Linux links of the week

Are you stuck behind an oppressive firewall? When things get really desperate, have a look at MailTunnel, which somehow actually manages to tunnel TCP/IP connections through a series of email messages...

The i-opener is a $99 flatscreen computer system sold by Netpliance. The system runs a special version of QNX, and is intended to make money via ISP fees - it only connects to Netpliance's proprietary service. People have figured out, however, that, with the addition of a cheap disk drive, these systems can be made to run Linux. For information on how to make a bargain-basement Linux system, see this page on linux-hacker.net (where you can also buy the needed drive bracket and cable), or the i-opener Linux page. (Thanks to Dub Dublin and Gordy Perkins).

Section Editor: Jon Corbet
March 16, 2000 |
|
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 9 Mar 2000 16:50:01 -0500
To: lwn@lwn.net
Subject: Something to think about...
From: Zygo Blaxell <zblaxell@genki.hungrycats.org>

This is possibly an abuse of statistics...no, wait, I take that back. This is _definitely_ an abuse of statistics. But it's interesting to think about this nonetheless, especially in light of FUD-generators who like to point out that Linux is "unstable", meaning that it changes often, as if that were something undesirable.

The obvious question to ask a FUD-generator is "how stable does software have to be, before it becomes good?" The following may be an answer, and I think it'll catch a lot of FUD-generators off guard...

I was recently auditing some data I had collected from the Debian project and came across the following statistic:

Code changes are submitted to or accepted by the Debian project once every 13 seconds to 7 minutes (depending on time of day).

In other words, in the time it takes to dial a 1-800 number, someone may have fixed a bug in or added a feature to Debian, sometimes before the first ring, and definitely before you finally get off the holding queue and talk to a real human being.

By contrast, the Linux kernel often sits idle for just under 6 minutes at a time without anyone even discussing, much less submitting, patches for it. Bug fixes can take several hours to get integrated.

(This data comes from the debian-devel-changes@debian.org and linux-kernel@vger.rutgers.edu mailing lists. If the results are reproducible at all, the errors are at least one order of magnitude.)

Interestingly enough, many people feel that Debian is a Linux distribution that is technically superior to a number of similar Linux distributions which are revised less often. Apparently having a very high revision rate does not by itself have a negative effect on software quality, or Debian is doing something else which compensates for this effect.

Perhaps a future Debian project slogan should be: "Debian: the most unstable software of all time." Unfortunately, many people would require re-education before they are able to interpret that statement correctly...

--
Opinions expressed are my own, I don't speak for my employer, and all that.
Encrypted email preferred. Go ahead, you know you want to. ;-)
OpenPGP at work: 3528 A66A A62D 7ACE 7258 E561 E665 AA6F 263D 2C3D
Date: Fri, 10 Mar 2000 12:05:37 -0500 (EST)
To: erricoe@stfb.com
Subject: the meaning of "open source"
From: kragen@pobox.com (Kragen Sitaker)

I understand you are claiming http://www.stfb.com/fagreement.html is an "open-source license".

As applied to software licenses, "open source" is a term invented by Christine Peterson a couple of years ago to denote a specific kind of license: licenses that give all users the freedom to use, modify, copy, and redistribute the software, for profit or otherwise, in source-code and executable forms. The detailed definition is at http://www.opensource.org/osd.html.

Your license prohibits users from redistributing your software for profit and prohibits redistribution of the source code. It is, therefore, not an open-source license.

Your claim that it is an open-source license is confusing to people new to open-source software. When they encounter software that is correctly labeled as "open-source", they will not understand the guarantees this gives them until they understand that your software is not open source.

I understand that there are many software developers who see the advantages of open-source development and would like to join our community. I assume that your efforts in this direction are honest, and I hope the flood of flames that is surely descending upon your mailbox due to your premature labeling doesn't discourage you.

--
<kragen@pobox.com> Kragen Sitaker <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08. Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
The power didn't go out on 2000-01-01 either. :)
Date: Sat, 11 Mar 2000 19:07:47 GMT
From: Cor Gest jr <cor@clsnet.nl>
To: letters@lwn.net
Subject: Opensource vs GPL

Often I see comments on ads which advertise non-free programs which balk at the fact that although "Open-Sourced" they are not GPL'ed also.

But Hey, get real: GPL'ed software is always Open-Source but not all Open-Source software has to be GPL'ed by default. It would be nice, but even coders have to eat.

I would rather pay for a non-GPL'ed piece with Source-Code-Included than a free (as in beer) binary without, and thus be at the mercy of the makers.

All cars are motorised-vehicles but not all motorised-vehicles are cars!

just my 2 euro-cents

cor
Date: Mon, 13 Mar 2000 09:09:49 -0600 (CST)
From: Dave Finton <surazal@nerp.net>
To: letters@lwn.net
Subject: Thoughts about "We Teach Linux Too!"

This is in response to the OSOpinion article "The Dangers of Over-commercialization" at http://www.osopinion.com/Opinions/TJMiller/TJMiller17.html

I think the person writing the article might be a bit paranoid about teaching Linux to students. Granted, Linux shouldn't be misrepresented as something as "easy to learn" as Windows (ease-of-use is more of a personal bias... I think that Linux is *much* easier to *use* than Windows, which is why I use it). However there are a couple of items to keep in mind:

TJ Miller writes:

"Unix is usually taught at the collegiate level, and most *ix professors seem to thrive on intimidating their students into utter shock (well, mine surely did...) On the other extreme, all this cooing and singing about Linux as being 'no big deal' to learn, does just as much harm to the novices as scaring them would do."

That has nothing to do with the complexity of the system. That Unix professor he mentions comes from a strange and distant culture where it took balls and talent to even so much as get an account on a Unix machine, let alone own one for yourself. Those days are far gone. The type of arrogance you once saw in the old-school Unix culture is still around, but those days are numbered. A larger and larger portion of the normal people like himself and many others are using Unix now, in the form of Linux usually. The old elite culture won't last too long in that environment, and you'll see teaching methods changing from "here's a few commands, now go compile yourself a C program" to more comprehensive programs. Things like certifications, etc. will help in this regard a great deal.

Another question I have to ask is: Why is Unix taught at the collegiate level only? Why not at elementary school or at high school?

Before you say it's because kids won't understand anything so complex, remind yourself who exactly it is that first figures out how to program the time on the VCR in your average household so that it won't blink 12:00 all the time. The early years are ideal for learning this stuff, because it shows kids how a well-engineered system is designed. And since kids soak up knowledge like sponges (well, at least they do during the pre-teenage years), it makes sense to teach the young folk how to use a "hard" system before they even figure out what a "hard" system is supposed to look like.

The problem lies at the teaching level. It's not the kids who are to worry about. It's the grown-ups teaching the kids. If a teacher has a negative experience with something (like Linux) they can easily transfer that dislike to the kids with little effort. The solution is, of course, advocacy of the Linux certification programs out there, as well as good training courses. That will do the hand-holding that T.J. Miller desires.

Well that was a tangent, so I'll finish with this parting thought: "Beware MCSE's offering Linux candy." :^)

- Dave Finton

---------------------------------------------------------
| If an infinite number of monkeys typed randomly at    |
| an infinite number of typewriters for an infinite     |
| amount of time, they would eventually type out        |
| this sentencdfjg sd84wUUlksaWQE~kd ::.                |
| ----------------------------------------------------- |
| Name: Dave Finton                                     |
| E-mail: surazal@nerp.net                              |
| Web Page: http://surazal.nerp.net/                    |
---------------------------------------------------------
Subject: Stallman interview
To: lwn@lwn.net
Date: Mon, 13 Mar 2000 16:46:24 -0700 (MST)
From: woods@ucar.edu (Greg Woods)

In a recent online interview, Richard Stallman was quoted as saying:

"That movement studiously avoids mentioning idealistic concepts such as freedom and community, and as a result most of the newcomers have no idea that you can think of free software in those terms."

You *can* think of free software in those terms, but the reality is that only the religious fanatics actually do. The vast majority of ordinary people, especially in the business world, *will* think about open source software as being in direct competition with pay-for closed-source software. Is it cheaper and/or better, does it give us more bang for the buck. Those are the questions they will be asking, not is this politically correct or does it help the environment :-) You can argue the religion all you want, but in the end, this is how open source software will succeed or fail.

Take my own case. I have a Linux server at home, not because I believe in the open source religion, but because I can run a mail and web server on it and use it as a masquerading firewall. Commercial software to perform those functions would cost more than my PC and be less efficient and reliable to boot, so I use Linux, simply because it is *better* than the alternative. Sure, if I have a chance to, and should I ever develop something worthy of it, I would want to contribute back to the open source community, but I am in no way *obliged* to do so.

Here at work, I would like to introduce Linux into our environment, but to do that, I can't argue the open source religion, or my managers will look at me like I'm nuts. I will have to present practical arguments about capability, reliability and cost savings. *That* is what they will listen to.

I particularly dislike people who imply that there is something evil about being paid to develop software or to make a profit from developing software. Not all of us are trust fund babies, some of us have to worry about putting food on the table. I would say that if enough value is present in closed source software to make it worth the price they are asking, I'll buy it. If there isn't, I won't.

--Greg
Date: Tue, 14 Mar 2000 17:42:41 +0000
From: kevin lyda <kevin@suberic.net>
To: letters@lwn.net
Subject: Big mouth, little code...

A few years or so ago he pointed out a process table attack in the finger daemon shipped on most linux boxes. He bitched and moaned a year later that no one had fixed it. So I did, and dropped it into Red Hat's Bugzilla. It was about a dozen lines of code. (including a little comment that Mr. Garfinkel was an ass, it does my heart good to know that millions of cd's around the world have that encoded on them...)

I think it's great that he can spot all these problems. I think it's lame that he doesn't get off his ass and offer solutions. If a person spots a problem with a closed system the author of the software has forced the user to comment mode. With free software the author is saying, "here, use this fine piece of software that has worked great magic for me. I want it to work great magic for you, and I am providing you with source so that you can make better magic if you feel up to it." That includes security fixes. Free software doesn't get written by little elves on the north pole after all.

I might also mention that the rpm format (and I think the deb format) for binary packages allows for gpg/pgp signatures.

Anyway, the moral of this letter? The GPL should be changed. It should state that all reviews should be prefaced with a commentary on the programming skill level of the author. That way I could finally know the answer to the question, "Is Simson Garfinkel too lazy to learn to code, or too lazy to code?"

Kevin

--
kevin@suberic.net
we fork()'ed on 37058400
meatspace place: home
"we were goin' for breakfast. in canada. we made a deal: if she'd stop hookin', i'd stop shootin' people. maybe we were aiming high." --porter, "payback"
Date: Tue, 14 Mar 2000 13:53:58 -0900
From: "Tony Taylor (ISD)" <tony@searhc.org>
Subject: Virii, and Mr. Garfinkel
To: letters@lwn.net

Mr. Simson Garfinkel seems to have quite a list of credentials. However, he seems to lack logic.

He claims there is a coming plague of Linux virii. He claims the current lack of virii for Linux (and Unix in general) is a lack of interest in those able to write them. He lists some basic requirements for a successful Linux virus:

  It must install itself as root
  OR:
  It must propagate through holes in security

He lists "root abuse" and casual use of root for the first case, and major server security holes (such as the Sendmail hole that allowed the Morris worm to propagate years ago, and the recent Red Hat IMAP hole) as examples for the second.

His logic fails, however, when he does not analyze why there are so many virii for the MS-Windows platform. He doesn't realize that the *only* reason MS-Windows machines are so vulnerable to virii is that *nobody's fixed the holes* that allow these virii to propagate. There are boot sector virii, macro virii, .com and .exe virii, and in every case, Microsoft hasn't closed the holes that allow them to spread. Although there are thousands of strains of virii, there are really only a dozen or so propagation mechanisms. In every case, if the fundamental problem were fixed (for instance, turning off the autoexecute of macros in programs, instead of making it harder for users to turn it off themselves), there would be no way for *any* virus of that class to spread.

Why haven't we seen any more Morris-like worms? Because that hole was plugged within days of discovery. Why isn't the IMAP worm around? Because that hole was also plugged within a few days of discovery.

There may be short-lived virii in Linux's future, but the solution won't be stop-gap prophylactics; the holes will be closed, and the virus will die a natural death. And the virus detection software will die a natural death along with it.

- Tony
Date: Sat, 11 Mar 2000 12:25:24 -0600
From: Dylan Griffiths <Dylan_G@bigfoot.com>
To: letters@lwn.net
Subject: Misquoting PGP information.

"This issue will need to be dealt with, and quickly. The existence of a duplicate key ID could allow falsified mail. If a duplicate key ID can be generated by accident, presumably it can also be generated on purpose, as well. Network Associates was not directly informed of the problem, which was posted today, so no response from them is yet available."

Not so. The OpenPGP standard allows this.

From: Tobias Haustein <haustein@INFORMATIK.RWTH-AACHEN.DE>

"As said, the key id is calculated from the key. A V3 key id consists of the lowest 64 bits of the public modulus of the RSA key, whereas a V4 key id equals the lowest 64 bits of the fingerprint of the whole key. However, the OpenPGP standard (RFC 2440) explicitly says that:

"Note that it is possible for there to be collisions of key IDs -- two different keys with the same key ID. Note that there is a much smaller, but still non-zero probability that two different keys have the same fingerprint." (page 53)"

So it's all a matter of the non-zero probability that two different keys have the same fingerprint. Two passwords that are not alike could also have the same MD5 hash.

--
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

[Editor: Correct. Please see the security section for an update on this topic.]
From: Collins_Paul@emc.com
To: letters@lwn.net
Subject: Duplicate PGP key IDs
Date: Mon, 13 Mar 2000 11:57:39 -0500

Dear Editor,

The best way to resolve the duplicate key ID issue is to use the key fingerprint, a twenty-byte number of which the key ID is the last eight bytes.

Duplicate key IDs are only a problem with regard to the key servers, and to users who do not make sure that the keys they use are genuine. Duplicate key IDs do not affect the fundamental security of PGP itself. Two keys with the same ID do not have the same fingerprint, and are not the same. Signatures generated by one will not verify with the other.

If a user uses a key from a keyserver without checking the fingerprint with the supposed recipient, or checking the other signatories to the key, they are in any case violating best practices.

Of course, there are (elaborate) ways to circumvent the security of public-key cryptography, some involving man-in-the-middle attacks using fake keys. However, if the recipient has the real key of the sender (and not the fake one), the attacker will not be able to generate a fake signature, since that requires access to the sender's private key. See "Applied Cryptography" by Bruce Schneier for details.

Note that GNU Privacy Guard is an implementation of the OpenPGP specification, and hence should have been mentioned for clarity.

Yours sincerely,
Paul Collins.

--
Please note that I speak for no-one but myself.
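The relationship the two letters above describe, as an added example that is not part of either letter and not taken from any PGP implementation: a V4 key ID is just the low 64 bits of the SHA-1 fingerprint computed over the public-key packet (RFC 2440), so a lookup by key ID can match more than one key while a full-fingerprint comparison cannot. The key material below is a constructed textbook toy (n = 61 * 53), not a real key, and the keyring and creation time are made up for the demonstration.

```python
import hashlib

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer:
    a two-octet bit count followed by the big-endian magnitude."""
    magnitude = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return n.bit_length().to_bytes(2, "big") + magnitude

def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a V4 public-key packet for an RSA key (RFC 2440 section 5.5.2):
    version 4, 4-octet creation time, algorithm 1 (RSA), then the MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """V4 fingerprint (RFC 2440 section 12.2): SHA-1 over the octet 0x99,
    the two-octet body length and the body itself. 0x99 is the old-style
    packet tag for a public-key packet carrying a two-octet length."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()

def key_id(fingerprint: bytes) -> bytes:
    """V4 key ID: the low-order 64 bits, i.e. the last 8 octets of the fingerprint."""
    return fingerprint[-8:]

def format_fingerprint(fingerprint: bytes) -> str:
    """Render a 20-octet fingerprint as ten groups of four hex digits."""
    hexstr = fingerprint.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))

def lookup_by_key_id(keyring: dict, wanted: bytes) -> list:
    """Keyserver-style lookup: every fingerprint in the ring whose 8-octet
    key ID matches. Because the ID is only 64 bits, this list is not
    guaranteed to contain exactly one key."""
    return [fp for fp in keyring if key_id(fp) == wanted]

def is_genuine(candidate_fp: bytes, fp_confirmed_with_owner: bytes) -> bool:
    """The check Paul Collins recommends: compare the full fingerprint
    obtained out of band from the key's owner, not the key ID."""
    return candidate_fp == fp_confirmed_with_owner

# Constructed toy key: textbook RSA numbers and a made-up creation time
# (2000-03-16 00:00 UTC as a Unix timestamp). Not a real key.
TOY_BODY = v4_rsa_public_key_body(created=953164800, n=3233, e=17)
TOY_FP = v4_fingerprint(TOY_BODY)

if __name__ == "__main__":
    print("fingerprint:", format_fingerprint(TOY_FP))
    print("key ID     :", key_id(TOY_FP).hex().upper())
```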
|