Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests
Not good enough. A look at this week's LWN Security Page shows that it has been a busy week. The PHP updates were still wandering in when problems turned up with OpenSSH and the zlib library. This is a scary set of vulnerabilities.
According to the PHP usage page, PHP is present on well over 7 million domains. OpenSSH can be found on most security-conscious systems. And the zlib library finds its way into no end of applications, and even the Linux kernel. Each of these vulnerabilities has instantly exposed a large portion of the entire installed base of Linux (and Unix) systems. (In all fairness, it's not clear that the OpenSSH bug is exploitable remotely, and the zlib problem looks like a hard one to take advantage of.) This is the stuff that large-scale damaging worms are made of.
It is fortunate, in other words, that nobody with the requisite skills felt the whim to take down the Internet with these vulnerabilities. The cause of Linux World Domination would certainly be set back a bit if vast numbers of Linux systems simultaneously fell prey to a vicious attack. One of these days, a widespread vulnerability will be discovered by somebody with hostile intent; that will not be a good day.
The security of open source software may well be better than that of proprietary code, but it's clearly not good enough. We are all exposed to vulnerabilities lurking in code that we depend on every day. The free software community has to improve its security performance soon, or somebody is going to rub our noses in how bad it really is.
The GNU HURD will be ready by the end of the year, or so says Richard Stallman in this PC World article. Says Richard:
We actually have the GNU kernel working, and we can now produce the GNU system, as opposed to the GNU/Linux system that people have been using so far.
The HURD, of course, is the operating system kernel built by the GNU project, which is based on the Mach microkernel. It has been under development since 1990, and many have despaired of seeing it ever reach a releasable state. But most have paid little attention; the Linux and BSD kernels have been more than adequate for a long time. What is the point of releasing a GNU kernel now?
A few obvious reasons come to mind. One is that it is, in a real sense, the completion of the GNU project as laid out by Richard Stallman almost 20 years ago. The microkernel architecture is seen by some as being inherently superior to the monolithic design of the Linux kernel (though there is hardly a consensus on that point). Finally, one should not overlook this other quote from the PC World article:
Distributions of GNU/Linux include commercially licensed software, and that diverts the user and developer community from the goal of freedom, according to Stallman. "One of the reasons we are looking forward to having the GNU system finally available from the GNU Project is that it will be only free software," Stallman added.
It will take an interesting interpretation of the GPL and LGPL to keep proprietary software off the GNU kernel, but it appears that RMS is planning to try.
The chances are that no mainstream commercial software house would try to challenge a "free software only" edict for the HURD kernel. Linux and BSD both, after all, have no problem with proprietary applications. Thus, it seems unlikely that the HURD will mount a substantial challenge to the established free kernels anytime soon.
Unless, of course, the claims of technical superiority turn out to be true. If the HURD really is that much better, we may yet find it on our desktops, and "the GNU/Linux system that people have been using so far" could find itself consigned to history. But the HURD will have to be a lot better...
Running a free software business with donations. MandrakeSoft, the publisher of the Mandrake Linux distribution, has put out its strongest call yet for donations to help keep the business going:
As a company, we make our revenue by selling packaged versions of the distribution and by delivering services such as consulting, training, etc. -- but our development costs and community-based services are not yet covered by income. It is estimated that we will "break even" by the end of 2002, but it is unlikely that MandrakeSoft can remain unchanged during these next few months without drastically cutting costs unless additional revenue is generated quickly.
March 14, 2002