Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Leading items and editorials

Debian slink security updates, one more time. As LWN has been reporting over the last few weeks, the Debian project has decided to terminate support for its 2.1 ("slink") release. Regular updates are already a thing of the past, while security-related updates will go away as of the end of October. Given that 2.2 has been out for less than two months, this termination of support seems rather abrupt to many.

Last week's LWN Letters to the Editor Page carried a rather harshly-written note expressing disapproval of this move. We got back a number of responses, some of which can be seen on the back page this week. Based on those, and discussion on the debian-devel mailing list, we conclude that support for 2.1 is being terminated because (1) the Debian developers see no need for it, and (2) nobody is available who is willing and able to do the work.

The first point turns on the fact that Debian systems are especially easy to upgrade. The whole packaging system is built around that idea. Why, ask the developers, should an old system be supported when it is so easy to go to the new one?

The problem here, of course, is that a great many people - especially business users - are highly reluctant to upgrade a system which is working. Upgrades - even easy ones - break things. Thus a lot of administrators will never touch a working system unless they really have to. If these sorts of users see Debian as a system that will force them to upgrade on a tight schedule, they will go to a different distribution.

Whether this is a problem depends on how the Debian Project sees its user community. If they are making a distribution for themselves, the loss of a large group of potential users may not matter. If, instead, they would like to see their distribution grow into a user community beyond just developers, they should be worried about policies that will scare users away.

The second point - that there is nobody to do the work of maintaining security updates for old releases - is also interesting. It is true that a volunteer project can have a hard time finding people for this sort of work. It is, after all, somewhat tedious and unglamorous. Nonetheless, other projects, such as the kernel, have been able to get this work done.

Even so, maintenance work is often the sort of thing that one has to pay people to do. And that raises an interesting question: would it not make sense for the companies that are selling commercial, Debian-based distributions to take on this task? It would be nice if these companies could contribute directly back to Debian. Failing that, one would hope that they would at least keep on top of the updates for their own products.

With that idea in mind, LWN took a look at a few commercial Debian distributors. The results were discouraging:

  • Corel has a security updates page. It currently contains exactly one update, an installer fix for the first edition of Corel Linux. There are absolutely no updates for the other packages in either the first or second edition. Despite several tries over the last few days, LWN has had no luck in getting a response out of Corel regarding security updates. Of course, Corel has been busy this week...

  • Libranet has a support page, but it makes no mention of security updates. The company did answer our queries, however. They make security updates available, but only to registered users who have expressed an interest in hearing about them. We were unable to get any specific information on any updates that might be available.

  • Stormix Technologies, publishers of Storm Linux, has a "bugs and errata" page, but it's empty. Stormix did not answer queries from LWN regarding its security updates.

It would appear that none of the above distributors have updates easily available for any of the recent problems - things like the vulnerabilities in glibc, sysklogd, mgetty, and others. Not even for their current distributions, to say nothing of previous releases.

Compare this performance against the aggressive security update policies of distributors like Caldera, Conectiva, MandrakeSoft, Red Hat, SuSE, TurboLinux, and others, and you'll see that the above companies simply are not taking security seriously. This is not the sort of performance that will make nervous corporate IT types sleep well at night. The commercial distributors are not filling in the Debian support gap.

It would be nice to see the Debian distribution continue to grow in usage and influence. To gain (and keep) a wider audience, however, it is going to have to address the concerns that audience has. One important component of that is to provide timely updates for current and past releases. Currently, this need is not being met, and that will affect Debian's future growth.

LWN Penguin Gallery updated. After way too long, we've finally gotten around to updating the LWN Penguin Gallery. We're up to 275 unique penguins at this point, and still counting...

For those who would like to point out additional penguins: please drop a note to lwn@lwn.net. Please provide a page where the penguin can be found (so we can link to it); that works far better than sending us the image as an attachment.

Microsoft buys into Corel. The folks at Corel have gained some substantial relief in their battle to save the company. Here is the announcement that Corel and Microsoft have entered into an alliance to work together on ".NET". This is no ordinary alliance, though, since Microsoft is buying almost 25% of the company in the process.

Acting chief executive Derek Burney has been rewarded for bringing this deal to fruition - Corel has announced that he now has the role of President and CEO permanently.

The above is about all that is really known about this deal; all the rest is speculation. And there is plenty of material to speculate on.... After all, Microsoft has essentially just bought its way into the Linux business.

The Canadian Information Processing Society has issued a press release expressing concern about the fact that neither company has said anything about how this deal will affect Corel's Linux activities. That is indeed curious. One can only hope that Corel will clarify things in the near future.

Also ominous is this pronouncement from the Meta Group which was carried on CNet News.com:

Corel currently plays an important role in Linux. Many other Linux companies look to it for its skills, tool sets and the work it does on key Linux committees. Therefore, Corel can be a valuable ally for Microsoft in Linux, allowing Microsoft to influence key questions, such as how the user interface, setup and deployment will look and function.

The folks at Meta perhaps overstate Corel's role and influence in the Linux world. But if this is what Microsoft has in mind, things could certainly get interesting.

Then there are suggestions that Microsoft wants to ensure the success of .NET by making Linux support it; that they want to open up WordPerfect to take the open source pressure off of Office; that they want a path into the Linux distribution business; or that they were simply taking an easy path to settle some outstanding legal fights. All of those ideas are plausible, but there is little evidence for any of them.

About all that is clear, perhaps, is that this situation is going to be interesting to watch.

Eric Raymond on the SDMI boycott. Eric Raymond has sent us a strongly-worded reply to the recent Salon article on the "hack SDMI challenge" boycott. "So sure, we'll crack SDMI. *After* the record companies and any consumer-electronics companies gullible enough to do their bidding have sunk billions of dollars into hardware and business plans based on it. Hasta la vista, idiots!"

Embedded Systems Conference summary. LWN's Forrest Cook has written a summary report on this fall's Embedded Systems Conference in San Jose, CA. Linux is making many inroads into the embedded systems world.

Open Source as ESS. Last week's LWN Weekly Edition examined software licenses using a (superficial) understanding of game theory and the prisoner's dilemma. It turns out that David Rysdam has written up a much more detailed analysis of what game theory has to say about different software licenses. The conclusion is that GPL-style licenses will eventually prevail over BSD-style licenses in the market place.

The article, necessarily, makes use of a number of simplified assumptions. It's nonetheless worth a read. In contrast to what we wrote, it's nice to see what comes out when game theory is applied by somebody who really understands it... :)

The Atlanta Linux Showcase starts October 10. Actually, the event is now properly known as the 4th Annual Linux Showcase & Conference; the name will eventually stick because next year's event will be held in Oakland, California instead. For now, however, it can be ALS one more time. Keynote speakers include Larry Wall and Ken Coar, and it looks like the conference will have a strong technical program.

Inside this week's Linux Weekly News:

  • Security: Trouble with ssh/scp, SYNCookies vs. Genesis, traceroute gives root access, and GnoRPM gets a fix.
  • Kernel: The 2GHz limit; KernelWiki wants you; filesystem happenings
  • Distributions: Red Hat 7 - too far off the bleeding edge?
  • Development: Sourceforge developer rating system; embedded Linux workshop
  • Commerce: Atipa acquires OpenNMS, ProGear, VA Linux announcements.
  • Back page: Linux links, this week in Linux history, and letters to the editor

...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:

October 5, 2000




News and Editorials

Security trouble with ssh. There is a security vulnerability, one which bears watching, in all versions of ssh derived from ssh-1.2.x (which wraps rcp inside of ssh). If a user employs scp to move files from a server that has been compromised, the operation can be used to replace arbitrary files on the user's system. The problem is made more serious by setuid versions of ssh, which allow overwriting any file on the local (user's) system. If the ssh program is not setuid, or is setuid to someone other than root, then the intrusion is limited to files with write access granted to the owner of the ssh program. In either case, files can be overwritten with code that gives others unexpected access to the system. For example, cron jobs that blindly execute scripts could be duped into opening a hole for an intruder if that script has been overwritten using the scp exploit.

Because this type of vulnerability can be used to open holes to root access, the arguments could be made that

  1. ssh should not be setuid for root
  2. scp should not be used by root to move files
  3. ssh should not be used in automated processes, such as cron jobs

The last of these issues is hard to resolve - how would cron know if a file has been compromised? Yet automating the movement of files is a very common administrative task. The only resolution may be to force such automation to be performed by non-privileged users. That, at least, may minimize the impact of intrusions.

Crist J. Clark posted a possible workaround for this problem: wrap the file transfer into a tar command, then check the resulting tar file for suspicious files:

$ ssh remote-host "tar cf - " > ssh_tmp.tar
$ tar tvf ssh_tmp.tar
  [check for suspicious paths or files]
$ tar xf ssh_tmp.tar && rm ssh_tmp.tar

It is an unpleasant problem and it affects both regular ssh and OpenSSH versions derived from the original ssh-1.2.x (and rcp too, since this version of ssh just wraps around the rcp protocols). Since ssh-2.x uses a different protocol it does not suffer from this problem. Fixes are not yet available, but presumably will be in short order.
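
The "check for suspicious paths or files" step of the workaround can be automated. The following is an added example, not part of the original posting: it lists the members of a fetched archive that should stop an unattended extraction. The function names, the "project" directory and the sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import tarfile


def _escapes(path):
    """True if a normalized path is absolute or climbs above its starting point."""
    return path.startswith("/") or path == ".." or path.startswith("../")


def audit_tar(fileobj, requested):
    """Return (member name, reason) pairs for entries that need a human look.

    `requested` is the top-level name that was asked for from the remote
    host; anything that would land elsewhere is reported.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar:
            name = member.name
            clean = posixpath.normpath(name)
            if name.startswith("/"):
                findings.append((name, "absolute path"))
            elif _escapes(clean):
                findings.append((name, "escapes extraction directory"))
            elif clean != requested and not clean.startswith(requested + "/"):
                findings.append((name, "outside requested path"))
            if member.issym() or member.islnk():
                # Symlink targets are relative to the link's own directory,
                # hard-link targets to the archive root.
                base = posixpath.dirname(clean) if member.issym() else ""
                target = posixpath.normpath(posixpath.join(base, member.linkname))
                if _escapes(target):
                    findings.append((name, "link target outside archive"))
            elif member.ischr() or member.isblk() or member.isfifo():
                findings.append((name, "device or FIFO"))
            elif member.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((name, "setuid/setgid bit"))
    return findings


def build_sample():
    """Constructed archive standing in for the output of a compromised server."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, mode=0o644, kind=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = kind
            info.linkname = linkname
            info.size = 0
            tar.addfile(info, io.BytesIO(b"") if kind == tarfile.REGTYPE else None)

        add("project/README")                        # what was asked for
        add("project/bin/helper", mode=0o4755)       # setuid file
        add("project/logs", kind=tarfile.SYMTYPE, linkname="/var/log")
        add(".ssh/authorized_keys")                  # never requested
        add("project/../../etc/cron.d/job")          # climbs out of the target
        add("/etc/passwd")                           # absolute path
    buf.seek(0)
    return buf


if __name__ == "__main__":
    problems = audit_tar(build_sample(), "project")
    for name, reason in problems:
        print(f"{reason:32} {name}")
    # An automated job should extract only when the list is empty.
    print("safe to extract" if not problems else "do NOT extract")
```
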

Better than SYNcookies? Steve Gibson's alternative to SYNcookies, known as Genesis (Gibson's ENcryption-Enhanced Spoofing Immunity System), might be a simple solution to DoS attacks. On his web site, Steve writes:

The elimination of Denial of Service (DoS) vulnerability from spoofed IP flooding requires that the Server defers any per-connection resource commitment until the Client's remote IP address has been "authenticated".

Commercial and personal firewalls have attempted to protect their client machines from half-open connection flooding by maintaining size-limited lists of half-open (possibly spoofed) connections. The oldest non-established connection is discarded when the list becomes full to make room for newly arriving SYN packets. This solution suffers from requiring resources to limit and manage the number of allowed half-open connections, and from the significant possibility that valid half-open connections will be pushed from the list, replaced by more recently spoofed SYN packets. This would cause valid connections to be rejected thus denying service to valid Clients. As a result, while existing techniques can mitigate the damaging effects of Denial of Service, they fail to completely solve the problem. By comparison, the GENESIS system requires NO local resources and suffers from none of these limitations.

Steve's solution takes three parts:

  • The deferral of all "connection management" until the end of the standard 3-way TCP handshake.
  • The explicit, non-spoofable, cryptographic authentication of the remote Client's IP address.
  • Use the Client's Initial Sequence Number as a bias to the ISN we generate from the Client's IP address.

The question is: is this better than SYNcookies, an apparently complex - and arguably successful - approach to preventing Denial of Service attacks? In fact, is it even all that different?

In a letter to the Linux-Kernel and Linux-Net mailing lists, Dan Hollis quoted Steve as saying that the main difference between the two is that SYNcookies switches on and off, potentially causing valid packets to be rejected. Steve also says that SYNcookies breaks aspects of the TCP protocol but that Genesis does not.

The question was unresolved at the time of this writing, but because of the nature and effects of DoS attacks, we're sure to hear more about this issue in the future.
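
The three parts listed above can be sketched in a few lines. This is an added example, not Gibson's code or the kernel's SYNcookies implementation: the server derives its ISN from a keyed function of the client's address, biases it with the client's ISN, and later validates the final ACK from the packet alone. HMAC-SHA256 stands in for the cryptographic step; the secret, the addresses and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF
SECRET = b"constructed-demo-secret"  # assumption: a random per-server key


def address_token(secret, client_ip, client_port, server_port):
    """32-bit keyed digest of the client's address; only the server can compute it."""
    msg = ipaddress.ip_address(client_ip).packed
    msg += struct.pack("!HH", client_port, server_port)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def server_isn(secret, client_ip, client_port, server_port, client_isn):
    """ISN for the SYN-ACK: the address token biased by the client's ISN.

    Nothing is stored when the SYN arrives, so a flood of spoofed SYNs
    consumes no per-connection memory.
    """
    token = address_token(secret, client_ip, client_port, server_port)
    return (token + client_isn) & MASK32


def ack_is_authentic(secret, src_ip, src_port, server_port, seq, ack):
    """Validate the last packet of the 3-way handshake without stored state.

    A genuine client answers with seq = client_isn + 1 and ack = server_isn + 1,
    so the server recomputes the ISN it must have sent and compares.
    This sketch has no time component, so it does not expire old ACKs.
    """
    client_isn = (seq - 1) & MASK32
    expected = (server_isn(secret, src_ip, src_port, server_port, client_isn) + 1) & MASK32
    return hmac.compare_digest(struct.pack("!I", ack & MASK32),
                               struct.pack("!I", expected))


def demo():
    """Return (genuine accepted, forged-source accepted) for a constructed handshake."""
    client_ip, client_port, server_port = "192.0.2.10", 40000, 80
    client_isn = 0xFFFFFFFF  # chosen to exercise 32-bit wrap-around

    # SYN arrives; the server answers with a computed ISN and forgets the client.
    isn = server_isn(SECRET, client_ip, client_port, server_port, client_isn)

    # The real client saw the SYN-ACK and replies correctly.
    seq, ack = (client_isn + 1) & MASK32, (isn + 1) & MASK32
    genuine = ack_is_authentic(SECRET, client_ip, client_port, server_port, seq, ack)

    # A sender using a forged source address never receives the SYN-ACK;
    # a value that is valid for one address does not validate for another.
    forged = ack_is_authentic(SECRET, "198.51.100.7", client_port, server_port, seq, ack)
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```
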

Slashcode default passwords. Slashcode, the code Slashdot provides to implement its site, has been provided with default user and password entries for the administrative login. The INSTALL document provided with this code reminded administrators to change these prior to going live with their sites. This sound advice was, apparently, not followed by the Slashdot team itself, leaving the Slashdot site (via a test system on their network that they left connected to the internet) open to intrusion by a pair of clever if not overly destructive bandits. Oops.

c|net's News.com covered this story in a more mundane fashion. "The hackers appear not to have done anything beyond posting a story trumpeting their achievement, and the site was never taken down because of the attack..."

Misuse of xhost. A report to BugTraq stated that Mandrake 7.1 bypasses Xauthority X session security by using the xhost command within the system-wide Xsession file. A separate posting stated that a similar problem existed for XFCE 3.5.1.

The xhost man page specifically states:

In the case of hosts, [this command] provides a rudimentary form of privacy control and security. It is only sufficient for a workstation (single user) environment, although it does limit the worst abuses. Environments which require more sophisticated measures should implement the user-based mechanism or use the hooks in the protocol for passing other authentication data to the server.

Use of xhost in the system-wide Xsession file, therefore, would imply a distribution targeted at single-user hosts. While xfce is not a commercial distribution with a well-defined audience, one wonders if a single-user environment was really MandrakeSoft's target audience.

The Mandrake report also covers issues with the use of ssh agenting in the system-wide Xsession file, suggesting the use of ssh-add be left to the individual users' ~/.Xclients file.

Linux Mandrake posted a security update which addresses the problem.

Security scanner checks source code for security problems. Version 1.1 of ITS4 from Cigital was released this week. It's a freely available package that uses a command line interface on Unix systems to scan C and C++ code for security problems. LWN noted a previous release of ITS4 in the February 24th issue of the Linux Weekly News.

Digital Signatures become law. While it's not a security issue for software, it is interesting to note that the Electronic Signatures in Global and National Commerce Act took effect on October 1st. This act provides the legal binding that makes digital signatures as meaningful as their hand written cousins. One wonders if that makes them as forgeable too...

The document for this act can be found online in pdf format.

CERT changes disclosure policy. CERT posted a change in policy for disclosing reported vulnerabilities.

It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall.

Elias Levy on "10 Most Important" list. Not everything here is about things that are broken...

SecurityFocus.com's co-founder Elias Levy, who also happens to be the moderator for the highly regarded BugTraq mailing list, was chosen by Network Computing as one of the 10 Most Important People of the Decade. Congratulations, Elias.

U.S. Selects a New Encryption Technique (NY Times). It's been a long time coming, but the US Department of Commerce has finally settled on a new encryption technique upon which to standardize: Rijndael (a play on the names of the algorithm's two Belgian inventors):

Rijndael (whose creators suggest pronunciations approximating "Rhine doll") does not become a new standard overnight. Officials said that in the coming weeks the institute would publish a notice in the Federal Register recommending the software as the new Federal Information Processing Standard. After 90 days for comment and revision, the secretary of commerce will most likely accept the proposal.

More information on the Advanced Encryption Standards (AES) effort can be found at NIST's AES page and at NIST's Public Affairs release announcing the winners. (Thanks to Kalle Svensson and Dan York).

FBI releases first Carnivore documents (ZDNet). ZDNet carried a story this week on the FBI's release of the first batch of Carnivore related documents in response to a Freedom of Information Act suit from the Electronic Privacy Information Center. The documents were heavily blacklined (aka redacted) and many were simply missing.

"There is one document that talks very generally about voice-over-IP interception," said Banisar. "It's mostly about what 'voice-over-IP' is. When it gets to the part about what they are doing about it -- those pages are redacted."

Security Reports

Pine exploit. An exploit in Pine was reported to BugTraq this past week. The problem involves Pine's handling of incoming mail during an open session. Interestingly, Pine was found to have over 4000 calls to sprintf, strcpy, and/or strcat, raising the question "can Pine be made secure?"

Apache mod_rewrite vulnerability. A vulnerability in the mod_rewrite module for Apache was reported in Apache Week of 2000-09-22. According to the notice: "A patch is currently being tested and will be part of the release of Apache 1.3.13. Until then, users should check their configuration files and not use rules that map to a filename". An appropriate example is provided with more details in the announcement.

A patch, which has also been committed to the Apache source, has been posted to BugTraq for this issue.

Traceroute allows local access to root. Tim Robbins posted to the Security Audit mailing list about problems he'd found in traceroute, the tool used to follow packets through a network. The problems are interesting by their nature - heap overflow and buffer size issues - and are compounded by the installation of traceroute as a suid program. A more detailed explanation showed up in the Linux Security mailing list. A number of distributions that include traceroute, including any that based their version on LBNL 1.4a5, are expected to be vulnerable to attacks from local users attempting to gain root access. Some reports, however, suggest that OpenBSD, at least, fixed this problem up to two years ago.

This week's updates (in no particular order):

Root access from cfd daemon in GNU CFEngine. Another syslogd style problem, this one in the form of format string problems with GNU CFEngine.

As cfd is almost always run as root due to its nature (centralized configuration management etc.), this can be quite lethal and lead into a root compromise.

This project is aimed at providing a very high level language for building expert systems which administrate and configure large computer networks.

While included as a package in the Debian distribution, cfd is not started by default. Red Hat does not include cfd. Other distributions have yet to respond to this issue.

GnoRPM security update. Thanks to Gnotices, we hear that a security problem has been fixed in GnoRPM. There was a /tmp vulnerability in all versions prior to 0.95.1 that could allow local users to do undesirable things. An upgrade is recommended - especially since this utility, which has not distinguished itself as one of the most stable programs around, is said to actually work these days.

This week's updates:

thttpd exposes world readable files. A CGI program called ssi included with the thttpd server allows visitors read access to any files on the server that are world readable or readable by the owner of the thttpd process. The fix involves upgrading to 2.20, which has been patched to fix this problem.

ISS issues security advisory for GNU Groff. Groff is the GNU version of troff, the text formatting package. According to the Internet Security Systems Security Advisory, groff will read untrusted commands from the current working directory. According to the advisory:

The vulnerability is particularly dangerous in Linux distributions that have the "lesspipe" feature. By default, a "LESSOPEN" environment variable is set which points to a wrapper script for the "less" pager program named "/usr/bin/lesspipe.sh". If less is passed a filename with any of the extensions ".1" through ".9", ".n", or ".man", it automatically calls groff to handle the file.

Commercial products. The following commercial products were reported to contain vulnerabilities:


LPRng, lpr format string vulnerability. Check the September 28th LWN Security Summary for the initial report.

This month's advisories:

Last month's advisories: Red Hat also issued an advisory for a similar problem in lpr.

Related advisories this month:

Rehashing an old su problem. LWN reported this past week on what appeared to be a new report on a format string vulnerability in /bin/su. However, that report turned out to be a rehashing of an older su problem related to problems found in glibc and reported on last month. The problems are serious and users should upgrade their glibc packages as soon as possible.

wu-ftp vulnerability. Check the June 15th LWN Security Summary for the original report of this problem. An upgrade to wu-ftpd 2.6.1 should fix the problem.

This week's updates:

Previous updates:

Discussion on this thread in BugTraq uncovered possible bugs in the ftp client as well, though it's not clear if this problem is exploitable in any way.


Other resources on security this week.


Upcoming security events and announcements.

Date | Event | Location
October 4-6, 2000 | 6th European Symposium on Research in Computer Security (ESORICS 2000) | Toulouse, France
October 4-6, 2000 | Elliptic Curve Cryptography (ECC 2000) | University of Essen, Essen, Germany
October 11, 2000 | The Internet Security Forum | Edinburgh, Scotland
October 14-21, 2000 | SANS Network Security 2000 | Monterey, CA, USA
October 16-19, 2000 | 23rd National Information Systems Security Conference | Baltimore, MD, USA
October 29-November 2, 2000 | SD 2000 (Software Development Conference) | Washington D.C., USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

October 5, 2000

Secure Linux Projects
Bastille Linux
Secure Linux
Secure Linux (Flask)

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus



Kernel development

The current development kernel release is 2.4.0-test9. Linus released this kernel just prior to taking a trip to Germany, so it may be the last for a little while. This is also the point at which Linus had said that he would no longer accept any patches that were not fixes for "urgent" bugs. The freeze is getting tighter.

The current stable kernel release is 2.2.17. The 2.2.18 prepatch is up to 2.2.18pre15 currently. This patch is in the "bug squash" mode, and has a few small problems - for example, the PPC and Sparc architectures do not build. There are a few other things to be dealt with as well, so the official 2.2.18 release is still somewhat distant.

If you install Red Hat 7, be sure to install the "kgcc" package and use it when building kernels. The gcc package in this distribution is a little too new to be used for this task (see this week's Distributions Page for more).

Fixing the 2GHz limit. It turns out that the Linux kernel has a built in limit that will cause it to break on processors with a clock speed greater than 2GHz. Since processors that run at well over 1GHz are already available, the day when this limit will matter is not that far away.

Fortunately, the problem is easy to fix. It's just a matter of changing the way the udelay() function does its work. The fix has already gone into the 2.2.18pre series, and will likely show up before too long in the 2.4.0-test kernels as well. When the blazingly fast new processors show up, Linux will be ready.

The Kernel Wiki wants your help. Gary Lawrence Murphy is looking to get 10 minutes worth of time from everybody who knows something about the internals of the Linux kernel. His project, known as KernelWiki, is to completely document the internals of the 2.4 kernel in some sort of reasonable time frame. In typical Wiki fashion, the Kernel Wiki allows anybody to add content to the site. With luck, enough knowledgeable people will take up the challenge and something useful will result.

Recent developments with filesystems. A few different filesystem issues have come up over the last week. They include:

  • Soft Updates. Kirk McKusick developed the "soft updates" technique for BSD a few years ago. It is a (relatively) simple set of write ordering guarantees that tries to keep the filesystem as consistent as possible. Experience from users shows that soft updates helps a lot in crash recovery.

    The question that came up is whether there were any plans to port soft updates to Linux. The general consensus is that the real answer is going to be full journaling filesystems and that there is no need, at this point, for partial measures like soft updates. There are people who would like to see soft updates go in, but it's unlikely in a time when large virtual filesystem changes are already planned to support journaling and better memory management.

  • ext3: Stephen Tweedie has released ext3-0.0.4, the latest snapshot of his journaling extension to the ext2 filesystem. This patch includes metadata-only journaling, which helps get the performance closer to that of straight ext2.

    This release is not meant for any but the most hardcore of users, however. That's because a complete implementation of metadata-only journaling requires an incompatible superblock change. Soon a 0.0.5 release will come out with the new superblock; at that point, going back to earlier ext3 implementations will be more difficult (but still possible). Meanwhile, the ext3-0.0.4 release comes with even fewer guarantees than usual.

  • TUX2: The TUX2 phase tree filesystem was covered in the August 31 LWN Kernel Page; it is a different approach to the creation of a crash-proof filesystem. Daniel Phillips, TUX2's creator, has run across a set of patents held by Network Appliance that would seem to cover the TUX2 approach. If Network Appliance were to attempt to enforce these patents - which it is not currently doing - it would obviously create trouble for the inclusion of TUX2 in the kernel.

    See Daniel Phillips' posting for a rather strongly worded discussion of the patents and what he thinks of them. He claims prior art for all of the techniques covered in the patents - several years prior. So if it comes to a fight he should win. But there are only so many of these fights that the free software world can afford to fight. Software patents remain a serious problem.

In the middle of all this, the ReiserFS group has been strangely quiet...

A reminder on ECN. Recent 2.4.0-test kernels support the Explicit Congestion Notification (ECN) extension; the September 14 Kernel Page describes this change somewhat. Unfortunately, some firewalls out there on the net react poorly to systems that try to use ECN, with the result that many systems are simply unreachable to ECN-capable hosts. LinuxToday.com was recently cited as being one of the affected sites.

If you are running a recent 2.4.0-test kernel and are experiencing difficulties in connecting to certain sites, you should try turning off ECN. A simple command like:

echo 0 > /proc/sys/net/ipv4/tcp_ecn
will do the trick.

TUX 1.0 (kernel HTTP server) released. The first stable release of the TUX 1.0 kernel-based web server has been announced. TUX is the server which produced such great SPECWeb numbers last June, and which still holds the record for the fastest performance. For those who would like to learn more, LWN looked at how TUX works in the September 7 kernel page.

Other patches and updates released this week include:

Section Editor: Jonathan Corbet

October 5, 2000

For other kernel news, see:

Other resources:



Lists of Distributions
Woven Goods

Embedded Distributions:

BluePoint Embedded
Compact Linux
Embedded Debian
Hard Hat Linux
OnCore Systems
RedBlue Linux
Royal Linux
White Dwarf Linux

Familiar (iPAQ)
Intimate (iPAQ)
Linux DA

Special Purpose/Mini
2-Disk Xwindow System
Mindi Linux

Coyote Linux
Fd Linux
Fli4l (Floppy ISDN/DSL)
Linux in a Pillbox (LIAP)
Linux Router Project
Small Linux

BBLCD Toolkit
Crash Recovery Kit
innominate Bootable Business Card
Linuxcare Bootable Business Card
Sentry Firewall
Timo's Rescue CD
Virtual Linux

Zip disk-based

Small Disk
Peanut Linux
Relax Linux

Bambi Linux
Flying Linux

ARM Linux
Scyld Beowulf
Think Blue Linux
(Oracle's NIC)
NIC Linux
Black Lab Linux
Yellow Dog
(Older Intel)
Monkey Linux

DOS/Windows install
Armed Linux
Phat Linux

Diskless Terminal
GNU/Linux TerminalServer for Schools


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Red Hat 7 - is the edge bleeding too much? Red Hat 7 comes with a number of nifty new packages, as described in the new features page. A couple of these, however, are attracting special attention:
  • The compiler package in Red Hat 7 is gcc-2.96. There is no such version of the compiler, however, in public release; according to the gcc web page the latest version is 2.95.2.

  • Red Hat 7's C library is glibc-2.1.92. According to GNU's glibc page the current release is 2.1.2. Red Hat's version, instead, is a beta of the upcoming 2.2 release.

In comparison, the recently-released SuSE 7.0 distribution ships gcc-2.95.2 and glibc-2.1.3.

There are a couple of problems with Red Hat's choice of tools here. The first is that they have shipped beta versions of both the compiler and the C library. While Red Hat was obviously confident of the quality of these packages, the fact remains that they have not seen the level of testing that one might like to see for such fundamental components of the system.

The other is that both tools are still in flux. The gcc that Red Hat calls 2.96 (essentially a patched CVS snapshot) produces binaries that are incompatible with those from 2.95 - especially where C++ is involved. These binaries will also be incompatible with gcc-3.0, whenever that comes out. The C library is also still in a development phase, and the possibility of incompatible changes before the 2.2 release is real.

As a result, Red Hat 7 binaries are incompatible with other Linux systems out there - at least in some cases. If glibc-2.2 turns out to contain any other incompatible changes, then distributors will be forced to choose between shipping the stable version of the library or being binary compatible with Red Hat 7.

There have already been flames posted to the effect that Red Hat is using unfair tactics here. The company is said to be abusing its market position and its ownership of Cygnus to lock application developers and customers into its own system. These charges almost certainly have no basis in reality, however.

Red Hat has always had a tendency toward shipping very new software. Remember back, for example, to the 5.0 release. It was the first to include glibc2, and was a rather difficult experience for many people who were trying to install it into (previously) working networks. But it also spearheaded the acceptance of a crucial new version of the library.

In this case, Red Hat's reasoning on gcc is perhaps best expressed by this linux-kernel posting by Richard Henderson. Essentially, he says that gcc-2.95 is insufficiently stable and is a dead line of development; it's already binary-incompatible with other gcc releases; and that there's no way to be binary compatible with what gcc-3.0 will be in any case. At least this way they are source-compatible with gcc-3.0. On the library side, they presumably felt sufficiently assured that there would be no more incompatible changes before 2.2 comes out. Red Hat's employment of Ulrich Drepper, the glibc maintainer, probably helped in that regard.

So conspiracy theories are not called for here. Riding the bleeding edge has always been a characteristic of the Red Hat distribution - especially with "dot-zero" releases. The fact that marketing did away with the ".0" doesn't change the nature of Red Hat 7. Perhaps this release should have been delayed until the tools stabilized somewhat, but marketing probably wasn't thrilled with that idea either...

Distribution Reviews

LinuxPlanet reviews SuSE Linux 7.0 Personal/Professional. LinuxPlanet has run this review of SuSE Linux 7.0 both Personal and Professional editions. "SuSE Linux 7.0, the latest offering from the Germany-based SuSE GmbH, comes in two distinct offerings--Personal and Professional, as well as an Upgrade version for current SuSE users. Superficially, there is little difference between the products, not even in price. The SuSE Linux 7.0 Personal costs a mere $39.95, the Upgrade version $49.95, and the Professional version just $69.95, should you choose to pick them up off the shelf. Downloading is available, as with most Linux distributions, but in this instance, I strongly recommend plunking down the cash for this distro." (Thanks to Pieter Hollants)

Mandrake 7.2 Beta2 Review (LinuxLookup). Here's a review of Linux Mandrake 7.2 beta 2 which appears on the LinuxLookup site. "Many of the Mandrake specific configuration tools have been revamped in 7.2. DrakConfig, the front end to the individual configuration tools, has simply undergone cosmetic changes. On the other hand, Mandrake Update seems to have undergone a complete rewrite. The layout is different, and installing developmental updates from Mandrake's Cooker is now supported."

Red Hat Linux 7.0 Review (Duke of URL). The Duke of URL has posted a review of Red Hat Linux 7.0. "New features like a largely-upgraded package system, kernel 2.4, enhanced USB support, and even out-of-the-box 3D support via XFree86 4.0.1 make Red Hat's latest look like a dream come true. Is it a dream come true, or Linux's worst nightmare?"

General-Purpose Distributions

Caldera's Linux management solution enters open beta. Caldera has announced that its Linux management system, once known as "Cosmos," has entered an open beta test. The utility can be downloaded (in binary form) from Caldera's open beta page. For more information, see the Cosmos FAQ page.

New FAQs from Caldera. After a bit of a pause, Caldera has resumed its practice of sending out a list of new additions to its FAQ. This week's list covers a wide range of topics, from hardware issues to Webmin modules.

Debian news. The Debian Weekly News for October 3 is out. It covers unstable's return to stability, and has an interesting summary of the debian-devel discussion on bug reporting. Debian is suffering a case of "severity inflation," resulting from a perception that only bugs marked as being highly important get attention from the package maintainers.

Kernel Cousin Debian #4 is also out, and covers discussions through September 28.

Tuxtops launches Laptop Debian. Tuxtops has announced the availability of a version of the Debian distribution that has been specially tweaked for laptop systems. It can be had on laptop systems purchased from Tuxtops; it is also available separately.

An Analysis of The Red Hat Network (LinuxToday). The Australian LinuxToday site has put up a look at the Red Hat Network, the first in a two-part series. "The Red Hat Network is a step forward for many users and system administrators. It has the potential to grow into a much larger system which will ease common system administration tasks. It's one of the first business systems I have seen which will truly automate the distribution of software."

SOT opens U.S. office. SOT, the Finnish publisher of Best Linux (claimed to be the top distribution in Finland) has announced the opening of a U.S. office in Minneapolis. The company will also be at the Linux Business Expo in November to introduce its product.

SuSE announces support for new IBM servers. SuSE has been quick to put out an announcement of its support for IBM's new "eServer" line. The announcement covers the full line, from Intel-based systems through the PowerPC models and the mainframe systems.

Section Editor: Liz Coolbaugh

October 5, 2000

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

Caldera OpenLinux
Debian GNU/Linux
Red Hat

Also well-known
Best Linux
Conectiva Linux

Rock Linux

Non-technical desktop
Icepack Linux
Redmond Linux

Boston University
Red Escolar

General Purpose
Alzza Linux
aXon Linux
Bad Penguin Linux
Black Cat Linux
BluePoint Linux
BYO Linux
CAEN Linux
Cafe Linux
ChainSaw Linux
Circle MUDLinux
Complete Linux
Console Linux
Corel Linux
Darkstar Linux
Elfstone Linux
ESware Linux
Eurielec Linux
eXecutive Linux
Fried Chicken
HA Linux
Halloween Linux
ix86 Linux
Lanthan Linux
Linpus Linux
Linux Cyrillic Edition
Linux MLD
LinuxOne OS
Linux Pro Plus
LNX System
Lute Linux

NoMad Linux
Omoikane GNU/Linux
PingOO Linux
Plamo Linux
Project Ballantain
Rabid Squirrel
Root Linux
Serial Terminal
TimeSys Linux/RT
Tom Linux
VA-enhanced Red Hat
Vine Linux
Virtual Linux
WinLinux 2000

GNU/Linux Ututo
Definite Linux
Red Flag
Linux Esware
Kaiwal Linux
Thai Linux Extension

Related Projects
Chinese Linux Extension

Historical (Non-active)
MCC Interim Linux
Storm Linux



See also: last week's Development page.

Development projects

News and Editorials

SourceForge's new developer rating system. Slipped into the SourceForge site news on September 20 was the announcement of the new "peer rating system." SourceForge now invites its registered developers to rate each other in five different categories:
  • Teamwork/Attitude, from 0 ("Q") to 6 ("Borg").
  • Code, "white belt" to "black belt."
  • Design/Architecture, "block stacker" to "Leonardo da Vinci."
  • Follow-through/Reliability, "none" to "robot."
  • Leadership, "Dr. Evil" to "Muad'Dib."
The results of these ratings are available to anybody who cares to look. Lest you wonder whether SourceForge intends for developers to be competitive about their ratings, consider the following from the news item:

Who has the strongest code-fu? Who's the best project manager? Who's the best designer? Who's the most reliable? In the end, there can be only one.

Interestingly, the "one" happens to be a person named Tim Perdue. He is, well, one of the hackers on the SourceForge code itself...

What is SourceForge trying to achieve here? Obviously creating a ratings scheme and encouraging developers to go rating each other is one way to push up traffic on the site. Perhaps they are truly trying to make the free software meritocracy work a little better. It also could help them to build an increasingly valuable database of the free software developer community.

That last bit is interesting. SourceForge does, finally, have a privacy policy, which is an encouraging step. Said policy says:

At no time, unless such disclosure is required by law or a user specifically authorizes such disclosure, will SourceForge disclose individual user personal information that is not publicly available to unrelated third parties.

Herein lies the rub: the developer's name and ratings, since they are displayed on the site, are "publicly available." VA Linux Systems, the sponsor of SourceForge, is highly trusted in the free software community, and it has earned that trust. Even so, this seems like a large loophole.

Some other concerns come to mind here:

  • What if a user does not want to be rated? The only way to avoid being available for rating would appear to be to not have an account on SourceForge.

  • How will these ratings be used? Will there come a time when prospective employers will routinely check SourceForge ratings? Do we as a community want SourceForge to serve as a ratings bureau?

  • How reliable are the ratings really? The rating system is essentially an online poll. Such schemes are good for Slashdot polls, but they need to be looked at more closely if the results are going to be put to serious use.
The point here is not that the SourceForge rating system is a bad idea. It is an interesting idea. But it could probably stand a bit more discussion than it has seen so far.


Netscape 6 Preview 3 Released. Netscape has released Preview Release number 3 of Netscape 6. This release features an exciting new user interface and enhanced stability, among other things.

Mozilla Status Report. The latest Mozilla Status Report for September 27, 2000 is out. Check it out to get a view of the parallel debugging process being done by the Mozilla team.

Galeon 0.7.6 is out. This release brings a number of nice new features, including a button bar with nice functions like "back," "forward," "home," and "reload." Until this release, Galeon users have had to go to the menus for those functions. Even nicer, though, is the little "zoom" blank on that button bar. A few keystrokes, and awful pages with tiny fonts become instantly readable. There is also (from 0.7.5) a nice option which disables popup windows on links.

Galeon is clearly reaching the point where a lot of people are using it, and some are beginning to scratch some of the more annoying itches. After all these years, we are beginning to see what an open source browser can do for us. Galeon is becoming truly usable; it will be fun to see where it goes in the future.


Gnome-DB 0.1.0 released. Gnome-DB 0.1.0, a.k.a. Olympius, has been released. "GNOME-DB is a complete framework for developing database-oriented applications, and actually allows access to PostgreSQL, MySQL, Oracle and ODBC data sources."


KDE Games Center. KDE Dot News pointed out the updated KDE Games Center site. The site is the depository for over twenty KDE games and aims to be the place to go for information on developing games under KDE.

New games for kids. The Linux for Kids site has reviewed a number of new kid-oriented games. Check out Tunnel, gSoko, 3Dtetris, 7colors, and xquarto. Congratulations go to Linux for Kids; they are now one year old and going strong.

Embedded Systems

gdbstubs 20000921-1406 available. A new version of gdbstubs is available. Gdbstubs is in effect a portable ROM monitor program for embedded systems that speaks a GDB-compatible protocol. Gdbstubs allows an instance of GDB running on a development system to communicate with a target system over a serial port. There is currently support for Hitachi 704x and Motorola CPU32 architectures. The code is designed in a way that allows for the addition of new CPU families by customizing a small set of functions. Gdbstubs is released under a GPL style license.

Vendor Neutral Embedded Linux Workshop (Linux Devices). The RTC group and K computing will be providing a hands-on embedded Linux workshop at the Embedded Linux Expo & Conference (ELEC) near Boston, Mass on October 26, 2000. "In the full day vendor-neutral workshop, attendees will carefully walk through the process of creating an optimized embedded Linux system. The seminar will focus on open source software that is available on the Internet free of charge. Attendees will gain direct experience, by performing each step on their own in the workshop's hands-on lab set-up."


Wine 20001002 released. The Wine development team has released Wine 20001002. This version has lots of bug fixes and better Winelib support, among other improvements.

Office Applications

The Other Media Player. Noatun is a new media player which will hopefully be released with KDE 2.1. It is said to run more efficiently under KDE compared to other media players.

German-Sponsored KOffice Meeting -- Report. KDE News reports on Linux Kongress, which was held recently in Erlangen, Germany. The KOffice team will be working on adding better MS Office and rich text file compatibility.

On the Desktop

Joining the GNOME project. For those of you who would like to make a contribution to GNOME, a guide has been published on how to Join the GNOME project. The project is looking for volunteers to help with documentation, translation, testing, graphics, sound, and numerous other topics.

KDE announcements. Here are some announcements from the KDE developers:

The People Behind KDE: Cristian Tibirna. The "People Behind KDE" series continues with this talk with Cristian Tibirna. "I was on the lyx lists when Matthias Ettrich started it in October 1996. His ideas caught me bad. After finishing some exams at beginning of 1997, I got involved with coding (kwm's smart placement and magnetic borders algorithms) and I started to do a lot of users support on the mailing lists."

KDE 2.0 and Korean language support. KDE Dot News has a link to a tutorial on adding multibyte language support (specifically, Korean) to KDE 2.0 applications.

Miscellaneous KDE eyecandy. KDE Dot News has put up a page of "KDE eye candy" with nice splash screens and such. Check it out for a view of the pretty side of KDE2.

Konqueror support for the Diamond Rio (KDE Dot News). A new Konqueror kioslave for the Diamond Rio has been announced. Now you can organize your portable tunes under KDE.


Latest OIO Enables Medical Forms Over the Web (Linux Med News). A new version of OIO, the Open Infrastructure for Outcomes is available. The OIO library manages XML forms and is used for managing medical forms over the net.

Web-site Development

UdmSearch V3.1.5 released. Kir Kolyshkin wrote in to tell us that version 3.1.5 of UdmSearch, a search engine similar to ht://Dig, has been released.

Midgard Weekly Summary. Here is the Midgard Weekly Summary for September 28, billed as "the first of the biweekly Midgard Weekly Summaries." It covers the new MWS format, the upcoming 1.4 release, and more.

Section Editor: Forrest Cook

October 5, 2000

Application Links
High Availability

Open Source Code Collections
Le Serveur Libre



Programming Languages


Glibc test tool (IBM Developer Works). IBM's Developer Works has run an article on using Glibc Test, an open-source tool for testing the Glibc internationalization APIs. The tool currently only supports Japanese locales, but the tool is designed to be able to support other languages. Glibc Test has been released under the IBM Public License.


Erlang User Conference Proceedings. The Proceedings from the sixth annual Erlang/OTP User Conference have been made available. Lots of interesting topics were covered.

Erlang 5.0/OTP R7B released. Erlang 5.0 release R7B was made available on August 30. See the list of highlights for the details. The code can be downloaded here.


Blackdown Java 2 SE v1.3 released. The Blackdown Java-Linux Team has announced release candidate 1 of Java2 SE v1.3 and Debian packages for Java2 SE v1.3, Java3D 1.2 and JAI 1.0.2.

Java Servlet Tutorial (IBM Developer Works). IBM's Developer Works has a 30-minute Java Servlet Tutorial by Jeanne Murray. This looks like a good way to get your feet wet with Java (ouch). Registration is required to take the tutorial.

Trusting your e-mail with Java security (IBM Developer Works). An article on using Java to implement secure internet transactions has been published on IBM's Developer Works.

Java code samples (IBM Developer Works). Lastly, IBM's Developer Works has published a useful list of Java Code Samples with lots of useful tidbits.


Upcoming Perl Classes. If you are looking to educate yourself on the use of Perl, the University of Perl has classes by several well-known Perl experts in Los Angeles, Atlanta, and New York City during October. Also, Consultix is offering Perl Classes by Damian Conway and Tim Maher this month in Chicago and Kirkland, WA.


This week's Python-URL. Here is Dr. Dobb's Python-URL For October 2, with the latest in development news from the Python community.

Python-Dev newsletter for September 30. A.M. Kuchling's Python-Dev newsletter for September 30 is out. Development is a little slow with the current code freeze, but numerous topics are covered regardless.

VTK-CFD Visualization Tools. Prabhu Ramachandran has released his Python-based VTK-CFD Visualization Tool package. VTK-CFD is useful for visualizing 3D graphics and has been released under the GPL license. The screenshots from this program look very impressive.

Python Distribution Utilities 1.0 released. Version 1.0 of the Python Distribution Utilities has been announced. "The Python Distribution Utilities, or Distutils for short, are a collection of modules that aid in the development, distribution, and installation of Python modules."


This week's Tcl-URL. Here is Dr. Dobb's Tcl-URL for October 2. It covers the latest in the Tcl core team charter and other Tcl development topics.

New Tcl/Tk RPMs for Red Hat Linux 7. New RPMs of Tcl/Tk that are compatible with Red Hat Linux version 7 have been announced. Both the alpha version 8.4a1 and the stable version 8.3.2 are available.

Software Development Tools

CVS tagged KDE_2_0_RELEASE. KDE Dot News reports that the release version of KDE 2.0 has been tagged. This means that the development work is done. In the absence of showstopper bugs, all that remains is the packaging work to actually put together the release, which is still set for October 16.

Section Editor: Forrest Cook

Language Links
Caml Hump
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
IBM Java Zone
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP Weekly Summary
Daily Python-URL
Python Eggs
Ruby Garden
MIT Scheme
Why Smalltalk
Tcl Developer Xchange
O'Reilly's XML.com
Regular Expressions


See also: last week's Commerce page.

Linux and Business

Atipa acquires OpenNMS project. Kansas City, Missouri-based Atipa announced the acquisition of PlatformWorks, the company behind OpenNMS, late last week. Atipa provides turnkey Linux-based solutions, including software, hardware, appliances, support and professional services. OpenNMS.org is an open source software consortium developing a next generation, truly functional network management tool for the enterprise.

Here is the announcement from the OpenNMS project on its acquisition by Atipa. "We are excited to announce that we've received the necessary funding to not only bring the Bluebird software to market, but to augment the core team with additional developers and continue toward our goal of building a world-class support organization to support Bluebird deployments." Here is Atipa's announcement.

Bluebird is currently the project name for the first of many open source projects that will be created by the OpenNMS consortium. Bluebird is intended to be the flagship product in a suite of products. Atipa plans to position OpenNMS' Bluebird product as a scalable, open source alternative to HP's OpenView or IBM's Tivoli. Atipa also plans to keep the software open source and to make money on services and support. The OpenNMS Bluebird project is currently licensed under the GNU General Public License (GPL).

S3 subsidiary frontpath(TM) announces ProGear. Yet another of the long line of information appliances hitting the market these days, ProGear touts a 10.4" TFT display, x86 compatibility, up to 128Mb of memory, 6.4GB (2.5") slim hard disk, and touch screen, all running on a Transmeta(TM) TM3200 400 MHz processor. A Linux 2.4 kernel powers this latest gizmo, while Netscape 4.74 is provided as a front end.

Of course, it raises the question: where did they get the 2.4 kernel?

HotDispatch and Caldera to create knowledge exchange for Linux developers. HotDispatch.com is an online marketplace for buying and selling technical expertise and digital products; HotDispatch, the company, developed the technology behind the website. Now HotDispatch has announced an alliance with Caldera Systems to create "an online marketplace for Linux developers to purchase and sell technical expertise."

Two announcements from VA Linux Systems. First, VA Linux announced the release of version 2.0 of its "VA Cluster Manager" (VACM).

VA Linux is also expanding its operations in Europe. Its recent moves include the acquisition of the Belgian consulting firm "Life" and the hiring of Wichert Akkerman, leader of the Debian Project.

New Books. O'Reilly has announced the availability of the "GIMP Pocket Reference," by Sven Neumann. It's "a remarkably petite" 97 pages, and covers GIMP 1.2. For those who want to see what this booklet looks like, O'Reilly has placed the chapter on the toolbox online as an example.

No Starch Press, publishers of the Linux Journal Press series of books, has put out a press release on the English publication of The Blender Book by Carsten Wartmann. The book covers the many intricate details of the complex yet powerful Blender 3D animation package from Not A Number.

Oracle to deliver database for Linux clusters. Oracle has announced what it claims is the first clustered database server for Linux systems - Oracle8i Parallel Server. It can currently handle clusters up to four nodes; it has been "validated and certified" by VA Linux Systems and NEC. It's currently in beta testing; availability is supposed to be by the end of the year.

Press Releases:

Distributions and Bundled Products

  • Linux2order.com has Red Hat Linux 7, now available on a custom CD-ROM. The 2-CD-ROM package is $12.95, plus shipping.

  • PentaSafe Security Technologies, Inc. (HOUSTON) announced that it is shipping its 10 Point Security Check Up Report for Linux on Red Hat's Linux Application CD that comes with Red Hat Professional Server Version 7.

  • Terra Soft Solutions introduced Abria SQL, Linda, VAST & DEEP and BRU for Yellow Dog Linux and Black Lab Linux distributions for PowerPC.

Commercial Products for Linux

  • HIARC Inc. (ANAHEIM, Calif.) introduced its new online Centralized Archiving and Backup (CAB) data management software for Linux.

  • LinuxDevices.com has opened up the product listing area of its "Embedded Linux Portal" website for free product listings from companies in the Embedded Linux Market.

  • LinuxSolve (SANTA CLARA, Calif.) announced that it is shipping LinuxSolve Cache, the latest in a line of secure server appliance products with LinuxSolve's GuardWorks, a Linux-based secure server appliance OS.

  • Macadamian Technologies Inc. (OTTAWA) announced that the Developer Edition of Syndeo Collaboration Suite 2.1 now includes Hypersonic SQL, an open-source Java database.

  • Proven Software, Inc. announced the release of the Proven CHOICE Internet Toolkit designed to help developers integrate Internet applications to Proven CHOICE accounting.

  • SteelEye Technology Inc. (FRANKFURT, Germany) will demonstrate high availability (HA) Linux clustering solutions for mySAP.com at LinuxWorld. SteelEye will showcase its LifeKeeper for Linux reliability platform on Compaq's ProLiant CL380 cluster running business-critical applications on Linux from Red Hat.

Products Using Linux

  • MSC.Software Corp. (LOS ANGELES/COSTA MESA, Calif.) announced a partnership with NEC Computers Inc. to deliver extreme performance in turnkey MSC.Linux2Go appliances, such as a fully configured NEC Express5800 server with dual Intel Pentium III processors.

Products with Linux Versions

  • APPX Software, Inc. (JACKSONVILLE, FL) announced APPX Rapid Application Development Release 4.1, now with the capability to design and run applications with either a character mode interface or a Java-based graphical user interface.

  • Bridge Information Systems (NEW YORK) announced the release of BridgeFeed 4.11, a new version of its datafeed service, with enhanced historical data features and support for the Linux operating system.

  • Brooktrout Technology (NEEDHAM, Mass.) received TMC Labs Innovation Award for its TRxStream Series.

  • CoCreate Software Inc. (FORT COLLINS, Colo.) announced ME10 2000+, the latest version of its 2-D CAD software, now with a Linux version.

  • Extended Systems (BOISE, Idaho) announced that it has reached an agreement with IBM to integrate its mobile data synchronization and management software, XTNDConnect Server, into a new IBM server software offering called WebSphere Everyplace Suite.

  • eye media, inc. (DALLAS) announced that it has recently released its web-based Virtual Auctioneer version 3.0 eCommerce software and toolset.

  • HydraWEB Technologies (NEW YORK) announced the introduction of HydraRADIUS, a RADIUS (Remote Authentication Dial In User Service) load balancing solution.

  • IBM (ARMONK, N.Y.) announced IBM eServer, a new generation of servers featuring mainframe-class reliability and scalability.

  • Computer Associates International, Inc. (ISLANDIA, N.Y.) announced support for IBM's new family of eServers.

  • IBM (SOMERS, N.Y.) unveiled the IBM eServer zSeries 900, the 64-bit eServer. It runs z/OS which should support most Linux applications.

  • Computer Associates International, Inc. (ISLANDIA, N.Y.) announced a suite of eBusiness management software for IBM's new eServer zSeries 900 mainframes.

  • Leapfrog Smart Products, Inc. (ORLANDO, Fla.) announced that it has completed the design of the Biothentic SCR100, its first member of the Biothentic family of biometric (fingerprint) Smart card readers.

  • LeaseExchange (SAN FRANCISCO) introduced Global Data Broker, a technology that enables LeaseExchange to seamlessly interface with a variety of platforms, including Oracle on Linux.

  • LoadVideo.com (NASHVILLE, Tenn.) announced that they have achieved the "next level in internet video streaming", full-screen dvd quality video streaming. A Linux version is expected soon.

  • OceanLake Commerce Inc. (TORONTO) announced the release of its proprietary mScope wireless engine, wireless enabling technology.

  • Oracle Corp. (SAN FRANCISCO) unveiled Oracle9i Real Application Clusters, which allows IT departments to add computers to a cluster without other changes to either the application or the data.

  • PeopleSoft Inc. (PLEASANTON, Calif.) announced that PeopleSoft 8 pure Internet applications are shipping with IBM's DB2 Universal Database.

  • Planet 7 Technologies Corp. (BOTHELL, Wash.) launched its flagship XML Network Server 2.0 product.

  • SAFLINK Corporation (REDMOND, Wash.) announced that it plans to incorporate both the Common Data Security Architecture (CDSA) standard and the BioAPI specification standard in its expanding product line of multi-biometric software solutions.

  • Sensiva, Inc. and Wacom Co., Ltd. (Mountain View, California) announced Sensiva will be bundled in all Wacom product lines: Intuos intelligent graphics tablet system; Graphire pressure-sensitive tablet with the cordless mouse and pen; and the PL-400 and PL-500 LCD pen tablet systems.

  • SynergyLink, Inc. (SAN JOSE, Calif.) announced the availability of a new ASP e-service offering called Hosted Application Integration Service (HAIS). It will allow ASP clients to design, test and deploy application integration, real-time, over the Internet.

  • Telxon Corporation (CINCINNATI and CHICAGO) announced it will offer the PowerNet product line from Connect, Inc. as an addition to its wireless networking products and professional services capabilities. PowerNet is a suite of Windows- and Linux-based host connectivity tools that provides real-time access to terminal emulation.

  • Unibar, Inc. and SATO America (ROCHESTER HILLS, Mich.) announced a solution to print compliance labels from a Web site through a browser.

  • Verisity Ltd. (MOUNTAIN VIEW, Calif.) announced the immediate availability of Specman Elite version 3.3, featuring improved integrations with third-party verification tools.

Java Products

  • Delano Technology Corporation (TORONTO, ONTARIO) announced the Java Edition of the Delano e-Business Interaction Suite, an e-business platform that enables organizations to rapidly develop and deploy e-business applications. This version supports Red Hat Linux.

  • Inprise/Borland (SCOTTS VALLEY, Calif.) announced its support for BEA's WebLogic product line with its JBuilder 4 enterprise productivity environment.

  • Qarbon.com (SAN JOSE, Calif.) announced the launch of ViewletBuilder2 Version 2.1, the company's free development tool for creating Viewlets. The Linux version is new with this release.


  • Conxion Corporation and Tripwire, Inc. (SANTA CLARA, Calif. & PORTLAND, Ore.) announced a partnership to create a security service designed to assure the integrity of the extensive amount of client data managed by Conxion. Linux will be among the supported operating systems.

  • dataSafe Informatica and Enhanced Software Technologies, Inc. (PHOENIX) announced that synergistic measures are being jointly undertaken to harvest the emerging Linux backup market opportunity in Brazil.

  • Enlighten Software Solutions, Inc. (SAN MATEO, Calif.) announced an alliance with Linux NetworX Inc., in which Linux NetworX will resell Enlighten's EnlightenDSM systems monitoring and administration product. EnlightenDSM is a complementary product to Linux NetworX's ClusterWorX cluster management tool.

  • eOn Communications Corporation (MEMPHIS, Tenn. and HAYWARD, Calif.) announced an expanded partnership with Reliance Telecommunications. Reliance will now market, install and service eOn's newest line of Linux-based communications systems, servers and software.

  • Metro Link Inc. (FORT LAUDERDALE, Fla.) has joined the Wind River Systems Inc. WindLink Partner Program.

  • OPTX International (CHICO, Calif.) launched a partnership with EZY-Tech, Ltd., a Hong Kong reseller, to offer ScreenWatch 3.0 software, which runs on a variety of platforms including Linux, to the Chinese market.

  • Quintalinux has announced an agreement with Red Flag Software wherein the two will jointly market their products and services.

  • Sendmail, Inc. announced partnerships with ActiveState, Brightmail and Trend Micro to deliver secure Internet messaging solutions.

  • SteelEye Technology Inc. (MOUNTAIN VIEW, Calif.) announced a strategic alliance with NetCentrix Ltd., which will allow NetCentrix to incorporate SteelEye's reliability clustering software "LifeKeeper for Linux" to its comprehensive server and data storage offerings.

Investments and Acquisitions

  • TeamLinux Corporation (Dayton, Ohio) announced that it has launched a new kiosk, specialized device and e-commerce solutions business unit resulting from its acquisition of NCR's Design Center and Gem City Solutions.

Financial Results

  • Netgem (NEUILLY-SUR-SEINE, France) was admitted to the Forward Market (Système de Règlement Différé), which has replaced the Monthly Settlement Market of the Paris Stock Exchange. Netgem is a developer and provider of solutions offering Internet services through television using Linux-based software. Here's Netgem's third quarter results.


  • AMIRIX Systems Inc. announced the addition of Mark Jollymore as Product Manager for Embedded Linux.

  • Red Hat, Inc. (RESEARCH TRIANGLE PARK, N.C.) announced the appointment of Kevin Thompson to the position of Vice President of Operations.

Linux At Work

  • Computational Engineering International (CEI) (MORRISVILLE, N.C.) has won a three-year, $1.4-million contract to research the use of a Beowulf computer cluster to visualize large-scale models for the Department of Energy's Accelerated Strategic Computing Initiative (ASCI). CEI will use Red Hat Linux, and an MPI processing library to allow the systems to communicate in parallel.

  • Coollogic Inc. (DALLAS) announced that it will integrate its Coollinux AE software platform with solopoint.com's next-generation online personal marketing solution.

  • Forlink Software Corporation (BEIJING) announced that it has obtained a contract to provide a customized search engine for CCIDNET. Forlink is a Chinese company providing Unix and Linux based software tool-suites.

  • Linux NetworX, Inc. (SANDY, UTAH) announced that the National Center for Macromolecular Imaging (NCMI) at Baylor College of Medicine will use the company's clustered computers in its world-renowned molecular imaging research center.

  • LinuxWizardry Systems, Inc. (BOCA RATON, Fla.) announced that its Magic Passage VPN Appliances were used by Lineo for its Internet Access at the Embedded Systems Conference.

  • Oracle Corp. (SAN FRANCISCO) announced that 1stUp.com has standardized on Oracle database and Oracle Intelligent WebHouse technologies on the Linux operating system.

  • Perforce Software, Inc. (ALAMEDA, Calif.) announced that SciTech Software has selected the Perforce source code control system to manage the Open Watcom source code base. Perforce Software makes its Fast Software Configuration Management System available at no charge to organizations developing freely available software, such as OpenWatcom.org.

Open Source in Education


  • Linux NetworX announced the Evolocity cluster server received Best of Show Award for Network Servers & Peripherals from InternetWeek and Network Computing at NetWorld+Interop 2000 Atlanta.

Section Editor: Rebecca Sobol.

October 5, 2000



See also: last week's Linux in the news page.

Recommended Reading

Mexico Has Resources for High-Tech Success (Los Angeles Times). The L.A. Times has run a lengthy open letter to Mexican President-elect Vicente Fox saying that Mexico's future lies in open source. "With the combination of free software and inexpensive Internet connectivity, as well as building on Mexico's Red Escolar (SchoolNet) program for wiring Mexican schools, the country could become the world's leading example of affordable high-tech infrastructure for the rest of the world's developing nations. Moreover, the philosophy behind free, open-source software fits well with your important ideas about a new 'open society' in Mexico."

Atipa acquires OpenNMS.org

Atipa Team Takes Aim At VA Linux (ZDNet). ZDNet looks at Atipa's acquisition of the OpenNMS project. "Doug Stevenson, a network management consultant and author of the industry white paper, 'Network Management: What It Is and What It Isn't,' said OpenNMS.org 'has developed what many consider to be a disruptive technology that will alter the face of the enterprise management market.'"

KC's Atipa leaps into field of ''open source'' software (Kansas City Star). The Kansas City Star reports on Atipa's acquisition of PlatformWorks. "The software will be free, but Atipa will make money by selling a version with manuals and company support for a $10,000-$12,000 annual subscription fee."

Software company finds a buyer (News & Observer). The (Raleigh) News & Observer breaks the news that the Open Network Management Software project has been acquired by Atipa. "OpenNMS' network management software, currently called Bluebird, will start being tested by customers next month and will be ready for a commercial release next spring. Like all open-source software, the OpenNMS version will be free--a stark contrast to expensive network management software from established vendors. Atipa's plan is to make money through service and support contracts."

Sun/Cobalt deal

Will We Be Sun-Lite? (LinuxToday). The Australian LinuxToday site comments on Sun and Cobalt Networks. "My take is that Sun is moving to position its own Solaris operating system and high-end server products as the next step for Linux users looking to move upscale. In effect, it's a strategy that will position Linux as a 'lite' version of Solaris."

Can Cobalt make Sun shine? (ZDNet). Here's a ZDNet column on Sun's purchase of Cobalt Networks. "Sun's Solaris operating system has failed to make inroads into Microsoft's dominance of this sector, even when Sun was essentially giving it away. Linux, on the other hand, has tripped the onward march of Microsoft, especially in any application that is Web-related. So, even though Sun has tried to pretend that the Linux part of Cobalt isn't important, it is easy to see the acquisition as a move to get into the Linux market before the likes of IBM and Hewlett-Packard clean up."

Sunset for Cobalt? (Andover News). Here's an Andover News column with a critical view of Sun's acquisition of Cobalt. "A number of analysts claimed that the high price brought by Sun's purchase of Cobalt Networks was proof of the value of Open Source. But if so, why was Cobalt's Michael DeWitt trying so hard to avoid even uttering the word Linux?" (Thanks to César A. K. Grossmann).


Tcl's Availability (ZDNet). Here's an article in ZDNet about Tcl and Ajuba Solutions. "Before explaining how Web workers use Tcl, it helps to have a clear picture of Tcl's status as a product. From the beginning, Tcl has been free. That is, [Tcl creator John] Ousterhout has always released Tcl's language processor as source code under a liberal "BSD-style" license which allows others to do almost anything they want with it. You can't claim you wrote what you didn't, or take action against Ousterhout for his gift; those are the only significant restrictions on Tcl's use."

Variety of Implementations (ZDNet). This is another ZDNet article about Tcl. "Scores of distinct microscripting systems are in wide use, including mod_perl, PHP, and ASP. Several of the largest Web applications rely on microscripted Tcl. Vignette's StoryServer, for example, leads the market of enterprise-class Web publication systems. Its technical basis is microscripted Tcl. StoryServer is so successful that many of its users know Tcl only through the product, and have the mistaken belief that Tcl is a proprietary language which belongs to Vignette."

Novell touts new products, Red Hat deal (News.com). News.com posted a story on Novell's eDirectory and DirXML software, including Red Hat's decision to use them in that company's latest release, Red Hat Network.

Red Hat struggles to be seen in embedded space (Upside). While the Red Hat distribution enjoys strong support, Upside writer Sam Williams reports on the perception in the real world that Red Hat doesn't have a firm embedded plan yet: "Ten months after the merger, however, the integration of the two companies seems a bit awkward. Despite the outwardly can't-miss combination of Cygnus' engineering talent and Red Hat's marketing savvy, the company has spent almost the entire year watching a host of competitors sprint past it in hopes of becoming the world's top supplier of embedded Gnu/Linux software and services."

Nanux or Nanix? (LinuxDevices). Will the real embedded Linux company please stand up. One of these is the name of an embedded Linux company, the other is the code name for an embedded Linux product. LinuxDevices.com explains which is which. "A few months ago, the start-up business, Charmed Technologies, issued a press release about their idea for yet another embedded Linux, which they dubbed "Nanux". It seems, however, that they failed to check and see if the name was already in use -- when, in fact, it was."

Transmeta plans to raise more than $140 million in IPO (News.com). News.com looks at Transmeta's revised IPO filing. "Transmeta plans to sell 13 million shares at a range of $11 to $13. After its IPO, the company will have 126 million shares outstanding, giving it an approximate market value of $1.64 billion based on a sale price of $13 per share."

EnFuzion: Supercomputing by the masses (ZDNet). ZDNet reviews the TurboLinux EnFuzion product. "However, even with the potential for unlimited node scalability, at $400 per node, the cost of implementing the current version of EnFuzion could be prohibitive for some small-scale operations."

The Gnutella paradox (Salon). Salon predicts the death of Gnutella. "If the decentralized Gnutella can't handle the legal and technical threats that come from mass usage, what system can? Or are music traders doomed to confront a future in which each new 'next Napster' is progressively undermined by its own success?" (Thanks to Paul Hewitt).

Microsoft and Corel

.comment: Microsoft and Corel -- Not Good News (LinuxPlanet). LinuxPlanet worries about the Microsoft/Corel deal. "The speculation among Linux users who published their opinions at various websites runs chiefly in the vein that this is how Microsoft will insinuate itself into Linux. That speculation, I believe, is dead wrong. Microsoft is no friend to Linux. Microsoft is friend only to Microsoft."

Why did Microsoft really buy into Corel? (ZDNet). ZDNet speculates on the motivation behind the Microsoft/Corel deal. "Nipping another potential legal action in the bud was worth $150 million to Microsoft, no doubt. But I also believe Microsoft made the investment as a way to hedge its bets in the desktop-suite space. Sun Microsystems' StarOffice suite is set to go open-source on Friday the 13th of this month. Sun already has given away lots of free copies of StarOffice. Microsoft doesn't want to be forced to give away one of its biggest cash cows, Microsoft Office, in any way, shape or form. But giving away Corel WordPerfect Office wouldn't hurt Microsoft one bit."

Ballmer learns from past Microsoft missteps (News.com). News.com has another Steve Ballmer interview. Nothing incredibly new, but he does maintain a rather interesting view of Linux: "Linux is not catching on, on the desktop. There are no customers. I may be from Mars, but if there's no demand, we're not going to do the work to take Office to Linux. It's not even an interesting question until there's demand. Linux on the server is a different story. We might still dramatically outsell Linux on the server. You don't see much Linux in (business) customers. You see some Linux in Web sites and application service providers, but it's less than the press hype."

Embedded Systems Conference

Embedded Linux -- one year later (LinuxDevices). This LinuxDevices.com article looks at this year's Embedded Systems Conference compared to last year's Conference, particularly with respect to the number of Linux companies. "If you could travel back in time to the Embedded Systems Conference of September 1999, you would find that the "Embedded Linux Market" simply did not exist, one short year ago. Sure, a growing number of developers and a handful of companies were starting to embed Linux. But as a market that anyone tracked, or paid attention to, Embedded Linux simply hadn't made it onto the radar screens."

Inder Singh: address to the ELC Meeting (LinuxDevices.com). LinuxDevices.com is carrying the text of Inder Singh's address to the Embedded Linux Consortium meeting. "The momentum of Linux over the last couple of years is beyond anything we have ever seen for an operating system. The focus of the world has been on Linux in the server market, but I am convinced that Linux will have its biggest play in the embedded world."

The Great Open Source Debate wages on (Upside). Upside covers the Embedded Systems Conference. "Red Hat reinforced its strategic decision to work on everything but a real-time version of the Linux kernel."


Is the SDMI boycott backfiring? (Salon). Salon suggests that hackers may want to reconsider boycotting the SDMI challenge. "A successful effort by hackers to break the watermarks, suggest representatives of some of those technology companies, might jeopardize almost two years of work by the coalition of record labels, consumer electronics companies, technology start-ups and computer manufacturers that makes up SDMI. But this wouldn't necessarily be a bad thing."

Software's Glass Ceiling: Breaking the Tail-Lights (osOpinion). Here's an osOpinion column which cautions against going too far in imitating commercial software products. "Consider PERL, messy though it is. Did it achieve greatness by emulating BAT files and DOS command-line tools and working up from there? Did EMACS grow from an EDIT.EXE clone (yes, there are several), or from a LISP programmer's scratched itch?"

The Failure of Linux: Credibility and Responsibility (osOpinion). Here's another osOpinion piece that is very strongly critical of the engineering that goes into Linux. "The act of writing computer code is actually a small part of the overall software design process, and yet far too many Linux projects focus solely on this one area. It is why Linux breeds good programmers but lousy engineers. Linux programmers tend to place a very low value on accountability and personal responsibility, and the community is poorer for it."

Certifying the Penguin (Certification Magazine). Dan York has written an article about Linux certification for Certification Magazine. It covers all of the available certification options and how they work. "Unlike other operating systems, there is no central 'Linux, Inc.' No one company can simply dictate the standards for certification or for anything else. Instead there is the whirling bazaar of companies, organizations and individuals all cooperating to build the Linux operating system, yet many of them also competing with each other as well."

Power to the penguin (ZDNet). ZDNet is carrying a column by a Deloitte & Touche manager on Linux's prospects. It's reasonably positive, but has a few problems: "While it's likely that competitive pressure will ultimately lead some Linux vendors to make the source code for their version of Linux proprietary, much of Linux's appeal lies in its populist roots."

Linux Firms Still Searching for Success (Los Angeles Times). The L.A. Times has put up this article on Linux businesses. "But TurboLinux Chief Executive Paul Thomas concedes that with little difference among Linux rivals, mergers might leave only two major distributors standing by year's end."


Linux means Business: Word Processors (LinuxLinks). LinuxLinks.com looks at Linux word processors. "Only a few years ago Linux was found lacking in this department, having a very limited choice of tools to use; with only the historic UNIX tools being available. For example, although LaTeX is a highly professional document preparation system it is aimed at the scientific community, and not at the corporate market. The situation has changed; there are a number of quality office suites that include word processing facilities which are a match for the popular Word."

Linux Buyer's Guide #5 (DukeOfUrl). Here's the latest Linux Buyer's Guide from the DukeOfUrl. "The beauty of Red Hat 7 is that, although 3D acceleration takes some tweaking to get working, and kernel 2.4 needs to be installed on your own, is that both of these integral tools are included and at the disposal of any users, and finally, a large distributor is pushing them-this is where people start listening. You can't ignore Linux anymore!"

Linux Gazette issue 58 is now available. Issue #58 of the Linux Gazette is now available. Included are interviews with Chris DiBona and SourceForge's Quentin Cregan, Linux Security Tips by Kapil Sharma, and much more.


Review: Enterasys Networks RoamAbout (Signal Ground). Signal Ground looks at the Enterasys Networks RoamAbout wireless network. "If you're installing on a Red Hat 6.1 or 6.2, Caldera 2.3 or 2.4, or SuSE 6.3 or 6.4 system, you're in luck: Enterasys Networks has provided pre-built drivers for each of these systems, so installation should be a breeze."

VMWare 2.0.2 Review. The Duke of URL has posted a review of VMWare 2.0.2, the all OS virtual environment that allows you to run Windows, Linux and even FreeBSD in a virtual machine.


Interview with Jon Danzig (RootPrompt). RootPrompt.org has run an interview with Jon Danzig, president of Libranet. "We believe that we can produce a first class Linux desktop system that almost anyone can install and use enjoyably. We expect to be the distribution of choice for a large segment of the Linux community and a good choice for those arriving to Linux." (RootPrompt also reviewed Libranet Linux 1.8 at the beginning of September).

Raymond to pen 'Zen and the Art of Unix' (Upside). Upside covers Eric Raymond's talk at Oracle's OpenWorld. "'My goal is for open source development to become the norm everywhere it is economically feasible,' said Raymond, in between videotaped aikido moves. 'I think, at equilibrium, only 5 to 15 percent of the world's software remains closed source.'"

10 Questions with Olivier Fourdan of Xfce (LinuxOrbit). LinuxOrbit talks with Olivier Fourdan, creator of Xfce. "When I read articles on interfaces available on Linux, Xfce is rarely mentioned. That's sad, because choice is a big strength in Linux. Reducing the choice to KDE or GNOME only makes Linux less attractive, in my opinion."

Defanging Carnivore (Salon). Salon talks with Robert Graham of Network ICE, the company that put out an open source "Carnivore" implementation. "More importantly, encryption technology is becoming more and more built into what we do. The real debate that we're going to have to answer and address as a society at some point is whether encryption is a fundamental human right."


Network Computing's 'Top 10' lists. Network Computing has put up a Top 10 most important people of the decade list. Linus Torvalds is there in third place, behind Bill Gates and Tim Berners-Lee. Elias "Aleph One" Levy is also on the list in eighth place.

If you look at the Top 10 Products list you'll not find Linux anywhere, but Apache got sixth place.

Section Editor: Rebecca Sobol

October 5, 2000



See also: last week's Announcements page.



Report from the Embedded Linux Consortium meeting. The Embedded Linux Consortium, celebrating its first birthday, held a meeting at the Embedded Systems Conference in San Jose. LWN's Forrest Cook was there, and has sent in a report from the gathering. There is much optimism in the embedded Linux community...

O'Reilly's P2P Summit. Summaries of the O'Reilly sponsored Peer-to-Peer summit are now online. The summit, held in San Francisco on September 19th, was designed to discuss technologies similar to Napster. "The music industry is positioning peer-to-peer as if it were an attack on copyright, when in fact, it's a technical approach that is fundamental to the architecture of the internet."

Real-time applications with Linux. Karim Yaghmour, author of the Linux Trace Toolkit (LTT), will talk about real-time applications development (in French) using the Linux Real Time Application Interface (RTAI) and LTT. The technical differences between RTAI and RTLinux will be addressed. Wednesday October 11, 2000 at the École Polytechnique de Montréal.

ApacheCon Europe 2000. Here's an announcement (in French) about ApacheCon, happening October 23 - 25, 2000 in London.

Software Development Conference & Expo. Presentations by Kevin Mitnick, Larry Augustin, Gloria Gery and Martin Fowler are scheduled during SD 2000 which runs October 29 - November 2, 2000 in Washington, D.C.

October/November events.
Date | Event | Location
October 3 - October 7, 2000 | NetForum 2000 | New Zealand
October 5 - October 7, 2000 | LinuxWorld Conference and Expo | Frankfurt, Germany
October 10 - October 14, 2000 | Atlanta Linux Showcase | Cobb Galleria, Atlanta, Georgia
October 15 - October 19, 2000 | 2nd Annual Linux Storage Management Workshop | University of Miami, Miami, Florida
October 16 - October 18, 2000 | Wireless Developer Conference | Santa Clara Conference Center, Santa Clara, CA
October 23 - October 25, 2000 | ApacheCon Europe 2000 | Olympia Centre, London, England
October 27, 2000 | Embedded Linux Expo & Conference | Wyndham Westborough Hotel, Westborough, MA
October 29 - November 2, 2000 | Software Development Conference & Expo 2000 East | Washington Convention Center, Washington, D.C.
October 30 - October 31, 2000 | Open Source Database Summit | Hayes Mansion Conference Center, San Jose, California
October 30, 2000 | First Annual Federal GNU and Linux Users' Conference And Awards Presentation | Washington, D.C.
October 30 - November 1, 2000 | Linux Expo Canada | Metro Toronto Convention Center, Toronto, Ontario
November 7 - November 9, 2000 | Embedded Systems Conference Europe | Maastricht, Netherlands
November 13 - November 17, 2000 | LINUX Business Expo | Sands Convention Center, Las Vegas, Nevada
November 25, 2000 | Australian Open Source Symposium | Adelaide, Australia
November 28 - December 1, 2000 | IEEE International Conference on Cluster Computing | Technische Universität Chemnitz, Saxony, Germany

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Web sites

Sensiva's new Web site. Sensiva launched Sensiva.com, a free content and information portal, that also links to the company's multi-platform software. Sensiva's new Web site is offered initially in English, French and Japanese; with more languages to follow.

User Group News

The Linux Users' Group of Davis. LUGOD announced that they will be demonstrating the Linux operating system on Saturday, October 7th; the following day, LUGOD and the UC Davis Computer Science Club will be hosting an Installfest in Davis, California.

Long Island Linux Users Group. LILUG announced a LAN PARTY on October 10, 2000. So bring a computer, bring a hub, plug in and have fun.

LUG Events: October 5 - October 19, 2000.
Date | Event | Location
October 7, 2000 | Roanoke Valley GNU/Linux Users Group, Virginia Tech Linux/Unix Users Group and Red Hat, Inc. host a Linux Installfest | Roanoke College, Salem, Virginia
October 12, 2000 | Boulder Linux Users Group | NIST Radio Building, Boulder, CO
October 12, 2000 | Phoenix Linux Users Group | Sequoia Charter School, Phoenix, AZ
October 12, 2000 | Linux Introduction | Delfzijl, Netherlands
October 15, 2000 | Omaha Linux User Group | Omaha, Nebraska
October 15, 2000 | Beachside Linux User Group | Conway, SC
October 16, 2000 | Linux Users' Group of Davis | Z-World, Davis, CA
October 17, 2000 | Bay Area Linux Users Group | Four Seas Restaurant, Chinatown, San Francisco, CA
October 17, 2000 | Kansas City Linux Users Group | Kansas City Public Library, Kansas City, MO
October 18, 2000 | Linux User Group of Groningen | Groningen, Netherlands
October 18, 2000 | Arizona State University Linux Users Group | Tempe, AZ
October 19, 2000 | Rice University Linux Users Group | Rice University, Houston, TX

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

October 5, 2000



Software Announcements

Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:

Sorted by section and Sorted by license


Our software announcements are provided courtesy of FreshMeat



See also: last week's Back page.

Linux Links of the Week

LWN, of course, is based in Colorado, and we're generally pretty happy with that. A look at the Bay Area Linux Events calendar, however, is almost enough to make one change one's mind. People over there have a lot of fun...

If you're not in the Bay area, or are stuck at home, the Linuxcare product comparisons page can be a good place to look to find some fun new software to play with instead. The breadth of the coverage is growing; this page is turning into a useful resource.

Section Editor: Jon Corbet

October 5, 2000



This week in history

Nine years ago: October 5, 1991, was the day that Linus first released Linux to the world.

Two years ago (October 8, 1998 LWN): We asked "what will happen to the Linux VARs?" With companies like Dell making noises about getting into Linux, it looked like life could get harder for companies that sold Linux-installed computers. Two years later, most of those companies are still around and doing better than ever. But people still wonder what will happen when the Dells of the world get serious...

A new Linux news site called LinuxToday was launched by Dave Whitinger and Dwight Johnson.

Nice thought of the week:

The arguments are both noble and naïve. Linux has a cult-like following, matched only by that of the Macintosh OS and OS/2. It's a modern Unix! It's stable, superior, enriching! It's gonna get creamed. -- Richard Brandt, Upside.

Upside has since changed its tune on Linux, to say the least.

Oracle8 for Linux went up for free download. For a long time Linux supporters had heard people say that "when Oracle is available for Linux" they'll know it's serious. It was serious.

One year ago (October 7, 1999 LWN): Sun announced the release of the Solaris source code - under the Sun Community Source License. One year later, that source release has yet to make much of a splash.

Microsoft came out swinging with its Linux Myths page:

Linux is a higher risk option than Windows NT. For example how many certified engineers are there for Linux? How easy is it to find skilled development and support people for Linux? Who performs end-to-end testing for Linux-based solutions? These factors and more need to be taken into account when choosing a platform for your business.

Meanwhile, some people figured out that ssh 1.2.12 had been published under a free software license. People grabbed hold of it, and the OpenSSH project was born. OpenSSH is now the standard version for Linux systems.

Red Hat 6.1 hit the FTP servers, though the boxed version wasn't due out until October 18.



Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

Date: Thu, 28 Sep 2000 12:01:03 -0700 (PDT)
From: Jonathan Walther <krooger@debian.org>
To: Dave Peacock <davep@netscape.com>
Subject: Re: Outrage at Debian dropping security for 2.1

If you want us to support security, perhaps you
could propose some incentive?  We are all volunteers
here at Debian, interested in putting out a quality
distribution.  Your time is limited, otherwise I'm sure
you too would love to fix and upgrade your distribution
from source.  But our time is also limited, and we want
the most bang for buck out of it.  That means not fighting
the current of progress, and keeping up with new versions
of software.

If security updates are of concern to you, perhaps you
could get your company to pay some Debian maintainers to
work on the old distribution.  If you have the time,
perhaps you would like to volunteer to do some of that
maintainership yourself.

The distribution we've just released is the culmination
of 2 years of hard work for us.  Try it.  You'll like it.
Unlike many other distributions which require a reinstall
from scratch, Debian guarantees a reliable upgrade path.


Jonathan Walther
Debian GNU/Linux Developer

Date: Fri, 29 Sep 2000 14:22:22 -0700 (PDT)
From: Seth Cohn <scohn@clipper.net>
To: debian-devel@lists.debian.org
Subject: Re: Outrage at Debian dropping security for 2.1

Branden Robinson:

> Does Mr. Peacock expect Debian to provide security updates for Debian 2.0,
> 1.3, 1.2, or 1.1?  Does he expect, say, Red Hat, to provide security
> updates for 6.0?  How about 5.0?  4.2?  1.0?

> If someone is willing to maintain reliable, net-accessible slink, hamm, bo,
> rex, and buzz boxen for all architectures supported by those releases, then
> perhaps we can do what Mr. Peacock expects.  Otherwise...

A few of us discussed this last night at our LUG meeting, and the obvious
answer is that since the security fixes tend to include source changes,
someone can always grab the source for the 'security' fix from the later
version and rebuild the package.  Yes, some libraries etc might need to be
changed, and this isn't 100% but anyone who is sticking with Slink for
production purposes should be able to use Potato fixes in many cases.

In the rare cases where things don't work, I'd bet if someone posted a
request for a Slink package version of a new security fix, saying clearly 
that the existing Potato package didn't work, someone would repackage it
to fit.

In another vein, this clearly could be support revenue for someone
interested.  Supporting older Debian releases could be very lucrative for
the right person(s).  Maybe Debian's normal volunteer security team isn't
interested, but someone might be if the price was right.

Seth Cohn

Date: Thu, 28 Sep 2000 23:36:37 -0500
From: Branden Robinson <branden@debian.org>
To: Dave Peacock <davep@netscape.com>, letters@lwn.net,
Subject: Re: Outrage at Debian dropping security for 2.1

It was pointed out to me today that perhaps Mr. Peacock did not realize
that Debian 2.1, a.k.a "slink", is *not* the currently released version of
the Debian system.

The current version is Debian 2.2, a.k.a. "potato", which was released in
July, and we certainly take security updates very, very seriously for this
release (as well as other issues, such as usability, that merit an update
to the released distribution).

Perusal of the past several weeks' worth of Linux Weekly News will reveal
that Debian is quite timely with security updates to our released current
distribution.  (The distribution currently in development, codenamed
"woody", sees updates literally every day.)

Does Mr. Peacock expect Debian to provide security updates for Debian 2.0,
1.3, 1.2, or 1.1?  Does he expect, say, Red Hat, to provide security
updates for 6.0?  How about 5.0?  4.2?  1.0?

Does Netscape continue to support Navigator 3.0?  2.0?  1.1?

G. Branden Robinson             |      One man's "magic" is another man's
Debian GNU/Linux                |      engineering.  "Supernatural" is a
branden@debian.org              |      null word.
http://www.debian.org/~branden/ |      -- Robert Heinlein

Date: Wed, 4 Oct 2000 17:12:50 -0700
To: letters@lwn.net
Subject: Security updates for Debian 2.1 "slink"
From: Rick Moen <rick@linuxmafia.com>

Dear Ms. Coolbaugh and Mr. Corbet:

Last week's letter from Dave Peacock raises the interesting question 
of whether the Debian Project erred in discontinuing (effective Oct. 30)
security updates for the former Debian-stable branch, 2.1/"slink", 
which was obsoleted by the new Debian-stable, 2.2/"potato", on Aug. 15.

At first glance, Dave's outrage seems justified.  His 2.1 machines
appear destined to be left in the lurch.  But this is a mirage, as can
be best seen by an example:

On August 1, Dave hasn't installed updates (including those for
security) in a while.  So, as root on each machine, he executes the
following commands:

apt-get update   #Gets new available-package lists from a Debian mirror
apt-get dist-upgrade #Upgrades all installed packages to current revs.
apt-get clean  #rm's package master files from /var/cache/apt/archives/

The packages retrieved are from the 2.1/slink branch, because on Aug. 1,
2.1 still bore the "stable" designation.  Any security fixes will be
among them, since they are merged into the mirror collections as the
Debian Security Team releases them.[1]

Let us say that, on August 16, Dave runs the standard update command
sequence again.  Because the Debian Project switched the "stable" tag 
from 2.1 to 2.2, the previous day, Dave's systems now receive a few more
package updates than usual, but not many.  He may not even realise that 
he has auto-upgraded to 2.2 -- the upgrader tools' default configuration
in /etc/apt/sources.list says "track stable", not "track 2.1".  Because
of Debian-stable's enforced package policy and emphasis on incremental
upgrading without downtime, this late-2.1-to-2.2 upgrade is
undisruptive, like prior ones within 2.1.

So, on Sept. 21, when he writes his LWN letter expressing outrage that
security updates for his 2.1 boxes will cease in 1 1/2 months, those
machines have already been 2.2 for more than a month.

There _is_ ongoing security maintenance support for 2.1, you see:
It's called "Keep using the routine Debian update mechanism to continue
following 'stable', which recently moved past 2.1."

It's possible that Dave was unaware of Debian's maintenance tools, and 
has been retrieving security updates by hand.  (It is difficult
otherwise to understand his machines remaining on 2.1.)  If so, he'll be
pleased to hear about those tools, as they require less effort and
possibly even less bandwidth -- and yield markedly better results, e.g.,
minimising security-exposure windows by automatically implementing
even security updates whose alert bulletins you haven't seen.
I'll be glad to assist him (in e-mail) with any questions.

[1] For pre-release access, add this line to sources.list:
deb http://security.debian.org/ stable/updates main contrib non-free

Cheers,                   "Teach a man to make fire, and he will be warm 
Rick Moen                 for a day.  Set a man on fire, and he will be warm
rick@linuxmafia.com       for the rest of his life."   -- John A. Hrastar
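
The letter above turns on whether /etc/apt/sources.list names the moving "stable" alias or a fixed release, and on whether the security archive is listed. The script below is an added example, not part of the letter or of Debian's tools; it reports both for a given file. The ALIASES list and the mirror.example.org host in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: report which suite each APT source follows.
# ALIASES is an assumed list of moving suite names; anything else counts as a codename.
ALIASES='stable unstable frozen'

# Constructed sample sources.list (mirror.example.org is a placeholder host).
sample_sources() {
    cat <<'EOF'
# constructed sample, not taken from a real machine
deb http://mirror.example.org/debian stable main contrib non-free
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://mirror.example.org/debian slink main
#deb http://mirror.example.org/debian potato main
EOF
}

# Print "<kind> <suite> <uri>" for every active deb/deb-src line in file $1.
classify_sources() {
    awk -v aliases="$ALIASES" '
        BEGIN { n = split(aliases, a, " "); for (i = 1; i <= n; i++) moving[a[i]] = 1 }
        ($1 != "deb" && $1 != "deb-src") || NF < 3 { next }
        {
            suite = $3
            sub(/\/.*/, "", suite)          # "stable/updates" -> "stable"
            kind = (suite in moving) ? "alias" : "codename"
            print kind, suite, $2
        }
    ' "$1"
}

# Succeed if any active line points at the security archive named in the letter.
has_security_source() {
    classify_sources "$1" | grep -q ' http://security\.debian\.org/'
}

# Succeed if the machine will cross releases when the alias moves.
follows_moving_suite() {
    classify_sources "$1" | grep -q '^alias '
}

demo=$(mktemp)
sample_sources > "$demo"
classify_sources "$demo"
rm -f "$demo"
```

A machine whose only active lines are reported as "codename" stays on that release and stops receiving fixes once the release leaves support; one reported as "alias" moves with the tag on its next dist-upgrade.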

Date: Thu, 28 Sep 2000 12:34:56 +0100
From: franck@nenie.org
To: letters@lwn.net
Subject: GPL/BSD: alternative prisoners' dilemma

The leading article on BSD/GPL in this week's LWN is not entirely fair.

You focus on the release/ not release decision _once_ the choice of using a
piece of open source software has been made, and changes have been

But will you reach the point where the decision you focus on has to be
taken? A more interesting decision game is when the commercial company
decides to use free software or not.

We have two players: the open source Developer and the commercial Company,
who cannot communicate with each other in the spirit of the prisoner's
dilemma game -- and practically because these decisions are taken at
different points in time by disjoint groups and are normally unrelated.

Thus, the Developer has two choices for their release: (1) use BSD, (2) use
GPL. Because the Developer has read your article (or does what the
mainstream open source movement does) they rationally choose the GPL.

The commercial Company has two choices, (1) exclude GPL software (prefer
BSD or commercial or internally developed software instead of GPLed) or (2)
also use GPL software. Because they know that the requirement to release
_may_ put their competitive advantage at risk, they rationally decide not
to use GPL software. They do that even if they are ready to release most
code they do, because it usually has nothing to do with their competitive
advantage, but they do not want to lose their future freedom to keep even a
single line of their own code private, and lose that freedom forever.

The outcome of the game is thus that the Company does not use the software
of the Developer so the open source community loses all the possible
non-competitive enhancements and the Company has extra effort to do if the
GPL software is better than alternatively licensed.  They both lose out in
a classic example of the prisoner's dilemma, a situation created solely by
the GPL.

The game works as well if the Company is replaced by someone who values the
freedom of everybody to do what they want with open code more highly than
the narrow definition of freedom in the GPL, or people who simply oppose
the GPL for ethical reasons -- be it the misanthropic nature of the GPL, or

Of course, this game is as true as the one with the opposite result at the
later stage. The results of the sum of these games seem hard enough to
evaluate that they do not contribute much to the purely strategic question:
does the GPL produce more or better open source code than alternative
licences? Maybe we can keep on opposing or supporting the GPL on ethical

Franck Arnaud ~ email: franck@nenie.org

Date: Thu, 28 Sep 2000 13:17:51 -0700
From: Marc Matteo <mmatteo@sacbee.com>
To: lwn@lwn.net
Subject: Your One Big Assumption  (GPL less business-friendly friendly)

In your editorial this week you make one *huge* assumption when you

> A company that releases code under the GPL need not fear
> what its competitors will do - the risk of competing against proprietary
> enhancements is gone.

This assumes that all parties are playing by the rules.  The company
that releases code under the GPL still needs to fear that their
competitors will happily violate the GPL and take their GPLed code and
make it proprietary.  How would anyone know?  How would you check?

Marc Matteo
Online Technology Leader, sacbee.com

Date: Sun, 01 Oct 2000 15:50:13 +1000
To: lwn@lwn.net
From: Dark Fiber <dfiber@mega-tokyo.com>
Subject: this weeks 'Is the GPL really less business-friendly' editorial

you're a pro linux site, and thus pro gpl. why even bother
with the useless editorial of the gpl vs bsd license
stuck on the front page?

don't you think you are preaching to the converted?

an editorial is an opinion. i know exactly what i do
and don't expect from a linux news site. but i have to
wonder what you hoped to achieve with your editorial...

especially running it as item #1.

-Stuart George


[ Dark Fiber <dfiber@mega-tokyo.com> Running FreeBSD 4.1 ]
[FAQ] Write Your Own OS
3x3 Eyes Fan Fiction Archive
Sarien Sierra Emulator

From: "Mark Christensen" <Mchristensen@htec.com>
To: <corbet@lwn.net>
Subject: RE: "Is the GPL more business friendly than BSD style licenses?" 
Date: Tue, 3 Oct 2000 16:52:11 -0400

Though I agree this issue is enormously important as more and more people
depend on the production and maintenance of free software for their
livelihood, I don't think you have framed the question properly.

I doubt that the question you asked has a single answer. Different business
objectives lend themselves to different licenses.

As you mentioned one feature of the GPL is that it protects a company's
intellectual product from being incorporated wholesale into a competitor's
proprietary product, but this is not always an advantage.

I recently had a conversation with a couple developers at SGI, and they
mentioned that as one of SGI's chief reasons for releasing a significant
amount of code under the GPL.

They believed that if they released their code under a LGPL, or Open BSD
license, competitors like Sun Microsystems, and to a lesser extent
Microsoft, would "steal the SGI crown jewels."

Obviously SGI's objective was not merely to keep Sun from using their
technology. They also want to support Linux as a competitor to Solaris, and
promote integration between Linux and Irix.  In this case, if SGI wants
their code integrated into the Linux kernel, the GPL is the only choice. On
the other hand, for stand alone software SGI's desire to support an
alternative to Solaris would be served by either a BSD or GPL license.

So, for SGI the choice of the GPL is the clear result of strategic decisions
about how to achieve several significant business objectives.  But for a
different company under different circumstances the same kind of strategic
thinking would lead to the choice of a BSD style license.

For this example, let's take a look at a fictitious network security firm.
They are primarily a professional services firm that audits the security of
large heterogeneous networks. They have created several security tools to
automate some of the work involved in large-scale security auditing on Unix
and NT boxes.

For our hypothetical security company these tools are not a primary source
of income, in fact they only sell their software to current clients as part
of a larger contract.  Nor are they worried about their software being
incorporated into proprietary products, because the software without the
services is not particularly valuable to a highly security conscious

All in all, they would much rather have long standing audit/monitoring
contracts with fortune 500 companies, than sell a couple of hundred software

In fact, they would see it as a great boon if their tools were included in
distributions of Solaris, Irix, Free BSD, and Linux, since this would be a
tremendous PR tool, as well as an easy path to a very tightly integrated
security contract with a wide variety of Unix vendors.

For this company, the use of a BSD style license is almost a foregone
conclusion.  And I expect that the ease of implementation across a variety
of platforms motivated the use of the BSD style license used for the
standard implementation of the Kerberos protocol.

In the past I’ve heard, and even repeated the argument that the GPL would
have protected the protocol from any attempt to co-opt the standard.  And in
one sense they would be right --the GPL would have set the bar higher.

But Microsoft’s “clean room” re-implementation standard would have negated
any of the obligations that come with re-use of GPLed code.  So, GPLing the
code would not have helped fight Microsoft (who had the resources to
re-implement) but it would have slowed the acceptance of the protocol by
smaller companies (who might clearly do not have the same kind of resources
as Microsoft).

My point in all of this is that the choice of licenses is very complex, and
a wide variety of issues need to be weighed very carefully.

And that, unfortunately, is why major license decisions need to be made with
input from lawyers, PR people, marketing departments, in addition to
programmers, and project managers.

From: <greyfox@paratheoanametamystikhood.net>
Date: Thu, 28 Sep 2000 01:33:07 -0600
To: letters@lwn.net
Subject: Privacy Foundation on :CueCat

The privacy foundation said:

    ... the :CueCat software attaches a unique user ID to each
    scanned bar code. This unique ID number, along with the bar
    code, is then sent back to Digital:Convergence Corp. computer
    servers. This feature could potentially allow the company to
    track the :CueCat scans of every consumer who registers for
    the service. 

To which Digital Convergence Replied:

    Yes, it's true, and I would have gotten away with it, too
    if it hadn't been for THOSE DARN KIDS!

Scooby Doo references aside (The French demographic is probably
thoroughly confused by now) this is another damn good reason (As if we
needed another one) why it is not in our best interests to allow our
rights to reverse engineer a product to be infringed. This sort of
thing is already commonplace and will become more so if companies can
arbitrarily hide behind arbitrarily restrictive hardware and software
license agreements. As if being able to use a device that you
purchased in the fashion you choose with your hardware wasn't already

If you're one of the people talking to Al Gore or George Bush on MTV,
be sure to grill them thoroughly on this issue.

Bruce Ide                   greyfox@paratheoanametamystikhood.net

Date: Thu, 28 Sep 2000 14:41:37 -0400
From: Derek Glidden <dglidden@illusionary.com>
To: letters@lwn.net
Subject: IBM _really_ into Linux?

From your "Linux and Business" page of Sept 28:

"Other companies announcing support for Red Hat Linux 7 and Red Hat
Network include Computer Associates, IBM Corporation, Lotus, Novell and

Or if you want to be more literal:

"Other companies announcing support for Red Hat Linux 7 and Red Hat
Network include Computer Associates, IBM Corporation, IBM Corporation,
Novell and IBM Corporation."

I guess IBM really likes Red Hat Linux 7.  :)

With Microsoft products, failure is not           Derek Glidden
an option - it's a standard component.      http://3dlinux.org/
Choose your life.  Choose your            http://www.tbcpc.org/
future.  Choose Linux.              http://www.illusionary.com/

Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds