Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
Leading items and editorials

No dividends from free software? The Creating Digital Dividends conference is being held in Seattle starting October 16. This conference has a goal of exploring how technology can better serve the third world. It has a gold-plated list of sponsors: Microsoft, HP, Motorola, etc. It looks to be full of first-world amenities. What it will not have is any representation from the Linux community.

Quite a few folks from the community have taken exception to this. Tim Hanson has even announced a protest which will take place outside the event. Free CDs and literature will be handed out in an effort to educate the conference participants about other technologies which should be considered.

LWN asked the organizers about the exclusion of Linux businesses from the conference. The answer we got back was interesting in a couple of regards, and deserves a closer look here.

First of all, the organizers evidently did extend an invitation to Red Hat, which declined to attend. Red Hat apparently sees its best business opportunities in the first world. The conference thus can claim to have not entirely excluded Linux, but it also does not get off the hook quite that easily. Red Hat and Linux are two very different things, and inviting Red Hat is not equivalent to inviting the Linux business community. There may well be other Linux businesses which would have been more interested. Conectiva comes immediately to mind, but there would certainly be several others as well.

The note makes this claim:

"We would like to be clear, however, that the Creating Digital Dividends Conference is not focused on specific technologies or operating systems, but rather on new business models that accelerate sustainable development."
What would the organizers think of a business model that:
Jon 'maddog' Hall has a great story about a third-world cancer screening center which was able to employ a Beowulf cluster to provide near-immediate results from tests. Getting to this clinic was a long and strenuous process for many people; being able to get an answer (and possibly treatment) immediately made the trip worthwhile. It convinced people to go, and saved lives. The Red Escolar project, which is setting up Mexican schools with Linux boxes, is another example of what can be done with free software.

Linux and free software are far from a complete answer to the third world's problems. But a conference that tries to address those problems without Linux is missing a crucial tool. The people who do real work in the third world, however, are increasingly making use of the tools available to them without the need of a conference to tell them what to do. The absence of Linux from this conference is unfortunate, but will not change much in the long run.

Do free software projects need public relations? An often-heard sentiment among KDE developers is that they may have a better desktop, but that the project has taken a number of hits on the public relations front. This idea was made more explicit this week with this KDE Dot News editorial on how to improve KDE's public image.

"There is a general consensus that the KDE project, despite its technical superiority among various desktop environments, has had a poor PR record, especially in North America. Now that the release has been delayed a week or so, let's take this opportunity on dot.kde.org to present and share ideas that will help the KDE PR and marketing efforts."

Do free software projects need to worry about PR? Part of the mythology of free software is that good code drives out bad, and that the best code wins. So a development project should concentrate its effort on its code, and the rest will take care of itself. Right? Of course not.
In the business world, simply having the best product is no guarantee of success. The same will certainly hold true in the free software world - especially as the use of free software grows, the stakes get higher, and the amount of money involved increases. There are thousands of development projects out there competing for both users and developers. Good code is a powerful advantage in that competition, but good PR will be important too.

The age of free software project PR may well have had its start at the first LinuxWorld conference in March, 1999. The GNOME project used the event to launch its 1.0 release - and even called a press conference. That move surprised a number of people; after all, press conferences for software releases had not previously been part of the free software development process. That release was part of a well-funded effort to take a project whose code was certainly second-best and make it into a true competitor - and it appears to have worked. Would GNOME be where it is without its PR work?

Development projects - especially large ones - are going to have to put more thought into their PR in the future. One unfortunate consequence of that may be that, in the future, ambitious projects will have a hard time getting off the ground without some sort of corporate sponsorship. That sort of sponsorship is often available, which is an entirely good thing. But free software is supposed to be about what its users want, not what corporations want.

Beowulf 2 from Scyld. Scyld Computing has announced the availability of the second generation of Beowulf software. In this release Scyld is trying to address a number of the difficulties found by users of Beowulf clusters - in particular, the lack of tools to manage clusters and make them appear to be a single system. This announcement is important for a couple of reasons.
Scyld, of course, is the company created by Donald Becker, the guy who first strung together a rack full of Linux systems and called it "Beowulf." He is also, incidentally, the author of a vast number of network drivers in the kernel. Most likely, not even Donald knew what he was setting in motion with that first cluster of his. Beowulfs are now popping up everywhere; for a great many applications they are far more cost effective than the "big iron" supercomputers normally employed for serious number crunching.

Beowulf clusters are not for everybody, however. They remain, to a great extent, a "build it yourself" system involving a fair amount of expertise, time, and duct tape. The users of Beowulf clusters have to be highly aware of how the system is built, and restructure their applications accordingly.

Many companies have announced cluster products with nice interfaces, but most of those are oriented toward high-availability web serving. The roots of Beowulf, however, are in hard-core number crunching, and the companies operating in this area (HPTi, Linux Networx, Atipa, and others) have concentrated more on nice hardware. So the software gap remains.

To address this area, Scyld has added a set of cluster configuration and monitoring tools. There is a nice graphical interface and everything. A front-end computer handles administrative tasks, and keeps the whole cluster together. The compute nodes are just that - they even get their operating system from the master system. The whole thing is meant to be easily scalable, so that adding new nodes is a simple task.

As part of this release Scyld is making available a new version of BProc, which is a clustered process management utility, and a thing called Two Kernel Monte which allows substituting a system's kernel "on the fly" without dropping back to the BIOS level. Those who want to buy a CD with the new code may do so; it's also all available for download from the Scyld web site.
The company is clearly planning to make its money on the service side; they offer an array of installation and support plans.

The Linux cluster market could well be a large one. The world's appetite for high-end computing continues to grow, and the economics of commodity clusters are persuasive. Donald Becker and company profited little from the first wave of Beowulf clusters; they may do better with the second.
October 12, 2000
Security

News and Editorials

CERT to disclose software flaws (ZDNet). CERT, the first official "Computer Emergency Response Team", was founded in 1988 by DARPA (Defense Advanced Research Projects Agency). It quickly became an essential resource for computer systems administrators dealing with a (then rare) computer intrusion. Over time, however, CERT's policy of contacting all vendors in advance about security problems, and giving them all time to provide fixes, led to longer and longer lead times before security problems were announced. This was particularly troublesome when the reported vulnerability was widely known and being actively exploited.

CERT's policy did a lot to demonstrate the need for full disclosure lists, such as BugTraq, which came along later. CERT's policy failed to put much needed pressure on vendors to make security a high priority.

Now, in the midst of large-scale debates about whether or not full disclosure is a "good thing", CERT has finally, twelve years later, changed its own policy. Whether or not all vendors have produced fixes, CERT will now announce all vulnerabilities 45 days after they are initially reported, promising full credit to the originators of the report.

We mentioned this policy change last week. This week, ZDNet has reported on it as well, commenting that "It may herald the end of a fight that has inflamed the security community for more than a decade".

While we doubt that the fight is likely to be over any time soon, CERT has drawn a new line. They consider themselves to have chosen a middle course, between full disclosure and no disclosure. What they have done, instead, is to validate the arguments of full-disclosure adherents and establish a new outer limit to non-disclosure.

Given the overwhelming number of new security vulnerabilities that are being reported, it is also likely that an open-ended vendor process for each vulnerability simply became impossible to support.
In addition, there are many for-profit and non-profit security groups that are now in competition with CERT. CERT's announcement, as a result, is less ground-breaking and more an acceptance of the status quo: full disclosure with some set time allowed for cooperation with vendors, ranging from a matter of hours to a matter of a few weeks. 45 days is, under those rules, probably the most generous offer a vendor is likely to find.

Why the world needs reverse engineers (ZDNet). Educating people on the need for reverse engineering is the goal of this ZDNet article, written by Weld Pond, Manager of Research and Development for @stake, Inc., a computer security firm. The CueCat barcode scanner from Digital:Convergence is used as an example. "Many of the privacy risks we face today such as the unique computer identification numbers in Microsoft Office documents, the sneaky collection of data by Real Jukebox, or the use of Web bugs and cookies to track users were only discovered by opening up the hood and seeing how things really work."

Open Sources: The other side of the story (ZDNet). An interesting story showed up on ZDNet's Interactive Week. It's a story about security as seen through the eyes of Mudge, Vice President of R&D at the company once known as L0pht and now known as @stake. "...software consumers have become so cynical they 'need third-party proof of concept' before they'll believe the software's been fixed, and the only way that will happen is through independent review. The software companies are where Swift and Armour were in 1906, when Upton Sinclair wrote his classic exposé on the meatpacking industry, The Jungle - the consumer uses the product at his own risk."

OpenBSD plugs a rare security leak (Upside). Upside looks at OpenBSD's handling of security problems. "For most open source projects, news of an overlooked security hole is simply part of the debugging process.
But for the developers of OpenBSD, an operating system whose design motto is 'secure by default,' it's nothing short of an affront."

Security Reports

Buffer overflow problems in ncurses. A buffer overflow problem in the ncurses library has been reported by Jouko Pynnönen. As a result of this problem, programs that use ncurses are vulnerable to attack. Successful exploits have already been demonstrated, though none are known to be in use by the Bad Guys as yet. It is possible - though unconfirmed - that remotely-exploitable vulnerabilities could exist. The problem is present in most, if not all, Linux and BSD variants.

Expect to see a pile of fixes show up in the next few days; we'll let you know when they are released. This is another ugly one.

To help people find binaries linked against ncurses, Dominic Mitchell sent us this script, along with an example output from searching /usr/bin on FreeBSD. It quickly reported 27 possibly affected binaries...

LinuxPPC security update - single user mode. LinuxPPC has issued a security update regarding single user mode login. Currently, all past and present versions of LinuxPPC (going back to 1998's Release 4.0, and possibly earlier) have a vulnerability when booting in single user mode. The computer will automatically perform a root login without asking for password. Updates are recommended, although LinuxPPC plans to have this fixed in its upcoming release.

Red Hat security update to usermode. A bug report to Red Hat pointed out a new vulnerability in the usermode package. The userhelper binary inherits the LANG or LC_ALL environment variables and then passes them on to non-setuid root programs, bypassing protections recently integrated into the glibc library to prevent a format-string exploit.

This week's updates:
Boa. Lluis Mora reported vulnerabilities in the Boa webserver which could both allow access to files outside the document tree and a compromise of the web server account. The Boa development team, in coordination with Lluis' advisory, released boa 0.94.8.3, which fixes these problems.

This week's updates:

TCP weak initial sequence numbers. The Hacker Emergency Response Team (HERT) put out an advisory for problems with the manner in which initial TCP sequence numbers are generated, leading to the ability to predict sequence numbers and therefore "spoof" packets. Their report focused on FreeBSD, which responded with this advisory, acknowledging the problem and providing patches. However, FreeBSD's advisory states that they do not believe this problem is unique to FreeBSD. We have no updated information on what other operating systems might be impacted; the implication is that all systems derived from 4.4BSD-Lite2 are likely candidates.

Directory traversal vulnerabilities. The following web scripts were reported to contain directory traversal vulnerabilities, allowing arbitrary files on the web-server to be read:
Updates

LPRng, LPR format string vulnerabilities. Format string problems in LPRng were reported in late September. Updates for LPRng and lpr (for a related problem) continue to be published.

This week's updates:
ssh/OpenSSH file transfer vulnerability. All versions of ssh derived from ssh-1.2.x contain a vulnerability in which a compromised server can be used to copy arbitrary files to an uncompromised local system, if that system uses ssh/scp to download files from the compromised server. Check last week's LWN Security Summary for more details. No fixes for this problem have been reported as of yet. Some distributions are shipping updates that remove the setuid bit from the scp binary in order to minimize potential damage.

This week's updates:

traceroute local root access. A local user can exploit vulnerabilities in traceroute to gain root access. For more information, check last week's LWN Security Summary.

Note that Red Hat 7 already included a patch to get a raw socket and then drop privileges at startup. As a result, it was not affected by this most recent report. Kudos to them for proactively fixing potential security problems before a new vulnerability pops up; it's nice to know somebody was looking at the code with security in mind.

This week's updates:

Previous updates:
esound tmpfile link vulnerability. Check the September 7th LWN Security Summary for the original report of this problem from FreeBSD. Linux security teams should note that it took two weeks from that initial report before a Linux update for this problem was released.

This week's updates:

Previous updates:
GNU CFEngine format string vulnerability. Root access can be obtained on a local system by exploiting CFEngine's use of syslog and its related format string vulnerability. Check last week's LWN Security Summary for more details.

This week's updates:

tmpwatch fork bomb denial-of-service vulnerability. Check the September 14th LWN Security Summary for additional details. Note that almost a month passed before the first update for this problem was released. Since then, a local root compromise problem has turned up as well; this is fixed in all of the updates.
gnorpm tmpfile link vulnerability. All versions of gnorpm prior to 0.95.1 contain an improper use of a link to a temporary file that can be locally exploited to overwrite arbitrary files on the system. Check last week's LWN Security Summary for more details. The latest version contains many non-security fixes as well, reportedly making it actually usable.

This week's updates:

Previous updates:
Apache mod_rewrite vulnerability. Files outside the document root can be accessed, if the mod_rewrite module for Apache is in use. For more details, check last week's LWN Security Summary.

This week's updates:

Resources

Full Disclosure Panel. A panel discussion on the issue of Full Disclosure is planned for the next episode of Info.sec.radio, a radio show produced by SecurityFocus.com and made available via RealAudio. The show will be held on Monday, October 16th.

Events

Upcoming security events and announcements.
Section Editor: Liz Coolbaugh
Kernel development

The current development kernel release remains 2.4.0-test9. The first 2.4.0-test10 prepatch came out on October 9; it contains a number of USB updates, some miscellaneous fixes, and more virtual memory patches from Rik van Riel.

Ted Ts'o posted a new 2.4 jobs list on October 9. It remains a lengthy document...

The current stable kernel release is still 2.2.17. No 2.2.18 prepatches were released this week.

Where is 2.0.39? The final prepatch came out a few weeks ago, but the real 2.0.39 release has not happened. It turns out that a few problems have been reported in that "final" prepatch, and they are proving difficult to resolve quickly. David Weinehall has said that the release will happen before too long, even if the problems can not be fixed.

Kernel.org has a new cryptographic key. H. Peter Anvin announced that a new key is now in use to sign files on the kernel.org site. The old one, as it turns out, was set to expire. If you are using the key to verify files downloaded from a kernel.org mirror, you'll need to read the announcement and get a copy of the new one.

Handling 'out of memory' (OOM) situations is a recurring linux-kernel topic. It came up again this week after Rik van Riel posted a patch with a new "OOM killer" routine; this patch subsequently made its way into 2.4.0-test10-pre1.

The Linux kernel, remember, is capable of allocating more virtual memory to processes than it is really able to provide. This is done because processes generally do not use anywhere near all the memory they ask for. To require that the kernel be able to satisfy every last allocation would greatly reduce the total available memory, and would be wasteful. So Linux overcommits its memory. The consequence of that approach, however, is that the kernel can possibly find itself in a position where it is unable to provide memory to a process that thinks it already has it.
It seems to be generally accepted that the only way out of that bind is to start killing processes to recover their memory. Killing processes is not a very satisfactory solution, but it is better than having the whole system lock up. The hard part, though, is choosing which process to kill. Early OOM killer attempts tried approaches like killing the largest processes on the system. Doing that does indeed recover memory, but usually at the cost of killing the X server or netscape - leading to disgruntled users. So Rik's patch tries to be smarter in how it targets processes. In particular, it:
The targeting of niced processes drew some complaints. Often a process that has been niced is the big cranker job that is the reason for the system's existence in the first place. Rik responded that long-running jobs are unlikely to be killed anyway, and thus the cranker should be safe; in the end, though, he removed the nice penalty anyway.

There was some interesting talk of other approaches. One would be to account for memory on a per-user basis and to kill processes belonging to the user who is causing the problem. That, though, leads to difficulties like figuring out a way for the X server (which often runs as root) to account for resources allocated on behalf of users. Another possibility would be to provide a system call where processes could tell the kernel what their relative importance is.

Yet another would be a way for the kernel to signal processes and ask them to voluntarily reduce their memory usage. After all, many processes have memory they could give up if need be; netscape's in-core cache and the X font cache come to mind. However, due to fragmentation issues, memory freed by processes is not necessarily reusable by the system.

In the end, though, the "out of memory" situation is rare, and it is not necessarily worth trying too hard to find a perfect solution. As Linus put it, that perfect solution is probably unreachable, and the attempt is likely to produce worse results than the simple, "good enough" solution. So the OOM killer is probably about as refined as it is going to get.

Updates on the TUX2 patent issue. Last week we covered the three patents held by Network Appliance which appear to cover the "phase tree" algorithm used by Daniel Phillips' TUX2 filesystem. Here's the latest on that situation.
Other patches and updates released this week include:
Section Editor: Jonathan Corbet
Distributions

Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Here comes ... Coventive. A company called Coventive Technologies announced its existence to the western world this week. Coventive appears to be based in Taiwan, but it is now making a play for the U.S. market. "Now great technology companies originate all over the world and expand into the U.S. as part of a worldwide business strategy."

Coventive has a Linux distribution it wants to sell, called XLinux. It comes in both server and embedded versions. On the server side, Coventive claims that XLinux is "one of Asia's most popular branded Linux solutions for enterprise servers;" the company apparently has partnerships with Acer, Compaq, IBM and HP. On the embedded side, they claim "the smallest known fully functional commercial embedded Linux kernel," weighing in at 143KB.

The core of Coventive's offering, however, would appear to be its internationalization effort. XLinux is supported with English, French, German, Italian, Spanish, Portuguese, Russian, simplified and traditional Chinese, Japanese, Korean, Thai and Vietnamese. They highlight their "Giga Character Set" (GCS) capability, which they use to support Asian language display. In fact, there is even a white paper (published in LinuxDevices.com) on how GCS works. From that paper:

"GCS is fundamentally different from other display codes because it is not based on assigning binary codes to characters or letters. GCS is actually a mathematical encryption algorithm that the computer uses to transition between natural language characters and letters and computer language bits. A different algorithm is developed for each language, which captures that specific language's peculiarities, such as basic symbols, spatial relationships, directionality and supplemental symbols."

The explanation leaves a bit to be desired...
Essentially, the company has come up with a way of representing eastern glyphs that better matches their structure. Many Asian characters are composites, made up of one or more simpler characters. Unicode simply makes a big catalog of characters, without recognizing their internal structure; GCS apparently handles things in a more natural manner. Some more information may be found on the Coventive web site, but that site evidently was not designed with Linux-based browsers in mind.

There is no information on the origins of the XLinux distribution. However, a look around on their FTP site (which is at ftp.xlinux.com) reveals an RPM-based distribution with a Red Hat-like directory structure. The version on the FTP site is 1.1, however; the material on the web site talks about a number of later releases.

In coming to the U.S., Coventive is jumping into a crowded marketplace - and one which may not be greatly concerned about nice display of Asian character sets. But the company seems to be doing well in its home market, and may yet have a surprise for the western hemisphere as well.

LinuxToday prints Red Hat response. LinuxToday covered the Red Hat 7 gcc/glibc controversy this week, including comments from Alan Cox (from linux-kernel) and Erik Troan, Red Hat's VP of Product Engineering (from an interview with LinuxToday).

Despite this statement, several members of the discussion list would not back away from charging that because of its inclusion of a compiler that was not binary compatible with anything else, Red Hat was beginning an attempt to create a proprietary distribution. Cox denied these charges in the discussion, reiterating his point that Red Hat's efforts were innovative, and not divergent.

(See also: last week's LWN Distributions Page which discussed this issue in detail).

Distribution Reviews

Evolution, not revolution (ZDNet). ZDNet takes a look at Red Hat 7.
"Providing an easy upgrade to the soon-to-be-available Linux 2.4 kernel; a wide array of improvements, including USB support for keyboards and mice; and new encryption capabilities, Red Hat Inc.'s Red Hat Linux 7 is an evolutionary upgrade of the operating system but is hardly a showstopper."

General-Purpose Distributions

A proposed change to the Debian Social Contract. A call for votes has gone out to the Debian developer community regarding a proposed change to the Debian Social Contract. The text of the proposed change is available - it's written in classic dry legalese suitable for a local tax district initiative. Essentially, this change is the follow-through of the discussions on whether the non-free directories were needed any more.

The proposed change would:
Anyway, voting will go through October 23; we'll cover the results as they are released. Unfortunately, no public opinion polling data appears to be available...

Debian Weekly News. The Debian Weekly News for October 11 is available. It covers some interesting changes to the Debian bug reporting system, security updates for 2.1, handling of locale data, and more.

General Red Hat 7 updates. Red Hat has been cranking out the updates to fix the problems that have turned up in Red Hat 7. Beyond the security updates, which are mentioned on the security page, there are fixes available for:
Many of the problems fixed are quite small, but it is likely that quite a few users will want to apply the glibc fixes.

TurboLinux announces University Outreach Program. TurboLinux has sent out an announcement describing its University Outreach Program. "Over the past six months, TurboLinux has donated software and services to more than 300 universities across North America. The TurboLinux University Outreach Program has also provided generous discounts on high-end clustering solutions, sponsored Linux 'install fests' and attended numerous university events."

TurboLinux also announced that Sacramento State's computer science department, one of the largest CS departments in the California State University system, has standardized on a TurboLinux Server and IBM XSeries platform to teach its upper division systems programming class to 130 students.

Immunix Workgroup Server Brings Linux to the Newbies (Network Computing). Network Computing reviews the Immunix Workgroup Server. "The underlying OS is Immunix 6.2, a standard Red Hat distribution. The source code is recompiled with StackGuard (buffer overflow protection) along with other tools to form a hardened distribution. On top of the OS is Wirex's proprietary Web-based Remote Network Administrator (RNA) engine."

Blue Fox: the search for a perfect distribution continues. Rick Collette, the original founder of Spiro Linux, is now working on new projects over at deepLinux, his new company. In addition to work on embedded systems, Rick has restarted his project to build the perfect "mainstream" GNU/Linux system, to be named Blue Fox Linux. He's looking for other visionaries/programmers to help him out, as he comments in this recent announcement.

Embedded Distributions

deepLINUX embedded toolkit released. deepLINUX has announced the release of its "dELT" embedded Linux toolkit. It currently supports the Intel and MediaGX chipsets, with ports to SPARC, StrongARM, and Alpha planned in the future.
Mini/Special Purpose Distributions

LinuxPPC bundles partitioning software. LinuxPPC announced their agreement with FWB Software to allow them to bundle FWB's Hard Disk Toolkit*PE partitioning tool with LinuxPPC. Anyone ordering a copy of LinuxPPC 2000 from the LinuxPPC website will receive a free copy of the disk partitioning tool, which will also be bundled with the next major release of LinuxPPC.

Section Editor: Liz Coolbaugh
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
Development projects

News and Editorials

Python 2.0 release candidate 1. The first release candidate for Python 2.0 has been announced. This will be the first release since the development group moved to BeOpen, and the first under the BeOpen license.

Despite being a "dot-zero" release, Python 2.0 does not bring major changes to the language. Instead, the changes are mostly incremental. They include:
This is, with luck, the only 2.0 release candidate. For those who are interested in helping, now is the time to try out this release and report on anything that it breaks for you. In the absence of trouble, the real 2.0 release will be out shortly.

Browsers

Opera for Linux Beta 1. The Opera for Linux beta version is finally out. Opera is based on Qt but a statically linked version is available so you don't necessarily need Qt to run it. A strong feature set is presented for this new Linux browser entry including XML, CSS and PNG support, plus Netscape and IE bookmark import features. There are some rather unpleasant bugs, but they are mentioned on the Web site - use with caution.

MozillaTranslator.org opens. Mozilla Translator is both a program and a website. The program helps to automate the process of translating Mozilla to new languages. The web site aims to be the central repository for Mozilla translation software and should help to bring people working on translations together.

Databases

PostgreSQL Developers Join Great Bridge. Three PostgreSQL developers, Bruce Momjian, Tom Lane and Jan Wieck, have been hired by Great Bridge LLC to fill senior level positions. "'Bruce, Jan and Tom provide Great Bridge with an unparalleled level of technical expertise in open source development. By joining Great Bridge, they can turn their part-time passion into full-time careers,' said Great Bridge President and CEO Robert Gilbert. 'It is also a strong endorsement of Great Bridge's efforts to build a strong support system for businesses that use open source software. We share the belief that open source is the best, most efficient model for producing powerful software, and our business targets the single most significant barrier to its being adopted on an even larger scale -- the perceived lack of corporate support services.'"

Education

SEUL/edu Linux in Education Report. After a week off, the SEUL/edu Linux in Education Report is back.
It presents a wishlist for simple math programs, and covers a number of other available educational resources.

Electronics

gEDA snapshot available. A new snapshot of the GPL Electronic Design Automation (gEDA) package is available for download. The gEDA project is a collection of programs for simulating electronic circuits and drawing schematics, among other things.

GNU Waveform Viewer: gwave. A new version of gwave, the GNU Waveform Viewer, was released on October 9, 2000. "Gwave can read binary or ascii files written by HSpice from transient, AC, or Sweep analyses, "raw" files written by Spice2, Spice3, or ngspice, and transient analysis files from the CAzM simulator."

Games

Fanwor mimics Atari Legend of Zelda (Identicalsoftware). A new version of Thomas Huth's action-adventure game, Fanwor version 1.11, has been released. Fanwor has been released under the GPL license.

Embedded Systems

Microwindows v0.89 pre2 released. The Microwindows Project has released microwindows version 0.89 pre2. A number of new features have been added, including handwriting recognition and a new window manager. "Microwindows is an Open Source project aimed at bringing the feature of modern graphical windowing environments to smaller devices and platforms. Microwindows allows applications to be built and tested on the Linux desktop, as well as cross-compiled for the target device."

Lineo releases BusyBox 0.47. Lineo has announced the release of BusyBox 0.47. BusyBox is a set of tiny command line utilities for embedded (and otherwise space-constrained) systems; it was originally written by Bruce Perens.

Network Management

BIND 9 released. Version 9 of the BIND DNS nameserver has been released. BIND 9 is a complete rewrite of the code, and features improved security, IPv6 support, and more.

This week's OpenNMS update. Here is the OpenNMS update for October 10, covering the latest from the Open Network Management Software project.
The OpenNMS folks seem to be busy with trade shows at the moment; they'll have a booth at ALS for those who would like to drop by.

Office Applications

KOrganizer 2.0. KOrganizer version 2.0 will be included in the upcoming, if somewhat delayed, KDE 2.0 release. "KOrganizer is the KDE calendar and scheduling application. It provides management of events and tasks, alarm notification, web export, network transparent handling of data, and more." KOrganizer looks to be a very useful desktop application and is definitely worth checking out.

Gimp 1.1.27 bug fix release available. Gimp 1.1.27 has been released. This is a bug fix release that fixes some Perl problems from the previous release. Gimp is a full-featured image manipulation program with capabilities similar to Adobe Photoshop.

On the Desktop

KDE2 Release Delayed One Week. KDE Dot News reports that the release of KDE2 has been delayed for a week, as a result of it being not quite stable yet. A new release candidate is being prepared, and the new release date is October 23.

The People Behind KDE: Waldo Bastian. The "People behind KDE" series continues with this interview with Waldo Bastian. "I try to ensure that the fundaments of KDE are technically sane, reliable and well-performing. I also edited the last incarnation of KDE's style guide and promote this to others as so ensure that the whole of KDE has a consistent look and feel."

Trolltech releases Qt 2.2.1. Trolltech has released version 2.2.1 of Qt, the windowing toolkit used by KDE. This version is mainly a maintenance/bug fix release which solves several compatibility problems.

KDE wins Linux Community Award 2000. According to KDE Dot News: "Matthias Elter announced today that KDE has won the Linux Community Award 2000 at LWE in Frankfurt/Germany!"

GNOME Foundation Elections. The election for the GNOME Foundation board of directors will happen during the first week of November.
They say that "anybody who has contributed in any way to GNOME" is eligible to vote; it is, however, necessary to register first. See this item on Gnotices for more information on how the election will work.

Science

Genomes at Home? (NewsBytes.com). In the footsteps of the wildly successful Seti@Home project comes Fold@Home, a project to "unravel the mystery of protein folding, or how proteins self-assemble." Join in and let your computer chew on some data in its spare time.

Web-site Development

Apache 2.0 alpha 7 released. The seventh alpha release of Apache 2.0 has been announced. This release contains a number of bug fixes, and a new "input filtering" capability as well.

Midgard Weekly Summary. Here is the Midgard Weekly Summary for October 11. The first release of the Midgard 2.0 requirements document and a number of other Midgard development topics are covered.

Upcoming Zope Book. Michel Pelletier and Amos Latteier are in the process of writing a new book on Zope. Parts of the book are available online, and the authors are seeking comments on the material. Beware that this is an Alpha release of the book and it may contain errors.

Zope Weekly News. The somewhat misnamed Zope Weekly News for October 11 is out. It covers a number of topics in Zope development, including session tracking and write locking in Zope, web security, using Zope with Python 2.0, ZPatterns examples, and more.

PyPortal web portal creation software. PyPortal is a Python library that is useful for the creation and maintenance of web portal sites. The announcement claims that you can create a web site in under 5 minutes. PyPortal has been released under the GPL license.

Section Editor: Forrest Cook
October 12, 2000
Programming Languages

C/C++

GCC steering committee position on use of snapshots. The GCC Steering Committee has issued a statement on the use of snapshots in distributions. This statement is clearly in response to Red Hat's use of gcc-2.96 in its Red Hat 7 release, as covered in last week's LWN Weekly Edition. "We would like to point out that GCC 2.96 is not a formal GCC release nor will there ever be such a release. Rather, GCC 2.96 has been the code-name for our development branch that will eventually become GCC 3.0. Current snapshots of GCC, and any version labeled 2.96, produce object files that are not compatible with those produced by either GCC 2.95.2 or the forthcoming GCC 3.0." (Thanks to Toon Moene).

Java

Do not reassign the object reference of a locked object (IBM Developer Works). Peter Haggar has written an article for IBM's developerWorks that discusses the Java synchronized keyword and its application for the locking of objects.

Perl

University of Perl reports (Use Perl). Use Perl has run a series of articles by Nathan Torkington that document what has been happening at the recent University of Perl class:

Python

This week's Python-URL. Dr. Dobb's Python-URL for October 9 is out, containing, as usual, the latest from the Python development world.

PyXML 0.6.1 is released. PyXML version 0.6.1 has been released. This version has numerous bug fixes, better test suite support, and support for Python 1.5.2. "The Python/XML distribution contains the basic tools required for processing XML data using the Python programming language, assembled into one easy-to-install package. The distribution includes parsers and standard interfaces such as SAX and DOM, along with various other useful modules."

Python 9 Conference. The 9th International Python Conference is being held from March 5 through 8, 2001 in Long Beach, California. Information on paper submission dates has been given.

ReportLab 1.01. ReportLab version 1.01 is now available.
ReportLab is a Python package that is used to generate PDF documents.

Tcl/tk

This week's Tcl-URL. Here is Dr. Dobb's Tcl-URL for October 9. Check it out for the usual collection of interesting Tcl/Tk tidbits.

FreeWrap 4.4 announced. FreeWrap is a program that converts TCL/TK scripts into single-file binary programs. The release of FreeWrap version 4.4 has been announced.

Software Development Tools

Autoconf/Automake Book. Havoc Pennington, GTK+ expert and author, pointed out an upcoming book from New Riders called GNU Autoconf, Automake, and Libtool.

Section Editor: Forrest Cook
Linux and Business

E*Trade and the Red Hat IPO. Many of you will likely remember the troubles that some people had in participating in Red Hat's IPO a year ago last August. Participants had to pass through the gauntlet of E*Trade's questionnaire, followed by a last minute reconfirmation dance when the IPO price was raised (to $7, split adjusted). Most people probably thought that this story was closed long ago, especially since, in the end, 1150 of the 1300 developers who indicated interest in participating were able to do so (according to former Red Hat manager Donnie Barnes).

As it turns out, the story was not over. One person who wished to participate was Semyon Varshavchik, otherwise known as "mrsam." He was one of those who never was successful in joining the IPO, and he was not pleased. So he filed an arbitration claim against E*Trade, claiming that he had been unfairly denied the opportunity to participate. This case went on for a year.

Over that year, some interesting things turned up. For example, E*Trade appears to have "lost" 200,000 of the Red Hat shares that were supposed to be distributed in the offering - 25% of the total they were allotted. It also turns out that there was no SEC-mandated requirement for the questionnaire that E*Trade made participants answer. That much has been clear for a while, since companies like VA Linux Systems and Caldera Systems were able to run community offering programs without that formality.

In August, Mr. Varshavchik won his case; he was awarded $14,800 in damages from E*Trade, plus interest and legal fees. That is far short of the almost $55,000 requested, but is still a clear victory. Others who were denied the ability to participate in the IPO may want to consider similar action.

A great deal of information on this case may be found in Mr. Varshavchik's "etrouble" pages; it makes for interesting reading in any case. (See also this Slashdot article, which is where we found this story).
Free Standards Group releases Linux Development Platform Specification. The Free Standards Group has announced the release of the Linux Development Platform Specification. The LDPS, first covered in the August 3 LWN Weekly Edition, defines a base set of capabilities that all Linux systems should provide. This set, along with some programming guidelines, is intended to help application developers write code that is portable across distributions.

SAP to release database under GPL. SAP has announced the forthcoming release of its SAP DB database management system under the GPL. It will apparently be available toward the end of the year. A site is being set up at sapdb.org to support the release and subsequent development work.

Cnation Unveils Open Source Platform, BingoX. Noting sites such as Fox Interactive and eToys.com as users, Cnation announced the release of their BingoX Web development environment as an open source product. Based around Perl and Apache, "BingoX is an open source, object oriented Web Application Framework written in mod_perl that is meant to dramatically reduce the time required to build large dynamic, database driven web sites and applications". Cnation has released BingoX under the LGPL license.

Vita Nuova to distribute Plan 9 in a box. Vita Nuova has announced its intention to sell a boxed version of the Plan 9 operating system.

Press Releases:

Open Source Products

Unless specified, license is unverified.
Distributions and Bundled Products
Commercial Products for Linux
Products Using Linux
Products with Linux Versions
Java Products
Books and Training
Partnerships
Investments and Acquisitions
Financial Results
New Offices/Personnel
Other
Section Editor: Rebecca Sobol.
Linux in the news

Recommended Reading

Why the world needs reverse engineers (ZDNet). Here's a ZDNet column in defense of reverse engineering. "There are now black boxes, whether in hardware or software, that are illegal to peek inside. You can pay for it and use it, but you are not allowed to open up the hood. You cannot look to see if the box violates your privacy or has a security vulnerability that puts you at risk."

Companies

Tech giants give $30 million more to TurboLinux (News.com). News.com reports on the latest investments in TurboLinux. "One source familiar with TurboLinux's plans said the company's IPO schedule is moving along, though, and the company intends to file its initial public offering plans with federal regulators soon. An investment bank has been selected to lead the IPO, the source said."

Learning the ways of Mozilla (Upside). Upside looks at the Mozilla project and the difficulties that outsiders have sometimes encountered when trying to participate. "All told, [Mozilla 'Chief Lizard Wrangler'] Baker says the ratio of Netscape to non-Netscape developers has steadily declined since the first source code release in April 1998. With Mozilla currently preparing to pass its final milestone prior to its official 1.0 release -- an event Baker currently predicts to be in the second quarter of 2001 -- the days of Mozilla's reputation as the Winchester Mystery House of open source projects are coming to a quick close."

Open source uncertainty over Microsoft-Corel (Upside). Upside looks at Microsoft's investment in Corel. "As for Corel and its own future as a Linux operating system and application vendor, company president Derek Burney, who replaced the outgoing Cowpland last month as chief executive officer, says the company is already evolving beyond operating system concerns."

Refreshed Corel gets down to business (Ottawa Citizen). The Ottawa Citizen looks at the changes at Corel.
"In what is perhaps a sign of things to come, Corel has cancelled the annual gala that Marlen Cowpland, Mr. Cowpland's wife, used to sport revealing, attention-getting outfits. At the 1999 gala, she wore a $1-million leather catsuit with 24-karat gold breastplate, adorned with a 15-karat diamond nipple. Corel spokeswomen Anne Vis said cancelling the gala, which had cost as much as $3 million in years past, is 'part of our cost-restructuring program and our more disciplined financial approach.'" Sounds like good thinking on their part.... There's some serious news too: "Since Mr. Burney took over as interim chief executive, the Linux startups Corel had invested in under Mr. Cowpland have seen their financing cut and say the turnover in employees at Corel has left them with virtually no communication with the Ottawa company."

Sun's purchase of Cobalt nullifies three potential threats (InfoWorld). Nicholas Petreley points out the advantages to Sun of its purchase of Cobalt Networks. "The best news of all for Sun is that no matter how the hardware picture develops, Sun's implicit endorsement of Linux by purchasing Cobalt puts yet another nail in the coffin of Windows 2000. This helps Sun eliminate the only threat about which it can do nothing."

VA Linux creates Japanese alliance with Sumitomo (ZDNet). Looks like VA is making their move into Asia: "VA Linux Systems, Inc. and Sumitomo have invested in a new joint subsidiary, VA Linux Systems Japan, and NTTCommunicationware, NEC Technologies, Inc., and Toshiba Engineering have also indicated plans to invest in the venture."

Riding the Gnutella Wave (Internet World). Internet World looks at Gonesilent, the successor to Infrasearch. "If you want to know how revolutionary a piece of software is, you might try measuring how long it stays on the Net before it is hastily banished."

Synopsys pulls Linux into full ASIC design flow (EETimes).
In what may be considered the "Oracle on Linux" announcement for the chip designing world, Synopsys Inc. is making a complete, front-end ASIC design flow available under Linux... "a move that opens the door for the widespread adoption of Linux as the No. 2 EDA platform and very possibly writes the epitaph for Windows NT in chip design." (Thanks to Tom Verbeure).

Business

Red Hat, SuSE CEOs: We're for Linux open source (InfoWorld). Bob Young of Red Hat and Dirk Hohndel of SuSE were interviewed at LinuxWorld in Berlin: "'If permanent copyrights had existed in the time of the ancient mathematicians, every time you wanted to use the Pythagorean Theorem or an isosceles triangle, you'd have to pay royalties,' said Young, remarking that scientific progress is based on the sharing of knowledge, with each researcher building on previous innovations."

Linux leader says standard version will emerge (News.com). TurboLinux CEO Paul Thomas says that Linux distributions will converge over the long run: "The world doesn't need 150" versions of Linux, he said Wednesday at a W.R. Hambrecht conference for open-source software. "Consolidation will take place."

Red Hat talks big at open-source conference (News.com). News.com reports from the W.R. Hambrecht conference on open source companies. "At today's open-source conference, [Red Hat CTO] Tiemann said Red Hat has won the 'distribution' battle, the effort to sell Linux and associated software. 'The Linux distribution game is over. Red Hat has won that game. Red Hat is the market leader in virtually every respect,' he said."

Penguins invade the orchard (ZDNet). Here's a ZDNet column on how Linux threatens Apple. "All I do know is that Linux is becoming a credible desktop far faster than most would have predicted, and Apple's pretty plastic cases and faux-open-source OS won't be enough to keep it from being the next victim of Linux's rise up the food chain."

IBM's Entire eServer Family To Run Linux (ZDNet).
IBM is preparing its entire hardware server line to run all four major distributions of Linux - Caldera, Red Hat, SuSE, TurboLinux.

InfoWorld Announces Top 10 Innovators. InfoWorld has a top 10 list available that includes some well known names in the Open Source field: Apache, Tim Berners-Lee, Richard Stallman and Phil Zimmermann.

Operating System Invades Jim Henson's Creature Shop (LinuxNews.com). LinuxNews.com reports on the use of Linux at Jim Henson's Creature Shop. "While the original Muppets will remain unchanged, old favorites as well as new characters are performing in online and real-time computer graphics venues, as well as preparing for new adventures on the silver screen, through a new Linux-based control system."

Microsoft `Gets It': Does the Linux Community? (LinuxNews.com). LinuxNews.com is carrying a story on how middleware will become the most important factor in the Internet age: "It will be the next "big thing" because Middleware will ultimately shape and define what the INTERNET becomes. The ability to identify, authenticate and authorize delivery of information will become fundamental to conducting business in the next generation of the INTERNET economy. It will encompass and pervade the information supply chain, all the way from your wrist watch access device to serving as the basis for building virtual corporate collaborations. It will ultimately call fundamental questions on the issue of privacy and the protection and maintenance of one's identity."

Open sourcerers tweak Linux for access (EE Times). EE Times looks at open source programs for disabled users. "The recent commercialization of Linux has brought with it mass appeal, with its open-source status allowing those masses to more easily share tools and solutions. But ease of use is a different issue for the nation's 54 million disabled citizens, and accessibility is a somewhat complex proposition to define."

Kernel

Linux 2.4 kernel release delayed (ZDNet).
ZDNet reports on Linus's announcement that the 2.4 kernel is at least two months away. "Open-source backers haven't been forgiving when for-profit software makers -- most notably, Microsoft Corp. -- let development schedules slip. But when it comes to Linux, they claim expectations aren't the same thing as release dates. 'We don't do deadlines in the open-source world, which is a major reason our stuff is right when it comes out,' said open-source leader Eric Raymond." (Thanks to Rolf Heckemann).

New Linux shows promise in heavy-duty business use (News.com). C|Net's News.com is carrying a story on what the scalability in the Linux 2.4 kernel will mean. "The next version of the core of Linux, the 2.4 kernel, is up and running on Sun Microsystems' top-end E10000 server with 24 processors...Solaris...works on computers with up to 105 CPUs ... and Microsoft has just released a version of Windows that can use 32 CPUs."

Resources

Embedded Linux Newsletter, October 5, 2000. The latest Embedded Linux Newsletter from LinuxDevices.com has been published.

Comparing real-time Linux alternatives (LinuxDevices.com). LinuxDevices.com has this whitepaper on alternative approaches to adding real-time capabilities to Linux. "Lately, the question of whether (and how) Linux can be made to serve the needs of real-time applications has been the subject of much debate, in a discussion made complicated by a multitude of definitions for real-time. We see the terms 'hard', 'firm', and 'soft' real-time being used. These, along with 'guarantee', 'deterministic', 'preemptible', 'fully preemptible', and 'latency', often pepper the discussions."

Reviews

Organized bookmarks? Who'd have thought it! (Canada Computes). Canada Computes reviews Gnobog, the GNOME bookmark organizer. "We're not talking rocket science here, but it amazes me that there aren't more programs like this that do to the job well. Oh well, Gnobog is definitely worth the download if you obsessively bookmark sites like I do."
Making Linux Work in the Workplace: GIMP vs. Photoshop (LinuxOrbit). LinuxOrbit compares Photoshop and the Gimp. "Using the whimsically titled, yet professionally powerful GIMP, one begins to feel that this whole Open Source deal just might work. Here is a piece of freeware going against the best in the business, and giving it a real run for the money." (Thanks to John Gowin).

Interviews

IBM: The Big Blue support for the Linux community (O Linux). O Linux talks with the IBM Linux Technology Center staff. "We base our decisions on customer demand. While Debian is well thought of, our customers have consistently expressed an interest in Red Hat, SuSE, TurboLinux and Caldera - and that's what we're giving them."

Sir(e) Ian Murdock (Andover News). Andover News profiles Ian Murdock. "Over the last ten years he has nursed a degree, fathered an operating system, nurtured the community that supports it, continues to parent four dogs, a company, and now, at last, a baby girl." (Thanks to César A. K. Grossmann).

Miscellaneous

Which is it: -ible, or -able? (LinuxDevices.com). You may have thought that the furor over MontaVista's "fully preemptable kernel" announcement had died down, but this LinuxDevices.com article shows that the real battle has yet to be fought. "But that's not where the debate ends. Nobody thought of questioning another aspect of MontaVista's release -- namely: had they spelled 'preemptable' correctly?"

Tackling The Digital Divide -- Without Linux (TechWeb). A conference to tackle the "digital divide" facing third world countries is taking shape with leaders from many big computing companies, but apparently without input from the Linux world. "But no one from the fast-growing and generally lower-cost Linux community was invited to the table, officials from the sponsoring organization, the World Resources Institute, acknowledged on Thursday".

Section Editor: Rebecca Sobol
Announcements

Linux Advanced Routing & Traffic Control List. Announcing the creation of the Linux Advanced Routing & Traffic Control List: those who have been working on the Advanced Routing & Traffic Control HOWTO for a while have noted a marked increase in the number of people sending them mail with questions. In response to this demand, there is now a list catering to the needs of people who want to discuss the application of advanced routing, traffic control and shaping on Linux. Interested parties are invited to subscribe here.

Events

Stump the Chump at Atlanta Linux Showcase. Tuxtops has announced the first annual 'Stump the Chump'. Their resident "chump", Chief Technical Officer Mark Allen, has agreed to match wits with attendees who'd like to challenge his Linux laptop expertise. ALS runs from October 10 to 14, 2000.

Keynote speakers for ApacheCon Europe. ApacheCon Europe, happening in London starting October 23, has announced its keynote speakers. They will be Dr. Kristof Kloeckner of IBM, George Paolini from Sun, and Douglas Adams, author of The Hitchhiker's Guide to the Galaxy.

Linux Expo brings Penguin Power to Hogtown. The keynote sessions for Linux Expo Toronto (October 30 - November 1, 2000) have been announced.

You have just missed the Linux2000 congress. Linux2000 took place in "De Reehorst", Ede in the Netherlands, recently, but there is another conference of interest to Linux users in the same area. Look for the autumn conference of the Unix User Group - the Netherlands, coming on November 9, 2000. (Thanks to Fred Mobach).

The New Entertainment Era. Scott Draeker, president and founder of Loki Software, Inc., will be joining Michael L. Robertson, chairman and CEO of MP3.com, Christie Hefner, chairman and CEO of Playboy (and Playboy.com) and other industry leaders for a conference that will address how Internet challenges of free speech, free trade, and intellectual property can coexist.
Cato Institute and Forbes ASAP for Technology & Society 2000, November 9-10, 2000 in Reston, VA.

Second Annual Event Honors the Best of Linux. Linux Journal and Key3Media Events, Inc. announced that Linux Journal will present the second annual Penguin Playoff Awards at LINUX Business Expo-Las Vegas. LBE is co-located with Comdex Fall, November 13-17, 2000.

October/November events.
Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Web sites

LuteLinux adopts ShowMeLinux. LuteLinux announced the addition of ShowMeLinux to their family of services. LuteLinux will be hosting future issues and will take over as publisher of ShowMeLinux, an on-line magazine.

eLance redesigns Web site. eLance, Inc. announced the release of its newly redesigned professional services marketplace site at www.elance.com.

User Group News

ILUG Bangalore. "The September 2000 meeting of the ILUG Bangalore was held in the midst of bandh's, postponements and pouring rain. The meeting began at 6:30pm on 30th September with an all-time low - only 46 attendees!" So begins this wrapup of ILUG Bangalore's last meeting. (Thanks to Atul Chitnis)

Geek Day Out. The Linux Users Group of Victoria is organizing a Geek Day Out, a festival gala for the Information Technology community with an emphasis on open source software. It takes place in Victoria, Australia on Friday, October 20, 2000. This event kicks off ACE 2000 (see the events table above).

Linux Community pavilion at Bangalore IT.COM 2000. The Linux Community of India has announced that it will be hosting a Linux pavilion at Bangalore IT.COM 2000. This is a huge event, with 350,000 attendees; the Linux area is expected to be one of the largest at the event.

LUG Events: October 12 - October 26, 2000.
Software Announcements

Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:
Our software announcements are provided courtesy of FreshMeat
Linux Links of the Week

Atheos is a free operating system for Intel boxes. It has its own kernel, written from scratch, and its own window system. It is POSIX enough to run bash, but the window system is not compatible with X. It's intended to be a desktop system; worth a look if Linux is getting old and boring.

"The face of the world has changed in 2076. Go figure. The evil multi-national corporate conglomerate empire MegaSoft® reached out and nuked someone (just about everyone, as it turns out) in 2023 with a nuclear-capable e-mail virus, designed to stop anti-trust suits. It worked, really, really well. Evil wins." Into this grim situation steps TermUnitX (TUX) to save the day. It is, of course, an online comic book, and it's wild. Worth a look.

Section Editor: Jon Corbet
This week in history

Two years ago (October 15, 1998 LWN): The word went around that Oracle was about to launch its own Linux distribution. Two years later, one can probably say that the rumor has not stood the test of time.

If Microsoft could crush us, it would already have done so. It is now several months too late for them to succeed.

Well, it seemed that way at the time...

Larry Wall was the recipient of the first Free Software Foundation Award.

The development kernel was 2.1.125; Linus announced that the last of the showstopper bugs had been fixed, and that it was about time to move into the pre-2.2 series. Meanwhile, one kernel hacker decided to go looking for foul language in the kernel source, and was not pleased with the results. We posted the resulting linux-kernel posting with a warning that it wasn't for the easily offended; it was one of the most popular files we have ever put up. And no, the kernel source has not gotten any cleaner, at least not in the comments. User-visible output is held to a "suitable for children" standard, but comments in the source itself are unregulated...

One year ago (October 14, 1999 LWN): TurboLinux racked up its first big round of equity financing. Longstanding retailer LinuxMall.com also pulled in a sizeable investment from SCO, which was clearly beginning to realize that it needed to take Linux more seriously. Both of these investments were announced at the Atlanta Linux Showcase, which was underway.

Mr. Miller says that about 40 investors have approached Turbolinux, offering a total of nearly $200 million in potential funding. A lot has changed since Mr. Miller and his wife founded Turbolinux seven years ago.
OpenSSH 1.0 was released; it was the first free ssh release in a very long time.

VA Linux Systems, O'Reilly & Associates, and SGI announced plans to produce a commercial, boxed version of the Debian distribution. VA also filed for its initial public offering of stock, setting in motion what was to be the most spectacular IPO of the year.

In making such a bold move (Solaris is their core product) Sun is embracing everything that has made the Open Source movement such a success. Everything, that is, except that bit about opening up their source code.
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 5 Oct 2000 13:24:37 -0400
From: Eric Kidd <eric.kidd@pobox.com>
To: letters@lwn.net
Subject: Source Forge concerns

I'm the lead developer of a SourceForge-hosted project, and I have two concerns about the site.

* Silly ranking schemes

SourceForge now uses the Advogato trust metric to assign developer rankings. Unfortunately, the Advogato trust metric is fairly broken, even on Advogato. (I say this as someone who has undeserved "Master" credentials, and would prefer to be a mere "Journeyer".)

Quite frankly, the SourceForge implementation of this idea is tacky and juvenile. I'd prefer to opt out of the ranking systems, and just use SourceForge as a development tool. But if I can't do that, I'd like to take my projects elsewhere. Which brings me to my next concern...

* Exporting

I can't export my project (at least not easily). I can export the CVS repository, the web site, and some of the data. But there's no obvious way to dump the bug tracker, forums, etc. So even though the SourceForge code is available, and you can run it on your own server, there's no obvious way to move a SourceForge project elsewhere without losing data.

How to fix it: A nice, big "Export Project as XML" button on the project administrator screen would make me sleep better at night. ;-)

It's not that I don't trust the SourceForge folks--they're remarkably helpful--it's just that hosting a project on somebody else's servers requires an extraordinary amount of trust.

Cheers,
Eric

Date: Tue, 10 Oct 2000 14:40:53 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
To: letters@lwn.net
Subject: GCC/RedHat Imbroglio and Version Numbering

In this week's Daily News, an item was posted wherein the GCC steering committee effectively says "you shouldn't have included 2.96 in any product release; that's not a real production release."

I have no particular sympathy for their complaint, frankly; that's what they get for using a "real" release number. This is a topic on which I've ranted before; had they called that GCC 3.0alpha1, everyone would have known better, I think.

I hope...

Cheers,
-- jra
--
Jay R. Ashworth                    jra@baylink.com
Member of the Technical Staff      Baylink
The Suncoast Freenet               The Things I Think
Tampa Bay, Florida                 http://baylink.pitas.com
+1 727 804 5015

Date: Thu, 05 Oct 2000 06:46:24 -0400 (EDT)
From: Arlen Carlson <adcarlso@visinet.ca>
To: letters@lwn.net
Subject: Commercial "Debian"-style security

In this week's (Oct. 5) LWN, it seems that there is disappointment that the commercial companies have not filled in the Debian security support...However it should be noted that the commercial companies point their security updates to the Debian mirrors. Thus the apparent lack of "security patches" on their own servers.

There is no real lack of interest on the part of the commercial companies...they've just chosen to go the "Debian way".

-----------------------------------
Arlen Carlson <adcarlson@iname.com>

"Love is an ideal thing, marriage a real thing; a confusion of the real with the ideal never goes unpunished." -- Goethe

This message was sent by XFmail (Linux)
 -o)
 /\\     The penguins are coming...
_\_v     the penguins are coming...
-----------------------------------

To: Branden Robinson <branden@debian.org>
Subject: Re: Outrage at Debian dropping security for 2.1
Date: Thu, 05 Oct 2000 13:31:39 +0100
From: Tethys <tet@isengard.europe.dg.com>

Branden Robinson writes:

> Does Mr. Peacock expect Debian to provide security updates for Debian
> 2.0, 1.3, 1.2, or 1.1? Does he expect, say, Red Hat, to provide security
> updates for 6.0? How about 5.0? 4.2? 1.0?

I can't speak for Mr. Peacock, but yes, *I* expect security updates for non-current versions of an OS. Fortunately, Red Hat does provide them, and currently supports its 5.x, 6.x and 7.x releases.

As pointed out on LWN's front page this week, administrators are reticent to upgrade an OS that's working well, when a smaller security update would do just as well. Until Debian realise this, their distribution will never gain widespread acceptance in commercial environments. Maybe that's not one of their goals, but it's something they currently don't seem to be aware of.

Tet

Date: Thu, 5 Oct 2000 09:22:30 +0200
From: Marko Schulz <in6x059@public.uni-hamburg.de>
To: letters@lwn.net
Subject: Debian drops slink security updates

It makes me angry and sad, if people are accused, because they speak the truth.

When the previous version of debian (2.1 aka slink) was released, the next security update, didn't even mention the version before that (2.0 aka hamm). Now the folks from debian are even making a published deadline and they get slammed for it. If they would have dropped updates for slink silently nobody would have cried.

If one wants a secure system, he has to stay mildly current. The worst bugs still get eliminated from 2.0.X-kernels, but there are others in it, that just won't be removed, because it would take too much. I expect the same for old versions of distributions, may they be called SuSe, Red Hat or Mandrake.

I too don't follow the newest-version-craze and stay with older versions for quite some time, but I wouldn't rely on them as being too secure.

--
marko schulz

"Are comics art?" "Who gives a damn!"
Stefan Dinter's answer to a panel question, Comicsalon 1997 in Hamburg

Date: Fri, 6 Oct 2000 15:26:38 -0400
To: letters@lwn.net
Subject: Upgrading Debian
From: Zygo Blaxell <zblaxell@feedme.hungrycats.org>

>apt-get update
>apt-get dist-upgrade
>apt-get clean

The Debian Mantra. ;-)

I'm a Debian advocate. I use Debian on all of my Linux systems at home, and I've successfully introduced it as an upgrade path at work at two companies--there will be no more new Red Hat systems, and the old ones will be replaced rather than upgraded.

Frankly, the reason why I advocate Debian (stable) as my first choice, and Debian (unstable) as my second choice, is because of the nice semi-automated update mechanism, and because of the half-legion of developers behind it. On my own desktop and laptop systems, where the entire user population (i.e. me and my spouse) has eight years of Linux development experience combined with root access and a bootable rescue CD, Debian is close to perfect. On mission-critical systems, Debian's 'stable' distribution with daily upgrades to keep current with security patches is definitely the way to go.

That said, even I, a rabid Debian fan and developer wanna-be, who runs dist-upgrade in parallel on dozens of machines at a time every day, do NOT blindly run dist-upgrade on the day after a Debian release without testing it on non-critical machines first!

The first problem with this idea is that the Debian FTP archive layout changed in the last release, so you can't get past 'apt-get upgrade' without manual intervention if you're using cryptographically-enhanced packages from non-US (and who isn't, really?).

Changes to NSS in glibc alone are enough to cause serious, widespread, and downright weird problems during and after the upgrade. Any package that relies on a lot of shared library components is going to be confused for several minutes, and the ones that aren't confused are likely to be simply unavailable during that time.

Daemons are problematic--some will stop at some arbitrary point during the upgrade and restart at some arbitrary point after, others will continue to function throughout the upgrade, and some will fail in unpredictable ways depending on the exact timing of races between external user access and dpkg's manipulation of the filesystem.

Some packages rely on scripts to rewrite configuration files as the programs that use them change syntax--we can only hope that those scripts preserve exactly the semantics of the old configuration files.

dpkg itself has been known to crash during large upgrades--especially upgrades that affect itself or its own dependencies--and dpkg or apt-get sometimes crash while their own dependencies are not satisfied, which means you can't use either of these fine tools to clean up the mess afterwards. Hopefully, you won't be forced to recover the system using 'ar', 'zcat', and 'tar'. If you're smart, you install 'sash', and avoid several failure modes that might result in having to dig out the boot floppies.

Upgrading Debian is a whole lot easier than upgrading other distributions, but it is by no means perfect.

And so far we're only talking about Debian packages, not any third-party or local packages that might have been installed outside of the Debian package management system. apt-get does not consider at all the possibility of breaking installed packages that it doesn't know about (how can it?), and will happily break them. Even third-party packages packaged as .deb files sometimes have useless or missing Depends: fields, which effectively makes them invisible to apt-get.

This kind of widespread system reconfiguration can't be bug-free. It may, in fact, be less prone to failure than back-porting many security patches at the source level, but in practice there are a tiny number of security-related patches compared to the total number of revisions between stable releases, so the trade-off doesn't pay off.

A single back-ported security patch is a single, localized change, designed to fix a single, specific problem--as a rule of thumb, there's roughly an 85% chance of doing it successfully. A full dist-upgrade rarely leaves any installed non-documentation packages untouched--the probability of making hundreds of changes, each at 85% probability of success, without making any mistakes, is left as an exercise to the reader.

Date: Sat, 7 Oct 2000 14:11:54 -0700 (PDT)
From: Patrick Ennis <DzuSwei@excite.com>
To: lwn@lwn.nwt, letters@lwn.net
Subject: For shame!

Dear Sirs,

Please do not malign the good folks at Libranet. They make it VERY CLEAR that this is a DEBIAN distro, only compartmentalized to make it more accessible to those of us who aren't 24 hour users.

Please make it clear that Libranet is simply making the fine Debian distro more user-friendly and accessible, they aren't yet a true distro in their own right. And so any user updates are through APT, just like Debian... because it IS Debian.

To portray the fine folks at Libranet as being unconscientious is simply a complete fallacy on your part. Their support is both the best, and the quickest, of any Linux outfit. Period.

The folks at Libranet are, quite simply, everything Linux should be! They love linux, give it to anyone who asks and makes it known to any who BOTHER TO ASK.

And to be quite honest, they are the only one of the four 'major' Canadian distros (Corel, Stormix, MaxOS, and Libranet) that treats the user as a thinking human being, and gives them the option of either mindlessly installing linux or masterfully guiding it onto your computer to the Nth degree. Who else lets you do this? Like this? To this degree? NO ONE!

So please, valued Sirs, try Libranet before you malign it so easily. In my opinion, it is linux as Linus meant it to be! If there is a fault, which I question, it is with the folks at Debian.org themselves. And even then, a simple run of APT will plug the gap.

In short, if any Libranet user is concerned about any of their update needs, they need only run Apt to get the 'latest and greatest'.

Do not malign the folks at Libranet. They do more, better, for free, than anyone else in linux.

Thank you,
Patrick Ennis
Dzuswei@excite.com

Date: Wed, 11 Oct 2000 14:26:55 -0500
From: Dub Dublin <dub@infowave.com>
To: letters@lwn.net
Subject: Electronic, not digital signatures - there's a difference

Your report last week of digital signatures becoming law is inaccurate. As I understand it (not a lawyer and all that), what became law on October 1st was electronic signatures, not digital signatures.

There's a very important difference: electronic signatures are used to make electronic contracts enforceable, like click-through license agreements and online purchasing or services agreements. Unlike digital signatures (which rely on some sort of cryptographic method of providing authentication, non-repudiation, and content integrity), electronic signatures are simply an entry in a database somewhere - but with this law, that database now has the full force of a paper signature, regardless of its own accuracy or security. (This may well turn out to have far larger implications for online rights than DMCA or UCITA ever could.)

This is a crucial difference, and the reason that electronic signatures were opposed by some consumer advocates and the handful of congressmen who bothered to read and understand the bill. It boggles the mind that this legislation passed 426-4. (Three Republicans and only a single Democrat voted against it, about the typical ratio for privacy issues, but a very poor turnout.)

To be fair, the bill does provide for informing customers of paper alternatives (if any), and contains some other notification provisions as well, but these are obviously far, far, short of the protection that would be provided by a true digital signature, even one based on questionable cryptographic methods.

In short, there's a big difference between electronic and digital signatures, and we need to use the correct terminology in both discussing the issue and in framing a response.

Dub Dublin

To: letters@lwn.net
Subject: ECN
From: Graham Murray <graham@webwayone.co.uk>
Date: 05 Oct 2000 07:00:30 +0000

ECN, while still new and experimental, has the potential to be a very useful protocol which by greatly reducing the number of resent packets could improve bandwidth utilisation which would be to everyone's advantage. However to do this it needs to be widely accepted and implemented. This will not happen while high profile sites reject connections which indicate that they are willing to use ECN.

So, I think it is a pity that we are being forced to disable it in order to communicate with certain sites. While I accept that this is, at least in the short-term, necessary, I think that we should also be informing the "offending" sites of the error of their ways.

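A site that rejects ECN-capable connections can be told apart from one that simply declines ECN by looking at two flag bits in the TCP handshake. The sketch below is an added example, not part of the letter above; it follows the handshake rules of RFC 3168, and the helper names, result labels, ports and header bytes are constructed for illustration.

```python
import struct
from typing import Optional

# TCP flag bits in byte 13 of the header. ECE and CWR are the two ECN flags,
# taken from bits that older specifications marked as reserved.
FIN, SYN, RST, ACK, ECE, CWR = 0x01, 0x02, 0x04, 0x10, 0x40, 0x80


def tcp_flags(header: bytes) -> int:
    """Return the flags byte of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    # src port, dst port, sequence, acknowledgment, data offset, flags
    return struct.unpack("!HHIIBB", header[:14])[5]


def is_ecn_setup_syn(flags: int) -> bool:
    """An ECN-setup SYN is a plain SYN with both ECE and CWR set."""
    is_syn = (flags & (SYN | ACK | RST)) == SYN
    return is_syn and (flags & (ECE | CWR)) == (ECE | CWR)


def classify_handshake(syn: bytes, reply: Optional[bytes]) -> str:
    """Classify how the remote end treated an ECN-capable connection attempt.

    reply is the first segment received in answer to the SYN, or None when
    nothing came back before the connect timeout.
    """
    if not is_ecn_setup_syn(tcp_flags(syn)):
        return "ecn-not-requested"
    if reply is None:
        return "no-reply"            # SYN silently dropped on the path
    flags = tcp_flags(reply)
    if flags & RST:
        return "reset"               # connection actively rejected
    if (flags & (SYN | ACK)) != (SYN | ACK):
        return "unexpected"
    ecn_bits = flags & (ECE | CWR)
    if ecn_bits == ECE:
        return "ecn-negotiated"      # ECN-setup SYN-ACK: ECE set, CWR clear
    if ecn_bits == 0:
        return "ecn-declined"        # ordinary SYN-ACK: works, without ECN
    return "ecn-bits-invalid"        # not an ECN-setup SYN-ACK; ECN must not be used


def make_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Build a constructed 20-byte TCP header carrying the given flags."""
    # data offset of 5 words, window 65535, checksum and urgent pointer zero
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)


def run_samples() -> dict:
    """Run the classifier over constructed handshakes, one per outcome."""
    ecn_syn = make_header(SYN | ECE | CWR)
    replies = {
        "ecn-aware server": make_header(SYN | ACK | ECE, 80, 40000),
        "pre-ECN server": make_header(SYN | ACK, 80, 40000),
        "rejecting site": make_header(RST | ACK, 80, 40000),
        "dropping firewall": None,
        "bit-echoing stack": make_header(SYN | ACK | ECE | CWR, 80, 40000),
    }
    return {name: classify_handshake(ecn_syn, r) for name, r in replies.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:18} {outcome}")
```

Only the "reset" and "no-reply" outcomes correspond to the rejection the letter complains about; a peer that answers with an ordinary SYN-ACK has declined ECN without breaking the connection.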
Date: 10 Oct 2000 23:46:55 -0000
From: Eric Smith <eric@brouhaha.com>
To: letters@lwn.net
Subject: Synopsys on Linux

Gentlemen,

On October 10 you reported on Synopsys making more of their ASIC tools available on Linux. You referenced an EE Times article in which Gary Smith, chief EDA analyst at Dataquest said "64-bit Linux isn't yet available".

Gary needs a wakeup call. 64-bit Linux has been available for *years* on Alpha platforms, and is also available on Sparc and MIPS platforms. In fact, it's even available for Intel's upcoming IA-64 chips (e.g., Merced), despite the fact that the chips aren't even available.

However, I hope that Mr. Smith is correct in his statement that "Linux is knocking NT out of the design world". I've seen numerous cases of companies trying to do EDA (or any kind of engineering) on Windows NT boxes, largely based on false Total Cost of Ownership claims by Microsoft, and discovering the hard way that Windows NT is *abysmal* as an engineering platform.

In the same article, Mike Glenn of Avanti Corp. says of Linux that "it won't replace the Unix environment". Mr. Glenn needs to wake up and smell the coffee. More and more companies are discovering that Linux works just as well as (or, in many cases, better than) proprietary Unix solutions, and yet has much lower costs (both purchase and support).

Despite some silly statements by analysts and vendors, it is now clear that Linux-based EDA is an idea whose time has come.

Raul Camposano was quoted as expecting to find "Windows NT strong only in FPGA design". One of the leading FPGA chip vendors has stated that they have no plans to support Linux. Interestingly enough several of their competitors are working on FPGA support. As an engineer, given the choice between otherwise comparable chips, I'll pick the ones which I can develop for without using Windows NT. The choice is a no-brainer.

Eric Smith

From: Mark_Wiley@marcam.com
To: letters@lwn.net
Date: Fri, 6 Oct 2000 12:09:11 -0400
Subject: TUX and beyond

With the recent release of the TUX 1.0 Kernel HTTP Server, I was thinking about the future of such an offering.

TUX is a Linux kernel space HTTP server. Its primary function is to serve up static pages and images and pass along more complex requests to user space programs, such as Apache. Its current design is to minimize the impact of current web server implementations. Apache doesn't know there is anything going on, just some configuration changes.

As I look at the growing importance of Web services and review the equally important growth of the underlying TCP/IP protocol a few decades ago, I must wonder about the directions that TUX or implementations like it will take.

Consider. TCP/IP is only a communications protocol and protocol stack. All that really needs to be in the kernel is the network card driver. But we recognize the importance of TCP/IP, the complexity and wide use of its services. To make dealing with it easier, we made several adaptations.

1. The stack is in the kernel for speed and security.

2. The TCP/IP stack is capable of dealing with multiple IP addresses on each of multiple network adaptors.

3. Security is handled through an administrator interface allowing detailed settings for each adaptor/address.

4. We give it a friendly usable API that allows any process to register itself as being a service in the TCP/IP space (Sockets/Accept). User space programs don't have to deal with raw network packets.

The result is that the stack does not need to be individually configured for any new services. The services register themselves. The general configuration and security of the stack can be controlled by an administrator.

Let's take a similar approach to web services. Let's make a web service stack:

1. The web stack should be capable of providing multiple service hierarchies with different protocols (http, https, other...) configured individually to IP-Range / TCP Port. Java has a model for pluggable protocol handlers that might be useful. When new protocols are needed, plug in a protocol handler that understands it.

2. Each service hierarchy has its own security interface for what request source IP address it accepts, what authentication it expects, where its WebRoot is, what programs/users may register as active content providers.

3. An API is provided for userspace programs to register themselves as active content providers. These API would allow a program to enumerate what service hierarchies are currently active. It would allow a program to select one service hierarchy and register itself to it. The program would then specify where in the hierarchy its address space would begin. Finally the API would provide a blocking wait for service requests similar to the socket accept.

There are already models for server components out there with Request and Response interfaces for service control (Java Servlet, ASP, ...). Make something similar available from the kernel server through the API.

This whole interface requires the replacement of many current web apps with versions that use the new API, but in the end it would make web applications as portable and pluggable as TCP/IP applications are now. It would also make writing web applications easier and more modular.

TUX is already a good starting point. It can be expanded to include more features. But more importantly, it is in a good position to become the implementation standard for such a model. Do it right in an Open Source fashion before some company gets into the act and tries to poke a lot of proprietary requirements into the mix. Make the standard Open first. Then let it catch on elsewhere.

Mark Wiley.
mark.wiley@pcsinc.net

Date: Fri, 06 Oct 2000 07:53:39 +0800
From: Leon Brooks <leon@brooks.smileys.net>
To: letters@lwn.net
Subject: You don't see much Linux

Steve Ballmer is quoted as saying:

> You don't see much Linux in (business) customers. You see some Linux
> in Web sites and application service providers, but it's less than
> the press hype."

There are two points worthy of note here, either or both of which explain how Steve can say this without too much crossing of the fingers behind the back.

Firstly, and this really has been done to death: where Linux is working and where Linux is seen are two quite different concepts. Many managers and CEOs are quite shocked to discover either that the backbone of their IT shop has been Linux for the last three years or that the reason their [insert favourite service here] has either sped up or stopped crashing, or given up being taken out regularly by crackers (or all of the above) in recent days is that it's no longer based on Windows.

Bill Gates himself would not have been pleased to discover that every computer in the campus' new Bill Gates building was running Linux while he was touring it during the opening ceremony.

It is especially pleasing to see FreeBSD, OpenBSD et al springing up more and more often in the ground plowed by ``media darling'' Linux. Repeat the mantra: ``choice is good.''

Secondly, I'm not sure how often Microsoft's boss would *expect* people to show him Linux systems: he lives in a Microsoft-saturated environment, and would have to go about anonymous and disguised to have a hope of seeing any reality. The reality is that something like half of all web servers are Linux-based, and something like a quarter of them are Microsoft-based.

Compounding the issue, he lives right at the heart of Microsoft country. Internet head-counts show Microsoft more often in the USA and in corporate culture than anywhere else. The further up the corporate ladder you look, the more Microsoft you find. Microsoft has spent a lot of time and money making it so. This is where Steve lives and gads about. Note the parable of the blind men and the elephant (http://www.anointedlinks.com/elephant.html) for it applies here.

In Germany, Microsoft servers are nearly a third less common than average. Non-US domains also seem to have a less pronounced ``us and them'' Apache-against-IIS focus. Educational domains also seem more willing than average to use something other than Apache, IIS or Netscape.

What ``we'' (Open Source oriented people) need to be aware of is that this blindness is just as true for us as for Steve and Bill. We use Linux (replace with your chosen OS-OS as appropriate) daily to solve problems, automate drudgery and banish the three apocalyptic horsemen (Bluescreen, Virus and Cracker) from our world. Often, all we see is Linux - so all we know is Linux.

We lose touch with people who use Microsoft products daily, to whom three crashes a day and living in fear of viruses is normal, to whom Word spontaneously electing to no longer display a task-bar is a major issue, and for whom the sight of an AfterSTEP or Enlightenment desktop is very disturbing.

--
#include <signal.h> #include <time.h> main(){srandom(time(0));for(;;){int pid=random()%30000;if(pid>1
&&pid!=getpid())kill(pid,random()&1?SIGSTOP:SIGBUS);sleep(10);}}