Leading items and editorials

Motif is open source - almost. The Open Group has announced that the Motif toolkit, long the standard X toolkit on commercial Unix systems, has been released under a "public license." This license looks roughly GPLish in that it requires that source be made available and disallows restrictions on redistribution. It has an interesting twist, however, in that it only allows for use of the software on "operating systems which are themselves Open Source programs." That restriction violates section eight of the Open Source Definition, in that it ties the software to specific products. The Open Group recognizes that its license is not "open source," and deals with the issue explicitly in the Open Motif FAQ. They claim they hope to make it truly open source at some point in the future.

The license also fails to define an "operating system." Presumably it can run over the Linux kernel - but what if the user is running a proprietary X server? Can you run it on OS X, with its BSD-based kernel? According to the FAQ, the answer would appear to be "yes." Mac users may prove slow to take the opportunity to run Motif on their systems, however.

Chances are, anyway, that the license will prove good enough to get Open Motif onto the CDs of most or all of the major distributions. And that, of course, is the Open Group's goal. Motif currently is tied to a slowly dying platform - proprietary Unix systems. While commercial Motif products have been available for Linux for years, interest has been relatively low. It is, after all, not free software. Now it is perhaps free enough, but it also looks very much like too little, too late. Two years ago, Motif might have become the toolkit (and desktop) of choice for Linux. But in that time the Linux world has learned to do very nicely without Motif, and has developed two high-quality alternatives.

It is hard to imagine a newly-freed Motif attracting the same sort of incredibly vibrant and productive development team that characterizes both GNOME and KDE. Even in its heyday, Motif never generated all that much enthusiasm; why should it do so now when there are newer and better systems available? So Open Motif looks to have a useful role in helping the porting of legacy software from proprietary Unix systems, but it may well not succeed much beyond that. It is, of course, a good thing to have more code available, and there may well be valuable lessons to learn from Open Motif. But its window of opportunity to take over the Linux desktop closed some time ago. (See also: the LessTif project, which intends to continue in its (successful, so far) effort to create a truly free Motif clone; ICS's announcement of Open Motif services; Imperial Software's announcement of its Open Motif distribution; and the new, relaunched MotifZone site).

Microsoft versus Slashdot. Most readers will have long since seen Microsoft's notice to Slashdot requiring the removal of some comments posted to the site that are alleged to violate Microsoft's copyrights. In the simple facts of the matter, Microsoft might even have a point. If we respect copyright law (which, after all, provides the force behind the GPL), we should respect it for everybody. Directly posting Microsoft's copyrighted material was probably not the best move. Microsoft is also complaining about a couple of other things, including instructions on how to avoid the "click-wrap" license and links to the material on other sites. Its case seems rather weaker here. If we value the web at all, we certainly need to resist making linking a crime.

The real point of interest here, though, is that this affair highlights once again the form that the real counterattack against free software may take. Free software cannot be bought out, it is tremendously difficult to compete against, and FUD tactics have proven mostly ineffective. It is a sad possibility that intellectual property law may work where other tactics have failed. Why compete against free software, if you can simply prevent its development and/or distribution in the first place?

The issue in question at the moment is Microsoft's extensions to the Kerberos protocol. With a few small tweaks, Microsoft has taken an open standard and turned it into a proprietary, non-interoperable mess. Now they seek to prevent the development of code which will restore interoperability to heterogeneous networks. It is hard to imagine a more transparent attempt to maintain a monopoly at the consumers' expense. Like the DVD and CyberPatrol cases, this one threatens our right to program. For years free software was hampered by lack of acceptance, users, and developers. What a shame it will be if, now that those obstacles have been overcome, free software is blocked by intellectual property claims and lawyers. We cannot afford to let things go that way. (See also: this Technocrat article by Bruce Perens saying that the Kerberos problem could have been avoided had the Kerberos protocol been covered by a different license).

SGI pushes toward Linux. SGI has announced a new line of workstations which will, it hopes, begin to turn around the company's poor performance in recent years. The systems look more reasonable than SGI's last attempt: the pricing is reasonable, the graphics are good, and so on. These might actually be computers that somebody wants to buy. SGI may claim that it still stands behind IRIX, but the press release tells another story. The name "IRIX" is mentioned three times; "Linux," instead, appears 25 times. (NT is mentioned eight times). These systems are being sold as Linux machines, not IRIX machines. Thus, SGI has jumped into the business of putting Linux on the desktop - a place where few have dared to go. Happily, SGI evidently plans to go beyond its current single distribution offering by adding support for SuSE and TurboLinux as well.

On the development side, SGI has also announced the release of its C, C++, and Fortran compilers for the IA-64 architecture. According to the announcement: "These Linux compilers, which were recently demonstrated at Intel's Spring 2000 Developer Forum in Palm Springs, Calif., contain additional optimizations that take advantage of the power of the Itanium processor over those of other public compiler implementations." In other words, they appear to be positioning themselves as competition for gcc as the standard Linux compiler for the IA-64. The donation of technology is always welcome - especially for a tricky task like compiling for the IA-64 - but one hopes that SGI can find a way to fold its improvements into gcc. In any case, the compilers join a very long list of SGI contributions to Linux. SGI has, in fact, become one of the larger corporate contributors to the system, donating code for compilers, graphics, the kernel, and more. SGI appears to be quite serious about Linux. With luck, all this work will help SGI find success in the Linux arena.
May 18, 2000
Security

News and editorials

Vulnerable CGI scripts. A "theme" in security for the past week seems to have been reports of vulnerable CGI scripts. To demonstrate, below is a list of recent reports:
Lots of functionality has been added to common scripting languages, such as perl, to make it possible to write secure CGI scripts. However, it takes time and effort to learn how to do it right. The list above says that people aren't taking that time; they are writing scripts in a sloppy manner and freely borrowing such scripts from other people without either auditing them or understanding how to fix them if they do. Now is the time to understand that such scripts not only are insecure, but that exploits for their vulnerabilities are available and are being circulated. Time to make a list of your CGI scripts now and audit them. Don't wait and expect bug fixes and updates from the authors of such scripts; they may not be forthcoming and you'll remain vulnerable in the meantime.

BugTraq Vulnerability Database Statistics. Which operating systems really have the most security problems? Have a look at the BugTraq statistics for a clue. They have made up some charts of how many security problems they have seen on each system over the years. "We leave the interpretation of these numbers to you."

We contacted Security Focus and asked a few questions about the statistics. First, because only Red Hat and Debian were directly listed, yet the sum of "Linux (aggregate)" was clearly higher than the sum of those two, we checked to make sure that Linux vulnerabilities were not being counted twice just because they were reported on multiple distributions. They are only being counted once. Second, we checked on how they determined that a particular vulnerability was a "Linux" vulnerability. A specific package is not considered to be "part of Linux" unless it is shipped with a specific Linux distribution. Of course, especially when Debian is included, that is a vast amount of free software, but a package won't be considered part of Linux just because it is possible to compile and run it on a Linux platform.

Last, because we'd love to know, we checked to see if statistics on how many of these vulnerabilities have been fixed were available. They are not, historically, but the ability to track this information has been recently added to the database, so such statistics will be possible to report in the future. Linux developers and distributors: make sure you are getting out fixes and updates for all the reported vulnerabilities. Otherwise, we are all bound to be embarrassed when full statistics on this topic become available.

Bruce Schneier's CRYPTO-GRAM (May 15). This month's edition of CRYPTO-GRAM editorializes on the need to view security as a process, not a product, with the accompanying analysis of "acceptable risk". It also reports on the Cybercrime Treaty, a proposed treaty of the Council of Europe that would "make it illegal to create, post, or download any piece of software that is 'designed or adapted' to break into computer systems", effectively tying the hands of systems administrators and researchers who are working to improve security.

Stoic Distro for the Paranoid (LinuxNews). LinuxNews takes a look at the recent announcement for Nexus, a new secure Linux distribution. "Unlike many currently available Linux distributions, Nexus isn't being promoted as a user-friendly proposition. 'Nexus does not try to appeal to the novice user, or even be usable by him. We sacrifice "ease of use" for power and security.'"

Security Reports

Bad ssh-1.2.27-8i rpms. John McNeely reported to BugTraq a problem with one set of ssh rpms as distributed from the Zedz Consultants web site for Red Hat 6.0 through 6.2. The ssh-1.2.27-8i rpms included a patch for PAM support that allows ssh to be used to log into any valid account. Note that the 1.2.27-7us and 1.2.27-7i rpms, also available, are not vulnerable. OpenSSH is also not impacted by this report. Removing the bad rpms and using unaffected rpms or OpenSSH is recommended. Check the Security Focus vulnerability database for more details.

kscd: KDE CD reader. kscd, the CD player provided with the KDE multimedia package, can be easily exploited to gain root privileges. If you have this package installed, the suid bit should be removed immediately. No official update for kscd has been posted, as of yet.

Netscape warnings for invalid SSL certificates bypassed. The ACROS Security team posted an advisory detailing how a failure to issue a warning for an invalid SSL certificate, present in Netscape versions prior to 4.73, could be used to grab supposedly secured information from a third site, including potentially credit card information. Netscape has confirmed the problem, fixed it in Netscape 4.73 and made available a Personal Security Manager (PSM) to rectify the problem in older versions. Either an upgrade to 4.73 or the installation of the PSM is strongly recommended.

Netscape tmpfile vulnerability. Netscape versions 4.5 through 4.73 contain a tmpfile vulnerability that can be exploited to read alternate files on the system or possibly modify them. For more information, check the SecurityFocus vulnerability database.

Kerberos buffer overruns. Multiple overruns in the MIT and Cygnus Kerberos implementations have been found and some of them have been demonstrated to be exploitable, according to this BugTraq posting. The KTH implementations have been reported not vulnerable. MIT will release krb5-1.2 with fixes for these problems "shortly".

gnapster and knapster vulnerability. A vulnerability has been reported in gnapster and knapster which can be used to obtain any user-readable file, not just shareable MP3 files. This is the same vulnerability reported last week in FreeBSD's gnapster port in this advisory. Corrected versions of knapster and gnapster were promptly made available.

antisniff. A DNS buffer overflow in AntiSniff, a tool for detecting sniffers on a local network, can be exploited remotely to execute commands as root. L0pht, the original source of the program, has issued an advisory for the problem.

Commercial Vulnerabilities: Vulnerabilities have been reported with the following hardware:

Updates

xsoldier. An exploitable buffer overflow has been reported in the xsoldier game.

Linux kernel. UDP and masquerading vulnerabilities have been reported in the Linux kernel 2.2.14 and prior. Note that the Red Hat update appears to also include a fix for knfsd which is not mentioned in the SuSE advisory.

Resources

Security Focus releases Pager 3.0 beta. Pager 3.0 beta is a new product from SecurityFocus that will let you get your BugTraq fix in real time via a direct link to the SecurityFocus.com database. "The pager employs client-side filtering, ensuring the details you provide it about your network setup remain confidential - nothing is transmitted to the Security Focus database server. The source code for the pager is also publicly available, allowing the community to review exactly what the pager does and does not do."

Nessus 1.0. The first complete, stable version of Nessus, a free, open-sourced (GPL-ed), and frequently updated security scanner, has been announced. "Nessus performs as many security checks as you could expect from a commercial security scanner (over 400) and is very up-to-date regarding this issue. It also has its own unique features, such as services recognition (so that a web server running on port 8080 will _also_ be tested), its own scripting language, and many more (see http://www.nessus.org/features.html)".

Events

May/June security events.
May 22-25, 2000. SANE 2000, Maastricht, The Netherlands.
June 12-14, 2000. NetSec 2000, San Francisco, California, USA.
June 25-30, 2000. 12th Annual FIRST Conference, Chicago, Illinois, USA.
June 27-28, 2000. CSCoRE 2000, "Computer Security in a Collaborative Research Environment", Long Island, New York, USA.

Section Editor: Liz Coolbaugh
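Two of the recommendations in the security section above are mechanical enough to script: "make a list of your CGI scripts now and audit them", and "the suid bit should be removed immediately" for kscd. The helper below is an added example written for this page, not LWN's code nor anything from the projects mentioned. It inventories the scripts in a cgi-bin directory, flagging Perl scripts that run without taint checking (no -T on the shebang line) and scripts with unsafe permission bits, and it lists and clears setuid/setgid bits under a tree. The directory paths are parameters; build_sample_tree() creates a constructed example tree in a temporary directory so the script runs stand-alone.

```python
# Audit helper added as an example for this page (not LWN's code, nor from
# any project mentioned here). It implements two of the Security section's
# recommendations: build an inventory of CGI scripts and flag the sloppy
# ones, and find setuid/setgid files so the bit can be removed from a
# package such as kscd. Directory paths are parameters; build_sample_tree()
# creates a constructed example tree in a temporary directory.

import os
import stat
import tempfile


def _shebang(path):
    """Return the '#!' line of a script, or '' if it has none."""
    try:
        with open(path, "rb") as f:
            first = f.readline(256)
    except OSError:
        return ""
    if not first.startswith(b"#!"):
        return ""
    return first.decode("ascii", "replace").strip()


def _perl_taint_enabled(shebang):
    """True if a perl shebang carries -T (possibly bundled, e.g. -wT)."""
    args = shebang.split()[1:]
    return any(a.startswith("-") and "T" in a for a in args)


def inventory_cgi(cgi_dir):
    """One record per regular file in cgi_dir, with risk indicators."""
    records = []
    for name in sorted(os.listdir(cgi_dir)):
        path = os.path.join(cgi_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        shebang = _shebang(path)
        flags = []
        if "perl" in shebang and not _perl_taint_enabled(shebang):
            flags.append("perl-without-taint")
        if st.st_mode & stat.S_ISUID:
            flags.append("setuid")
        if st.st_mode & stat.S_ISGID:
            flags.append("setgid")
        if st.st_mode & stat.S_IWOTH:
            flags.append("world-writable")
        records.append({"path": path, "interpreter": shebang, "flags": flags})
    return records


def find_setid(root):
    """Sorted paths under root with the setuid or setgid bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def drop_setid(path):
    """Clear setuid/setgid on path; returns True once neither bit remains."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))
    return not (os.stat(path).st_mode & (stat.S_ISUID | stat.S_ISGID))


def build_sample_tree():
    """Constructed sample: two CGI scripts and one setuid stand-in for kscd."""
    root = tempfile.mkdtemp(prefix="cgi-audit-")
    cgi = os.path.join(root, "cgi-bin")
    bindir = os.path.join(root, "bin")
    os.makedirs(cgi)
    os.makedirs(bindir)
    samples = {
        os.path.join(cgi, "safe.pl"): (b"#!/usr/bin/perl -wT\nprint \"ok\\n\";\n", 0o755),
        os.path.join(cgi, "sloppy.pl"): (b"#!/usr/bin/perl\nprint \"ok\\n\";\n", 0o777),
        os.path.join(bindir, "kscd"): (b"#!/bin/sh\necho stand-in\n", 0o4755),
    }
    for path, (body, mode) in samples.items():
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rec in inventory_cgi(os.path.join(root, "cgi-bin")):
        print(rec["path"], rec["interpreter"], rec["flags"])
    for path in find_setid(root):
        print("setid:", path)
        drop_setid(path)
    print("after:", find_setid(root))
```

On a real host you would point inventory_cgi() at the server's cgi-bin and find_setid() at the KDE prefix; the taint check is only a first filter (a script can run under -T and still be sloppy), so the flagged list is where a manual audit starts, not where it ends.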
Kernel development

The current development kernel release is 2.3.99-pre8. The -pre7 release, which came out on May 12, contained the new configuration option controlling whether devfs is automatically mounted at boot time, the new devfs FAQ, a whole new PowerPC 8620 ethernet/serial driver contributed by MontaVista Software, a number of ethernet driver, USB, and PCMCIA updates, a new Specialix RIO driver, and a new "PPP over ethernet" driver. 2.3.99-pre8 came out just hours after -pre7, and contained a large S/390 architecture update, along with a major RAID update, an Integraphics Cyber2000 frame buffer driver update, and a few other tweaks.

There is a 2.3.99-pre9 pre-prepatch available, in its second revision as of this writing. Most of this patch is a large MIPS64 update; also included is a rewrite of the parallel port documentation, a new ST TDA7432 audio processor chip driver, a number of IDE driver tweaks, a devfs update, an NFS update, and the usual array of small tweaks.

Alan Cox posted a new 2.4 jobs list on May 18.

The current stable kernel release is still 2.2.15. The 2.2.16 process continues with 2.2.16pre3. There have been, recently, some complaints about the performance of 2.2.15, but nothing specific has been found yet.

Memory management problems continue with recent development kernel releases. There is currently a great deal of effort going into stabilizing things, but it is hampered somewhat by a lack of agreement over where the problems really are and how they should be fixed.

Part of the trouble has to do with the zoned memory allocator. On some architectures, there is more than one type of memory to worry about. With i386 systems, only some of the available memory may be suitable for old-style DMA I/O, and "high" memory (above 1GB) has restrictions of its own. So the kernel's memory allocator divides memory into zones, and requests for memory specify which zone they wish to allocate from.

A common symptom seems to be that the DMA zone runs out of memory. Once that happens, the I/O system can run into difficulties because it can't get memory when it needs it. The "kswapd" process, meanwhile, goes nuts trying to free up DMA memory but never seems to get on top of the situation. The performance of the system as a whole falls apart, and users get grumpy. One fairly reliable way to demonstrate the problem seems to be to fire up any sort of application that streams through a lot of data. The inability to do things like play MP3 files is a common complaint. Streaming data plows through a lot of memory while simultaneously keeping the I/O system busy.

Linus thus far has taken the approach of trying to simplify the memory management system as much as possible. Thus many of the recent tweaks are coming back out, in the hopes of making the basic system work; at that point some of them can maybe go back in. This work, along with a couple of fixes to the page freeing and kswapd code, appears to have improved - though perhaps not completely fixed - things in the 2.3.99-pre9 prepatch series. Rik van Riel, Juan J. Quintela, and Ingo Molnar have been working on tweaking the current code, while Andrea Arcangeli continues with his much more complicated "classzone" patch. With that much high-caliber effort being concentrated on the problem, it will probably not be around for much longer, even if the shape of the final solution is not currently clear.

Directory cache changes. Alexander Viro has posted a list of changes which will go into the 2.3 directory cache shortly. The posting includes a warning to anybody who maintains a filesystem that is not part of the standard kernel tree: talk to him soon or watch your code break. Deep filesystem changes like this may seem a little strange during an alleged feature freeze, but Mr. Viro says "This change is _really_ needed." That may be true, but it also reinforces the point that 2.4 remains a distant goal.
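The DMA-zone starvation described in the memory management item above can be seen in miniature with a toy model. The following is an added illustration written for this page, not kernel code: zone sizes are tiny constructed numbers, the fallback order (a "normal" request may take a DMA page when the normal zone is empty) is a simplification of the kernel's zonelists, and the `reserve` floor that fallback allocations may not dip below is an assumption modelled loosely on what later kernels call lowmem_reserve. It goes slightly beyond the text by showing that mitigation alongside the failure mode.

```python
# Toy model of a zoned page allocator, added for this page to illustrate
# how a DMA zone can be starved by unrelated allocations. NOT kernel code.
# Assumptions: zone sizes are constructed; a request falls back to a lower
# zone when its preferred zone is empty (simplified zonelists); `reserve`
# is a per-zone floor that fallback allocations may not dip below
# (a simplification of what later kernels call lowmem_reserve).

ZONE_SIZES = {"DMA": 4, "NORMAL": 16, "HIGHMEM": 8}   # pages, constructed

# Preferred zone first, then fallbacks (assumed order).
ZONELISTS = {
    "DMA": ["DMA"],
    "NORMAL": ["NORMAL", "DMA"],
    "HIGHMEM": ["HIGHMEM", "NORMAL", "DMA"],
}


class ZonedAllocator:
    def __init__(self, reserve=0, sizes=ZONE_SIZES):
        self.free = dict(sizes)
        self.reserve = reserve

    def alloc(self, want):
        """Return the zone a page was taken from, or None if none qualified."""
        for i, zone in enumerate(ZONELISTS[want]):
            # A fallback zone (i > 0) keeps `reserve` pages for callers that
            # can only be satisfied from it, e.g. drivers needing DMA memory.
            floor = self.reserve if i > 0 else 0
            if self.free[zone] > floor:
                self.free[zone] -= 1
                return zone
        return None

    def release(self, zone):
        self.free[zone] += 1


def streaming_workload(alloc, pages):
    """Model an application streaming through data: many 'normal' pages
    requested and held, as happens while playing a large file."""
    return [alloc.alloc("NORMAL") for _ in range(pages)]


def run_scenario(reserve, stream_pages=18, driver_pages=4):
    """Stream first, then have a DMA-only driver ask for pages."""
    a = ZonedAllocator(reserve=reserve)
    stream = streaming_workload(a, stream_pages)
    driver = [a.alloc("DMA") for _ in range(driver_pages)]
    return {
        "stream_spilled_into_dma": stream.count("DMA"),
        "stream_failed": stream.count(None),
        "driver_satisfied": driver.count("DMA"),
        "driver_failed": driver.count(None),
        "dma_free": a.free["DMA"],
    }


if __name__ == "__main__":
    for r in (0, 4):
        print("reserve=%d:" % r, run_scenario(r))
```

With no reserve, the streaming workload overflows the normal zone, takes two DMA pages it has no need for, and the driver's later DMA-only requests partly fail; with the DMA zone fully reserved, the streaming allocations fail instead (where the real kernel would reclaim or swap) and the driver is served. The trade-off the kernel developers are arguing over is exactly where such floors and reclaim thresholds should sit.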
Other patches and updates released this week include:
Section Editor: Jonathan Corbet
Distributions

Please note that security updates from the various distributions are covered in the security section.
News and Editorials

W. R. Hambrecht predicts the future of Linux distributions. The Red Herring has run a position paper by a W. R. Hambrecht analyst on open source companies. In it, they make a firm prediction for what they see as the future of Linux distributions. "Approximately 140 distribution companies exist across the globe. We believe all but the top five will be bought, will go out of business, or will be relegated to insignificance. Market-share leaders are currently defined around geographic boundaries. Red Hat has the largest global brand recognition and leading North American market share, SuSE leads in Europe, TurboLinux leads in Asia, and Conectiva leads in South America."

"Relegated to insignificance" is an interesting turn of phrase. It is a fluffy term, one easily redefined in order to prove that you are correct. If the question is whether there will be around five Linux distributions, each holding a market share that is multiple times the size of other distributions, then the accuracy of their prediction can be gauged. Given the size of the world, though, that could still leave many distributions, each individually with millions of users. Particularly within individual countries, new Linux companies are just starting to develop and may become local favorites. Within those countries, those local distributions won't be seen as "insignificant". Within a specialized niche, say medicine or education, an "insignificant" distribution may still be the best and most popular choice ...

Red Escolar Linux 1.0-10. The initial release of Red Escolar Linux has been announced. Red Escolar Linux is the Linux distribution being developed and supported by the Red Escolar Project, which will be deploying the distribution throughout schools in Mexico.

TimeSys Linux/RT 1.0 released. TimeSys Corporation has announced the release of TimeSys Linux/RT 1.0, its real-time Linux distribution.

VectorLinux. VectorLinux is a small Linux distribution (150MB) intended to be a good base for creating your own home-brewed distribution. Version 0.5 has just been announced. The most unique feature of VectorLinux is that it uses midnight commander to allow the installation of packages from any other distribution, including Red Hat, Debian, Slackware, Stampede, et al.

PKlinux(mini). PKlinux(mini) is a just-announced new Linux distribution based on the Linux 2.3.99 kernel. It loads Linux into RAM, so it can be used to try Linux for the first time without requiring disk repartitioning or space. It is distributed as a ZIP file and is derived from Red Hat 6.1. (From Freshmeat).

Bastille Linux

Bastille Linux 1.1.0.pre1. Bastille Linux 1.1.0.pre1 has been released. Bastille is a security-hardening script for Red Hat-based systems. "Version 1.1.0 runs on non-virgin systems, can run multiple times, is undoable, and includes a log-only mode."

Best Linux

Best Linux 2000 R2. Best Linux 2000 R2 has been released. It includes XFree86 4.0 and a number of other goodies, including Russian language support.

Debian GNU/Linux

Archive and Incoming have moved. Debian developers should note that Archive and Incoming have moved to their new home on ftp-master.debian.org and your uploads should be redirected appropriately.

Program now available for the first Debian Conference. The program for the first Debian Conference is now available. The conference will be held in Bordeaux, France, from the 5th to the 9th of July 2000, in conjunction with the Libre Software Meeting.

Review: Learning DEBIAN GNU/LINUX. AboutLinux has published a review of O'Reilly's Learning DEBIAN GNU/LINUX. "I really liked this book. Even though the book is supposed to be for Debian Linux, users of other distributions might want to pick up a copy as well. I wish I could be as positive about Debian 2.1. I am afraid that Debian 2.1 is now quite obsolete; and in my opinion it would be a poor starting point for someone new to Linux."

Interview: Martin 'Joey' Schulze (LinuxTag). Here is an interview (in German) with Debian developer Martin Schulze which appears on the LinuxTag site. English text is available via Babelfish.

DragonLinux

DragonLinux v0.8. A new version of DragonLinux, version 0.8, is now available for download. DragonLinux is a UMSDOS based installation of Linux with roots in the Slackware distribution. Its target audience is brand-new Linux users.

HURD

Kernel Cousin Debian Hurd. This week's Kernel Cousin Debian Hurd gives the latest on the HURD development.

KRUD

The May release of KRUD, the value-added version of Red Hat by Tummy.com, has been announced. This release is based on Red Hat 6.2, and includes a number of updates and additional goodies, crypto utilities, and more.

Linux-Mandrake

Review: Mandrake 7.1 beta 2 (GNULinux.com). GNULinux.com has issued a review of Mandrake 7.1 beta 2. Along with reporting the usual set of glitches that might be expected with a beta, they mentioned the part that they liked the best. "Since we are so fond of the product, we wanted to conclude on a positive note: In their descriptions, Mandrake refer to GNU/Linux instead of just Linux ..."

LuteLinux

LuteLinux 'Lite' released. LuteLinux has announced the release of its "LuteLinux Lite" distribution. The full version will be released "later this year," and will include an (unspecified) office suite.

Red Hat Linux

Alpha Release of Red Hat for the IA-64. Red Hat announced today the release of a developer's version of Red Hat for the Intel Itanium Processor, targeting high-end workstations and servers. It is available for download at ftp://ftp.redhat.com/pub/redhat/ia64. The full release of this distribution will be made at the same time the Itanium Processor finally ships.

Slackware Linux

Netscape Communicator 4.73 is now available in slackware-current. There are also indications in the Changelog that a beta release for 7.1.0 will be coming up soon.

SuSE Linux

SuSE announces SuSE Linux for the S/390. SuSE has announced support for the IBM S/390, with a beta version of their distribution for that platform due in late June. For more on Linux support for the S/390, check this week's Commerce Page.

FTP version of SuSE 6.4 available. SuSE made available the FTP version of SuSE 6.4 at 12:00 GMT on Tuesday, May 16th. A number of mirror sites (listed in the announcement) apparently had 6.4 up even sooner.

Maclinux (MacDiscussion). MacDiscussion has an interview with Lenz Grimmer and Olaf Hering at SuSE about the new PPC version of SuSE Linux. "What is compatibility like for the vast catalog of applications? Will things run 'out of the box' on SuSE PPC, or will PPC users be plagued with the same problems as most of the Red Hat derivatives, with much x86 specific code causing compatibility problems? Lenz: Well, we try hard to work around these problems. Ideally, you won't notice any difference in ease of use and functionality."

TurboLinux

TurboLinux for the S/390. Joining SuSE, TurboLinux also announced support for the IBM S/390 platform this week. This is currently just an agreement; the release of TurboLinux for the S/390 is scheduled for "later this year". For more on Linux support for the S/390, check this week's Commerce Page.

Section Editor: Liz Coolbaugh
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
Development projects

Red Escolar Returns. This week brought renewed information from the Red Escolar Project - the project which is working to place Linux-based networks in over 100,000 Mexican schools. They've been hard at work and are now in a better place to share information on their status. This week, they issued an invitation (in both Spanish and English) for people to visit their updated web site. They are looking for volunteers to help with translating their documentation into English, test software and provide opinions. Check the Distributions Page to find their initial announcement of Red Escolar Linux on Freshmeat.

Browsers

NewZilla. A new site called NewZilla is presenting itself as "the unofficial Mozilla/Netscape 6 FAQ." It's just getting going, but there's already some good information to be found there.

Databases

InterBase Open Source release imminent (Technocrat.net). InterBase is now "The Open Source Database", according to their web site. To back this up, Michael Bernstein posted a note to Technocrat.net stating that Interbase has announced a tentative schedule for releasing Interbase 6.X under the IPL open source license. "They expect InterBase 6.0 and the source to be officially released in the June or July time frame." A (binary) beta release of Interbase 6.0 for Linux is currently available for download. There are some useful comments posted in response to Michael's note, both supporting the IPL as a good quality open source license and comparing the strengths of Interbase and PostgreSQL. (Thanks to J.H.M. Dassen).

Interoperability

The BIRD Internet Routing Daemon. Martin Mares, best known for his work on the PCI subsystem in the kernel, has announced the release of BIRD - the "BIRD Internet Routing Daemon." BIRD is an attempt to implement all of the current routing protocols while remaining easy to configure; it is licensed under the GPL.

Wine 1.0 coming? The latest Wine Weekly News covers the discussion among the developers on whether it's time to create a Wine 1.0 release. Such a release certainly has been a long time in coming - the Wine folks did not set an easy task for themselves. The code is getting to a point where a 1.0 release is possible, and probably even a good idea - the project leaders think Wine could benefit from some time spent emphasizing stability rather than new features. There seems to be agreement on working toward 1.0, but no time frame for a freeze appears to have been set.

Office Applications

Gimp 1.1.22. Gimp 1.1.22 has been released. Although it mostly contains bug fixes, people are encouraged to give it a test drive and report back.

On the Desktop

KDE 1.90 released. KDE 1.90, code named "Konfucious", is a new beta version of the upcoming KDE 2.0 desktop. "For the developer, KDE 1.90 provides a stable API which will enable developers to commence serious development of their application so they may time the release of their software to coincide with the release of KDE 2.0, scheduled for September 2000." Enhancements to KOffice and the release of Konqueror, a new file manager/web browser, are the key features expected to interest desktop users, though the non-adventurous should probably wait for the official 2.0 release. (From Appwatch).

GNOME 1.1.90 final beta released. "Octothorp GNOME," otherwise known as GNOME 1.1.90, otherwise known as the "hopefully final beta release before GNOME 1.2", has been released.

GNOME at the 2nd Braunschweiger LinuxDays. Martin Baulig posted this report from the GNOME booth at the 2nd Braunschweiger LinuxDays in Germany. It sounds like a good time was had by all.

Help browser needs help. Miguel de Icaza has posted this message describing the state of the Nautilus-based help browser for GNOME. It seems that this package got off to a nice start, but is not currently maintained by anybody. So Miguel is looking for a volunteer to step in and fix it up. Drop him a note if you can help out.

Science

FreeGIS news. Bernhard Reiter has sent in a report from the FreeGIS project, noting the availability of a new mailing list, a new version of GRASS and more.

OpenDX. OpenDX, formerly known as IBM Data Explorer, is an open-source "industrial-strength scientific/data visualization package". IBM made the source code for this tool available almost a full year ago, under the IBM Public License, a license that has been reviewed and generally approved as an open-source license. New resources for OpenDX added in the past month include a new ChangeLog and new binaries for the latest version (4.1.0), including binaries for Red Hat, SuSE and LinuxPPC. (From Python-URL).

Web site Development

April Netcraft survey. The April Netcraft survey is out. Apache continues to rise; it now runs 61.5% of all web sites. (Thanks to Fabian Wauthier).

Midgard weekly summary. Here is this week's Midgard Weekly Summary, by Ron Parker. The bulk of this issue has to do with licensing issues for Midgard documentation.

Zope 2.2.0 alpha 1 released. Zope 2.2.0 alpha 1 has been released. It contains some security updates, a new help system, the new Zope tutorial, and more.

Zope Weekly News. After a bit of an absence, the Zope Weekly News is back. Check it out for the latest in Zope-related happenings.

Section Editor: Liz Coolbaugh
May 18, 2000
Development tools

The aegis project is looking for developers. Aegis is a long-standing project developing a configuration management system with an impressive set of features. Among other things, it includes regression testing built into the system, distributed repositories and more. Those who think they may want to participate in this project should check out this call for developers.

Perl

Culture clash. Here's a story on the Perl.com site by a Perl trainer who ended up teaching a class full of long-time Cobol programmers. "I didn't have to explain filehandles; they already knew about filehandles. But they used jargon to talk about them that wasn't the jargon I was familiar with. 'Oh, you're establishing addressability on the file,' someone said. They seemed pleased at how easy it was in Perl to establish addressability on a file."

The end of Perl development? According to this article Larry Wall has proclaimed that 5.6 will be the last version of Perl. The reason? There are no more weird keyboard characters available... Of course, the article is in Segfault...

Python

Python faqts. The Python faqts site seeks to develop an extensive knowledge base of Python tips and tricks. Here is a listing of the recent additions to the site, as an example of the sort of information that can be found there.

Python-URL (May 15). This week's Python-URL links to discussion about the effbot, performance measurement (for Zope), lightweight database objects and more.

Python to change name? According to this article, Guido plans to change the name of the Python language to "Homer." Of course, this one is from Segfault too...

Tcl/tk

Here is this week's Dr. Dobb's Tcl-URL with the latest from the Tcl/Tk world.

Section Editor: Liz Coolbaugh
Commerce
Linux and business

Mark your calendars. As most LWN readers will already know, when a company goes public the "insider" shareholders are prevented from selling their shares for a defined period of time. This lockup serves to keep the stock price higher while its market stabilizes. When it ends, however, the stock price can suffer as all of the insiders, who have been waiting patiently all this time, cash in some of their holdings. Of particular interest to Linux investors is the fact that Andover.Net and VA Linux Systems both emerge from their lockup periods in early June. Andover comes out first, on June 5; a total of just under 8 million shares, or 50% of the company, will become tradeable on that day. VA comes out the next day (June 6) when 35 million shares, a full 85% of the company, will be unlocked. The end of the lockup does not necessarily spell disaster for the stock price, however. Cobalt Networks came out of lockup on May 2 with no long-term impact. And 30% of Red Hat's shares (part of a longer lockup due to its secondary offering) were turned loose on May 3; in this case the stock's price did fall somewhat, but it is hard to attribute a cause to the drop. (Information courtesy of IPOLockup.com).
Corel/Inprise merger cancelled. From the beginning this deal seemed a bit lopsided. Inprise is the larger company and yet Corel was to do the acquiring. Inprise would get Corel stock and Corel would gain access to Inprise application software, which it could then port to Linux. It could have been very good for Linux, but some would argue that it was never a good deal for Inprise and its shareholders. The recent drop in Corel's stock made the deal even worse for Inprise, and so now the deal has been cancelled. This paragraph from Corel's press release sums it up pretty well. "Because of significant changes since the merger was agreed to more than three months ago, Corel has concluded that it is in its best interest to terminate the agreement at this time. Corel and Inprise/Borland are parting on amicable terms and will continue to pursue opportunities for ongoing partnerships." Inprise has already ported some of its applications to Linux. The deal with Corel might have made the process go faster. Certainly with the deal in place we would have seen Inprise applications bundled with Corel Linux OS. Since opportunities do exist for ongoing relations between Corel and Inprise we may yet see more Inprise applications ported to the Linux desktop and some will no doubt be bundled with Corel Linux. The cancellation of this deal has hurt Corel, as has the recent devaluation of its stock price, but don't count them out yet. The Debian-based Corel Linux OS is still very popular, as is its WordPerfect Office product (for Linux and other OSs). The expected Linux versions of Corel's CorelDRAW and PHOTO-PAINT are still on schedule. Corel may be down, but it is far from out. For Inprise, the cancellation will have even less impact. They will no doubt continue porting at least some of their applications to Linux, though without Corel's expertise it may take them a bit longer. Here is Inprise's brief announcement on the cancellation. 
[Editor's note: Actually Corel is larger than Inprise. The reverse was incorrectly assumed from 1st quarter 2000 performance.]
IBM announces Linux on the S/390. IBM has finally announced that Linux is available for its S/390 mainframe system. IBM will also be offering services and software (such as DB2 Connect) for the S/390 platform. (There is also a photo that goes with the press release). TurboLinux lost no time in announcing an S/390 distribution, which will be available "later this year." Here is SuSE's press release announcing its S/390 offering. They will have a beta version available in late June, with the real product becoming available in the third quarter of the year. BMC Software Inc. has announced a systems management solution on Linux for S/390. Finally, here's a Reuters article about the announcement. "'Putting mainframes and Linux guys together, well, it's almost difficult not to laugh,' said David Floyer, analyst with ITcentrix. 'You couldn't get people farther apart in culture. Linux is the ultimate open system, and the mainframe is the ultimate proprietary platform.'"
AFUL statement on ILOVEYOU virus and Linux. The Association Francophone des Utilisateurs de Linux et des Logiciels Libres (AFUL) has issued a strongly-worded statement (in French) on how Linux systems were not affected by the ILOVEYOU virus. It castigates Microsoft for continuing to ship vulnerable software, and talks of possible liability for the damages. There is a strong recommendation for businesses and governments that they should switch to free software to avoid these problems in the future. AFUL also warns against using proprietary software on Linux, and singles out StarOffice explicitly as being possibly vulnerable. English text is available via babelfish.
Indrema Announces OpenStream Collaboration for Linux Video Project. Indrema Corporation announced the Open Source OpenStream project, a collaboration of several development groups working to create a new "royalty-free gold standard for professional video on Linux".
FreeDesk licenses VistaSource Anyware Office. VistaSource (Applix's Linux-based spinoff) has announced that FreeDesk has licensed its "Anyware Office" product. This product is essentially a version of ApplixWare which can be served over the web.
LinuxBazaar.com launches. The Linux Journal has announced the launch of the LinuxBazaar.com site. It is, of course, a place to buy Linux-related hardware and software, and thus looks like a competitor to Red Hat's Marketplace. Press Releases:
Section Editor: Rebecca Sobol.
Linux in the news

Recommended Reading

Upside looks at the Digital Millennium Copyright Act from a critical point of view. "So, for example, while the 'anti-device' provision makes the distribution of the DeCSS utility illegal, the 'anti-circumvention' provision would make the very act of cracking the DVD encryption illegal. Of course, that's assuming you agree with the MPAA when it claims that the CSS encryption is an 'effective' technological copyright protection."

Bill Joy, Bob Fabry, Ken Thompson, Eric Allman, Kirk McKusick, John Gage and others involved in and responsible for Berkeley Unix, the legacy that has become FreeBSD, OpenBSD and more, are the topic of this Salon article, which is the next installment in Andrew Leonard's "Free Software Project" book. It is long, but full of fun historical facts. "Unfortunately for AT&T, the version of Unix that the company was then pushing, System 5, turned out to incorporate large chunks of code originally written by BSD hackers -- including the TCP/IP stack. Berkeley released all its code under an extraordinarily liberal license -- basically, users could do anything they wanted with BSD code as long as they retained the University of California copyright. But AT&T had stripped the UC copyrights and begun marketing the software as its own. Hackers like McKusick were peeved."

O'Reilly editor Andy Oram has written a pair of articles on Gnutella and Freenet. This one on the O'Reilly Network concentrates on the technology behind the two systems. "Freenet seems more scalable than Gnutella. One would imagine that it could be impaired by flooding with irrelevant material (writing a script that dumped the contents of your 8-gig disk into it once every hour, for instance) but that kind of attack actually has little impact. So long as nobody asks for material, it doesn't go anywhere." A companion article on Web Review, instead, looks at the social and policy issues. "If you check my biography, you will see that I make my living selling content. I do not extend knee-jerk sympathy to systems publicized as ways to circumvent copyright enforcement. But investigating Gnutella, Freenet, and Napster, I have been pleasantly surprised to find that they're intriguing innovations in the best tradition of the Internet heroes."

Salon's Andrew Leonard reports on the Microsoft/Slashdot confrontation. "In contrast to other disputes involving copyrighted information -- such as the Napster controversy -- this particular tangle cannot easily be painted as one in which hackers are ripping off corporations or depriving artists of revenue. Instead, Microsoft is attempting to co-opt a popular public technology and, after having been confronted about that, is attempting to control the transmission of information revealing its actions."

Corel

CBC considers Corel's future after the failure of its merger with Inprise. "During and after a morning conference call with Corel officials, rumours swirled about the company's possible financing schemes and whether they would send Corel into a 'death spiral.'"

Upside looks at the demise of the Corel/Inprise merger. "To make matters worse, said Tera Capital's Stewart, Corel's options for raising short-term cash have grown exceedingly slim. Although the company has made an aggressive push into the Linux distribution business, Linux sales have actually fallen for the last two quarters as the company faces competitive pressure from established players such as Red Hat (RHAT) and Caldera (CALD)."

LinuxStockNews has a Rant and Rave column about Corel, followed by an interview with Dr. Cowpland. Dr. Cowpland was interviewed before the Corel/Inprise deal was cancelled. "Dr. MC - We are continuing to port our flagship products to Linux - including CorelDRAW and PHOTO-PAINT. The CorelDRAW Graphics Suite will be ready to ship in July ..."

*BSD

Here's an article in Upside about OpenBSD and its mission to produce the most secure system possible. "Like craft brewers, [OpenBSD leader Theo] de Raadt and the OpenBSD development team prefer to let the software age a little, offering only two updates per year. As for graphic user interfaces and other user-friendly bells and whistles, de Raadt sees such decorative trimming as the cracker's best friend."

From Salon comes this history of 386BSD, the earliest of the Intel-based BSD systems. "The Jolitzes had a very different style. Like Torvalds, they placed a premium on quality control, but unlike him, they seem to have tried to control quality by doing most of the work themselves. This inevitably made their release cycle slow, but it was also an implied snub to would-be collaborators -- who took their contributions elsewhere."

/.

Here's an article in Upside about Slashdot's recent difficulties. "Nevertheless, the content deemed objectionable by Microsoft does walk the fine line between free speech and copyright violation, say some legal observers."

Wired News covers recent events at Slashdot. "The response from Slashdot regulars was fast and furious. In the first hour, hundreds of readers weighed in, many condemning Microsoft's action as another example of the company's desire to crush free-wheeling discussion in general, and the Linux community in particular."

Here's News.com's take on Microsoft and Slashdot. "Regardless of whether Microsoft is successful in getting the information removed from Slashdot, legal analysts say material that found its way on to the Internet may no longer be entitled to trade secret protections."

The Los Angeles Times talks about Slashdot. "The boys mix up an addictive blend of high tech and low culture. They might print a riff on robots you can build with Legos, or mourn the passing of Shel Silverstein, the grade-schoolers' poet laureate. But they devote their most obsessive attention to Linux, the computer operating system that was first written by Finnish programmer Linus Torvalds and continually improved by armies of volunteers around the globe."

Business

AsiaBizTech has run this interview with TurboLinux CEO Cliff Miller. "As far as I can see, Japan has a 'boom culture' in which as soon as something becomes popular, it spreads very rapidly. That observation can be applied not only to Windows NT, but also to Macintosh products. At one time, Mac grew to command a whopping 15 percent to 20 percent share of the market here. I think there's a possibility that Linux will suddenly take off in a similar way. We can probably look forward to faster growth here than in the United States."

EE Times reports on the new SGI systems. "The SGI workstations will support Red Hat Linux 6.1, and SGI plans to also announce support for versions of Linux from SuSE GmbH and TurboLinux Inc."

The Ottawa Citizen follows up on the Puffin Group, which was acquired by Linuxcare late last year. "Sixty employees lost jobs, the chief executive was fired and a stock offering that would have made him a millionaire has been yanked. But Linux developer Christopher Beard says he and partner Alex deVries are not discouraged at the rapid fall from grace of Linuxcare Inc., a San Francisco-based company."

LinuxNews looks at Rackspace.com and its new office in Hong Kong. "The Asian office is a natural step in Rackspace.com's expansion outside the U.S. and London, where it established an office in January of this year."

EE Times talks with Michael Tiemann, Red Hat's CTO and founder of Cygnus. "'We're the largest company in Linux, but by no means do we have a majority of the market,' Tiemann said. 'The development of Linux is a little like a coalition government: You need 50 groups to cooperate, or the coalition collapses.'"

Here's an Upside article about Intel's interest in Linux. "Given Linux's enormous momentum in the server marketplace, however, Intel has taken steps to shake off its image as Microsoft's perpetual hardware sidekick. In addition to being one of the first companies to invest in Red Hat (RHAT) back in 1998, Intel has also forged partnerships with VA Linux (LNUX), TurboLinux and SuSE to give Linux engineers a sneak preview at the IA-64 architecture."

There is also a piece about MontaVista's new office in Paris.

Tim O'Reilly has posted a followup to his article about Linuxcare after a conversation with Linuxcare CTO Dave Sifry. "Just as a man who wandered in a desert immediately sates his thirst upon finding an oasis, it is only after he has drank his fill that he realizes he is hungry. Our customers have begun to sate their thirst and are recognizing that open source software and the open source process can do a lot more for them than just email, file, print, web, and DNS! They are deploying open source solutions in datacenters, in telco closets, in ERP systems, and in embedded systems, to name just a few."

This IT Week column looks at Linuxcare and the changing face of Linux support. "One reason for Linux's popularity is that it can be much cheaper than alternatives. Linux is estimated to be up to 15 times cheaper than NetWare or Windows NT solutions in applications such as departmental file and printer serving. But lack of support can be a drawback."
CNet's article on Dell's recent higher-than-expected reported earnings per share has a couple of interesting points ... particularly if you tie them together. First, in explaining the higher earnings: "Dell attributed the strong quarter to sales of servers, storage and PCs associated with use and construction of the Internet."

The New Zealand Herald looks at a Linux deployment by the New Zealand government. "The Government's rental housing agency, Housing New Zealand, is about to shift one of its core financial applications to run on the open source Linux operating system. The change will bring possible savings of hundreds of thousands of dollars." (Thanks to Ian McDonald).

Information Week looks at Linux on the desktop and concludes that it's not quite there yet. "There are some incentives for moving Linux to the desktop. First, the price is attractive. IT managers can acquire the open-source operating system for little or no cost. Also, IT departments can modify or customize the open-source code of Linux to meet their users' needs. Perhaps most significantly, IT managers are seeing clear value in Linux's performance and stability."

ZDNet's John Taschek has returned with another inflammatory article. "Bob Young, chairman and founder of Red Hat, launched a personal attack that could only come from a person who has seen nearly $1 billion of paper wealth disappear in a matter of weeks. Perhaps I was wrong, and this industry is being beaten into a defensive trench by monopolies that push their agendas down everyone's throat, stifling nascent, struggling startups. No. What we have here is enormous hypocrisy."

Resources

Internet.com's ISP Planet offers this introduction to SSH. "If you're still administering *NIX servers over the Internet using rsh or telnet, stop. OpenSSH is an inexpensive improvement well worth the minimal effort required to install and configure it." (Thanks to R. McGuinness).

The latest in the series of tutorial articles on LinuxPapers is this one on dealing with syslog. "Even if you are only running your own Linux box at home, sooner or later you will face the task of having to solve some strange problems (PPP has stopped working, X is not starting anymore, and so on), where the only hint is some messages left in a log file. To prepare yourself for this, you should start peeking into log files right now, even if everything is working correctly (or, at least, that's what you think...)."

Here's an article in Test & Measurement World on writing data acquisition device drivers for Linux. "Linux gives you access to device drivers as if they were files. Linux users are accustomed to controlling a driver through shell commands and scripts. Therefore, your driver should include a minimal set of functions accessible using read() and write() operations at the Linux shell command." (Thanks to Jay R. Ashworth).
Brian Despain explains the importance of open standards and open source for anyone building an e-commerce system. "Not having the source code to your company's internal e-mail client isn't that important. Not having the source code to your e-commerce solution can prove devastating. For example, in June 1999, ICat, a division of Intel and at that time a leading e-commerce solution, informed its entire customer base that ICat would no longer be supported. ICat also informed these customers that they would be bound by the terms of their license and no source code would be forthcoming. For the IT managers and CEOs who bet the safe on closed source, lost. For this reason, access not only to source code, but the ability to change source code is paramount."

Finally

Here's an article on LinuxNews on the Linux Internationalization Initiative's (Li18nux) Globalization specification, and its recent merger with the Linux Standard Base (LSB). "The group's efforts are designed to be open to everyone, and serve as formal proposals to the Free Standards Group (FSG), which announced its incorporation earlier this week. The FSG is a mind meld of sorts between LI18NUX and the Linux Standard Base (LSB), which are combining efforts toward creating a unified Linux specification."

The Wireless Developer Network interviews Eric Raymond. "Linux will be everywhere, in thicker or thinner disguises. Turnkey versions will run the appliances (and your cellphone and the web browser on your refrigerator door). Your 64-bit-monster PC will boot with a penguin logo into a desktop you won't easily be able to tell from Microsoft Office (except that it doesn't crash). You probably won't know how to get to the Linux underlayer on the PlayStation VI in your TV room -- but your kids will."

Monty Manley talks about why he's made the choice to spend his personal time actively developing on Linux, even though his day job is spent in the Corporate IT world, developing on NT. "As a programmer, I enjoy myself much more when I'm programming in Linux. There is no helpless sense of fatality as there is in Windows; in Linux, when a library or component breaks or does not work as expected, I can simply go in there and fix it. In Windows-land, I must live by the Band-Aid and the workaround. In Linux I can be assured that my software sits on a robust and well-tested base; in Windows, I can only pray that the system will stay stable for more than a week at a time."

John Perry Barlow, co-founder of the Electronic Frontier Foundation and Grateful Dead lyricist, writes about Napster.com. "There's plenty of action in this zone, and since one of my current missions in life is to kill the music business and midwife the birth of the musician business and audience business, I'm keeping plenty busy."

The New York Times has run this John Markoff column on distributed network file distribution programs and the threats they pose to copyright protections. "Many computer industry executives contend that if the recording industry's suit against Napster succeeds, it will simply lead digital-music enthusiasts to use alternatives, like Gnutella and Freenet, which are even less open to copyright enforcement." The New York Times is a registration-required site. (Thanks to Paul R Hewitt).

This osOpinion columnist tells us what remains to be done for Linux to take over. "Please don't open the World Domination champagne before I can explain to my boss how to get things working himself."

Jerry Pournelle describes his experiences setting up a Linux server in this TechWeb article. "Outfits like Red Hat and Corel do try to develop documentation and user manuals, but they're always a few steps behind. It's hard to get bright people to work on things that don't interest them much. This problem is built into the open software movement and little can be done about it. Linux will always have more people working on code than documenting it."

From Terra in Brazil comes this anti-Linux column (in Portuguese). It brings out a lot of the old "no support" issues and such that were mostly dealt with years ago. Oh, by the way, it's written by Hélio Azevedo, the Windows 2000 marketing manager in Brazil. English text is available via Babelfish. (Thanks to César A. K. Grossmann).

Section Editor: Rebecca Sobol
Announcements

Resources

Dr. Bob's Kylix Kicks. Dr. Bob's Kylix Kicks is a news site dedicated to Inprise's "Kylix" product, which is Delphi and C++Builder for Linux.

TUCOWS.com Unix Themes site launches. TUCOWS.com (LWN's parent company) has announced the launch of its new Unix Themes site. It contains a large collection of themes ready for download, along with tools and components which may be used in the creation of new themes. Time to go dress up that desktop.

Events

Germany addresses software patents and free software. Atul Chitnis, a frequent LWN contributor from India, is vacationing in Germany right now. He sent us a note about this conference (Babelfish translation) on May 18th, in Berlin, by the German government "on the political and economical aspects of software patents, during which they are also addressing the meaning and effects of free software, as well as its relevance to security in the IT environment." Here is a followup in German (or in English) with information on planned participation by members of the Linux community. Best of luck to them.

Free Training and Testing for Linux at LinuxWorld. IDG World Expo announced that free "Boot Camps" and testing for Sair Linux and GNU Certified Administrator (LCA) Level will be offered for the first time at LinuxWorld Conference & Expo, August 14-17, 2000 in San Jose, CA.

Report from Windows World (Dublin). Donncha O Caoimh has posted a report (with pictures) about the experience of running a Linux booth at the Windows World expo in Dublin. It sounds like they had a good time.

Web sites

GeekTek, Inc. launches YourOfficeGeek.com. GeekTek, Inc. announced the new website of its IT consulting division YourOfficeGeek. This is a 'connect jobs with workers' sort of site.

User Group News

LUG meeting in Assen, the Netherlands. The HCC department of Groningen will meet on May 24 in Assen, the Netherlands. The local Linux Users Group will meet then too.

Midland Bay City Saginaw Linux Users Group (MBSLUG). MBSLUG will be holding a night of public demonstrations of the Linux Operating System on Friday June 23, 2000 starting at 6:00pm at the Barnes & Noble bookstore on Tittabawassee in Saginaw.
Software Announcements

Our software announcements are provided courtesy of FreshMeat.
Back page
Linux links of the week

Are you curious about the occasional references to the "Wiki Wiki Web" or just "Wiki"? Wiki sites take a new approach to web pages by allowing anybody to make changes to any page on the site. Wiki sites are thus truly cooperative developments. It sounds like a recipe for chaos, but, thus far, it seems to work fairly well. See the original Wiki Wiki Web site at the Portland Pattern Repository for a starting point. Have some patience at the beginning; getting started with Wiki takes a bit of effort. See also the ZWiki site for a Zope-based implementation. For a distinctively read-only experience, instead, William Gibson's classic novel Neuromancer is online.

Section Editor: Jon Corbet
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 11 May 2000 10:49:17 +0100
From: kevin lyda <kevin@suberic.net>
To: Nathan Myers <ncm@cantrip.org>, letters@lwn.net
Subject: proprietary distros?

Nathan Myers wrote:
> Perhaps once Potato is out, Debian will just take over the world;
> then all those people working on proprietary distros can go home and
> do something productive instead. :-)

huh? one of the most proprietary distros i know is corel - based on debian. mandrake is based on redhat, and seems quite open. redhat's distro is gpl'ed so people are free to copy it (like mandrake and a number of other distros outside the states). redhat for one has done a great deal to increase the amount of gpl'd code available, including but not limited to their own distribution. to call mandrake and redhat [proprietary] is a disservice to the entire free software community by watering down the true meaning of proprietary.

kevin

--
kevin@suberic.net
we fork()'ed on 37058400
meatspace place: home
"we were goin' for breakfast. in canada. made a deal: if she'd stop hookin', i'd stop shootin' people. maybe we were aiming high." --porter, "payback"
Date: Thu, 11 May 2000 13:29:03 -0700
To: letters@lwn.net
From: Peter Lawson <peter.lawson@noaa.gov>
Subject: LoveBug "virus"

As a biologist, I see an obvious analog to the epidemic of LoveBug infections. In agriculture, large fields of genetically identical plants are vulnerable to novel diseases precisely because there is no variability among the plants. Each is equally vulnerable and each spreads the disease in the same way.

The large population of Windows computers running Outlook is a monoculture, just as large fields of corn or soybeans may be. A virulent virus spreads rapidly through the fields of Outlook just as it would spread through a field of corn. Nicholas Petreley comes closest to suggesting this analogy in his LinuxWorld article when he pointed out that Linux users are less vulnerable to this kind of attack because there is so much variety in the mail programs we use.

The problem is clear -- Microsoft has suppressed variability in the software world with its monopolistic practices, rendering the largest segment of the community vulnerable to relatively simple attacks. The solution is also clear -- do whatever it takes to allow variability in software to flourish, as it would in a fair, competitive environment. This is the best evidence I have seen of the harm that the Microsoft hegemony is causing in the computer world.

Cheers,
Peter Lawson
pnjreid@newportnet.com
Date: Thu, 11 May 2000 13:05:58 -0700 (PDT)
From: Colin Kuskie <ckuskie@cadence.com>
To: lwn@lwn.net
Subject: Programs that run random code

    It is fair to say that no self-respecting open source project
    would intentionally put out software which would run code from
    random users on the net.

This quote, from the main page of the May 11, 2000 Linux Weekly News is a little inaccurate. Perhaps it's picking nits, but I'll give a couple of examples:

- I'm pretty sure that Mozilla runs Javascript, which is code from random users on the net. Likewise with Java. And I don't think that anyone really believes that either is as secure as they claim.
- Macro capabilities inside the open-source spreadsheets and word processors are just as dangerous. Imagine if you could get root to run a Gnumeric spreadsheet with Scheme/Python/Perl bindings.
- Script-Fu for Gimp.
- The TCL browser plug-in.

Now, arguably later on you do say:

    It is true that Linux is highly unlikely to be caught by such a
    simple, email-borne bit of nastiness. But nobody would claim that
    Linux systems are 100% free of vulnerabilities. A suitably
    talented malware author who wanted to shoot down some of those
    smug Linux people would not have that hard of a time creating an
    embarrassing incident

I would say that the immunity of Linux users comes from another source. We have an innate distrust for closed source. It's my opinion that most Linux users would actually read the source to executable code before executing it, especially if it's a small attachment to an email.

As our user base expands, that will no longer be true. It will be up to us to educate and to guarantee that the applications that they use will by default protect the user, at the cost of not having embedded spreadsheets and HTML in our email. Aside from the fact that embedding those things in email is stupid, it's a small cost compared to the estimated six billion dollars in damage from ILOVEYOU.

Colin Kuskie
Date: Fri, 12 May 2000 11:40:26 +0100
From: Edmund GRIMLEY EVANS <edmundo@rano.org>
To: letters@lwn.net
Subject: Linux viruses

There was an entertaining discussion in the mutt-dev mailing list about how Linux can be made to support viruses just as well as Microsoft. Thomas Roessler suggested one recipe, which can probably be adapted to work with mail clients other than Mutt (www.mutt.org):

.mailcap:
    application/x-sh; sh %s; copiousoutput

.muttrc:
    auto_view application/x-sh

I hope I am right in assuming that no reader of LWN is sufficiently stupid to actually use this recipe ...

Edmund
Date: Thu, 11 May 2000 13:29:11 -0400
From: Pierre Baillargeon <pb@artquest.net>
Subject: Re: The trouble with redirects
To: letters@lwn.net

At the end of the article you mention that fixing the problem would "not be an easy problem to fix; it's buried pretty deeply in the structure of the web."

Well, the fix may be better applied on the other side of the web: the browser. Wouldn't it be trivial just to ask the user for approval for redirection, just like it is currently possible with cookies? Browsers could even detect that the URL contains a submission and only request the approval for such requests.

By putting the fix in the hands of the users, security conscious people can actively defend themselves against sites which refuse to implement the proposed fixes. A knowledgeable coder could put this idea in practice in Mozilla now, providing yet another example of the benefits of free software: the possible quick response-time to a security problem.
From: "Chris Adams" <chris@improbable.org>
To: "letters@lwn.net" <letters@lwn.net>
Date: Thu, 11 May 2000 18:13:56 -0700
Subject: Re: The trouble with redirects

http://www.lwn.net/2000/features/Redirect.phtml

    "The folks at Digital Creations have, in the process of tracking
    down a security problem with the Zope application server, turned
    up a security difficulty with the web as a whole. Given the way
    the web and authentication-based sites work, a suitably unpleasant
    attacker could, through the use of HTTP redirects and (perhaps)
    malevolent Javascript code, cause actions to be taken on your
    behalf simply by getting you to look at the wrong web page. The
    implications of this problem are stunning. Expect to hear more
    about it in the near future."

It's probably easier than we'd like to exploit. If the attacker can figure out the URL to use (which is easy if you don't have a home-grown system) they just need to get you to look at something while logged in; this is particularly easy if we're talking about sites like Slashdot.org or kuro5hin where they receive hundreds of unknown URLs every day.

Fortunately, the fix is extremely simple - probably a single line of code. Basically what needs to be changed is the use of predictable form parameters. The easiest solution is to require the use of a session variable in the form data (e.g. "Confirm=$RANDOM_SESSION_VARIABLE" instead of "Confirm=Yes"); I added this to some PHP scripts in a single line of code. If this is done, there's no way to construct the redirect in such a fashion that an action will be made automatically since the browser never sends the attacker's server the cookies stored by the trusted server. Using the session identifier cookie's value is the easiest way as it requires no changes other than the check and the value must be unguessable in any case (or an attacker could directly hijack the session); more paranoid folks would use a random session variable.
Regards,
Chris Adams
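Added example, not code from the letter, from LWN or from any project: the server side of the pattern Chris describes, modelled in Python with hypothetical handler names. It uses the "more paranoid" variant, a random per-session token rather than the session id itself, so the secret never has to appear in a URL; the session store, cookie and form values are constructed.

```python
import secrets

# Constructed session store: session id -> account plus a per-session
# secret that only pages served by the trusted site ever embed.
SESSIONS = {
    "s3ss10n-abc": {"user": "alice", "token": secrets.token_urlsafe(16)},
}
AUDIT = []  # actions actually carried out, for inspection

def vulnerable_handler(cookies, form):
    """Original pattern: a valid cookie plus Confirm=Yes is enough."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401  # not logged in, nothing to forge
    if form.get("Confirm") == "Yes":
        AUDIT.append(("vulnerable", session["user"], "deleted"))
        return 200
    return 400

def hardened_handler(cookies, form):
    """Fix from the letter: Confirm must carry the session's own secret."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    supplied = form.get("Confirm", "")
    # The token is a secret, so compare it in constant time.
    if secrets.compare_digest(supplied, session["token"]):
        AUDIT.append(("hardened", session["user"], "deleted"))
        return 200
    return 403  # cookie present but token missing or wrong: forged

def forged_request(handler):
    """An attacker's redirect target: the victim's browser attaches the
    cookie, but the query string is only the attacker's guess."""
    return handler({"session": "s3ss10n-abc"}, {"Confirm": "Yes"})

def legitimate_request(handler):
    """The confirm form as the trusted site itself rendered it."""
    token = SESSIONS["s3ss10n-abc"]["token"]
    return handler({"session": "s3ss10n-abc"}, {"Confirm": token})

if __name__ == "__main__":
    print("forged vs vulnerable:", forged_request(vulnerable_handler))
    print("forged vs hardened:  ", forged_request(hardened_handler))
    print("legit  vs hardened:  ", legitimate_request(hardened_handler))
    print(AUDIT)
```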
Date: Fri, 12 May 2000 20:28:46 -0700
From: Carl Thompson <cet@carlthompson.net>
To: lwn@lwn.net
Subject: Re: The trouble with redirects

Linux Weekly News wrote about the browser redirect security problem:

> ...
> This will not be an easy problem to fix; it's buried pretty deeply in
> the structure of the web. Short-term fixes can include user training
> (always log out immediately), defensive server measures (look at the
> referrer header, time out logins aggressively), or HTTP fixes
> (specially mark redirects or Javascript-submitted requests). None are
> perfect, and none can be implemented immediately.

This is not accurate. HTTP redirects are handled by the client software (browser). When the client requests a web page from a server, the server can return a web page that has a "302 redirect" message in its headers. (The body of the returned page would typically say that the requested page has moved elsewhere. However, the body is usually not seen because the client sees the redirect and automatically loads the page specified by the redirect instead.)

What this means is that this problem can be very easily fixed by fixing clients (browsers) to do any of the following:

* Ignore redirect messages
* Don't send authentication or cookies to pages to which the client was redirected
* Pop up a warning box for all pages that are redirected
* Pop up a warning box only for pages that are redirected to pages that require authentication or cookies

All of these are relatively trivial modifications to the client software only that can be implemented immediately. No HTTP protocol or server fixes are necessary. The problem is definitely not "buried pretty deeply in the structure of the web."

Having read the article at http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan it's clear that the true problem is the author's insistence on attempting to find a server side solution to a client side issue.

> ...

Carl Thompson
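Added example, not from the letters or from LWN: a toy redirect-following client in Python that models the chain the letters discuss (attacker page, 302, trusted site acting on a cookie) together with the two client-side policies proposed above, Pierre's approval prompt and Carl's "don't send cookies to pages the client was redirected to". URLs, cookie values and function names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    location: str = ""
    body: str = ""

ATTACKER_URL = "https://attacker.example/"
CONFIRM_URL = "https://trusted.example/confirm?Confirm=Yes"

def attacker_page(_cookie):
    """The attacker's page only bounces the visitor into the trusted site."""
    return Response(302, location=CONFIRM_URL)

def trusted_confirm(cookie):
    """Trusted site with predictable form parameters: it acts whenever
    Confirm=Yes arrives together with a valid session cookie."""
    if cookie != "session=s3ss10n-abc":
        return Response(401, body="login required")
    return Response(200, body="account deleted")

SITES = {ATTACKER_URL: attacker_page, CONFIRM_URL: trusted_confirm}
JAR = {"trusted.example": "session=s3ss10n-abc"}  # victim is logged in

def fetch(url, jar, allow_cookies_after_redirect, max_hops=5):
    """Follow 302s like a browser. The policy callback decides whether a
    request reached through a redirect gets the stored cookie for its host."""
    redirected = False
    for _ in range(max_hops):
        host = url.split("/")[2]
        cookie = jar.get(host, "")
        if redirected and not allow_cookies_after_redirect(url):
            cookie = ""  # Carl's second option, or a declined prompt
        resp = SITES[url](cookie)
        if resp.status != 302:
            return resp
        url, redirected = resp.location, True
    raise RuntimeError("too many redirects")

def browser_default(url):
    return True  # today's behaviour: cookies always go along

def never_after_redirect(url):
    return False  # withhold cookies from any redirected request

def prompt_policy(decide):
    """Pierre's option: ask before sending cookies to a redirect target;
    `decide` stands in for the user's answer to the prompt."""
    return lambda url: decide(f"Send cookies to {url} after a redirect?")
```

Withholding cookies after a redirect also breaks the common log-in-then-redirect flow, and it does nothing for the Javascript-submitted requests LWN's text mentions, so it complements rather than replaces a server-side unpredictable form token.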
Date: Thu, 11 May 2000 21:28:18 -0500 (CDT)
From: Dave Finton <surazal@nerp.net>
To: letters@lwn.net
Subject: Where mp3 users and businesses have it wrong

MP3 and/or similar formats have the potential to flip the entire media industry on its head. It's no wonder the lawyers have come out a'marching. Scarcely a day or week goes by without some major new development about such-and-such a band suing so-and-so mp3 company. How can we fight this, when the current state of laws leans heavily towards the copyright holders?

The problem is our insistence on taking old media and converting it over to the new. The old media doesn't want to give up their current position. So why force them? What we should be doing is creating original content (lots of it) and distributing that through these brave new formats. It would be the best strategy to follow because 1) the media companies can't sue when they don't own the copyright of the distributed content in the first place and 2) the DMCA would protect the new media just as effectively as the old.

If this strategy were followed to the point of critical mass (much like the internet did) the new media would simply supplant the old in a manner similar to how the internet is slowly supplanting newspapers and TV today. One way to do this would be to encourage independent labels to jump on board. MP3.com and napster both have been moderately successful in signing up some bands; let's continue the trend.

At any rate, it sure beats a no-holds-barred lawsuit.

- Dave Finton

P.S. I know this isn't directly related to Linux but the open nature of mp3's lends itself to being the favorite format of open source enthusiasts (as well as many other people as I've seen in my experience)... and it's definitely an important matter when the DMCA is involved no matter what. So I apologize for being somewhat off-topic. :^)

---------------------------------------------------------
| If an infinite number of monkeys typed randomly at    |
| an infinite number of typewriters for an infinite     |
| amount of time, they would eventually type out        |
| this sentencdfjg sd84wUUlksaWQE~kd ::.                |
| ----------------------------------------------------- |
| Name: Dave Finton                                     |
| E-mail: surazal@nerp.net                              |
| Web Page: http://surazal.nerp.net/                    |
---------------------------------------------------------