[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests



Leading items and editorials


Leagues and Foundations. As had been rumored, the KDE League announced its existence at Comdex on November 15. Now both KDE and GNOME have their supporting organizations, though KDE is claiming that its League has a substantially different function.

The KDE League is being positioned very much as a public relations group. From the KDE League FAQ:

KDE has come a long way on the strength of it's [sic] open development and talented developers. But volunteers can do only so much when it comes to promoting a product to a larger market. For cases like this, professional public relations and marketeers are needed.

The League is clearly intended to provide said "public relations and marketeers."

KDE tries to differentiate its League, however, by saying that the League will have no influence over KDE development. From the FAQ again:

The direction of KDE will always be decided by the developers that actually work on the code. No amount of influence or money in the KDE League will have any effect on this.

That intent is clearly sincere, and no doubt the KDE developers are determined to make things turn out that way. But in a world where many of those developers are employed by League members, what is going to happen when the League starts to claim that its PR and marketing goals would be helped if certain development directions were taken? One can see a distinct potential for conflict.

The following table shows the initial membership of both the KDE League and the GNOME Foundation (actually, of the Foundation's Advisory Committee):

Company                      GNOME Foundation   KDE League
Caldera Systems                                 *
Corel                                           *
Fujitsu-Siemens                                 *
KDE.com                                         *
Klaralvdalens Datakonsult                       *
theKompany.com                                  *
SuSE                                            *
Trolltech                                       *
Borland                      *                  *
Compaq                       *                  *
Hewlett-Packard              *                  *
IBM                          *                  *
MandrakeSoft                 *                  *
Turbolinux                   *                  *
Eazel                        *
Free Software Foundation     *
Gnumatic                     *
Helix Code                   *
Henzai                       *
Object Management Group      *
Red Hat                      *
Sun Microsystems             *
VA Linux Systems             *

For the most part, the League's membership is what one would expect - the various companies that have already committed themselves to KDE in one way or another.

It's worth noting that there is some significant overlap in the membership of the two organizations (which grew with this week's announcements from MandrakeSoft and Borland that they were joining the GNOME Foundation). This brings up an interesting question. The stated purpose of both groups is PR and advocacy of their respective desktops. Not stated, but clearly implicit, is that each is promoting its system in competition with the other. The KDE League is not (at this point) promoting KDE over Windows, and it is not (they say) influencing development. Its target, for now at least, is GNOME.

What, then, is the position of the companies that have joined both groups? Do they really intend to advocate for both projects simultaneously? There is a bit of a conflict there that will need to be worked out. An interesting result of this overlap (which is likely to grow over time) could be closer cooperation between KDE and GNOME, facilitated by the two advocacy groups which will look increasingly alike. It will be interesting to watch.

On the GNOME Foundation front, meanwhile, the preliminary results for the board of directors have been released. Those elected were Miguel de Icaza, Havoc Pennington, Owen Taylor, Jim Gettys, Federico Mena Quintero, Bart Decrem, Daniel Veillard, Dan Mueth, Maciej Stachowiak, John Heard, and Raph Levien. Anybody calling for a manual recount will be ruthlessly suppressed.

One wonders, meanwhile, just how far the League/Foundation trend will go. Will there come a time when all free software projects feel the need for an associated branch for PR, funding, and development? We already have the Apache Foundation, Python Consortium, and others. Watch this space in the future for news on the XFree86 Front, Emacs Alliance, Vi Squad, PostGreSQL Partisans, Gimp Group, Cron Cabal, Xbill Exercise, etc...

Book Review: Secrets & Lies. LWN's irregular series of book reviews continues with this review of Bruce Schneier's Secrets & Lies. The summary: this book, in which Bruce Schneier paints a dark picture of the future of digital security, should be required reading for anybody with an interest in security issues. Mr. Schneier convincingly demonstrates that technical, preventive measures will never be able, on their own, to adequately secure digital systems. A much more comprehensive approach, which includes strong detection and response, is required. With relatively low technical content, lots of case studies and occasional humor, the book is a quick and interesting read.

Digital Creations announced a $12 million funding round on November 13. This is an interesting announcement, in that it possibly hints at how successful free software companies will look and operate in the near future.

Digital Creations (DC) first came into prominence in the Linux community almost exactly two years ago, when it announced that its well-respected Principia product would be released as open source. What struck a lot of people at the time was that DC made this move on advice from its venture capital funding source. Principia, of course, became Zope, arguably the first big Python "killer app." DC has since become the home of the Python development team as well (see the November 2 LWN weekly edition).

The details of the investment are as laid out in this press release. $12 million came in from a group of investors including Whitney & Co., the Intel 64 Fund, and Opticality Ventures. Opticality is the current investment vehicle for Hadar Pedhazur, the original investor in DC.

This, of course, is not the easiest of times in which to get funding for a free software company. Almost anybody who has invested in such a company recently has probably not been entirely happy with the results. So how did a little company like DC manage to scare up this sort of funding?

Numerous companies that are trying to get people to buy their stock emphasize their "path to profitability." DC, instead, is profitable now. Contrary to what a lot of people have been saying, it is possible to make money with free software, and DC is a good example. Through a combination of branding and a clever choice of market, DC has found a formula that works.

Anybody who has seen Bob Young talk has heard a lot about branding. DC's story is similar. Much effort has gone into the creation and promotion of the "Zope" brand. As interest in Zope increases, customers naturally would like to work with the company that created Zope in the first place. So DC will always be on the short list of companies that are contemplating Zope deployments.

And an increasing number of companies are doing just that. The Zope Case Studies Page highlights a number of sites using Zope; they include some Navy sites and HireTechs.com. Bruce Perens' Technocrat site is also based on Zope, as is the VistaSource site.

Owning the Zope brand gets customers for DC, but that, in itself, does not necessarily lead to profitability. The services business can be harder than it seems, once all of the non-billable overhead gets folded in. The key is to pick a market where the perceived value is high enough. DC CEO Paul Everitt tells us:

The biggest reason is that we have chosen a market where people stroke big checks based on perceived value, not consumed manhours. This lets us be a service company without being a body shop. Our engagements are structured to let us profit from being fast and brilliant, rather than being punished. This also rewards us for reuse

By using the Zope platform, DC can bring in nice revenue while still undercutting the proprietary alternatives and providing all of the advantages that an open source platform has to offer.

With this new investment, DC plans to get larger - significantly so. A new office building is already in the works. The core of the company's plans, however, is to expand its offerings into the full "content management" business. From Paul Everitt again:

We'll provide consulting, integration, and in some cases site operations for customers who want fresh approaches to content and want it soon. Our basic approach is to take a rich idea of content (HTML, graphics, word files, discussion posts, custom types), apply rich services (membership, security, cataloging, workflow, clustering, syndication, etc.), and deliver to rich platforms (web browsers, PDAs, perl scripts, etc.)

The new investments, of course, will be used to staff up for this new business. As DC moves up toward these bigger jobs, it will certainly face a number of challenges - nobody ever said this was easy. But the company has a lot of the right tools to make it work.

One of those, of course, is the Python group. Picking up Guido and the others makes more sense than ever in the light of this investment. Remember that part of DC's strategy is to be seen as the champion of an interesting open source tool; having the PythonLabs crowd around can only help to build that perception. Combine that leadership position with a well-chosen market and revenue model, and with good business management, and you may well have an open source company that makes money.

(See also: Paul Everitt's announcement on the Zope list ("Though this is still a David vs. Goliath, David now has a slingshot, and a bit of steel in his eye") and our discussion with Paul on the investment and where DC is going).

Thursday, November 23, is Thanksgiving in the U.S. LWN has typically taken the opportunity to skip a weekly edition on Thanksgiving Thursday. Last year that led to some bizarre mail from people who thought that, because it wasn't a holiday in their country, we shouldn't take one either. We were, um, amused. It is true, however, that the Linux world doesn't stop just because the U.S. does. So this year we'll do things a little differently, and publish next week's Weekly Edition on Wednesday instead.

Inside this week's Linux Weekly News:

  • Security: Jay Beale joins MandrakeSoft, kha0s Linux officially retired from the list.
  • Kernel: Randy Dunlap steps down; Security troubles with dynamic module loading.
  • Distributions: Linux Distributors in India, deepLinux is no more.
  • Development: Art vs. Craft, Netscape 6.
  • Commerce: Open source taxed in Poland, Ball and Penguin Computing sign a deal.
  • Back page: Linux links, this week in Linux history, and letters to the editor
...plus the usual array of reports, updates, and announcements.

November 16, 2000

   


Security


News and Editorials

MandrakeSoft hires Jay Beale as security group director. MandrakeSoft has announced the hiring of Jay Beale, the lead developer of the Bastille Linux Project, as the director of its security group.

Jay's fit with MandrakeSoft is fairly clear; all of the work he has done with Bastille for securing Red Hat Linux should carry over to Linux-Mandrake without much of a problem. Meanwhile, it is good to see security becoming more and more of an area where the different Linux distributions wish to distinguish themselves. The first such arena was in the installation program; the war for the easiest distribution to install continues, egged on by distribution reviews that primarily target the installation.

Meanwhile, though, each Linux distribution vendor must look for other arenas where they can distinguish their product, within the bounds of their Free Software licenses. Security is one such area; better security does not break standards, it enhances them. In addition, improvements in security are fairly measurable. If a distribution is not keeping up, the evidence is easy to find. Just check the list of vulnerabilities on this page, for example, or in the BugTraq database, and look for the names that are missing from the list of responses to a problem. More importantly, of course, it is also possible to see which distributions respond quickly and frequently.

We are also starting to see the next step unfold. A few of the vulnerabilities reported recently have cropped up during internal audits at Red Hat, Caldera, SuSE, and others. This is an extremely promising sign. Following in the footsteps of OpenBSD, aggressive code auditing is a critical piece in the puzzle of producing an acceptably secure operating system.

Security red alert (eWEEK). Lisa Kosan at eWEEK took a look at business responses to security alerts this week. "The ability to react appropriately to the blizzard of security alerts received every day by most organizations is becoming an increasingly important art for IT and security managers. That's because, as software becomes more complex and more people - bad guys and good - go online, the number of security alerts is going through the roof".

Kha0s Linux retired from the list. Several of our readers pointed out in September that Kha0s Linux had officially closed down. We are generally fairly conservative about removing distributions from our list, but the site remains shut down two months later, so we've officially retired Kha0s Linux from our distributions and secure distributions lists.

From the website:

We thank you for your interest in kha0s Linux. Unfortunately, we have decided to stop development due to lack of interest from the community at large and our core developers. Thank you for your time.

Security Reports

Local root exploit problem in modutils. Sebastian Krahmer and Michal Zalewski discovered and verified a bug in modutils which can be used locally to gain root privileges. Modutils maintainer Keith Owens has acknowledged the problem and provided a patch which was then rolled into modutils 2.3.19. Note, however, that further discussion proved that this patch did not fix all the problems. Check coverage of this issue on this week's kernel page and expect to see the release of 2.3.20 soon.

Modutils 2.1.121 and earlier are not vulnerable. Wichert Akkerman also posted a note stating that modutils 2.3.11 was not impacted either. Presuming this is correct, Debian 2.2 and later are not vulnerable.

Hostile server vulnerability in OpenSSH. It turns out that there is a security bug in OpenSSH prior to 2.3.0 wherein a hostile server can gain access to the client-side X server, even if X forwarding has been disabled. Upgrading to 2.3.0 is recommended.

fetchmail AUTHENTICATE GSSAPI bug. An error in fetchmail's implementation of the AUTHENTICATE GSSAPI command was exposed when Red Hat released their new IMAP server (see below) this week. Updated fetchmail packages have been released.

tcsh symlink vulnerability. A /tmp symbolic link vulnerability was reported in tcsh on October 29th. Check BugTraq ID 1926 for more details.

gaim buffer overflow. A buffer overflow in gaim, a GTK-based AOL instant messenger application, can be remotely exploited to execute commands on the server, according to this BugTraq posting from Stan Bubrouski. A patch to fix the problem has been made available and has been applied to the gaim CVS tree as of November 10th, 2000.

Star Office 5.2 temporary directory usage. StarOffice 5.2 uses a directory under /tmp which it creates with permissions "777" and maintains as permissions "777", presumably in order to allow the same directory to be used by multiple users in a networked situation. This creates the opportunity for easy mischief, pointed out Christian on BugTraq this week. Star Office 5.2 SP1 is reported to include a fix and a patch for Star Office 5.2 is also promised.

Meanwhile, if you are using StarOffice in a non-standalone environment, you'll want to set the environment variable "TMP" to a directory you own, to avoid unpleasant side-effects.

potential telnetd denial-of-service vulnerability. In case you needed another reason to disable the telnetd service, beyond the inadvisability of using plaintext passwords across the Internet, FreeBSD issued an advisory describing how telnetd could be used to gobble up CPU and disk cycles by a remote attacker with no authenticated access to the server. A patch to fix the problem is included.

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

SuSE Miscellaneous updates. Due to the recent volume of security alerts, SuSE combined the latest information in this miscellaneous advisory. Note that we have linked this advisory into the relevant tables, where appropriate.

This advisory also marks the addition of Sebastian Krahmer to the SuSE Security team.

Topics:
  1. SuSE security staff
  2. packages:
    gpg (update information)
    bind8 (status: update avail, announcement pending)
    pine (status: testing new version 4.30)
    dump (status: not vulnerable)
    phf (status: not vulnerable)
    gs (status: pending)
    global (status: building)
    crontab (status: not vulnerable)
    vlock (status: not vulnerable)
    tcpdump (status: update avail, testing)
    tcsh (status: update+announcement pending)
    modules (status: more updates for older distributions)

BIND 8.2.2-P5 denial-of-service. A denial-of-service vulnerability was reported in BIND 8.2.2-P5. Check the November 9th LWN Security Summary for the initial report. BIND 8.2.2-P7 was released this week with a fix for the problem.

format vulnerability in BSD top. In last week's LWN Security Summary, we included a link to a FreeBSD advisory about a format string vulnerability in the "top" utility. We stated that other BSD and Linux systems might be impacted. Joseph Zbiciak and Harry Henry Gebel kindly pointed out that top under Linux generally uses /proc to get the information it needs, circumventing the need for gid privileges. As a result, few, if any, Linux systems should be impacted.

vlock vulnerability. Last week, we reported on a possible vulnerability in vlock. We still have not received a confirmation of this problem, just reports of systems tested and confirmed not vulnerable.

This week's updates:

  • SuSE, not vulnerable
Previous updates:
  • Red Hat 6.x, unofficially reported not vulnerable

nss_ldap race condition. Check the November 2nd LWN Security Summary for the original report and last week's LWN Security Summary for a correction to our original report.

dump-0.4b15 local root access. Check the November 2nd LWN Security Summary for the original report. This exploit only affects dump/restore if they are installed setuid root. As of dump-0.4b18, dump and restore no longer require setuid root. dump 0.4b20 was released this week with a fix for the problem.

This week's updates:

  • SuSE, not vulnerable

Multiple buffer overflows in tcpdump. Multiple buffer overflows in tcpdump were reported in our November 2nd edition.

GnuPG false signature verification. GnuPG fails to correctly validate multiple signatures in a file. Check the October 19th Security Summary for details. GnuPG 1.0.4 has been released and contains the fix for this problem. Anyone using GnuPG will want to upgrade their package as soon as possible.

usermode inherited environment variable vulnerability. Check the October 12th LWN Security Summary for details.

This week's updates:

  • Red Hat, updated advisory with fixes for an incorrect specification in the /usr/bin/shutdown wrapper and an additional security vulnerability in the userhelper binary.

ncurses buffer overflow. Check the October 12th LWN Security Summary for the initial report of this problem. Updates for this vulnerability continue to trickle in more slowly than usual.

Pine buffer overflow vulnerability. An exploitable buffer overflow in Pine was reported to BugTraq in early October. The problem involves Pine's handling of incoming mail during an open session. Check the October 5th LWN Security Summary for the initial report. Pine 4.30 contains a fix for the problem. Note that the updates released this week contain new versions of both pine and IMAP, the latter of which was apparently also vulnerable to the same problem.

This week's updates:

  • Slackware, official advisory
  • Red Hat, includes the introduction of SSL support.

Resources

Red Hat Kerberos packages. Red Hat started including Kerberos 5 with its distribution as of Red Hat 6.2. They've now also released Kerberos packages for Red Hat 6.0 and 6.1.

Events

Computer Security 2000. More details on next week's Computer Security 2000 conference, and their plans for International Computer Security Day (November 30th) were posted this week. Speakers will include Simson Garfinkel, Alan Paller, Gene Schultz, Linda McCarthy and Theo de Raadt.

Upcoming security events.
Date                          Event                                                                        Location
November 19-21, 2000          Privacy by Design                                                            Le Chateau Montebello, Quebec, Canada
November 26-December 1, 2000  Computer Security 2000 and International Computer Security Day (DISC 2000)   Mexico City, Mexico
December 3-7, 2000            Asiacrypt 2000                                                               Kyoto, Japan
December 3-8, 2000            LISA 2000                                                                    New Orleans, LA, USA
December 10-13, 2000          INDOCRYPT 2000                                                               Calcutta, India
December 11-15, 2000          16th Annual Computer Security Applications Conference                        New Orleans, LA, USA
December 20-21, 2000          The Third International Workshop on Information Security                     University of Wollongong, NSW, Australia
December 27-29, 2000          Chaos Communication Congress                                                 Berlin, Germany

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh



Kernel development


The current development kernel release is still 2.4.0-test10. Work continues on 2.4.0-test11, with the current prepatch being 2.4.0-test11-pre5. Test11 consists mostly of driver fixes (including, finally, the big IrDA update); there is also a fix for an obscure wait queue bug that could cause wakeups to be missed in certain situations.

Note that -test5 includes a change to /proc/cpuinfo which breaks VMWare and perhaps some other programs as well.

Ted Ts'o posted an updated 2.4 TODO list on November 12.

The current stable kernel release is still 2.2.17. The current 2.2.18 prepatch is 2.2.18pre21; it's getting closer to release but a couple of outstanding issues are still in need of resolution.

Randy Dunlap steps down as USB maintainer. Randy Dunlap announced that his job (at Intel) is taking him away from USB work, with the result that he needs to transfer the USB maintainer role to somebody else. Randy is the first person to have served in that role - previously USB changes had gone straight to Linus, which wasn't scaling well. Under Randy's leadership the USB project has grown and thrived, to the point that Linux now has a highly functional USB subsystem. Congratulations are due to him (and to the USB team as a whole) for a great job.

Randy's replacement will be Johannes Erdfelt, currently employed at VA Linux Systems.

Trouble with modutils. Thanks to the work of Sebastian Krahmer and Michal Zalewski, a severe security bug has been found in the way the modutils package and the kernel interact. With help from a program like ping, it is possible for a hostile user to obtain root privileges on the system - not good.

The problem is interesting to look at, since it shows how hard it can be to get things right.

The kernel can be configured to dynamically load modules when needed, and almost all distributions ship kernels with that capability. To implement dynamic loading, the kernel provides a simple function:

    int request_module(const char *module);

A kernel function which wants to load the driver for the eth0 Ethernet interface will thus call:

    request_module("eth0");

to cause that load to happen. request_module, in turn, eventually ends up creating a separate kernel thread which runs the command:

    /sbin/modprobe -s -k eth0

(Where eth0 is whatever was actually passed to request_module). The modprobe utility is supposed to make sure that the module gets loaded into the system.

The core of the problem is that whatever is passed to request_module ends up directly on the modprobe command line, with no sanity checking. An additional problem that made things worse is that modprobe implements filename expansion on the module argument by passing it to echo - meaning that the string passed to request_module ends up being passed to a shell. Thus, if some crafty user can figure out a way to get the kernel to call request_module with a specific string, there will be no end of opportunities for mischief.

The ping command has an option -I, which tells it to use a specific network interface. ping will try to configure that interface; if it doesn't exist, the kernel will try to set it up with, yes, request_module. Thus the exploit for this problem is:

    ping -I ';chmod o+w .'

This exploit takes advantage of modprobe's filename expansion; the actual chmod command will be executed by the shell as root, and will change the permissions on the root directory. A bit of cleverness from there will allow an attacker to open up the system completely.

One could argue about whether modprobe should be performing the filename expansion. But the real problem is that the kernel, by running modprobe in a privileged mode with unchecked data, is essentially giving privilege to arbitrary user input.

Keith Owens released modutils-2.3.19, which fixes the exploit above and which is the basis of SuSE's security update (see this week's Security page). It works by turning off the filename expansion, but, as it turns out, it's not a complete solution. Consider this variant:

    ping -I '-C/my/config/file'

Here there is no reliance on filename expansion; instead, modprobe simply gets a new (hostile) configuration file and anything can happen. So modutils 2.3.20 is on its way, and will likely be available by the time you read this; it works by treating all kernel-supplied data as entirely untrustworthy - all it can be is an exact name of a module found in the standard search path.

Even that doesn't fix the problem that the hostile user can cause the system to load any module that exists in the search path. This could be a problem if a security bug turns up in a standard module, or if the attacker is somehow able to insert a hostile module in modprobe's path. There is no easy way around this one, other than to disable dynamic module loading.

It seems strange that modprobe should have to treat information that comes directly from the kernel as potentially hostile. The sad truth is that validating user input is hard - especially when that input is a character string which is to be passed to an external program. The kernel could perform some basic sanity checks on that string, but the kernel does not really know how to interpret the string - that is what modprobe is for. A complete solution to the problem is likely to be hard to come by.
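
As an added illustration (not code from modutils or the kernel), the C code below shows the syntactic half of the approach described above for modutils 2.3.20: a kernel-supplied string is accepted only if it is a bare module name, and the command is built as an argument vector so that no shell ever interprets it. The function names and the 64-character limit are assumptions made for this example; checking that the module really exists in the standard search path is not covered.

```c
#include <stdio.h>
#include <string.h>

#define MODNAME_MAX 64  /* assumed upper bound, chosen for this example */

/*
 * Return 1 if name is a bare module name or alias, 0 otherwise.
 * Only letters, digits, '_' and '-' are allowed, which rules out shell
 * metacharacters, whitespace and path separators in one pass.
 */
int is_plain_module_name(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MODNAME_MAX)
        return 0;
    /* A leading '-' would be parsed by modprobe as an option. */
    if (name[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/*
 * Fill argv with the modprobe command line quoted in the article.
 * Returns 0 on success, -1 if the name is rejected. The vector is meant
 * for execv(), so the name is never handed to a shell.
 */
int build_modprobe_argv(const char *name, const char *argv[5])
{
    if (!is_plain_module_name(name))
        return -1;
    argv[0] = "/sbin/modprobe";
    argv[1] = "-s";
    argv[2] = "-k";
    argv[3] = name;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: two ordinary requests and the two strings
     * from the article that must be refused. */
    const char *samples[] = {
        "eth0",
        "char-major-10-135",
        ";chmod o+w .",
        "-C/my/config/file",
    };
    const char *argv[5];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = build_modprobe_argv(samples[i], argv);
        printf("%-22s %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

A whitelist of this kind addresses both variants shown above, but, as the article notes, it does nothing about a user being able to trigger the loading of any legitimate module in the search path.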

Code from IBM. The source for OpenAFS is now available. OpenAFS is the version of the Andrew File System which IBM is releasing under its "IPL" license. (Thanks to David Magda).

IBM has also released the first "reference implementation" of its Enterprise Volume Management System. EVMS is a logical volume manager, like LVM (which is already in the kernel). Unlike OpenAFS, EVMS is released under the GPL.

Other patches and updates released this week include:

  • Harald Welte has put together a netfilter FAQ based on questions he has seen on the netfilter mailing lists.

  • Greg KH posted a USB driver for the Empeg car MP3 player; the driver, evidently, was written by Gary Brubaker.

Section Editor: Jonathan Corbet



Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Linux Distributors vie for the India Linux market. Our unofficial correspondent in India, Atul Chitnis, sent us some interesting links this week. It appears that Red Hat and SuSE are simultaneously expanding into India. Red Hat has announced a joint venture with Clover Technologies Pvt Limited to open a Red Hat branch, Red Hat India Pvt Limited.

Meanwhile, SuSE is setting up base in India as well. Acknowledging that Red Hat is currently the most popular version of Linux in India, they are busy educating people about SuSE. "SuSE's London-based commercial director Jasmin Ul-Haque said, 'Linux was launched in 1991. SuSE was created in 1992. We're older than Red Hat (another popular Linux distribution, which has a large market in India). And recent IDC figures say ours is the leading Linux distribution in Europe'".

deepLINUX is no more. Well, to be accurate, the deepLINUX distribution from Rick Collette is officially no more. Rick was the original developer of Spiro Linux. He left that project back in March, then started up deepLINUX, with a planned focus on embedded products.

Without knowing the legal issues, and therefore without commenting on them, we can report that Rick has abandoned his previous deepLinux distribution plans after protests from the folks at Spiro Linux. The deepLinux site lives on, now as a news site, slashdot-style.

General-Purpose Distributions

Debian News. The first point release to Debian 2.2 ("potato") has been announced. It contains a number of fixes, both security-related and otherwise. Apparently, however, a number of other fixes are outstanding, and there will be a 2.2r2 release within a couple of weeks.

This week's Debian Weekly News covers issues in the Debian 2.2r1 release in a bit more detail. In a break from the past, 2.2r1 contains not only bug fixes and security fixes, but some other new and updated packages as well. "Release manager Anthony Towns explains: 'I'm treating updates to stable under two principles: they should make users notably better off; and they shouldn't ever make it harder for users to do anything they were doing before'". This has caused some controversy, and some errors in Debian 2.2r1 that wouldn't have been there otherwise, but there has been no statement that the same policy won't be used for the next point release.

The Debian Project has announced that over 100 new maintainers have been admitted to the project since the process was reopened. "This represents a major milestone in the new procedure, indicating that the machinery is in full operation and doorway into Debian is fully open once again."

Linux-Mandrake News. The Duke of URL has written an extended review of Linux Mandrake 7.2. "Also added right from the installation is mouse wheel support. No longer do you need to go in and edit your XF86Config file by hand. Mandrake's installer detects most wheel mice and can get them working right off the bat for you. My only gripe here is that it doesn't allow you to configure your mouse for more than the typical 5 buttons (2 of which are allocated to the wheel) from the installation. Hopefully they'll consider adding this on the next release."

Macmillan has announced the release of its version of Linux-Mandrake 7.2. There are three variants available: "Complete," "PowerPack Deluxe", and "Professional Suite."

LinuxPPC News. LinuxPPC has announced the availability of a beta version of its forthcoming release; it includes an installer that can be used to upgrade to this beta from any RPM-based PowerPC distribution - including SuSE.

Progeny Linux News. DebianPlanet has posted responses from Ian Murdock to comparisons between Debian and Progeny (as well as other "commercial" versions of Debian). "We are aware that many members of the Debian community feel disappointed by earlier commercial Debian offerings. We do not intend to make the same mistakes that others have made. We intend to maintain strong, friendly relations with the larger Debian community, and to contribute to the community and make Debian a better system for all users. By design, being the founder of Debian does not give me any special position in the project -- Debian long ago grew beyond me. However, I do hope that my past actions are an indication of my sincerity".

SuSE News. SuSE Linux 7.0 PowerPC edition available. SuSE has announced the availability of the PowerPC version of its 7.0 release.

Linux.com took a detailed look at installing SuSE Linux 7.0. "Windows 98 can recognize large disk sizes, so these days most computers ship with a hard drive formatted as a single partition. This means that you'll need to: defragment your hard drive; resize the existing partition to fill only part of the drive, and add a second partition on the newly freed up space."

Last, but not least, Linux In Brazil took a look at SuSE Linux 7.0 as well. Here is their review in Portuguese and via babelfish. The package they tested provided some Portuguese support, though not sufficient to allow them to recommend SuSE Linux for any but experienced users.

Turbolinux News. Unicon 3.0 has been released by Turbolinux, demonstrating their understanding that the expansion of Linux in the international arena is dependent, in large part, on its ability to support native languages well. Unicon has provided Chinese language support for some time, but now also provides Linux console support for double-byte characters, expanding its area of expertise to many additional Asian languages. Unicon is licensed under the GPL.

Embedded Distributions

NeoLinux News. NeoLinux 2.0 has been announced. It contains two new features, ezConnect, for making connections to Windows servers, and ezSnap, a software distribution capability for updating software features on an appliance across a network, without requiring an entire operating system update.

LinuxDevices.com also took a look at NeoLinux, via a conversation with Neoware CEO Mike Kantrowitz. "According to Kantrowitz, a handful of Neoware "e-z" products is largely responsible for differentiating the company's NeoLinux operating system from the other Linux implementations that are available today, allowing Neolinux to uniquely satisfy the needs of a broad spectrum of 'appliance computing' applications."

REDICE-Linux News. REDSonic has announced the availability of the "RED-Probe" monitoring and profiling tool, which is part of its REDICE-Linux distribution.

Minor Distribution updates

The following updates have been released for other Linux distributions:

Section Editor: Liz Coolbaugh


November 16, 2000

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.


Leading
Caldera OpenLinux
Debian GNU/Linux
Linux-Mandrake
Red Hat
Slackware
SuSE
TurboLinux

Also well-known
ASPLinux
Best Linux
Conectiva Linux
e-smith

Progeny
Rock Linux

Non-technical desktop
easyLinux
Icepack Linux
Independence
LibraNet
Redmond Linux
WinSlack

Education
Boston University
kmLinux
LinuxFromScratch
OpenClassroom
Red Escolar

General Purpose
Alzza Linux
aXon Linux
Bad Penguin Linux
BearOps
Black Cat Linux
BluePoint Linux
BYO Linux
CAEN Linux
Cafe Linux
ChainSaw Linux
Circle MUDLinux
cLIeNUX
Complete Linux
Console Linux
Corel Linux
CRUX
Darkstar Linux
DLite
easyLinux
Elfstone Linux
ESware Linux
Eurielec Linux
eXecutive Linux
Fried Chicken
FTOSX
FullPliant
Gentoo
Go!Linux
HA Linux
Halloween Linux
HispaFuentes
IceLinux
Ivrix
ix86 Linux
J-LINUX
JBLinux
Jurix
KRUD
KSI-Linux
Lanthan Linux
Laonux
LASER5
Leetnux
Linpus Linux
Linux Cyrillic Edition
Linux MLD
LinuxOne OS
LinuxPPP
Linux Pro Plus
Linux-SIS
LNX System
LoopLinux
LSD
Lute Linux
MageNet
Mastodon
MaxOS
minilinux
MSC.Linux

NoMad Linux
Omoikane GNU/Linux
PingOO Linux
Plamo Linux
PLD
Project Ballantain
PROSA
Rabid Squirrel
Repairlix
Root Linux
Scrudgeware
Serial Terminal
Sorcerer
spyLinux
Stampede
Stataboware
TechLinux
TimeSys Linux/RT
Tom Linux
Trinux
Turkuaz
Ute-Linux
VA-enhanced Red Hat
Vine Linux
Virtual Linux
WholeLinux
WinLinux 2000
XTeamLinux
ZipSpeak

Country-specific
Argentina
GNU/Linux Ututo
Britain
Definite Linux
Eridani
China
COSIX
Red Flag
France
Linux/MNIS
Italy
LinuxEspresso
Madeinlinux
Vedova
Spain
Linux Esware
Thailand
Kaiwal Linux
Thai Linux Extension

Related Projects
Chinese Linux Extension

Historical (Non-active)
Dualix
Gentus
Giotto
MCC Interim Linux
OS2000
Storm Linux


   


See also: last week's Development page.

Development projects


News and Editorials

Art vs. Craft. osOpinion carried a story this week on software style and review, the difference between coding as an art and designing and engineering code. What prompted the article was the author's examination of code for various Linux based USENET clients, aka news readers.

What I found both amazed and dismayed me -- most of the code I looked at was a mess. Badly commented (if at all), patched, crufted, and generally bolted together. It looked like the developers had no design at all in mind before they began; they just threw code at the wall and kept what stuck.

Shock of shocks. While I won't defend the programming style of some open source developers, I can't say it produces significantly worse code than some I've seen in many other places. At Samsung there was no coding standard and developers in both the US and Korea - let your mind wander for a moment. At Dell coding standards were optional, and frequently ignored. At EMASS (now ADIC), well, spaghetti looked more uniform.

But while these projects were formatted badly, they all seemed to work fine (mostly). What coding standards bring isn't more stable code, just the ability to more easily maintain projects. Coding standards work well for larger organizations, especially spread across multiple development sites, because you never know who will end up maintaining the code at some given point in the future.

Sounds like open source, don't you think?

Open source projects often start with someone with an itch and a spare minute. Design isn't the goal - results are. Interestingly enough, that's often true of successful proprietary projects as well. The need for processes and standards comes with project maturity. Software is like humanity - we like change less and less with age. But any change we do accept needs definitive rules and order. Code needs to be clean to provide extension and maintenance. But seldom is it that way from day one.

So while open source offers many advantages over proprietary solutions, it isn't all that different in the larger picture. Style is important, in its own time. What open source forces us to do is examine our processes for proprietary projects and understand just why they develop the way they do. Youth motivates change while maturity forms stability.

Browsers

Netscape 6 Browser Launches. It's official: Netscape 6 is publicly available for download.

Things have changed a little in the installation process. Now you download only an installer application which will grab the software components from Netscape automatically for you and install them locally. Once that finishes, you launch into registration - yes, registration.

If you had a Netscape NetCenter account before you'll need your password to register; otherwise you can create a new one. After registering with NetCenter, you'll be up and running. Fairly painless, but that registration thing is annoying. And what's worse - it's not even required. You can use the "I forgot my password" link which takes you to a page with a Help button. Clicking on that pops open a browser window with a full menu bar that you can use to exit the registration process. When you do, a new browser opens and you're ready to start browsing. Alternatively, if you have no qualms about being 13 or younger, you can choose that option and Netscape will happily ignore your need to register. Oh, to be young again.

Once you get past that first registration you're into the new and improved Netscape. It's flashy and gimmicky, and at least to this reviewer bounces up and down like a billiard ball on a granite floor. And be prepared for lots of debug messages on the console. Someone forgot to turn those off in the production distribution.

While Netscape deserves kudos for continuing to provide and enhance its browser for the Linux platform, this was not its best work. It shows terrific promise, but there are some stability issues to shake out first. If Netscape is anything like Red Hat, version 6.2 should be terrific.

(See also: this review of Netscape 6 sent to us by Jay Ashworth).

Netscape's open source browser ready at last (Upside). Here is Upside's take on the Netscape 6 release. "Netscape 6 is based on the Netscape Gecko browser engine, an ongoing technology that has evolved to support a number of Web standards, operating systems and platforms. Netscape built its newest browser based on open standards, a process that spanned more than two years and enlisted the help of thousands of open source geeks."

Mozilla status 2000-11-08. Of course, Netscape isn't the only Mozilla-based browser. The November 8, 2000 Mozilla Status Report for the open source Mozilla project is out. Issues of interest include plans for post-Netscape 6 integration of PSM into the Mozilla build system, a report that describes memory consumption over time, and a huge number of bug squashes.

Databases

Paul DuBois of MySQL Joins NuSphere. New Riders "MySQL" author Paul DuBois, who has also contributed heavily to the official MySQL documentation, has joined NuSphere.

Open Source Databases: As The Tables Turn (PHPBuilder). Tim Perdue takes a real world look at the differences between MySQL and PostgreSQL in this article on PHPBuilder's site.

With that in mind, I decided to test out a full port of SourceForge.net to Postgres. The site was written with a database abstraction layer and it turned out to be a cinch to get it up and running on Postgres, including a full import of all production data from MySQL.

Not only did the site come up on the first attempt, but it ran fine! In fact, our very first benchmarks showed Postgres running 6x faster than MySQL on a very database-intensive page (the "My Personal Page" for logged-in users).

PostgreSQL v7.0.3 and rumors of a book. The PostgreSQL Global Development Group announced this week the release of PostgreSQL v7.0.3. There have been several fixes in this release from v7.0.2, but, being a minor release, there have been *no* changes that will require a dump/restore. For more info and a list of changes, check out the latest news.

It's also probably worth noting that Bruce Momjian's Addison-Wesley book on PostgreSQL is supposed to hit the shelves any day. Currently it's free on the net at http://www.postgresql.org/docs/awbook.html

Electronics

Icarus Verilog snapshot. The gEDA project announced this week a new Icarus Verilog snapshot: 20001112.

Games

Nevrax Introduces NeL: An Open Source Platform for Massively Multiplayer Games. Looks like World Forge may have competition. Nevrax is a European company that, according to its .com web site, is aimed at producing massively multiplayer games under an open source (GPL) license. The first product is scheduled for shipment in 2002. In conjunction with that work, Nevrax has opened a .org web site for NeL, the Nevrax Library that contains a framework, a 3D engine, an AI engine and a Network engine aimed at running massively multi-user entertainment in a 3D environment over the Internet. NeL is also GPL.

Embedded Systems

The joys and perils of open-source life (LinuxDevices.com). LinuxDevices.com is running a guest column by Karim Yaghmour, on the development of the Linux Trace Toolkit. "As described above, LTT has progressed at a phenomenal rate, in a very short time -- AND with lots of outside help. It has been said that LTT has already surpassed many available tracing tools. This is confirmed by the large number of Fortune 500 companies that currently use LTT to develop Linux based applications."

Free Embedded Telephony project started (LinuxDevices.com). uCommon is a new project designed to build a library of tools for use as network services for tiny footprint embedded Linux kernel based systems.

Qt/Embedded and Qt Palmtop Environment (LinuxDevices.com). Trolltech announced the release of their Qt/Embedded and Qt Palmtop windowing environments this week.

Embedded Linux Newsletter, November 9th 2000. The latest edition of the Embedded Linux Newsletter is out with a story on Linux and PDAs and device profiles on Gateway's Connected Touch Pad and Sony's SNT-V304.

Interoperability

WINE Weekly News for November 13th, 2000. This week's WINE Weekly News has been published. Items of interest include an implementation for generation of import stubs, overlapped (asynchronous) I/O for serial port objects, and discussions of building WINE without X.

Network Management

OpenNMS update. Here is the OpenNMS update for November 15. Topics covered include the software stress test in progress, and the stress on the development staff as well.

Office Applications

LyX Development News. Here is the LyX Development News for November 15, with the latest from the LyX hacker community.

AbiWord Weekly News. The AbiWord Weekly News is back with its first issue since early September.

On the Desktop

KDE, Gnome And The Media. LinuxToday Australia carried a story this week about the sensationalism often poured over KDE vs GNOME issues by the news media.

Others have told me that we journalists view the world more in terms of black and white than the wider population. There is a reason for this. News writing is, in effect, the first draft of history. Or in more scientific terms, it is simply the first approximation to the truth. By its very nature it has to be simplified, we can't spend hours chasing down every loose fact because there are deadlines. And we can't lard our stories with qualifications to every statement because it makes them unreadable. This drive for speed and clarity leads towards a dualistic view.

People Behind KDE: Sandy Meier. In another in its series of developer profiles, the People Behind KDE talks with Sandy Meier. Sandy is the maintainer of the KDevelop package, including the project Web site and mailing list.

Kasbar update. Kasbar author Richard Moore has written up his plans for Kasbar, the KDE taskbar replacement, and posted them to KDE Dot News.

Balsa 1.0.0 released. The 1.0 release of the GNOME Mail client, Balsa, which sports a Eudora-like interface, has finally arrived. New features include multiple address book support (both local vCard and remote LDAP books), CRAM and GSSAPI Kerberos authentication, spell checking, support for gnome-print and various other items.

Gnumeric 0.58 has been released. Jody Goldberg sent us a brief release announcement.

GTK+ News. GUI developers who grew up with Motif may be asking themselves what all the fuss is about GTK+. In this article from SunWorld, authors Cameron Laird and Kathryn Soraiz look at the positives and negatives of GTK+. "There's inertia, of course; other toolkits are as much as a decade older, and thus more trusted. But perhaps the most frequent complaint about GTK+ is its mediocre support of Win32. While GTK+ 2.0 includes a framework that addresses this problem, GTK+'s Windows support hasn't ripened like Qt's and Tk's. A couple of ports to Mac OS of GTK+ have also been started, but seem stalled in a far less usable state than the Win32 GTK+."

In a related story, Havoc Pennington has posted to the rumors section of the Red Hat Advanced Development Labs site that GTK+ 2.0 is considered to be "just about feature complete". A few months of bug fixing is in order before it hits the streets. We can't wait for the new text widget...

What up, gPhoto? gPhoto is being evolved into its next incarnation - gPhoto2. Linux.com carried an article this week on what gPhoto is and will be. "With new cameras added constantly, this is arguably the fastest moving digital camera project in the world. Far outpacing and outperforming anything available under Microsoft's Windows or Apple's MacOS platforms, gPhoto2 promises to deliver compatibility with many cameras to developers, leaving them free to create any user interface they can dream of."

Science

FreeMed 0.2 released. LinuxMedNews reports this week that FreeMed 0.2.0, the GPL'd Electronic Medical Record and Practice Management system, has been released onto SourceForge.

Web-site Development

Midgard Weekly Summary. Here is the Midgard Weekly Summary for November 10 with the latest in development news from the Midgard project.

Zope Weekly News, November 8th. The November 8th edition of the Zope Weekly News has been published. News includes the "Wiki for now" proposal, aimed at resolving some of the immediate shortcomings of the current Wiki product regarding its use for dev.zope.org, news on the HiperDom project, and an update on documentation efforts.

Section Editor: Michael J. Hammel


November 16, 2000


Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

   

 

Programming Languages


Java

Blackdown releases JMF 2.1.1-beta2 Performance Pack. The Blackdown Java Linux Team has announced the release of the Java Media Framework 2.1.1-beta2 Performance Pack for Linux. JMF is a streaming media package for Java applications and applets.

Perl

Beginning Perl Book Review. LinuxLookup posted a very brief review this week of Simon Cozens with Peter Wainwright's "Beginning Perl" book.

This week on perl5-porters (08 Nov -- 14 Nov 2000). Perl5 Porters posted their latest newsletter. Some of the topics covered include "stat vs lstat," threads and POSIX, and a discussion on locales.

use Perl; modules updates. use Perl; has quite a few modules updates this week, including Image Info and an IP telephone.

PHP

PHP Weekly Summary. The PHP Weekly Summary for November 13th has been published. Highlights include a new Qt XML extension and a discussion on the RFC for PHP's release cycle.

Python

This week's Python-URL. Here is Dr. Dobb's Python-URL for November 13 with the usual summary of events in the Python development community.

Charming Python: Reloading on the fly. IBM developerWorks has another in the Charming Python series, this one covering dynamically reloading modules in long-running processes.

Suppose you want to run a process on your local machine, but part of your program logic lives somewhere else. Specifically, let us assume that this program logic is updated from time to time, and when you run your process, you would like to use the most current program logic. There are a number of approaches to addressing the requirement just described; this article walks you through several of them.

Tcl/tk

This week's Tcl-URL. Here is Dr. Dobb's Tcl-URL for November 14 with a number of goodies from the Tcl development community.

Software Development Tools

GNU Autoconf text online. The new book from New Riders Publishing, GNU Autoconf, Automake, and Libtool, which was to be published in October, has also been placed online at Red Hat's site. At the time of this writing the link to the text of the book within the body of the page was incorrect, but the link in the upper right corner has the proper URL.

Inprise takes its Linux app tool open source (ZDNet). Along with its release of JBuilder, Inprise (now Borland) is rumored (by ZDNet) to be releasing the code to Kylix to the GNOME foundation. "Inprise also is joining the foundation and will participate in the Bonobo out-of-process component specification, as well as add support for Bonobo to Kylix, which is in beta."

UDI reference implementation for Linux. A UDI (Uniform Driver Interface) environment has been made available in binary format for Red Hat and Caldera Linux distributions from Software Technologies Group. Source releases are expected later.

Section Editor: Michael J. Hammel

 
Language Links
Caml
Caml Hump
Tiny COBOL
Erlang
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
Guile
Haskell
IBM Java Zone
Jython
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP
PHP Weekly Summary
Daily Python-URL
Python.org
Python.faqts
Python Eggs
Ruby
Ruby Garden
MIT Scheme
Schemers
Squeak
Smalltalk
Why Smalltalk
Tcl Developer Xchange
Tcl-tk.net
O'Reilly's XML.com
Regular Expressions
   


See also: last week's Commerce page.

Linux and Business


Poland taxes free software as a donation. Here's an article from the debian-devel list on how a "local fiscal office" in Poland has levied a tax on a company which is using Linux on its servers. Evidently the Linux software is supposed to be recognized as a donation, with a value comparable to Microsoft products. More information is available, for those who can read Polish, in this ComputerWorld Poland article.

Bull and Penguin Computing sign deal. Bull and Penguin Computing have announced a deal where they will cooperate in the sales and support of Linux systems in Europe. This cooperation will cover everything from manufacturing to phone support. Bull is already an investor in Penguin, so this deal just deepens their relationship. If it helps Penguin get a foothold in Europe, it could prove to be a good thing indeed.

Red Hat appoints new CFO. After several months, Red Hat has announced that it finally has a new chief financial officer. It's Kevin Thompson, who joined the company way back in October as VP of operations.

Turbolinux EnFuzion cracks NT passwords in a minute at Comdex. Here's a press release from Turbolinux on its demonstration of its EnFuzion clustering software at Comdex. To demonstrate what EnFuzion can do, the company chose the task of cracking NT passwords - something that the cluster evidently can do in one minute. "Turbolinux does not endorse breaking passwords on Microsoft software or any other products."

Borland delivers free edition of JBuilder 4. Inprise/Borland has announced that the "JBuilder 4 Foundation" Java development environment is available for free download.

FreeDevelopers.net on voting software. FreeDevelopers.net (profiled in last week's LWN Weekly Edition) has put out a press release stating that it has an open source electronic voting system which can prevent a repeat of the electoral joy currently being experienced here in the U.S.

Atipa Now Offering Free Online 'Test Drives' of Beowulf Clusters. Atipa apparently has two 4-node clusters, one AMD and one Intel, which it has opened to customers for test drives. The systems, called Ascendance, have been configured with Wulfkit, Myrinet, Ethernet and Gigabit Ethernet so the clusters can be tested with any of these options between nodes.

Guru.com and Red Hat launch Linux marketplace. Guru.com has announced the launch of a "Linux marketplace," in cooperation with Red Hat. It is oriented around Guru.com's "gig matching" services for contractors.

Cyclades taps Hard Hat Linux for new access server. Cyclades has announced the availability of the TS2000 terminal server, which runs MontaVista's Hard Hat Linux internally.

Press Releases:

Commercial Products for Linux

Products and Services Using Linux

  • Gateway Inc. (NEW YORK) announced its Crusoe-based web pad, and a bunch of other stuff.

  • HostNYC, Inc. (NEW YORK) has new service plans for its (Linux-based) hosting business.

  • James River Technical, Inc. (RICHMOND, Va.) launched "Availigence", a MSP that helps small- to medium-size businesses monitor and manage their infrastructure.

  • M-Systems (LAS VEGAS) announced that its DiskOnChip flash device is used in Inter-Con/PC, Inc.'s Linux-based set-top box.

  • M-Systems (LAS VEGAS) also announced that Chip PC is using DiskOnChip in its Xtreme PC.

  • Tvia, Inc. (LAS VEGAS) had its processor used in Acer's Linux-based set-top box.

  • Vibrance Networks (LAS VEGAS) released the second generation of its Linux-based VNIA Internet appliance platform.

  • WebMachines (LAS VEGAS) announced its "iaNetwork server infrastructure solution" for the management of Internet appliances.

Products with Linux Versions

  • Agfa Monotype Corporation (LAS VEGAS) released its iType font scaling system.

  • Bakbone (LAS VEGAS) released version 2.23e of its MagnaVault optical storage management software.

  • Capslock (SAN JOSE, Calif.) announced its "Secure Wireless Access Technology."

  • Central Command (MEDINA, Ohio) announced AntiVirus eXpert, a virus scanning package.

  • Cycore (SAN MATEO, Calif.) optimized Cult3D for Pentium 4 processors.

  • Infoteria Corporation (TOKYO, and BOSTON) released a version of its iPEX XML development platform that supports Java.

  • Microline Corporation (ALIQUIPPA, Pa.) released BackupEDGE 01.01.08build6.

  • MindMaker, Inc. (SAN JOSE, Calif.) released a beta of FlexSpeech, a speech recognition system.

  • MindMaker, Inc. (SAN JOSE, Calif.) also announced its "FlexVoice TTS Farm" speech generation system.

  • Objectivity, Inc. (MOUNTAIN VIEW, Calif.) released Objectivity/DB 6.0.

  • Paradigm3 Internet Software (SAN JOSE, Calif.) announced its software license management package.

  • Pixami, Inc. (SAN RAMON, Calif.) released "Photo Edges," which adds edge effects to digital photos.

  • SpiderCache, Inc. (VANCOUVER, B.C.) released its web caching product for Linux.

  • Teamware Group announced a 90-day evaluation version of Teamware Office 5.3 for Linux-Mandrake 7.2.

  • ThoughtShare Communication Inc. (LAS VEGAS, NV) released its "bViewer" "knowledge management" product.

  • Trend Micro (CUPERTINO, Calif.) announced InterScan eManager 3.5, a mail filtering and virus scanning utility. Linux version due "later this year."

  • WebMachines (LAS VEGAS) released its iaClient internet appliance software for Linux.

Java Products

  • RSW Software (WALTHAM, Mass.) announced Bean-test 3.1, a Java Bean testing utility.

  • SL Corp. (CHICAGO) announced the availability of SL-GMS J/Net, a graphical network management package.

Books and Training

  • Zero Knowledge Systems (MONTREAL); their cryptographer Dr. Stefan Brands has published an MIT Press book on public key infrastructures and digital certificates.

Partnerships

  • Bluepoint Linux Software Corp. (LOS ANGELES) is partnering with Guangdong Shijilong Holding Co. Ltd. to build Internet data centers.

  • eOn Communications Corporation (ATLANTA) has an OEM agreement with Indyme Electronics.

  • Enterprise and PartnerAxis (LAS VEGAS) are launching an electronic marketplace for Linux solutions.

  • Merlin Software (LAS VEGAS) has a new partner program called "Pure Magic."

  • METASes (CHICAGO) is working with SecurityFocus.com to provide a managed security service offering.

  • Netword Inc. and Chilliware Inc. (GAITHERSBURG, Md.) announced that Chilliware will be packing Networds with its desktop products.

  • Proxim, Inc. and iRobot Corp. (SUNNYVALE, Calif.) will build Proxim's Symphony home networking technology into iRobot's home robot.

  • Sangoma.com (TORONTO) is working with DY 4 Systems to develop a Linux-based network appliance.

  • SecuGen Corporation (SAN JOSE, Calif.) is integrating its biometric authentication software into Novell's Modular Authentication Service.

  • SGI And Mercantec (MOUNTAIN VIEW, Calif. and NAPERVILLE, Ill.) will be partnering to provide turnkey Linux- (and IRIX-) based e-commerce solutions.

Investments and Acquisitions

Financial Results

Personnel

  • LinuxWizardry Systems, Inc. (BOCA RATON, Fla.) appointed W. J. Skelton as VP of Corporate Development.

  • NuSphere (BEDFORD, Mass.) announced the hiring of MySQL hacker Paul Dubois.

Other

  • Caldera Systems (OREM, Utah) announced the availability of free Linux training at Comdex.

  • HouseHold Direct (NEW YORK) has a new e-commerce site built on the (Open Source) ArsDigita Community System.

  • Inprise Corporation (SCOTTS VALLEY, Calif.) is changing its name to Borland Software Corporation.

  • VMware, Inc. (PALO ALTO, Calif.) won PC Magazine's Technical Excellence award.

Section Editor: Rebecca Sobol.


November 16, 2000

   


See also: last week's Linux in the news page.

Linux in the news


Recommended Reading

Survey finds aggressive Linux deployments planned (ZDNet). Zona Research interviewed 109 IT professionals and found half are expecting up to 25% increases in Linux users in their firms, while in the small business sector increases as much as 50% were expected by up to 1/3 of the respondents. "The report also estimated that, over the next two years, the deployment of Linux commerce applications, commercial and in-house-developed desktop applications, and general office automation applications will double at respondents' organizations."

Linux 2.4 kernel

Linux 2.4 To Go Gold In December (InternetWeek). Internet Week reports on the upcoming 2.4.0 release. "Torvalds, for his part, has his own reasons for ensuring that the kernel makes it out the door in December -- or this month, if possible. 'Of course, I'm also expecting my third daughter in late November, so if I can release it before that I'll be happy,' he said."

Essence of Distributed Work: the Case of the Linux Kernel (First Monday). First Monday has run a detailed study of the development of the Linux kernel. "Does every successful large-scale distributed project require one 'great person' to be in charge? Clearly this was important in the Linux case. Yet other successful open-source development projects have had different leadership models."

Torvalds: The Truth Shall Make You ... Rich? (TechWeb). TechWeb reports on Linus Torvalds' comments at a Comdex panel on Linux. "One 'company' that used to hold the truth was the Catholic Church. The church made a lot of money by having a proprietary truth. All the richest people were religious people. The Pope had a lot more money than the scientists. The analogy is that the truth became open, like open source, and the truth was science. I believe open source and Linux is about the same thing."

Embedded Linux

Linux looks to avoid fragmentation (EE Times). Here's an EE Times article reporting from the Embedded Linux Conference. "The implications of a Unix-like 'forking,' or fragmenting, of Linux were brought home by chief technology officer Tim Bird of Lineo (Salt Lake City). In a keynote address at the conference, Bird asserted that the open-source developer community cannot fulfill all of the embedded market's needs, because the 'network effects' that drive open-source development tend to be reduced in many areas of embedded technology."

The joys and perils of open-source life (LinuxDevices.com). LinuxDevices.com is running a guest column by Karim Yaghmour, on the development of the Linux Trace Toolkit. "As described above, LTT has progressed at a phenomenal rate, in a very short time -- AND with lots of outside help. It has been said that LTT has already surpassed many available tracing tools. This is confirmed by the large number of Fortune 500 companies that currently use LTT to develop Linux based applications."

Linux Seeks To Ward Off Fragmentation (TechWeb). Worries about Linux fragmentation from the point of view of the embedded Linux market are discussed in this article from TechWeb. In a keynote address, [Lineo CEO Tim] Bird said the open source developer community cannot fulfill all of the embedded market's needs, because the "network effects" that drive open source development tend to be reduced in many areas of embedded technology.

Toshiba server appliance to debut next year (News.com). News.com looks at the new Linux-based server appliance from Toshiba. "The machine will use Red Hat's version of Linux, the spokeswoman added, but Toshiba declined to say which company's CPU is inside."

Transmeta shows off a handful of embedded Linux successes (ZDNet). ZDNet reports from Transmeta's Comdex demonstration. "In all, the company showcased eleven customer applications -- including five notebook computers, five webpad devices, and one Internet server appliance. Of these, all but the notebook computers and server appliance were based on Transmeta's Crusoe-based webpad reference design combined with Mobile Linux, a Transmeta-developed port of the Linux operating system to Crusoe."

Linux sets its sights on the PDA market (LinuxDevices.com). Yopi, Agenda VR3, PocketLinux, Microwindows - a quick review of Linux-based PDA offerings and systems designed to support them is offered in this article from LinuxDevices.com.

Device profile: Sony SNT-V304 Video Network Station (LinuxDevices.com). Here's another device profile on LinuxDevices.com; this one looks at the Sony SNT-V304 Video Network Station. "The compact device, which contains an embedded Linux operating system running on an Axis ETRAX system-on-chip processor, combined with video processing technologies developed by Axis, transmits images generated by analog video cameras to remote locations where they can be viewed using ordinary GUI-based web browsers."

Linux in Use

Cookin With Linux (ZDNet). ZDNet has published a case study, looking at what happened when First Communications decided to deploy Linux. "In the end, First Comm found that simply biting into a popular Linux-based Internet server solution doesn't work. Linux itself is inexpensive, but implementing a solution, especially without completely understanding the situation, can be as expensive as any commercial setup."

FreePM Forges into a Wide Open Frontier (LinuxNews.com). The medical world is taking steps towards the open source movement, and Tim Cook is helping make sure it does. His FreePM project aims to make practice management software more interoperable.

Barriers to Open Source Use in Medicine Persist (LinuxNews.com). LinuxNews.com is carrying an article exploring the limits to the use of open source in the medical industry. "With its variety of specialized needs, its mission-critical nature and its unique--and largely non-technical--clientele, the health care industry presents a singular and profound challenge to software developers. This challenge may best be met by the open source development model, whose responsiveness and flexibility could surmount many of these specific difficulties."

Linux Advocacy

Commentary: Watching the world get Linux (ZDNet). Evan Leibovitch recounts his travels in Jamaica promoting Linux. "You can almost freeze the moment when you see the change in people's eyes as they 'get it.' You see it coming from the kinds of questions, skeptical at first, then curious, then people nodding while taking an increasing amount of notes."

ALS Review (Troubleshooters.com). In one of the few reviews of this year's Atlanta Linux Showcase that has hit the ether, Troubleshooters.com interviews notable Linux figure Jon "maddog" Hall on his view of making money with Linux, talks with Peter Salus about Unix history and the future of Linux, and looks briefly at the XFree86 movement, plus various views in and around the conference and exhibit floor.

Linux use flourishing (ZDNet). ZDNet looks at the spread of Linux in non-US markets, especially in government offices. "[TurboLinux] had also entered into contracts with China's space agency and Japan's post office. The increasing utilization of Linux at this level abroad would have positive ramifications within the U.S. government down the line, [vice president of marketing Lonn] Johnston said."

Open Source Applications

KDE backers to form a league of their own (ZDNet). ZDNet reports on the expected announcement of the KDE League. "Many of the same companies that lent their name to the GNOME cause are also expected to be on hand when KDE rolls out its organization. Expected KDE League founders include Caldera, Compaq Computer Corp., Corel Corp., IBM Corp., SuSE, and TrollTech, according to sources."

Open Source Of Woe (ZDNet). ZDNet took a look at the reactions from the open source community to Netscape's apparent lack of existing standards support in their upcoming Netscape 6.0 browser. "The controversy was the direct result of the open source development model Netscape used to build the core of the new browser. Ironically, the alleged bugs in Navigator 6 - its most significant browser release in two years - might not have attracted significant attention if Netscape had kept its code secret from the outside world."

Corel: We're still full-speed ahead on Linux (ZDNet). Corel says it is refocusing its plans for Linux after its deal with Microsoft, in this article from ZDNet. "'If we end up porting our Linux products to .Net, we will be acting as a consulting arm to Microsoft,' [CEO Derek] Burney explained. He added that Corel is actively talking to Microsoft's developer division -- the unit currently leading the .Net charge for Microsoft -- but is continuing to actively compete with Microsoft in the desktop applications space."

Netscape's open source browser ready at last (Upside). Here is Upside's take on the Netscape 6 release. "Netscape 6 is based on the Netscape Gecko browser engine, an ongoing technology that has evolved to support a number of Web standards, operating systems and platforms. Netscape built its newest browser based on open standards, a process that spanned more than two years and enlisted the help of thousands of open source geeks."

Who's in Charge Here, Anyway? (ZDNet). ZDNet has published an article by Cameron Laird on how the Tcl project is run. "Yet, the degree of professional support for Tcl is often not recognizable to beginners, and I realize that this can be an important factor in its development, since initial impressions create powerful realities in the marketing-intensive world of computing systems."

He speaks hacker (Upside). Here's an Upside article about Great Bridge and its PostgreSQL plans. "Comparisons between community-based software and community-based journalism go only so far, however. By employing members of the PostgreSQL team, Great Bridge possesses the power to destroy the very project that serves as its economic foundation. One of the first hurdles is learning how to adjust to the open source notion of contributing to a project without controlling it."

Eazel/Nautilus

Software aims to ease Linux use (Boston Globe). The Boston Globe reports on Eazel's "sneak preview" release. "The announcement is important because up until now, Linux users have dealt with a clunky interface that contrasts sharply with the look and feel of, say, the Macintosh with its user-friendly menus and buttons."

Preview: Nautilus PR2 (LinuxPlanet). Eazel's PR2 release of Nautilus is reviewed by Linux Planet. "Unfortunately there's a dependency conflict between the two at the moment, at least for Debian users. Nautilus is a little further along the curve in terms of the version of Bonobo, GNOME's new backend libraries, than Evolution. At this point, it's one or the other for the curious, not both."

Eazel Nautilus Preview2 impresses, frustrates (ZDNet). While reported to be feature-complete, ZDNet says Eazel's Nautilus Preview2 lacks performance optimizations and cross platform support. "Slow performance was evident on both machines, with Nautilus taking several seconds to launch and another several seconds to build the icons in each window. This may be due in large part to Nautilus' reliance on a build of Mozilla that still has a lot of debugging code running, however."

Business

VA Linux investors back away (Upside). Upside examines VA Linux Systems' prospects after its disappointing quarterly numbers. "Viewed through the prism of flattening consumer demand, the Sun-VA Linux showdown appears much more ominous. Add the fact that VA's second quarter traditionally has been the slowest, thanks to the annual IT spending slowdown during the holiday season, and you get a situation where the company might not have any good financial news to report for another six months."

Caldera lures Linux guru away from rival (News.com). News.com reports on John Terpstra's move to Caldera Systems. "Caldera Systems chief executive Ransom Love confirmed the move Tuesday, saying that Terpstra would help Caldera's effort to standardize how the open-source Linux operating system works, but declining further comment."

Portland, Ore., College Could Be Tapped to House New Linux Lab (Oregonian). According to this article in The Oregonian, Portland State University is expected to be named the home for the open source development lab being set up by IBM, HP and Intel.

Red Hat: Big company forms big alliances (O Linux). O Linux interviews Red Hat's Erik Troan. "Our capabilities run the entire computing spectrum from servers and high availability clustering to embedded devices and handhelds. We have server enterprise customers such as Home Depot and Toyota as well as embedded customers such as Sony, Ericsson and Samsung."

Linux products, services make play for e-markets (ZDNet). ZDNet says that Linux, while established as a Web/Mail server and firewall solution, is still not a player in the e-marketplace. "Though it is gaining in popularity, some still question whether Linux can handle the high numbers of transactions commonplace in business-to-business marketplaces." Then again, they also say "more IT people are trained on Windows, giving the platform a greater support system." Does size equal quality?

French Linux company following Red Hat model (News.com). Linux Mandrake is turning from a product based business model to one similar to Red Hat's, according to this article from C|Net's News.com. "It's very difficult to charge a lot of money for a product that's available for free," [Chief Executive Henri] Poole said. "We expect most of our revenue in the long term to come from services."

What will MandrakeSoft pull out of it's sleeve next? (LinuxToday). The Australian LinuxToday profiles MandrakeSoft. "However, MandrakeSoft appears to be one of the first Linux companies to offer its software in America's Wal-Marts - basically the equivalent of Australia's Woolworths or Big W. Stacked along the shelves, next to food, groceries, and common every day items, you can find copies of Linux-Mandrake 7.2. Revolutionary? What better place to sell this software?"

Other

Under Construction (ZDNet). So what happened to Internet2, the solution to our tangled web of communications that is the current Internet? ZDNet looks at what has been done - and why we won't see it for awhile. "Researchers also caution that the efforts under way to create improved network technologies and applications are not intended to create a sort of "replacement Internet" that will be put into service all at once. Rather than some kind of giant switch being thrown one day, at which point the old Internet dies and a new one replaces it, the process will be far more gradual, as new technologies begin to take over for existing ones."

Section Editor: Rebecca Sobol


November 16, 2000

   


See also: last week's Announcements page.

Announcements


Resources

Free KDE 2.0 Development Book Now Available. The entire source to the upcoming KDE 2.0 Development is now available online. The book can be read online in HTML or offline in HTML or PDF.

Linux/Free Software Jobs

If you'd like to live in Toronto, CanadaStartups.com is looking for a Linux System Administrator.

Events

November/December events.
Date | Event | Location
November 13 - November 17, 2000 | LINUX Business Expo | Sands Convention Center, Las Vegas, Nevada
November 25, 2000 | Australian Open Source Symposium | Adelaide, Australia
November 28 - December 1, 2000 | IEEE International Conference on Cluster Computing | Technische Universität Chemnitz, Saxony, Germany
December 2 - December 3, 2000 | LinuxCertified's Linux for beginners | Cupertino, CA
December 3 - December 5, 2000 | Wireless DevCon 2000 | San Jose Doubletree Hotel, San Jose, CA
December 3 - December 8, 2000 | LISA 2000 | New Orleans, LA
December 5 - December 6, 2000 | LinuxUser 2000 Conference | Chelsea Village, London, England

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

User Group News

Boise LUG looks for sponsors. The Boise Linux User Group, in Boise, Idaho, is looking for sponsors to help them in their task of educating people about Linux and providing them with resources.

LUG Events: November 16 - November 30, 2000.
Date | Event | Location
November 17, 2000 | Rice University Linux Users Group | Rice University, Houston, TX
November 18, 2000 | Silicon Valley Linux Users Group Installfest | Computer Literacy Bookshop, San Jose, CA
November 18, 2000 | Eugene Unix and GNU/Linux User Group | Eugene, Oregon
November 18, 2000 | The Linux Users' Group of Davis Linux Demonstration | Davis, CA
November 19, 2000 | Beachside Linux User Group | Conway, South Carolina
November 19, 2000 | The Linux Users' Group of Davis Linux Installfest | Davis, CA
November 20, 2000 | Linux Users' Group of Davis | Z-World, Davis, CA
November 21, 2000 | Kansas City Linux Users Group | Kansas City Public Library, Kansas City, MO
November 21, 2000 | Bay Area Linux User Group | Chinatown, San Francisco, California
November 22, 2000 | Linux User Group of Assen | Assen, Netherlands
November 25, 2000 | Central Ohio Linux User Group | Columbus, Ohio

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.


November 16, 2000

   

 

Software Announcements


Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:

Sorted by section and Sorted by license

 

Our software announcements are provided courtesy of FreshMeat

   


See also: last week's Back page page.

Linux Links of the Week


TheGeek.org is another amusing news site, apparently relatively new. Check them out now, before they get popular...

The plug was apparently just pulled on the last Multics machine. Multics had a great influence over many of the systems that followed, including Linux. Have a look at this RISKS posting by Peter Neumann on the goals of the Multics project; more can then be found at the Multicians.org site.

Section Editor: Jon Corbet


November 16, 2000

   

 

This week in history


Two years ago (November 19, 1998 LWN): Trolltech announced that the Qt library would be released under an open source license. That license, the QPL, was truly open source, but remained controversial anyway. The Qt licensing issue didn't really die down until the library was relicensed under the GPL this year.

Bruce Perens warned about the danger of trojan horse software. Two years later, there have been very few trojan incidents, but the danger is probably more real than ever.

Stable kernel 2.0.36 was released with the first known application of "holy penguin pee." According to Linus:

This, btw, is not something I would suggest you do in your living room. Getting a penguin to pee on demand is _messy_. We're talking yellow spots on the walls, on the ceiling, yea verily even behind the fridge. However. I would also advice against doing this outside - it may be a lot easier to clean up, but you're likely to get reported and arrested for public lewdness. Never mind that you had a perfectly good explanation for it all.

The Linux Journal Editor's Choice Awards went out...the product of the year was Netscape Communicator, the "most desired port" Quark Xpress, and the best new hardware was the Corel Netwinder. Some awards just don't stand the test of time...

Slackware 3.6 was released. Both Red Hat and SuSE announced support programs for their distributions. Red Hat hired Matthew Szulik to be the company president.

VA Research (now VA Linux Systems) received a venture investment from Sequoia Capital, and Netscape purchased "NewHoo," which has since become the Open Directory Project.

FUD of the week:

Linux may be a great way for computer-literate individuals to get under the hoods of their computers for little cost, but it's nothing more than a convenient form of protest and public relations for the major software vendors that plan to support it. If nothing else, the Linux community has an influence beyond its numbers, and getting on its good side might help sales elsewhere. As long as Linux remains a religion of freeware fanatics, Microsoft (and other NOS vendors) have nothing to worry about.
-- Michael Surkan, ZDNet.

One year ago (November 18, 1999 LWN): The first Linux Business Expo happened as part of Comdex in Las Vegas. The Linux Professional Institute completed its first certification exam, finally.

SuSE 6.3 was announced - though it was not due to hit the net until December. Mozilla M11 was released.

Rumors were circulating of a new company to be formed by GNOME hackers Miguel de Icaza and Nat Friedman. Red Hat's purchase of Cygnus Solutions was confirmed. VA Linux Systems decreed that its IPO would happen at $11-13 per share - rather short of the $30 that it eventually went out at (but fairly close to today's price).

Scary thought of the week:

I don't think people realize just how close we came to a Microsoft-dominated Web. If Microsoft, having trounced Netscape, hadn't been surprised by the unexpected strength of Apache, Perl, FreeBSD and Linux, I can easily imagine a squeeze play on Web protocols and standards, which would have allowed Microsoft to dictate terms to the Web developers who are currently inventing the next generation of computer applications.
-- Tim O'Reilly in Salon.

Advogato hit the net.

 
   

 

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
 
   
Date: Fri, 10 Nov 2000 09:53:40 -0800
From: Jean Tourrilhes <jt@bougret.hpl.hp.com>
To: lwn@lwn.net
Subject: IrDA status in 2.4

	Hi,

	I'm writing to Jonathan Corbet, about the blurb he wrote in
this section of the LWN :
		http://lwn.net/2000/1109/kernel.php3

	Your assessment of the IrDA in kernel 2.4 situation is both
premature and inaccurate :

	1) Don't take all Linus words for granted, patch size is not
the only issue :
http://www.uwsg.indiana.edu/hypermail/linux/kernel/0011.1/0023.html

	2) This is not a "last minute query", there has been an
ongoing process of trying to get IrDA in the kernel in the last 6
months (I personally sent mails/patches to Linus in August), it was
just private.

	3) Don't underestimate the difficulty of feeding patches to
Linus when he gives absolutely no feedback whatsoever and totally
ignores what you are doing. Alan Cox is much easier to work with.

	4) Don't overestimate the ability of Linus to understand and
appreciate patches for a large body of code he is unfamiliar with and
in an area where he doesn't have experience.

	5) This kind of flame is unfortunately the only way to get
things moving. I don't like it.

	That's it !

	Jean
   
From: Zygo Blaxell <zblaxell@genki.hungrycats.org>
Date: Tue, 14 Nov 2000 13:00:35 -0500
To: letters@lwn.net
Subject: Re: Linux's security


Kevin Breit <battery841@mypad.com> wrote:
>I know that the Linus and Co. think it's nazi-admin, but enable wheel
>group on Linux distributions by default.

Funny, I've been called a Nazi administrator more than once, but I 
don't agree.  :-)

Wheel-group just trades setuid security holes for setgid security holes,
without solving the real problems:  buggy programs (setuid or not) with
privileges, plaintext passwords, and unsecured communications channels.
On the other hand, wheel-group introduces new administration procedures
and interoperation difficulties.

Better to remove the setuid bits entirely from /bin/login and /bin/su,
and disable or completely remove from the system any software that
allows login as root in ways not explicitly approved by the "wheel"
people.  The vast majority of users are much better off if they can only
get root privileges by logging into the console (or via ssh, if remote
root access is a requirement).

>But Linux definitely doesn't touch OpenBSD's quality in regards to
>security, and I feel it's arguable that it has some catchup to do with
>FreeBSD.

I've been following both the FreeBSD and Debian (GNU/)Linux security
situation for some time now.  My experience suggests that Debian and
FreeBSD are fairly evenly matched (within a few weeks of each other)
in terms of security issues.

Both distributions consist of three categories of packages: essential
software, optional but installed-by-default software, and
optional but not-installed-by-default software.  There is little
security distinction between Debian and FreeBSD within each category:
both sets of essential software tend to be very secure, while both sets of
non-essential software tend to have multiple exploitable vulnerabilities
exposed every week, and both sets of installed-by-default optional
software fall somewhere in between.

Every now and then, a vulnerability is found even in the essential
software category, but when that happens both Debian and FreeBSD release
upgrades within days (if not hours) of each other.  Both Debian and
FreeBSD feature some kind of mostly automatic upgrade mechanism for end
users which can be used to install security patches in a painless and
timely manner.

Now that I've said all that:  there is a gap between Debian and other
Linux distributions, and it goes both ways.  Some Linux distributions
are as fanatical about security as the OpenBSD people (although they
don't have OpenBSD's four year head start).  On the other hand, I'm
sure we all know of at least one Linux distribution where some trivial
but essential task is by default performed with the "assistance" of
millions of lines of unaudited GUI code cobbled together from two or
three competing X11 toolkits, written by people who barely understand
C, let alone concepts like system() exploits or /tmp races, all running
under root privileges and 'xhost +'.  Heck, even Debian has optional
packages like that if you want to install them.  ;-)

Granting software the freedom to evolve guarantees only different results,
not better ones.  ;-)
   
Date: Thu, 09 Nov 2000 14:29:23 +0100
From: Simone Lazzaris <sw2@task84.it>
To: letters@lwn.net
Subject: Again about Microsoft Network compromise

Hi all
I just want to make some remarks about the recent network compromise at 
Microsoft and to reply to some letters read here on lwn about the "not 
so exceptional" security in linux-based systems.
I think that, while it's true that almost all big distros ship with big
security holes, the impact of this exploit is not just about the
reliability of an OS, but falls into the realms of the security paradigm.
I mean, we all know that every system can be broken. It's just a matter
of time. But hiding security holes, encrypting passwords with XOR,
putting security bits in quirk places - in other words, security through
obscurity - that Microsoft preaches cannot hold if the source code
can be exposed.
And with this network compromise we all know that the source code can 
(and maybe was) be exposed.
They don't have any more excuses. We cannot trust Microsoft on security 
subject. Full Stop. (Not that *I* ever trusted them. But this is another 
story).
---
Simone Lazzaris                               simone@omni.it

   
Date: Thu, 09 Nov 2000 08:40:54 -0600
From: Michael Coyne <coynem@airwire.com>
To: lwn@lwn.net
Subject: GNOME Office: StarOffice vs. Abiword

Having used both Staroffice's word processor and Abiword extensively
since their early days, I would not really be in favour of Staroffice
becoming the de facto word processing standard under Gnome--it's large,
clunky and slow.  Abiword is small, lightweight, and does what I need--I
also find it far easier to use.

I think it would be a real shame if Abiword died out because of
Staroffice--but I don't think it will.  Let Sun concentrate on
Staroffice.  I think that we in the free software community should
concentrate on things like Abiword and gnumeric.  Do we really want to
be dependent on Sun for our office software?  Sure, it's open
source--but the code remains Sun's property, even if we write it.  Sun
is a big proponent of Linux right now, but I wouldn't be surprised to
see them drop it like a hot potato if the marketplace changes.


Regards,
Michael
--
Michael Coyne
coynem@airwire.com
   
To: letters@lwn.net
Subject: AbiWord vs. OpenOffice: Who's Gnomey?
From: Alan Shutko <ats@acm.org>
Date: 09 Nov 2000 11:18:03 -0500

In reference to 

    AbiWord does not really see itself as a GNOME project - they want
    to produce "the world's word processor." Thus, AbiWord runs on
    platforms not supported by GNOME - things like BeOS and, yes,
    Windows. There is little or no desire on their part to narrow
    their focus at this point.

At this point, both the AbiWord and OpenOffice developers have their
eyes set on producing a cross-platform application.  The OpenOffice
mailing list archives hold a number of examples where something was
done to ensure cross-platform builds or functionality.  

IMO, it's too early right now to try to predict how either application
will fit into "GNOME Office".  Many of the technologies being
developed (bonobo, for instance) are under rapid development, and it
will be a while before the best ways to use them are understood.
Eventually we (as a community) will be able to decide the best way to
proceed.

(Me, I'm patient.  I remember when nobody thought a "word processor"
project could succeed, because so many had started and died.  The
amount of progress made in the last couple years is amazing.)

-- 
Alan Shutko <ats@acm.org> - In a variety of flavors!
1 days, 23 hours, 26 minutes, 37 seconds till we run away.
Never trust an operating system.
   
From: "Mason, Gerard" <gm95015@GlaxoWellcome.co.uk>
To: "'letters@lwn.net'" <letters@lwn.net>
Subject: Eazel Online Storage
Date: Fri, 10 Nov 2000 17:49:27 -0000

Since Nautilus is GPL'd, does anyone know if it is easy, or even possible,
to replace Eazel's Online Storage facility (and perhaps, though it is not so
important, the Software Catalog facility), with A.N. Other ISP's? Ideally
the user would simply have to change a line in a configuration file.

It wouldn't matter too much if ISPs had to do a fair bit of implementation
to support this, since they would only have to do it once. Is the
server-side source code (assuming there is any) also GPL'd?


Gerard Mason.

   
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds