Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
Leading items and editorials

Debian slink security updates, one more time.

As LWN has been reporting over the last few weeks, the Debian project has decided to terminate support for its 2.1 ("slink") release. Regular updates are already a thing of the past, while security-related updates will go away as of the end of October. Given that 2.2 has been out for less than two months, this termination of support seems rather abrupt to many. Last week's LWN Letters to the Editor Page carried a rather harshly-written note expressing disapproval of this move. We got back a number of responses, some of which can be seen on the back page this week. Based on those, and discussion on the debian-devel mailing list, we conclude that support for 2.1 is being terminated because (1) the Debian developers see no need for it, and (2) nobody is available who is willing and able to do the work.

The first point turns on the fact that Debian systems are especially easy to upgrade. The whole packaging system is built around that idea. Why, ask the developers, should an old system be supported when it is so easy to go to the new one? The problem here, of course, is that a great many people - especially business users - are highly reluctant to upgrade a system which is working. Upgrades - even easy ones - break things. Thus a lot of administrators will never touch a working system unless they really have to. If these sorts of users see Debian as a system that will force them to upgrade on a tight schedule, they will go to a different distribution. Whether this is a problem depends on how the Debian Project sees its user community. If they are making a distribution for themselves, the loss of a large group of potential users may not matter. If, instead, they would like to see their distribution grow into a user community beyond just developers, they should be worried about policies that will scare users away.
The second point - that there is nobody to do the work of maintaining security updates for old releases - is also interesting. It is true that a volunteer project can have a hard time finding people for this sort of work. It is, after all, somewhat tedious and unglamorous. Nonetheless, other projects, such as the kernel, have been able to get this work done. Even so, maintenance work is often the sort of thing that one has to pay people to do. And that raises an interesting question: would it not make sense for the companies that are selling commercial, Debian-based distributions to take on this task? It would be nice if these companies could contribute directly back to Debian. Failing that, one would hope that they would at least keep on top of the updates for their own products. With that idea in mind, LWN took a look at a few commercial Debian distributors. The results were discouraging:
Compare this performance against the aggressive security update policies of distributors like Caldera, Conectiva, MandrakeSoft, Red Hat, SuSE, TurboLinux, and others, and you'll see that the above companies simply are not taking security seriously. This is not the sort of performance that will make nervous corporate IT types sleep well at night. The commercial distributors are not filling in the Debian support gap. It would be nice to see the Debian distribution continue to grow in usage and influence. To gain (and keep) a wider audience, however, it is going to have to address the concerns that audience has. One important component of that is to provide timely updates for current and past releases. Currently, this need is not being met, and that will affect Debian's future growth.

LWN Penguin Gallery updated.

After way too long, we've finally gotten around to updating the LWN Penguin Gallery. We're up to 275 unique penguins at this point, and still counting... For those who would like to point out additional penguins: please drop a note to lwn@lwn.net. Please provide a page where the penguin can be found (so we can link to it); that works far better than sending us the image as an attachment.

Microsoft buys into Corel.

The folks at Corel have gained some substantial relief in their battle to save the company. Here is the announcement that Corel and Microsoft have entered into an alliance to work together on ".NET". This is no ordinary alliance, though, since Microsoft is buying almost 25% of the company in the process. Acting chief executive Derek Burney has been rewarded for bringing this deal to fruition - Corel has announced that he now has the role of President and CEO permanently. The above is about all that is really known about this deal; all the rest is speculation. And there is plenty of material to speculate on.... After all, Microsoft has essentially just bought its way into the Linux business.
The Canadian Information Processing Society has issued a press release expressing concern about the fact that neither company has said anything about how this deal will affect Corel's Linux activities. That is indeed curious. One can only hope that Corel will clarify things in the near future. Also ominous is this pronouncement from the Meta Group which was carried on CNet News.com:

Corel currently plays an important role in Linux. Many other Linux companies look to it for its skills, tool sets and the work it does on key Linux committees. Therefore, Corel can be a valuable ally for Microsoft in Linux, allowing Microsoft to influence key questions, such as how the user interface, setup and deployment will look and function.

The folks at Meta perhaps overstate Corel's role and influence in the Linux world. But if this is what Microsoft has in mind, things could certainly get interesting. Then there are suggestions that Microsoft wants to ensure the success of .NET by making Linux support it; that they want to open up WordPerfect to take the open source pressure off of Office; that they want a path into the Linux distribution business; or that they were simply taking an easy path to settle some outstanding legal fights. All of those ideas are plausible, but there is little evidence for any of them. About all that is clear, perhaps, is that this situation is going to be interesting to watch.

Eric Raymond on the SDMI boycott.

Eric Raymond has sent us a strongly-worded reply to the recent Salon article on the "hack SDMI challenge" boycott. "So sure, we'll crack SDMI. *After* the record companies and any consumer-electronics companies gullible enough to do their bidding have sunk billions of dollars into hardware and business plans based on it. Hasta la vista, idiots!"

Embedded Systems Conference summary.

LWN's Forrest Cook has written a summary report on this fall's Embedded Systems Conference in San Jose, CA. Linux is making many inroads into the embedded systems world.

Open Source as ESS.

Last week's LWN Weekly Edition examined software licenses using a (superficial) understanding of game theory and the prisoner's dilemma. It turns out that David Rysdam has written up a much more detailed analysis of what game theory has to say about different software licenses. The conclusion is that GPL-style licenses will eventually prevail over BSD-style licenses in the market place. The article, necessarily, makes use of a number of simplified assumptions. It's nonetheless worth a read. In contrast to what we wrote, it's nice to see what comes out when game theory is applied by somebody who really understands it... :)

The Atlanta Linux Showcase starts October 10.

Actually, the event is now properly known as the 4th Annual Linux Showcase & Conference; the name will eventually stick because next year's event will be held in Oakland, California instead. For now, however, it can be ALS one more time. Keynote speakers include Larry Wall and Ken Coar, and it looks like the conference will have a strong technical program.

Inside this week's Linux Weekly News:
October 5, 2000
Security

News and Editorials

Security trouble with ssh.

It turns out that there is a security vulnerability in ssh, for all versions derived from ssh-1.2.x (which wraps rcp inside of ssh), which bears watching. If a user employs scp to move files from a server that has been compromised, the operation can be used to replace arbitrary files on the user's system. The problem is made more serious by setuid versions of ssh which allow overwriting any file on the local (user's) system. If the ssh program is not setuid or is setuid to someone other than root, then the intrusion is limited to files with write access granted to the owner of the ssh program. In either case, files can be overwritten with code allowing others access to the system unexpectedly. For example, cron jobs that blindly execute scripts could be duped into opening a hole for an intruder if that script has been overwritten using the scp exploit. Because this type of vulnerability can be used to open holes to root access, the arguments could be made that
Crist J. Clark posted a possible workaround for this problem: wrap the file transfer into a tar command, then check the resulting tar file for suspicious files:

$ ssh remote-host "tar cf -

It is an unpleasant problem and it affects both regular ssh and OpenSSH versions derived from the original ssh-1.2.x (and rcp too, since this version of ssh just wraps around the rcp protocols). Since ssh-2.x uses a different protocol it does not suffer from this problem. Fixes are not yet available, but presumably will be in short order.

Better than SYNcookies?

Steve Gibson's alternative to SYNcookies, known as Genesis (Gibson's ENcryption-Enhanced Spoofing Immunity System), might be a simple solution to DoS attacks. On his web site, Steve writes:

The elimination of Denial of Service (DoS) vulnerability from spoofed IP flooding requires that the Server defers any per-connection resource commitment until the Client's remote IP address has been "authenticated".

Steve's solution takes three parts:
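The core of the scp problem described above is that the client writes to whatever file name the remote side announces. What follows is an added example, not code from this page or from any ssh implementation: a small parser for the rcp-style file record ("C<mode> <length> <name>", the line the sender emits before each file's data) together with the check an scp client needs, namely that the announced name is a plain file name that lands directly inside the destination directory and, when the user asked for particular files, is one of those. The function names, the UnsafeFilename exception and the sample records are the example's own constructions.

```python
import os
import re

# Layout of an rcp-style file record, sent by the remote side before the
# file data: "C<mode> <length> <name>", e.g. "C0644 12 notes.txt".
_FILE_RECORD = re.compile(r"^C([0-7]{4}) (\d+) (.+)$")


class UnsafeFilename(ValueError):
    """The remote side announced a name the client must not write to."""


def parse_file_record(line):
    """Split a file record into (mode, size, name); raise on anything else."""
    m = _FILE_RECORD.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not a file record: %r" % line)
    mode, size, name = m.groups()
    return int(mode, 8), int(size), name


def safe_destination(name, dest_dir, requested=None):
    """Return the local path to write, or raise UnsafeFilename.

    `name` was chosen by the remote host, so it is treated as hostile input:
    it must be a plain file name (no directory parts, no '.' or '..'), and
    when the user asked for specific files it must be one of them.
    """
    if name in ("", ".", "..") or "/" in name or "\x00" in name:
        raise UnsafeFilename("not a plain file name: %r" % name)
    if requested is not None and name not in requested:
        raise UnsafeFilename("name %r was not requested" % name)
    dest = os.path.join(dest_dir, name)
    # Belt and braces: the result must still sit directly inside dest_dir.
    if os.path.dirname(os.path.normpath(dest)) != os.path.normpath(dest_dir):
        raise UnsafeFilename("%r escapes %r" % (dest, dest_dir))
    return dest


def receive(records, dest_dir, requested=None):
    """Process server records; return (accepted_paths, rejected_names)."""
    accepted, rejected = [], []
    for line in records:
        _mode, _size, name = parse_file_record(line)
        try:
            accepted.append(safe_destination(name, dest_dir, requested))
        except UnsafeFilename:
            rejected.append(name)
    return accepted, rejected


# Constructed server output for "scp remote-host:notes.txt ~": only the first
# record is what the user asked for; the other two try to plant files.
SAMPLE_RECORDS = [
    "C0644 12 notes.txt\n",
    "C0644 40 .profile\n",
    "C0755 9 ../other.txt\n",
]

if __name__ == "__main__":
    ok, bad = receive(SAMPLE_RECORDS, "/home/alice", requested={"notes.txt"})
    print("accepted:", ok)
    print("rejected:", bad)
```

Run as a script, the block accepts notes.txt and rejects the two planted names. When the user gives a wildcard the client cannot know which names to expect, so only the plain-file-name rule applies and a dotfile such as .profile is then accepted, since the user may well have asked for it; the remote side still gets no say over the directory.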
In a letter to the Linux-Kernel and Linux-Net mailing lists, Dan Hollis quoted Steve as saying that the main difference between the two is that SYNcookies switches on and off, potentially causing valid packets to be rejected. Steve also says that SYNcookies breaks aspects of the TCP protocol but that Genesis does not. The question was unresolved at the time of this writing, but because of the nature and effects of DoS attacks, we're sure to hear more about this issue in the future.

Slashcode default passwords.

The Web site code provided by Slashdot that implements their system, known as slashcode, has been provided with default user and password entries for the administrative login. The INSTALL document provided with this code reminded administrators to change these prior to going live with their sites. This sound advice was, apparently, not followed by the Slashdot team itself, leaving the Slashdot site (via a test system on their network that they left connected to the internet) open to intrusion by a pair of clever if not overly destructive bandits. Oops.

c|net's News.com covered this story in a more mundane fashion. "The hackers appear not to have done anything beyond posting a story trumpeting their achievement, and the site was never taken down because of the attack..."

Misuse of xhost.

A report to BugTraq stated that Mandrake 7.1 bypasses Xauthority X session security by using the xhost command within the system wide Xsession file. A separate posting stated that a similar problem existed for XFCE 3.5.1. The xhost man page specifically states:

In the case of hosts, [this command] provides a rudimentary form of privacy control and security. It is only sufficient for a workstation (single user) environment, although it does limit the worst abuses. Environments which require more sophisticated measures should implement the user-based mechanism or use the hooks in the protocol for passing other authentication data to the server.
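The Genesis requirement quoted above, that the server commit no per-connection resources until the client's address has been authenticated, is also what SYNcookies achieve: the server folds a keyed hash of the connection into its initial sequence number, keeps nothing, and reconstructs the connection only when the client echoes that number back in its ACK. Below is an added example of that SYN-cookie scheme in Python, written for this page; it is not kernel code and not Steve Gibson's material, and since Genesis's own construction is not described here, nothing about it is assumed. The secret, the 64-second freshness window, the four-entry MSS table and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed server secret for the example; a real server would draw this
# from a random source at boot and rotate it.
SECRET = b"constructed-example-secret"

COOKIE_BITS = 24                 # keyed-hash bits; the top 8 bits carry time
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MASK32 = 0xFFFFFFFF
WINDOW_SECONDS = 64              # a cookie is good for this window and the next
MAX_AGE_WINDOWS = 1
# The one per-connection fact worth preserving is the client's MSS; it is
# encoded as an index into this table so no state has to be stored.
MSS_TABLE = (536, 1300, 1440, 1460)


def _window(now):
    """Coarse time counter, kept to 8 bits so it fits above the cookie bits."""
    return (int(now) // WINDOW_SECONDS) & 0xFF


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """32-bit keyed hash of the connection 4-tuple and a time counter."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Build the server ISN for a SYN-ACK without allocating connection state."""
    mss_index = 0
    for i, candidate in enumerate(MSS_TABLE):
        if candidate <= mss:
            mss_index = i
    counter = _window(now)
    isn = (_mac(src_ip, src_port, dst_ip, dst_port, 0)
           + client_isn
           + (counter << COOKIE_BITS)
           + ((_mac(src_ip, src_port, dst_ip, dst_port, counter) + mss_index) & COOKIE_MASK))
    return isn & MASK32


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, cookie, now):
    """Validate the cookie echoed in the client's ACK.

    Returns the MSS to use if the cookie is genuine and fresh, else None.
    Only at this point does the server commit memory to the connection.
    """
    x = (cookie - _mac(src_ip, src_port, dst_ip, dst_port, 0) - client_isn) & MASK32
    counter = x >> COOKIE_BITS
    age = (_window(now) - counter) & 0xFF
    if age > MAX_AGE_WINDOWS:
        return None
    mss_index = (x - _mac(src_ip, src_port, dst_ip, dst_port, counter)) & COOKIE_MASK
    if mss_index >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_index]


# Constructed endpoints from the RFC 5737 documentation ranges.
CLIENT = (bytes([192, 0, 2, 10]), 40000)
SERVER = (bytes([198, 51, 100, 1]), 80)
SPOOFED = (bytes([203, 0, 113, 7]), 40000)

if __name__ == "__main__":
    t0 = 1_000_000.0
    cookie = make_syn_cookie(*CLIENT, *SERVER, client_isn=123456, mss=1460, now=t0)
    print("fresh ACK   ->", check_syn_cookie(*CLIENT, *SERVER, 123456, cookie, t0 + 30))
    print("stale ACK   ->", check_syn_cookie(*CLIENT, *SERVER, 123456, cookie, t0 + 300))
    print("spoofed ACK ->", check_syn_cookie(*SPOOFED, *SERVER, 123456, cookie, t0 + 30))
```

The stateless check also shows the cost of the approach: the freshness counter and the MSS have to fit in the 32-bit sequence number, so only a handful of option values survive the round trip, and a legitimate ACK that arrives more than one window late is dropped as stale. Those lost TCP details are the sort of thing the SYNcookies-versus-Genesis comparison above is about.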
Use of xhost in the system wide Xsession file, therefore, would imply a distribution targeted at single user hosts. While xfce is not a commercial distribution with a well defined audience, one wonders if a single user environment was really MandrakeSoft's target audience. The Mandrake report also covers issues with the use of ssh agenting in the system-wide Xsession file, suggesting the use of ssh-add be left to the individual users' ~/.Xclients file. Linux Mandrake posted a security update which addresses the problem.

Security scanner checks source code for security problems.

Version 1.1 of ITS4 from Cigital was released this week. It's a freely available package that uses a command line interface on Unix systems to scan C and C++ code for security problems. LWN noted a previous release of ITS4 in the February 24th issue of the Linux Weekly News.

Digital Signatures become law.

While it's not a security issue for software, it is interesting to note that the Electronic Signatures in Global and National Commerce Act took effect on October 1st. This act provides the legal binding that makes digital signatures as meaningful as their hand written cousins. One wonders if that makes them as forgeable too... The document for this act can be found online in pdf format.

CERT changes disclosure policy.

CERT posted a change in policy for disclosing reported vulnerabilities.

It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall.
Elias Levy on ``10 Most Important'' list.

Not everything here is about things that are broken... SecurityFocus.com's co-founder Elias Levy, who also happens to be the moderator for the highly regarded BugTraq mailing list, was chosen by Network Computing as one of the 10 Most Important People of the Decade. Congratulations, Elias.

U.S. Selects a New Encryption Technique (NY Times).

It's been a long time coming, but the US Department of Commerce has finally settled on a new encryption technique upon which to standardize: Rijndael (a play on the names of the two Belgian inventors of the algorithm):

Rijndael (whose creators suggest pronunciations approximating "Rhine doll") does not become a new standard overnight. Officials said that in the coming weeks the institute would publish a notice in the Federal Register recommending the software as the new Federal Information Processing Standard. After 90 days for comment and revision, the secretary of commerce will most likely accept the proposal.

More information on the Advanced Encryption Standard (AES) effort can be found at NIST's AES page and at NIST's Public Affairs release announcing the winners. (Thanks to Kalle Svensson and Dan York).

FBI releases first Carnivore documents (ZDNet).

ZDNet carried a story this week on the FBI's release of the first batch of Carnivore related documents in response to a Freedom of Information Act suit from the Electronic Privacy Information Center. The documents were heavily blacklined (aka redacted) and many were simply missing. "There is one document that talks very generally about voice-over-IP interception," said Banisar. "It's mostly about what 'voice-over-IP' is. When it gets to the part about what they are doing about it -- those pages are redacted."
Security Reports

Pine exploit.

An exploit in Pine was reported to BugTraq this past week. The problem involves Pine's handling of incoming mail during an open session. Interestingly, Pine was found to have over 4000 calls to sprintf, strcpy, and/or strcat, raising the question "can Pine be made secure?"

Apache mod_rewrite vulnerability.

A vulnerability in the mod_rewrite module for Apache was reported in Apache Week of 2000-09-22. According to the notice: "A patch is currently being tested and will be part of the release of Apache 1.3.13. Until then, users should check their configuration files and not use rules that map to a filename". An appropriate example is provided with more details in the announcement. A patch, which has also been committed to the Apache source, has been posted to BugTraq for this issue.

Traceroute allows local access to root.

Tim Robbins posted to the Security Audit mailing list about problems he'd found in traceroute, the tool used to follow packets through a network. The problems are interesting by their nature - heap overflow and buffer size issues - and are compounded by the installation of traceroute as a suid program. A more detailed explanation showed up in the Linux Security mailing list. A number of distributions that include traceroute, including any that based their version on LBNL 1.4a5, are expected to be vulnerable to attacks from local users attempting to gain root access. Some reports, however, suggest that OpenBSD, at least, fixed this problem up to two years ago.

This week's updates (in no particular order):
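The ITS4 item above describes a scanner that reads C and C++ source for security problems, and the Pine report quantifies the same concern by counting calls to sprintf, strcpy and strcat. The block below is an added example in that spirit; it is not ITS4's code and contains nothing from Pine. It tallies the unbounded copy functions and additionally flags printf-family and syslog calls whose format argument is not a string literal, which is the syslog-style format string bug. The function table, the heuristics, the finding labels and the sample C fragment are the example's own constructions.

```python
import re
from collections import Counter

# Functions an ITS4-style scanner flags on sight: nothing bounds the
# destination buffer, so every call is a candidate overflow.
UNBOUNDED_COPIES = ("strcpy", "strcat", "sprintf", "gets")
# printf-family functions and the position of their format argument; a
# non-literal value there is the format string bug.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}

_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)


def _blank_comments(source):
    """Replace comment text with spaces so line numbers are preserved."""
    return _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)


def _split_args(code, start):
    """Split the argument list beginning at code[start] (just past the '(').

    Tracks nesting and double-quoted strings; character literals such as
    '"' or ')' are not handled, which is acceptable for a heuristic scanner.
    """
    args, cur, depth, in_str = [], [], 0, False
    i = start
    while i < len(code):
        ch = code[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(code):
                cur.append(code[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch in "([{":
            depth += 1
            cur.append(ch)
        elif ch in ")]}":
            if depth == 0:
                args.append("".join(cur).strip())
                return [a for a in args if a]
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return [a for a in args if a]  # unterminated call


def scan(source):
    """Return (line, function, finding) tuples for risky calls in C source."""
    code = _blank_comments(source)
    findings = []
    for m in _CALL.finditer(code):
        func = m.group(1)
        line = code.count("\n", 0, m.start()) + 1
        if func in UNBOUNDED_COPIES:
            findings.append((line, func, "unbounded-copy"))
        if func in FORMAT_FUNCS:
            args = _split_args(code, m.end())
            pos = FORMAT_FUNCS[func]
            if pos < len(args) and not args[pos].startswith('"'):
                findings.append((line, func, "non-literal-format"))
    return findings


def count_unbounded_calls(source):
    """Tally strcpy/strcat/sprintf/gets calls, the figure quoted for Pine."""
    return Counter(f for _, f, kind in scan(source) if kind == "unbounded-copy")


# Constructed C fragment mixing risky and safe forms of the same operations.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
#include <syslog.h>

void log_line(const char *user_input) {
    char buf[64];
    strcpy(buf, user_input);                       /* no bound on buf */
    sprintf(buf, "%s", user_input);                /* literal format, still unbounded */
    syslog(LOG_INFO, buf);                         /* input becomes the format string */
    syslog(LOG_INFO, "%s", buf);                   /* safe form */
    snprintf(buf, sizeof buf, "%s", user_input);   /* bounded and literal */
    printf("%d bytes\n", (int)strlen(buf));
}
'''

if __name__ == "__main__":
    for line, func, kind in scan(SAMPLE_C):
        print("line %d: %s -> %s" % (line, func, kind))
    print(dict(count_unbounded_calls(SAMPLE_C)))
```

On the sample the scanner reports the strcpy and sprintf calls as unbounded copies and the first syslog call as a non-literal format, while the snprintf and the literal-format syslog and printf calls pass. Like ITS4 it is lexical: it cannot tell a bounded-by-construction strcpy from a dangerous one, which is why a count of 4000 such calls is a workload estimate rather than a list of 4000 bugs.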
Root access from cfd daemon in GNU CFEngine.

Another syslogd style problem, this one in the form of format string problems with GNU CFEngine. As cfd is almost always run as root due to its nature (centralized configuration management etc.), this can be quite lethal and lead into a root compromise. This project is aimed at providing a very high level language for building expert systems which administrate and configure large computer networks. While included as a package in the Debian distribution, cfd is not started by default. Red Hat does not include cfd. Other distributions have yet to respond to this issue.

GnoRPM security update.

Thanks to Gnotices, we hear that a security problem has been fixed in GnoRPM. There was a /tmp vulnerability in all versions prior to 0.95.1 that could allow local users to do undesirable things. An upgrade is recommended - especially since this utility, which has not distinguished itself as one of the most stable programs around, is said to actually work these days.

This week's updates:

thttpd exposes world readable files.

A CGI program called ssi included with the thttpd server allows visitors read access to any files on the server that are world readable or readable by the owner of the thttpd process. The fix involves upgrading to 2.20, which has been patched to fix this problem.

ISS issues security advisory for GNU Groff.

Groff is the GNU version of troff, the text formatting package. According to the Internet Security Systems Security Advisory, groff will read untrusted commands from the current working directory. According to the advisory:

The vulnerability is particularly dangerous in Linux distributions that have the "lesspipe" feature. By default, a "LESSOPEN" environment variable is set which points to a wrapper script for the "less" pager program named "/usr/bin/lesspipe.sh". If less is passed a filename with any of the extensions ".1" through ".9", ".n", or ".man", it automatically calls groff to handle the file.
Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

LPRng, lpr format string vulnerability.

Check the September 28th LWN Security Summary for the initial report.

This month's advisories:

Last month's advisories:

Red Hat also issued an advisory for a similar problem in lpr.

Related advisories this month:

Rehashing an old su problem.

LWN reported this past week on what appeared to be a new report on a format string vulnerability in /bin/su. However, that report turned out to be a rehashing of an older su problem related to problems found in glibc and reported on last month. The problems are serious and users should upgrade their glibc packages as soon as possible.

wu-ftp vulnerability.

Check the June 15th LWN Security Summary for the original report of this problem. An upgrade to wu-ftpd 2.6.1 should fix the problem.

This week's updates:

Previous updates:
Discussion on this thread in BugTraq uncovered possible bugs in the ftp client as well, though it's not clear if this problem is exploitable in any way.

Resources

Other resources on security this week.

Events

Upcoming security events and announcements.
Section Editor: Liz Coolbaugh
Kernel development

The current development kernel release is 2.4.0-test9. Linus released this kernel just prior to taking a trip to Germany, so it may be the last for a little while. This is also the point at which Linus had said that he would no longer accept any patches that were not fixes for "urgent" bugs. The freeze is getting tighter.

The current stable kernel release is 2.2.17. The 2.2.18 prepatch is up to 2.2.18pre15 currently. This patch is in the "bug squash" mode, and has a few small problems - for example, the PPC and Sparc architectures do not build. There are a few other things to be dealt with as well, so the official 2.2.18 release is still somewhat distant.

If you install Red Hat 7, be sure to install the "kgcc" package and use it when building kernels. The gcc package in this distribution is a little too new to be used for this task (see this week's Distributions Page for more).

Fixing the 2GHz limit.

It turns out that the Linux kernel has a built in limit that will cause it to break on processors with a clock speed greater than 2GHz. Since processors that run at well over 1GHz are already available, the day when this limit will matter is not that far away. Fortunately, the problem is easy to fix. It's just a matter of changing the way the udelay() function does its work. The fix has already gone into the 2.2.18pre series, and will likely show up before too long in the 2.4.0-test kernels as well. When the blazingly fast new processors show up, Linux will be ready.

The Kernel Wiki wants your help.

Gary Lawrence Murphy is looking to get 10 minutes worth of time from everybody who knows something about the internals of the Linux kernel. His project, known as KernelWiki, is to completely document the internals of the 2.4 kernel in some sort of reasonable time frame. In typical Wiki fashion, the Kernel Wiki allows anybody to add content to the site. With luck, enough knowledgeable people will take up the challenge and something useful will result.
Recent developments with filesystems. A few different filesystem issues have come up over the last week. They include:
A reminder on ECN.

Recent 2.4.0-test kernels support the Explicit Congestion Notification (ECN) extension; the September 14 Kernel Page describes this change somewhat. Unfortunately, some firewalls out there on the net react poorly to systems that try to use ECN, with the result that many systems are simply unreachable to ECN-capable hosts. LinuxToday.com was recently cited as being one of the affected sites. If you are running a recent 2.4.0-test kernel and are experiencing difficulties in connecting to certain sites, you should try turning off ECN. A simple command like:

echo 0 > /proc/sys/net/ipv4/tcp_ecn

will do the trick.
TUX 1.0 (kernel HTTP server) released. The first stable release of the TUX 1.0 kernel-based web server has been announced. TUX is the server which produced such great SPECWeb numbers last June, and which still holds the record for the fastest performance. For those who would like to learn more, LWN looked at how TUX works in the September 7 kernel page. Other patches and updates released this week include:
Section Editor: Jonathan Corbet
Distributions

Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Red Hat 7 - is the edge bleeding too much?

Red Hat 7 comes with a number of nifty new packages, as described in the new features page. A couple of these, however, are attracting special attention:
In comparison, the recently-released SuSE 7.0 distribution ships gcc-2.95.2 and glibc-2.1.3. There are a couple of problems with Red Hat's choice of tools here. The first is that they have shipped beta versions of both the compiler and the C library. While Red Hat was obviously confident of the quality of these packages, the fact remains that they have not seen the level of testing that one might like to see for such fundamental components of the system. The other is that both tools are still in flux. The gcc that Red Hat calls 2.96 (essentially a patched CVS snapshot) produces binaries that are incompatible with those from 2.95 - especially where C++ is involved. These binaries will also be incompatible with gcc-3.0, whenever that comes out. The C library is also still in a development phase, and the possibility of incompatible changes before the 2.2 release is real. As a result, Red Hat 7 binaries are incompatible with other Linux systems out there - at least in some cases. If glibc-2.2 turns out to contain any other incompatible changes, then distributors will be forced to choose between shipping the stable version of the library or being binary compatible with Red Hat 7.

There have already been flames posted to the effect that Red Hat is using unfair tactics here. The company is said to be abusing its market position and its ownership of Cygnus to lock application developers and customers into its own system. These charges almost certainly have no basis in reality, however. Red Hat has always had a tendency toward shipping very new software. Remember back, for example, to the 5.0 release. It was the first to include glibc2, and was a rather difficult experience for many people who were trying to install it into (previously) working networks. But it also spearheaded the acceptance of a crucial new version of the library. In this case, Red Hat's reasoning on gcc is perhaps best expressed by this linux-kernel posting by Richard Henderson.
Essentially, he says that gcc-2.95 is insufficiently stable and is a dead line of development; it's already binary-incompatible with other gcc releases; and that there's no way to be binary compatible with what gcc-3.0 will be in any case. At least this way they are source-compatible with gcc-3.0. On the library side, they presumably felt sufficiently assured that there would be no more incompatible changes before 2.2 comes out. Red Hat's employment of Ulrich Drepper, the glibc maintainer, probably helped in that regard. So conspiracy theories are not called for here. Riding the bleeding edge has always been a characteristic of the Red Hat distribution - especially with "dot-zero" releases. The fact that marketing did away with the ".0" doesn't change the nature of Red Hat 7. Perhaps this release should have been delayed until the tools stabilized somewhat, but marketing probably wasn't thrilled with that idea either...

Distribution Reviews

LinuxPlanet reviews SuSE Linux 7.0 Personal/Professional.

LinuxPlanet has run this review of SuSE Linux 7.0, both Personal and Professional editions. "SuSE Linux 7.0, the latest offering from the Germany-based SuSE GmbH, comes in two distinct offerings--Personal and Professional, as well as an Upgrade version for current SuSE users. Superficially, there is little difference between the products, not even in price. The SuSE Linux 7.0 Personal costs a mere $39.95, the Upgrade version $49.95, and the Professional version just $69.95, should you choose to pick them up off the shelf. Downloading is available, as with most Linux distributions, but in this instance, I strongly recommend plunking down the cash for this distro." (Thanks to Pieter Hollants)

Mandrake 7.2 Beta2 Review (LinuxLookup).

Here's a review of Linux Mandrake 7.2 beta 2 which appears on the LinuxLookup site. "Many of the Mandrake specific configuration tools have been revamped in 7.2. DrakConfig, the front end to the individual configuration tools, has simply undergone cosmetic changes. On the other hand, Mandrake Update seems to have undergone a complete rewrite. The layout is different, and installing developmental updates from Mandrake's Cooker is now supported."

Red Hat Linux 7.0 Review (Duke of URL).

The Duke of URL has posted a review of Red Hat Linux 7.0. "New features like a largely-upgraded package system, kernel 2.4, enhanced USB support, and even out-of-the-box 3D support via XFree86 4.0.1 make Red Hat's latest look like a dream come true. Is it a dream come true, or Linux's worst nightmare?"

General-Purpose Distributions

Caldera's Linux management solution enters open beta.

Caldera has announced that its Linux management system, once known as "Cosmos," has entered an open beta test. The utility can be downloaded (in binary form) from Caldera's open beta page. For more information, see the Cosmos FAQ page.

New FAQs from Caldera.

After a bit of a pause, Caldera has resumed its practice of sending out a list of new additions to its FAQ. This week's list covers a wide range of topics, from hardware issues to Webmin modules.

Debian news.

The Debian Weekly News for October 3 is out. It covers unstable's return to stability, and has an interesting summary of the debian-devel discussion on bug reporting. Debian is suffering a case of "severity inflation," resulting from a perception that only bugs marked as being highly important get attention from the package maintainers. Kernel Cousin Debian #4 is also out, and covers discussions through September 28.
Tuxtops launches Laptop Debian.

Tuxtops has announced the availability of a version of the Debian distribution that has been specially tweaked for laptop systems. It can be had on laptop systems purchased from Tuxtops; it is also available separately.

An Analysis of The Red Hat Network (LinuxToday).

The Australian LinuxToday site has put up a look at the Red Hat Network, the first in a two-part series. "The Red Hat Network is a step forward for many users and system administrators. It has the potential to grow into a much larger system which will ease common system administration tasks. It's one of the first business systems I have seen which will truly automate the distribution of software."

SOT opens U.S. office.

SOT, the Finnish publisher of Best Linux (claimed to be the top distribution in Finland) has announced the opening of a U.S. office in Minneapolis. The company will also be at the Linux Business Expo in November to introduce its product.

SuSE announces support for new IBM servers.

SuSE has been quick to put out an announcement of its support for IBM's new "eServer" line. The announcement covers the full line, from Intel-based systems through the PowerPC models and the mainframe systems.

Section Editor: Liz Coolbaugh
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
Development projects

News and Editorials

SourceForge's new developer rating system.

Slipped into the SourceForge site news on September 20 was the announcement of the new "peer rating system." SourceForge now invites its registered developers to rate each other in five different categories:
Who has the strongest code-fu? Who's the best project manager? Who's the best designer? Who's the most reliable? In the end, there can be only one. Interestingly, the "one" happens to be a person named Tim Perdue. He is, well, one of the hackers on the SourceForge code itself...

What is SourceForge trying to achieve here? Obviously creating a ratings scheme and encouraging developers to go rating each other is one way to push up traffic on the site. Perhaps they are truly trying to make the free software meritocracy work a little better. It also could help them to build an increasingly valuable database of the free software developer community. That last bit is interesting.

SourceForge does, finally, have a privacy policy, which is an encouraging step. Said policy says:

At no time, unless such disclosure is required by law or a user specifically authorizes such disclosure, will SourceForge disclose individual user personal information that is not publicly available to unrelated third parties.

Herein lies the rub: the developer's name and ratings, since they are displayed on the site, are "publicly available." VA Linux Systems, the sponsor of SourceForge, is highly trusted in the free software community, and it has earned that trust. Even so, this seems like a large loophole. Some other concerns come to mind here:
Browsers

Netscape 6 Preview 3 Released. Netscape has released Preview Release number 3 of Netscape 6. This release features an exciting new user interface, and enhanced stability among other things.

Mozilla Status Report. The latest Mozilla Status Report for September 27, 2000 is out. Check it out to get a view of the parallel debugging process being done by the Mozilla team.

Galeon 0.7.6 is out. This release brings a number of nice new features, including a button bar with nice functions like "back," "forward," "home," and "reload." Until this release, Galeon users have had to go to the menus for those functions. Even nicer, though, is the little "zoom" blank on that button bar. A few keystrokes, and awful pages with tiny fonts become instantly readable. There is also (from 0.7.5) a nice option which disables popup windows on links. Galeon is clearly reaching the point where a lot of people are using it, and some are beginning to scratch some of the more annoying itches. After all these years, we are beginning to see what an open source browser can do for us. Galeon is becoming truly usable; it will be fun to see where it goes in the future.
Databases

Gnome-DB 0.1.0 released. Gnome-DB 0.1.0, a.k.a. Olympius, has been released. "GNOME-DB is a complete framework for developing database-oriented applications, and actually allows access to PostgreSQL, MySQL, Oracle and ODBC data sources."

Games

KDE Games Center. KDE Dot News pointed out the updated KDE Games Center site. The site is the depository for over twenty KDE games and aims to be the place to go for information on developing games under KDE.

New games for kids. The Linux for Kids site has reviewed a number of new kid-oriented games. Check out Tunnel, gSoko, 3Dtetris, 7colors, and xquarto. Congratulations go to Linux for Kids; they are now one year old and going strong.

Embedded Systems

gdbstubs 20000921-1406 available. A new version of gdbstubs is available. Gdbstubs is in effect a portable ROM monitor program for embedded systems that speaks a GDB compatible protocol. Gdbstubs allows an instance of GDB running on a development system to communicate with a target system over a serial port. There is currently support for Hitachi 704x and Motorola CPU32 architectures. The code is designed in a way that allows for the addition of new CPU families by customizing a small set of functions. Gdbstubs is released under a GPL style license.

Vendor Neutral Embedded Linux Workshop (Linux Devices). The RTC group and K computing will be providing a hands-on embedded Linux workshop at the Embedded Linux Expo & Conference (ELEC) near Boston, Mass on October 26, 2000. "In the full day vendor-neutral workshop, attendees will carefully walk through the process of creating a optimized embedded Linux system. The seminar will focus on open source software that is available on the Internet free of charge. Attendees will gain direct experience, by performing each step on their own in the workshop's hands-on lab set-up."

Interoperability

Wine 20001002 released. The Wine development team has released Wine release 20001002.
This version has lots of bug fixes and better Winelib support among other improvements.

Office Applications

The Other Media Player. Noatun is a new media player which will hopefully be released with KDE 2.1. It is said to run more efficiently under KDE compared to other media players.

German-Sponsored KOffice Meeting -- Report. KDE News reports on Linux Kongress which was held recently in Erlangen, Germany. The KOffice team will be working on adding better MS Office and rich text file compatibility.

On the Desktop

Joining the GNOME project. For those of you who would like to make a contribution to GNOME, a guide has been published on how to Join the GNOME project. The project is looking for volunteers to help with documentation, translation, testing, graphics, sound, and numerous other topics.

KDE announcements. Here are some announcements from the KDE developers:
The People Behind KDE: Cristian Tibirna. The "People Behind KDE" series continues with this talk with Cristian Tibirna. "I was on the lyx lists when Matthias Ettrich started it in October 1996. His ideas caught me bad. After finishing some exams at beginning of 1997, I got involved with coding (kwm's smart placement and magnetic borders algorithms) and I started to do a lot of users support on the mailing lists."

KDE 2.0 and Korean language support. KDE Dot News has a link to a tutorial on adding multibyte language support (specifically, Korean) to KDE 2.0 applications.

Miscellaneous KDE eyecandy. KDE Dot News has put up a page of "KDE eye candy" with nice splash screens and such. Check it out for a view of the pretty side of KDE2.

Konqueror support for the Diamond Rio (KDE Dot News). A new Konqueror kioslave for the Diamond Rio has been announced. Now you can organize your portable tunes under KDE.

Science

Latest OIO Enables Medical Forms Over the Web (Linux Med News). A new version of OIO, the Open Infrastructure for Outcomes, is available. The OIO library manages XML forms and is used for managing medical forms over the net.

Web-site Development

UdmSearch V3.1.5 released. Kir Kolyshkin wrote in to tell us that version 3.1.5 of UdmSearch, a search engine similar to ht://Dig, has been released.

Midgard Weekly Summary. Here is the Midgard Weekly Summary for September 28, billed as "the first of the biweekly Midgard Weekly Summaries." It covers the new MWS format, the upcoming 1.4 release, and more.

Section Editor: Forrest Cook
October 5, 2000
Programming Languages

C/C++

Glibc test tool (IBM Developer Works). IBM's Developer Works has run an article on using Glibc Test, an open-source tool for testing the Glibc internationalization APIs. The tool currently only supports Japanese locales, but it is designed to be able to support other languages. Glibc Test has been released under the IBM Public License.

Erlang

Erlang User Conference Proceedings. The Proceedings from the sixth annual Erlang/OTP User Conference have been made available. Lots of interesting topics were covered.

Erlang 5.0/OTP R7B released. Erlang 5.0 release R7B was made available on August 30. See the list of highlights for the details. The code can be downloaded here.

Java

Blackdown Java 2 SE v1.3 released. The Blackdown Java-Linux Team has announced release candidate 1 of Java2 SE v1.3 and Debian packages for Java2 SE v1.3, Java3D 1.2 and JAI 1.0.2.

Java Servlet Tutorial (IBM Developer Works). IBM's Developer Works has a 30 minute Java Servlet Tutorial by Jeanne Murray. This looks like a good way to get your feet wet with Java (ouch). Registration is required to take the tutorial.

Trusting your e-mail with Java security (IBM Developer Works). An article on using Java to implement secure internet transactions has been published on IBM's Developer Works.

Java code samples (IBM Developer Works). Lastly, IBM's Developer Works has published a useful list of Java Code Samples with lots of useful tidbits.

Perl

Upcoming Perl Classes. If you are looking to educate yourself on the use of Perl, the University of Perl has classes by several well known Perl experts in Los Angeles, Atlanta, and New York City during October. Also, Consultix is offering Perl Classes by Damien Conway and Tim Maher this month in Chicago and Kirkland, WA.

Python

This week's Python-URL. Here is Dr. Dobb's Python-URL for October 2, with the latest in development news from the Python community.

Python-Dev newsletter for September 30. A.M. Kuchling's Python-Dev newsletter for September 30 is out. Development is a little slow with the current code freeze, but numerous topics are covered regardless.

VTK-CFD Visualization Tools. Prabhu Ramachandran has released his Python based VTK-CFD Visualization Tool package. VTK-CFD is useful for visualizing 3D graphics and has been released under the GPL license. The screenshots from this program look very impressive.

Python Distribution Utilities 1.0 released. Version 1.0 of the Python Distribution Utilities has been announced. "The Python Distribution Utilities, or Distutils for short, are a collection of modules that aid in the development, distribution, and installation of Python modules."

Tcl/Tk

This week's Tcl-URL. Here is Dr. Dobb's Tcl-URL for October 2. It covers the latest in the Tcl core team charter and other Tcl development topics.

New Tcl/Tk rpms for Red Hat Linux 7. New rpms of Tcl/Tk that are compatible with Red Hat Linux version 7 have been announced. Both the alpha version 8.4a1 and the stable version 8.3.2 are available.

Software Development Tools

CVS tagged KDE_2_0_RELEASE. KDE Dot News reports that the release version of KDE 2.0 has been tagged. This means that the development work is done. In the absence of showstopper bugs, all that remains is the packaging work to actually put together the release, which is still set for October 16.

Section Editor: Forrest Cook
Language Links: Caml, Caml Hump, Tiny COBOL, Erlang, g95 Fortran, Gnu Compiler Collection (GCC), Gnu Compiler for the Java Language (GCJ), Guile, Haskell, IBM Java Zone, Jython, Free the X3J Thirteen (Lisp), Use Perl, O'Reilly's perl.com, Dr. Dobbs' Perl, PHP, PHP Weekly Summary, Daily Python-URL, Python.org, Python.faqts, Python Eggs, Ruby, Ruby Garden, MIT Scheme, Schemers, Squeak Smalltalk, Why Smalltalk, Tcl Developer Xchange, Tcl-tk.net, O'Reilly's XML.com, Regular Expressions.
Linux and Business

Atipa acquires OpenNMS project. Kansas City, Missouri based Atipa announced the acquisition of PlatformWorks, the company behind OpenNMS, late last week. Atipa provides turnkey Linux-based solutions, including software, hardware, appliances, support and professional services. OpenNMS.org is an open source software consortium developing a next generation, truly functional network management tool for the enterprise.

Here is the announcement from the OpenNMS project on its acquisition by Atipa. "We are excited to announce that we've received the necessary funding to not only bring the Bluebird software to market, but to augment the core team with additional developers and continue toward our goal of building a world-class support organization to support Bluebird deployments."

Here is Atipa's announcement. Bluebird is currently the project name for the first of many open source projects that will be created by the OpenNMS consortium. Bluebird is intended to be the flagship product in a suite of products. Atipa plans to position OpenNMS' Bluebird product as a scalable, open source alternative to HP's OpenView or IBM's Tivoli. Atipa also plans to keep the software open source and to make money on services and support. The OpenNMS Bluebird project is currently licensed under the GNU General Public License (GPL).

S3 subsidiary frontpath(TM) announces ProGear. Yet another of the long line of information appliances hitting the market these days, ProGear touts a 10.4" TFT display, x86 compatibility, up to 128Mb of memory, 6.4GB (2.5") slim hard disk, and touch screen all running on a Transmeta(TM) TM3200 400 MHz processor. A Linux 2.4 kernel powers this latest gizmo, while Netscape 4.74 is provided as a front end. Of course, it raises the question: where did they get the 2.4 kernel?

HotDispatch and Caldera to create knowledge exchange for Linux developers. HotDispatch.com is an online marketplace for buying and selling technical expertise and Digital Products, and HotDispatch the company developed the technology behind the website. Now HotDispatch has announced an alliance with Caldera Systems to create "an online marketplace for Linux developers to purchase and sell technical expertise."

Two announcements from VA Linux Systems. First, VA Linux announced the release of version 2.0 of its "VA Cluster Manager" (VACM). VA Linux is also expanding its operations in Europe. Its recent moves include the acquisition of the Belgian consulting firm "Life" and the hiring of Wichert Akkerman, leader of the Debian Project.

New Books. O'Reilly has announced the availability of the "GIMP Pocket Reference," by Sven Neumann. It's "a remarkably petite" 97 pages, and covers GIMP 1.2. For those who want to see what this booklet looks like, O'Reilly has placed the chapter on the toolbox online as an example.

No Starch Press, publishers of the Linux Journal Press series of books, has put out a press release on the English publication of The Blender Book by Carsten Wartmann. The book covers the many intricate details of the complex yet powerful Blender 3D animation package from Not A Number.

Oracle to deliver database for Linux clusters. Oracle has announced what it claims is the first clustered database server for Linux systems - Oracle8i Parallel Server. It can currently handle clusters up to four nodes; it has been "validated and certified" by VA Linux Systems and NEC. It's currently in beta testing; availability is supposed to be by the end of the year.

Press Releases:

Distributions and Bundled Products
Commercial Products for Linux
Products Using Linux
Products with Linux Versions
Java Products
Partnerships
Investments and Acquisitions
Financial Results
Personnel
Linux At Work
Open Source in Education
Other
Section Editor: Rebecca Sobol.
October 5, 2000
Recommended Reading

Mexico Has Resources for High-Tech Success (Los Angeles Times). The L.A. Times has run a lengthy open letter to Mexican President-elect Vicente Fox saying that Mexico's future lies in open source. "With the combination of free software and inexpensive Internet connectivity, as well as building on Mexico's Red Escolar (SchoolNet) program for wiring Mexican schools, the country could become the world's leading example of affordable high-tech infrastructure for the rest of the world's developing nations. Moreover, the philosophy behind free, open-source software fits well with your important ideas about a new 'open society' in Mexico."

Atipa acquires OpenNMS.org

Atipa Team Takes Aim At VA Linux (ZDNet). ZDNet looks at Atipa's acquisition of the OpenNMS project. "Doug Stevenson, a network management consultant and author of the industry white paper, 'Network Management: What It Is and What It Isn't,' said OpenNMS.org 'has developed what many consider to be a disruptive technology that will alter the face of the enterprise management market.'"

KC's Atipa leaps into field of ''open source'' software (Kansas City Star). The Kansas City Star reports on Atipa's acquisition of PlatformWorks. "The software will be free, but Atipa will make money by selling a version with manuals and company support for a $10,000-$12,000 annual subscription fee."

Software company finds a buyer (News & Observer). The (Raleigh) News & Observer breaks the news that the Open Network Management Software project has been acquired by Atipa. "OpenNMS' network management software, currently called Bluebird, will start being tested by customers next month and will be ready for a commercial release next spring. Like all open-source software, the OpenNMS version will be free--a stark contrast to expensive network management software from established vendors. Atipa's plan is to make money through service and support contracts."

Sun/Cobalt deal

Will We Be Sun-Lite? (LinuxToday).
The Australian LinuxToday site comments on Sun and Cobalt Networks. "My take is that Sun is moving to position its own Solaris operating system and high-end server products as the next step for Linux users looking to move upscale. In effect, it's a strategy that will position Linux as a 'lite' version of Solaris."

Can Cobalt make Sun shine? (ZDNet). Here's a ZDNet column on Sun's purchase of Cobalt Networks. "Sun's Solaris operating system has failed to make inroads into Microsoft's dominance of this sector, even when Sun was essentially giving it away. Linux, on the other hand, has tripped the onward march of Microsoft, especially in any application that is Web-related. So, even though Sun has tried to pretend that the Linux part of Cobalt isn't important, it is easy to see the acquisition as a move to get into the Linux market before the likes of IBM and Hewlett-Packard clean up."

Sunset for Cobalt? (Andover News). Here's an Andover News column with a critical view of Sun's acquisition of Cobalt. "A number of analysts claimed that the high price brought by Sun's purchase of Cobalt Networks was proof of the value of Open Source. But if so, why was Cobalt's Michael DeWitt trying so hard to avoid even uttering the word Linux?" (Thanks to César A. K. Grossmann).

Companies

Tcl's Availability (ZDNet). Here's an article in ZDNet about Tcl and Ajuba Solutions. "Before explaining how Web workers use Tcl, it helps to have a clear picture of Tcl's status as a product. From the beginning, Tcl has been free. That is, [Tcl creator John] Ousterhout has always released Tcl's language processor as source code under a liberal "BSD-style" license which allows others to do almost anything they want with it. You can't claim you wrote what you didn't, or take action against Ousterhout for his gift; those are the only significant restrictions on Tcl's use."

Variety of Implementations (ZDNet). This is another ZDNet article about Tcl.
"Scores of distinct microscripting systems are in wide use, including mod_perl, PHP, and ASP. Several of the largest Web applications rely on microscripted Tcl. Vignette's StoryServer, for example, leads the market of enterprise-class Web publication systems. Its technical basis is microscripted Tcl. StoryServer is so successful that many of its users know Tcl only through the product, and have the mistaken belief that Tcl is a proprietary language which belongs to Vignette."

Novell touts new products, Red Hat deal (News.com). News.com posted a story on Novell's eDirectory and DirXML software, including Red Hat's decision to use them in that company's latest release, Red Hat Network.

Red Hat struggles to be seen in embedded space (Upside). While the Red Hat distribution enjoys strong support, Upside writer Sam Williams reports on the perception in the real world that Red Hat doesn't have a firm embedded plan yet: "Ten months after the merger, however, the integration of the two companies seems a bit awkward. Despite the outwardly can't-miss combination of Cygnus' engineering talent and Red Hat's marketing savvy, the company has spent almost the entire year watching a host of competitors sprint past it in hopes of becoming the world's top supplier of embedded Gnu/Linux software and services."

Nanux or Nanix? (LinuxDevices). Will the real embedded Linux company please stand up. One of these is the name of an embedded Linux company, the other is the code name for an embedded Linux product. LinuxDevices.com explains which is which. "A few months ago, the start-up business, Charmed Technologies, issued a press release about their idea for yet another embedded Linux, which they dubbed "Nanux". It seems, however, that they failed to check and see if the name was already in use -- when, in fact, it was."

Transmeta plans to raise more than $140 million in IPO (News.com). News.com looks at Transmeta's revised IPO filing.
"Transmeta plans to sell 13 million shares at a range of $11 to $13. After its IPO, the company will have 126 million shares outstanding, giving it an approximate market value of $1.64 billion based on a sale price of $13 per share."

EnFuzion: Supercomputing by the masses (ZDNet). ZDNet reviews the TurboLinux EnFuzion product. "However, even with the potential for unlimited node scalability, at $400 per node, the cost of implementing the current version of EnFuzion could be prohibitive for some small-scale operations."

The Gnutella paradox (Salon). Salon predicts the death of Gnutella. "If the decentralized Gnutella can't handle the legal and technical threats that come from mass usage, what system can? Or are music traders doomed to confront a future in which each new 'next Napster' is progressively undermined by its own success?" (Thanks to Paul Hewitt).

Microsoft and Corel

.comment: Microsoft and Corel -- Not Good News (LinuxPlanet). LinuxPlanet worries about the Microsoft/Corel deal. "The speculation among Linux users who published their opinions at various websites runs chiefly in the vein that this is how Microsoft will insinuate itself into Linux. That speculation, I believe, is dead wrong. Microsoft is no friend to Linux. Microsoft is friend only to Microsoft."

Why did Microsoft really buy into Corel? (ZDNet). ZDNet speculates on the motivation behind the Microsoft/Corel deal. "Nipping another potential legal action in the bud was worth $150 million to Microsoft, no doubt. But I also believe Microsoft made the investment as a way to hedge its bets in the desktop-suite space. Sun Microsystems' StarOffice suite is set to go open-source on Friday the 13th of this month. Sun already has given away lots of free copies of StarOffice. Microsoft doesn't want to be forced to give away one of its biggest cash cows, Microsoft Office, in any way, shape or form. But giving away Corel WordPerfect Office wouldn't hurt Microsoft one bit."
Ballmer learns from past Microsoft missteps (News.com). News.com has another Steve Ballmer interview. Nothing incredibly new, but he does maintain a rather interesting view of Linux: "Linux is not catching on, on the desktop. There are no customers. I may be from Mars, but if there's no demand, we're not going to do the work to take Office to Linux. It's not even an interesting question until there's demand. Linux on the server is a different story. We might still dramatically outsell Linux on the server. You don't see much Linux in (business) customers. You see some Linux in Web sites and application service providers, but it's less than the press hype."

Embedded Systems Conference

Embedded Linux -- one year later (LinuxDevices). This LinuxDevices.com article looks at this year's Embedded Systems Conference compared to last year's Conference, particularly with respect to the number of Linux companies. "If you could travel back in time to the Embedded Systems Conference of September 1999, you would find that the "Embedded Linux Market" simply did not exist, one short year ago. Sure, a growing number of developers and a handful of companies were starting to embed Linux. But as a market that anyone tracked, or paid attention to, Embedded Linux simply hadn't made it onto the radar screens."

Inder Singh: address to the ELC Meeting (LinuxDevices.com). LinuxDevices.com is carrying the text of Inder Singh's address to the Embedded Linux Consortium meeting. "The momentum of Linux over the last couple of years is beyond anything we have ever seen for an operating system. The focus of the world has been on Linux in the server market, but I am convinced that Linux will have its biggest play in the embedded world."

The Great Open Source Debate wages on (Upside). Upside covers the Embedded Systems Conference. "Red Hat reinforced its strategic decision to work on everything but a real-time version of the Linux kernel."

Business

Is the SDMI boycott backfiring? (Salon).
Salon suggests that hackers may want to reconsider boycotting the SDMI challenge. "A successful effort by hackers to break the watermarks, suggest representatives of some of those technology companies, might jeopardize almost two years of work by the coalition of record labels, consumer electronics companies, technology start-ups and computer manufacturers that makes up SDMI. But this wouldn't necessarily be a bad thing."

Software's Glass Ceiling: Breaking the Tail-Lights (osOpinion). Here's an osOpinion column which cautions against going too far in imitating commercial software products. "Consider PERL, messy though it is. Did it achieve greatness by emulating BAT files and DOS command-line tools and working up from there? Did EMACS grow from an EDIT.EXE clone (yes, there are several), or from a LISP programmer's scratched itch?"

The Failure of Linux: Credibility and Responsibility (osOpinion). Here's another osOpinion piece that is very strongly critical of the engineering that goes into Linux. "The act of writing computer code is actually a small part of the overall software design process, and yet far too many Linux projects focus solely on this one area. It is why Linux breeds good programmers but lousy engineers. Linux programmers tend to place a very low value on accountability and personal responsibility, and the community is poorer for it."

Certifying the Penguin (Certification Magazine). Dan York has written an article about Linux certification for Certification Magazine. It covers all of the available certification options and how they work. "Unlike other operating systems, there is no central 'Linux, Inc.' No one company can simply dictate the standards for certification or for anything else. Instead there is the whirling bazaar of companies, organizations and individuals all cooperating to build the Linux operating system, yet many of them also competing with each other as well."

Power to the penguin (ZDNet).
ZDNet is carrying a column by a Deloitte & Touche manager on Linux's prospects. It's reasonably positive, but has a few problems: "While it's likely that competitive pressure will ultimately lead some Linux vendors to make the source code for their version of Linux proprietary, much of Linux's appeal lies in its populist roots."

Linux Firms Still Searching for Success (Los Angeles Times). The L.A. Times has put up this article on Linux businesses. "But TurboLinux Chief Executive Paul Thomas concedes that with little difference among Linux rivals, mergers might leave only two major distributors standing by year's end."

Resources

Linux means Business: Word Processors (LinuxLinks). LinuxLinks.com looks at Linux word processors. "Only a few years ago Linux was found lacking in this department, having a very limited choice of tools to use; with only the historic UNIX tools being available. For example, although LaTeX is a highly professional document preparation system it is aimed at the scientific community, and not at the corporate market. The situation has changed; there are a number of quality office suites that include word processing facilities which are a match for the popular Word."

Linux Buyer's Guide #5 (DukeOfUrl). Here's the latest Linux Buyer's Guide from the DukeOfUrl. "The beauty of Red Hat 7 is that, although 3D acceleration takes some tweaking to get working, and kernel 2.4 needs to be installed on your own, is that both of these integral tools are included and at the disposal of any users, and finally, a large distributor is pushing them-this is where people start listening. You can't ignore Linux anymore!"

Linux Gazette issue 58 is now available. Issue #58 of the Linux Gazette is now available. Included are interviews with Chris DiBona and SourceForge's Quentin Cregan, Linux Security Tips by Kapil Sharma, and much more.

Reviews

Review: Enterasys Networks RoamAbout (Signal Ground). Signal Ground looks at the Enterasys Networks RoamAbout wireless network.
"If you're installing on a Red Hat 6.1 or 6.2, Caldera 2.3 or 2.4, or SuSE 6.3 or 6.4 system, you're in luck: Enterasys Networks has provided pre-built drivers for each of these systems, so installation should be a breeze."

VMWare 2.0.2 Review. The Duke of URL has posted a review of VMWare 2.0.2, the all-OS virtual environment that allows you to run Windows, Linux and even FreeBSD in a virtual machine.

Interviews

Interview with Jon Danzig (RootPrompt). RootPrompt.org has run an interview with Jon Danzig, president of Libranet. "We believe that we can produce a first class Linux desktop system that almost anyone can install and use enjoyably. We expect to be the distribution of choice for a large segment of the Linux community and a good choice for those arriving to Linux." (RootPrompt also reviewed Libranet Linux 1.8 at the beginning of September).

Raymond to pen 'Zen and the Art of Unix' (Upside). Upside covers Eric Raymond's talk at Oracle's OpenWorld. "'My goal is for open source development to become the norm everywhere it is economically feasible,' said Raymond, in between videotaped aikido moves. 'I think, at equilibrium, only 5 to 15 percent of the world's software remains closed source.'"

10 Questions with Olivier Fourdan of Xfce (LinuxOrbit). LinuxOrbit talks with Olivier Fourdan, creator of Xfce. "When I read articles on interfaces available on Linux, Xfce is rarely mentioned. That's sad, because choice is a big strength in Linux. Reducing the choice to KDE or GNOME only makes Linux less attractive, in my opinion."

Defanging Carnivore (Salon). Salon talks with Robert Graham of Network ICE, the company that put out an open source "Carnivore" implementation. "More importantly, encryption technology is becoming more and more built into what we do. The real debate that we're going to have to answer and address as a society at some point is whether encryption is a fundamental human right."

Miscellaneous

Network Computing's 'Top 10' lists.
Network Computing has put up a Top 10 most important people of the decade list. Linus Torvalds is there in third place, behind Bill Gates and Tim Berners-Lee. Elias "Aleph One" Levy is also on the list in eighth place. If you look at the Top 10 Products list you'll not find Linux anywhere, but Apache got sixth place.

Section Editor: Rebecca Sobol
October 5, 2000
Announcements

Events

Report from the Embedded Linux Consortium meeting. The Embedded Linux Consortium, celebrating its first birthday, held a meeting at the Embedded Systems Conference in San Jose. LWN's Forrest Cook was there, and has sent in a report from the gathering. There is much optimism in the embedded Linux community...

O'Reilly's P2P Summit. Summaries of the O'Reilly sponsored Peer-to-Peer summit are now online. The summit, held in San Francisco on September 19th, was designed to discuss technologies similar to Napster. "The music industry is positioning peer-to-peer as if it were an attack on copyright, when in fact, it's a technical approach that is fundamental to the architecture of the internet."

Real-time applications with Linux. Karim Yaghmour, author of the Linux Trace Toolkit (LTT), will talk about real-time applications development (in French) using the Linux Real Time Application Interface (RTAI) and LTT. The technical differences between RTAI and RTLinux will be addressed. Wednesday October 11, 2000 at the École Polytechnique de Montréal.

ApacheCon Europe 2000. Here's an announcement (in French) about ApacheCon, happening October 23 - 25, 2000 in London.

Software Development Conference & Expo. Presentations by Kevin Mitnick, Larry Augustin, Gloria Gery and Martin Fowler are scheduled during SD 2000 which runs October 29 - November 2, 2000 in Washington, D.C.

October/November events.
Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Web sites

Sensiva's new Web site. Sensiva launched Sensiva.com, a free content and information portal, that also links to the company's multi-platform software. Sensiva's new Web site is offered initially in English, French and Japanese; with more languages to follow.

User Group News

The Linux Users' Group of Davis. LUGOD announced that they will be demonstrating the Linux operating system on Saturday, October 7th and the following day, LUGOD and the UC Davis Computer Science Club will be hosting an Installfest in Davis, California.

Long Island Linux Users Group. LILUG announced a LAN PARTY on October 10, 2000. So bring computer, bring a hub, plug in and have fun.

LUG Events: October 5 - October 19, 2000.
October 5, 2000
Software Announcements

Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:
Our software announcements are provided courtesy of FreshMeat
Linux Links of the Week

LWN, of course, is based in Colorado, and we're generally pretty happy with that. A look at the Bay Area Linux Events calendar, however, is almost enough to make one change one's mind. People over there have a lot of fun... If you're not in the Bay area, or are stuck at home, the Linuxcare product comparisons page can be a good place to look to find some fun new software to play with instead. The breadth of the coverage is growing; this page is turning into a useful resource.

Section Editor: Jon Corbet
This week in history

Nine years ago: October 5, 1991, was the day that Linus first released Linux to the world.

Two years ago (October 8, 1998 LWN): We asked "what will happen to the Linux VARs?" With companies like Dell making noises about getting into Linux, it looked like life could get harder for companies that sold Linux-installed computers. Two years later, most of those companies are still around and doing better than ever. But people still wonder what will happen when the Dells of the world get serious...

A new Linux news site called LinuxToday was launched by Dave Whitinger and Dwight Johnson.

Nice thought of the week:

The arguments are both noble and naïve. Linux has a cult-like following, matched only by that of the Macintosh OS and OS/2. It's a modern Unix! It's stable, superior, enriching! It's gonna get creamed. -- Richard Brandt, Upside.

Upside has since changed its tune on Linux, to say the least.

Oracle8 for Linux went up for free download. For a long time Linux supporters had heard people say that "when Oracle is available for Linux" they'll know it's serious. It was serious.

One year ago (October 7, 1999 LWN): Sun announced the release of the Solaris source code under the Sun Community Source License. One year later, that source release has yet to make much of a splash.

Microsoft came out swinging with its Linux Myths page:

Linux is a higher risk option than Windows NT. For example how many certified engineers are there for Linux? How easy is it to find skilled development and support people for Linux? Who performs end-to-end testing for Linux-based solutions? These factors and more need to be taken into account when choosing a platform for your business.

Meanwhile, some people figured out that ssh 1.2.12 had been published under a free software license. People grabbed hold of it, and the OpenSSH project was born. OpenSSH is now the standard version for Linux systems.

Red Hat 6.1 hit the FTP servers, though the boxed version wasn't due out until October 18.
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 28 Sep 2000 12:01:03 -0700 (PDT)
From: Jonathan Walther <krooger@debian.org>
To: Dave Peacock <davep@netscape.com>
Subject: Re: Outrage at Debian dropping security for 2.1

If you want us to support security, perhaps you could propose some incentive? We are all volunteers here at Debian, interested in putting out a quality distribution. Your time is limited, otherwise I'm sure you too would love to fix and upgrade your distribution from source. But our time is also limited, and we want the most bang for buck out of it. That means not fighting the current of progress, and keeping up with new versions of software.

If security updates are of concern to you, perhaps you could get your company to pay some Debian maintainers to work on the old distribution. If you have the time, perhaps you would like to volunteer to do some of that maintainership yourself.

The distribution we've just released is the culmination of 2 years of hard work for us. Try it. You'll like it. Unlike many other distributions which require a reinstall from scratch, Debian guarantees a reliable upgrade path.

Sincerely,
Jonathan Walther
Debian GNU/Linux Developer
Date: Fri, 29 Sep 2000 14:22:22 -0700 (PDT)
From: Seth Cohn <scohn@clipper.net>
To: debian-devel@lists.debian.org
Subject: Re: Outrage at Debian dropping security for 2.1

Branden Robinson:
> Does Mr. Peacock expect Debian to provide security updates for Debian 2.0,
> 1.3, 1.2, or 1.1? Does he expect, say, Red Hat, to provide security
> updates for 6.0? How about 5.0? 4.2? 1.0?
> If someone is willing to maintain reliable, net-accessible slink, hamm, bo,
> rex, and buzz boxen for all architectures supported by those releases, then
> perhaps we can do what Mr. Peacock expects. Otherwise...

A few of us discussed this last night at our LUG meeting, and the obvious answer is that since the security fixes tend to include source changes, someone can always grab the source for the 'security' fix from the later version and rebuild the package. Yes, some libraries etc. might need to be changed, and this isn't 100%, but anyone who is sticking with Slink for production purposes should be able to use Potato fixes in many cases. In the rare cases where things don't work, I'd bet if someone posted a request for a Slink package version of a new security fix, saying clearly that the existing Potato package didn't work, someone would repackage it to fit.

In another vein, this clearly could be support revenue for someone interested. Supporting older Debian releases could be very lucrative for the right person(s). Maybe Debian's normal volunteer security team isn't interested, but someone might be if the price was right.

Seth Cohn
Date: Thu, 28 Sep 2000 23:36:37 -0500
From: Branden Robinson <branden@debian.org>
To: Dave Peacock <davep@netscape.com>, letters@lwn.net
Subject: Re: Outrage at Debian dropping security for 2.1

It was pointed out to me today that perhaps Mr. Peacock did not realize that Debian 2.1, a.k.a. "slink", is *not* the currently released version of the Debian system. The current version is Debian 2.2, a.k.a. "potato", which was released in July, and we certainly take security updates very, very seriously for this release (as well as other issues, such as usability, that merit an update to the released distribution). Perusal of the past several weeks' worth of Linux Weekly News will reveal that Debian is quite timely with security updates to our released current distribution. (The distribution currently in development, codenamed "woody", sees updates literally every day.)

Does Mr. Peacock expect Debian to provide security updates for Debian 2.0, 1.3, 1.2, or 1.1? Does he expect, say, Red Hat, to provide security updates for 6.0? How about 5.0? 4.2? 1.0? Does Netscape continue to support Navigator 3.0? 2.0? 1.1?

--
G. Branden Robinson             | One man's "magic" is another man's
Debian GNU/Linux                | engineering. "Supernatural" is a
branden@debian.org              | null word.
http://www.debian.org/~branden/ | -- Robert Heinlein
Date: Wed, 4 Oct 2000 17:12:50 -0700
To: letters@lwn.net
Subject: Security updates for Debian 2.1 "slink"
From: Rick Moen <rick@linuxmafia.com>

Dear Ms. Coolbaugh and Mr. Corbet:

Last week's letter from Dave Peacock raises the interesting question of whether the Debian Project erred in discontinuing (effective Oct. 30) security updates for the former Debian-stable branch, 2.1/"slink", which was obsoleted by the new Debian-stable, 2.2/"potato", on Aug. 15.

At first glance, Dave's outrage seems justified. His 2.1 machines appear destined to be left in the lurch. But this is a mirage, as can be best seen by an example:

On August 1, Dave hasn't installed updates (including those for security) in a while. So, as root on each machine, he executes the following commands:

apt-get update          # Gets new available-package lists from a Debian mirror
apt-get dist-upgrade    # Upgrades all installed packages to current revs.
apt-get clean           # rm's package master files from /var/cache/apt/archives/

The packages retrieved are from the 2.1/slink branch, because on Aug. 1, 2.1 still bore the "stable" designation. Any security fixes will be among them, since they are merged into the mirror collections as the Debian Security Team releases them.[1]

Let us say that, on August 16, Dave runs the standard update command sequence again. Because the Debian Project switched the "stable" tag from 2.1 to 2.2 the previous day, Dave's systems now receive a few more package updates than usual, but not many. He may not even realise that he has auto-upgraded to 2.2 -- the upgrader tools' default configuration in /etc/apt/sources.list says "track stable", not "track 2.1". Because of Debian-stable's enforced package policy and emphasis on incremental upgrading without downtime, this late-2.1-to-2.2 upgrade is undisruptive, like prior ones within 2.1.

So, on Sept. 21, when he writes his LWN letter expressing outrage that security updates for his 2.1 boxes will cease in 1 1/2 months, those machines have already been 2.2 for more than a month. There _is_ ongoing security maintenance support for 2.1, you see: It's called "Keep using the routine Debian update mechanism to continue following 'stable', which recently moved past 2.1."

It's possible that Dave was unaware of Debian's maintenance tools, and has been retrieving security updates by hand. (It is difficult otherwise to understand his machines remaining on 2.1.) If so, he'll be pleased to hear about those tools, as they require less effort and possibly even less bandwidth -- and yield markedly better results, e.g., minimising security-exposure windows by automatically implementing even security updates whose alert bulletins you haven't seen. I'll be glad to assist him (in e-mail) with any questions.

[1] For pre-release access, add this line to sources.list:
deb http://security.debian.org/ stable/updates main contrib non-free

--
Cheers,                   "Teach a man to make fire, and he will be warm
Rick Moen                 for a day. Set a man on fire, and he will be warm
rick@linuxmafia.com       for the rest of his life." -- John A. Hrastar
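The behaviour Rick Moen describes turns on one word in /etc/apt/sources.list: an entry that names the "stable" alias follows the alias when Debian moves it to a new release, while an entry that names a codename such as slink stays on that release. The sh script below is an added example, not part of the letter or of Debian's own tools; it audits a sources.list-style file for exactly that distinction and checks whether the security.debian.org entry from the letter's footnote is present. The two sources.list files it writes are constructed for illustration, and the mirror hostnames in them are assumptions rather than anything taken from this page.

```shell
#!/bin/sh
# Added example: audit an APT sources.list for release tracking and for the
# security archive. Not part of the letter above or of Debian's own tools.

# Print one line per deb/deb-src entry: "<type> <suite> <alias|codename> <host>".
# A suite that is a release alias (stable, testing, unstable, frozen) follows
# whatever release Debian next points the alias at; a codename stays put.
audit_sources() {
    # $1: path to a sources.list-style file
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" |
    while read -r type uri suite rest; do
        host=$(printf '%s' "$uri" | sed -E 's#^[a-z]+://([^/]+).*#\1#')
        case "$suite" in
            stable*|testing*|unstable*|frozen*) kind=alias ;;
            *) kind=codename ;;
        esac
        printf '%s %s %s %s\n' "$type" "$suite" "$kind" "$host"
    done
}

# Succeed only if no binary (deb) entry follows an alias, i.e. a release
# transition on the mirror cannot turn the next dist-upgrade into a
# cross-release upgrade without anyone editing sources.list.
pins_release() {
    audit_sources "$1" | awk '$1 == "deb" && $3 == "alias" { exit 1 }'
}

# Succeed if a deb entry points at security.debian.org (the footnote's line).
has_security_source() {
    audit_sources "$1" |
    awk '$1 == "deb" && $4 == "security.debian.org" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Human-readable summary of one file.
report() {
    printf '== %s ==\n' "$1"
    audit_sources "$1" | awk '
        $1 == "deb" && $3 == "alias"    { printf "  deb %-16s follows an alias on %s: moves with the next release\n", $2, $4 }
        $1 == "deb" && $3 == "codename" { printf "  deb %-16s pinned on %s: stays put when the release moves on\n", $2, $4 }'
    if has_security_source "$1"; then
        echo "  security.debian.org: configured"
    else
        echo "  security.debian.org: missing (fixes arrive only once merged into the mirror)"
    fi
}

# Two constructed sources.list files; the mirror hostnames are assumptions.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/tracking-stable.list" <<'EOF'
# Constructed: the default described in the letter, following "stable"
deb http://http.us.debian.org/debian stable main contrib non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
deb http://security.debian.org/ stable/updates main contrib non-free
EOF
cat > "$tmp/pinned-slink.list" <<'EOF'
# Constructed: pinned to the slink codename, no security archive
deb http://http.us.debian.org/debian slink main contrib non-free
deb-src http://http.us.debian.org/debian slink main contrib non-free
EOF

report "$tmp/tracking-stable.list"
report "$tmp/pinned-slink.list"
```

Both outcomes carry a caveat worth stating plainly. Following the alias means the first dist-upgrade after a release transition is a cross-release upgrade, which is precisely what the letter describes happening without the administrator noticing. Pinning to a codename avoids that surprise, but then nothing moves the box for you, and on the schedule in this issue a slink pin stops receiving security updates at the end of October no matter how often apt-get is run. In either case, a deb line for security.debian.org is what delivers fixes to the host before they are merged into the ordinary mirrors.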
Date: Thu, 28 Sep 2000 12:34:56 +0100
From: franck@nenie.org
To: letters@lwn.net
Subject: GPL/BSD: alternative prisoners' dilemma

The leading article on BSD/GPL in this week's LWN is not entirely fair. You focus on the release/not release decision _once_ the choice of using a piece of open source software has been made, and changes have been developed. But will you reach the point where the decision you focus on has to be taken?

A more interesting decision game is when the commercial company decides to use free software or not. We have two players: the open source Developer and the commercial Company, who cannot communicate with each other in the spirit of the prisoner's dilemma game -- and practically because these decisions are taken at different points in time by disjoint groups and are normally unrelated.

Thus, the Developer has two choices for their release: (1) use BSD, (2) use GPL. Because the Developer has read your article (or does what the mainstream open source movement does) they rationally choose the GPL.

The commercial Company has two choices, (1) exclude GPL software (prefer BSD or commercial or internally developed software instead of GPLed) or (2) also use GPL software. Because they know that the requirement to release _may_ put their competitive advantage at risk, they rationally decide not to use GPL software. They do that even if they are ready to release most code they do, because it usually has nothing to do with their competitive advantage, but they do not want to lose their future freedom to keep even a single line of their own code private, and lose that freedom forever.

The outcome of the game is thus that the Company does not use the software of the Developer, so the open source community loses all the possible non-competitive enhancements and the Company has extra effort to do if the GPL software is better than alternatively licensed. They both lose out in a classic example of the prisoner's dilemma, a situation created solely by the GPL.

The game works as well if the Company is replaced by someone who values the freedom of everybody to do what they want with open code more highly than the narrow definition of freedom in the GPL, or people who simply oppose the GPL for ethical reasons -- be it the misanthropic nature of the GPL, or whatever.

Of course, this game is as true as the one with the opposite result at the later stage. The results of the sum of these games seem hard enough to evaluate that they do not contribute much to the purely strategic question: does the GPL produce more or better open source code than alternative licences? Maybe we can keep on opposing or supporting the GPL on ethical grounds.

--
Franck Arnaud ~ email: franck@nenie.org
Date: Thu, 28 Sep 2000 13:17:51 -0700
From: Marc Matteo <mmatteo@sacbee.com>
To: lwn@lwn.net
Subject: Your One Big Assumption (GPL less business-friendly)

In your editorial this week you make one *huge* assumption when you write:

> A company that releases code under the GPL need not fear
> what its competitors will do - the risk of competing against proprietary
> enhancements is gone.

This assumes that all parties are playing by the rules. The company that releases code under the GPL still needs to fear that their competitors will happily violate the GPL and take their GPLed code and make it proprietary. How would anyone know? How would you check?

Cheers,

Marc

--
Marc Matteo
Online Technology Leader, sacbee.com
http://www.sacbee.com
Date: Sun, 01 Oct 2000 15:50:13 +1000
To: lwn@lwn.net
From: Dark Fiber <dfiber@mega-tokyo.com>
Subject: this week's 'Is the GPL really less business-friendly' editorial

You're a pro-Linux site, and thus pro-GPL. Why even bother with the useless editorial of the GPL vs BSD license stuck on the front page? Don't you think you are preaching to the converted?

An editorial is an opinion. I know exactly what I do and don't expect from a Linux news site. But I have to wonder what you hoped to achieve with your editorial... especially running it as item #1.

-Stuart George
-df

[ Dark Fiber <dfiber@mega-tokyo.com> Running FreeBSD 4.1 ]
[FAQ] Write Your Own OS http://www.mega-tokyo.com/os/
3x3 Eyes Fan Fiction Archive http://www.mega-tokyo.com/pai/
Sarien Sierra Emulator http://www.mega-tokyo.com/sarien/
From: "Mark Christensen" <Mchristensen@htec.com>
To: <corbet@lwn.net>
Subject: RE: "Is the GPL more business friendly than BSD style licenses?"
Date: Tue, 3 Oct 2000 16:52:11 -0400

Though I agree this issue is enormously important as more and more people depend on the production and maintenance of free software for their livelihood, I don't think you have framed the question properly. I doubt that the question you asked has a single answer. Different business objectives lend themselves to different licenses.

As you mentioned, one feature of the GPL is that it protects a company's intellectual product from being incorporated wholesale into a competitor's proprietary product, but this is not always an advantage. I recently had a conversation with a couple of developers at SGI, and they mentioned that as one of SGI's chief reasons for releasing a significant amount of code under the GPL. They believed that if they released their code under an LGPL or Open BSD license, competitors like Sun Microsystems, and to a lesser extent Microsoft, would "steal the SGI crown jewels." Obviously SGI's objective was not merely to keep Sun from using their technology. They also want to support Linux as a competitor to Solaris, and promote integration between Linux and Irix. In this case, if SGI wants their code integrated into the Linux kernel, the GPL is the only choice. On the other hand, for stand-alone software SGI's desire to support an alternative to Solaris would be served by either a BSD or GPL license. So, for SGI the choice of the GPL is the clear result of strategic decisions about how to achieve several significant business objectives.

But for a different company under different circumstances the same kind of strategic thinking would lead to the choice of a BSD style license. For this example, let's take a look at a fictitious network security firm. They are primarily a professional services firm that audits the security of large heterogeneous networks. They have created several security tools to automate some of the work involved in large-scale security auditing on Unix and NT boxes. For our hypothetical security company these tools are not a primary source of income; in fact they only sell their software to current clients as part of a larger contract. Nor are they worried about their software being incorporated into proprietary products, because the software without the services is not particularly valuable to a highly security-conscious company. All in all, they would much rather have long-standing audit/monitoring contracts with Fortune 500 companies than sell a couple of hundred software licenses. In fact, they would see it as a great boon if their tools were included in distributions of Solaris, Irix, FreeBSD, and Linux, since this would be a tremendous PR tool, as well as an easy path to a very tightly integrated security contract with a wide variety of Unix vendors. For this company, the use of a BSD style license is almost a foregone conclusion.

And I expect that the ease of implementation across a variety of platforms motivated the use of the BSD style license used for the standard implementation of the Kerberos protocol. In the past I've heard, and even repeated, the argument that the GPL would have protected the protocol from any attempt to co-opt the standard. And in one sense they would be right -- the GPL would have set the bar higher. But Microsoft's "clean room" re-implementation standard would have negated any of the obligations that come with re-use of GPLed code. So, GPLing the code would not have helped fight Microsoft (who had the resources to re-implement) but it would have slowed the acceptance of the protocol by smaller companies (who clearly do not have the same kind of resources as Microsoft).

My point in all of this is that the choice of licenses is very complex, and a wide variety of issues need to be weighed very carefully. And that, unfortunately, is why major license decisions need to be made with input from lawyers, PR people, marketing departments, in addition to programmers, and project managers.
From: <greyfox@paratheoanametamystikhood.net>
Date: Thu, 28 Sep 2000 01:33:07 -0600
To: letters@lwn.net
Subject: Privacy Foundation on :CueCat

The privacy foundation said:

... the :CueCat software attaches a unique user ID to each scanned bar code. This unique ID number, along with the bar code, is then sent back to Digital:Convergence Corp. computer servers. This feature could potentially allow the company to track the :CueCat scans of every consumer who registers for the service.

To which Digital Convergence replied:

Yes, it's true, and I would have gotten away with it, too if it hadn't been for THOSE DARN KIDS!

Scooby-Doo references aside (the French demographic is probably thoroughly confused by now), this is another damn good reason (as if we needed another one) why it is not in our best interests to allow our rights to reverse engineer a product to be infringed. This sort of thing is already commonplace and will become more so if companies can arbitrarily hide behind arbitrarily restrictive hardware and software license agreements. As if being able to use a device that you purchased in the fashion you choose with your hardware wasn't already enough...

If you're one of the people talking to Al Gore or George Bush on MTV, be sure to grill them thoroughly on this issue.

--
Bruce Ide greyfox@paratheoanametamystikhood.net
http://www.paratheoanametamystikhood.net
Date: Thu, 28 Sep 2000 14:41:37 -0400
From: Derek Glidden <dglidden@illusionary.com>
To: letters@lwn.net
Subject: IBM _really_ into Linux?

From your "Linux and Business" page of Sept 28:

"Other companies announcing support for Red Hat Linux 7 and Red Hat Network include Computer Associates, IBM Corporation, Lotus, Novell and Tivoli."

Or if you want to be more literal:

"Other companies announcing support for Red Hat Linux 7 and Red Hat Network include Computer Associates, IBM Corporation, IBM Corporation, Novell and IBM Corporation."

I guess IBM really likes Red Hat Linux 7. :)

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
With Microsoft products, failure is not     Derek Glidden
an option - it's a standard component.      http://3dlinux.org/
Choose your life. Choose your               http://www.tbcpc.org/
future. Choose Linux.                       http://www.illusionary.com/