
Linux links of the week


Are you stuck behind an oppressive firewall? When things get really desperate, have a look at MailTunnel, which somehow actually manages to tunnel TCP/IP connections through a series of email messages...

The i-opener is a $99 flatscreen computer system sold by Netpliance. The system runs a special version of QNX, and is intended to make money via ISP fees - it only connects to Netpliance's proprietary service. People have figured out, however, that, with the addition of a cheap disk drive, these systems can be made to run Linux. For information on how to make a bargain-basement Linux system, see this page on linux-hacker.net (where you can also buy the needed drive bracket and cable), or the i-opener Linux page. (Thanks to Dub Dublin and Gordy Perkins).

Section Editor: Jon Corbet


March 16, 2000

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
 
   
Date: Thu, 9 Mar 2000 16:50:01 -0500
To: lwn@lwn.net
Subject: Something to think about...
From: Zygo Blaxell <zblaxell@genki.hungrycats.org>

This is possibly an abuse of statistics...no, wait, I take that back.
This is _definitely_ an abuse of statistics.  But it's interesting to
think about this nonetheless, especially in light of FUD-generators who
like to point out that Linux is "unstable", meaning that it changes often,
as if that were something undesirable.  The obvious question to ask
a FUD-generator is "how stable does software have to be, before it
becomes good?"  The following may be an answer, and I think it'll catch
a lot of FUD-generators off guard...

I was recently auditing some data I had collected from the Debian project
and came across the following statistic:  Code changes are submitted to
or accepted by the Debian project once every 13 seconds to 7 minutes
(depending on time of day).  In other words, in the time it takes to
dial a 1-800 number, someone may have fixed a bug in or added a feature
to Debian, sometimes before the first ring, and definitely before you
finally get off the holding queue and talk to a real human being. 

By contrast, the Linux kernel often sits idle for just under 6 minutes
at a time without anyone even discussing, much less submitting, patches
for it.  Bug fixes can take several hours to get integrated.

(This data comes from the debian-devel-changes@debian.org and
linux-kernel@vger.rutgers.edu mailing lists.  If the results are
reproducible at all, the errors are at least one order of magnitude.)

Interestingly enough, many people feel that Debian is a Linux distribution
that is technically superior to a number of similar Linux distributions
which are revised less often.  Apparently having a very high revision
rate does not by itself have a negative effect on software quality, or
Debian is doing something else which compensates for this effect.

Perhaps a future Debian project slogan should be:

	"Debian:  the most unstable software of all time." 

Unfortunately, many people would require re-education before they are
able to interpret that statement correctly...

--

Opinions expressed are my own, I don't speak for my employer, and all that.
Encrypted email preferred.  Go ahead, you know you want to.  ;-)
OpenPGP at work: 3528 A66A A62D 7ACE 7258 E561 E665 AA6F 263D 2C3D
   
Date: Fri, 10 Mar 2000 12:05:37 -0500 (EST)
To: erricoe@stfb.com
Subject: the meaning of "open source"
From: kragen@pobox.com (Kragen Sitaker)

I understand you are claiming http://www.stfb.com/fagreement.html is an
"open-source license".

As applied to software licenses, "open source" is a term invented by
Christine Peterson a couple of years ago to denote a specific kind of
license: licenses that give all users the freedom to use, modify, copy,
and redistribute the software, for profit or otherwise, in source-code
and executable forms.  The detailed definition is at
http://www.opensource.org/osd.html.

Your license prohibits users from redistributing your software for
profit and prohibits redistribution of the source code.  It is,
therefore, not an open-source license.

Your claim that it is an open-source license is confusing to people new
to open-source software.  When they encounter software that is
correctly labeled as "open-source", they will not understand the
guarantees this gives them until they understand that your software is
not open source.

I understand that there are many software developers who see the
advantages of open-source development and would like to join our
community.  I assume that your efforts in this direction are honest,
and I hope the flood of flames that is surely descending upon your
mailbox due to your premature labeling doesn't discourage you.

-- 
<kragen@pobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08.  Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
The power didn't go out on 2000-01-01 either.  :)

   
Date: Sat, 11 Mar 2000 19:07:47 GMT
From: Cor Gest jr <cor@clsnet.nl>
To: letters@lwn.net
Subject: Opensource vs GPL


Often I see comments on ads which advertise non-free programs
which balk at the fact that although "Open-Sourced" they are not GPL'ed also. 

But Hey, get real:

GPL'ed software is always Open-Source but not all Open-Source software
has to be GPL'ed by default.

It would be nice, but even coders have to eat.
 
I rather pay for a non-GPL'ed piece with Source-Code-Included than a free
(as in beer) binary without and thus being at the mercy of the makers.

All cars are motorised-vehicles but not all motorised-vehicles are cars ! 

just my 2 euro-cents 

cor

   
Date: Mon, 13 Mar 2000 09:09:49 -0600 (CST)
From: Dave Finton <surazal@nerp.net>
To: letters@lwn.net
Subject: Thoughts about "We Teach Linux Too!"


This is in response to the OSOpinion article "The Dangers of
Over-commercialization" at
http://www.osopinion.com/Opinions/TJMiller/TJMiller17.html

I think the person writing the article might be a bit paranoid about
teaching Linux to students.  Granted, Linux shouldn't be misrepresented as
something as "easy to learn" as Windows (ease-of-use is more of a personal
bias... I think that Linux is *much* easier to *use* than Windows, which
is why I use it).  However there are a couple of items to keep in mind:

TJ Miller writes:

"Unix is usually taught at the collegiate level, and most *ix professors
seem to thrive on intimidating their students into utter shock (well, mine
surely did...) On the other extreme, all this cooing and singing about
Linux as being 'no big deal' to learn, does just as much harm to the
novices as scaring them would do."

That has nothing to do with the complexity of the system.  That Unix
professor he mentions comes from a strange and distant culture where it
took balls and talent to even so much as get an account on a Unix machine,
let alone own one for yourself.  Those days are far gone.  The type of
arrogance you once saw in the old-school Unix culture is still around, but
those days are numbered.  A larger and larger portion of the normal people
like himself and many others are using Unix now, in the form of Linux
usually.  The old elite culture won't last too long in that environment,
and you'll see teaching methods changing from "here's a few commands, now
go compile yourself a C program" to more comprehensive programs.  Things
like certifications, etc. will help in this regard a great deal.

Another question I have to ask is: Why is Unix taught at the collegiate
level only?  Why not at elementary school or at high school?  Before you
say it's because kids won't understand anything so complex, remind
yourself who exactly it is that first figures out to program the time on
the VCR in your average household so that it won't blink 12:00 all the
time.  The early years are ideal for learning this stuff, because it shows
kids how a well-engineered system is designed.  And since kids soak up
knowledge like sponges (well, at least they do during the pre-teenage
years), it makes sense to teach the young folk how to use a "hard" system
before they even figure out what a "hard" system is supposed to look like.

The problem lies at the teaching level.  It's not the kids who are to
worry about.  It's the grown-ups teaching the kids.  If a teacher has a
negative experience with something (like Linux) they can easily transfer
that dislike to the kids with little effort.  The solution is, of course,
advocation of the Linux certification programs out there, as well as good
training courses.  That will do the hand-holding that T.J. Miller desires.

Well that was a tangent, so I'll finish with this parting
thought:  "Beware MCSE's offering Linux candy."  :^)

                          - Dave Finton

---------------------------------------------------------
| If an infinite number of monkeys typed randomly at    |
|   an infinite number of typewriters for an infinite   |
|   amount of time, they would eventually type out      |
|   this sentencdfjg sd84wUUlksaWQE~kd ::.              |
| ----------------------------------------------------- |
|      Name:      Dave Finton                           |
|      E-mail:    surazal@nerp.net                      |
|      Web Page:  http://surazal.nerp.net/              |
---------------------------------------------------------

   
Subject: Stallman interview
To: lwn@lwn.net
Date: Mon, 13 Mar 2000 16:46:24 -0700 (MST)
From: woods@ucar.edu (Greg Woods)

In a recent online interview, Richard Stallman was quoted as saying:

   "That movement studiously avoids mentioning idealistic concepts such
   as freedom and community, and as a result most of the
   newcomers have no idea that you can think of free software in those terms."

You *can* think of free software in those terms, but the reality is
that only the religious fanatics actually do. The vast majority of
ordinary people, especially in the business world, *will* think about
open source software as being in direct competition with pay-for
closed-source software. Is it cheaper and/or better, does it give us
more bang for the buck. Those are the questions they will be asking,
not is this politically correct or does it help the environment :-) You
can argue the religion all you want, but in the end, this is how open
source software will succeed or fail. Take my own case. I have a Linux
server at home, not because I believe in the open source religion, but
because I can run a mail and web server on it and use it as a
masquerading firewall. Commercial software to perform those functions
would cost more than my PC and be less efficient and reliable to boot, so 
I use Linux, simply because it is *better* than the alternative. Sure, if
I have a chance to, and should I ever develop something worthy of it, I
would want to contribute back to the open source community, but I am in
no way *obliged* to do so. 

Here at work, I would like to introduce Linux into our environment, but to
do that, I can't argue the open source religion, or my managers will look
at me like I'm nuts. I will have to present practical arguments about
capability, reliability and cost savings.  *That* is what they will listen
to.

I particularly dislike people who imply that there is something evil about
being paid to develop software or to make a profit from developing
software.  Not all of us are trust fund babies, some of us have to worry
about putting food on the table. I would say that if enough value is
present in closed source software to make it worth the price they are
asking, I'll buy it. If there isn't, I won't.

--Greg
   
Date: Tue, 14 Mar 2000 17:42:41 +0000
From: kevin lyda <kevin@suberic.net>
To: letters@lwn.net
Subject: Big mouth, little code...


A few years or so ago he pointed out a process table attack in the
finger daemon shipped on most linux boxes.  He bitched and moaned a year
later that no one had fixed it.  So I did, and dropped it into Red Hat's
Bugzilla.  It was about a dozen lines of code.  (including a little
comment that Mr. Garfinkel was an ass, it does my heart good to know
that millions of cd's around the world have that encoded on them...)

I think it's great that he can spot all these problems.  I think it's
lame that he doesn't get off his ass and offer solutions.  If a person
spots a problem with a closed system the author of the software has
forced the user to comment mode.  With free software the author is
saying, "here, use this fine piece of software that has worked great
magic for me.  I want it to work great magic for you, and I am providing
you with source so that you can make better magic if you feel up to
it."  That includes security fixes.  Free software doesn't get written
by little elves on the north pole after all.

I might also mention that the rpm format (and I think the deb format)
for binary packages allows for gpg/pgp signatures.

Anyway, the moral of this letter?  The GPL should be changed.  It should
state that all reviews should be prefaced with a commentary on the
programming skill level of the author.

That way I could finally know the answer to the question, "Is Simson
Garfinkel too lazy to learn to code, or too lazy to code?"

Kevin
-- 
kevin@suberic.net       "we were goin' for breakfast.  in canada.  we
fork()'ed on 37058400    made a deal: if she'd stop hookin', i'd stop
meatspace place: home    shootin' people.  maybe we were aiming high."
                                                   --porter, "payback"
   
Date: Tue, 14 Mar 2000 13:53:58 -0900
From: "Tony Taylor (ISD)" <tony@searhc.org>
Subject: Virii, and Mr. Garfinkel
To: letters@lwn.net

Mr. Simson Garfinkel seems to have quite a list of credentials. 
However, he seems to lack logic.

He claims there is a coming plague of Linux virii.  He claims the
current lack of virii for Linux (and Unix in general) is a lack of
interest in those able to write them.  He lists some basic requirements
for a successful Linux virus:

It must install itself as root
OR: It must propagate through holes in security

He lists "root abuse" and casual use of root for the first case, and
major server security holes (such as the Sendmail hole that allowed the
Morris worm to propagate years ago, and the recent Red Hat IMAP hole) as
examples for the second.

His logic fails, however, when he does not analyze why there are so many
virii for the MS-Windows platform.  He doesn't realize that the *only*
reason MS-Windows machines are so vulnerable to virii is that *nobody's
fixed the holes* that allow these virii to propagate.  There are boot
sector virii, macro virii, .com and .exe virii, and in every case,
Microsoft hasn't closed the holes that allow them to spread.  Although
there are thousands of strains of virii, there are really only a dozen
or so propagation mechanisms.  In every case, if the fundamental problem
were fixed (for instance, turning off the autoexecute of macros in
programs, instead of making it harder for users to turn it off
themselves), there would be no way for *any* virus of that class to
spread.

Why haven't we seen any more Morris-like worms?  Because that hole was
plugged within days of discovery.  Why isn't the IMAP worm around? 
Because that hole was also plugged within a few days of discovery.

There may be short-lived virii in Linux's future, but the solution won't
be stop-gap prophylactics; the holes will be closed, and the virus will
die a natural death.  And the virus detection software will die a
natural death along with it.

					- Tony
   
Date: Sat, 11 Mar 2000 12:25:24 -0600
From: Dylan Griffiths <Dylan_G@bigfoot.com>
To: letters@lwn.net
Subject: Misquoting PGP information.

"This issue will need to be dealt with, and quickly. The existence of a
duplicate key ID could allow falsified mail. If a duplicate key ID can be
generated by accident, presumably it can also be generated on purpose, as
well. Network Associates was not directly informed of the problem, which was
posted today, so no response from them is yet available."

Not so.  The OpenPGP standard allows this.
From: Tobias Haustein <haustein@INFORMATIK.RWTH-AACHEN.DE>
"As said, the key id is calculated from the key. A V3 key id consists
of the lowest 64 bits of the public modulus of the RSA key, whereas a
V4 key id equals the lowest 64 bits of the fingerprint of the whole
key. However, the OpenPGP standard (RFC 2440) explicitly says that:

  "Note that it is possible for there to be collisions of key IDs --
  two different keys with the same key ID. Note that there is a much
  smaller, but still non-zero probability that two different keys
  have the same fingerprint." (page 53)"


So it's all a matter of the non-zero probability that two different keys
have the same fingerprint.  Two passwords that are not alike could also have
the same MD5 hash. 
-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me
spread!

[Editor: Correct. Please see the security section for an update on this topic.]

   
From: Collins_Paul@emc.com
To: letters@lwn.net
Subject: Duplicate PGP key IDs
Date: Mon, 13 Mar 2000 11:57:39 -0500

Dear Editor,

The best way to resolve the duplicate key ID issue is to use the key
fingerprint, a twenty-byte number of which the key ID is the last eight
bytes.

Duplicate key IDs are only a problem with regard to the key servers, and to
users who do not make sure that the keys they use are genuine.  Duplicate
key IDs do not affect the fundamental security of PGP itself.  Two keys with
the same ID do not have the same fingerprint, and are not the same.
Signatures generated by one will not verify with the other.

If a user uses a key from a keyserver without checking the fingerprint with
the supposed recipient, or checking the other signatories to the key, they
are in any case violating best practices.

Of course, there are (elaborate) ways to circumvent the security of
public-key cryptography, some involving man-in-the-middle attacks using fake
keys.  However, if the recipient has the real key of the sender (and not the
fake one), the attacker will not be able to generate a fake signature, since
that requires access to the sender's private key.  See "Applied Cryptography"
by Bruce Schneier for details.

Note that GNU Privacy Guard is an implementation of the OpenPGP
specification, and hence should have been mentioned for clarity.

Yours sincerely,

Paul Collins.

-- 
Please note that I speak for no-one but myself.
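The two letters above (Tobias Haustein's quoted explanation of V3 and V4 key IDs, and Paul Collins's advice to compare the full fingerprint) describe how OpenPGP derives a key ID from a key. The following Python is an added illustration, not code from either letter writer or from any PGP implementation: it encodes an RSA public-key packet body the way RFC 2440 lays it out, computes the V4 fingerprint (SHA-1 over the 0x99 tag byte, a two-octet length and the packet body) and takes the key ID as its low 64 bits, and computes a V3 key ID as the low 64 bits of the modulus. The moduli `MOD_A`/`MOD_B`, the creation time `CREATED` and the helper names are all constructed for the demonstration; the moduli are not real RSA keys, they are merely integers chosen to share their low 64 bits, so they produce the same V3 key ID while having different fingerprints, which is exactly why a recipient should verify the 20-byte fingerprint rather than the 8-byte key ID.

```python
"""OpenPGP (RFC 2440) key IDs versus fingerprints, and the check a recipient
should perform. Added example; constructed demo values, not real keys."""
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit count, then the
    big-endian magnitude with no leading zero bytes."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet: version octet 0x04,
    four-octet creation time, algorithm octet 0x01 (RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """V4 fingerprint: SHA-1 of 0x99, a two-octet body length, and the body.
    Returns the 20-byte digest."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def v4_key_id(body: bytes) -> bytes:
    """V4 key ID: the low 64 bits, i.e. the last eight bytes of the fingerprint."""
    return v4_fingerprint(body)[-8:]


def v3_key_id(n: int) -> bytes:
    """V3 key ID: the low 64 bits of the RSA public modulus itself."""
    return (n & ((1 << 64) - 1)).to_bytes(8, "big")


def fingerprint_matches(body: bytes, expected: str) -> bool:
    """The check a recipient should do: compare the full fingerprint, as read
    over the phone or from the sender's business card (spaces and case ignored),
    against the key actually fetched from a keyserver."""
    return v4_fingerprint(body).hex() == expected.replace(" ", "").lower()


def key_id_only_matches(body: bytes, expected: str) -> bool:
    """The weaker check: compare only the trailing 8 bytes (the key ID).
    Two different keys can both pass this, so it must not be relied on."""
    return v4_key_id(body).hex() == expected.replace(" ", "").lower()[-16:]


# Constructed demo values (NOT real RSA keys: the moduli are not products of
# two primes; they are 1024-bit integers chosen to share their low 64 bits).
LOW64 = 0x0123456789ABCDEF
MOD_A = (1 << 1023) | (0xA5 << 900) | LOW64
MOD_B = (1 << 1023) | (0x5A << 900) | LOW64
CREATED = 953000000  # constructed creation time, seconds since the epoch
BODY_A = v4_public_key_body(MOD_A, 65537, CREATED)
BODY_B = v4_public_key_body(MOD_B, 65537, CREATED)


def demo():
    """Return (same V3 key ID?, same V4 fingerprint?) for the two demo keys.
    The V3 key IDs collide by construction; the fingerprints do not."""
    return (v3_key_id(MOD_A) == v3_key_id(MOD_B),
            v4_fingerprint(BODY_A) == v4_fingerprint(BODY_B))


if __name__ == "__main__":
    print("V3 key IDs:     ", v3_key_id(MOD_A).hex(), v3_key_id(MOD_B).hex())
    print("V4 key IDs:     ", v4_key_id(BODY_A).hex(), v4_key_id(BODY_B).hex())
    print("V4 fingerprints:", v4_fingerprint(BODY_A).hex())
    print("                ", v4_fingerprint(BODY_B).hex())
    print("same V3 key ID, same fingerprint:", demo())
```

Running it prints identical V3 key IDs for the two constructed moduli and two different fingerprints; `fingerprint_matches` rejects key B when given key A's fingerprint, whereas a key-ID-only comparison is satisfied by any key whose fingerprint happens to end in the same eight bytes. The fingerprint is a hash of the whole packet, so it also covers the creation time and algorithm, not just the modulus.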
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds