Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
Leading items and editorials

Where is the 2.4 kernel? It has begun: News.com has reported on the "delay" in shipping the 2.4 kernel, and here is a ZDNet article casting this delay as a failure of sorts. "While the Windows world is all too accustomed to dealing with delays and vapourware, the Linux camp had until recently enjoyed a fairly regular nine- to 12-month update cycle. But at the current rate of development, Linux 2.4 may not reach final status until October."

It's not clear exactly what "update cycle" they are referring to here. But the real question is: is the late arrival of the 2.4 kernel a free software failure?

Of course, in the usual style, nobody has ever committed to a delivery date for the 2.4 kernel (with the amusing exception of Colin Tenwick of Red Hat Europe, who felt entitled to tell the world that the kernel would be released at the same time as Windows 2000). Nonetheless, Linus has made noises in the past about a Fall 1999 or (later) a Q1 2000 release. Not only has that not happened, but it seems clear that 2.4.0 will not be forthcoming until sometime this summer at best. This kernel is coming out later than its developers had wanted.

It is true that free software projects are often poor at putting out releases in a timely manner. Yet advocates claim speed of development as one of the advantages of free software. As evidenced by the ZDNet article, some members of the press are starting to see an inconsistency here.

The problem - if there is a problem - is not with the speed of development. It is instead with the ability to produce stable releases quickly. New capabilities get developed and bugs get fixed quickly, but it can take a long time to package up those developments for general use. One can think of a few reasons why the stable release process seems to take forever:
A more predictable release schedule for important free software components would be nice, but it is hard to imagine many cures to the "problem" that would improve things overall. Imposing deadlines on software development is usually a mistake, and the free software community has been good at avoiding them. Free software ships when it is ready, and that is the way it should be.

Software Carpentry Design Contest finalists. The Software Carpentry contest has announced its finalists that will go to the last round of judging. The contest is trying to spur the development of replacements for some well-known development tools; the entries at this point consist of proposals for new tools. There is no code available - yet.

Three of the finalists in the "Build" category, which is intended to produce a replacement for the venerable "make" program, have taken a similar approach. Rich Miller's PyMake, Steven Knight's sccons, and Tom Tromey's SC Build all turn the traditional makefile into a Python script. Doing things in this way makes the parsing easy, and adds a new type of procedural power and extensibility to the build process; it also turns configuring the build process into a Python programming exercise, which may not appeal to everybody. Sccons adds the concept of "environments," which replace the variable definitions in makefiles; they make it easy to build things in multiple ways, or to define build parameters (flags, installation locations) on a system-wide basis. Sccons also defines "scanner objects" which automate the process of setting up dependencies.

Black by David Ascher and Trent Mick takes a different approach. The makefile becomes an XML data structure defining the system to be built, the rules to use, dependencies, and so on. The authors recognize that "XML is a terrible user interface," however, and have thus specified a graphical interface for Black as well. It includes intelligence that allows it to set up most of the build process automatically; in addition to figuring out dependencies, it can find which source file defines the main program and make a guess at the name of the executable from that.

In the "build configuration" category, two of the entries (BuildConf by Vassilis Virvilis and SapCat by R. Lindsay Todd) have essentially defined an updated version of autoconf. Both of them require the developer to specify how the program is to be built as well, leading to a degree of overlap with the "build" category. Stefan Knappmann's ConfBase, instead, takes the form of a globally-available knowledge base which is used to generate makefiles. It includes an interactive approach, where build "problems" are fed back into the system in an attempt to find a remedy in the knowledge base. Only David Ascher's Tan explicitly addresses the overlap with the "build" category; it is intended to be used along with Black. Thus, like Black, it works off an XML database (explicitly patterned after the Windows registry) which describes system features, available tools, etc.

There are also four entries in the "Track" (problem and issue tracking) category that are worth a look. Four finalists were selected for the "Test" category as well, but the contest organizers have decided not to award a prize in that area for now. Apparently they want to reopen it after reworking the requirements to better inspire the sort of entries they would like to see.

The above descriptions are necessarily overly short; they overlook a number of interesting features in each of the entries. Interested folks are encouraged to look at the actual proposals on the Software Carpentry site.

The Microsoft breakup proposal. There is actually not much to add to the debate on this topic that we have not said in the past. It's worth pointing out, however, that nothing is likely to happen along the lines of a breakup for years. Both sides seem determined to fight until the bitter end, with the result that a lot of time will be spent in the courts. People wanting Office on Linux will have to be patient.

As an aside, another example of the Microsoft way of doing business was passed on to us by Jeremy Allison. It seems that Microsoft has finally made available its "embrace and extend" changes to the Kerberos protocol - sort of. You can only get the information in the form of a self-extracting executable file, which puts up an intimidating "click wrap" license first. It seems that the Kerberos extensions are presented as a trade secret, and can not be passed on - or implemented in open source software. If Microsoft allows others to implement the extensions, it will be via licensing agreements. So much for open standards.

Inside this week's Linux Weekly News:
May 4, 2000
Security

News and editorials

OpenSSH now supports the SSH 2 protocol. It was August 28th, 1998, when SSH Communications announced their license for ssh 2.0.8. That license restricted all commercial use of ssh 2.X without a licensing agreement. As a result, ssh 2.X was not widely packaged for Linux and more attention has been paid to tracking issues in ssh 1.X than ssh 2.X.

Thanks to the OpenBSD team, that has all changed again. The OpenBSD Journal reported last Thursday that OpenSSH now supports the SSH 2 protocol and is still backwards compatible with SSH 1. One advantage of the SSH 2 protocol that the OpenBSD Journal mentioned was its use of DSA instead of the patented RSA algorithm. In addition, the newer protocol was intended to be more secure, or at least better designed, than its predecessor.

Analysis of mstream DDoS tool. David Dittrich has published an analysis of mstream, another distributed denial of service tool for which the source code was recently released. Check it out for information on the signature of this most recent attack.

David's analysis finished up with two strong recommendations. The first was a call for more training for systems administrators. "First, and fundamentally, intruders will tend to have an even greater advantage over unskilled system administrators. It is becoming ever more important that systems administrators -- Unix, NT, whatever -- have training as a primary task, not a luxury or burden to be avoided." This recommendation is up against some tough competition. Due to the current shortage of good technical staff, businesses are demanding systems that are easier to administer ... which generally leads to them being administered by less skilled staff.

He also called for systems administrators to actively deal with and learn from intrusions, rather than just reinstalling and moving on. "Second, incident response and forensic investigation may be made more difficult, if not impossible, as the simple "solution" that the unskilled Unix administrator will take is to give up and just re-install the operating system. This ill-advised choice of action destroys any evidence that may exist on the system and sets the system up for a subsequent intrusion because the same security precautions they did not take before the incident will usually not be taken this time either." This comment, also wise, is likely to continue to get lost in the pressure to get back up and running as soon as possible and get back to other work.

In other words, both these recommendations are good, but are unlikely to be used unless companies start taking security seriously enough to hire adequate staff to handle both their normal systems administration needs and the demands of good security.

CERT advisory on bind vulnerabilities. The Computer Emergency Response Team has put out this advisory regarding continued exploitation of vulnerabilities in older versions of bind. Fixes were made available months ago, but, apparently, many sites have not installed them. Now might be a good time to check your systems and be sure that all of them that are running bind have been upgraded. (And note that, depending on your distribution, you may be running it without having explicitly set it up).

SuSE libsafe analysis. Marc Heuse posted another brief analysis of libsafe, explaining why SuSE does not plan on integrating it into their system. "I can not remember a vulnerability in a network service for the last year which this tool would have prevented. Therefore: as long as this tool is not enhanced to also protect open/fopen calls against symlink/hardlink/pipe attacks, several more buffer overflow types, system/exec* function protection etc. it is not useful to use this tool." (Thanks to Fred Mobach.)

Security Reports

Linux kernel knfsd vulnerability. A vulnerability in the knfsd daemon leaves a host system vulnerable to a denial-of-service attack that can bring down the NFS service, reports Chris Evans. This impacts both the 2.2 stable tree and the 2.3 development tree. A patch against Linux kernel 2.2.15pre19 has been made available and is included in his note.

Note that the Red Hat kernel update we list here fixes this problem, plus others, including the IP masquerading vulnerability we discussed on March 30th. SuSE also responded to the recent security reports, but is waiting for the "any day now" release of 2.2.15 to provide updated packages. Last, but not least, please remember that the installation of a kernel update will always require care and attention.

SuSE: Gnomelib buffer overflow. An exploit for a buffer overflow in Gnomelib has been posted to BugTraq and confirmed to work on SuSE 6.3 and 6.4. A workaround, according to the SecurityFocus vulnerability database, is to remove the setuid and setgid bits on all Gnome based executables. Red Hat 6.X, Linpus 6.3 and Debian are reported not to be vulnerable. SuSE has acknowledged the problem, warning that the issue depends on the version of Gnome and may therefore impact older releases of other vendors. They indicated that a fix should be forthcoming soon.

Remotely exploitable hole in Sniffit. Sniffit, a widely-used packet sniffer, has been reported to contain a remotely exploitable buffer overflow, affecting version 0.3.7beta and all prior versions that log mail headers. A minor change to the source code is given that should fix the problem.

Gnapster: arbitrary read file access. Gnapster 1.3.9 has been released and contains, along with other bugfixes and changes, a fix for a vulnerability that can allow a user to view arbitrary files on the system.

Commercial software

Cisco Vulnerabilities. Cisco IOS, which runs on a variety of routers, is vulnerable to a denial-of-service attack if the router has a web server running on it. Cisco has acknowledged the problem and provided a work-around. They will provide a formal advisory when they have a full fix available.

In addition, many commands documented to require elevated privileges are actually usable without them, according to this report from Fernando Montenegro. The report includes configuration commands that can be executed to resolve the problem. He also indicates that Cisco's Product Security Incident Response Team has confirmed the issue and approved the recommended workaround.

Updates

SuSE cron/aaabase. We mentioned in last week's issue that a problem had been reported on SuSE systems where a cron job installed by default allowed any file on the system to be deleted, via a /tmp file link. The SuSE package involved is called aaabase. Here are the distribution responses to the problem.

Qpopper fgets vulnerability fixed. Qpopper 3.0.1b2 has been released and contains a fix for the qpopper fgets() vulnerability mentioned in last week's Security Summary.

Resources

nmap security scanner version 2.50. A new, stable version of the nmap security scanner has been released. This is the first stable release in slightly over a year and contains many new features.

Phrack number 56. Phrack number 56 is now available in HTML format, as a tar file or via FTP.

HeavySecurity.com launches. The Heavy Security Group has announced the launch of its HeavySecurity.com "security portal."

Events

May/June security events.

May 14-18, 2000. EuroCrypt 2000, Bruges (Brugge), Belgium.
May 14-17, 2000. 2000 IEEE Symposium on Security and Privacy, Oakland, California, USA.
June 12-14, 2000. NetSec 2000, San Francisco, California, USA.
June 25-30, 2000. 12th Annual First Conference, Chicago, Illinois, USA.
June 27-28, 2000. CSCoRE 2000, "Computer Security in a Collaborative Research Environment", Long Island, New York, USA.

Section Editor: Liz Coolbaugh
Kernel development

The current development kernel release is still 2.3.99-pre6. There is a pre-prepatch for 2.3.99-pre7 available in its fourth revision as of this writing. There is not much earthshaking to be found in it - it contains a number of PowerPC fixes, a bunch of driver tweaks, and a netfilter update.

2.3.99-pre6 turned up some problems with memory management that cause poor performance under some types of loads. Memory management hacker Rik van Riel has put out a patch to fix some of the problems; pre7 should presumably work better.

The current stable kernel release is still 2.2.14. Alan Cox tells us that the current 2.2.15pre20 patch, with a "one-line change" will be the real release, once Linus recovers from moving to a new house and has the cats and children settled down. It may well be out by the time you read this.

Update: 2.2.15 was released just as LWN went to "press." As soon as release notes become available, we'll post a note on the LWN daily updates page.

2.0.39pre4 has been released by David Weinehall. No word on when the real update for this ancient kernel will come out.

Resizing of ext2 filesystems is now available with free code. Way back in May, 1998 Ted Ts'o announced that he had written an ext2 resize utility under contract with PowerQuest. After a period of time, resize2fs was to cease being proprietary software and would be released under the GPL. That period of time has finally passed. The ext2 resizer will be part of e2fsprogs 1.19, which will be released "real soon now." A beta version can be found via the e2fsprogs web site on SourceForge; back up your disk first, though...

Automatic mounting of devfs remains a topic of discussion, after Richard Gooch put out a "don't blame me" message regarding the change, which was inserted last week by Jeff Garzik. The final solution looks to be the addition of yet another configuration option which controls whether devfs is mounted automatically at boot.

Mr. Gooch has been busy in general, having released devfs v165, v166 and v167, along with devfsd 1.3.6, 1.3.7, and 1.3.8.

What's in your kernel? The Linux kernel is typically presented as the constant, unifying component that is the same in all distributions. Many distributors, however, ship heavily modified kernels with their products. As the first installment of an irregular series, LWN took a look at the Linux-Mandrake 7.0 kernel to see what they did to it. Here's what we found:

A number of little adjustments are there as well, for a total of 41 different patches. Plus, of course, they put in the Mandrake boot logo. A number of the patches are credited to either Red Hat or SuSE. Overall it's a pretty straightforward kernel, with a lot of little fixes and a few additional features (RAID, Supermount, ALSA, big memory...) added.

Other patches and updates released this week include:

Section Editor: Jonathan Corbet
Distributions

Please note that security updates from the various distributions are covered in the security section.

Statistics, Statistics and Statistics. MandrakeSoft has announced that Linux-Mandrake came out at the top of the ISO download statistics at Tucows.com for both February and March. Here are the statistics on which they based their claim:

February                  March
Linux-Mandrake  46%       Linux-Mandrake  31%
Red Hat         27%       Corel           28%
Corel           15%       Red Hat         14%
Debian           3%       Debian           6%
SuSE             3%       Caldera          6%
Slackware        3%       SuSE             5%
Caldera          3%       FreeBSD          4%
Stormix          2%       Slackware        1%

We contacted Tucows for more information. Greg Cowie pointed out that the statistics in any given month are strongly affected by who has released a new version of their distribution, since ISO downloads are primarily used by people planning on installing or upgrading. The April statistics, in turn, show the impact of the release of Red Hat 6.2:

April
Red Hat           31%
Linux-Mandrake    29%
Corel             22%
Debian             5%
Caldera            4%
FreeBSD            3%
SuSE               3%
Slackware          2%
Stormix            1%
Yellow Dog Linux   1%

The numbers used in these three cases are the actual number of ISO downloads. Tucows also freely provides similar statistics on ISO downloads based on Megabytes downloaded, and non-ISO file downloads for each distribution, again by volume or by number. Looking at non-ISO file downloads by number, we can get figures with Red Hat leading by a wide margin instead (Red Hat 57%, Linux-Mandrake 24%, in April). From that, you might theorize that Red Hat has a larger installed base (people downloaded single file updates or additional applications) while Linux-Mandrake has more people installing their distribution for the first time.

The really startling note from the three months worth of data, still a small sampling, is the lead that the two RPM-based distributions have on the rest of the pack. It will be an interesting trend to watch.

On another note, we learned a bit about how such statistics can be swayed by small details. For example, the Phat Linux distribution does not have an ISO download, being only available as a large executable file that is run from a Windows installation. It doesn't impact the ISO download list, as a result, but is responsible for a whopping 34% of the non-ISO file downloads by volume. By number of files downloaded, since the entire distribution consists of only one file, they don't even show on the chart. Without knowing more about the structure of this distribution, these figures would seem highly anomalous.

Microsoft tactics benefit Japanese Linux distributors. If you are using a computer in Japan, you may have already installed or received a system pre-installed with Windows, before you move to running Linux on it. If so, you've paid, in part, for high quality commercial fonts to support Japanese. However, people who've contacted Microsoft to check have been told that it is not legal to use these fonts with an operating system other than Microsoft, even by the same person on the exact same computer.

In discussing various issues with Maya Tamiya of http://ChangeLog.net, we learned that this has ended up benefitting Japanese Linux distributors (though not necessarily the end-user). The freely available fonts are currently just not good enough to provide adequate support in Japan, she noted. Commercial Japanese distributions have benefitted as a result, because end-users expect and need the commercial fonts that are therefore bundled with Linux.

In the long run, the consumer is the one that is losing, since they are potentially forced to pay multiple times for the same commercial fonts. This adds weight to the need for more and better freely-available fonts.

Corel Linux

Corel makes donation to Dallas schools. Corel has announced the donation of 2000 copies of its Linux distribution and WordPerfect Office 2000 to the Dallas school district.

Corel Linux voted best new product at FOSE. Corel announces that its Linux distribution was awarded "best new product" in the "End-User Software" category at the Federal Office Systems Exposition.

Coyote Linux

Coyote Linux 1.20pre3. The latest version of Coyote Linux, 1.20pre3, is a bugfix-only update. Coyote Linux is a single floppy Linux distribution that provides routing/firewall services targeted at home users.

Debian GNU/Linux

Debian Test Cycle begins. After announcing the removal of 16 packages from frozen on May 2nd, due to release-critical bugs, Richard Braakman officially announced the start of the First Test Cycle. If successful, a decision on a release of Debian potato could happen within the next few weeks. If it is not, then another test cycle will be started.

Lilo in frozen. The question was asked whether the new Lilo, which removes the requirement that the kernel lie within the first 1024 cylinders, would be included into the new version of Debian before its release. The answer, according to Petr Cech, is "yes".

Debian GNU/Hurd

The Kernel Cousin debian-hurd for May 3rd is available, to provide a snapshot of recent GNU/Hurd development.

Linux-Mandrake

MandrakeSoft to bundle Enlighten's user management tool. MandrakeSoft has announced that it will bundle Enlighten's "User Management Tool" with the Linux-Mandrake 7.1 distribution.

Slackware Linux

Slackware-current updates. Updates to slackware-current this week include gcc-2.95.2, perl-5.6.0, vim-5.6, lilo-21.4.2 (removing the 1024 cylinder restriction), and a host of other small updates.

SuSE Linux

SuSE announces distribution deal with Ingram. SuSE has announced a distribution deal with Ingram Micro, a large wholesale distributor. This arrangement should help to get SuSE's distribution into a lot more stores.

TurboLinux

TurboLinux 6.0 Workstation: A First Look (AboutLinux). AboutLinux reviews TurboLinux 6.0 workstation. "TurboLinux 6.0 installed a fairly vanilla Gnome setup - in this regard it is somewhat similar to Corel Linux - and they both may have a point. Does it really help a new Linux user to have their desktop cluttered with many icons?"

Section Editor: Liz Coolbaugh
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
Development projects

Another look at gnucash. Last December we ran a review of gnucash that concluded that the program - a free personal and small business finance package - was not quite ready for prime time. Inspired by meeting the developers at the Linux Business Expo, LWN took another look at gnucash. Conclusion: it has come a long way. Your editor is pleased to announce a complete transition to gnucash, thus getting rid of the last Windows application on his system. Time to reclaim that partition.

Gnucash 1.3.6 has all of the basics that one needs to track finances under Linux. It handles several types of accounts, including stocks and credit cards. The double-entry system it uses will look a little strange to users of other packages, but if you think of "expense accounts" and "income accounts" as being "categories" it all comes together just fine. The account reconciliation mechanism works well, and there is a separate little program which will keep stock prices up to date. The QIF import capability has seen a great deal of work. There is also a check printing capability that your editor has not tried out.

That said, those who are contemplating moving over from Quicken or some other such package need to be prepared for a rougher existence. Gnucash is not yet at the level of those applications in either features or ease of use. Those without a bit of an "early adopter" mindset may want to wait until the 1.4 stable release comes out. Speaking of stability, your editor was able to make it crash only once. As it turns out, the problem had been fixed even before the report got sent in.

There's no end of missing features. It remembers names of payees, but none of the other information (amounts, accounts) that goes along with them. As a result, more typing is needed than one would like - especially for recurring, split transactions. There is no support for scheduled transactions (i.e. the mortgage payment) yet. It doesn't really understand loans. Some cleverness is needed to enter things like reinvested long-term capital gains distributions on mutual funds. The reports are still rudimentary. And so on.

Gnucash could benefit from some concentrated user interface work as well. You can get auto-incrementing check numbers, but you have to ask for it each time. Most checkbook registers put the check number first, but the gnucash register starts with the date. If you mistakenly type the check number into the date field, you get a date like "May 4, 20003843", which gnucash happily accepts. Creating accounts - something one has to do a lot of - could be easier. There are two "open" icons on the main window with different functions. And so on.

In other words, it's a work in progress. There is every reason to believe that gnucash will continue to progress quickly. Meanwhile, it is ready for those who are slightly adventurous, or who place a premium on working with free software. Gnucash passed that critical point of development a little while back - it is clearly going to be successful.

Probotics releases robotics code. The folks at Probotics have announced the release of their robotics code under the GPL. This code is mostly useful, of course, for programming the robots that they sell, but there's likely to be good stuff that can be used beyond that context as well. (Thanks to Alexandre Dulaunoy).

Application of the Week: gkrellm. The Linuxcare application of the week this week is gkrellm. Having found this application, Brett Neely is apparently never going to live without it again. "Apparently influenced by the sci-fi movie 'Forbidden Planet,' gkrellm essentially gives you the headlines of your system's health... gkrellm gives me the kind of information that would normally require a barrage of commands. It gives me the time and date; graphs for CPU activity, process load, disk I/O activity, and eth0 traffic; available resource meters for memory, swap, and disk partitions; the number of new emails in my inbox; and my system's uptime."

Browsers

Two new Mozilla chat channels. #mozui (for Mozilla UI discussion) and #mozl10n (for Mozilla localization) are two new channels that have been added to irc.mozilla.org, according to MozillaZine.

Mozilla mini-track at O'Reilly conference. A Mozilla mini-track is being planned for this summer's O'Reilly Open Source Software Convention. Speakers will include Mike Shaver, Frank Hecker, Ben Goodger, Alec Flett, Mitchell Baker, Mike Ang, Rob Ginda and Paul Everitt.

Education

SEUL/edu Linux in Education Report. The eighteenth SEUL/edu Linux in Education report talks about Linux in Latin American schools. The SEUL/edu folks will also be present at Linux Canada in Toronto.

Games

The Chopping Block (Worldforge). This month's issue of The Chopping Block is now available. The Chopping Block is a newsletter/magazine covering the Worldforge project, which is developing a complete system for massively multiplayer online roleplaying games. This month's edition contains a 3D tutorial on light and reflections, a developer chat and three short stories. In addition, Aloril reviews the arguments for moving the license for Worldforge from the OPL to the GFDL+GPL.

Interoperability

Kernel Cousin Samba. The April 27th edition of the Kernel Cousin Samba covers temperamental NT logins, problems with the pam_ntdom module, exchanging exchange, continuing problems (though fewer) with Windows 2000 support in Samba 2.0.7pre4 and a patch to support symlinks with smbfs.

Wine Weekly News. This week's Wine Weekly News reports a new Wine snapshot, 20000430, the first snapshot to be released under the X11 license. Unicode support and the wine resource compiler were also topics for discussion this week.

Office Applications

AbiWord 0.7.9. A new version of AbiWord, version 0.7.9, has been released. It contains some new features and both major and minor bugfixes. Overwrite mode, for example, is now available, and page margin support is now included. For more information and development news, check out this week's AbiWord Weekly News.

Siag Office 3.3.4. Siag Office 3.3.4 has been released. Changes include updates to the German and Spanish translations, faster scrolling and more efficient screen updates.

Tradeclient 0.2.0 released under the GPL. The Personal Information Manager (PIM) tradeclient has now been released under the GPL, as of their latest 0.2.0 release, reports Gnotices. Comments to the announcement seemed generally favorable and indicate that it is a good start, even without IMAP support.

On the Desktop

KDevelop 1.2 released. Gnome support has been added to KDevelop 1.2, released today, along with many other features. We've heard a lot of good things about KDevelop, so it is great to hear that it will now support both the Qt and Gtk libraries, preventing the need for reinvention of the wheel.

German Gnome home page. A German Gnome home page has been created by Gnome hacker Martin Baulig. It currently contains a list of Gnome events in Germany.

Konqueror website. The KDE team proudly announced the unveiling of the Konqueror website, the definite place to find information about Konqueror, KDE's new replacement for kfm. Konqueror is a web browser, file manager, universal file viewer and even a customizable application. Screenshots for the various capabilities are available.

New KWin Style - Modern System (mosfet.org). Mosfet has committed his new C++ KWin style engine, dubbed "Modern System". Screenshots are provided.

Response to O'Reilly 'Motif is not Dead' article. On April 6th, O'Reilly published an interview with Antony Fountain, co-author of Volume 6B: Motif Reference Manual, 2nd Edition, which talked about his opinion of both Gnome and KDE. KDE Core Developer Richard Moore published a response to what he felt were inaccuracies or errors in that article on April 28th, entitling his response "Motif Is Dead, but the body is still twitching". It does a good job of refuting some of the claims of the original author, at least from the KDE perspective.

Website Development

Data-Driven Sites with Midgard (WebTechniques). Web Techniques walks through setting up a web site with Midgard. "Content is separated into style (layout management), structure (host management), and raw material (content management). This clear demarcation offers many opportunities to delegate responsibilities for each part of the site. In addition, full integration of the PHP3 scripting language makes it easy to extend Midgard in powerful ways." (Thanks to Henri Bergius).

Section Editor: Liz Coolbaugh
May 4, 2000
Development tools

C++

OpenGL Class Library 0.0.1. The initial release of the OpenGL Class Library has been announced. It is available under the GPL. "The OpenGL Class Library is intended to be a set of C++ classes, available through static and dynamic libraries, that will allow the developer to create OpenGL applications using C++ quickly. This includes the ability to create multiple windows and assign individual events to them. In addition, other useful functionality will be included that will allow images (.bmp, .raw, .tga, etc.) and 3d object format files (.3ds, .asc, .dxf, etc.) to be loaded in a platform-independent way."

Java

IBM Linux JDK 1.3.0. IBM Developer Works has put out an early release of the IBM Developer Kit for Linux, Java 2 Technology Edition. "Version 1.3.0 Early Release (Early Release Developer Kit) is a software development kit that can be used to build Java applications on Linux. The Early Release Developer Kit includes development tools, the IBM Java Runtime Environment for Linux, sample code and Java source files."

The Real-Time Specification for Java. A real time extension to the Java Language Specification and the Java Virtual Machine Specification has been issued by the Real Time Specification for Java Experts Group (RTJEG), chartered under the Java Community Process and JSR-000001. The specification is currently available in PDF format for download.

Why Java seems doomed to fail (osOpinion). Here's an osOpinion piece on why Java doesn't seem to be going anywhere. "In all honesty I'd like to consider Java, but the fact that my development team would be unable to deploy on Linux - our primary server platform - makes it a no go."

Perl

Yet Another Perl Conference (yapc). Registration for this year's yapc conference is now open. It will be held June 21-23 at the Carnegie Mellon University in Pittsburgh, PA, USA. The yapc conference is distinguished by being "driven from the bottom up, organized by and for perl users -- a grassroots conference".

perl5-porters for April 25th through April 20th. The perl5-porters report on Perl development activity is back up and running. Activity is gearing up, with one major bug in perl 5.6 reported and a patch provided. Perl 5.6.1 may not be too far out.

Python

Dr. Dobb's Python-URL. Python-URL is back, with a weekly look at postings on the comp.lang.python mailing list. My favorite: Martijn Faassen's story of the "really early days of Python".

Tcl/tk

Double Tcl-URL. This week, two editions of Tcl-URL came out back to back. Here are the Tcl-URL for May 1st and May 2nd. An administrative note indicates that they plan to return to a more predictable schedule.

Section Editor: Liz Coolbaugh
Linux and business

Gartner Group: ISV Enthusiasm for Linux: A House Divided. The Gartner Group's latest pronouncement on Linux has to do with the interest of independent software vendors. "By 2005, Linux will be among the top three to four ISV porting priorities for 60 percent to 65 percent of ISVs, but will not dislodge current top-tier operating system platforms (0.6 probability). From 2000 on, no more than two to three Linux distributors will be financially strong enough to be accepted as broad enterprise operating system vendors (0.7 probability)." (Found in Portalux News).

Layoffs at Linuxcare. Linuxcare has laid off a substantial portion of its workforce - by one report, 80 people, or about 35%. The company itself isn't talking much about what is going on, so there's not a whole lot of hard information around. It seems clear, however, that Linuxcare has the dubious honor of being the first open source downsizing. One can only wish that it will be the last.

This move does not mark the end of the road for Linuxcare. The company remains positioned in an area that should prove lucrative, and (one can assume that) it still employs many well-known Linux developers. Linuxcare played the IPO game, and lost. Without the influx of cash from an initial offering, belts had to be tightened. Linuxcare is positioning itself to go a longer than expected route with the resources that it has.

Meanwhile, it's official: here's the withdrawal letter filed with the SEC by Linuxcare cancelling its IPO.

Changes in the VA Linux/Andover.Net deal. When VA announced that it was acquiring Andover.Net, part of the deal was a $60 million cash payment to Andover's stockholders. The deal has been criticized by many, but this payment was singled out for particularly harsh treatment. No more. The two parties have announced that the deal has been changed to an all-stock exchange. The official reason cited is "tax concerns"...

For those wanting more information, here's a registration statement filed by VA Linux Systems as part of its acquisition of Andover.Net. If you're curious about the details of the deal, you'll find all of the answers there, though you will have to dig through a lot of legalese to get to them. Officers at Andover.Net will do well - some or all of their options will vest immediately on completion of the merger. On the other hand, Andover stockholders subject to the holding period will still have to wait until that period is up before they can sell their new VA stock. (See also: this brief Reuters article about the change in terms).

VA Linux Systems acquires Precision Insight. While we're on the topic of VA acquisitions: on Precision Insight's web page is the following notice: "Precision Insight Inc. has merged with VA Linux Inc. PI's management and its entire engineering team have remained with the company and will continue to support open source development as they have while at PI. This merger adds a significant graphics, video, and multi-media development and support capability to VA Linux." VA has not yet released any information on this move.

PI works with XFree86, providing support services, developing video drivers, and so on. They developed a number of video drivers for Red Hat, and are currently working on the Direct Rendering Infrastructure with support from Red Hat and SGI. They list Darryl Strauss, David Dawes, and Brian Paul as part of their development team. With this acquisition, VA adds greatly to its graphics capabilities, and to its development staff in general. PI is a group of sharp people; this could prove to be a very good move on VA's part.

Andover.Net announces new magazine. Andover.Net has announced a new print magazine called "Open," which will launch in August. It will offer trade-rag style free subscriptions; signups are already possible at the OpenMagazine.net web site.

Bluepoint signs agreement to develop embedded Linux system. Bluepoint Linux Systems has announced the signing of an agreement with Shenzhen Debole Electronics Development Ltd. to develop an "intelligent housing system" which will handle functions like "security alarm; automatic water, electricity and gas meter reading; appliance control (5 ports minimum); subdivision fee collection; information broadcasting; Internet connection; Internet-based remote management; E-Commerce Service; and touch screen with at least 50 Chinese display." There is apparently already an order in place for 6000 units.

Miracle Linux press release. Thanks to Maya Tamiya, we now have an English translation of the press release announcing the creation of "Miracle Linux" -- the new distribution startup being created in Japan by Oracle, NEC, and TurboLinux.

Open letter to Congress on immigration reform. A group of prominent technology figures, including Linus Torvalds, has sent an open letter to Congress asking it to make it easier for immigrants to get green cards. As of a little while ago, at least, Linus was still waiting for his...

Inprise/Borland board requests update of fairness opinion in Corel merger. Inprise has announced that its board of directors has requested that its advisor take another look at the merger deal with Corel. The deal looks increasingly in peril - this is the Inprise board, and not just a couple of dissident members, that is showing signs of having cold feet.

Troll Tech and Inprise/Borland collaborate on Linux GUI. Troll Tech and Inprise have announced a deal wherein Inprise will use the Qt toolkit in its Delphi product.

Perforce offers SCM System for IA-64 Linux. Applications for the IA-64 are already beginning to show up - before the hardware is available. Perforce has announced the availability of its software configuration management system for TurboLinux's IA-64 port.

LinuxMall CEO on Microsoft split-up. LinuxMall.com has issued a press release with CEO Mark Bolzern's opinion on the proposal to split up Microsoft. "Bolzern said no matter what happens in the Microsoft case, the end result will show that people are tired of the operating system dominance of Microsoft, and Linux will continue its rapid increase in marketshare and importance as a viable alternative operating system for businesses and individuals."

Amazon opens Linux store. Amazon.com, heedless of its current difficulties with the Linux community, has opened up its own Linux software store. The store's offerings currently seem somewhat incomplete: its distributions section is missing SuSE and TurboLinux (and all of the smaller distributions), the word processors section features only Corel, etc.

Section Editor: Jon Corbet.
Press Releases:
Section Editor: Rebecca Sobol.
Linux in the news

Recommended Reading

Upside has posted a lengthy article which may well be the definitive summary of Microsoft's problems. "Microsoft's value proposition was that an Intel-based system running Windows NT was a much less expensive proposition than a semi-proprietary Unix running on non-Intel hardware. Linux, however, beats Microsoft at its own game, offering a highly customizable, standards-compliant operating system at a fraction of the cost of a comparable Windows NT system. Sadly, it's not clear whether Microsoft fully understands the nature of the Linux threat."

Business

News.com looks at Embedded Linux firms. "Another difference between the companies is in royalties--the fee a company pays to sell a device using the software. Lineo charges royalties for Embedix, its version of Linux for gadgets. MontaVista won't charge royalties but will charge for use of software development tools and technical support. Support contracts cost between $5,000 and $10,000 a year depending on depth and responsiveness."

Here's an article in News.com about Red Hat's plans to get into the home appliance market. "The move marks the first major expansion of Red Hat's version of Linux outside its server stronghold. However, trying to enter the home networking market pits Red Hat not only against Microsoft's Windows, but also against other Linux companies such as Lineo."

This News.com article is about RealNetworks' use of Mozilla code in a version of its media player. "Whatever RealNetworks' intentions for Web-browsing capabilities, the company's participation in the Mozilla software development effort is a big win for the organization."

Here's a brief article in Wide Open News about the layoff at Linuxcare. "The company had been expanding its workforce as part of an IPO ramp up, but the withdrawal has forced the company to reexamine its spending and its strategy. Without the expected cash infusion, Linuxcare has had to tighten its belt."

This week's Linsider stock summary is up. "You'll get a variety of opinions as to whether a split is a useful remedy for the problems Gates and Co. have caused, but one thing is for sure: the final word on this is still a year or more away. And for Linux advocates, that's good news. See, in the long run it doesn't really matter what the Government does legally to Microsoft. What matters is that the microscope is on Microsoft for an extended period, allowing other players to move more quickly into competitive positions."

Here's a lengthy Upside article covering the Piranha vulnerability, the change in the VA Linux/Andover merger terms, and the proposed French open standards law. "Despite the glowing endorsement of both free software and the principles of software liberty, free software advocates such as Richard Stallman gave the overall text of the law mixed reviews."

News.com looks at the FreeNet project. "Others say Freenet, if it is able to get out of its early stages, could be the final nail in the coffin for organizations trying to prevent online piracy. Since Freenet is wholly decentralized, there is no central company to sue for copyright violations. And because each 'node' is encrypted, and users anonymous, it will be nearly impossible to track down any individual pirate or pirated work."

ABC News has an article about Eazel. "Windows and Mac users should feel comfortable with Eazel. The current pre-release version, called Nautilus, features large, finely shaded icons, and windows that look like a cross between Macintosh, Windows and Netscape." (Thanks to Jay R. Ashworth and Ketil Malde).

Linsider ran this column on software testing in the open source world. "Reading about Red Hat's recent troubles with its Piranha release I was struck by a thought: Linux, as a whole, lacks a formalized testing organization. In 20 years of development, having worked for 7 different companies ranging in size from a 5 man startup to the behemoth that is Samsung, this is the first time I've seen software released to the world with no formalized testing applied."

Here's TechWeb's take on Red Hat's Piranha problem. "Chris Rouland, director of X-Force at ISS, Atlanta, said he does not believe the back door was installed with malicious intent, but the vulnerability does reinvigorate the debate between open source and closed source software."

Salon looks at several companies that have been hit by the fall in tech stock prices. "Red Hat's IPO was widely considered a validation of the commercial potential of Linux. But its stock price slide is now hailed as proof that there is no money to be made in the entire Linux sector."

Here's a LinuxPower article which looks at the whole Netpliance iOpener affair and tries to convey an understanding of what the company is up to. "When you see something you believe in succeeding it's natural to get worked up about it. Sometimes this kind of passion can lead to actions that seem wild or irrational to people outside of the group. When Netpliance changed their Terms of Service or poured epoxy on the board, they were reacting to a threat to their vision. Regardless of what we may have thought about these actions we have to put them in the context of a group of people working very hard to achieve some goal and then having that dream threatened."

The Red Herring reports on a talk by IBM VP Irving Wladawsky-Berger. "Mr. Wladawsky-Berger's zeal for Linux even spills over into IBM's labs, he notes, where IBM is developing a Linux-based watch with speech recognition."

The "Jet" cluster at NOAA (covered in LWN last month) staged its formal unveiling on April 26. Some local coverage of the event may be found in the Rocky Mountain News, the Boulder Daily Camera, and the Denver Post. Government Computer News has also posted an article about Jet.

Microsoft Breakup

U.S. News contemplates the effects of a Microsoft breakup on Linux. "Linux, an operating system available free online, has been a runaway success on the Internet, where it runs 30 percent of sites. But even its founder, Linus Torvalds, is disappointed at its puny 4 percent market share on desktop computers, the machines folks use at home and at the office. That's because Linux can't run the most popular software programs used with Windows, especially Microsoft Office, which includes Word and spreadsheet Excel. Without Office, Linux doesn't have a prayer of a chance on the desktop."

Here's a San Francisco Chronicle column arguing that a breakup of Microsoft may not be sufficient. "In other words, it's not obvious that enough users are likely to adopt Linux in the near term to create a market large enough to induce the new Microsoft-descended applications company to develop Office for that platform -- even if the company makes its decisions strictly on the basis of its own economic self-interest, without regard to its former OS colleagues."

News.com looks at the possible effects of a Microsoft breakup. "On the other hand, current makers of Linux office software such as Corel, Applix' VistaSource or Sun Microsystems' StarOffice would face a fierce new competitor already established as the standard. Netscape might not be the standard Linux browser. And Windows Media Player might give RealNetworks' RealPlayer even fiercer competition."

This Reuters article ponders the possible effects of a Microsoft breakup on Linux. "'Linux is on track to beat Microsoft regardless of what the Justice Department does,' said Larry Augustin, chief executive of VA Linux Systems Inc., a developer of systems and services optimized for Linux in Sunnyvale, Calif. 'I think that separating the company into an applications piece and an operating systems piece though, could significantly accelerate that, particularly since the applications piece of the company would have a strong economic incentive to port Office to Linux,' Augustin said. 'If Microsoft Office ran on Linux immediately we would see Linux with a 10-15 percent share of the desktop operating system market,' he added."

FUD and Counter-FUD

Here's another piece of old-time ZDNet FUD of the type we've not seen for a while. "What amazes me the most is that open source has gained so much momentum without showing any goods. It's a dot-com - all hype and speculation and no fundamentals. It's like an onion in a bushel of apples. Someone might notice that it looks and tastes different, but peel away its layers, and there's nothing there."

Red Hat's Bob Young responded in this article. "John, you are welcome to continue to insist that this open-source movement cannot continue to succeed. Just don't try to claim it isn't succeeding. With partners like Dell, Oracle, IBM, Compaq, SAP, Computer Associates, Netscape, Intel and thousands of others, and the large and rapidly growing market share figures shown above, this thing is big and getting bigger."

Evan Leibovitch compares Richard Stallman and John Taschek (author of the first article) in this ZDNet article. "John Taschek, meet Richard Stallman; two sides of the same coin, attacking the open source movement from opposite sides. Despite the polarity of their otherwise unrelated assaults, their arguments unwittingly combine to prove what a genius Linus Torvalds really is."

More Opinions

Computer Currents seems mystified by the interest in Linux. "Linux, despite becoming very well-known more than two years ago, has become nothing more than an experimental novelty among desktop operating systems, and is rarely used for any server application besides Web service. Its growth may have stagnated while still in the single-digit percentage range. Yet people flock to Linux classes, even though its spread in corporate IS, and the corresponding career opportunities, are only a future possibility."

Here's a ZDNet column, ostensibly about the Piranha vulnerability, that brings back memories of the Good Old Days of ZDNet's Linux coverage. "The appearance of a security issue at a time when users are still asking for more applications is unlikely to bolster the fortunes of Linux stocks, which tumbled faster and farther than general technology issues in April. Quality assurance and security aren't the only issues: Outside of a few suites, there is a lack of widely available office software; consumer versions of the OS are relatively untried; and open source code's open-ended nature - with many developers working on different parts of the system - makes some information technology (IT) managers nervous about its predictability."

Open Software Law - France

Liberation has posted this article (in French) about the proposed French open software law. It's a sympathetic piece. For non French-capable readers, the Babelfish translation is relatively readable. (Found in Portalux News).

Thanks to Stefane Fermigier, we have an extensive list of all press coverage of the proposed "open software" law in France (as described in last week's LWN). Check out Stefane's list for more articles - in more languages - than you could ever read...

Resources

FirstLinux has posted a series of articles with the theme "I've installed Linux: What Next?" The articles cover topics like email, web surfing, graphics, and more.

If you've never set up a network before, this article from Gianluca Insolvibile is intended to get you started.

This week's Dear Lina column takes a look at the file command and cable modems.

Interviews

Slashdot has posted their interview with Richard Stallman. "Warning: The interview below contains mature concepts and strong opinions. It may not be suitable reading for easily-angered readers whose views conflict with Mr. Stallman's."

Olinux.com.br interviews Pradeep Bhanot, the director of Linux marketing at Oracle. "Oracle's primary focus is on Linux as a server OS. Oracle wants to see Linux succeed as an OS as it offers customers openness and superior TCO. There is strong developer and customer demand for Linux. There have been over 200,000 downloads of Oracle products on linux from our developers site at http://www.technet.oracle.com."

Section Editor: Rebecca Sobol
Announcements

Bruce Perens has announced the "release" of Bruce 2.0, otherwise known as Stanley Charles Perens.

Resources

May Linux Gazette available. The May issue of the Linux Gazette is out.

Tutorial on the GNU Privacy Guard. Kuro5hin has put up a tutorial on the GNU Privacy Guard (GPG). "Congratulations. You now have a pair of keys. One is private, and one is public. Think of them as a birth certificate, library card, and drivers' licence rolled into one."

Book Review: APC Linux Pocketbook. Adam Jenkins, a member of Linux Users of Victoria, has posted a book review of the APC Linux Pocketbook. "This book is aimed at intermediate Windows users who would like to try Linux and want a little guidance, but are prepared to refer to manuals themselves once they're started".

Linux Laptop-HOWTO. The Linux Laptop-HOWTO is a HOWTO covering laptop related Linux features, such as installation methods for laptops (via PCMCIA, without CD drive, etc.), laptop hardware features and configurations for different (network) environments.

Events

UK Events. Thanks to Roger Whittaker at SuSE Linux UK we have this list of UK events:

TheLinuxStore.com and EBIZ Enterprises Offer Free Seminar. TheLinuxStore.com and EBIZ Enterprises Inc. announced a series of free seminars aimed at business executives and Linux enthusiasts. The first will be held Friday, June 9 at The Buttes Resort, 2000 Westcourt Way, Tempe, Arizona.

LinuxFest in Independence, Virginia. LSNet, a North Carolina based ISP, sent us this announcement about a LinuxFest to be held Saturday, June 24, 2000 in Independence, Virginia.

O'Reilly's Open Source Software Convention. O'Reilly sent this announcement for this year's Open Source Software Convention, in Monterey, CA July 17-20 2000.

7th International Linux Kongress call for papers. The 7th International Linux Kongress will be held at the University of Erlangen on September 20-22, 2000. The call for papers has gone out; submissions are due by the end of May.

Web sites

User Group News
Software Announcements
Our software announcements are provided courtesy of FreshMeat
Linux links of the week

The Linux Game Tome is back, after a long interruption. Have a look for the latest in Linux gaming news.

The Linux for Laptop Computers (or LiLaC) site is maintained by Werner Heuser, author of the Linux Laptop HOWTO. It is a comprehensive source of information on issues with laptop systems, and contains what must be the definitive list of working PCMCIA cards.

Section Editor: Jon Corbet
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

Date: 27 Apr 2000 20:35:24 -0000
From: Eric Smith <eric@brouhaha.com>
To: letters@lwn.net
Subject: Linus on kernel debuggers

Linux Weekly News of 27-Apr-2000 reports:

Linus has long had a dislike for interactive kernel debuggers. His position is that they lead developers to fix symptoms; he would rather they stare at the source and come to an understanding of the real problem.

Yeah, user-space GDB is a real drag also. Too many programmers use debuggers as a crutch, when it is obvious that simply staring at the source code is *so* much more likely to result in true enlightenment.

I always hate it when the hardware guys use logic analyzers, oscilloscopes, and simulators to find bugs in their designs. Obviously the correct way to verify or fix hardware designs is to stare at the Verilog code and schematics until your eyes bleed.

And when my car's engine is making a funny noise, I'm appalled when the mechanic actually looks under the hood and finds the problem immediately, rather than spending a few days thinking about what could cause that sound. It's hard to believe that using methods like that, anyone could develop a true understanding of what's going on in there.

Engineers today rely way too much on fancy-shmancy tools to help with their tasks. Back in the old days, we only had printf(), and WE LIKED IT. So what if it took weeks to fix obscure kernel bugs that with better tools could be found in days; the important thing is the process, not the results. Just like the "new math".

Of course, good engineers don't use time-saving tools like compilers, either. If the program is worth writing, it's worth writing in assembler. Or better yet, toggling in binary via the front-panel switches. (It's not a proper computer unless it has front-panel switches.)

Seriously, though, I don't understand why Linux thinks that debuggers "lead developers to fix symptoms". I've used both kernel- and user-space debuggers to find many hundreds of bugs, and in the vast majority of cases have been able to fix the underlying problem, not just symptoms. It's not at all obvious how having an additional tool and source of information can make it more difficult or less likely to develop an understanding of a problem.

Eric

From: LucFrench@aol.com
Date: Thu, 27 Apr 2000 05:34:05 EDT
Subject: Re: soft tissue
To: allan@stokes.ca
CC: letters@lwn.net

Allan Stokes wrote:

> It's exactly the same when look at the bone yard of proprietary encryption
> algorithms broken and ignore the "soft tissue" of proprietary encryption
> which hasn't been broken. Or as most people assume "hasn't been broken
> yet". Which is exactly what the dinosaur people assumed about the kinds of
> fossil fragments they had not yet found.
>
> Perhaps someday the mathematics of "provable security" will be invented and
> they will look back at some of the proprietary work done today and discover
> that some of it was actually warm blooded after all.

I think I can make a statement that any professional cryptographer will agree with:

If your encryption method (be it an algorithm, the underlying random number generator, or the program itself) must be kept secret in order to be secure, it is insecure.

The reason most cryptographers dislike proprietary algorithms boils down to this. (There are some wrinkles and qualifications to that statement, but not many; and there are some other problems, dealing with trust and generic attacks.)

I'd also like to point out that "Hasn't been broken yet" is the status of all computer based encryption algorithms, both open and closed. It's similar to all scientific theories' status of "Hasn't been disproven yet".

As to the possibility of a Unified Security Theory, such a thing is quite frankly impossible. It's too complicated to go into in a letters column, but it boils down to the fact that 'secure' and 'insecure' are qualitative, rather than quantitative, terms. Quantifying either requires complete knowledge of all possible attacks; and from here we get into circular logic.

BTW, the cold-blooded dinosaur theory came about because all known lizards are cold blooded, and dinosaurs were clearly big lizards; therefore, dinosaurs were probably cold blooded. The syllogism was flawed only because of an unknown assumption (lizards don't have to be cold blooded). You've used a flawed syllogism as well, that because Assumption A and Assumption B look alike, and Assumption A has been proven false, Assumption B must be false as well.

Just as a final note:

> Of course, anyone dumb enough to trust someone who spends too much time
> alone in a dark room deserves what they get. But that doesn't mean they
> were wrong. People spend too much time forming opinions about what is
> technically possible (we don't know) and then end up misplacing the emphasis
> which belongs entirely on the social issue of what kind of development
> processes we choose to trust.

Actually, the underlying assumption is closer to "if you are hiding something, you may have reason to be hiding something, and since we don't know what you're hiding, we are therefore unable to trust you".

*THAT* is why it's so important that encryption methods be open, and known vulnerabilities be listed; else, how can I, Strawman Consumer In Need Of A More Secure Computer Than What I Have Now, trust that you, Strawman Encryption Expert Trying To Sell Me Something, are being honest?

This is what is driving people to open source for security in the first place; if you have the code, implementation flaws are easy to spot (assuming the code isn't some kind of hairball), and back doors are hard to put in (bogus stories involving fish of a South American persuasion notwithstanding).

Thanks
Luc "Jude the Secure" French
Date: Thu, 27 Apr 2000 12:46:24 -0500
From: "John J. Adelsberger III" <jja@wallace.lusArs.net>
To: letters@lwn.net
Subject: "Warm blooded security"

In his letter dated April 21, Allan Stokes points out (validly) that lack of peer review and general understanding does not necessarily imply insecurity of an encryption algorithm.

He fails to make the point that is crucial when you need a working system on a deadline in the real world: there is no provable security today, and at this track, the rules are a little strange:

1) Betting on the underdog does not increase the payout if you win; all winning bets pay the same.

2) The fact that my horse wins does not necessarily imply that yours will lose.

3) Despite 1 and 2, there are still underdogs and favorites.

Under those circumstances, betting on an underdog is all loss and no gain. Certainly, it would be wrong to disparage researchers into unknown areas of math, whether crypto or otherwise - but deploying their research prototypes as production systems is a most brazen sort of foolishness, and trusting an algorithm that is unknown to most of the research community over one that has been widely examined is even worse.

--
John J. Adelsberger III
ETAONRISHDLFCMUGPYWBVKXJQZ
jja@lusars.net

From: nride@us.ibm.com
To: ghaverla@freenet.edmonton.ab.ca, letters@lwn.net
Date: Thu, 27 Apr 2000 11:55:34 -0600
Subject: Printing in Linux

The UNIX printing model is dreadfully lacking. Certainly you can find out that you have some printers out there by looking in the printcap file, but what do you know about those printers? The whole printcap concept was designed in the days when your printer could handle raw ASCII and not much else.

If you look at the architecture of more "Modern" operating systems, there is a well defined API for printing. A device manufacturer codes a driver to that API and the applications use that API to render their jobs. Thus, all applications use the same rendering API, and the same rendering API can render to PostScript, PCL or whatever other printer language the printer uses.

Contrast this to UNIX where the application has to implement its own rendering routines or use a third party library. If the user wants to print to a PCL printer and his application only does PostScript, he's out of luck or has to use GhostScript. GhostScript effectively becomes the printer driver for many people and PostScript becomes the rendering API.

While this state of affairs isn't too bad, it's not too good either. If you can cover PCL and PostScript, I'd guesstimate that you'd be covering about 90 to 95 percent of the printers out there. As for finding out attributes of the printer (How to use those extra paper trays, etc) Adobe has a Portable Printer Definition format for PostScript printers and Microsoft has a Generic Printer Definition format for PCL printers. You can code a "Driver" outside the application to read these two formats and add headers to your jobs and you'd be doing pretty well. The Printer Working Group (www.pwg.org) is working on an XML based printer definition format, as well. There's room for a lot of cleverness in building interfaces from files in these formats.

For approaches that involve actually building the correct architecture, I know of a couple of projects underway. There is an open API called XPRT which looks kind of interesting. You send X commands to a server and it renders a printing language. XFree86 4.0 seems to have some XPRT support. The Gnome people seem to also be working on an API which I assume you'd have to use Gnome to take advantage of.

Personally, I'd like to see an open solution which doesn't lock you in to a particular environment while it brings UNIX printing up to date.

--
Bruce Ide
nride@us.ibm.com
IBM PSC Driver Development

To: letters@lwn.net
Subject: Printing is definitely below-par
From: Alan Shutko <ats@acm.org>
Date: 27 Apr 2000 10:04:46 -0400

Gordon Haverland stated that printing on Linux is perfectly fine. Unfortunately, he's missing a lot of fundamental points. While it is true that you can simply pass stuff off to LPR and something will come out the printer, there's a lot of other stuff that printing apps need to know that has never been a consideration of lpr.

First, the current Linux "printing system" gives no information to apps of the fonts available. While X can do this, you would need to install fonts in two places. X only provides bitmaps, so you can't pass outlines to the printer unless you write your own font subsystem and require that fonts be installed there. (You'd also have to do this to gain additional metric information that isn't available via X.)

How do you ask lpr what sizes of paper are available, or tell it to collate and staple output jobs? You can't. How do you select the tray? You can't.

While some of these problems are fixed in LPRng for certain printers using certain filtering systems, other problems remain.

--
Alan Shutko <ats@acm.org> - In a variety of flavors!

From: "Corfield, Richard" <RICHARDCO@POLK.CO.UK>
To: "'letters@lwn.net'" <letters@lwn.net>,
Subject: Re: Printing and Re: WordPerfect "review"
Date: Thu, 27 Apr 2000 12:53:14 +0100

I'd agree that the existing print system under UNIX is very strong. Its standardisation on PostScript as a printing language should make life a lot easier for software developers, users and administrators alike.

Software developers because they only need write drivers for PostScript.

Users because they can always preview output, and manipulate it with tools such as GS, GV and mpage.

Administrators because they can redirect output to any printer knowing that it's in a language that the printer driver can understand. They can also filter it on the way (mpage for example). The job is only translated from PostScript at the last minute.

My experiences with some other printing systems seem to confirm these advantages. It's a pain when you can't preview output and it's a pain when you can't print to a printer because you can't find the driver disk to set up your wordprocessor to be able to create jobs for it. It's also a pain when one version of the OS has a printer driver with mpage like functions and the version I work on doesn't so I can't print two sides on one from my desktop. Under Linux you can apply mpage to any print queue regardless of the type of printer on the end of it.

The only problem with the system is that the word processor has no knowledge of what the capabilities of the printer are. This causes me problems at times because my printer cannot handle small margins and some programs try to print into them so some edges can be lost.

What seems to be needed is a way for the word processor to find out what paper sizes and margins the particular printer supports, whilst keeping the advantage of a printer agnostic printing language and without bringing in all of the problems with a certain other system when you do this. For example I find it annoying when I load a document into a word processor to find that it has been "Changed" because my word processor has a different default printer to the original author's.

Perhaps an extension to lpd or lpr or lpstat could allow the word processor to find things like paper size, margins and perhaps colour capability. Then the only problem is what happens when you try to print a document on a less capable printer than that intended by the original author, and you're not using something like LaTeX where it doesn't really matter too much.

Certainly something that must happen is that this must be solved correctly, rather than just copying the solution from somewhere else, warts and all.

- Richard.

<Standard Disclaimer: All opinions my own and not those of my employer, or probably anyone else in my office for that matter>

Date: Tue, 2 May 2000 21:10:33 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
To: Tammy_Cavadias@zdcommunity.com
CC: letters@lwn.net
Subject: http://www.zdnet.com/zdnn/stories/comment/0,5859,2555159,00.html

... the Taschek column on Open Source.

Was that op-ed? If so, it should have been slugged. If not, it's shoddy journalism.

[Looks again]

Ok, it's commentary. Is it ZDnet's intent to reduce readers' opinion of its worth by running commentaries that are obviously based on factually incorrect premises and incomplete research?

*I* could write opinion columns too (and I do, my weblog address is listed below), but that doesn't mean anyone would read them...

A major fraction of the Internet depends completely on open-source software, written well before the term was coined. BIND (name service), sendmail (mail transport), perl (CGI scripting, among other things) and Apache (>55% of all publicly accessible webservers) are just the most visible examples.

If this column wasn't a troll, then I must cast my lot with the people who'll be ignoring ZDnet completely if it's going to publish writing of this caliber.

Cheers,
-- jra
--
Jay R. Ashworth                                        jra@baylink.com
Member of the Technical Staff
The Suncoast Freenet
Tampa Bay, Florida     http://baylink.pitas.com        +1 888 806 1654

Date: Sun, 30 Apr 2000 04:30:10 -0700
From: Jim Dennis <jimd@starshine.org>
To: Microsoft.atr@usdoj.gov
Subject: Protocols, APIs and File Format Libraries

Hi,

As a long time observer in this industry (having done stints in tech support, quality assurance, development, and systems administration) and as a writer and industry journalist (having written one book on Systems Administration, a few articles for various magazines, and an online technical support column) I'd like to comment on the possible measures that you will take vis a vis the Microsoft case. (Duh! That's what this e-mail address is for, isn't it?)

Obviously we'd like to arrive at a solution which is remedial, punitive, and deterrent.

I don't believe that a breakup and ongoing regulation of Microsoft's business will achieve these goals. Unfortunately any ongoing regulation of their company is likely to be mired in bureaucracy and hampered as it becomes increasingly politicized. It will be interesting to see how future administrations will meddle in these affairs.

The set of measures that I believe would offer the greatest remedy to consumers and industry participants while acting as a fitting punishment to Microsoft and possibly even deter future monopolists would be to require that Microsoft fully document their protocols (networking), APIs (programming interfaces) and file formats.

These elements of their software are necessary to achieve interoperability. They are also the very elements that Microsoft has obscured and changed in order to stifle competition and thwart innovation throughout the rest of the industry.

Furthermore I'd recommend that the only form of acceptable documentation for these software standards would be a set of functional "reference implementations" of the necessary utilities and libraries to perform the core operations of each protocol, call each API function, or read, parse and manipulate each file format.

These reference implementations would have to be published in true "open source" form and subject to a FREE license --- which specifically allows commercial and proprietary derivative works by third parties. (I would not recommend the GPL --- a BSD like license would be more appropriate).

I'd also recommend that the court should require that these implementations be delivered in a timely fashion, that they be in ANSI standard C and/or C++ programming languages, that they must compile on non-MS operating system platforms (pick three --- Linux, FreeBSD, Solaris, etc) and non-Intel (x86) hardware.

A reference implementation is the only adequate documentation which can be accepted in this case --- since any other form is subject to endless subjective legal wrangling and interpretation which would necessarily cross the disciplines of computer science and jurisprudence. A reference implementation would also include a compliance suite. It can be unequivocally and objectively judged. Either it compiles and demonstrates interoperation with Microsoft's own software, or it fails and Microsoft can be fined, enjoined from releasing new products, etc.

Of course Microsoft would be required to deliver such a suite for their existing operating systems and applications suites. This would be required to be done in a timely fashion.

More importantly: The court should hold that Microsoft must continue to publish such reference implementations for all future upgrades and products.

For future upgrades and products it would be reasonable to require that these reference implementations be published prior to software release and tested immediately. Microsoft could then be enjoined from distributing new products and new revenue generating upgrades of their existing products until their products are judged to be in compliance (interoperable) with their own published reference standards.

I believe that this approach has a number of advantages:

* Objective criteria
* Respect of Microsoft's legitimate intellectual property
* Freedom to innovate
* Low cost to the Federal Government
* Little requisite regulatory burden
* Promotion of both the competing commercial software industry interests and the open source and free software movements (and other consumer interests).
* Low public perception of meddling and bureaucracy
* Academic and educational benefits

Note that this plan does respect Microsoft's rights to its intellectual property. It doesn't require them to publish or provide any access to the source code of their current and future products. These reference implementations can be completely independent or they can be functional subsets of Microsoft's code.

It also allows Microsoft to continue to modify their software (operating systems and applications) and to freely "integrate" and separate these products for their own business interests.

However, it does so in a way that ensures that other companies can make competing products, enhancement utilities, etc. It also ensures that the U.S. Federal Government, international interests, and other parties will be able to maintain their document, networking and internal software infrastructures regardless of what Microsoft does with their future products and upgrades. (Indeed with these reference standards you significantly reduce the risks associated with use of proprietary software in general).

Regardless of any breakup, and in addition to any regulatory oversight and punitive fines that you impose on Microsoft I recommend that you do the rest of the country some tangible good by requiring reference standard implementations of all networking protocols, application programming interfaces and file formats that Microsoft uses to "integrate" their clients to their servers, and to interface their applications with their operating systems, and to sort and interchange their documents, configuration data, account and management databases, etc.

Thanks.

--
Jim Dennis                                             jdennis@linuxcare.com
Linuxcare: Linux Corporate Support Team:            http://www.linuxcare.com

Date: Wed, 03 May 2000 13:09:52 -0400
From: walt smith <waltech@bcpl.net>
To: letters@lwn.net
Subject: several fundamentals

Dear LWN readers,

Distributions are proliferating like mosquitos in spring. The basis for being in business and obtaining funding for doing so has almost always been that money is to be had from service, and not sales of the basic (software) box. I disagree. However, service appears to be a necessary reason in order to achieve funding for Linux companies to exist.

The Microsoft empire is largely based on sales of (software) boxes at a reasonable price. I believe their prices, historically, have been reasonable. Many Linux boxes are approaching the same price basis. There is the caveat that the sink and entire kitchen are thrown in with the box. In other words, sales of the box are significant and important, and should be recognized as such. I feel more notice of this is necessary.

--

I had an interesting experience recently. It should prove valuable to marketing psychologists. After actually spending some loot on a Linux box off-the-shelf, I had a revelation. Like many, I'd borrowed Linux CDs, and also downloaded free Linux from the Internet. When I went to "retailer", I knew I was purchasing "free" software. Why? It wasn't free! But it was the feeling of getting something free and paying a little for the tiny manual and box. The convenience of the CD !! ? or was it?

Nope! It was the feeling that, even free, that the box wasn't a sole source product. I knew the product would be upgraded "soon", but so what? it was cheap ($29). I knew it was free if I really wanted it to be free! I knew if I didn't like it, I had a choice of multiple different packages with the same underlying function and commonality (/lilo/, /usr/, ext2fs et. al)!! ..all free or shelved at competitive prices! It was a feeling of buying into a community; that same feeling non techies have buying Nikes or Windows. And I knew it was ALL there - no additional $$ for a wordprocessor, compiler - Jeeze! I even had multiple selections.

--

I read on LWN that the new 2.4 kernel isn't due until possibly Autumn. This is a shame!! One of the Hallmarks of Linux is the *continuous* improvement. Waiting beyond some magical number isn't good for me psychologically nor a significant part of the Linux community. I understand the tradeoff for the stability that many (larger corporations) require. Perhaps there's too much concern? PLEASE! this is not a swipe at Alan or Linus!!! I'm concerned about the market momentum, and I don't have a solution.

--

One last prediction. SGI has moved in the right direction to adopt Linux. If they were a company with diversified products, it'd be even better. I believe neither SGI, nor Sun can continue as they have been: major changes are coming. This might mean the names SGI and Sun disappear, like DEC.

regards,
Walt Smith, Baltimore