LWN.net

Linux Links of the Week


As you may have noticed, trying to download a distribution right now is a difficult undertaking, even if you are not after that new release that's in the news. One place to look is LinuxISO.org, which has CD images of a number of distributions. Most of LinuxISO's servers seem to be in Europe. There is also the SourceForge mirror server, though even its heavily hyped massive bandwidth appears to be a bit stressed at the moment.

And don't forget, of course, the Tucows Linux library. It has mirrors worldwide, and is especially good if you're looking for something a little older.

Section Editor: Jon Corbet


September 28, 2000

This week in history


Two years ago (October 1, 1998 LWN). This was the week when Intel and Netscape announced investments in an obscure company called Red Hat. If you were not paying attention at the time, you will likely have a hard time understanding the impact that those investments had. Money from Intel now shows up on Linux business plans sometime shortly after getting the incorporation papers signed.

At the time, however, it was the first direct statement from an established technology company that Linux was going to go somewhere. It brought a new legitimacy to the Linux business arena. To a great extent, this investment changed the situation overnight.

In a way, the investments could be looked at as the day Linux bought a suit and shaved. Linux, a Unix-like operating system, so far has mostly been an underground computing phenomenon.
- News.com, Sep. 29, 1998

LWN reviewed GNOME 0.30. Things have come along since then.

Cygnus released the first version of its eCos embedded operating system.

Red Hat, which had a proprietary CDE offering back then, discovered that it was full of bugs. Not only that, but Red Hat couldn't fix them. So they dropped the product, and pretty much got out of the proprietary software business altogether.

The development kernel was 2.1.123. This kernel came out with a bunch of compilation errors due to a messed up patch application. After the screaming reached too high a point, Linus threw up his hands and left to take a vacation. This was one of the famous "Linus does not scale" events of the 2.1 development series, and served notice that something had to change.

Two years later, the 2.3 development series has been free of such episodes. Some of the changes made since then, wherein more patches pass through various "lieutenants" before reaching Linus, appear to have helped.

Caldera officially launched its 1.3 distribution. SuSE announced its "Office Suite 99" -- essentially a package built around its distribution and the ApplixWare office suite.

One year ago (September 30, 1999 LWN): Then, as now, the Embedded Systems Conference was in progress. The big players were Cygnus, with its new EL/IX platform, and Lineo, which had a thing called "Embedix" in the works.

PC Week put up a "Hack PC Week" challenge; its Linux server was promptly hacked. The problem, as it turned out, was a third-party ad-serving script they had installed on the system, combined with a distinct lack of attention to applying security updates: the distribution's own packages were not the weak point, the unpatched add-on was.

Then, as now, somebody was trying to get a project management system for the Linux kernel adopted.

The first release of GNOME's Bonobo component system happened.

[The penguins] are, in fact, trained actors used to appearing before hot lights and cameras. Some of their commercial credits include Batman (the movie), as well as several frozen food ads. However, it would now appear that their career as the Magic penguin (nicknamed 'MeL' by the Company) is at an end.
-- The animal rights activists win, and the Magic Software penguins get pink slips

Linus Torvalds was awarded an honorary doctorate at the University of Stockholm.

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
 
   
Date: Thu, 21 Sep 2000 12:37:08 -0400
From: "Bill Rugolsky Jr." <rugolsky@ead.dsa.com>
To: letters@lwn.net
Subject: NFS in 2.2.18pre9

Hi,

Just a quick note: Alan has only merged Trond Myklebust's
NFS client patch (SunRPC/NFSv2 fixes, TCP, NFSv3 added).

Dave Higgen's knfsd patch, which applies over Trond's patch,
has not been merged.  Alan may still have concerns about
compatibility or particular implementation details; he hasn't elaborated
publicly.

On the positive side, even if the knfsd patch doesn't go in, it
is relatively localized to lockd and nfsd, and so should apply fairly
cleanly going forward.  

Still, it would be nice to have the Linux NFS client/server work
out of the box; this is a principal requirement in NFS-heavy
environments such as our workgroup.  Once 2.4 is stable, it will be a
non-issue, but that is several months away, at minimum.

Regards,

   Bill Rugolsky
   rugolsky@ead.dsa.com
   
Date: 24 Sep 2000 00:43:02 -0000
From: Eric Smith <eric@brouhaha.com>
To: letters@lwn.net
Subject: Eric Raymond on closed-source security

Gentlemen,

On September 22, you quoted a Government Technology interview with
Eric Raymond:  "it's folly, absolute, utter folly, to make the security
of the system depend on the security of the algorithms."

I did a double-take when I read this.  Then I followed the link and was
astonished to see that you had in fact accurately quoted the GT article.
Of course, I don't know whether GT accurately quoted ESR.

What ESR should have said is that it is folly to make the security of
the system depend on the *secrecy* of the algorithm.

I imagine that secrecy is what he meant when he said security, and
perhaps secrecy is a form of security, but it's only one aspect.  In
general it is not even possible to have a secure system without a secure
(but not necessarily secret) algorithm.

If your algorithms aren't secure, it matters little whether they are
secret or not.  Part of this is to use crypto algorithms that are
secure, i.e., to use triple-DES rather than XOR with a small constant.

However, many people think that just because they use a good crypto
algorithm, their program is secure.  Unfortunately, while the use of a
good crypto algorithm is necessary for a program to be secure, it is not
sufficient.  Read any issue of Bruce Schneier's Crypto-gram newsletter,
and you'll find listings of cases where people have built insecure
programs by improperly using a good crypto algorithm:

	http://www.counterpane.com/crypto-gram.html

If you wonder how a program that uses a very secure algorithm can still
be insecure, read Bruce's essays "Why Cryptography is Harder than it Looks"
and "Security Pitfalls in Cryptography":

	http://www.counterpane.com/publish.html

Eric Smith
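The distinction the letter draws, between an algorithm that is merely secret and one that is actually sound, and then between a sound algorithm and its correct use, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the letter writer, from LWN, or from Counterpane. It uses only the Python standard library: the "secret but weak" cipher is XOR with a single constant, and the "sound primitive" is a keystream derived with HMAC-SHA256 in counter mode, chosen here as an illustrative stand-in for a real cipher rather than as anyone's production design. Keys, nonces and messages are constructed sample data.

```python
# Added example (not from the LWN page or the letter writer): it contrasts a
# "secret but weak" algorithm with a sound primitive that is misused, which is
# the distinction the letter draws.  Keys, nonces and messages are constructed
# sample data; the keystream construction (HMAC-SHA256 in counter mode) is an
# illustrative stand-in for a real cipher, not any specific product's design.
import hashlib
import hmac


def xor_const_encrypt(data: bytes, key: int) -> bytes:
    """XOR every byte with one constant: a secret, but not a secure, algorithm."""
    return bytes(b ^ key for b in data)


def break_xor_const(ciphertext: bytes, crib: bytes):
    """Recover the key by trying all 256 constants and looking for a known word.

    Secrecy of the key buys nothing here: the key space is tiny, so an attacker
    who knows (or guesses) any fragment of plaintext finds it instantly.
    Returns the key, or None if no candidate yields the crib.
    """
    for candidate in range(256):
        if crib in xor_const_encrypt(ciphertext, candidate):
            return candidate
    return None


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream as HMAC-SHA256(key, nonce || counter), counter-mode style.

    With a fresh nonce per message this is a sound stream-cipher construction;
    its security rests on the key, not on anyone keeping the method secret.
    """
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt (or decrypt, since XOR is its own inverse) under key and nonce."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def recover_with_reused_nonce(ct1: bytes, known_pt1: bytes, ct2: bytes) -> bytes:
    """The classic misuse: two messages under the same key AND the same nonce.

    Both ciphertexts were XORed with the identical keystream, so
    ct1 XOR ct2 == pt1 XOR pt2, and knowing pt1 reveals pt2 over the overlap
    without ever learning the key.  The primitive is fine; the usage is not.
    """
    n = min(len(ct1), len(ct2), len(known_pt1))
    return bytes(ct1[i] ^ ct2[i] ^ known_pt1[i] for i in range(n))


def demo() -> dict:
    """Run both scenarios on constructed sample data and return the findings."""
    # Scenario 1: weak algorithm, secret key.  The key falls to a 256-way search.
    weak_ct = xor_const_encrypt(b"attack at dawn", 0x5A)
    found_key = break_xor_const(weak_ct, b"dawn")

    # Scenario 2: sound keystream, misused by reusing the nonce.
    key = hashlib.sha256(b"constructed sample key").digest()   # 32-byte key
    nonce = b"\x00" * 12                                       # reused (bad)
    pt1 = b"transfer 100 to alice"
    pt2 = b"transfer 999 to mallo"
    ct1 = stream_encrypt(key, nonce, pt1)
    ct2 = stream_encrypt(key, nonce, pt2)
    leaked = recover_with_reused_nonce(ct1, pt1, ct2)

    # The same construction used correctly: a distinct nonce per message.
    ct2_fresh = stream_encrypt(key, b"\x01" * 12, pt2)
    not_leaked = recover_with_reused_nonce(ct1, pt1, ct2_fresh)

    return {
        "weak_key_recovered": found_key == 0x5A,
        "reused_nonce_leaks_pt2": leaked == pt2,
        "fresh_nonce_leaks_pt2": not_leaked == pt2,
        "roundtrip_ok": stream_encrypt(key, nonce, ct1) == pt1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script, the first scenario recovers the XOR key from nothing more than a guessed word, and the second recovers a whole second message from a nonce reuse while the HMAC key stays unknown; only the run with a fresh nonce keeps the second message private. That is the letter's point in miniature: a sound algorithm is necessary, and what you do with it decides whether the system is secure.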
   
Date: Thu, 21 Sep 2000 16:06:26 +0100
From: Dave Peacock <davep@netscape.com>
To: letters@lwn.net
Subject: Outrage at Debian dropping security for 2.1

Who the hell do Debian think they are?!

How dare they make people wait a _ridiculously_ long time
for an official release, and then drop sec support within
a few months? That is completely unacceptable.

Security is a _vital_ aspect of any software, _especially_
an OS.

Debian has been dropping in my opinion for a while now,
for various reasons, but this is really the icing on the cake.

Debian, you have _totally_ lost my support.

_Maybe_ I can understand dropping support for non-sec
bug fixes this early, but security fixes should at _least_
be worked on for a year or two, ideally, indefinitely.

I think I will replace my 2.1 machines with a dist that
has a better release cycle, no bloatware (read - wannabe
crappy packages with no value in a base OS dist), and 
some kind of concept that sec fixes are _critical_.

Debian developers/maintainers/people of power:
Please re-consider and maintain sec stuff for _at least_
a year.

-- 
Dave Peacock                    Technical Support Engineer
davep@netscape.com                     +44 (0)208 564 5121
iPlanet E-Commerce Solutions               www.iplanet.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I/O, I/O, It's off to disk I go, a bit or byte to read or
~~~~~~~~~~~~~~~ write, I/O, I/O, I/O, I/O ~~~~~~~~~~~~~~~~

Copyright © 2000 Eklektix, Inc., all rights reserved. Linux ® is a registered trademark of Linus Torvalds.