library v.3.0 will be released under the terms of GNU General Public License. DjVu is scan-to-Web technology that converts documents into the smallest file sizes possible.

• Participate.com (CHICAGO) announced it has been retained by ChangeWave.com to help manage the ChangeWave Alliance, an open-source network for investment research.

Proprietary Products for Linux

• Etnus (Framingham, Mass.) announced the availability of the TotalView debugger/analyzer for Red Hat Linux 7.0.

• PROVEN SOFTWARE, INC. announced the release of eCHOICE, an internet shopping cart for Linux which is fully integrated with PROVEN CHOICE Accounting Systems.

Products and Services Using Linux

• Innovative Gaming Corporation (RENO, Nev.) announced the Nevada approval of a revision of its Linux-based operating system for application in the Company's video-slot machine platform. The new IGCA Linux-based video slots offer three titles including Monster Money, Area 51 and Tiki Treasure.

• Lineo, Inc. (LINDON, Utah) announced the successful porting of the uClinux 2.4 kernel to the Motorola DragonBall family of processors.

Products with Linux Versions

• Franklin Electronic Publishers, Inc. (BURLINGTON, N.J.) announced that the EBM-911-504, a special developer edition of the Company's eBookMan reader and multimedia content player, is available at http://www.franklin.com/devzone, with a version for Red Hat Linux 6.1.

• Jungo Ltd. (Natanya, Israel) announced the release of GO-HotSwap version 4.42 for Windows and Linux operating systems. The software manages CompactPCI bus systems.

• Kaspersky Lab (Moscow, Russia) announced the beta-version release of its flagship anti-virus product, Kaspersky Anti-Virus (AVP), for Lotus Notes/Domino e-mail gateways running on Linux or Windows NT.

• NVIDIA Corporation (SANTA CLARA, Calif.) announced the recent certification of its workstation graphics line, Quadro2, as compatible with the most widely used software programs for digital content creation (DCC) and computer-aided design (CAD).

• Tarantella, Inc. (SANTA CRUZ, Calif.) announced web-based shipments of Tarantella Enterprise 3 and Enterprise 3 ASP Edition web-enabling software. The new products are immediately available via the Internet through a free 60-day trial offering. This release runs on Linux servers.

Books and Training

• XOR Inc. (BOULDER, Colo.) announced the 3rd Edition of "UNIX System Administration Handbook", authored by a team including XOR's Trent Hein, Evi Nemeth and Ned McClain. The book includes Linux and FreeBSD coverage.

Partnerships

• theKompany.com (RANCHO SANTA MARGARITA, Calif.) has formed a relationship with O'Reilly & Associates that gives customers of theKompany a 20% discount on books from O'Reilly.

Financial Results

• Neoware Systems (KING OF PRUSSIA, Pa.) announced that it intends to release its fiscal year 2001, second quarter results before the open of the market on Thursday, January 18, 2000.

Personnel

• LynuxWorks, Inc. (SAN JOSE, Calif.) announced the appointment of Bob Morris as vice president of marketing.

• TeamLinux Corporation (DAYTON, Ohio) announced it is reorganizing, moving its West Coast office and adding key professional staff. It will narrow its focus and make its products and services more accessible to its target kiosk and open systems markets.

Linux At Work

• Linbox (Metz, France) announced that the company has been selected by the Direction Générale des Impôts (DGI) (French tax authority) to install 950 application servers at sites all over France. The machines will be running Red Hat 6.2.

• M-Systems Flash Disk Pioneers Ltd. (FREMONT, Calif.) announced that Virtual Resources Communications, Inc. (VRC), of Torrance, California, has selected DiskOnChip for use in its new line of next generation broadband access products. VRC is running Linux from the DiskOnChip in a PowerPC environment.

Other

• Netgem (PARIS), a developer of technology that operates on a Linux-based open software platform and a thin-client access device, reviews the company's progress in year 2000.

Section Editor: Rebecca Sobol.

See also: last week's Linux in the news page.

Linux in the news

Recommended Reading

Open Source and 'Sexy' Projects (osOpinion). What makes an application "sexy"? This osOpinion piece gives some answers. "Some hackers are writing an open source Cobol, something I never expected would happen (I have a January 1993 copy of the GNU's Bulletin, pg. 11, quote: "?but no one has volunteered to do Cobol yet."). People are building an open source Delphi community -- and Delphi is a development of Pascal, a wonderful learner's language, but with limitations for serious work."

Companies

Birth of a new Embedded Linux company (LinuxDevices). Tuxia in Augsburg, Germany launched itself into the Embedded Linux market. "Tuxia's initial Embedded Linux product family, expected to become available early in 2001, is a software suite called "TASTE" (which stands for Tuxia Appliance Synthesis Technology Enabled). TASTE derives from Infomatec's JNT Internet appliance oriented Embedded Linux technology."

E-smith Launches Partner Program (ZDNet). ZDNet reports on e-smith's partner program. "E-smith targets small businesses 5 to 100 users with its Linux wares. Local and regional integrators and resellers as well as system builders represent the company's primary channel to reach that customer set. E-smith's partner program initially has signed up 19 companies."

Open source stalwart Sendmail looks to wireless for profits (Upside). Here's an article in Upside looking at Sendmail's acquisition of Nascent Technologies. "Sendmail, you'll remember, was the first open source to win backing by major investors way back in 1998 when it secured a $6 million round of financing from the Silicon Valley investment group Band of Angels."

Business

Linux: A Contender for The Enterprise Market (DB2). DB2 Magazine has taken a look at Linux as a contender in the Enterprise Market. After examining the reasons for choosing Linux, they move on, not too surprisingly, to talking about the combination of Linux and DB2. "For a true test of the installation process, I went to a local college and recruited a student who was completely new to Linux and databases. I handed him all the necessary how-to information and asked him to come by my computer lab when he thought he could install Linux and DB2. When he stopped by that evening, I set up the same two systems and had him install Red Hat 6.1, which took about 30 minutes, and then the DB2 database on both Red Hat boxes. It took him longer to fill in his information and download the source code from IBM than it took for him to install and configure the DB2 database on the Linux box. If that isn't ease of use, I don't know what is."

Also from DB2 Magazine: Serving Up Linux, with details on the beta version of IBM's DB2 Universal Database Enterprise-Extended Edition (DB2 UDB EEE) for Linux. (Thanks to Cesar A. K. Grossmann).

The year for open source (Upside). Upside names the year 2000 as the "Year for Open Source" in a two part series covering the first half and second half of the year. "Gone is the talk about changing the software industry as we know it. In its place stands a familiar set of the goals: earning money, building market share, maximizing shareholder return and, of course, keeping an even keel in case this New Economy thing was everything it was made out to be three years ago."

Linux companies beat Microsoft in Itanium support (News.com). C|Net's News.com reports on Linux beating Windows to the Itanium punch. "Itanium is scheduled to ship in the first half of 2001, but a new version of Windows tailored for the chip won't arrive until the second half, Intel and Microsoft representatives said. Meanwhile, compatible production versions of Linux from Red Hat, Turbolinux and Caldera Systems are scheduled to debut at the same time as the chip itself, the Linux companies said."

Resources

Linux Laptop SuperGuide (ZDNet). The staff at the Linux Hardware Database have put together the ultimate guide to finding the perfect Linux laptop.

Reviews

Helix Gnome: Linux on the Desktop, Part 1 (Computer Source). The Helix Gnome installer and basic features are examined in this article from Computer Source Magazine. "This is an impressive desktop. The icons are beautiful, and the menus are well-coordinated. Although the default color scheme was pleasing, I was able after a few minutes to choose an alternative one I liked better. The menus, except for the inclusion of no less than five text editors/word processors, was complete and yet not overbearing."

A Sneak Preview of Emacs 21.0 (LinuxPlanet). LinuxPlanet plays with an emacs 21.0 prerelease. "On starting the program up, I immediately understood where the rumors of Emacs' GNOMEification had come from: where the program used to present a very sparse, black and white window with simple, unadorned, menus it now has a toolbar providing a set of basic buttons familiar to anyone who's ever used GNOME or a GTK app. The splash screen, I also noticed, showed something besides fixed-width fonts for a change: Emacs has support for scaled, proportional fonts."

Miscellaneous

Linux is too much (ZDNet). Here's a ZDNet opinion piece claiming that Linux is too big and too complicated. "Does the average user really need a bunch of terminal apps, several hex editors, a mail and Web server, and a bevy of compilers? Heck, the average developer doesn't even need all that."

Instant Messaging on GNU/Linux (Linux Orbit). John Gowin from Linux Orbit writes about various Instant Messaging programs for Linux. "In this article series, we're going to take a look at some of the IM clients available for GNU/Linux and rate them. Were also going to look at some of the new universal clients available for GNU/Linux that let you use AOL, MSN, Yahoo and ICQ all at the same time, with only one client. In Part 1 of this series, we'll look at the AOL IM service and the Linux clients available."

Their gain, your pain (ZDNet). ZDNet's Evan Leibovitch looks at "Open licensing" schemes. "So what is an 'open license'? The term apparently evolved from what most folks refer to as volume purchasing: buying software licenses in bulk without the extra boxes and CD-ROMs. With an open license, instead of all that packaging, all you need to keep track of are license numbers or unlocking keycodes - and those can even be delivered by e-mail."

Section Editor: Forrest Cook

See also: last week's Announcements page.

Announcements

Events

Richard Stallman visits MandrakeSoft. Here's a report on Richard Stallman's talk at MandrakeSoft on the Linux-Mandrake forum site. "Stallman finished the 'serious part' of his speech by stating that 'freedom isn't granted, we have to fight for it', and 'Battle isn't won yet, it's only beginning', and asking for our help - primarily in helping the FSF to reach as many GNU/Linux users as possible, and evangelising the 'freedom of software' whenever possible."

Open Source and Free Software Developers' European Meeting. The OSDEM is happening February 3 - 4, 2001 at the Universite Libre De Bruxelles. The web site has been recently updated and contains all the info you need about schedules, topics, speakers, sponsors, sign ups and more.

linux.conf.au. Here's the latest news on linux.conf.au in Sydney, Australia, January 17 - 20, 2001. This announcement includes the list of speakers and other important information for attendees. "Readers in Australia, New Zealand and elsewhere had better make sure to arrange their travel and be sure to bring adequate sunscreen and beachwear. The weather at nearby Coogee Beach has been brilliant recently!"

December/January/February events.

Date	Event	Location
January 17 - January 20, 2001.	linux.conf.au	University of New South Wales, Sydney, Australia.
January 21 - January 23, 2001.	First Annual International Linux Plug Fest	Sponsored by Linuxcare, Inc.	Embassy Suites Hotel, Burlingame, CA.
January 23 - January 24, 2001.	Linux Expo - Amsterdam	Amsterdam, Netherlands.
January 23 - January 24, 2001.	EuroZopeCon Amsterdam at Linux Expo	Amsterdam, Netherlands.
January 29, 2001.	New York Mozilla Developer Meeting	CollabNet office, New York, NY.
January 30 - February 2, 2001.	LinuxWorld Conference & Expo	Jacob Javits Convention Center, New York, NY.
January 31 - February 2, 2001.	Linux Expo Paris	Paris, France.
February 3 - February 4, 2001.	Open Source and Free Software Developers' European Meeting	Brussels.
February 14 - February 16, 2001.	O'Reilly Peer-to-Peer Conference	Westin St. Francis Hotel, San Francisco, California.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

User Group News

LUG Events: December 28 - January 11, 2001.

Date	Event	Location
December 30, 2000.	Central Ohio Linux User Group (COLUG)	Columbus, Ohio.
January 2, 2001.	Linux Users' Group of Davis (LUGOD)	Z-World, Davis, CA.
January 3, 2001.	Kansas City Linux Users Group (KCLUG)	Kansas City Public Library, Kansas City, MO.
January 3, 2001.	Southeastern Indiana Linux Users Group (SEILUG)	Madison/Jefferson County Public Library, Madison, IN.
January 3, 2001.	Silicon Valley Linux Users Group (SVLUG)	Cisco Building 9, San Jose, CA.
January 4, 2001.	Edinburgh Linux Users Group (EDLUG)	Holyrood Tavern, Edinburgh, Scotland.
January 8, 2001.	Baton Rouge Linux User Group (BRLUG)	The Bluebonnet Library, Baton Rouge, LA.
January 9, 2001.	Long Island Linux Users Group (LILUG)	SUNY Farmingdale, NY.
January 10, 2001.	Toledo Area Linux Users Group (TALUG)	University of Toledo, Toledo, OH.
January 10, 2001.	Columbia Area Linux Users Group (CALUG)	Topic: Computer Security	Capita Technologies Training Center, Columbia, MD.
January 11, 2001.	Phoenix Linux Users Group (PLUG)	Sequoia Charter School, Mesa, AZ.
January 11, 2001.	Boulder Linux Users Group	NIST Radio Building, Boulder, CO.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Software Announcements

Sorted by section and Sorted by license

Our software announcements are provided courtesy of FreshMeat

See also: last week's Back page page.

Linux Links of the Week

Section Editor: Forrest Cook

This week in history

One year ago (December 30, 1999 LWN): LWN took a close look at the LinuxOne amended S-1 filing, and noted some suspicious claims within. Despite the large wave of Linux based IPOs going on at the time, that one failed to materialize.

The development kernel was version 2.3.35 and the stable kernel was still version 2.2.13, but the fix of a major IDE bug would allow version 2.2.14 to move forward. Support for the IBM S/390 was to be included in version 2.2.14. The inclusion of the kernel based web server, khttpd, was debated. The discussion centered on whether adding the complexity of a web server to the kernel was justifiable, even if it produced an incredibly fast web server.

Tiny Linux, intended for small, obsolete computers, was released. Version 1.0 came out in April, 2000 and the project is still active.

LWN mentioned a Salon article that questioned the stability of the Linux and dot com stock market frenzy: "Sooner or later, dot-com mania must be headed for a fall -- whenever you see this many lemmings gathered together in one place, you just know a steep cliff has got to be nearby. Could the rush to invest in companies which base their business models on free software be the last straw? Certainly, many observers who have long looked askance at the last few years of Internet insanity have seized upon the VA Linux IPO as just the latest, freakiest example of how crazy things are getting. "

Last, but not least, the dark gloom of impending disaster loomed heavily over sys-admins and programmers everywhere, just a few hours until all hell would break loose due to zillions of unfixed Y2K Bugs. All of the advance work paid off and computers all around the world sailed smoothly into year 19100.

Letters to the editor

Date: Thu, 21 Dec 2000 00:43:31 -0800 (PST)
From: Matt Dillon <dillon@earth.backplane.com>
To: letters@lwn.net
Subject: Yet more on Elevator algorithms and write ordering

I'm afraid there is considerable confusion over write ordering in a
filesystem.  The confusion stems from an assumption that dependant
operations are queued to the disk device all together.  This assumption
is not true of FFS with softupdates.  FFS with softupdates turned on will
queue all *NON* dependant buffers to disk all at once and doesn't care
in the least whether the kernel, the disk device, or the physical disk
itself reorders the writes.  Dependant buffers are not queued until
non-dependant buffers have completed their I/O's.  FFS without
softupdates will use synchronous writes where necessary to (try to) ensure
that dependant buffers are not queued until after such I/O's have completed.
EXT2FS is roughly similar to FFS.  However, both EXT2FS and FFS (without
softupdates) have cases related to directories, inodes, and file blocks
where *NO* write ordering is correct even if you do things synchronously.
Filesystems are more complex then they seem.  Softupdates deals with these
interdependant cases by actually unrolling portions of the buffers when
writing them to disk to guarentee consistency on-disk, allowing it to
operate almost completely asynchronously without endangering the filesystem 
A log-structured filesytem deals with such cases by writing a sequential
log, but there is nothing preventing even a log structured filesystem from
writing a bunch of log blocks in random order as long as it doesn't try
to recover past any holes created due to a crash or commit the file 
structure until after the (asynchronous) log block I/O has completed.

What this means is that a kernel, disk device, and physical disk should
be allowed to reorder blocks however they please.  It is up to the filesystem
code to handle dependant operations.

						-Matt

Date: Thu, 21 Dec 2000 10:44:44 +0000
From: Edmund GRIMLEY EVANS <edmundo@rano.org>
To: letters@lwn.net
Subject: problems in /tmp

You'll probably get a lot of letters like this one ...

http://lwn.net/2000/1221/security.php3:

> Into this model was introduced /tmp, a shared directory to which
> anyone had write privileges and the ability to delete files created by
> other users.

Since it is amazing how many otherwise experienced people don't know
about the "sticky bit" on directories, you really should have
mentioned here that /tmp is usually created with permissions 1777,
which means it is "append-only": you can't delete other people's
files.

This would also have been a good place to educate some of your readers
about what exactly the "problems in /tmp" are. AFAIK, the main problem
is a "symlink attack": if an attacker can guess that a program might
open the file /tmp/foo for writing, they can create a symbolic link
from /tmp/foo to /etc/passwd, say. If the program is running as root,
it overwrites the password file, unless the program was clever enough
to use O_EXCL, but even then, there may be a possibility for a
denial-of-service of attack. See the man pages for mktemp and mkstemp.

On SCO UnixWare a brute-force solution to this problem is used: the
kernel does not allow symbolic links to be created in a directory with
the sticky bit set which does not belong to the caller. I don't know
of any legitimate application that require symbolic links in /tmp, so
this solution should perhaps be considered as an option for Linux.

Edmund

Date: Thu, 21 Dec 2000 11:09:18 +0000 (GMT)
From: Joey Maier <maierj@home.com>
To: lwn@lwn.net
Subject: to: Liz Coolbaugh 

Hi Liz,

First off, thanks for the good work.  You do a great job with the
security page at LWN.  I especially like your editorializing of
bugtraq threads...this week's comments on the /tmp discussion is a
great example.  I stopped following the thread (and the offshoots 
from it) after the first few posts seemed to say the same thing. 
If you hadn't linked to it in  LWN, this would have caused me to 
miss Kris Kennaway's post.  Anyway, I really like your work, and
I appreciate the fact that you don't snub OpenBSD users ;-)

WRT, the Kaspersky Lab virus review, you said:
>...or, perhaps, it's the fact that it takes a little more than 
>a bogus email attachment in the Linux environment...? 

I suspect that you made the above comment because the email attatchment 
can only run in the context of the user reading the mail, and that user 
should not be root.  While this is correct, it simply means that 
malware is limited in the amount of damage that it can do to the system
configuration.  A malicious program in a unix environment could still
destroy all of the files of the user.  Most corporate environments have 
decent backup policies for end users, but home users typically don't back
up files as often as they should, and a piece of malware that destroyed 
local user files could be very nasty for them.  

It is also important to note the increase in the tendancy for unix 
desktop user to prefer HTML-rendering mail clients.  Many of these
clients - especially the ones that are incorporated into a browser - 
may have active scripting vunerabilies that could allow manipulation
or deletion of the user's local files.

I suspect that the reason we have not seen more email-born malware 
in the unix environment is not due to the slightly limited scope
of the damage that can be done.  (Loss of data can be enough of
a problem, even if the system configuration is unharmed.)  Instead,
I suspect that the currently heterogenious use of email clients make 
it more difficult to write a virus that will affect a large number 
of people in the way the Outlook-dominated Windows platform can be
affected.  

If the *nix world starts to be predominated by a single email client,
it will start to attract malware authors.  This is especially true if
the client is HTML/active scripting aware.  Unfortunately, noone seems
to be taking this seriously, and I have not seen any viable solutions
offered.

--
	"When you understand UNIX, you will understand the world.
	 When you understand NT....you will understand NT" - Richard Thieme
http://www.slothnet.com - is currently unavailable :(

Date: Thu, 21 Dec 2000 11:13:20 -0500
From: Joe Louderback <jlouder@wfu.edu>
To: letters@lwn.net
Subject: Defamation of Fortran

In this forum Mr. Kastrup took Linus Torvalds to task for incorrectly
claiming arrays in Pascal start at 1.  He then wrote, "Most probably Mr.
Torvalds is confusing Pascal with Fortran which indeed has its arrays
starting at 1."

Ahem.

real     atone(50)
integer  atminusthree(-3:50)
logical  atsix(6:50)


Joe Louderback, itinerant physicist and occasional Fortran programmer

Date: Tue, 26 Dec 2000 13:04:42 -0800
From: Davina Armstrong <davina@lickey.com>
To: letters@lwn.net
Subject: Rick Collette's "petition" to British Telecom

I was very interested in your coverage of British Telecom's patent
infringement lawsuit against Prodigy (LWN 12/21/00).  I happily clicked
on the link to Rick Collette's "petition" to British Telecom, thereby
myself infringing upon their patent (or at least contributing to your
infringement).  I was anxious to add my signature to what I assumed
would be a petition to British Telecom urging them to drop their absurd
lawsuit.  Instead, I found the following:

"British Telecom is claiming they own the rights to the Hyperlink.
That's saying that everything you click on a website, the method used to
bring you from one page to another, belongs to them. 

They are currently suing Prodigy for this, and it's only going to
worsen. We must stand up and put a stop to this craziness. 

The signatures collected here will be sent to the Linux Journal,
deepLINUX, MSN, and any other media outlet that I can think of."

This is *not*, in fact, a petition.  This is merely a statement of
fact.  Why would anyone sign it?  Webster's Dictionary defines a petion
as "1 a solemn, earnest supplication or request to a superior or deity
or to a person or group in authority; prayer or entreaty" OR "2 a formal
writing or document embodying such a request, addressed to a specific
person or group and often signed by a number of petitioners".

This "petition" is not addressed to British Telecom and does not
actually make any request.  When someone starts a real petition to
British Telecom about this issue, I will be more than happy to add my
signature to it.

Regards,
Davina Armstrong