![[LWN Logo]](http://old.lwn.net/images/lcorner.png)
![[LWN.net]](http://old.lwn.net/images/bigpage.png)
|
|
|
Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
 Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters
Other LWN stuff:
Archives/search
Recent features: Here is the permanent site for this page. See also: last week's LWN.
|
Leading items and editorialsGartner: dump IIS. The analysts have released a new set of proclamations relating to Linux and free software. Analyst opinions should always be taken with a grain of salt (if not an entire shaker of salt); they do not always reveal a deep understanding of how free software works. Nonetheless, they are a good indicator of how a certain segment of the world views free software. The Gartner Group is one of those analyst operations that has shown, over time, an inability to "get" what makes Linux what it is. The Group's opinions have generally been hostile. So the latest words of wisdom from Gartner are doubly interesting when they state: Gartner recommends that businesses hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors such as iPlanet and Apache. Although those Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Apache, of course, is not a "vendor," but we'll let that pass. It's a slow process, but the corporate world is beginning to figure out that free software offers some real security advantages. It is important, too, that web servers are the subject of this discussion. Some have claimed that Linux is free of email viruses only because, as an obscure (on the desktop) platform, it is not an interesting target for virus authors. But Apache is the dominant web server platform; anybody wishing to attack large numbers of systems via a web server would look at Apache first. The "obscure and uninteresting" argument will not wash here. D.H. Brown's enterprise functionality study. A much more detailed proclamation can be found in the "2001 Linux Function Review" recently announced by D.H. Brown Associates. The full report is available from the D.H. Brown site, but only for those with $1500 to hand over. Those willing to register can get an "executive summary" in PDF format for free. The report looks at several Linux distributions and reviews their functionality in a number of areas. The boiled-down rankings, from best to worst, are:
The ranking between the distributions is, to a great extent, driven by how current they are. Distributions shipping a 2.4 kernel came out ahead of those still shipping 2.2 (Turbolinux and Debian). Beyond that, D.H. Brown looked mostly at the additional features built in by each distributor. Red Hat wins in the "scalability" category, seemingly because of its published SPECWeb results. SuSE got a lower rating because it lacks those results, and "a lack of support for key third-party load balancing software options." Caldera was penalized for not having a shipping 64-bit distribution. D.H. Brown remains unsatisfied, however, with Linux scalability: ...no Linux distribution yet provides scalability functions that are competitive with RISC-based Unix systems. The largest Unix systems can support up to 256 GB of main memory and 128 CPU's, far beyond Linux's practical limitation of eight processors. Among kernel developers (and others), the question of whether Linux should ever scale to that many processors remains highly controversial. Those wanting support of hundreds or thousands of processors in an SMP mode are likely to be disappointed with the mainstream Linux kernel; making a kernel work in that environment carries a number of performance and maintainability costs. SuSE, instead, wins the "Reliability, Availability, and Serviceability" (RAS) category. D.H. Brown liked the inclusion of ReiserFS, the S/390 partition support, and logical volume manager (LVM) support. But, says D.H. Brown, "True High Availability clustering options for Linux remain in their infancy." Also: ...leading Unix systems have added features for planned downtime reductions, such as live operating system upgrades and kernel hot-patching, which are not available in Linux. "Kernel hot-patching" in Linux may be problematic, but the comment on live upgrades shows an ignorance of the upgrade capabilities provided by a number of distributions, led by Debian's apt system. SuSE was also declared the leader in the "system management" category, due to the inclusion of LVM and its installation and administration tools. No distribution's administration tools were considered to be all that great, however. There was also an interesting comment: While ease of use has long been a point of differentiation between the various Linux distributions, most of the studied vendors have focused on easing installation and desktop usability, rather than enterprise systems management. All of the studied distributions provide strong tools for software installation and management, based on either the RPM package manager or the Debian packaging system, but none provide advanced event management capabilities, which are critical for administrators who must monitor a large number of systems. Given that a number of distributors have targeted the large enterprise market, they may wish to think about improving things in this area. Red Hat was declared to be the best for Internet and web application services, mostly for its support of proprietary, third-party platforms. Caldera's broad protocol support was also called out, however. All distributions were criticized for their lack of support for Java2 Enterprise Edition servers. The last category was "directory and security services," though security does not appear to enter much into their evaluations. SuSE came out on top as a result of its inclusion of the latest Samba Overall: Based on the results of this latest functional evaluation, DHBA believes that the leading Linux distributions are now quite capable of serving as general-purpose operating systems for a broad range of departmental and workgroup applications. The study is interesting as a comparison of the distributions, and as an expression of a certain type of shopping list. It remains, however, a shopping list. In its comparison of distributions, against each other and against proprietary Unix, it looks only at which features can be checked off for each. Features are important, but the drive to complete feature lists leads to bloated, immature software releases. A company looking at adopting Linux would be well advised to look beyond the feature comparison. After all, it is not hard to add a journaling filesystem to a distribution that lacks one. The real life and value of a distribution can be found in the openness of its development process, its approach to security, the strength of its user community, and the integration of the distribution as a whole. D.H. Brown has provided an interesting study, but it missed much that is important. A quick Sklyarov update. Current events in the world have turned eyes elsewhere, but Dmitry Sklyarov remains under indictment. Here's a quick update from the EFF on what's up. Dmitry has a new lawyer, John Keker, the "Lawyer Lawyers Would Hire If They Got Busted" Among other things, Mr. Keker handled the prosecution of Oliver North in the Iran-Contra scandal. The next hearing will happen on November 26. Inside this LWN.net weekly edition:
This Week's LWN was brought to you by:
|
September 27, 2001
|
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Security page. |
SecurityNews and EditorialsSerious vulnerability in PHPNuke. PHPNuke 5.2 has an embarrassing vulnerability in its file manager function that can allow the creation and overwriting of arbitrary files on the server system. The advisory contains a quick source-level fix; a simpler fix was also posted. Note that PostNuke 0.63 appears not to be vulnerable.More SQL code injection problems. This RUS-CERT advisory describes a new range of SQL code injection vulnerabilities. This time the problem is with the PAM and NSS libraries shipped with most Linux (and Unix) systems. Through the use of properly-crafted usernames and passwords, an attacker can cause arbitrary SQL code to be executed. This, in turn, can lead to database corruption and unauthorized access. No vendor updates for the affected modules are yet available. CRYPTO-GRAM for September. For those who haven't yet seen it: Bruce Schneier's CRYPTO-GRAM Newsletter for September covers the September 11 attacks and several other topics. Security ReportsOpenSSH restricted command vulnerability. OpenSSH 2.9 and 2.9p2 are subject to unauthorized access problems in certain scenarios. If you are using authorized key pairs to provide remote access, and have restricted the commands that may be executed via that key pair, and have the sftp capability enabled, the command restrictions can be evaded. The result can be access to a shell on the server system even though that access had been explicitly denied. The fix, for now, exists only in the OpenSSH cvs archive; concerned administrators should update to the cvs version, or simply disable sftp.slrn executes shell code. The Debian Project has released a security update to slrn fixing an interesting problem: evidently slrn will execute any shell code it finds within an article, on the theory that the article is a self-extracting archive. This may have been desirable behavior in 1982, but it presents certain difficulties in modern times. Users of slrn should apply the update; none have yet been seen from other distributors. Minor DOS problem with squid. Also from Debian is this update to squid. Evidently a malformed FTP PUT command can cause the server to restart. The problem has been fixed in version 2.2.5-3.2. Updates seen so far: Format string problems in HylaFax. The HylaFax package has some format string vulnerabilities. On some systems (i.e. FreeBSD), the affected binaries are installed setuid uucp, and could thus provide unauthorized access to the system. Most Linux systems seem to not install HylaFax with added privileges, however.
Filename vulnerability in Red Hat's serial init script. Red Hat has
issued an alert warning of a
potential vulnerability with the setserial package. This one is obscure:
you must have installed setserial, copied the init script from the
documentation directory over to /etc/rc.d/init.d, and built your
own kernel with serial support installed as a module. If you've done all
those things, there is a potential problem with predictable temporary file
names. Most users, it is expected, need not worry about this one.
Proprietary products.
UpdatesSource page buffer overflow in man zen-parse reported a buffer overflow in man that, when manual pages begin with a '.so' statement, may be exploited to execute arbitrary code under the 'man' group id. For more details, check BugTraq ID 2872. (First reported in the June 21 LWN security page). New updates: Uucp local user exploits. There is a vulnerability in the command-line argument handling of uucp which can be exploited by a local user to obtain uid/gid uucp. See the September 13, 2001 LWN security page for the initial report.New updates:
Buffer overruns in Window Maker A buffer overrun exists in Window Maker which could, conceivably, be exploited remotely if the user runs a hostile application. This problem initially appeared in the August 16, 2001 LWN security page. New updates: Previous updates:
ResourcesPort list available. Kurt Seifried has released a comprehensive list of TCP and UDP ports, including 363 known trojan ports.
By the numbers: Comparing Windows security to Linux (TechRepublic). TechRepublic uses BugTraq reports to determine just how secure Linux is versus Microsoft, and the numbers are not tilted the way you might think. "As these numbers illustrate, Windows NT 4.0 was the leader in bugs identified during 2000. But Linux was not far behind. And in 2001, Windows 2000 has stabilized a bit and is actually running in the middle of the pack." A free registration is required to access this article. (Thanks to Sean Walton) EventsUpcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Jonathan Corbet |
September 27, 2001
LWN Resources | |||||||||||||||||||||
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Kernel page. |
Kernel developmentThe current kernel release is 2.4.10, which was released by Linus on September 23. 2.4.10 is a huge (11MB) patch with some far-reaching changes: jffs2 and NTFS updates, a large ACPI update, the latest version of min()/max(), lots of block device changes (including one that makes block device I/O use the page cache), a new multipath RAID personality, various architecture updates, and a great deal of merging from Alan Cox's "ac" series. And a virtual memory update from Andrea Arcangeli - we'll get to that shortly. The initial user reports on 2.4.10 are almost uniformly positive. Alan Cox's latest is 2.4.9-ac15, which includes many more fixes, and some virtual memory patches from Rik van Riel. Note that the finger server at finger.kernel.org now lists the latest "ac" patch along with the Linus releases. 2.0 lives. The 2.0 kernel may be ancient history to many, but David Weinehall is still carrying the torch: he has recently released 2.0.40-pre1, the first prepatch for a 2.0.40 stable release. The patch includes a small number of fixes and a number of code cleanups. Virtual memory: the plot thickens. Readers of this page know that the Linux kernel hackers have been working to improve virtual memory performance for a long time. Since somewhere in the 2.1 series, according to some of the more cynical observers. VM performance has been, perhaps, the largest remaining issue with the 2.4 kernel. Almost everything works very well, but memory exhaustion and massive swapping have been the bane of many 2.4 users. Quite a bit of incremental work has gone into fixing up 2.4 VM. Andrea Arcangeli, however, came to the conclusion that the incremental approach wasn't going to work; instead, he posted 2.4.10-pre10-aa1, which included a major rewrite of the VM code. This rewrite throws out much of the previous VM algorithm, including things like page aging, and replaces it with something simpler. The 2.4.10 kernel has a completely different virtual memory subsystem than its predecessors. Even for people who are getting used to seeing large changes slip into the "stable" kernel series, this patch came as a bit of a surprise. Initial reactions were not positive: But suddenly, the number of people who understand the Linux VM has gone from maybe 10 down to just one-and-a-bit. A large number of comments have been removed, and a year's worth of discussion has been invalidated.
I've never seen as invasive a patch merged that ran the risk of completely torpedoing stability merged into a STABLE KERNEL SERIES, nor would I ever consider submitting such a patch.
I have nothing against the code itself (the "old" code also had bugs), but a major VM rewrite at this point seems to be dangerous if we want a stable VM.
Linus 2.4.10pre is definitely 2.5 in disguise.
Look, the problem is that Linus is being an asshole and integrating conflicting ideas into both the VM and the VFS, without giving anybody prior notice and later blame others.
There is, however, one group whose complaints are notably absent: 2.4.10 users. With an occasional exception, people who have actually installed 2.4.10 seem to be running it happily. A lot of the swap-related problems from earlier 2.4.x kernels appear to have been solved. Wider use of 2.4.10 will doubtless turn up other problems - you can't make such large changes to such a complex and crucial subsystem without them - but the final judgement may well be that this was a good change. Not everybody has bought into it yet, however. The "ac" kernel series has stayed away from the mainline VM for a while now, and, as of 2.4.9ac15, Alan was still accepting changes to that code. In other words, the Linus and Alan kernels have diverged in a much more fundamental way than ever before. For the short term, the two kernel trees can function as a laboratory to see which VM approach works better - though one does not normally use stable kernels in this mode. In the longer term, however, one can only hope that some sort of VM consensus is reached. Should proprietary security modules be allowed? The Linux Security Module project has been working since last April to create a flexible framework that would allow the plugging of arbitrary enhanced security mechanisms into the kernel. To that end, the LSM hackers have created a lengthy series of hooks which will allow a security module to make decisions on just about any operation that a process can perform. Those who are interested in what the security module interface looks like can get a view from the well-documented security.h include file provided with the LSM patch. The LSM patch is approaching readiness for inclusion into the (2.5) kernel. This proximity caused Greg Kroah-Hartman, perhaps rather belatedly, to submit a patch limiting the use of the security.h file to modules licensed as free software. The effect of this change is to say that all security modules must be free software; no proprietary modules need apply. The longstanding policy for Linux kernel modules, of course, has been that closed-source modules are allowed, as long as they follow the (not well defined) module interface. Restricting security modules may seem, at first blush, to be a deviation from this policy. Proprietary driver modules may be loaded, why not proprietary security modules? Numerous objections to the restriction have been posted, mostly arguing along these lines. There has also been an argument that the restriction is, itself, a violation of the GPL. The security module patch, however, is a major change to the module interface. With this new interface, a module can easily hook code into many parts of the kernel; very few operations are left untouched. Thus, security modules can change the functionality of the kernel in ways that, under the current module interface, are not possible. Using this interface, a proprietary module could add much interesting new code, which may have nothing to do with security, to the kernel. Greg has, for now, removed the restriction as a result of the controversy. In the end, Linus will probably have to make the decision. Given that closed-source security modules will be able to do many things that are currently forbidden to proprietary code, however, there is a good chance that the security module patch will not be accepted without a licensing restriction. (The latest security module patch is the September 23 version). A proposal for module initialization changes. Rusty Russell has posted a proposal for changes to the module loading and initialization code in 2.5. These changes have a couple of goals: (1) decreasing even further the differences between linked-in and modular code, and (2) addressing the remaining race conditions associated with loadable modules. The changes also simplify the module loading code, allow the automatic exporting of module parameters to /proc, and provide a "warm fuzzy bleeding edge feel." If this scheme is adopted, the changes for modular code will be significant, but relatively straightforward. Module initialization, for example, will be split into two phases. The first sets everything up, but does not make the module visible to the rest of the kernel. It can fail, causing the entire module load to fail, without somebody else trying to access it halfway through. The second phase then makes the module visible, and is required to succeed. Unloading works in a similar way; the first phase makes the module invisible to new users in the kernel, while the second actually shuts the module down when no more users exist. As of this writing, there have been no comments on the proposal; people must either like it, or they don't think 2.5 will ever happen. Other patches and updates released this week (and the week before - we're catching up) include:
Section Editor: Jonathan Corbet |
September 27, 2001 For other kernel news, see: Other resources: |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Distributions page.
Lists of Distributions |
DistributionsPlease note that security updates from the various distributions are covered in the security section. News and EditorialsLinux DA. The Linux DA O/S, made by Empower Technologies, is an embedded, Palm compatible distribution that has been in the news this week. Some has been very favorable, and some has not. LinuxDevices covered the PowerPlay III PDA which runs Linux DA O/S for the Dragonball processor. Peter Kis wrote a review of LinuxDA that is mostly favorable. So far so good, but then this Newsforge article accused Empower of not playing by the rules of the GPL. LWN took a quick look at the Linux DA website. In the legal section the Linux trademark is mentioned, but the GPL is not. We did download the source code for Linux Kernel, available from the download section and used tar -t to look at the contents. There are some source files (.c and .h and Makefiles), but we also found gif files, core files, object files, and other things not usually found in a source package. The GNU GPL did not seem to be included. According to LinuxDevices, Empower has promised to comply with the terms of the GNU GPL. Time will tell. Distribution NewsDebian News. The latest edition of the Debian Weekly News includes discussions on using HFS+ with Linux, a summary of the talks on the use of the Java "repository" directory, and a preview of the new Ghostscript packages. The latest Kernel Cousin Debian Hurd includes discussions on syncing with Linux, xmalloc, xrealloc And Friends, and lists some packages that have been ported. Last week we posted a note about an opening for a Debian Security Secretary. Here is some clarification. You do not have to be a current Debian developer to apply, though a knowledge of Debian would certainly be helpful. Gibraltar News. Gibraltar is a Debian-based router/firewall distribution, fully workable from a bootable, live CD-ROM. Log files can be stored on a hard disk, and configuration data is stored on a floppy disk and kept on a RAM disk during run-time. Version 0.99.1 was released on September 24, 2001 and contains bug-fixes and new features. This product is "Free To Use But Restricted". Kaladix Linux. Kaladix Linux is designed to be a hyper-secure Linux distribution. Version pre-0.4 was recently released along with a move to a new domain. Old pointers to Kaladix no longer work, however the link in the LWN distributions list has been updated. LWN first covered Kaladix in the June 6, 2001 Security section. Since last June Kaladix has changed to the GNU General Public License and FormatGuard has been replaced by libsafe. Linux From Scratch. Linux From Scratch (LFS) is a project that provides you with the steps necessary to build your own custom Linux system. LFS has just released a new stable version, 3.0. See the change log for details on what's new. By allowing users to build their own custom system, LFS tries to teach users more about the internals of Linux. That's why we are now listing Linux From Scratch under 'Education' (on the right sidebar). Mandrake Linux News. Don't miss out on the Mandrake Linux Special 8.1 Preorders. Mandrake Linux 8.1 will be released soon. We also received the Mandrake Linux Community Newsletter in German this week. MSC.Linux News. MSC.Linux, self-styled as the "definitive cluster distribution" is designed for demanding computational environments in engineering and life sciences. On September 21, 2001 MSC.Linux version August 2001 was released. Version numbers just aren't for everyone. Slackware News. A new -current directory was started last Friday. For now, this will be used to hold upgrades to Slackware 8.0, starting with KDE-2.2.1. Those alert people who downloaded the above mentioned KDE-2.2.1 package right away may have noticed that something was missing. koffice-1.1/: source and packages for KOffice were added on September 24. Slack-Pack is an apt-get like program for Slackware Linux. Slack-Pack queries a mysql server and, if the package is found, Slack-Pack reports it, while a second program handles the downloading and installation. Please Note: Slack-Pack is not produced by the Slackware developers nor is it supported by them. (Found at userlocal.com) These step by step instructions on how to Build Securely a Shadow Sensor Step-by-Step Powered by Slackware Linux were also found at userlocal.com. SuSE Linux Firewall and Nimda. The recently introduced SuSE Linux Firewall on CD is capable of protecting your network from the Nimda worm. Of course the Nimda worm won't affect your Linux system, but it's not nice to pass it on to others, and that can happen. The Squid proxy server, one of the open source components of the SuSE Firewall on CD, can be configured to block files such as the one one in the Nimda worm. Wasabi Systems ships NetBSD v. 1.5.2. Wasabi Systems, Inc. announced shipment of NetBSD v. 1.5.2. This version includes additional machine support for Apple iBook and PowerBook laptops; security fixes for Kerberos, BIND, ssh, ntpd, ftpd, telnetd, and IP filter; performance enhancements for NFS, LFS, Symbios/NCR SCSI, sendmail, and dhcpd; and support for running Linux VMWare on NetBSD/i386. Minor Distribution updatesMindi v0.41. Mindi Linux builds boot/root disk images using your existing kernel, modules, tools and libraries. The latest release (tgz, RPM, SRPM), was made on September 23rd. See the changelog for details. Sorcerer GNU Linux 20010924. Sorcerer GNU Linux is a source-based ix86 Linux distribution designed for advanced Linux administration. You get a bzipped bootable ISO9660 installation CDROM image. Everything else will be built from the source code. It features menu and command line interfaces that enable sysadmins to download, compile, and install source tarballs directly from the software authors' homepages. The 20010924 release contains minor feature enhancements. The latest Install/Rescue ISO9660 contains glibc 2.2.4, linux 2.4.10, and utilities for kick-starting a new box such as the linux master boot record and a menu driven installer with support for ext2 and reiserfs. Sorcerer GNU Linux is released under the terms of the GNU General Public License. Distribution ReviewsRed Hat's market-leading Linux (ZDNet). ZDNet has posted an analysis of Red Hat Linux, covering the various product options and some of the limitations on those products. "Red Hat Linux is a bargain. The Red Hat package not only gives users the Linux source code to modify in any way they please, it offers a great deal more in terms of packaged applications, Apache, SMP support, and documentation. Further, clients have access to Red Hat Network, its online solution for managing a network of Red Hat Linux systems. All Security Alerts, Bug Fix Alerts, and Enhancement Alerts can be downloaded directly from Red Hat." SuSE Linux 7.2 Professional (ComputerShopper.co.uk). SuSE Linux 7.2 gets a favorable review on ComputerShopper. "In use, SuSE 7.2 is nice. It's a filesystem hierarchy standard-compliant (FHS) distribution based on the 2.4.4 release of the Linux kernel with features such as support for up to 64Gb of Ram and Pentium 4 processors. As well as up-to-date copies of a bunch of packages including KDE 2.1.2, Gnome 1.4, XFree86 4.0.3 and StarOffice 5.2, the big improvements in this version are support for encrypted and journalling filesystems." (Registration required - Flash required.) Section Editor: Rebecca Sobol |
September 27, 2001
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
|
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's On the Desktop page.
|
On The DesktopThe sound of Linux. While the desktop is often associated with graphical environments, word processors, spreadsheets, and games, there is one area that is often overlooked completely: audio. The Linux operating system is rich with audio support, especially in the 2.4 kernel based distributions. But the state of audio is rather confusing. Desktop users are looking for various things from their audio support, from playing simple sound files to streaming media support for things like radio, MP3, or Ogg Vorbis broadcasts. According to Dave Phillips, author of The Book Of Linux Music & Sound, Linux has done remarkably well in its support for these activities, especially when it comes to audio players. "Anyone migrating from other platforms will be looking for familiar software, things like media players," says Phillips. "Any media player that doesn't support audio is sort of a half media player. No one ever says much about audio but everybody expects it to be there. It's like salt in a cake: you know if it's gone." So where does audio come from for Linux? For most users with current distributions it comes from the kernel itself via the sound.o and soundcore.o kernel modules, plus a soundcard-specific module (users can run "lsmod" from a command line to see which modules are loaded, or "modprobe" to look for them and load them if they aren't already). These modules are sufficient for day to day desktop use for any of the available audio players, tools like XMMS or RealPlayer, and work with a majority of the available sound cards. Phillips adds, "You should be able to play 16 bit, stereo, CD quality sound files with no trouble, and that's the baseline audio for the desktop user." But the kernel drivers currently available aren't really sufficient if Linux is to make it into professional level audio markets. The OSS Linux drivers provide commercial support for audio that is somewhat better. But the future of Linux audio comes from the open source ALSA project. ALSA supports the OSS/Lite (the free version of OSS) API with a fully modularized sound driver. However, with ALSA the typical user will end up with half a dozen or more kernel modules loaded, rather more than with the current scheme. The hope is that the ALSA drivers will replace the kernel drivers with the release of the 2.5 Linux kernel sometime in the near future. Alan Cox has been amiable to this option but only Linus can make the final decision to make the switch, and that decision has yet to be made official even though many kernel developers fully expect it to happen. Phillips says that audio support has normally been pretty good for off the shelf Linux. "Kudos have to go to the major distributors. They did not ignore audio," he said with emphasis. Creative Labs and Hoontech have been very forthcoming (recently) with driver information. And laptop support has gotten better. "IBM is making special efforts to make sure their machines support sound right out of the box." Laptops and notebooks are often the toughest area of sound for the desktop user. But, like the difficulties encountered by the XFree86 project in trying to get programming information for new 3D cards, the audio world on Linux has to deal with the lack of information coming from audio hardware vendors. "I've lost track of how much energy has gone into cajoling and arm twisting the manufacturers," notes Phillips, "that it is in their interest to provide that information." And that is keeping Linux out of the professional audio arena. Phillips says, "We still don't have fully supported 3D audio or even hardware acceleration for audio. OpenAL is very promising with good cross platform support. But its success depends on its ability to compete with Direct3D. As far as I know we're still lagging there." Direct3D, however, is tied closely to Windows which gives OpenAL a chance if cross platform support is something the audio world really wants. The professional world has many needs, including 3D Sound and Dolby Surround sound. Both are very important for a number of professional applications, though he admits the most obvious use would be in games. "But in the world of academic music making, the wider electro-acustical music community want these features badly," he says. Simulation environments would also benefit from this support. Say Phillips, "You have to have multi-channel support for this, in other words fore and back speakers. This is just beginning to see full support out of the drivers for the Creative SBLive card." Interestingly, there are three different drivers for this card: Creative's, ALSA's, and OSS's. And each offers different features even though the source is open for this card. The reason for such differences is not clear but probably has something to do with the fact that the API for the card is rather extensive. "Effects processing is just being introduced with ALSA while Creative's driver provided it from the beginning," says Phillips. As far as applications go, for the desktop users wanting access to streaming media, Linux offers xmms which actually supports a variety of video formats such as MPEG and AVI along with the audio formats. Browser plugins with audio support include RealPlayer and RealVideo, Flash (which comes directly from Macromedia) and the Crossover plugin from CodeWeavers which now provides both Shockwave and Quicktime for Linux.
At the professional level the most sophisticated application at this point is probably ardour, by Paul Davis. "Ardour is a very ambitious project that is in very capable hands," says Phillips. "It is designed to be a fully professional, multitrack, multichannel, hard disk recording system." It's designed around the RME Hammerfall, a Hollywood post-production level card. RME provided the development specifications necessary to support this card by Ardour. Additionally, the application will work with just about any ALSA supported audio hardware. Professional level audio support may become a more pressing issue as the visual effects industry in Hollywood begins to adapt more and more Linux solutions. Phillips thinks the problems can be solved, but they haven't been addressed yet. "Some people from the Maya group [Alias|Wavefront's sophisticated 3D modeller and renderer] noted that audio is still a problem for them, and I believe the reason is that OSS 3 as it stands doesn't offer the kind of audio support they need for professionals and ALSA isn't quite there yet. So we're in a bit of an uncertain state, but our direction is clear and there are some very capable hands working on it." What audio lacks at this point is the killer app, the GIMP of audio. Phillips says that comment is made often. "Users coming from Windows often ask 'Where is the fucntional equivalent of CoolEdit 2000?', the most widely used sound editor on Windows. And we haven't really had an equivalent. There are maybe a dozen or so editors for Linux, all in various stages of development and many not very advanced." Some, he says, are nice, long lived programs such as DAP. But with that particular application you can only edit files in memory. That limits the size of the file you can edit to the amount of available RAM. Modern sound file editors are hard disk oriented, what Phillips called "non-destructive," and capable of handling much larger files. Snd, a sound file editor, is probably the most advanced along these lines but lacks a reasonable user interface. Phillips is working with the author of that program to address that issue. "Hopefully some of the advancements to snd will make it due for people looking for the audio GIMP." Or perhaps Ardour. It's just a matter of effort over time. With so many editor projects we have to wonder if there are too many projects or simply not enough developers. Phillips says we have plenty of both. The real answer is more about time and commitment. "Someone like Paul Davis is so committed to doing Ardour. CoolEdit has been in consistent development since the late 1980's. Linux has only been around since about 1992," which means the low level audio is just now getting to where the applications have begun to be written. "It's easy to write basic audio applications for Linux. OSS's API is pretty easy to work with. But when it comes to writing professional applications, OSS isn't enough. ALSA is needed, but not finished yet. So if you're writing a program like Ardour you can't have your 1.0 release till the audio reaches 1.0." And that means application developers have to be committed to their work, and patient in waiting for the underlying support. Phillips also says young programmers come along with the wrong ideas. "We don't need another MP3 player. We also don't need another sound file editor. Paul is dedicated to such a project and has been for some time. How many audio applications can you say that about? Not that many. Comparing the problem to the GIMP is useful - look how long it took for GIMP to become as good as it is." And in the process GIMP spawned things like GTK+. The same thing could happen with audio. With the right application, you'll have spinoffs. "But there just isn't anyone working on it yet", says Phillips. Audio Links
Desktop EnvironmentsKDE initiative aims for corporate desktops (ZDNet). ZDNet looks briefly at the KDE::Enterprise project which was announced yesterday. "KDE::Enterprise is an attempt to remedy one of the persistent limitations of Linux: its failure to achieve significant use as a desktop platform. This failure stands in stark contrast to Linux's success in back-end systems and particularly Web servers, where it controls up to a third of the market, according to some estimates." KDE 2.2.1: Linux desktop approaches maturity (ZDNet). ZDNet reviews KDE 2.2 (and 2.2.1) and says it will ease migration from Microsoft platforms. "A comprehensive user management program, KUser, lets you create, modify, and delete user logins on multi-user Linux systems. KCron provides similar functionality for managing automated background tasks. And KDE System Guard, like Windows' Task Manager, lets you view current tasks and kill problem applications. And since KDE is merely running on top of the X Window System, you can perform remote administration of any KDE-enabled system by redirecting application output to another X server on the network." Red Hat RPMs for KDE 2.2.1. There are now KDE 2.2.1 RPMs available for Red Hat 7.0 and 7.1. An Analysis of KDE Memory Usage. A SuSE employee notified KDE Dot News of an analysis he has done on the memory usage of KDE. His results apparently show that about "650KB of memory wasted per KDE application not launched via KDE Init", something he has reported to the GCC/binutils teams. Installation Guide For GNOME 1.4.1. GNOME Gnotices noted that a new installation guide covering GNOME 1.4.1 has been posted to the karubik.de site. This new guide joins the 1.2 guide prevously posted to this site. New GTK 1.3.8 libraries Released. A new developers version of the GTK+ toolkit has been released. This version is dependent on the JPEG/PNG/TIFF libraries and pkg-config 0.8 and addresses mostly bug fix issues. XFce 3.8.8. Olivier Fourdan has announced the release of XFce 3.8.8. This release includes improved sound support, better theme support and plenty of bug fixes. Office ApplicationsEvolution 0.14. Ximian has announced another beta for Evolution. The announcement includes the list of updates since the 0.13 release. AbiWord Weekly News. Two more issues of the AbiWord Weekly News have been published. Issue 58 notes that the release of 0.9.3 is not expected soon since there are still quite a few issues yet to be resolved. Issue 59 adds information on the work being done on dictionary RPMs, the availability of Darwin/X builds and details on release engineering requirements for the project. Desktop ApplicationsLinux browser wars (Canada Computes). This article on Canada Computes compares six web browsers for Linux. "It was a close call, but of the browsers tried, Galeon appears to be the best choice. Its not the fastest loading, it doesn't render pages quicker than the other browsers, nor does it look very nice. The fact is though, of the browsers tried, it offers what I feel is the best trade off between features and performance." KDE Edutainment Project Takes Off. The KDE Edutainment team officially launched the KDE Edutainment project today, noting the project already has several applications available for educational purposes including a form based exam tool and touch typing applications. gtkdial & gwvedit release. Modem configuration on Linux has always been a difficult proposition for the uninitiated. Part of the solution has been the evolution of wvdial, a system for setting up connections to multiple ISPs. A GTK based front end to this system, gtkdial, had a new release this week. Version 0.4.0 manages first time setup for users new to wvdial/gtkdial, and allows for secure and simple management of account data. Along with this application comes a new application - gwvedit - allows for direct editing of the wvdial configuration files. Rune For Linux Review (evil3D). Games site evil3D reviews the recently released Rune for Linux, from Loki. "I tried Mandrake 8.0, but the game wouldn't even load there. Someone later discovered a symlink issue that caused this, and proposed a fix for it in Loki's Fenris bug tracking system.. However, they still couldn't save games. Personally, I had to go all the way back to Mandrake 7.2 in order to get the game to run correctly. Not good. But like I said, only one other person reported as to be having the same problem." Sodipodi author interviewd. The author of Sodipodi, Lauris Kaplinski, was interviewed by Linux.com this week. "The good thing about using a published standard is that I do not have to spend time creating an imaging model. I just have to implement it. No extra headache keeping file format upwards/downwards compatible. Using SVG natively may give Sodipodi slight advantage in web development, as it will preserve 99.9% of hand-written structure." Sodipodi is a vector graphics project which is listed as part of the GNOME office suite. It offers a number of SVG based clipart files from the web site. And in other news...Interview: Trolltech's President Eirik Eng. KDE Dot News is carrying an interview of Trolltech's President, Eirik Eng which includes both business and technical Q&A. "We don't generate income from KDE directly, but KDE has certainly been instrumental in our success. Through KDE, many of our current customers learned about us. Many engineers hack on KDE in the evening, and then go into work in the morning and typically work as a developer. If they like Qt, they ask their boss if they can buy it." City of Largo uses Balsa as the e-mail program of choice. GNOME's Gnotices reports that the City of Largo, which reported its widescale use of Linux, is currently using the Balsa mail client. "I just looked, and there are about 50 people logged in right now and we are using about 200MB of memory for them. So in theory, we could run about 500 concurrently before it would swap. That is excellent." Section Editor: Michael J. Hammel |
September 27, 2001
| |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Development page. |
Development projectsNews and EditorialsA Potpourri of Web Projects This week, there were a number of interesting announcements for the web projects arena. Here is a summary of some of that recent work:
Audiompg321 0.2.0 released. A new version of mpg321, a free replacement for mpg123, has been announced. This release adds better compatibility with mpg123 flags, better Alsa and esd support, and bug fixes. (Thanks to Joe Drew) BrowsersMozilla license change. Mozilla has relicensed their project code to fall under the Netscape Public License (NPL), the GPL and the LGPL. "We are also repeating and reinforcing mozilla.org's policy that the NPL (either alone or in the form of an NPL-based dual or triple license) should not be used for new source files checked into the Mozilla source tree. Instead the new MPL/GPL/LGPL triple license described below should be used for all new files checked into the tree, unless you have specific instructions from mozilla.org to do otherwise." CryptographyHow to install GnuPG (LinuxWorld). Joe Barr tells us why encryption is necessary, how it works, and how we can use it as individuals. "Traditional cryptographic schemes use secret keys. This is called symmetric-key cryptography since both the encoding and decoding use the same key. One problem with secret-key cryptography is that everyone must have access to the same key. Not only are there logistical problems getting the secret key to all concerned, but there is always the chance that it will be compromised. A relatively new type of encryption, based on public keys, largely avoids those pitfalls." Embedded SystemsEmbedded Linux Newsletter for Sept. 20, 2001. LinuxDevices weekly summary of the embedded Linux market includes notes on the RTLinux vs FSF confrontation, the release of ColdFire as GPL, and Fujitsu's Linux-based humanoid robot. Device profile: FIC AquaPAD (LinuxDevices). The FIC AquaPAD is a handheld webpad that runs Midori Linux. LinuxDevices provides the details on this device. CNN is also carrying a short story on this device as well. FreeIO.org releases ColdFire uClinux SBC under GPL (LinuxDevices). LinuxDevices reports on the release under GPL of the design of the Toast ColdFire, a controller board with built in dual ethernet NICs. "The Toast board is the fifth design which FreeIO.org has released under GPL. Past designs have included programmable I/O boards for both PC and PC/104 bus interfaces. In each case the complete design files have been released, including all CAD files, programmable logic source files, manufacturing and programming files." Mail SoftwareTMDA 0.37 Spam Reduction System. Version 0.37 of the TMDA Spam Reduction System is available. TMDA is written in Python and works with the Qmail mail delivery system. This version improves the ability to pass mail from legitimate, but unknown senders. Printing SystemsLPRng 3.7.7 available. Version 3.7.7 of the LPRng print system has been released. This version fixes several bugs, and adds a new French translation. Web-site DevelopmentWriting Input Filters for Apache 2.0 (O'Reilly). Ryan Bloom discusses Apache Input Filters in an O'Reilly ONLamp article. Building Web Sites with Mason: Part I (Dr. Dobb's). Brent Michalski talks about installing Mason in part one of a series on Dr. Dobb's. "Mason is a tool for building web sites. There are hundreds of tool for building websites, but Mason is different. Mason gives you the full power of the Perl programming language without the bloat of unnecessary features." The latest ZopeNews. The latest ZopeNews includes discussions on exUserFolder, Graph Method 0.1.0, Latex Method 0.1.0, the MatLab DA and Method, ZBabel 2.0.0 beta 1, My Media Manager 0.9.2, and more. MiscellaneousGSView Beta 4.0.2 available. A new version of GSView Beta is available. GSView is a PostScript/PDF file viewer that is based on AFPL GhostScript, it is licensed under the Aladdin Free Public Licence. Version 4.0.2 features Greek and partial Dutch translations, bug fixes, and more. Section Editor: Forrest Cook |
September 27, 2001
|
|
|
Programming LanguagesCC/C++ developers: Fill your XML toolbox (IBM developerWorks). Rick Parrish informs us about XML tools for C and C++. "It seems as if everywhere you look there is some new XML-related tool being released in source code form written in Java. Despite Java's apparent dominance in the XML arena, many C/C++ programmers do XML development, and there are a large assortment of XML tools for the C and C++ programmer. We'll confront XML library issues like validation, schemas, and API models. Next, we'll look at a collection of generic XML tools like IDEs and schema designers. Finally, we'll conclude with a list and discussion of libraries either usable from or actually written in C and/or C++." CamlCaml Weekly News for September 19, 2001. The latest Caml Weekly News is out. Topics include the new OCamlODBC 2.5, configuring the O'Caml garbage collector, and updates to the Caml Hump, a collection of Caml projects. ErlangErlang Workshop Proceedings Online. The proceedings from the September 2, 2001 Erlang Workshop in Florence, Italy are now online. Eight different sets of notes are available covering many topics. More Erlang News. The Erlang Site also features a number of new articles on Erlang including writeups on STL, the Simple Template Language, a Unix domain socket driver, and more. HaskellThe (Interactive) Glasgow Haskell Compiler Version 5.02. A new major release of the Glasgow Haskell Compiler has been released. GHC 5.02 features new interactive capabilities, compatibility with the Revised Haskell 98 Language and Library Reports, and more. (Thanks to Jens Petersen). Perl1st CfP German Perl Workshop 4.0, 2002 (use Perl). A call for papers has been issued for the 4th German Perl Workshop to be held near Bonn in February 2002. How to interoperate between UTF-8, UTF-16, and UTF-32 (IBM developerWorks). Ken Lunde discusses conversions among character encodings on IBM's developerWorks. Example conversion algorithms are presented in Perl. Changing Hash Behaviour with tie (O'Reilly). Dave Cross looks at the uses of tied objects in an O'Reilly Perl.com article. "Tied objects are, in my opinion, an underused feature of Perl. The details (together with some very good examples) are in perltie and there are some extended examples in the ``Tied variables'' chapter of Programming Perl. Despite all of this great documentation, most people seem to believe that tieing is only used to tie a hash to a DBM file. The truth is that any type of Perl data structure can be tied to just about anything." Gartner: Java more than Perl?. A posting to use Perl suggests that both Gartner and Forrester cover Java far more than Perl. Does this mean Java is more important to business? PHPPHP Weekly News for September 20, 2001. The September 20, 2001 edition of the PHP Weekly News covers a new OpenSSL API, versioning and management of extensions, the Pcntl extension, more work on rand(), and other PHP developments. PHPReview 0.9.1 available. A new release of the PHPReview online reviewing system is available. The WHATSNEW file lists some security fixes, new support for InnoDB Support, and some page layout additions. PythonDr. Dobb's Python-URL!. This week's Python-URL! includes discussions on instance and class attributes, recursive generators, and bundled modules ala-Jars. What's So Special About Python 2.2? (Unix Review). Cameron Laird and Kathryn Soraiz take a look at Python 2.2 on Unix Review. "Part of what makes 2.2 excellent for newcomers is the enhancement of Python's longstanding strength as a "batteries included" language. When you install a Python distribution, you get not only the language in a narrow sense, but also a collection of libraries, utilities, and documentation that encompasses a large portion of working programmers' daily needs. Python seldom requires you to "go outside" its standard distribution to complete such common tasks as construction of a GUI, access of standard networking protocols, Unicode processing, or management of XML texts." Universal Serial Port Python library. Version 0.1 of the USPP library, the Universal Serial Port Python library has been announced. USPP allows Python to connect to serial ports using RS-232 mode and RS-485 is in the plans. Narval 1.1b1 announced. Version 1.1b1 of Narval has been released. "Narval is a framework (language + interpreter + GUI/IDE) dedicated to the setting up of intelligent personal assistants (IPAs)." This version drops support for Python 1.5.2 in lieu of Python 2.1, adds speed improvements, and a fully functional setup.py script. Pychecker 0.8.4 announced. A new version of Pychecker, the Python code checker, has been announced. This version finds even more bugs, and includes a couple of bug fixes. SmalltalkSeptember Squeak News. The September issue of Squeak news is out. This month features a focus on multimedia, a monthly digest of the Squeak mailing list, and more. Tcl/TkDr. Dobb's Tcl-URL!. The weekly Tcl-URL! is out. Topics include discussions on threads, compilers, extreme programming, server sockets and more. Section Editor: Forrest Cook |
Language Links Caml Caml Hump Tiny COBOL Erlang g95 Fortran Gnu Compiler Collection (GCC) Gnu Compiler for the Java Language (GCJ) Guile Haskell IBM Java Zone Jython Free the X3J Thirteen (Lisp) Use Perl O'Reilly's perl.com Dr. Dobbs' Perl PHP PHP Weekly Summary Daily Python-URL Python.org Python.faqts Python Eggs Ruby Ruby Garden MIT Scheme Schemers Squeak Smalltalk Why Smalltalk Tcl Developer Xchange Tcl-tk.net O'Reilly's XML.com Regular Expressions |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Linux in the news page. |
Linux in the newsRecommended ReadingPhil Zimmerman's response. The Washington Post has posted an article on how Phil Zimmerman, the man who brought the world PGP, was feeling after the attacks on the WTC. The article says that Zimmerman "has been overwhelmed with feelings of guilt" because of the possibility that PGP was used by the terrorists. Zimmerman, however, says this isn't quite right. "Because of the political sensitivity of how my views were to be expressed, Ms. Cha read to me most of the article by phone before she submitted it to her editors, and the article had no such statement or implication when she read it to me. The article that appeared in the Post was significantly shorter than the original, and had the abovementioned crucial change in wording. I can only speculate that her editors must have taken some inappropriate liberties in abbreviating my feelings to such an inaccurate soundbite." Copy-control Senator sleeps while fair-use rights burn (Register). The Register takes a look at the Security Systems Standards and Certification Act (SSSCA). "And yeah, what about Linux? How do you make the operating system, where every column inch of source code is available for inspection, SSSCA compliant? I think this may be a self-answering question: You can't - not unless some drastic changes to current licenses and code distribution are made. If there's a certain level of paranoia in Hollings' office regarding the SSSCA, perhaps it's understandable. From all perspectives, this is nothing more than a blatant attempt to offer a return on investment to campaign donors." Is Linux Going Mainstream? (Washington Technology). According to a Washington Technology article, Linux is moving beyond basic services for commercial industry but that the federal government was a bit behind in adoption. "The survey of 865 corporate and governmental IT decision-makers, including 70 respondents representing federal government departments and agencies, also indicated that state and local governments were slightly more likely than the federal government to move to Linux, he said." Separating fact from fiction about Linux (ZDNet). ZDNet gives us another recommendation for migrating to Linux now. "Linux is destined for a strong role on the server. It's a fine Unix variant and Unix people take to it like ducks to water." Letter urges govt to put faith in Linux (IDG NZ). The New Zealand Education Ministry is entering a $10 million deal with Microsoft, but not without some nudging from the open source world. "The letter points out that the governments of France, Brazil, Mexico and China are considering legislation which favours open source software and says open source supporters would welcome the opportunity to present the capabilities of open source software to the government as well as their ability to support it." KDE 2.2.1: Linux desktop approaches maturity (ZDNet). ZDNet reviews KDE 2.2 (and 2.2.1) and says it will ease migration from Microsoft platforms. "A comprehensive user management program, KUser, lets you create, modify, and delete user logins on multi-user Linux systems. KCron provides similar functionality for managing automated background tasks. And KDE System Guard, like Windows' Task Manager, lets you view current tasks and kill problem applications. And since KDE is merely running on top of the X Window System, you can perform remote administration of any KDE-enabled system by redirecting application output to another X server on the network." Cooperating Geeks (Linux Journal). Here is a story about a bunch of geeks who banded together to create their own ISP and learn about system administration by doing it. "What's even more satisfying is we do almost all of the work on free UNIX variants. Between OpenBSD and, of course, Linux, we've managed to bring all this together using free software. We use Sendmail mail servers, BIND name servers (nicely secured, of course), the Apache web server, all of which you'll find in use at the best commercial network providers. It's been "almost all" free software because we inherited some HP 9000 workstations, and the HPPA UN*X ports are nowhere near production ready. As such, they still run HPUX." CompaniesBorland to add Web services to Linux (ZDNet). Borland's offering will be added to its Kylix product and made available in the fourth quarter. "[Jason Vokes, Borland's European product line manager for RAD products] explained that this meant adding support for Simple Object Access Protocol (Soap), XML transfer capability and Web Services Description Language (WSDL)." IBM throws more support behind Linux (ZDNet). IBM is expanding its thrust into the Linux world, stating that the OS is now being used for applications and not just infrastructure. "IBM said over 2,400 enterprise-class applications are now available for Linux in its Solutions Directory, which lists IBM and partner offerings. The firm said it had won a number of recent Linux contracts, including one for Integrated Genomics, a DNA analysis firm using Domino on Linux." This comes on the heels of of IBM's announcement that it expects to generate sales of $7 billion from seven key growth areas, one of which is Linux. Red Hat Earnings Offer Reason for Cautious Optimism (News & Observer). In a quarter when nobody was expecting financial greatness from Red Hat, the open-source software company proved it could hold its own despite lagging sales. ResourcesRunning Linux on the Sega Dreamcast (LinuxDevices). LinuxDevices has posted a detailed discussion on getting Linux to run on a Sega Dreamcast. "You also need a CD-R burner that can write a multisession CD using the CD/XA data track (mode 2, form 1) format. Support for this configuration is widespread in all but the least expensive CD-R burners and programming software. Note that the Dreamcast's CD-ROM drive cannot read a CD-RW disk, but it can read a CD-R disk produced by a CD-RW burner." How to create a Linux-based network of computers for peanuts - Part 3 (LinuxWorld). The third in a series of articles on creating a Linux network covers putting together an application server for multiple X terminals. "The Linux kernel needs support for specific network cards compiled in, or loaded as a module. The distribution you use may be able to "autoprobe" for the NIC installed in your machine and configure the system to automatically load a kernel module -- you may be able to use "modprobe" or you might have to uncomment the line for your NIC in a rc.modules file -- but if not -- about the only generic remedy common to most all Linux distributions is to compile in support for your card." MiscellaneousNimda, Other Worms and Life on the Internet (Linux Journal). Linux Journal publisher Phil Hughes says that while open source helps prevent attacks, pride in your code may be even more important. "Individual programmers care that their code works. They view a bug report as positive; someone took the time to find a problem and let them know about it. I remember, for example, finding what I thought was a bug in the serial driver in Linux back in 1993. While I used to be a professional software tester before I got into publishing, I still somewhat sheepishly sent e-mail to Ted T'so suggesting that I might have found a problem. Ted's response was to send me a patch to try (which worked)." Section Editor: Forrest Cook |
September 27, 2001 |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Announcements page. |
AnnouncementsResources10 minutes to an iptables-based Linux firewall (LinuxWorld). LinuxWorld tells how to harden your Linux 2.4 machines in no time at all. "Those heavy load issues aside, the 2.4 kernel provides a wealth of networking capabilities 2.2 lacks. These include stateful firewalling and solid quality-of-service options. One could argue that the 2.4 kernel, and its iptables firewall code, enables a person to build intricate firewalls capable of competing with the likes of CheckPoint." How to create a Linux-based network of computers for peanuts (LinuxWorld). Here is a series of articles on LinuxWorld, on how to create an inexpensive Linux network. Part 1 covers how to get started. Part 2, rounding up more hardware. Part 3, configuring an application server. Reading and writing Excel files with Perl (IBM developerWorks ). IBM's developerWorks looks at using Perl to parse Excel files. "The bad news is that Spreadsheet::WriteExcel can not be used to write to an existing Excel file. You have to import data from an existing Excel file yourself, using Spreadsheet::ParseExcel. The good news is that Spreadsheet::WriteExcel is compatible with Excel 5 up to Excel 2000." Using Mandrake MD5 checksums (IBM developerWorks). A short shell application is used to show how to help secure Unix security. "Tracing modifications made to new system files with SGID/SUID flags is an extremely difficult task. But with enough experience and caution, system services and settings can be modified without changing standard file attributes (usually an administrator pays attention to the dates a file was created and modified)." Tip Of The Week: Being strong and lazy (LinuxLookup). This week's LinuxLookup tip of the week takes a look at the use of brace expansion on the shell command line. EventsEvents: September 27 - November 22, 2001.
Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format. Web sitesThe Linux StepByStep site is now availablie in new languages. The editors at Linux StepByStep have announced the availability of their site in the following languages: Chinese, French, German, Italian, Japanese, Korean, Portuguese and Spanish. User Group NewsThe Linux Users' Group of Davis. LUGOD will hold its next meeting on October 2, 2001. The topic will be MacOS X, presented by Robert Doss, Apple Computer. Eugene Expo. EUGLUG will be at the Eugene Computer & Internet Expo, 2001 on October 6-7 from 10am to 6pm in the Wheeler Pavilion in Eugene, Oregon. They will have demonstrations, giveaways, and presentations. LUG Events: September 27 - October 11, 2001.
Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn-lug@lwn.net in a plain text format. Section Editor: Forrest Cook. |
September 27, 2001 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
Software AnnouncementsHere are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways: The Alphabetical List and Sorted by license |
Our software announcements are provided courtesy of FreshMeat
 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Linux History page. |
This week in Linux historySix years ago Slackware Linux 3.0 was released. It included such bleeding-edge features as the ELF binary format and the 1.3.18 kernel. Five years ago, Red Hat released version 4.0 of its distribution. For the first time, it supported the Sparc and Alpha architectures, along with the usual x386. Other innovations included an XFree86 configuration process accessible to mere mortals, pluggable authentication modules, and the ill-fated "Red Baron" web browser.
Three years ago (October 1, 1998 LWN): This was the week when Intel and Netscape announced investments in an obscure company called Red Hat Software. If you were not paying attention at the time, you will likely have a hard time understanding the impact that those investments had. Intel has put its support behind numerous Linux companies over the last few years, and an investment from Intel is now relatively unremarkable. At the time, however, it was the first direct statement from an established technology company that Linux was going to go somewhere. It brought a new legitimacy to the Linux business arena. To a great extent, this investment changed the situation overnight.
In a way, the investments could be looked at as the day Linux bought a suit and shaved. Linux, a Unix-like operating system, so far has mostly been an underground computing phenomenon.
LWN reviewed GNOME 0.30. Things have come a very long way since then. Cygnus released the first version of its eCos embedded operating system. Red Hat, which had a proprietary CDE offering back then, discovered that it was full of bugs. Not only that, but Red Hat couldn't fix them. So they dropped the product, and pretty much got out of the proprietary software business altogether. The development kernel was 2.1.123. This kernel came out with a bunch of compilation errors due to a messed up patch application. After the screaming reached too high a point, Linus threw up his hands and left to take a vacation. This was one of the famous "Linus does not scale" events of the 2.1 development series, and served notice that something had to change. Three years later, kernel development seems much more stable - at least, from this point of view. Of course, there has been no development kernel since January... Caldera officially launched its 1.3 distribution. SuSE announced its "Office Suite 99" -- essentially a package built around its distribution and the ApplixWare office suite. Two years ago (September 30, 1999 LWN): Embedded Systems Conference was in progress, with lots of Linux activity. The big players were Cygnus, with its new EL/IX platform, and Lineo, which had a thing called "Embedix" in the works. PC Week put up a "Hack PC Week" challenge; its Linux server was promptly hacked. The problem, as it turned out, was a third-party ad serving script they had put on the system, along with a distinct lack of attention to application of security updates. Somebody was trying to get a project management system for the Linux kernel adopted. It's still not there. The first release of GNOME's Bonobo component system happened. The Magic Software penguins got pink slips. Dave Winer thought Microsoft should port its applications to Linux. It wasn't fatal because Java was a smoke-blow. But Linux is for real. Now is Microsoft going to make the same mistake? The smart thing to do, IMHO, is to fully embrace Linux. Let's work together to make Windows apps run beautifully on Linux. It'll be good for Microsoft. The only other choice is to be at odds with developers because the pull to Linux is economic and inexorable. We hope Dave wasn't holding his breath, waiting for it to happen. Linus Torvalds was awarded an honorary doctorate at the University of Stockholm. One year ago (September 28, 2000 LWN): talked about open source licenses, comparing the GPL to BSD style licenses. Andrew Leonard also talked about licenses in his Salon column. Yes, open-source licenses are boring, complicated, obtuse and multiplying in number faster than porn spam. But they are also the heart of the flourishing open-source software scene. The way they are used, or more to the point, the way they are not abused, is worth paying close attention to. Particularly if you are part of an industry like, say, the music business, where there currently seems to be a wee problem of copyright violation.
Hewlett-Packard won our 'fun patent of the week' award. They have a patent on embedded web servers. HP, thus far, has made no move to enforce this patent. Red Hat released Red Hat Linux 7 and also launched the Red Hat Network. Intel introduced an open source software implementation called CDSA - Common Data Security Architecture. Lineo released Embedix 3.0 and announced uClinux 2.4, based on the 2.4 pre-release kernel series. The Embedded Systems Conference hosted a panel session entitled "The Open Source Movement: Boon or Bane for Embedded Developers?" LWN's report can be found here. The anti-open source side brought up the old "open source does not innovate" charge: It is significant that the major open source companies are all leveraging already existing open source products, which were originally written with no commercial motivation. I contend that these companies will fail to ever truly innovate. Innovation requires a level of risk, and the returns will never justify the risk when the playing field has been levelled by an open source philosophy. Quoting John Fogelin of Wind River Systems: The embedded market is inherently fragmented, and therefore does not lend itself to being supported by a community-based open source development process. One way or another, in the embedded market, you really must invest in unique technology, because the needs are truly individualized. Innovation really does cost money. And here is the other side of the debate. The truth is that the free software movement is a long overdue course correction that reverses the software technology industry's progression towards a state that holds the rights of software vendors in higher regard than the rights of software consumers. Furthermore, products of the free software movement provide models that demonstrate how software should be designed, managed, and marketed in the coming years.
Section Editor: Rebecca Sobol. |
September 27, 2001
LWN Linux Timelines |
|
Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters See also: last week's Letters page. |
Letters to the editorLetters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them. |
September 27, 2001 |
From: Dylan Thurston <dpt@math.harvard.edu> To: editors@lwn.net Subject: "The open source world" Date: Thu, 20 Sep 2001 23:11:37 +0900 To the editors of LWN, In the "On the Desktop" section of your September 20th issue, you write ... Somewhere out there, someone had found a business plan that worked. Somewhere, the realities of business hadn't crushed the genuine spirit and dedication found so often in the open source world. Somewhere, there is business success with Linux. You then proceed to mention two companies, HancomLinux and The Tolis Group. HancomLinux (through theKompany) produces a few open source applications, but their focus is clearly on their proprietary products. The Tolis Group, as far as I know, supports no open source projects. In this respect, these two companies are no different from, say, Microsoft (which also supports some open source projects). Neither company can be considered part of "the open source world". Speaking for myself, I don't care about a "business success with Linux". I care about the success of free software. Sincerely, Dylan Thurston | ||
From: "Quick, Kevin" <Kevin.Quick@Surgient.com> To: "'letters@lwn.net'" <letters@lwn.net> Subject: FW: Project UDI status Date: Thu, 20 Sep 2001 15:41:37 -0500 In regards to your "Linux History" article of 20 September 2001, I'd like to borrow the time-honored words coined by Mark Twain: The news of Project UDI's demise is greatly exaggerated! Project UDI is still an active group, working on both specifications and implementations. These activities include maintaining a primary web site at http://www.project-udi.org/, along with active code for Linux and other platforms via a SourceForge-hosted project (http://projectudi.sourceforge.net/). More details on the Linux code port can be found at http://www.stg.com/udi. We've published the 1.01 version of the specifications, which is the basis of current implementations, and we are in the process of submitting it to a formal standards body. UDI drivers and environments have been released from several companies, and in fact have been bundled in the latest releases of Caldera Open UNIX 8 and OpenServer. Mail reflectors and teleconferences are used regularly to advance both the specification and the development code, and we have even held several interoperability events wherein UDI developers tested functional UDI drivers. Other activities have been publicly mentioned as well: http://www.project-udi.org/press_releases.html. While on the subject, I'd also like to comment on the quote that you referenced. Unfortunately, the brief subcontext represented by the quote does not really communicate the message we were intending. Project UDI does not depend on the Linux community, and (obviously) neither is the reverse true. The conversation from which the quote was generated was a discussion of the relationship between the Linux community and Project UDI in which I was attempting to invite the Linux community to solve one of their recurring issues (the availability of good device drivers for whatever Linux kernel version was interesting to the sysadmin) by writing UDI drivers, which would also provide Project UDI with a broader base of existing drivers. This was not an attempt to co-opt Linux developers to provide device support for proprietary Unix solutions, but rather an invitation for many of the developers to exhibit their proclaimed skills in this area. Any IHV or system vendor who is interested in UDI can develop UDI driver solutions on their own (and several already have). We also see UDI as a vehicle to help other open source OS projects. For example, a FreeBSD port is under way, which would allow them to leverage drivers originally written for proprietary OSes or Linux (or vice versa). While no code or project exists very well in a vacuum, the success of Project UDI is not intrinsically linked to the success of or acceptance by the Linux phenomenon. Project UDI is, in fact, antithetical to the concept that an API or development environment is dependent on one single OS and is instead a focus on allowing drivers to drive devices and OS's to provide system utilization without constraining or uniquifying either one. We certainly welcome the interest and assistance of the Linux community, and we feel that we have much to offer in return. It's also important to note that several other OS environments have successful releases or in-progress developments of UDI environments. I'd invite you to download UDI for your Linux environment and to peruse our specifications. We are an open community and welcome anyone with valid questions or an interest in working with us. Regards, Kevin Quick Project UDI Editor (and former Chairman) | ||
From: tom poe <tompoe@renonevada.net> To: letters@lwn.net Subject: Comment on "Pulling Back to IP" Date: Fri, 21 Sep 2001 11:54:15 -0700 Cc: "DMCA" <dmca_discuss@lists.microshaft.org> Hello: Your intro to the DMCA issue seems to be somewhat understated in my humble opinion: "The DMCA has stirred panic among some of our readers. While that bit of legislative muck isn't something to sneeze at, it isn't the cause of all changes to the open source world." From: 9/20/2001 issue. I suspect, after reading Pamela Samuelson's article at: http://www.sciencemag.org/cgi/content/full/293/5537/2028 most people will not only be educated at the level necessary to appreciate the "shuddering and convulsing" that is occurring, but the importance of what is happening in our Free Country, and around the world, unlike anything before. And while you're reading, I encourage everyone to take a moment, and imagine a world that begins with MS IPAQ devices, and ends with . . . Well, I leave it to the readers to think about such a world. A world made up of "approved" devices, Internet2, which carries only privileged information for governments and the chosen few, and ICANN domain controls yet to come. Tom | ||
From: Jarkko Santala <jake@iki.fi> To: <letters@lwn.net> Subject: Comment on 3D Date: Fri, 21 Sep 2001 20:18:28 +0300 (EET DST) Hi all, Something came into my mind when I was reading the front page article where 3D acceleration was mentioned. You pointed out that for the desktop itself 3D is completely unrequired, which is true. But think of this: a user has to choose between platforms A and B, where platform A will run her desktop applications like word processing but 3D acceleration which is need for games is not supported, whereas platform B does an equally good job on the desktop and also supports all the latest and fastest bleeding edge 3D graphics adapters. Which one would you choose? -jake ps. the movie industry and other professionals who need fast 3D in their work are another story altogether... -- Jarkko Santala <jake@iki.fi> http://www.iki.fi/jake/ System Administrator Cell. +358 40 720 4512 | ||
From: billy foss <fossinrtp@netscape.net> To: letters@lwn.net Subject: Digital Copyright Solutions Date: Fri, 21 Sep 2001 01:52:49 -0400 Has the open source community presented an open alternative for digital rights management? It would seem that the open source community would respect the licenses given by digital media creators. We rely on copyright law to keep the GPL freedoms. Given the failures of proprietary security methods maybe the MPAA, Adobe, Disney, etc could be persuaded to consider an open solution. An open solution would provide the best oppertunity to fix any weaknesses before a full implementation. Of course, the content owners would have to sponsor some company to design and implement a solution. They should also fund third-party studies of the algorithm and implementation to ensure security. If the digital media is important enough to sue any possible threat, then it should be important enough to fund the research to do it right. The problem with the current approach of preventing research into breaking encryption and digital rights management is that it only stops the good guys looking for bugs to discover. It does not stop the bad guys from looking for bugs to exploit. Both will find the bugs, but only one side will tell you about it nicely. Billy Foss | ||
From: sewalton@aep.com To: netadmin@TechRepublic.com Subject: Article comment Date: Wed, 26 Sep 2001 15:52:30 -0400 Cc: lwn@lwn.net John McCormick's article entitled "By the numbers: Comparing Windows security to Linux" details some claims that don't add up. First of all, he does not include severities with the defects. Severity is very important for proper comparison. Similarly, it's not clear that he's only looking at vulnerabilities (not just bugs). Vulnerabilities are the primary concern to a net admin, security officer, and CIO. Also, the numbers he getting do not reflect the whole system on Windows. Linux is a kernel, so you have to evaluate an entire package or distribution for vulnerability. If a Linux system just had the kernel and no other tools (like as in a NAT firewall), you would see far fewer vulnerabilities. Windows, on the other hand, breaks out many functions into tools and services. So, to get the whole picture, you have to search on the entire package, including both the OS and the tools. If you use the ICAT website (http://icat.nist.gov/icat.cfm), which draws its info from several vulnerability databases, you get different numbers than what Mr. McCormick presents: |-----------+-----------+-----------+-----------+-----------+-----------| | Platform | Within 3 | Within 6 | Within 12 | Within 24 | All | |(Severity) | Months | Months | Months | Months | | |-----------+-----------+-----------+-----------+-----------+-----------| | Microsoft| 20 | 26 | 58 | 95 | 130 | | (High)| | | | | | |-----------+-----------+-----------+-----------+-----------+-----------| | Microsoft| 29 | 38 | 84 | 163 | 229 | | (Medium)| | | | | | |-----------+-----------+-----------+-----------+-----------+-----------| | Linux| 12 | 13 | 44 | 96 | 146 | | (High)| | | | | | |-----------+-----------+-----------+-----------+-----------+-----------| | Linux| 11 | 15 | 50 | 86 | 124 | | (Medium)| | | | | | |-----------+-----------+-----------+-----------+-----------+-----------| These numbers are cumulative and do not reflect the number of outstanding defects. The primary advantage of OpenSource is the very fast turn around times -- days as compared to Microsoft's months. ---------------------------------------------- Sean Walton Senior IT Consultant Author of "Linux Socket Programming" American Electric Power | ||
Copyright © 2001
Eklektix, Inc., all rights reserved