Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

July 4, 2001

   
From:	 Lutz Horn <lh@lutz-horn.de>
To:	 letters@lwn.net
Subject: Caldera's new licensing scheme
Date:	 Thu, 28 Jun 2001 20:18:25 +0200

Dear folks at LWN,

I guess you'll receive some amount of mail concerning Caldera's move to
a per seat license and another opinion may not be needed. But let me
share my .02 Euro with you.

In your leading article you tell readers that you'll be
considering Caldera's move from two angles: 1) "why Caldera is taking
this path" and 2) "whether members of the free software community are
right to criticize the company". I'll not talk about 1) here but of
course about 2).

The free software community should be concerned about freedom, freedom
of software and freedom for its users. It should not bother about one
company making money from free software or not. Let the open source
people give themselves headaches pondering this question.

Your interpretation of freedom includes the right of the users to vote
against Caldera and switch to a different distribution. This is an
important freedom but of course not one of the four freedoms free
software is all about (for reference let me point you to "What is Free
Software?" at http://www.gnu.org/philosophy/free-sw.html).

Another interpretation you give of freedom is that by including non-free
software into its distribution Caldera is "demonstrating a way of
exercising the freedoms that come with free software". This of course is
not freedom as understood by the Free Software Foundation and anybody
calling himself a member of the free software community. Being a member
of this community means striving for _more_ free software, not less. By
including non-free software Caldera, and other distributors, of course,
have found a, as you put it, "way to add value to Linux that suits its
customers" to its distribution. At the same time they are reducing the
amount of freedom their distribution includes by making it
value-added/freedom-subtracted.

As RMS once put it, using non-free software where there is no free
alternative is no valid option for a member of the free software
community. If it's not free it is of no use to us, whatever added value
it may contain.

Regards
Lutz
-- 
Lutz Horn <lh@lutz-horn.de>
For PGP information see header.

   
From:	 Joe Klemmer <klemmerj@webtrek.com>
To:	 <letters@lwn.net>
Subject: On Caldera
Date:	 Thu, 28 Jun 2001 13:18:27 -0400 (EDT)

	I'm pretty sure that this will be one of a gazillion letters on
the subject.

	However, I have to say that I think the move that Caldera is
making is really a good thing.  If it succeeds, and I think it could, it
will put Linux on more systems and give it even more exposure.

	I can understand why the "rank'n'file" in the community might be a
tad hyper about the move.  However, there's more to Linux than just the
religion of the One True Way.  As mentioned in the article, the per system
licensing does not violate any of the open source licenses.  The move will
help get Linux on more boxes by giving it a more normal "appearance" to
the business world.  This is a win-win situation for Linux.  Let's try and
support Caldera and all the other Linux companies who are trying to get
Linux out there on the corporate systems.

	If I had the energy I'd go off and rant about the license wars and
distro wars and pick-your-desktop-environment wars and such but that's too
much work.  Let's just all do what we can to help Linux/*BSD/open source
[all licenses] and not help the "enemy" do its work for them.

Joe

---
"It's a damn poor mind that can only think of one way to spell a word."
                -- Andrew Jackson

   
From:	 "Matt.Wilkie" <Matt.Wilkie@gov.yk.ca>
To:	 lwn@lwn.net
Subject: comment on passwords and security
Date:	 Thu, 28 Jun 2001 17:57:16 -0700


I'd just like to make a general comment on the 'Responsibility of
the individual [...to...] "Use different passwords at Websites and
on every machine you use."'

Yeah, right. Sure.

Bob Cringely (http://www.pbs.org/cringely/oldhat.html)
wrote a really good essay on the problem with this advice but I 
can't find the link so here is my mangled version.

On average I use 3 machines a day with at least four separate 
accounts on each of those (regular user, power user, administrator, 
web admin, db admin, etc.). Add to that the half a dozen password 
enabled (or demanded) websites I visit regularly, plus the dozen
or so more I see from time to time and I have a real password 
management problem. Oh, don't forget that effective passwords need
to be changed often. And the bank machines. and the security door
at work. and...

I used to have different passwords for different machines and
different tasks that I changed regularly and often. Then I had to 
restore a year old password-protected backup tape.... 
Need I say it never happened?

As I see it there are three possible solutions:

-Pick a small number of passwords according to general task (admin,
general use, finance, internet) and use them everywhere.

-Be responsible, use different often changing passwords for 
everything, And:
  + write it all down in a convenient little text file buried in $home
  + post-it notes in the top desk drawer

-Invent a personal algorithm based on the name of the service, say 
reverse the letter order, number-substitute and then add them up and
subtract the year and month. (All the while hoping to God the 
name doesn't get changed)


securely yours,

-matt

-----------------------------------------------------------------
Matt Wilkie * Yukon Renewable Resources GIS
http://renres.gov.yk.ca/pubs/rrgis/
-----------------------------------------------------------------
   
From:	 jimd@starshine.org (Jim Dennis)
To:	 lwn@lwn.net
Subject: Virus Hoax in MP3s
Date:	 Mon,  2 Jul 2001 07:28:56 -0700 (PDT)

 Regarding Jack Clark's comment about the impossibility of
 spreading malicious code via MP3s (or other data files).

 In a certain narrow sense, he's correct.  The MP3 file
 format doesn't provide any code hooks (that I know of).

 However, in a broader view people should realize that the
 integrity of their systems depends on the robustness of any
 code that they run on "foreign" or "untrusted" files.  It is
 conceivable that degenerate data in an MP3 (or any other sort
 of file) could exploit bugs (buffer overflows, parsing errors,
 or other problems) in some of the programs that are used to 
 play, view or otherwise work with these files.

 We used to hear that viruses couldn't be spread via e-mail.  This
 was the first order response to the famous "Good Times" hoax.
 However, since then we've seen far too many cases where viruses
 and other malware have been spread by *specific* e-mail clients
 (using bugs in those MUAs, of course).  
 
 While we, in the Linux and UNIX communities, like to smugly 
 attribute that problem to MS Windows, Exchange, Outlook, and IE; 
 the fact is that similar bugs can (and have) appeared in UNIX MUAs 
 and browsers.  (Obviously they don't spread as far, nor as fast,
 by virtue of the "bio/cyber-diversity" that we see in UNIX/Linux
 mail user agents, editors, and browsers.)

 I stress these points to call attention to the problem.  

 Any code which interacts across security contexts (such as our
 browsers, mailers, MP3 players, and graphics file viewers) must 
 be written to be robust.  If it core dumps or segfaults, it AIN'T
 SECURE!

 It's not just SUID programs and root/daemons that can be exploited
 by crackers; it's anything we trust.  I want to raise the bar for
 all programming under Linux and UNIX by raising awareness of this
 issue.  Until every programming student is taught this principle
 from the outset, we will be vulnerable.

--
Jim Dennis,
"The (Linux Gazette) Answer Guy"

   
From:	 Dan Stromberg <strombrg@nis.acs.uci.edu>
To:	 letters@lwn.net
Subject: Re: Hoax virus alert targets MP3
Date:	 Mon, 2 Jul 2001 12:11:32 -0700

>"Jack Clark, European product manager at Network Associates, said that
>it was impossible to spread malicious code through MP3 files, which
>are data files that cannot execute by themselves."

Where do people get this stuff?  I can't believe someone who works at
a virus company could say something so incredibly untrue.

All it would take is a common MP3 player that doesn't check for buffer
overruns in its mp3 input - then an MP3 file could be used to spread
hostile code.  Is this guy really willing to certify that all MP3
player authors know what they're doing as far as security goes?

This is the same nonsense people used to say about viruses spreading
through e-mail - there used to be tons of claims that it was impossible
too.  You'd think folks would've learned.

That's not to say this particular bit isn't a hoax.  But clearing up a
hoax by saying the attack is impossible when it isn't, is a pretty
poor idea.

-- 
Dan Stromberg                                               UCI/NACS/DCS
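
The two letters above on the MP3 hoax make the same point: a player is only safe on untrusted files if it checks every length the file declares. As an added illustration (not from either letter or from any player's source), here is a C routine that copies the title frame out of an ID3v2.3 tag at the start of an MP3 file and rejects declared sizes that exceed the bytes actually present. The function names, the choice of ID3v2.3 and the rejection of tags with header flags set are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode a 28-bit "synchsafe" ID3v2 size; reject bytes with the high bit set. */
static int synchsafe(const uint8_t *p, uint32_t *out)
{
    if ((p[0] | p[1] | p[2] | p[3]) & 0x80)
        return -1;
    *out = ((uint32_t)p[0] << 21) | ((uint32_t)p[1] << 14) |
           ((uint32_t)p[2] << 7) | p[3];
    return 0;
}

/* Copy the TIT2 (title) text of an ID3v2.3 tag into out[outcap].
 * Returns the number of bytes copied, or -1 if the input is malformed. */
int id3_copy_title(const uint8_t *buf, size_t len, char *out, size_t outcap)
{
    uint32_t tag_size;
    size_t pos = 10, end;

    if (outcap == 0 || len < 10 || memcmp(buf, "ID3", 3) != 0)
        return -1;
    if (buf[3] != 3 || buf[5] != 0)     /* v2.3 only, no header flags */
        return -1;
    if (synchsafe(buf + 6, &tag_size) != 0 || tag_size > len - 10)
        return -1;                      /* tag claims more than the file holds */
    end = 10 + (size_t)tag_size;

    while (end - pos >= 10 && buf[pos] != 0) {  /* a zero byte marks padding */
        uint32_t fsize = ((uint32_t)buf[pos + 4] << 24) |
                         ((uint32_t)buf[pos + 5] << 16) |
                         ((uint32_t)buf[pos + 6] << 8) | buf[pos + 7];
        if (fsize > end - pos - 10)
            return -1;                  /* frame runs past the end of the tag */
        if (memcmp(buf + pos, "TIT2", 4) == 0) {
            size_t n;
            if (fsize < 1)
                return -1;              /* no room for the encoding byte */
            n = fsize - 1;              /* skip the text-encoding byte */
            if (n > outcap - 1)
                n = outcap - 1;         /* truncate, never overrun out[] */
            memcpy(out, buf + pos + 11, n);
            out[n] = '\0';
            return (int)n;
        }
        pos += 10 + (size_t)fsize;
    }
    return -1;                          /* no title frame found */
}
```

A parser that trusted the frame size and copied straight into a fixed buffer would be the kind of bug both letters describe; here every declared length is compared with the remaining input and with the destination capacity before any copy.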

   
From:	 Dylan Thurston <dpt@math.harvard.edu>
To:	 lwn@lwn.net
Subject: Desktop Suite review
Date:	 Thu, 28 Jun 2001 09:54:03 -0400

Dear Linux Weekly News,

I found your review of desktop suites quite useful.  But I was very
disturbed that you failed to mention what is (to me) the most
important attribute of a piece of software: whether or not it is
free.  How is someone who has heard of neither to know that Siag Office
is free software (GPL), while Hancom Office costs $45 (and does not
include source)?

I find this oversight really inexcusable.  Usually you are good about
distinguishing free software from hoarded software.

Best,
	Dylan Thurston
   
From:	 "Bryan Feeney" <b_feeney@vistech.ie>
To:	 <lwn@lwn.net>
Subject: Re: KOffice in the office round-up
Date:	 Thu, 28 Jun 2001 10:21:01 +0100

You left quite a lot of components out from your review. If you look at the
front page of the site (http://www.koffice.org) you'll see that

1. KOffice 1.1Beta3 is the recommended version, 1.0 users are advised to
upgrade and that

2. 1.1Beta contains the following components

Word Processor: Yes (KWord)
Spreadsheet: Yes (KSpread)
Email: KDE Kmail/Infusion
Scheduling: KDE KOrganiser
Database management: KDE KMySQL
Project Management: KDE Infusion?
Graphics: Yes (Krayon / Kivio / KIllustrator [/ KChart])
Presentation: Yes (KPresenter)
Web Browsing: KDE Konqueror

The latter two in the graphics category are extremely important. Kivio is
of *far* better use in an office environment than Krayon or KIllustrator.
Krayon is really for big kids.

Also I think that Kmail / Konqueror / KMySQL should have been included in
the List, maybe not as a definite "Yes", but rather as "KDE" like above.
KOffice excludes them as they're not integrated, however they'd have more in
common than, e.g., the Gnome equivalents. I'm not on a KDE/Gnome rampage
here, but the table you gave did seem a bit misleading.

Finally, I don't think anyone would normally include Email, web browsing or
Image manipulation as office apps. Even Microsoft haven't made that stretch
yet! Groupware tools (e.g. Outlook 2000 (not Express) and  Lotus Notes) and
possibly web-design would have a place alright, but not the above three. A
standard office worker would not use them for productivity. Yes I know
they'd use email, but they wouldn't really be creating any documents with
it. I'd view an office suite as a group of programs involved in the creation
of documents by typical office workers. Looking at lwn.net is what they
usually do *instead* of working ;-)

Just my two cents
--
Bryan Feeney - http://www.bfeeney.uklinux.net/
"If at first you don't succeed, try a smaller bungee..."


   
From:	 ischindl@univ-tlse1.fr
To:	 letters@lwn.net
Subject: desktop solution omission
Date:	 28 Jun 2001 19:13:29 +0200



I would have included lyx in the "Other Tools" section of your Desktop
Solutions page.  Lots of people in the scientific community use Scientific
Word because they don't know about lyx.

Otherwise it was a nice read.

Ian 
   
From:	 Oliver White <ojw@unite.com.au>
To:	 letters@lwn.net
Subject: Games On The Desktop
Date:	 Fri, 29 Jun 2001 12:16:07 +1000

I'd have to agree with my fellow readers, OTD has improved measurably
over the last couple of weeks. Well done! One thing that is sorely
lacking, however, is coverage of the most important application for the
desktop computer: Games! Oh yeah, word processors are really important,
and (yaaaaawwwwn, scuse me!) interesting too, but games have been an
integral application of the desktop computer since they first appeared.

Naturally, the WorldForge team will keep the editors well informed as to
our pursuit of the ultimate massively multiplayer online roleplaying
experience. 

--
Oliver White
STAGE Janitor
www.worldforge.org
   
From:	 "Hurley, Kevin Joseph (Kevin)" <khurley@lucent.com>
To:	 "'letters@lwn.net'" <letters@lwn.net>
Subject: Gnucash and apt-get as the solution
Date:	 Fri, 29 Jun 2001 09:20:46 +0100

Sir,

I have followed with interest the discussion here concerning library
dependencies and application installations. The letter from Zooko this week,
in particular, raised some alarm bells. 40 new packages and 11.3MB of
downloads to install one application: I think this solution is acceptable
only for the most "bandwidth-blessed" among us, and certainly not for the 'I
just want it to work' brigade. 

I am a big fan of Debian and think apt is the best thing since sliced bread
- I use it myself and reckon it's the smoothest installation tool around. But
I can well imagine that for an inexperienced user coming to Linux from Some
Other Operating System, the notion of being required to install 40 new
packages to get just one new application working would seem bizarre. And
11.3MB does not take "only a few minutes" to download when you're connected
with a 64k modem.  

When questions like these, of usability and simplicity come up, I always
think of my Dad on his PC at home. He doesn't have Linux installed, but if
he did, I'd tell him to wait until the next release of Debian becomes
available on CD before he moves to gnucash 1.6. 

Yours,

Kevin

---
"The Good Samaritan would make a Bad Economist"
 - Dickens, Hard Times
   
From:	 Richard Atterer <ofijqa@atterer.net>
To:	 lwn@lwn.net
Subject: Linux in Possible Crisis; IBM, NEC, Two Others to Form Promotion Group (AsiaBizTech)
Date:	 Thu, 28 Jun 2001 22:19:33 +0200

Hello,

in today's LWN edition you included a link to this article on
AsiaBizTech and called it FUD. Based on the snippet about the

  "casual attitude of Torvald [sic], which doesn't meet the needs of
  the market and minds of investors",

I went over to have a good laugh. However, instead I found the article
very interesting, not because of the facts it talks about (it's mostly
speculation anyway), but interesting because of the _point_of_view_
from which the article is written.


Why is it interesting to analyse this point of view? Because the
top-level managers of IBM, Sun etc. might be thinking in the same way! 
To them, Linux is just another market. It is naive to think that they
have suddenly been converted to the "true path of Free Software" - no,
they support Linux simply because they might make a profit and because
"my enemy's enemy is my friend", i.e. it is the most promising way of
hurting Microsoft.

In the course of becoming a player in the Linux market, the managers
must put up with those irrational techie types full of their strange
ideals. In the past years, this did not work too well, but by now they
have learned to speak in a way that pleases us. There is a wonderful
German expression "Honig um's Maul schmieren" to describe this -
sadly, this is not translatable; literally, it means "smear honey
around the [techie's] mouth".


Clearly, the author does not live in the "techie" world, but in the
"manager" world. I have found that real-world travels are infinitely
more easy than "thinking-world" travels - but if we undertook this
travel and tried to understand the suits, we could make use of the
knowledge to promote Linux to businesses in a way that _they_
understand, which would certainly be a positive thing for both them
and us.

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer
  | \/¯|  http://atterer.net
  ¯ ´` ¯
 

 

 
Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds