[LWN Logo]
[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters
All in one big page

Other LWN stuff:
 Daily Updates
 Calendar
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Archives/search
 Use LWN headlines
 Advertise here
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- Gaël Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials


Not good enough. A look at this week's LWN Security Page shows that it has been a busy week. The PHP updates were still wandering in when problems turned up with OpenSSH and the zlib library. This is a scary set of vulnerabilities.

PHP is present on, according to the PHP usage page, well over 7 million domains. OpenSSH can be found on most security-conscious systems. And the zlib library finds its way into no end of applications, and even the Linux kernel. Each of these vulnerabilities has instantly exposed a large portion of the entire installed base of Linux (and Unix) systems. (In all fairness, it's not clear that the OpenSSH bug is exploitable remotely, and the zlib problem looks like a hard one to take advantage of). This is the stuff that large-scale damaging worms are made of.

It is fortunate, in other words, that nobody with the requisite skills felt the whim to take down the Internet with these vulnerabilities. The cause of Linux World Domination would certainly be set back a bit if vast numbers of Linux systems simultaneously fell prey to a vicious attack. One of these days, a widespread vulnerability will be discovered by somebody with hostile intent; that will not be a good day.

The security of open source software may well be better than that of proprietary code, but it's clearly not good enough. We are all exposed to vulnerabilities lurking in code that we depend on every day. The free software community has to improve its security performance soon, or somebody is going to rub our noses in how bad it really is.

The GNU HURD will be ready by the end of the year, or so says Richard Stallman in this PC World article. Says Richard:

We actually have the GNU kernel working, and we can now produce the GNU system, as opposed to the GNU/Linux system that people have been using so far.

The HURD, of course, is the operating system kernel built by the GNU project, which is based on the Mach microkernel. It has been under development since 1990, and many have despaired of seeing it ever reach a releasable state. But most have paid little attention; the Linux and BSD kernels have been more than adequate for a long time. What is the point of releasing a GNU kernel now?

There's a few obvious reasons that come to mind. One is that it is, in a real sense, the completion of the GNU project as laid out by Richard Stallman almost 20 years ago. The microkernel architecture is seen by some as being inherently superior to the monolithic design of the Linux kernel (though there is hardly a consensus on that point). Finally, one should not overlook this other quote from the PC World article:

Distributions of GNU/Linux include commercially licensed software, and that diverts the user and developer community from the goal of freedom, according to Stallman. "One of the reasons we are looking forward to having the GNU system finally available from the GNU Project is that it will be only free software," Stallman added.

It will take an interesting interpretation of the GPL and LGPL to keep proprietary software off the GNU kernel, but it appears that RMS is planning to try.

The chances are that no mainstream commercial software house would try to challenge a "free software only" edict for the HURD kernel. Linux and BSD both, after all, have no problem with proprietary applications. Thus, it seems unlikely that the HURD will mount a substantial challenge to the established free kernels anytime soon.

Unless, of course, the claims of technical superiority turn out to be true. If the HURD really is that much better, we may yet find it on our desktops, and "the GNU/Linux system that people have been using so far" could find itself consigned to history. But the HURD will have to be a lot better...

Running a free software business with donations. MandrakeSoft, the publisher of the Mandrake Linux distribution, has put out its strongest call yet for donations to help keep the business going:

As a company, we make our revenue by selling packaged versions of the distribution and by delivering services such as consulting, training, etc. -- but our development costs and community-based services are not yet covered by income. It is estimated that we will "break even" by the end of 2002, but it is unlikely that MandrakeSoft can remain unchanged during these next few months without drastically cutting costs unless additional revenue is generated quickly.

The company is hoping to generate that additional revenue through memberships in the Mandrake Linux Users Club and Corporate Club. Without these memberships (i.e. donations), MandrakeSoft will likely have to take further staff cuts, with the company's various free software developments being among the first things to go.

Could it really be true that the open source business model is fundamentally broken, that the only way for an open source business of any size to survive is by asking its users for tips? MandrakeSoft claims that is not the case:

The company's long term prospect are very good, but we are still paying for the "sins" of the previous management.

According to the posting, if MandrakeSoft can get past its current short-term problems, it should be in good shape for the long run. One can only hope that this claim is true. MandrakeSoft is perhaps the most community-oriented of the large commercial distributors. The company's openness to its users and commitment to free software are unparalleled. If MandrakeSoft were to fail, or to change its community-oriented approach, the community would suffer a great loss. It will be a sad sign if a company that builds such high-quality products and that is so responsive to its customers were not a viable operation.

But, then, perhaps it is appropriate that the user community should be asked to support this sort of corporation directly. Mandrake users derive a real and substantial benefit from that distribution; it is not too much to ask that they help fund its development. Making donations to support the software that one uses makes all kinds of moral sense. It is hard to see a viable way for users to contribute to all the developers of all the free software they use. But helping out a community-oriented distributor seems like a good start.

Supporting LWN. There's another community-oriented free software business which could use your help: LWN.net. We, too, are facing a short-term cash crunch and need some income to keep the site on the air for the next few months while longer-term initiatives mature. To that end, we have a couple of ways in which you, our readers, can help out:

  • Donations. Numerous readers have asked us over the last few months whether we would accept donations. We may be distressingly slow in responding to such an obviously good thing, but we eventually get there. We're glad to announce our donation page, where interested readers can contribute to LWN via Paypal. (Yes, we realize that not everybody has or wants a Paypal account; we are working on other alternatives).

  • Advertising. LWN could use some more advertisers. If you have a small business or other endeavor that you would like to advertise on LWN, please have a look at our self-service advertising page. A small amount of money can yield a great deal of exposure to LWN's readers.
We thank you, as always, for your support. Dealing with our readers has always been the greatest reward of working on LWN.

Inside this LWN.net weekly edition:

  • Security: Significant zlib vulnerability; OpenSSH release; Java VMs and Linux
  • Kernel: The IDE hostile takeover; taskfile and filtering; ultra-fast kernel compiles.
  • Distributions: Debian Project Leader Elections; New - Arch Linux; LFS 3.2 is out.
  • Development: GTK+ 2.0, GNOME 2.0b2, mpg321 0.2.9, Mozilla 0.9.9, Galeon 1.2, Gimp 1.3.4, Samba 2.2.3a, GnuCash 1.6.6, oprofile 0.1, Valgrind memory debugger.
  • Commerce: HP Announces Global Consortium; Embedded Linux Market enters era of standardization.
  • Letters: France and patents; SSSCA; AOL and Linux.
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:


March 14, 2002

 

Next: Security

 
Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds