[LWN.net]
Leading items


Was the Windows refund day a success? By one set of metrics, the answer would have to be "no." The turnout for the event was tiny, and, as expected, no refunds were issued. It is difficult to avoid thinking that a more concerted effort to get people out into the streets might have paid off handsomely. Perhaps publications like this one should have been a much bigger part of such an effort.

But that would be a short-sighted view, in any case. The Windows refund effort has succeeded in creating a much broader understanding of the nature of the "Microsoft tax." News reports all over the planet presented a sympathetic picture of computer users who simply wish to not be forced to pay for software that they do not use. Awareness of the problem - and of the fact that many of us have found an alternative preferable to Windows - is now much higher. The Windows refund people have done very good work, and deserve the strongest of congratulations.

It's Time to Talk about Free Software Again, says Bruce Perens in this editorial sent to LWN. "I fear that the Open Source Initiative is drifting away from the Free Software values with which we originally created it. It's ironic, but I've found myself again siding with Software in the Public Interest and the Free Software Foundation, much as I did in 1995."

How Linux handles security problems, part II. As might be expected, last week's somewhat ill-tempered editorial on security drew quite a few responses. We would like to follow up in a couple of areas. First, with regard to how the various distributions responded to the FTP vulnerability:

  • Caldera still has not updated its security page (which is nicely available from their front page) since November. We are told that an ftpd fix was made available by Caldera's VAR network, but Caldera still does not appear to have a generally-available fix.

  • Debian had a patched FTP daemon available very quickly after the problem was found. However, they held off on a general announcement for a couple of days while the fix got into the archives and the various mirror sites got caught up, and it did not appear on the debian.org web page during that time. Wichert Akkerman tells us that Debian is working on a mechanism to get security fixes out more quickly.

  • Red Hat, as noted last week, produced and announced a patch very quickly, but, due to heavy traffic, access to their FTP site was essentially impossible. Their mirror sites, too, were blocked out, and thus did not carry the update for some time. Red Hat claims that things are working better now.

  • Slackware users don't like to be left out, and many of them wrote in to tell us that a Slackware fix for the Pine vulnerability was in place before the alerts went out. There still does not appear to be a fix out for the FTP problem, though.

  • SuSE also evidently had a patch available and noted on their German updates page. They also mention it on an English page which is accessible via a series of clicks from their English-language European page, but there appears to be no obvious path to it (or a similar page) from their North American page. SuSE tells us that they are hiring a full-time security person.

  • TurboLinux does appear to have a patch in place, but you have to look deep into their FTP area to find it. Their errata page was updated on the 16th, but makes no mention of the problem.

So, while we are far from perfection, it would appear that the response of most of the Linux distributions to this security problem was reasonably prompt - certainly far better than is seen with proprietary software.

The problem, thus, lies not with producing patches that close security holes, but in getting those patches into the hands of users and system administrators everywhere. There are two separate aspects to this problem: communications and infrastructure.

Communications has to do with letting people know that patches are needed and available, and with telling them where to find these patches. We repeat our call from last week for each distribution to make security information available from its front page (in each language that they support). When people are looking for a patch (now!), it is too late to tell them they should be on some mailing list.

Putting out patches is of limited use, however, if said patches are inaccessible. As the popularity of Linux grows, servers used by distributions will become ever more susceptible to overwhelming surges in traffic. We were taken to task by some readers who thought we were expecting Red Hat to have the bandwidth to handle such surges. We were not suggesting that; as the number of users and their available bandwidth grow, it will probably prove impossible, and certainly uneconomical, to put in such fat pipes.

Setting up that amount of bandwidth is also unnecessary. All that is really needed is a mirror system that actually works. The Linux kernel archive mirror system, set up by H. Peter Anvin, is a great example of how to do things right. Access to the main site is controlled so that the mirrors are always able to update themselves. DNS is set up properly so that one need not actually know the name of a mirror site. It all just simply works.

Companies like Red Hat already have the most important piece for a good mirror system: a large set of willing mirror sites. A bit of organizational work should be all that's needed to make the mirror system function well.

Free software pioneers. The EFF is seeking nominations for their 1999 Pioneer awards. It would be nice to have some good nominations from the free software world (but remember that Linus Torvalds and Richard Stallman won last year).


February 18, 1999

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds