[LWN Logo]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests

 Main page
 Linux in the news
 Back page

Other LWN stuff:
 Daily Updates
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Use LWN headlines
 Advertise here
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- Gaël Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials

No dividends from free software? The Creating Digital Dividends conference is being held in Seattle starting October 16. This conference has a goal of exploring how technology can better serve the third world. It has a gold-plated list of sponsors: Microsoft, HP, Motorola, etc. It looks to be full of first-world amenities.

What it will not have is any representation from the Linux community. Quite a few folks from the community have taken exception to this. Tim Hanson has even announced a protest which will take place outside the event. Free CDs and literature will be handed out in an effort to educate the conference participants about other technologies which should be considered.

LWN asked the organizers about the exclusion of Linux businesses from the conference. The answer we got back was interesting in a couple of regards, and deserves a closer look here.

First of all, the organizers evidently did extend an invitation to Red Hat, which declined to attend. Red Hat apparently sees its best business opportunities in the first world. The conference thus can claim to have not entirely excluded Linux, but it also does not get off the hook quite that easily. Red Hat and Linux are two very different things, and inviting Red Hat is not equivalent to inviting the Linux business community. There may well be other Linux businesses which would have been more interested. Conectiva comes immediately to mind, but there would certainly be several others as well.

The note makes this claim:

We would like to be clear, however, that the Creating Digital Dividends Conference is not focused on specific technologies or operating systems, but rather on new business models that accelerate sustainable development.

What would the organizers think of a business model that:

  • Allows third world companies to obtain the software they need to run their businesses without paying large amounts to first-world vendors?

  • Eliminates the need to attempt to wipe out pervasive software copying by way of repressive measures pushed by first-world companies?

  • Allows third-world hackers to participate in development on an equal footing with the rest?

  • Provides the freedom for users to modify the software to fit their particular needs, which may well be different from those of the authors?

Jon 'maddog' Hall has a great story about a third-world cancer screening center which was able to employ a Beowulf cluster to provide near-immediate results from tests. Getting to this clinic was a long and strenuous process for many people; being able to get an answer (and possibly treatment) immediately made the trip worthwhile. It convinced people to go, and saved lives. The Red Escolar project, which is setting up Mexican schools with Linux boxes, is another example of what can be done with free software.

Linux and free software are far from a complete answer to the third world's problems. But a conference that tries to address those problems without Linux is missing a crucial tool. The people who do real work in the third world, however, are increasingly making use of the tools available to them without the need of a conference to tell them what to do. The absence of Linux from this conference is unfortunate, but will not change much in the long run.

Do free software projects need public relations? An often-heard sentiment among KDE developers is that they may have a better desktop, but that the project has taken a number of hits on the public relations front. This idea was made more explicit this week with this KDE Dot News editorial on how to improve KDE's public image.

There is a general consensus that the KDE project, despite its technical superiority among various desktop environments, has had a poor PR record, especially in North America. Now that the release has been delayed a week or so, let's take this opportunity on dot.kde.org to present and share ideas that will help the KDE PR and marketing efforts.

Do free software project need to worry about PR? Part of the mythology of free software is that good code drives out bad, and that the best code wins. So a development project should concentrate its effort on its code, and the rest will take care of itself.


Of course not. In the business world, simply having the best product is no guarantee of success. The same will certainly hold true in the free software world - especially as the use of free software grows, the stakes get higher, and the amount of money involved increases. There are thousands of development projects out there competing for both users and developers. Good code is a powerful advantage in that competition, but good PR will be important too.

The age of free software project PR may well have had its start at the first LinuxWorld conference in March, 1999. The GNOME project used the event to launch its 1.0 release - and even called a press conference. That move surprised a number of people; after all, press conferences for software releases had not previously been part of the free software development process. That release was part of a well-funded effort to take a project whose code was certainly second-best and make it into a true competitor - and it appears to have worked. Would GNOME be where it is without its PR work?

Development projects - especially large ones - are going to have to put more thought into their PR in the future. One unfortunate consequence of that may be that, in the future, ambitious projects will have a hard time getting off the ground without some sort of corporate sponsorship. That sort of sponsorship is often available, which is an entirely good thing. But free software is supposed to be about what its users want, not what corporations want.

Beowulf 2 from Scyld. Scyld Computing has announced the availability of the second generation of Beowulf software. In this release Scyld is trying to address a number of the difficulties found by [Scyld logo] users of Beowulf clusters - in particular, the lack of tools to manage clusters and make them appear to be a single system.

This announcement is important for a couple of reasons. Scyld, of course, is the company created by Donald Becker, they guy who first strung together a rack full of Linux systems and called it "Beowulf." He is also, incidentally, the author of a vast number of network drivers in the kernel. Most likely, not even Donald knew what he was setting in motion with that first cluster of his. Beowulfs are now popping up everywhere; for a great many applications they are far more cost effective than the "big iron" supercomputers normally employed for serious number crunching.

Beowulf clusters are not for everybody, however. They remain, to a great extent, a "build it yourself" system involving a fair amount of expertise, time, and duct tape. The users of Beowulf clusters have to be highly aware of how the system is built, and restructure their applications accordingly. Many companies have announced cluster products with nice interfaces, but most of those are oriented toward high-availability web serving. The roots of Beowulf, however, are in hard-core number crunching, and the companies operating in this area (HPTi, Linux Networx, Atipa, and others) have concentrated more on nice hardware.

So the software gap remains. To address this area, Scyld has added a set of cluster configuration and monitoring tools. There is a nice graphical interface and everything. A front-end computer handles administrative tasks, and keeps the whole cluster together. The compute nodes are just that - they even get their operating system from the master system. The whole thing is meant to be easily scalable, so that adding new nodes is a simple task.

As part of this release Scyld is making available a new version of BProc, which is a clustered process management utility, and a thing called Two Kernel Monte which allows substituting a system's kernel "on the fly" without dropping back to the BIOS level.

Those who want to buy a CD with the new code may do so; it's also all available for download from the Scyld web site. The company is clearly planning to make its money on the service side; they offer an array of installation and support plans. The Linux cluster market could well be a large one. The world's appetite for high-end computing continues to grow, and the economics of commodity clusters are persuasive. Donald Becker and company profited little from the first wave of Beowulf clusters; they may do better with the second.

Inside this week's Linux Weekly News:

  • Security: New vulnerabilities in ncurses, usermode, and boa. Directory transversal vulnerabilities in web-based scripts.
  • Kernel: The Zen of OOM killers; TUX2 patents again.
  • Distributions: Coventive arrives in the U.S.; Proposed changes to the Debian Social Contract.
  • Development: Python 2.0 release candidate, Microwindows, BIND 9.
  • Commerce: E*Trade and the Red Hat IPO; Free Standards Group releases spec; Open Source product announcements.
  • Back page: Linux links, this week in Linux history, and letters to the editor
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:

October 12, 2000


 Main page
 Linux in the news
 Back page

See also: last week's Security page.


News and Editorials

CERT to disclose software flaws (ZDNet). CERT, the first official "Computer Emergency Response Team", was founded in 1988 by DARPA (Defense Advanced Research Projects Agency). It quickly became an essential resource for computer systems administrators dealing with a (then rare) computer intrusion. Over time, however, CERT's policy of contacting all vendors in advance about security problems, and giving them all time to provide fixes, led to longer and longer lead times before security problems were announced. This was particularly troublesome when the reported vulnerability was widely known and being actively exploited.

CERT's policy did a lot to demonstrate the need for full disclosure lists, such as BugTraq, which came along later. CERT's policy failed to put much needed pressure on vendors to make security a high priority. Now, in the midst of large-scale debates about whether or not full disclosure is a "good thing", CERT has finally, twelve years later, changed its own policy. Whether or not all vendors have produced fixes, CERT will now announce all vulnerabilities 45 days after they are initially reported, promising full credit to the originators of the report.

We mentioned this policy change last week. This week, ZDNet has reported on it as well, commenting that "It may herald the end of a fight that has inflamed the security community for more than a decade". While we doubt that the fight is likely to be over any time soon, CERT has drawn a new line. They consider themselves to have chosen a middle course, between full disclosure and no disclosure.

What they have done, instead, is to validate the arguments of full-disclosure adherents and establish a new outer limit to non-disclosure. Given the overwhelming number of new security vulnerabilities that are being reported, it is also likely that an open-ended vendor process for each vulnerability simply became impossible to support. In addition, there are many for-profit and non-profit security groups that are now in competition with CERT.

CERT's announcement, as a result, is less ground-breaking and more an acceptance of the status quo: full disclosure with some set time allowed for cooperation with vendors, ranging from a matter of hours to a matter of a few weeks. 45 days is, under those rules, probably the most generous offer a vendor is likely to find.

Why the world needs reverse engineers (ZDNet). Educating people on the need for reverse engineering is the goal of this ZDNet article, written by Weld Pond, Manager of Research and Development for @stake, Inc., a computer security firm. The CueCat barcode scanner from Digital:Convergence is used as an example. "Many of the privacy risks we face today such as the unique computer identification numbers in Microsoft Office documents, the sneaky collection of data by Real Jukebox, or the use of Web bugs and cookies to track users were only discovered by opening up the hood and seeing how things really work."

Open Sources: The other side of the story (ZDNet). An interesting story showed up on ZDNet's Interactive Week. It's a story about security as seen through the eyes of Mudge, Vice President of R&D at the company once known as L0pht and now known as @stake. "...software consumers have become so cynical they 'need third-party proof of concept' before they'll believe the software's been fixed, and the only way that will happen is through independent review. The software companies are where Swift and Armour were in 1906, when Upton Sinclair wrote his classic expos on the meatpacking industry, The Jungle - the consumer uses the product at his own risk."

OpenBSD plugs a rare security leak (Upside). Upside looks at OpenBSD's handling of security problems. "For most open source projects, news of an overlooked security hole is simply part of the debugging process. But for the developers of OpenBSD, an operating system whose design motto is 'secure by default,' it's nothing short of an affront."

Security Reports

Buffer overflow problems in ncurses. A buffer overflow problem in the ncurses library has been reported by Jouko Pynnnen. As a result of this problem, programs that use ncurses are vulnerable to attack. Successful exploits have already been demonstrated, though none are known to be in use by the Bad Guys as yet. It is possible - though unconfirmed - that remotely-exploitable vulnerabilities could exist. The problem is present in most, if not all, Linux and BSD variants.

Expect to see a pile of fixes show up in the next few days; we'll let you know when they are released. This is another ugly one.

To help people find binaries linked against ncurses, Dominic Mitchell sent us this script, along with an example output from searching /usr/bin on FreeBSD. It quickly reported 27 possibly affected binaries...

LinuxPPC security update - single user mode. LinuxPPC has issued a security update regarding single user mode login. Currently, all past and present versions of LinuxPPC (going back to 1998's Release 4.0, and possibly earlier) have a vulnerability when booting in single user mode. The computer will automatically perform a root login without asking for password. Updates are recommended, although LinuxPPC plans to have this fixed in its upcoming release.

Red Hat security update to usermode. A bug report to Red Hat pointed out a new vulnerability in the usermode package. The userhelper binary inherits the LANG or LC_ALL environment variables and then passes them on to non-setuid root programs, bypassing protections recently integrated into the glibc library to prevent a format-string exploit.

This week's updates:

Boa. Lluis Mora reported vulnerabilities in the Boa webserver which could both allow access to files outside the document tree and a compromise of the web server account. The Boa development team, in coordination with Lluis' advisory, released boa, which fixes these problems.

This week's updates:

TCP weak initial sequence numbers. The Hacker Emergency Response Team (HERT) put out an advisory for problems with the manner in which initial TCP sequence numbers are generated, leading to the ability to predict sequence numbers and therefore "spoof" packets. Their report focused on FreeBSD, which responded with this advisory, acknowledging the problem and providing patches. However, FreeBSD's advisory states that they do not believe this problem is unique to FreeBSD. We have no updated information on what other operating systems might be impacted; the implication is that all systems derived from 4.4BSD-Lite2 are likely candidates.

Directory transversal vulnerabilities. The following web scripts were reported to contain directory transversal vulnerabilities, allowing arbitrary files on the web-server to be read:


LPRng, LPR format string vulnerabilities. Format string problems in LPRng were reported in late September. Updates for LPRng and lpr (for a related problem) continue to be published.

This week's updates:

Previous updates:

ssh/OpenSSH file transfer vulnerability. All versions of ssh derived from ssh-1.2.x contain a vulnerability in which a compromised server can be used to copy arbitrary files to an uncompromised local system, if that system uses ssh/scp to download files from the compromised server. Check last week's LWN Security Summary for more details. No fixes for this problem have been reported as of yet. Some distributions are shipping updates that remove the setuid bit from the scp binary in order to minimize potential damage.

This week's updates:

traceroute local root access. A local user can exploit vulnerabilities in traceroute to gain root access. For more information, check last week's LWN Security Summary. Note that Red Hat 7 already included a patch to get a raw socket and then drop privileges at startup. As a result, it was not affected by this most recent report. Kudos to them for proactively fixing potential security problems before a new vulnerability pops up; it's nice to know somebody was looking at the code with security in mind.

This week's updates:

Previous updates:

esound tmpfile link vulnerability. Check the September 7th LWN Security Summary for the original report of this problem from FreeBSD. Linux security teams should note that it took two weeks from that initial report before a Linux update for this problem was released.

This week's updates:

Previous updates:

GNU CFEngine format string vulnerability. Root access can be obtained on a local system by exploiting CFEngine's use of syslog and its related format string vulnerability. Check last week's LWN Security Summary for more details.

This week's updates:

tmpwatch fork bomb denial-of-service vulnerability. Check the September 14th LWN Security Summary for additional details. Note that almost a month passed before the first update for this problem was released. Since then, a local root compromise problem has turned up as well; this is fixed in all of the updates.

gnorpm tmpfile link vulnerability. All version of gnorpm prior to 0.95.1 contain an improper use of a link to a temporary file that can be locally exploited to overwrite arbitrary files on the system. Check last week's LWN Security Summary for more details. The latest version contains many non-security fixes as well, reportedly making it actually usable.

This week's updates:

Previous updates:

Apache mod_rewrite vulnerabilty. Files outside the document root can be accessed, if the mod_rewrite module for Apache is in use. For more details, check last week's LWN Security Summary.

This week's updates:


Full Disclosure Panel. A panel discussion on the issue of Full Disclosure is planned for the next episode of Info.sec.radio, a radio show produced by SecurityFocus.com and made available via RealAudio. The show will be held on Monday, October 16th.


Upcoming security events and announcements.
Date Event Location
October 11, 2000. The Internet Security Forum Edinburgh, Scotland.
October 14-21, 2000. SANS Network Security 2000 Monterey, CA, USA.
October 16-19, 2000. 23rd National Information Systems Security Conference Baltimore, MD, USA.
October 29-November 2, 2000. SD 2000 (Software Development Conference) Washington D.C., USA
November 1-3, 2000. Compsec 2000 Westminster, London, U.K.
November 1-4, 2000. 7th ACM Conference on Computer and Communication Security Athens, Greece.
November 3-5, 2000. PhreakNIC v4.0 Nashville, TN, USA.
November 8, 2000. Security Forum 2000 Vancouver, British Columbia, Canada.
November 13-15, 2000. CSI 27th Annual Computer Security Conference and Exhibition Chicago, IL, USA.
November 26-December 1, 2000 Computer Security 2000 and International Computer Security Day (DISC 2000) Mexico City, Mexico
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

October 12, 2000

Secure Linux Projects
Bastille Linux
Secure Linux
Secure Linux (Flask)

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus


 Main page
 Linux in the news
 Back page

See also: last week's Kernel page.

Kernel development

The current development kernel release remains 2.4.0-test9. The first 2.4.0-test10 prepatch came out on October 9; it contains a number of USB updates, some miscellaneous fixes, and more virtual memory patches from Rik van Riel.

Ted Ts'o posted a new 2.4 jobs list on October 9. It remains a lengthy document...

The current stable kernel release is still 2.2.17. No 2.2.18 prepatches were released this week.

Where is 2.0.39? The final prepatch came out a few weeks ago, but the real 2.0.39 release has not happened. It turns out that a few problems have been reported in that "final" prepatch, and they are proving difficult to resolve quickly. David Weinehall has said that the release will happen before too long, even if the problems can not be fixed.

Kernel.org has a new cryptographic key. H. Peter Anvin announced that a new key is now in use to sign files on the kernel.org site. The old one, as it turns out, was set to expire. If you are using the key to verify files downloaded from a kernel.org mirror, you'll need to read the announcement and get a copy of the new one.

Handling 'out of memory' (OOM) situations is a recurring linux-kernel topic. It came up again this week after Rik van Riel posted a patch with a new "OOM killer" routine; this patch subsequently made its way into 2.4.0-test10-pre1.

The Linux kernel, remember, is capable of allocating more virtual memory to processes than it is really able to provide. This is done because processes generally do not use anywhere near all the memory they ask for. To require that the kernel be able to satisfy every last allocation would greatly reduce the total available memory, and would be wasteful. So Linux overcommits it memory.

The consequence of that approach, however, is that the kernel can possibly find itself in a position where it is unable to provide memory to a process that thinks it already has it. It seems to be generally accepted that the only way out of that bind is to start killing processes to recover their memory. Killing processes is not a very satisfactory solution, but it is better than having the whole system lock up.

The hard part, though, is choosing which process to kill. Early OOM killer attempts tried approaches like killing the largest processes on the system. Doing that does indeed recover memory, but usually at the cost of killing the X server or netscape - leading to disgruntled users. So Rik's patch tries to be smarter in how it targets processes. In particular, it:

  • tries to avoid processes which have consumed a lot of CPU time, with the idea that killing them would lose a lot of work.

  • is more likely to kill processses which have been niced (i.e. are running with lower priority) on the theory that they are less important to the user.

  • tries to avoid processes running with superuser privileges or direct hardware access (i.e. the X server).

The targeting of niced processes drew some complaints. Often a process that has been niced is the big cranker job that is the reason for the system's existence in the first place. Rik responded that long-running jobs are unlikely to be killed anyway, and thus the cranker should be safe; in the end, though, he removed the nice penalty anyway.

There was some interesting talk of other approaches. One would be to account for memory on a per-user basis and to kill processes belonging to the user who is causing the problem. That, though, leads to difficulties like figuring out a way for the X server (which often runs as root) to account for resources allocated on behalf of users. Another possibility would be to provide a system call where processes could tell the kernel what their relative importance is. Yet another would be a way for the kernel to signal processes and ask them to voluntarily reduce their memory usage. After all, many processes have memory they could give up if need be; netscape's in-core cache and the X font cache come to mind. However, due to fragmentation issues, memory freed by processes is not necessarily reusable by the system.

In the end, though, the "out of memory" situation is rare, and it is not necessarily worth trying too hard to find a perfect solution. As Linus put it, that perfect solution is probably unreachable, and the attempt is likely to produce worse results than the simple, "good enough" solution. So the OOM killer is probably about as refined as it is going to get.

Updates on the TUX2 patent issue. Last week we covered the three patents held by Network Appliance which appear to cover the "phase tree" algorithm used by Daniel Phillips' TUX2 filesystem. Here's the latest on that situation.

  • Network Appliance still isn't responding to Daniel's inquiries on the matter. They seem to be hoping he will just go away. Daniel, however, is not the type to just go away. His position on software patents is very strong, and he means to make a point here.

  • As part of making that point, he is looking into filing for some "white hat patents" for aspects of TUX2. The technologies in those patents would only be licensed to free software implementations. His purpose is to make corporations realize that software patents hurt them as well.

  • Jeff Merkey of the Timpanogas Research Group has hired a patent attorney to work at busting the Network Appliance patents.
Meanwhile Daniel reports that this whole issue has generated quite a bit of interest from potential developers, and that TUX2 development may be accelerated as a result of it. He has also posted a document which describes the TUX2 phase tree algorithm in detail.

Other patches and updates released this week include:

  • Vojtech Pavlik has released a new set of VIA and AMD IDE drivers.

  • A low latency patch for 2.4.0-test9 was released by Andrew Morton.

  • Modutils 2.3.18 was released by Keith Owens.

  • Kesmarki Attila posted a new 3dfx frame buffer driver with a number of nice features.

  • Marc Mutz has announced version 0.2.2 of his Encryption HOWTO.

Section Editor: Jonathan Corbet

October 12, 2000

For other kernel news, see:

Other resources:


 Main page
 Linux in the news
 Back page

See also: last week's Distributions page.

Lists of Distributions
Woven Goods

Embedded Distributions:

BluePoint Embedded
Compact Linux
Embedded Debian
Hard Hat Linux
OnCore Systems
RedBlue Linux
Royal Linux
White Dwarf Linux

Familiar (iPAQ)
Intimate (iPAQ)
Linux DA

Special Purpose/Mini
2-Disk Xwindow System
Mindi Linux

Coyote Linux
Fd Linux
Fli4l (Floppy ISDN/DSL)
Linux in a Pillbox (LIAP)
Linux Router Project
Small Linux

BBLCD Toolkit
Crash Recovery Kit
innominate Bootable Business Card
Linuxcare Bootable Business Card
Sentry Firewall
Timo's Rescue CD
Virtual Linux

Zip disk-based

Small Disk
--> Peanut Linux
Relax Linux

Bambi Linux
Flying Linux

ARM Linux
Scyld Beowulf
Think Blue Linux
(Oracle's NIC)
NIC Linux
Black Lab Linux
Yellow Dog
(Older Intel)
Monkey Linux

DOS/Windows install
Armed Linux
Phat Linux

Diskless Terminal
GNU/Linux TerminalServer for Schools


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Here comes ... Coventive. A company called Coventive Technologies announced its existence to the western world this week. Coventive appears to be based in Taiwan, but it is now making a play for the U.S. market. "Now great technology companies originate all over the world and expand into the U.S. as part of a worldwide business strategy."

Coventive has a Linux distribution it wants to sell, called XLinux. It comes in both server and embedded versions. On the server side, Coventive claims that XLinux is "one of Asia's most popular branded Linux solutions for enterprise servers;" the company apparently has partnerships with Acer, Compaq, IBM and HP. On the embedded side, they claim "the smallest known fully functional commercial embedded Linux kernel," weighing in at 143KB.

The core of Coventive's offering, however, would appear to be its internationalization effort. XLinux is supported with English, French, German, Italian, Spanish, Portuguese, Russian, simplified and traditional Chinese, Japanese, Korean, Thai and Vietnamese. They highlight their "Giga Character Set" (GCS) capability, which they use to support Asian language display.

In fact, there is even a white paper (published in LinuxDevices.com) on how GCS works. From that paper:

GCS is fundamentally different from other display codes because it is not based on assigning binary codes to characters or letters. GCS is actually a mathematical encryption algorithm that the computer uses to transition between natural language characters and letters and computer language bits. A different algorithm is developed for each language, which captures that specific language's peculiarities, such as basic symbols, spatial relationships, directionality and supplemental symbols

The explanation leaves a bit to be desired... Essentially, the company has come up with a way of representing eastern glyphs that better matches their structure. Many Asian characters are composites, made up of one or more simpler characters. Unicode simply makes a big catalog of characters, without recognizing their internal structure; GCS apparently handles things in a more natural manner.

Some more information may be found on the Coventive web site, but that site evidently was not designed with Linux-based browsers in mind. There is no information on the origins of the XLinux distribution. However, a look around on their FTP site (which is at ftp.xlinux.com) reveals an RPM-based distribution with a Red Hat-like directory structure. The version on the FTP site is 1.1, however; the material on the web site talks about a number of later releases.

In coming to the U.S., Coventive is jumping into a crowded marketplace - and one which may not be greatly concerned about nice display of Asian character sets. But the company seems to be doing well in its home market, and may yet have a surprise for the western hemisphere as well.

LinuxToday prints Red Hat response. LinuxToday covered the Red Hat 7 gcc/glibc controversy this week, including comments from Alan Cox (from linux-kernel) and Eric Troan, Red Hat's VP of Product Engineering (from an interview with LinuxToday).

Despite this statement, several members of the discussion list would not back away from charging that because of its inclusion of a compiler that was not binary compatible with anything else, Red Hat was beginning an attempt to create a proprietary distribution. Cox denied these charges in the discussion, reiterating his point that Red Hat's efforts were innovative, and not divergent.

(See also: last week's LWN Distributions Page which discussed this issue in detail).

Distribution Reviews

Evolution, not revolution (ZDNet). ZDNet takes a look at Red Hat 7. "Providing an easy upgrade to the soon-to-be-available Linux 2.4 kernel; a wide array of improvements, including USB support for keyboards and mice; and new encryption capabilities, Red Hat Inc.'s Red Hat Linux 7 is an evolutionary upgrade of the operating system but is hardly a showstopper."

General-Purpose Distributions

A proposed change to the Debian Social Contract. A call for votes has gone out to the Debian developer community regarding a proposed change to the Debian Social Contract. The text of the proposed change is available - it's written in classic dry legalese suitable for a local tax district initiative. Essentially, this change is the follow-through of the discussions on whether the non-free directories were needed any more.

The proposed change would:

  • change the Social Contract to explicitly state that Debian supports the rights of its users to use and develop non-free software.

  • order the removal of all non-free software from the Debian archives, and forbid the introduction of any such software in the future.

  • Directs various Debian functionaries to implement these changes.
The really fun part, though, is that the project is not really voting on this initiative at this point. Instead, there is a competing proposal out there, with rather softer terms. So this is a sort of "primary election" which will choose which of the two proposals will come to a real vote. It's a bit more trouble that all the developers really wanted to deal with.

Anyway, voting will go through October 23, we'll cover the results as they are released. Unfortunately, no public opinion polling data appears to be available...

Debian Weekly News. The Debian Weekly News for October 11 is available. It covers some interesting changes to the Debian bug reporting system, security updates for 2.1, handling of locale data, and more.

General Red Hat 7 updates. Red Hat has been cranking out the updates to fix the problems that have turned up in Red Hat 7. Beyond the security updates, which are mentioned on the security page, there are fixes available for:

Many of the problems fixed are quite small, but it is likely that quite a few users will want to apply the glibc fixes.

TurboLinux announces University Outreach Program. TurboLinux has sent out an announcement describing its University Outreach Program. "Over the past six months, TurboLinux has donated software and services to more than 300 universities across North America. The TurboLinux University Outreach Program has also provided generous discounts on high-end clustering solutions, sponsored Linux 'install fests' and attended numerous university events."

TurboLinux also announced that Sacramento State's computer science department, one of the largest CS departments in the California State University system, has standardized on a TurboLinux Server and IBM XSeries platform to teach its upper division systems programming class to 130 students.

Immunix Workgroup Server Brings Linux to the Newbies (Network Computing). Network Computing reviews the Immunix Workgroup Server. "The underlying OS is Immunix 6.2, a standard Red Hat distribution. The source code is recompiled with StackGuard (buffer overflow protection) along with other tools to form a hardened distribution. On top of the OS is Wirex's proprietary Web-based Remote Network Administrator (RNA) engine."

Blue Fox: the search for a perfect distribution continues. Rick Collette, the original founder of Spiro Linux, is now working on new projects over at deepLinux, his new company. In addition to work on embedded systems, Rick has restarted his project to build the perfect "mainstream" GNU/Linux system, to be named Blue Fox Linux. He's looking for other visionaries/programmers to help him out, as he comments in this recent announcement.

Embedded Distributions

deepLINUX embedded toolkit released. deepLINUX has announced the release of its "dELT" embedded Linux toolkit. It currently supports the Intel and MediaGX chipsets, with ports to SPARC, StrongARM, and Alpha planned in the future.

Mini/Special Purpose Distributions

LinuxPPC bundles partitioning software. LinuxPPC announced their agreement with FWB Software to allow them to bundle FWB's Hard Disk Toolkit*PE partitioning tool with LinuxPPC. Anyone ordering a copy of LinuxPPC 2000 from the LinuxPPC website will receive a free copy of the disk partitioning tool, which will also be bundled with the next major release of LinuxPPC.

Section Editor: Liz Coolbaugh

October 12, 2000

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

Caldera OpenLinux
Debian GNU/Linux
Red Hat

Also well-known
Best Linux
Conectiva Linux

Rock Linux

Non-technical desktop
Icepack Linux
Redmond Linux

Boston University
Red Escolar

General Purpose
Alzza Linux
aXon Linux
Bad Penguin Linux
Black Cat Linux
BluePoint Linux
BYO Linux
CAEN Linux
Cafe Linux
ChainSaw Linux
Circle MUDLinux
Complete Linux
Console Linux
Corel Linux
Darkstar Linux
Elfstone Linux
ESware Linux
Eurielec Linux
eXecutive Linux
Fried Chicken
HA Linux
Halloween Linux
ix86 Linux
Lanthan Linux
Linpus Linux
Linux Cyrillic Edition
Linux MLD
LinuxOne OS
Linux Pro Plus
LNX System
Lute Linux

NoMad Linux
Omoikane GNU/Linux
PingOO Linux
Plamo Linux
Project Ballantain
Rabid Squirrel
Root Linux
Serial Terminal
TimeSys Linux/RT
Tom Linux
VA-enhanced Red Hat
Vine Linux
Virtual Linux
WinLinux 2000

GNU/Linux Ututo
Definite Linux
Red Flag
Linux Esware
Kaiwal Linux
Thai Linux Extension

Related Projects
Chinese Linux Extension

Historical (Non-active)
MCC Interim Linux
Storm Linux


 Main page
 Linux in the news
 Back page

See also: last week's Development page.

Development projects

News and Editorials

Python 2.0 release candidate 1. The first release candidate for Python 2.0 has been announced. This will be the first release since the development group moved to BeOpen, and the first under the BeOpen license. Despite being a "dot-zero" release, Python 2.0 does not bring major changes to the language. Instead, the changes are mostly incremental. They include:

  • Python users will finally be able to code things like:
    	x += 1
    The language has avoided this sort of "augmented assignment" until now. Note that the autoincrement and decrement operators (i.e. x++) are still not supported, and probably never will be.

  • A new notation for generating lists from other lists - they call it "list comprehensions." For example:
           [2*x for x in list]
    will double each entry in a list full of numbers.

  • Some new import syntax which allows renaming of imported modules.

  • A new print statement which can print to streams other than the standard output.

  • A new garbage collector which can catch cycles which elude the standard collector, which is based on reference counts.

  • A fancy new XML module.
There are also, of course, a great many smaller changes.

This is, with luck, the only 2.0 release candidate. For those who are interested in helping, now is the time to try out this release and report on anything that it breaks for you. In the absence of trouble, the real 2.0 release will be out shortly.


Opera for Linux Beta 1. The Opera for Linux beta version is finally out. Opera is based on Qt but a statically linked version is available so you don't necessarily need Qt to run it. A strong feature set is presented for this new Linux browser entry including XML, CSS and PNG support, plus Netscape and IE bookmark import features.

There are some rather unpleasant bugs, but they are mentioned on the Web site - use with caution.

MozillaTranslator.org opens. Mozilla Translator is both a program and a website. The program helps to automate the process of translating Mozilla to new languages. The web site aims to be the central repository for Mozilla translation software and should help to bring people working on translations together.


PostgreSQL Developers Join Great Bridge. Three PosgreSQL developers, Bruce Momjian, Tom Lane and Jan Wieck, have been hired by Great Bridge LLC to fill senior level positions. " 'Bruce, Jan and Tom provide Great Bridge with an unparalleled level of technical expertise in open source development. By joining Great Bridge, they can turn their part-time passion into full-time careers,' said Great Bridge President and CEO Robert Gilbert. 'It is also a strong endorsement of Great Bridge's efforts to build a strong support system for businesses that use open source software. We share the belief that open source is the best, most efficient model for producing powerful software, and our business targets the single most significant barrier to its being adopted on an even larger scale -- the perceived lack of corporate support services.'"


SEUL/edu Linux in Education Report. After a week off, the SEUL/edu Linux in Education Report is back. It presents a wishlist for simple math programs, and covers a number of other available educational resources.


gEDA snapshot available. A new snapshot of the GPL Electronic Design Automation (gEDA) package is available for download. The gEDA project is a collection of programs for simulating electronic circuits and drawing schematics among other things.

GNU Waveform Viewer: gwave. A new version of gwave, the GNU Waveform Viewer has been released on October 9, 2000. "Gwave can read binary or ascii files written by HSpice from transient, AC, or Sweep analyses, "raw" files written by Spice2, Spice3, or ngspice, and transient analysis files from the CAzM simulator. "


Fanwor mimics Atari Legend of Zelda (Identicalsoftware). A new version of Thomas Huth's action-adventure game, Fanwor version 1.11, has been released. Fanwor has been released under the GPL license.

Embedded Systems

Microwindows v0.89 pre2 released. The Microwindows Project has released microwindows version 0.89 pre2. A number of new features have been added including handwriting recognition, and a new window manager. "Microwindows is an Open Source project aimed at bringing the feature of modern graphical windowing environments to smaller devices and platforms. Microwindows allows applications to be built and tested on the Linux desktop, as well as cross-compiled for the target device."

Lineo releases BusyBox 0.47. Lineo has announced the release of BusyBox 0.47. BusyBox is a set of tiny command line utilities for embedded (and otherwise space-constrained) systems; it was originally written by Bruce Perens.

Network Management

BIND 9 released. Version 9 of the BIND DNS nameserver has been released. BIND 9 is a complete rewrite of the code, and features improved security, IPv6 support, and more.

This week's OpenNMS update. Here is the OpenNMS update for October 10, covering the latest from the Open Network Management Software project. The OpenNMS folks seem to be busy with trade shows at the moment; they'll have a booth at ALS for those who would like to drop by.

Office Applications

KOrganizer 2.0. KOrganizer version 2.0 will be included in the upcoming, if somewhat delayed, KDE 2.0 release. "KOrganizer is the KDE calendar and scheduling application. It provides management of events and tasks, alarm notification, web export, network transparent handling of data, and more." KOrganizer looks to be a very useful desktop application and is definitely worth checking out.

Gimp 1.1.27 bug fix release available. Gimp 1.1.27 has been released. This is a bug fix release that fixes some Perl problems from the previous release. Gimp is a full-featured image manipulation program with capabilities similar to Adobe Photoshop.

On the Desktop

KDE2 Release Delayed One Week. KDE Dot News reports that the release of KDE2 has been delayed for a week, as a result of it being not quite stable yet. A new release candidate is being prepared, and the new release date is October 23.

The People Behind KDE: Waldo Bastian. The "People behind KDE" series continues with this interview with Waldo Bastian. " I try to ensure that the fundaments of KDE are technically sane, reliable and well-performing. I also edited the last incarnation of KDE's style guide and promote this to others as so ensure that the whole of KDE has a consistent look and feel."

Trolltech releases Qt 2.2.1. Trolltech has released version 2.2.1 of Qt, the windowing toolkit used by KDE. This version is mainly a maintenance/bug fix release which solves several compatibility problems.

KDE wins Linux Community Award 2000. According to KDE Dot News: "Matthias Elter announced today that KDE has won the Linux Community Award 2000 at LWE in Frankfurt/Germany!"

GNOME Foundation Elections. The election for the GNOME Foundation board of directors will happen during the first week of November. They say that "anybody who has contributed in any way to GNOME" is eligible to vote; it is, however, necessary to register first. See this item on Gnotices for more information on how the election will work.


Genomes at Home? (NewsBytes.com). In the footsteps of the wildly successful Seti@Home project comes Fold@Home, a project to "unravel the mystery of protein folding, or how proteins self-assemble." Join in and let your computer chew on some data in it's spare time.

Web-site Development

Apache 2.0 alpha 7 released. The seventh alpha release of Apache 2.0 has been announced. This release contains a number of bug fixes, and a new "input filtering" capability as well.

Midgard Weekly Summary. Here is the Midgard Weekly Summary for October 11. The first release of the Midgard 2.0 requirements document and a number of other Midgard development topics are covered.

Upcoming Zope Book. Michel Pelletier and Amos Latteier are in the process of writing a new book on Zope. Parts of the book are available online, and the authors are seeking comments on the material. Beware that this is an Alpha release of the book and it may contain errors.

Zope Weekly News. The somewhat misnamed Zope Weekly News for October 11 is out. It covers a number of topics in Zope development, including session tracking and write locking in Zope, web security, using Zope with Python 2.0, ZPatterns examples, and more.

PyPortal web portal creation software. PyPortal is a Python library that is useful for the creation and maintenance of web portal sites. The announcement claims that you can create a web site in under 5 minutes. PyPortal has been released under the GPL license.

Section Editor: Forrest Cook

October 12, 2000

Application Links
High Availability

Open Source Code Collections
Le Serveur Libre



Programming Languages


GCC steering committee position on use of snapshots. The GCC Steering Committee has issued a statement on the use of snapshots in distributions. This statement is clearly in response to Red Hat's use of gcc-2.96 in its Red Hat 7 release, as covered in last week's LWN Weekly Edition. "We would like to point out that GCC 2.96 is not a formal GCC release nor will there ever be such a release. Rather, GCC 2.96 has been the code- name for our development branch that will eventually become GCC 3.0. Current snapshots of GCC, and any version labeled 2.96, produce object files that are not compatible with those produced by either GCC 2.95.2 or the forthcoming GCC 3.0." (Thanks to Toon Moone).


Do not reassign the object reference of a locked object (IBM Developer Works). Peter Haggar has written an article for IBM's developer works that discusses the Java synchronized keyword and its application for the locking of objects.


University of Perl reports (Use Perl). Use Perl has run a series of articles by Nathan Torkington that document what has been happening at the recent University of Perl class:


This week's Python-URL. Dr. Dobb's Python-URL for October 9 is out, containing, as usual, the latest from the Python development world.

PyXML 0.6.1 is released. PyXML version 0.6.1 has been released. This version has numerous bug fixes, better test suite support, and support for Python 1.5.2. "The Python/XML distribution contains the basic tools required for processing XML data using the Python programming language, assembled into one easy-to-install package. The distribution includes parsers and standard interfaces such as SAX and DOM, along with various other useful modules."

Python 9 Conference. The 9th International Python Conference is being held from March 5 through 8, 2001 in Long Beach, California. Information on paper submission dates has been given.

ReportLab 1.01. ReportLab version 1.01 is now available. ReportLab is a Python package that is used to generate PDF documents.


This week's Tcl-URL. Here is Dr. Dobb's Tcl-URL for October 9. Check it out for the usual collection of interesting Tcl/Tk tidbits.

FreeWrap 4.4 announced. FreeWrap is a program that converts TCL/TK scripts into single-file binary programs. The release of FreeWrap version 4.4 has been announced.

Software Development Tools

Autoconf/Automake Book. Havoc Pennington, GTK+ expert and author, pointed out an upcoming book from New Riders called GNU Autoconf, Automake, and Libtool.

Section Editor: Forrest Cook

Language Links
Caml Hump
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
IBM Java Zone
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP Weekly Summary
Daily Python-URL
Python Eggs
Ruby Garden
MIT Scheme
Why Smalltalk
Tcl Developer Xchange
O'Reilly's XML.com
Regular Expressions

 Main page
 Linux in the news
 Back page

See also: last week's Commerce page.

Linux and Business

E*Trade and the Red Hat IPO. Many of you will likely remember the troubles that some people had in participating in Red Hat's IPO a year ago last August. Participants had to pass through the gauntlet of E*Trade's questionnaire, followed by a last minute reconfirmation dance when the IPO price was raised (to $7, split adjusted). Most people probably thought that this story was closed long ago, especially since, in the end, 1150 of the 1300 developers who indicated interest in participating were able to do so (according to former Red Hat manager Donnie Barnes).

As it turns out, the story was not over. One person who wished to participate was Semyon Varshavchik, otherwise known as "mrsam." He was one of those who never was successful in joining the IPO, and he was not pleased. So he filed an arbitration claim against E*Trade, claiming that he had been unfairly denied the opportunity to participate.

This case went on for a year. Over that year, some interesting things turned up. For example, E*Trade appears to have "lost" 200,000 of the Red Hat shares that were supposed to be distributed in the offering - 25% of the total they were allotted. It also turns out that there was no SEC-mandated requirement for the questionnaire that E*Trade made participants answer. That much has been clear for a while, since companies like VA Linux Systems and Caldera Systems were able to run community offering programs without that formality.

In August, Mr. Varshavchik won his case; he was awarded $14,800 in damages from E*Trade, plus interest and legal fees. That is far short of the almost $55,000 requested, but is still a clear victory.

Others who were denied the ability to participate in the IPO may want to consider similar action. A great deal of information on this case may be found in Mr. Varshavchik's "etrouble" pages; it makes for interesting reading in any case. (See also this Slashdot article, which is were we found this story).

Free Standards Group releases Linux Development Platform Specification. The Free Standards Group has announced the release of the Linux Development Platform Specification. The LDPS, first covered in the August 3 LWN Weekly Edition, defines a base set of capabilities that all Linux systems should provide. This set, along with some programming guidelines, is intended to help application developers write code that is portable across distributions.

SAP to release database under GPL. SAP has announced the forthcoming release of its SAP DB database management system under the GPL. It will apparently be available toward the end of the year. A site is being set up at sapdb.org to support the release and subsequent development work.

Cnation Unveils Open Source Platform, BingoX. Noting sites such as Fox Interactive and eToys.com as users, Cnation announced the release of their BingoX Web development environment as an open source product. Based around Perl and Apache, "BingoX is an open source, object oriented Web Application Framework written in mod_perl that is meant to dramatically reduce the time required to build large dynamic, database driven web sites and applications". Cnation has released BingoX under the LGPL license.

Vita Nuova to distribute Plan 9 in a box. Vita Nuova has announced its intention to sell a boxed version of the Plan 9 operating system.

Press Releases:

Open Source Products

Unless specified, license is unverified.
  • The Internet Software Consortium (REDWOOD CITY, Calif.) announced the release of BIND 9, written by Nominum, Inc. under an ISC outsourcing contract. BIND, an acronym for Berkeley Internet Name Domain, is the most commonly used domain name server on the Internet and implements the Domain Name System (DNS) suite of protocols. Available as Open Source from the Internet Software Consortium, BIND 9 supports IPv6 and the DNS security enhancements specified by the Internet Engineering Task Force.

Distributions and Bundled Products

  • LinuxPPC Inc. (WAUKEHSA, Wisconsin) announced that it has licensed the Hard Disk Toolkit*PE partitioning tool from FWB Software, LLC.

  • Red Hat has announced its support for the entire IBM eServer line.

  • SuSE Linux AG (Nuremberg, Germany) announced that SuSE Linux 7.0 is tested and optimized for Oracle8i.

  • SuSE Linux AG announced their full support for IBM eServers.

  • VA Linux Systems has announced the availability of a series of rack-mount servers with the Debian distribution installed.

Commercial Products for Linux

  • Forlink Software Corp. Inc. (BEIJING) announced that PC-Computing Magazine has honored Forlink's full-text For-Search search engine with its Five-star Product distinction in the New Product category.

  • Synopsys, Inc. (MOUNTAIN VIEW, Calif.) announced the availability of a tool suite for high-level design on the Linux operating system. In addition to the complete RTL synthesis solution with Synopsys' flagship product Design Compiler, the list of Linux products includes PrimeTime, Synopsys' gate-level static timing analysis tool for System-on-a-Chip, Scirocco high-performance VHDL Simulator, and Module Compiler.

Products Using Linux

  • AMD has announced the release of a simulator for its 64-bit processor line. This simulator, which runs on Linux, allows the porting and testing of code without the need for an actual x86-64 processor.

  • Extended Systems (BOISE, Idaho) will embed the McAfee VirusScan engine into its ExtendNet 4000 Internet appliance and offer the service as an option to new customers or as an add-on to existing customers.

  • MSC.Software Corporation (LOS ANGELES/COSTA MESA, Calif.) announced the release of MSC.visualNastran Desktop 2001 for Solid Edge, built using MSC.Linux.

Products with Linux Versions

  • Advanced Management Solutions Inc. (REDLANDS, Calif.) announced that the Python programming language has been embedded into AMS REALTIME, its suite of project and resource management software.

  • BackWeb Technologies (SAN JOSE, Calif.) unveiled BackWeb Foundation Release 6.0 and e-Accelerator v2.1, the next major versions of BackWeb's Polite push-based communications infrastructure solutions. A Linux port is in the works.

  • Executive Technologies, Inc. (BIRMINGHAM, Ala.) announced SearchExpress/Spider, a high-performance Spider and search engine that can crawl the Internet or a corporate intranet to retrieve and index millions of documents per day.

  • FGL Graphics (MUNICH, Germany & SAN JOSE, Calif.) announced that Fujitsu Siemens Computers, the manufacturer of CELSIUS workstations, will integrate FGL Graphics' new Fire GL2 and Fire GL3 accelerators into all CELSIUS models.

  • IBM (SOMERS, NY) introduced DB2 Everyplace, a compact relational database. Embedded Linux support is new with this version.

  • IBM (RESEARCH TRIANGLE PARK, N.C.) announced the IBM eServer(a) xSeries(a) 330, a 1U thin server.

  • MathSoft Inc., Data Analysis Division(SEATTLE) introduced S-PLUS 6 for UNIX, a major enhancement to the company's statistical data mining software. It is initially available for Linux and Solaris.

  • MQSoftware, Inc. (MINNEAPOLIS) announced that it is enabling Q Pasa!, its management tool for MQSeries, to work with IBM's WebSphere software platform for e-business.

  • PolyServe (BERKELEY, CA) announced an agreement with Network Associates' McAfee division in which McAfee will begin co-branding and distributing PolyServe products throughout their worldwide sales channels. PolyServe's Understudy and LocalCluster products will be marketed as McAfee Understudy and McAfee LocalCluster.

  • SGI (MOUNTAIN VIEW, Calif.) announced several enhancements to its support services, resulting in more choices and increased flexibility for customers receiving support from SGI. This includes Linux and IRIX support.

  • Tech Soft America (ALAMEDA, Calif.) announced the availability of the HOOPS Internet Tools v2.0. HOOPS Internet Tools are composed of the HOOPS/Stream, HOOPS/ActiveX, and HOOPS/Netscape Toolkits, as well as source-code references for both the ActiveX and Netscape Plug-in environments.

Java Products

  • Saffron Technology (RESEARCH TRIANGLE, N.C.) announced commercial availability of SaffronOne, which integrates with any Java-enabled IT platform to observe interactions between people and computers, locate experts in the context of user needs, and then use that information to predict relevant and accurate outcomes.

  • Sun Microsystems released the Java 2 Standard Edition SDK v1.3 for Linux. (Thanks to Greg Bailey).

Books and Training

  • Jabber.com, Inc. (DENVER) announced it has reached a multi-faceted instant messaging training and certification agreement with Kaivo, an open source solutions provider. The agreement creates the first Jabber Instant Message Training Program and Certified Developers Network.

  • LinuxCertified.com has announced a Linux certification bootcamp, to be held in the San Francisco Bay area the weekend of November 18. Attendees get a Linux laptop as part of the program.

  • O'Reilly has announced the release of Java Examples in a Nutshell, a book devoted entirely to examples of Java code. Almost 18,000 lines worth. It's written by David Flanagan.

  • Sams Publishing has wasted no time in announcing the publication of Red Hat 7 Unleashed.

  • TurboLinux has announced that it will be doing a series of "Mission Possible" seminars with IBM.


  • eOn Communications Corporation (MEMPHIS, Tenn. and BIRMINGHAM, Ala.) announced an expanded partnership with E Tech Communications, Inc. in which E Tech will market, install and service eOn's new Linux-based eNterprise communications systems.

  • EBIZ and LinuxMall.com have finally announced the completion of their merger. Given that they had announced the finalization of the agreement in August, this last step has taken a while. The company remains in Arizona, and there is no longer talk of calling the whole thing "LinuxMall.com."

  • EBIZ Enterprises Inc. (SCOTTSDALE, Ariz.), parent company of TheLinuxStore.com, announced an exclusive partnership with User Friendly Media Inc. The partnership will see the creation of a vendor-neutral online mall specializing in Linux-related products and services, branded with the characters from the User Friendly daily episodic cartoon strip.

  • Rackspace Managed Hosting (SAN ANTONIO) announced a partnership with WebTrends Corporation, which will provide Rackspace customers with analysis of the behavior patterns and preferences of visitors to their Web site using WebTrends' software.

Investments and Acquisitions

  • Dialtone Internet, Inc. (FT. LAUDERDALE, Fla.), a provider of Linux dedicated hosting and colocation solutions, announced the completion of a $2.0 million round of financing. Funds were raised from CrossBow Ventures, and are earmarked for International expansion in Latin America, Europe and Asia.

  • Northern Lights, Inc. (TOKYO), a Linux-based system solutions provider, announced that Intel Capital has invested in the company. Financial details were not disclosed.

  • TurboLinux has announced the receipt of another $30 million in venture funding. The investors include Fujitsu, Hitachi, IBM, SGI, Dell, and Intel.

Financial Results

  • Motorola, Inc. (SCHAUMBURG, Ill.) reported sales of $9.5 billion in the third quarter of 2000.

New Offices/Personnel

  • MontaVista Software, Inc. (SUNNYVALE, Calif. & MUNICH, Germany), developer of the Hard Hat Linux operating system for embedded applications, announced the inauguration of its direct presence in Germany with a new office in Munich.


  • PalmWorks Inc. (LEAGUE CITY, Texas) announced it is changing its name to Zydant Corporation. President and CEO, James T. Voss is quoted, "At Zydant, our goal is to provide the best applications, content and services for all Wireless PDA devices whether they are based on PalmOS(R), Windows(R)CE or Linux(R) operating systems."

Section Editor: Rebecca Sobol.

October 12, 2000


 Main page
 Linux in the news
 Back page

See also: last week's Linux in the news page.

Linux in the news

Recommended Reading

Why the world needs reverse engineers (ZDNet). Here's a ZDNet column in defense of reverse engineering. "There are now black boxes, whether in hardware or software, that are illegal to peek inside. You can pay for it and use it, but you are not allowed to open up the hood. You cannot look to see if the box violates your privacy or has a security vulnerability that puts you at risk."


Tech giants give $30 million more to TurboLinux (News.com). News.com reports on the latest investments in TurboLinux. "One source familiar with TurboLinux's plans said the company's IPO schedule is moving along, though, and the company intends to file its initial public offering plans with federal regulators soon. An investment bank has been selected to lead the IPO, the source said."

Learning the ways of Mozilla (Upside). Upside looks at the Mozilla project and the difficulties that outsiders have sometimes encountered when trying to participate. "All told, [Mozilla 'Chief Lizard Wrangler'] Baker says the ratio of Netscape to non-Netscape developers has steadily declined since the first source code release in April 1998. With Mozilla currently preparing to pass its final milestone prior to its official 1.0 release -- an event Baker currently predicts to be in the second quarter of 2001 -- the days of Mozilla's reputation as the Winchester Mystery House of open source projects are coming to a quick close."

Open source uncertainty over Microsoft-Corel (Upside). Upside looks at Microsoft's investment in Corel. "As for Corel and its own future as a Linux operating system and application vendor, company president Derek Burney, who replaced the outgoing Cowpland last month as chief executive officer, says the company is already evolving beyond operating system concerns."

Refreshed Corel gets down to business (Ottawa Citizen). The Ottawa Citizen looks at the changes at Corel. "In what is perhaps a sign of things to come, Corel has cancelled the annual gala that Marlen Cowpland, Mr. Cowpland's wife, used to sport revealing, attention-getting outfits. At the 1999 gala, she wore a $1-million leather catsuit with 24-karat gold breastplate, adorned with a 15-karat diamond nipple. Corel spokeswomen Anne Vis said cancelling the gala, which had cost as much as $3 million in years past, is 'part of our cost-restructuring program and our more disciplined financial approach.'"

Sounds like good thinking on their part.... There's some serious news too: "Since Mr. Burney took over as interim chief executive, the Linux startups Corel had invested in under Mr. Cowpland have seen their financing cut and say the turnover in employees at Corel has left them with virtually no communication with the Ottawa company."

Sun's purchase of Cobalt nullifies three potential threats (InfoWorld). Nicholas Petreley points out the advantages to Sun of its purchase of Cobalt Networks. "The best news of all for Sun is that no matter how the hardware picture develops, Sun's implicit endorsement of Linux by purchasing Cobalt puts yet another nail in the coffin of Windows 2000. This helps Sun eliminate the only threat about which it can do nothing."

VA Linux creates Japanese alliance with Sumitomo (ZDNet). Looks like VA is making their move into Asia: "VA Linux Systems, Inc. and Sumitomo have invested in a new joint subsidiary, VA Linux Systems Japan, and NTTCommunicationware, NEC Technologies, Inc., and Toshiba Engineering have also indicated plans to invest in the venture."

Riding the Gnutella Wave (Internet World). Internet World looks at Gonesilent, the successor to Infrasearch. "If you want to know how revolutionary a piece of software is, you might try measuring how long it stays on the Net before it is hastily banished."

Synopsys pulls Linux into full ASIC design flow (EETimes). In what may be considered the "Oracle on Linux" announcement for the chip designing world, Synopsys Inc. is making a complete, front-end ASIC design flow available under Linux ..."a move that opens the door for the widespread adoption of Linux as the No. 2 EDA platform and very possibly writes the epitaph for Windows NT in chip design". (Thanks to Tom Verbeure).


Red Hat, SuSE CEOs: We're for Linux open source (InfoWorld). Bob Young of Red Hat and Dirk Hondel of SuSE were interviewed at LinuxWorld in Berlin: ""If permanent copyrights had existed in the time of the ancient mathematicians, every time you wanted to use the Pythagorean Theorem or an isosceles triangle, you'd have to pay royalties," said Young, remarking that scientific progress is based on the sharing of knowledge, with each researcher building on previous innovations".

Linux leader says standard version will emerge (News.com). TurboLinux CEO Paul Thomas says that Linux distributions will converge over the long run: "The world doesn't need 150" versions of Linux, he said Wednesday at a W.R. Hambrecht conference for open-source software. "Consolidation will take place."

Red Hat talks big at open-source conference (News.com). News.com reports from the W.R. Hambrecht conference on open source companies. "At today's open-source conference, [Red Hat CTO] Tiemann said Red Hat has won the 'distribution' battle, the effort to sell Linux and associated software. 'The Linux distribution game is over. Red Hat has won that game. Red Hat is the market leader in virtually every respect,' he said."

Penguins invade the orchard (ZDNet). Here's a ZDNet column on how Linux threatens Apple. "All I do know is that Linux is becoming a credible desktop far faster than most would have predicted, and Apple's pretty plastic cases and faux-open-source OS won't be enough to keep it from being the next victim of Linux's rise up the food chain."

IBM's Entire eServer Family To Run Linux (ZDNet). IBM is preparing it's entire hardware server line to run all four major distributions of Linux - Caldera, Red Hat, SuSE, TurboLinux.

InfoWorld Announces Top 10 Innovators. InfoWorld has a top 10 list available that includes some well known names in the Open Source field: Apache, Tim Berners-Lee, Richard Stallman and Phil Zimmerman.

Operating System Invades Jim Henson's Creature Shop (LinuxNews.com). LinuxNews.com reports on the use of Linux at Jim Henson's Creature Shop. " While the original Muppets will remain unchanged, old favorites as well as new characters are performing in online and real-time computer graphics venues, as well as preparing for new adventures on the silver screen, through a new Linux-based control system."

Microsoft `Gets It': Does the Linux Community? (LinuxNews.com). LinuxNews.com is carrying a story on how middleware will become the most important factor in the Internet age: "It will be the next "big thing" because Middleware will ultimately shape and define what the INTERNET becomes. The ability to identify, authenticate and authorize delivery of information will become fundamental to conducting business in the next generation of the INTERNET economy. It will encompass and pervade the information supply chain, all the way from your wrist watch access device to serving as the basis for building virtual corporate collaborations. It will ultimately call fundamental questions on the issue of privacy and the protection and maintenance of one's identity."

Open sourcerers tweak Linux for access (EE Times). EE Times looks at open source programs for disabled users. "The recent commercialization of Linux has brought with it mass appeal, with its open-source status allowing those masses to more easily share tools and solutions. But ease of use is a different issue for the nation's 54 million disabled citizens, and accessibility is a somewhat complex proposition to define."


Linux 2.4 kernel release delayed (ZDNet). ZDNet reports on Linus's announcement that the 2.4 kernel is at least two months away. " Open-source backers haven't been forgiving when for-profit software makers -- most notably, Microsoft Corp. -- let development schedules slip. But when it comes to Linux, they claim expectations aren't the same thing as release dates. 'We don't do deadlines in the open-source world, which is a major reason our stuff is right when it comes out,' said open-source leader Eric Raymond." (Thanks to Rolf Heckemann).

New Linux shows promise in heavy-duty business use (News.com). C|Net's News.com is carrying a story on what the scalability in the Linux 2.4 kernel will mean. "The next version of the core of Linux, the 2.4 kernel, is up and running on Sun Microsystems' top-end E10000 server with 24 processors...Solaris...works on computers with up to 105 CPUs ... and Microsoft has just released a version of Windows that can use 32 CPUs."


Embedded Linux Newsletter, October 5, 2000. The latest Embedded Linux Newsletter from LinuxDevices.com has been published.

Comparing real-time Linux alternatives (LinuxDevices.com). LinuxDevices.com has this whitepaper on alternative approaches to adding real-time capabilities to Linux. "Lately, the question of whether (and how) Linux can be made to serve the needs of real-time applications has been the subject of much debate, in a discussion made complicated by a multitude of definitions for real-time. We see the terms 'hard', 'firm', and 'soft' real-time being used. These, along with 'guarantee', 'deterministic', 'preemptible', 'fully preemptible', and 'latency', often pepper the discussions. "


Organized bookmarks? Who'd have thought it! (Canada Computes). Canada Computes reviews Gnobog, the GNOME bookmark organizer. "We're not talking rocket science here, but it amazes me that there aren't more programs like this that do to the job well. Oh well, Gnobog is definitely worth the download if you obsessively bookmark sites like I do."

Making Linux Work in the Workplace: GIMP vs. Photoshop (LinuxOrbit). LinuxOrbit compares Photoshop and the Gimp. "Using the whimsically titled, yet professionally powerful GIMP, one begins to feel that this whole Open Source deal just might work. Here is a piece of freeware going against the best in the business, and giving it a real run for the money." (Thanks to John Gowin).


IBM: The Big Blue support for the Linux community (O Linux). O Linux talks with the IBM Linux Technology Center staff. "We base our decisions on customer demand. While Debian is well thought of, our customers have consistently expressed an interest in Red Hat, SuSE, TurboLinux and Caldera - and that's what we're giving them."

Sir(e) Ian Murdock (Andover News). Andover News profiles Ian Murdock. "Over the last ten years he has nursed a degree, fathered an operating system, nurtured the community that supports it, continues to parent four dogs, a company, and now, at last, a baby girl." (Thanks to César A. K. Grossmann).


Which is it: -ible, or -able? (LinuxDevices.com). You may have thought that the furor over MontaVista's "fully preemptable kernel" announcement had died down, but this LinuxDevices.com article shows that the real battle has yet to be fought. "But that's not where the debate ends. Nobody thought of questioning another aspect of MontaVista's release -- namely: had they spelled 'preemptable' correctly?"

Tackling The Digital Divide -- Without Linux (TechWeb). A conference to tackle the "digital divide" facing third world countries is taking shape with leaders from many big computing companies, but apparently without input from the Linux world. "But no one from the fast-growing and generally lower-cost Linux community was invited to the table, officials from the sponsoring organization, the World Resources Institute, acknowledged on Thursday".

Section Editor: Rebecca Sobol

October 12, 2000


 Main page
 Linux in the news
 Back page

See also: last week's Announcements page.


Linux Advanced Routing & Traffic Control List.Announcing the creation of the Linux Advanced Routing & Traffic Control List: those who have been working on the Advanced Routing & Traffic Control HOWTO for a while have noted a marked increase in the number of people sending them mail with questions.

In response to this demand, there is now a list catering to the needs of people who want to discuss the application of advanced routing, traffic control and shaping on Linux.

Interested parties are invited to subscribe here.


Stump the Chump at Atlanta Linux Showcase. Tuxtops has announced the first annual 'Stump the Chump'. Their resident "chump", Chief Technical Officer, Mark Allen, has agreed to match wits with attendees who'd like to challenge his Linux laptop expertise. ALS runs from October 10 to 14, 2000.

Keynote speakers for ApacheCon Europe. ApacheCon Europe, happening in London starting October 23, has announced its keynote speakers. They will be Dr. Kristof Kloeckner of IBM, George Paolini from Sun, and Douglas Adams, author of The Hitchhikers Guide to the Galaxy.

Linux Expo brings Pengiun Power to Hogtown. The keynote sessions for Linux Expo Toronto (October 30 - November 1, 2000) have been announced.

You have just missed the Linux2000 congress. Linux2000 took place in "De Reehorst", Ede in the Netherlands, recently, but there is another conference of interest to Linux users, in the same area. Look for the autumn conference of the Unix User Group - the Netherlands, coming on November 9, 2000. (Thanks to Fred Mobach).

The New Entertainment Era. Scott Draeker, president and founder of Loki Software, Inc., will be joining Michael L. Robertson, chairman and CEO of MP3.com, Christie Hefner, chairman and CEO of Playboy (and Playboy.com) and other industry leaders for a conference that will address how Internet challenges of free speech, free trade, and intellectual property can coexist. Cato Institute and Forbes ASAP for Technology & Society 2000, November 9-10, 2000 in Reston, VA

Second Annual Event Honors the Best of Linux. Linux Journal and Key3Media Events, Inc. announced that Linux Journal will present the second annual Penguin Playoff Awards at LINUX Business Expo-Las Vegas. LBE is co-located with Comdex Fall, November 13-17, 2000.

October/November events.
Date Event Location
October 10 - October 14, 2000. Atlanta Linux Showcase Cobb Galleria, Atlanta, Georgia.
October 15 - October 19, 2000. 2nd Annual Linux Storage Management Workshop University of Miami, Miami, Florida.
October 16 - October 18, 2000. Wireless Developer Conference Santa Clara Conference Center, Santa Clara, CA.
October 21 - October 22, 2000. Alternative Computer Expo (ACE 2000) Albert Park, Victoria, Australia.
October 23 - October 25, 2000. ApacheCon Europe 2000 Olympia Centre, London, England.
October 27, 2000. Embedded Linux Expo & Conference Wyndham Westborough Hotel, Westborough, MA.
October 29 - November 2, 2000. Software Development Conference & Expo 2000 East Washington Convention Center, Washington, D.C.
October 30 - October 31, 2000. Open Source Database Summit Hayes Mansion Conference Center, San Jose, California.
October 30, 2000. First Annual Federal GNU and Linux Users' Conference And Awards Presentation Washington, D.C.
October 30 - November 1, 2000. Linux Expo Canada Metro Toronto Convention Center, Toronto, Ontario.
November 1 - November 5, 2000. IT.COM2000 Palace Grounds, Bangalore, India
November 4 - November 10, 2000. SC2000 - SuperComputing Dallas Convention Center, Dallas, TX.
November 7 - November 9, 2000. Embedded Systems Conference Europe Maastricht, Netherlands.
November 12 - November 15, 2000. XML DevCon Fall 2000 San Jose, California.
November 13 - November 17, 2000. LINUX Business Expo Sands Convention Center, Las Vegas, Nevada.
November 25, 2000. Australian Open Source Symposium Adelaide, Australia.
November 28 - December 1, 2000. IEEE International Conference on Cluster Computing Technische Universität Chemnitz, Saxony, Germany.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Web sites

LuteLinux adopts ShowMeLinux. LuteLinux announced the addition of ShowMeLinux to their family of services. LuteLinux will be hosting future issues and will take over as publisher of ShowMeLinux, an on-line magazine.

eLance redesigns Web site. eLance, Inc. announced the release of its newly redesigned professional services marketplace site at www.elance.com.

User Group News

ILUG Bangalore. "The September 2000 meeting of the ILUG Bangalore was held in the midst of bandh's, postponements and pouring rain. The meeting began at 6:30pm on 30th September with an all-time low - only 46 attendees!" So begins this wrapup of ILUG Bangalore's last meeting. (Thanks to Atul Chitnis)

Geek Day Out. The Linux Users Group of Victoria is organizing a Geek Day Out. A festival gala for the Information Technology community, with an emphasis on open source software. In Victoria, Australia Friday October 20, 2000. This event kicks off ACE 2000 (see the events table above).

Linux Community pavilion at Bangalore IT.COM 2000. The Linux Community of India has announced that it will be hosting a Linux pavilion at Bangalore IT.COM 2000. This is a huge event, with 350,000 attendees; the Linux area is expected to be one of the largest at the event.

LUG Events: October 12 - October 26, 2000.
Date Event Location
October 12, 2000. Boulder Linux Users Group NIST Radio Building, Boulder, CO.
October 12, 2000. Phoenix Linux Users Group Sequoia Charter School, Phoenix, AZ.
October 12, 2000. Linux Introduction Delfzijl, Netherlands.
October 14, 2000. Route 66 Linux Users Group La Verne, California.
October 15, 2000. Omaha Linux User Group Omaha, Nebraska.
October 15, 2000. Beachside Linux User Group Conway, SC.
October 16, 2000. Linux Users' Group of Davis Z-World, Davis, CA.
October 17, 2000. Bay Area Linux Users Group Four Seas Restaurant, Chinatown, San Francisco, CA.
October 17, 2000. Kansas City Linux Users Group Kansas City Public Library, Kansas City, MO.
October 18, 2000. Linux User Group of Groningen Groningen, Netherlands.
October 18, 2000. Arizona State University Linux Users Group Tempe, AZ.
October 19, 2000. Rice University Linux Users Group Rice University, Houston, TX.
October 21, 2000. Silicon Valley Linux Users Group Installfest Computer Literacy Bookshop, 2590 N. First Street, San Jose.
October 21, 2000. Eugene Unix and GNU/Linux User Group Eugene, Oregon.
October 25, 2000. Linux User Group of Assen Assen, Netherlands.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

October 12, 2000



Software Announcements

Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:

Sorted by section and Sorted by license


Our software announcements are provided courtesy of FreshMeat


 Main page
 Linux in the news
 Back page

See also: last week's Back page page.

Linux Links of the Week

Atheos is a free operating system for Intel boxes. It has its own kernel, written from scratch, and its own window system. It is POSIX enough to run bash, but the window system is not compatible with X. It's intended to be a desktop system; worth a look if Linux is getting old and boring.

[TUX] "The face of the world has changed in 2076. Go figure. The evil multi-national corporate conglomerate empire MegaSoft® reached out and nuked someone (just about everyone, as it turns out) in 2023 with a nuclear-capable e-mail virus, designed to stop anti-trust suits. It worked, really, really well. Evil wins." Into this grim situation steps TermUnitX (TUX) to save the day. It is, of course, an online comic book, and it's wild. Worth a look.

Section Editor: Jon Corbet

October 12, 2000



This week in history

Two years ago (October 15, 1998 LWN): The word went around that Oracle was about to launch its own Linux distribution. Two years later, one can probably say that the rumor has not stood the test of time.

If Microsoft could crush us, it would already have done so. It is now several months too late for them to succeed.

Their window began to close when the first of the enterprise database announcements hit the streets. With Oracle's announcement of a bundled, supported, Oracle-over-Linux combination on CD-ROM offering the 24/7 reliability unattainable with NT, it has effectively slammed shut. [...]

Not only can't they crush us, but it will take a reversal of present trends for them to avoid a collapse into irrelevance within eighteen months.

-- Eric Raymond, in LWN's "Letters to the Editor" column.

Well, it seemed that way at the time...

Larry Wall was the recipient of the first Free Software Foundation Award.

The development kernel was 2.1.125; Linus announced that the last of the showstopper bugs had been fixed, and that it was about time to move into the pre-2.2 series. Meanwhile, one kernel hacker decided to go looking for foul language in the kernel source, and was not pleased with the results. We posted the resulting linux-kernel posting with a warning that it wasn't for the easily offended; it was one of the most popular files we have ever put up.

And no, the kernel source has not gotten any cleaner, at least not in the comments. User-visible output is held to a "suitable for children" standard, but comments in the source itself are unregulated...

One year ago (October 14, 1999 LWN): TurboLinux racked up its first big round of equity financing. Longstanding retailer LinuxMall.com also pulled in a sizeable investment from SCO, which was clearly beginning to realize that it needed to take Linux more seriously. Both of these investments were announced at the Atlanta Linux Showcase, which was underway.

Mr. Miller says that about 40 investors have approached Turbolinux, offering a total of nearly $200 million in potential funding. A lot has changed since Mr. Miller and his wife founded Turbolinux seven years ago.
-- The Red Herring, October 11, 1999

OpenSSH 1.0 was released; it was the first free ssh release in a very long time.

VA Linux Systems, O'Reilly & Associates, and SGI announced plans to produce a commercial, boxed version of the Debian distribution.

VA also filed for its initial public offering of stock, setting in motion what was to be the most spectacular IPO of the year.

In making such a bold move (Solaris is their core product) Sun is embracing everything that has made the Open Source movement such a success. Everything, that is, except that bit about opening up their source code.
-- Feed Magazine was unimpressed by the Solaris code "release."



Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 5 Oct 2000 13:24:37 -0400
From: Eric Kidd <eric.kidd@pobox.com>
To: letters@lwn.net
Subject: Source Forge concerns

I'm the lead developer of a SourceForge-hosted project, and I have two
concerns about the site.

* Silly ranking schemes

SourceForge now uses the Advogato trust metric to assign developer
rankings. Unfortunately, the Advogato trust metric is fairly broken, even
on Advogato. (I say this as someone who has undeserved "Master"
credentials, and would prefer to be a mere "Journeyer".)

Quite frankly, the SourceForge implementation of this idea is tacky and
juvenile. I'd prefer to opt out of the ranking systems, and just use
SourceForge as a development tool.

But if I can't do that, I'd like to take my projects elsewhere. Which
brings me to my next concern...

* Exporting

I can't export my project (at least not easily). I can export the CVS
repository, the web site, and some of the data. But there's no obvious way
to dump the bug tracker, forums, etc.

So even though the SourceForce code is available, and you can run it on
your own server, there's no obvious way to move a SourceForge project
elsewhere without losing data.

How to fix it: A nice, big "Export Project as XML" button on the project
administrator screen would make me sleep better at night. ;-)

It's not that I don't trust the SourceForge folks--they're remarkably
helpful--it's just that hosting a project on somebody else's servers
requires an extraordinary amount of trust.

Date: Tue, 10 Oct 2000 14:40:53 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
To: letters@lwn.net
Subject: GCC/RedHat Imbroglio and Version Numbering

In this weeks' Daily News, an item was posted wherein the GCC steering
committee effectively says "you shouldn't have included 2.96 in any product
release; that's not a real production release."

I have no particular sympathy for their complaint, frankly; that's what that
get for using a "real" release number.  This is a topic on which I've
ranted before; had they called that GCC 3.0alpha1, everyone would have
known better, I think.  I hope...

-- jra
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff     Baylink
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida     http://baylink.pitas.com                +1 727 804 5015

Date: Thu, 05 Oct 2000 06:46:24 -0400 (EDT)
From: Arlen Carlson <adcarlso@visinet.ca>
To: letters@lwn.net
Subject: Commercial "Debian"-style security

In this week's (Oct. 5) LWN, it seems that there is disappointment that the
commercial companies have not filled in the Debian security support...However
it should be noted that the commerical companies point their security updates
to the Debian mirrors.  Thus the apparent lack of "security patches" on their
own servers.

There is no real lack of interest on the part of the commercial
companies...they've just chosen to go the "Debian way".

Arlen Carlson <adcarlson@iname.com>

"Love is an ideal thing, marriage a real thing; a confusion of the real with 
the ideal never goes unpunished."
                -- Goethe

This message was sent by XFmail (Linux)


The penguins are coming...
         the penguins are coming...
To: Branden Robinson <branden@debian.org>
Subject: Re: Outrage at Debian dropping security for 2.1
Date: Thu, 05 Oct 2000 13:31:39 +0100
From: Tethys <tet@isengard.europe.dg.com>

Branden Robinson writes:

> Does Mr. Peacock expect Debian to provide security updates for Debian
> 2.0, 1.3, 1.2, or 1.1?  Does he expect, say, Red Hat, to provide security
> updates for 6.0?  How about 5.0?  4.2?  1.0?

I can't speak for Mr. Peacock, but yes, *I* expect security updates
for non-current versions of an OS. Fortunately, Red Hat does provide
them, and currently supports its 5.x, 6.x and 7.x releases.

As pointed out on LWN's front page this week, administrators are
reticent to upgrade an OS that's working well, when a smaller
security update would do just as well. Until Debian realise this,
their distribution will never gain widespread acceptance in
commercial environments. Maybe that's not one of their goals,
but it's something they currently don't seem to be aware of.

Date: Thu, 5 Oct 2000 09:22:30 +0200
From: Marko Schulz <in6x059@public.uni-hamburg.de>
To: letters@lwn.net
Subject: Debian drops slink security updates

It makes me angry and sad, if people are accused, because they speak
the truth. 

When the previous version of debian (2.1 aka slink) was released, the
next security update, didn't even mention the version before that (2.0
aka hamm). Now the folks from debian are even making a published
deadline and they get slammed for it. If they would have dropped
updates for slink silently nobody would have cried.

If one wants a secure system, he has to stay mildly current. The worst
bugs still get eliminated from 2.0.X-kernels, but there are others in
it, that just won't be removed, because it would take too much. I
expect the same for old versions of distributions, may they be called
SuSe, Red Hat or Mandrake. I too don't follow the newest-version-craze
and stay with older versions for quite some time, but I wouldn't rely
on them as being too secure.

marko schulz

 "Sind Comics Kunst?"    "Ist doch scheißegal!"
                        Stefan Dinters Antwort auf eine Podiumsfrage,
                        Comicsalon 1997 in Hamburg
Date: Fri, 6 Oct 2000 15:26:38 -0400
To: letters@lwn.net
Subject: Upgrading Debian
From: Zygo Blaxell <zblaxell@feedme.hungrycats.org>

>apt-get update
>apt-get dist-upgrade
>apt-get clean

The Debian Mantra.  ;-)

I'm a Debian advocate.  I use Debian on all of my Linux systems at home,
and I've successfully introduced it as an upgrade path at work at two
companies--there will be no more new Red Hat systems, and the old
ones will be replaced rather than upgraded.  

Frankly, the reason why I advocate Debian (stable) as my first choice,
and Debian (unstable) as my second choice, is because of the nice
semi-automated update mechanism, and because of the half-legion of
developers behind it.  On my own desktop and laptop systems, where the
entire user population (i.e. me and my spouse) has eight years of Linux
development experience combined with root access and a bootable rescue
CD, Debian is close to perfect.  On mission-critical systems, Debian's
'stable' distribution with daily upgrades to keep current with security
patches is definitely the way to go.

That said, even I, a rabid Debian fan and developer wanna-be, who runs
dist-upgrade in parallel on dozens of machines at a time every day, do
NOT blindly run dist-upgrade on the day after a Debian release without
testing it on non-critical machines first!

The first problem with this idea is that the Debian FTP archive layout
changed in the last release, so you can't get past 'apt-get upgrade'
without manual intervention if you're using cryptographically-enhanced
packages from non-US (and who isn't, really?).

Changes to NSS in glibc alone are enough to cause serious, widespread,
and downright weird problems during and after the upgrade.  Any package
that relies on a lot of shared library components is going to be
confused for several minutes, and the ones that aren't confused are
likely to be simply unavailable during that time.  Daemons are
problematic--some will stop at some arbitrary point during the upgrade
and restart at some arbitrary point after, others will continue to
function throughout the upgrade, and some will fail in unpredictable
ways depending on the exact timing of races between external user
access and dpkg's manipulation of the filesystem.  Some packages rely
on scripts to rewrite configuration files as the programs that use them
change syntax--we can only hope that those scripts preserve exactly the
semantics of the old configuration files.  dpkg itself has been known
to crash during large upgrades--especially upgrades that affect itself
or its own dependencies--and dpkg or apt-get sometimes crash while their
own dependencies are not satisfied, which means you can't use either
of these fine tools to clean up the mess afterwards.  

Hopefully, you won't be forced to recover the system using 'ar', 'zcat',
and 'tar'.  If you're smart, you install 'sash', and avoid several
failure modes that might result in having to dig out the boot floppies.

Upgrading Debian is a whole lot easier than upgrading other distributions,
but it is by no means perfect.

And so far we're only talking about Debian packages, not any third-party
or local packages that might have been installed outside of the Debian
package management system.  apt-get does not consider at all the
possibility of breaking installed packages that it doesn't know about
(how can it?), and will happily break them.  Even third-party packages
packaged as .deb files sometimes have useless or missing Depends: fields,
which effectively makes them invisible to apt-get.

This kind of widespread system reconfiguration can't be bug-free.
It may, in fact, be less prone to failure than back-porting many security
patches at the source level, but in practice there are a tiny number
of security-related patches compared to the total number of revisions
between stable releases, so the trade-off doesn't pay off.

A single back-ported security patch is a single, localized change,
designed to fix a single, specific problem--as a rule of thumb, there's
roughly an 85% chance of doing it successfully.  A full dist-upgrade
rarely leaves any installed non-documentation packages untouched--the
probability of making hundreds of changes, each at 85% probability of
success, without making any mistakes, is left as an exercise to the reader.

Date: Sat, 7 Oct 2000 14:11:54 -0700 (PDT)
From: Patrick Ennis <DzuSwei@excite.com>
To: lwn@lwn.nwt, letters@lwn.net
Subject: For shame!

Dear Sirs,
Please do not malign the good folks at Libranet. They make it VERY CLEAR
that this is a DEBIAN distro, only compartamentalized to make it more
accessible to those of us who aren't 24 hour users. Please make it clear
that Libranet is simply making the fine Debian distro more user-friendly and
accessible, they aren't yet a true distro in their own right. And so any
user updates are through APT, ust like Debian... because it IS Debian. To
portray the fine folks at Libranet as being unconsciencious is simply a
complete falacy on your part. Their support is both the best, and the
quickest, of any Linux outfit. Period. The folks at Libranet are, quite
simply, everything Linux should be! They love linux, give it to anyone who
asks and makes it known to any who BOTHER TO ASK. And to be quite honest,
they are the only one of the four 'major' Canadian distros (Corel, Stormix,
MaxOS, and Libranet) that treats the user as a thinking human being, and
gives them the option of either mindlessly installing linux or masterfully
guiding it onto your computer to the Nth degree. Who else lets you do this?
Like this? To this degree? NO ONE! So please, valued Sirs, try Libranet
before you malign it so easily. In my opinion, it is linux as Linus meant it
to be! If there is a fault, which I question, it is with the folks at
Debian.org themselves. And even then, a simple run of APT will plug the gap.
In short, if any Libranet user is concerened about any of their update
needs, they need only run Apt to get the 'latest and greatest'. Do not
malign the folks at Libranet. They do more, better, for free, than anyone
else in linux.

Thank you,

Patrick Ennis


Date: Wed, 11 Oct 2000 14:26:55 -0500
From: Dub Dublin <dub@infowave.com>
To: letters@lwn.net
Subject: Electronic, not digital signatures - there's a difference

Your report last week of digital signatures becoming law is inaccurate.
As I understand it (not a lawyer and all that), what became law on
October 1st was electronic signatures, not digital signatures.  There's
a very important difference:  electronic signatures are used to make
electronic contracts enforceable, like click-through license agreements
and online puchasing or services agreements.  Unlike digital signatures
(which rely on some sort of cryptographic method of providing
authentication, non-repudiation, and content integrity), electronic
signatures are simply an entry in a database somewhere - but with this
law, that database now has the full force of a paper signature,
regardless of its own accuracy or security.  (This may well turn out to
have far larger implications for online rights than DMCA or UCITA ever

This is a crucial difference, and the reason that electronic signatures
were opposed by some consumer advocates and the handful of congressmen
who bothered to read and understand the bill.  It boggles the mind that
this legislation passed 426-4.  (Three Republicans and only a single
Democrat voted against it, about the typical ratio for privacy issues,
but a very poor turnout.)  To be fair, the bill does provide for
informing customers of paper alternatives (if any), and contains some
other notification provisions as well, but these are obviously far, far,
short of the protection that would be provided by a true digital
signature, even one based on questionable cryptographic methods.

In short, there's a big difference between electronic and digital
signatures, and we need to use the correct terminology in both
discussing the issue and in framing a response.

Dub Dublin

To: letters@lwn.net
Subject: ECN
From: Graham Murray <graham@webwayone.co.uk>
Date: 05 Oct 2000 07:00:30 +0000

ECN, while still new and experimental, has the potential to be a very
useful protocol which by greatly reducing the number of resent packets
could improve bandwidth utilisation which would be to everyone's
advantage. However to do this it needs to be widely accepted and
implemented. This will not happen while high profile sites reject
connection which indicate that they are willing to use ECN. 

So, I think it is a pity that we are being forced to disable it in
order to communicate with certain sites. While I accept that this is,
at least in the short-term, necessary, I think that we should also be
informing the "offending" sites of the error of their ways. 
Date: 10 Oct 2000 23:46:55 -0000
From: Eric Smith <eric@brouhaha.com>
To: letters@lwn.net
Subject: Synopsys on Linux


On October 10 you reported on Synopsys making more of their ASIC tools
available on Linux.  You referenced an EE Times article in which Gary
Smith, chief EDA analyst at Dataquest said "64-bit Linux isn't yet
available".  Gary needs a wakeup call.  64-bit Linux has been available
for *years* on Alpha platforms, and is also available on Sparc and MIPS
platforms.  In fact, it's even available for Intel's upcoming IA-64
chips (e.g., Merced), despite the fact that the chips aren't even

However, I hope that Mr. Smith is correct in his statement that "Linux
is knocking NT out of the design world".  I've seen numerous cases of
companies trying to do EDA (or any kind of engineering) on Windows NT
boxes, largely based on false Total Cost of Ownership claims by
Microsoft, and discovering the hard way that Windows NT is *abysmal* as
an engineering platform.

In the same article, Mike Glenn of Avanti Corp. says of Linux that "it
won't replace the Unix environment".  Mr. Glenn needs to wake up and
smell the coffee.  More and more companies are discovering that Linux
works just as well as (or, in many cases, better than) proprietary Unix
solutions, and yet has much lower costs (both purchase and support).

Despite some silly statements by analysts and vendors, it is now clear
that Linux-based EDA is an idea whose time has come.

Raul Camposano was quoted as expecting to find "Windows NT strong only
in FPGA design".  One of the leading FPGA chip vendors has stated that
they have no plans to support Linux.  Interestingly enough several of
their competitors are working on FPGA support.  As an engineer, given
the choice between otherwise coparable chips, I'll pick the ones which I
can develop for without using Windows NT.  The choise is a no-brainer.

Eric Smith
From: Mark_Wiley@marcam.com
To: letters@lwn.net
Date: Fri, 6 Oct 2000 12:09:11 -0400
Subject: TUX and beyond

With the recent release of the TUX 1.0 Kernel HTTP Server, I was thinking
about the future of such an offering. TUX is a Linux kernel space HTTP
server. Its primary function is to serve up static pages and images and
pass along more complex requests to user space programs, such as Apache.
Its current design is to minimize the impact of current web server
implementations. Apache doesn't know there is anything going on, just
some configuration changes.

As I look at the growing importance of Web services and review the
equally important growth of the underlying TCP/IP protocol a few decades
ago, I must wonder about the directions that TUX or implementations like
it will take.

Consider. TCP/IP is only a communications protocol and protocol stack.
All that really needs to be in the kernel is the network card driver.
But we recognize the importance of TCP/IP, the complexity and wide use
of its services. To make dealing with it easier, we made several adaptations.

   1. The stack is in the kernel for speed and security.
   2. The TCP/IP stack is capable of dealing with multiple IP addresses on
each of multiple network adaptors.
   3. Security is handled through an administrator interface allowing
detailed settings for each adaptor/address.
   4. We give it a friendly usable API that allows any process to register
itself as being a service in the TCP/IP space (Sockets/Accept). User space
programs don't have to deal with raw network packets.

The result is that the stack does not need to be individually configured
for any new services. The services register themselves. The general
configuration and security of the stack can be controled by an administrator.

Lets take a similar approach to web services. Lets make a web service stack:

   1. The web stack should be capable of providing multiple service
hierarchies with different protocols (http, https, other...) configured
individually to IP-Range / TCP Port. Java has a model for plugable protocol
handlers that might be useful. When new protocols are needed, plug in a
protocol handler that understands it.
   2. Each service hierarchy has its own security interface for what
request source IP address it accepts, what authentication it expects,
where its WebRoot is, what programs/users may register as active content

   3. An API is provided for userspace programs to register themselves as
active content providers. These API would allow a program to enumerate what
service hierarchies are currently active. It would allow a program to select
one service hierarchy and register itself to it. The program would then specify
where in the hierarchy its address space would begin. Finally the API would
provide a blocking wait for service requests similar to the socket accept.
There are already models for server components out there with Request and
Response interfaces for service control (Java Servlet, ASP, ...). Make
something similar available from the kernel server through the API.

This whole interface requires the replacement of many current web apps
with versions that use the new API, but in the end it would make web
applications as portable and plugable as TCP/IP applications are now.
It would also make writing web applications easier and more modular.

TUX is already a good starting point. It can be expanded to include more
features. But more importantly, it is in a good position to become the
implementation standard for such a model. Do it right in an Open Source
fasion before some company gets into the act and tries to poke a lot of
propriatery requirements into the mix. Make the standard Open first.
Then let it catch on elsewhere.

Mark Wiley.

Date: Fri, 06 Oct 2000 07:53:39 +0800
From: Leon Brooks <leon@brooks.smileys.net>
To: letters@lwn.net
Subject: You don't see much Linux

Steve Ballmer is quoted as saying:
> You don't see much Linux in (business) customers. You see some Linux
> in Web sites and application service providers, but it's less than
> the press hype." 

There are two points worthy of note here, either or both of which explain how
Steve can say this without too much crossing of the fingers behind the back.

Firstly, and this really has been done to death: where Linux is working and
where Linux is seen are two quite different concepts.

Many managers and CEOs are quite shocked to discover either that the backbone of
their IT shop has been Linux for the last three years or that the reason their
[insert favourite service here] has either sped up or stopped crashing, or given
up being taken out regularly by crackers (or all of the above) in recent days is
that it's no longer based on Windows. Bill Gates himself would not have been
pleased to discover that every computer in the campus' new Bill Gates building
was running Linux while he was touring it during the opening ceremony.

It is especially pleasing to see FreeBSD, OpenBSD et al springing up more and
more often in the ground plowed by ``media darling'' Linux. Repeat the mantra:
``choice is good.''

Secondly, I'm not sure how often Microsoft's boss would *expect* people to show
him Linux systems: he lives in a Microsoft-saturated environment, and would have
to go about anonymous and disguised to have a hope of seeing any reality.

The reality is that something like half of all web servers are Linux-based, and
something like a quarter of them are Microsoft-based.

Compounding the issue, he lives right at the heart of Microsoft country.
Internet head-counts show Microsoft more often in the USA and in corporate
culture than anywhere else. The further up the corporate ladder you look, the
more Microsoft you find. Microsoft has spent a lot of time and money making it
so. This is where Steve lives and gads about. Note the parable of the blind men
and the elephant (http://www.anointedlinks.com/elephant.html) for it applies

In Germany, Microsoft servers are nearly a third less common than average.
Non-US domains also seem to have a less pronounced ``us and them''
Apache-against-IIS focus. Educational domains also seem more willing than
average to use something other than Apache, IIS or Netscape.

What ``we'' (Open Source oriented people) need to be aware of is that this
blindness is just as true for us as for Steve and Bill.

We use Linux (replace with your chosen OS-OS as appropriate) daily to solve
problems, automate drudgery and banish the three apocalyptic horsemen
(Bluescreen, Virus and Cracker) from our world. Often, all we see is Linux - so
all we know is Linux.

We lose touch with people who use Microsoft products daily, to whom three
crashes a day and living in fear of viruses is normal, to whom Word
spontaneously electing to no longer display a task-bar is a major issue, and for
whom the sight of an AfterSTEP or Enlightenment desktop is very disturbing.

#include <signal.h>
#include <time.h>
main(){srandom(time(0));for(;;){int pid=random()%30000;if(pid>1
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds