Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Back page
Leading items and editorials

And so the year comes to the close. And what a year! 2000 stands out for highs and lows for Linux and Free Software. This is the time of year when we take a step back and try to get an overall perspective, as well as some guesses as to what lies ahead. For those of you interested in previous such efforts, feel free to check out the end-of-year coverage from 1999 and 1998 as well. Also along the same lines, if you haven't yet checked out the year 2000 LWN Timeline, now is your chance. Note that this is a work in progress; comments and feedback from our readers are essential in order to complete the timeline. Reader contributions are kept in a log, so credit will be given where due. A final version of the Timeline will be released in early January. What were the major trends for Linux and Open Source/Free Software in 2000? Using a broad rule of thumb, we searched for repeating themes that came up virtually every month and found five of them:
Note that the change mentioned above is political in nature and could be just as easily reversed. On the legal front, a good step forward was made in April, when the United States Court of Appeals for the Sixth Circuit published its decision regarding Peter Junger's challenge to the Export Administration Regulations which prevented him from posting information on the Internet that contained cryptographic example code. Most critical in the ruling: "Because computer source code is an expressive means for the exchange of information and ideas about computer programming, we hold that it is protected by the First Amendment." If this verdict holds, it should provide a more solid ground for the safety of cryptographic development in the US, as well as a wonderful precedent for future software- and freedom-related lawsuits. VA Linux's Sourceforge must stand out as another notable success. Announced in January, Sourceforge has grown to host over 12,000 software development projects, all of them Free/Open Source. That is estimated to be over 75% of the "free software universe". Although we wish them the best, we'll reiterate our stance in favor of competition and hope to see a staunch Free Software advocate or two come out with a comparable system in the coming year.
Some major development milestones we'd like to celebrate: XFree86 4.0, KDE 2.0, Perl 5.6.0, PHP 4.0, PostgreSQL 7.0, Gnucash 1.4, Python 1.6 and 2.0, and Netscape 6 (the first based on Mozilla). Some exciting products not yet to a stable release included Helix Code's Evolution and Eazel's Nautilus, both exciting projects for the future of the desktop. Don't shoot us for leaving out the other 99% -- this edition would never have made it out the door. Now for the hard part. What will the next year bring? Well, we'll refrain from any attempt to predict the overall economic health of the US or any other country in the world. Nonetheless, we will predict that Free Software and the value of the concepts behind it will weather both good news and bad. In the midst of a massive loss of value for Linux stocks on the NASDAQ exchange, IBM announced plans to pour a billion US dollars into Linux next year and more billions of dollars over the years to come. Dell has announced major commitments to the Linux platform. All of the major software companies out there are focused on Linux and Free Software, no longer as a get-rich trick, but as an essential part of their business plan. Do heavy investments from the big companies presage the end or failure of small Linux-based companies? Highly unlikely. Just as the success of Microsoft spawned many small companies looking to make money off of integration, add-ons, support, etc., the heavy use of Linux and Open Source at IBM, HP, Compaq, Dell and, dare we say, Sun, will produce a fertile field for small companies. That arena will be particularly fertile because Open Source protects the rights and opportunities of all comers, providing natural obstacles to monopolies. Correspondingly though, the likelihood of one of those small companies growing large enough to push the entrenched beasts out of the field is much less likely. What else, then, will next year bring? Continued progress on the desktop. 
We're not ready to plan for a victory celebration in 2001, though. A lot of work remains to be done to provide all the tools that desktop customers need and want, particularly tools that meet our standards: full-featured, high-performance and robust. We must not only match our competitors but exceed them.

Continued growth within corporate business plans. When times are tight and people are examining the bottom line carefully, the long-term advantage of using Free Software will shine. More and more companies will also see the legal advantage of Open Source. It will help protect them from lawsuits based on the number of copies of a piece of software they may be using. It will protect them from increasing software costs. It will provide a safe environment for collaboration and cooperation between companies, for strategic partnerships and more. We'll take another step down the road towards becoming a ubiquitous part of "how things are done".

More mergers and acquisitions. The reality is that many companies are not yet making a profit. The new business climate demands that they do so, or at least clearly chart how quickly they are going to get there. Companies that cannot do one or the other will be looking either at failure or a sale. Given those options, sales will be much more popular. Of course, the prices we'll be seeing won't match the types of sales and acquisitions we saw during the IPO boom; bargain-basement prices are much more likely, particularly for companies that are not yet in the black.

A lot of fun. It hasn't stopped being fun yet. That's an important part of this community. So this isn't a prediction so much as a wish; let the fun continue forever (even if we can't predict its form!).

Inside this week's Linux Weekly News:
December 28, 2000
Security

News and Editorials

So what was different in 2000? The end of the year has come, and with it, an opportunity to look back on the year from a security perspective. After examining many potential topics and discarding them, the question was asked: what has changed the most since 1999? From the perspective of writing this column, the sheer volume of information that is being reported stands out as the largest change. It is amazing to look back on some of the LWN Security Summaries from 1999 and find some that display in a single page view or contain no more than six paragraphs of information. It seemed worthwhile to see if we couldn't produce some rough numbers to illustrate this change. To do so, we looked at two pieces of information: the number of open source software vulnerability reports covered and the size of the LWN Security Summary. Starting with the first item, we quickly scanned through old issues and estimated the number of new vulnerabilities we reported each month for both 1999 and 2000. Lacking a proper database, we make no claims for absolute accuracy. We excluded vulnerabilities in commercial software and web scripts, since our coverage of those issues was not consistent between 1999 and 2000. Given those parameters, we found that the average number of vulnerabilities reported per month in 1999 was 13.67, while the equivalent number in 2000 was 26.41, almost exactly double. For the second item, we found the average size of a security summary in 1999 to be around 6.2KB, while in 2000, the average was 16.1KB, an even larger growth. Of course, although sizes are easy to calculate accurately, they are less reliable as an indication of increased activity; maybe we are just getting more loquacious. Nonetheless, our rough numbers strongly back up the assertion that security activity has more than doubled over the past year. Why?
Well, like most statistics, you can use them to bolster just about any theory you might have, but our personal guess is that the increase is a simple demonstration of the result of more eyes on the code. Linux and free software are gaining in popularity, more and more people are using and scrutinizing the software, and therefore more problems are being found and reported. However, it does give us a kind of scary feeling about 2001 ...

NSA security-enhanced Linux available. The U.S. National Security Agency has made its security-enhanced version of Linux available for download. The site describes what has been done, though in fairly abstract terms. It's available under the GPL, of course. (See also: Ted Ts'o's comments on Slashdot on this release). Stephen Smalley also posted an excellent short summary of the features of the Flask architecture, used by Security-Enhanced Linux, and a comparison with RSBAC (Rule Set Based Access Control) for Linux, another Open Source security extension. "RSBAC appears to have similar goals to the Security-Enhanced Linux. Like the Security-Enhanced Linux, it separates policy from enforcement and supports a variety of security policies. RSBAC uses a different architecture (the Generalized Framework for Access Control or GFAC) than the Security-Enhanced Linux, although the Flask paper notes that at the highest level of abstraction, the Flask architecture is consistent with the GFAC. However, the GFAC does not seem to fully address the issue of policy changes and revocation, as discussed in the Flask paper."

Vendor security information update. Spurred by this excellent post by Matt Power (Bindview) to BugTraq this past week, the security links listed in our right-hand column have had a major overhaul.
BSD information has been added, now that our BSD coverage is officially included, and a new section with pointers to web pages that contain subscription information for security and security announcement lists for various distributions is now available as well.

The security of RSA's SecurID is challenged by a token emulator. SecurID from RSA is a proprietary two-factor authentication scheme, combining a password with a security card, on which RSA has based products for remote access and e-business. A SecurID module is available for Apache, for example. This week, I.C. Wiener published a SecurID token emulator, prompting a discussion on BugTraq of the implications. Adam Shostack commented that such code has been in the wild since 1996 and that its current publication will have the value of allowing a real test of the assertion that the numbers on the SecurID card do not reveal sufficient information to determine the card's secret.

Group crafts rating system for server security (CNet). A new, 71-member organization, the Center for Internet Security, plans to build benchmarks and rating methodologies in order to provide "a "security ruler" defining a minimum level of security and then incrementally greater levels of security from which an organization can choose the desired level of security for its systems". Their plans are covered in this CNet article. Note that the benchmarks are to be released to the public domain. It will be interesting to see how this venture does. The center itself is not-for-profit, so we presumably shouldn't see expensive fees for getting products or systems "rated" by the center. On the other hand, members of the center will be the ones reviewing and approving new benchmarks and ratings as they come out, so it may well be difficult to both move forward in a timely manner and prevent bias toward member products.

Security Reports

dialog lockfile symlink vulnerability.
Matt Kraai reported a symlink problem with the manner in which dialog handles lockfiles. The Debian advisory below is the first and only reference to the problem we have found so far. This week's updates:

More stunnel vulnerabilities. More stunnel vulnerabilities have been reported, in addition to the ones discussed last week. One such vulnerability involves the logging of the stunnel process id to a non-existent directory. More stunnel updates are being released to address these additional problems. One additional stunnel vulnerability that apparently does not impact Linux or BSD systems is the reported weak encryption vulnerability. This week's updates:

halflifeserver. Multiple buffer overflows and format string vulnerabilities have been reported in the halflifeserver. This week's updates:

Kerberized telnetd. Telnetd's allowance of arbitrary environment variables and a buffer overflow in the Kerberos v4 library combined to allow a local root exploit on NetBSD. Note that this problem has not been confirmed on other BSD or Linux systems. This week's updates:

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
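The dialog report above is an instance of the classic lockfile symlink race: a program creates or truncates a lockfile at a predictable path, and an attacker who can place a symlink at that path first redirects the write to a file of their choosing. The C program below is an added illustration of that pattern and its fix; it is not dialog's code, and the routines lock_unsafe, lock_safe and demo_symlink_attack, the lockfile name and the victim file are all hypothetical. The unsafe routine opens the lockfile with O_CREAT|O_TRUNC, which follows a planted symlink; the hardened routine adds O_EXCL (the open fails if anything already exists at the path, a symlink included) and O_NOFOLLOW. The harness plants the symlink, as if the attacker had won the race, and reports whether the victim file was clobbered.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical unsafe lockfile routine: O_CREAT without O_EXCL follows an
 * attacker-planted symlink and truncates whatever it points at.
 * Returns 0 on success, -1 on failure. */
int lock_unsafe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    dprintf(fd, "%ld\n", (long)getpid());
    close(fd);
    return 0;
}

/* Hardened variant: O_EXCL makes the open fail with EEXIST if anything
 * already exists at path (even a dangling symlink), and O_NOFOLLOW refuses
 * to traverse a symlink as the final path component.
 * Returns 0 on success, -1 if the lock could not be taken. */
int lock_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    dprintf(fd, "%ld\n", (long)getpid());
    close(fd);
    return 0;
}

/* Harness (constructed for this example): creates a victim file in a fresh
 * temporary directory, plants a symlink at the lockfile path pointing at it
 * (the attacker winning the race), then takes the lock with the chosen
 * routine. Returns 1 if the victim was clobbered, 0 if it survived intact,
 * -1 on setup failure. */
int demo_symlink_attack(int use_safe)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char victim[256], lock[256], buf[64];
    const char *original = "original contents\n";
    FILE *f;
    size_t n;
    int clobbered;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/dialog.lock", dir);

    /* The victim stands in for any file the privileged program can write. */
    if ((f = fopen(victim, "w")) == NULL)
        return -1;
    fputs(original, f);
    fclose(f);

    /* Attacker's move: the lockfile name already points at the victim. */
    if (symlink(victim, lock) != 0)
        return -1;

    if (use_safe)
        lock_safe(lock);    /* fails with EEXIST, victim untouched */
    else
        lock_unsafe(lock);  /* follows the link, truncates the victim */

    if ((f = fopen(victim, "r")) == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    clobbered = strcmp(buf, original) != 0;

    unlink(lock);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("unsafe open clobbered victim: %d\n", demo_symlink_attack(0));
    printf("safe open clobbered victim:   %d\n", demo_symlink_attack(1));
    return 0;
}
```

O_EXCL alone closes the hole shown here; O_NOFOLLOW is added because it also covers code paths that open an existing lockfile without O_CREAT. A lockfile in a directory the attacker cannot write to removes the race altogether, which is the stronger fix when the program can choose its location.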
Updates

GnuPG web of trust circumvention. A couple of new GnuPG security problems were covered in last week's LWN Security Summary. A security patch against gnupg-1.0.4 was also issued. Note that the discussion last week mentioned two vulnerabilities but only discussed one of them, a problem with trust circumvention. Also fixed with the security patch was a problem with detached signatures, which could cause false-positive verifications. This week's updates: Previous updates:

ProFTPD memory leak. Last week, we mentioned a potential memory leak in ProFTPD. After further discussion on the list, the official position is that the bug is not reproducible.

BSD ftpd single byte buffer overflow. A one-byte buffer overflow was reported last week in the ftpd server provided with BSD. This week's updates: Previous updates:
DNS-based IRC server denial-of-service vulnerabilities. Check the December 14th LWN Security Summary for the original report of denial-of-service vulnerabilities and more in multiple IRC clients, including BitchX 1.0c17-2 and earlier. This week's updates: Previous updates:
ethereal buffer overflow. Check the November 23rd LWN Security Summary for the initial report of this problem. An update to ethereal 0.8.14 should fix this problem. This week's updates: Previous updates:

Resources

ICMP Usage In Scanning. Ofir Arkin has released version 2.5 of his ICMP Usage In Scanning research paper.

Events

RAID 2001 - Call for Papers. The Call for Papers for the Fourth International Symposium on the Recent Advances in Intrusion Detection (RAID 2001) has been released. The event will be held October 10-12, 2001, in Davis, CA, USA.

Upcoming security events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
Kernel development

The current development kernel release is still 2.4.0-test12. The -test13 series saw one new prepatch this week, test13-pre4, which includes the LVM update, the netfilter fix and more Makefile cleanups. For those of you following Alan's patches to the prepatch system, his latest patch is 2.4.0test13pre4ac2. He's currently working on merging the 2.2.18 fixes into the 2.4.0 tree.

The current stable kernel release is still 2.2.18. One new prepatch for 2.2.19 has been released this week, 2.2.19pre3. A run_task_queue fix, resolving a lockup problem some people have been seeing, should be welcome.

Other, minor discussions. This was a relatively light week for the linux-kernel mailing list, with about half of the normal volume of posts. Here are a couple of discussion items that came up this week:
Distributions

Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Linux Mandrake donates to the Free Software Foundation. MandrakeSoft announced a donation of 2500 Euro to the Free Software Foundation Europe, the acknowledged sister organization of the Free Software Foundation in the United States. The Free Software Foundation Europe is currently being set up and is planned to take up work in Germany, France, Sweden and Italy within the first quarter of 2001.

Lunar Penguin bites the dust. The Lunar Penguin distribution has been removed from the LWN Distributions list upon confirmation from project founder Chuck Smead that the project is dead. "I may resurrect it later but it's gone for now... :-(". This distribution was first discussed in the January 13th, 2000 Distributions Summary and was aimed at ISPs and e-business customers. (Thanks to Joseph Klemmer).

The First Annual PPC/Linux Community Awards. PenguinPPC.org presents a roast/toast for the year 2000. There are mock awards followed by a serious recognition of those who have worked hard on the project.

Distribution Reviews

Review: Best Linux 2000 R3 (Duke of URL). The latest distributions review from the Duke of URL covers Best Linux 2000 R3. "The install routine is arguably one of the better ones out there, rivaled by Mandrake and Caldera. This is an installation routine a neophyte could use. It is much closer to what the new user needs - an install program that holds your hand and gets you into the system as soon as possible."

General-Purpose Distributions

Redmond Linux beta 2 released. Redmond Linux beta 2 has been announced. Redmond Linux is a Caldera-based distribution with a target audience of non-technical desktop customers. See the August 3rd, 2000 LWN Distributions Summary for a link to an interview with Redmond project organizer Joseph Cheek. Major differences in beta 2 include glibc 2.2, a 2.4.0-test10 kernel and post-2.0.1 KDE.
Slackware SPARC Development Tree Now Available. The "-current" tree for the Slackware SPARC port is now available on ftp.slackware.com in /pub/slackware/sparc.

Debian needs developers. Debian sent out two reports on December 22, 2000. The first report lists the packages that are looking for a maintainer. There are 71 packages up for adoption. The second report is a bug stamp list. A total of 485 release-critical bugs need to be stamped out.

Red Hat Bug Fix Advisories. The MySQL packages shipped in Red Hat Linux 7 as well as the updates had bugs which caused the DB engine to return bad results or crash. There is a new R-base package available. All R-base packages, including errata, released for Red Hat Powertools 7 experience problems with gcc optimizations. A new version of Update Agent is available which has more features and fixes many bugs present in the existing Agent. Additionally, the "new" Red Hat Network-aware Update Agent that first shipped with Red Hat Linux 7.0 is now available for Red Hat Linux 6.2.

Section Editor: Rebecca Sobol
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
Development projects

Browsers

New Mozilla roadmap posted (Mozilla.org). A new Mozilla Roadmap has been posted by Brendan Eich on Mozilla.org. This document gives a good idea of where the Mozilla project is headed in 2001.

Embedded Systems

Embedded Linux Newsletter for December 21, 2000. The weekly Embedded Linux Newsletter from LinuxDevices.com has been published. Stories covered this past week included the fundamentals of real-time Linux software design, an update on Indrema's Linux-based set-top game console, and the launch of several embedded Linux training programs.

Hacking the iPAQ with Linux, for fun and profit (LinuxDevices). This article is the second in a LinuxDevices.com series by Jerry Epplin that explores Linux on PDAs and handheld devices. This installment looks at the contribution made by handhelds.org. "Before you attempt to use any of the add-on development toolkits, I recommend that you first install the handhelds.org environment, and become familiar with its resources. That's because the add-ons rely heavily on the handhelds.org environment as a base for many of their services."

Office Applications

AbiWord 0.7.12 released. AbiWord 0.7.12 has been released. From the announcement: "This release represents a huge step forward for the AbiWord team. The new features, Gnome-integration, and bugfixes are too numerous to list here. If you've held off on using AbiWord because you felt that it was 'too unstable' or not well integrated with Gnome, this release might be right for you."

Bluefish 0.6 released. Version 0.6 of the Bluefish html editor is now available. This version has lots of bug fixes and new features.

Gnumeric 0.61 released. Gnumeric 0.61, aka the "your mother was a hamster" release, is now available. This version is released as a high priority upgrade with fixes for some problems with Cell Comments and Sheet Objects.

On the Desktop

People of KDE: Stefan Taferner.
Stefan Taferner, co-author of KMail and a main contributor to central technologies in the KDE project, was the latest contributor profiled in the People Behind KDE series. "In the last edition for the Year 2000 of the People Behind KDE series, Tink introduces us to Stefan Taferner, co-author of KMail and a main contributor to central technologies in the KDE project. The new, festive appearance of Tink's site greets us with the photo of a happy Konqi".

Embedding external parts into KDE. The KPart component model is extended to allow embedding of any process within a KDE window, including GTK+ based applications like Mozilla, in this white paper.

KDE and GNOME Interoperability Advances (KDE dot News). KDE dot News discusses the release of the QGtkWidget and QGtkApplications classes, which facilitate the interoperability of KDE and Gnome applications. "QGtkWidget and QGtkApplications are classes for combining Qt and Gtk widgets in a single application. While this sort of thing doesn't make much sense under normal circumstances, it can be used to help KDE and GNOME applications interact better (think of adding GNOME control-center plugins to KControl and vice versa)."

Wei Zhong Oriental Language Environment. WZOLE, the Wei Zhong Oriental Language Environment, is available free of charge for non-commercial use. This is a package that renders Chinese, Japanese, and Korean text on a VGA screen (not running the X window system). WZOLE supports large character sets.

Printing Systems

LPR. Patrick Powell, developer of the LPRng Unix printing system, has sent us an article entitled LPD is Dead that discusses Gerald Carter's article, LPD Must Die! Mr. Powell discusses the use of LPRng to achieve Mr. Carter's goals of featherweight printing, simple filters, security, and print status reporting.

Web-site Development

Zope Weekly News for December 21, 2000. The December 21, 2000 edition of the Zope Weekly News is available.
Upcoming releases of Zope 2.2.5 and Zope 2.3 alpha are discussed. The Zope team will also have a presence at the Linux World Expo in New York on January 31 through February 2, 2001.

Le choix de Zope comme plateforme d'enseignement à distance. Jérôme Alet of the Faculté de Médecine de Nice has posted a lengthy study (in French) on the use of Zope in remote teaching applications. It is an extensive work, looking at Zope's capabilities and disadvantages (the main one being the well-known difficulty of mastering the system). Here's a Babelfish link to translate the front page into English, but using Babelfish on a document of this length is an unrewarding activity. (Thanks to Stéfane Fermigier).

Midgard 1.4 "Bifrost" released. A new release of the Midgard content management system has been announced. Midgard 1.4 "Bifrost" provides object-oriented handling for all data, introduces Repligard, a powerful XML-based replication system, and now sports multiple virtual database support, a new administration interface (Asgard) and more.

Section Editor: Forrest Cook
Programming Languages

Java

JavaScript&DOM Factory Version 0.9. Version 0.9 of the JavaScript&DOM Factory is available. This is a tool that aids in the debugging of JavaScript and DOM code by providing object reference materials. The information is licensed under the GNU Free Documentation License.

Markup Languages

XHTML 1.0 reference with examples. Miloslav Nic has provided this XHTML 1.0 reference on zvon.org; the document describes the reformulation of HTML 4.0 as an XML 1.0 application.

Perl

Inline 0.30 released. Version 0.30 of Inline has been released. "Inline lets you write Perl subroutines in other programming languages like C. You don't need to compile anything. All the details are handled transparently so you can just run your Perl script like normal."

Python

Python-dev summary. Here is A.M. Kuchling's Python-dev summary for December 15. It covers a number of development topics, including unit testing, the proposed (and rejected) __findattr__ extension, and the progress of several enhancement proposals.

Jython 2.0 Alpha 3 released. A new release of Jython, the Java implementation of Python, has been announced. Numerous bugs have been fixed with this release.

High Profile Python Projects. Jerry Spicklemire posted this list of high-profile Python projects to the comp.lang.python newsgroup. If you want to convince your boss that Python is good for serious projects, this list will certainly help.

Tcl/tk

Dr. Dobbs' Tcl-URL (Dec. 26th). The latest issue of Dr. Dobb's Tcl-URL is now available. Recent links of interest include a Tcl binding for the gdk-pixbuf image manipulation library and a new mailing list for TclPro contributors.

Tk: The Forgotten Language (Linux.com). Linux.com's Mark Stone discusses Tcl/Tk and the process of writing a graphical network configuration utility.

Section Editor: Forrest Cook
Linux and Business

Red Hat Unveils New Open Source Simulation Tool. Red Hat has introduced SID, a framework for building computer system simulations. Simulated systems may range from a CPU's instruction set to a large multi-processor embedded system. SID has been released under the GNU General Public License. It includes a growing library of components for modeling hardware and software parts, and can represent some specific systems. Red Hat is looking for software testers and debuggers and other help with the project. You can find out more at Red Hat's SID page.

EL/IX finds a home on NetSilicon SoCs (LinuxDevices). NetSilicon announced they will be adding support for Red Hat's EL/IX API and eCos OS on their System On Chip (SOC) designs.

Transvirtual Integrates Jabber Into PocketLinux Platform. Jabber.com, Inc. is the developer of Jabber, an open source XML-based instant messaging system. Transvirtual Technologies, Inc. is the developer of PocketLinux, an embedded distribution. LWN looked at PocketLinux running on the Compaq iPAQ color palmtop at Comdex, last November. We were impressed by the WAP-XML based multimedia applications that were running with the Jabber protocol. Now Jabber.com has announced that Transvirtual Technologies, Inc. has completed their integration of the Jabber instant messaging system into the PocketLinux Platform. Yet another cool application running on a handheld device.

Loki's game gets a review. Loki's Myth II: Soulblighter is examined in this selection of video and computer game reviews. "The sequel to 1997's acclaimed Myth: The Fallen Lords brings a rich, 3-D experience to Linux war games. The folks at Loki have set out to prove the Linux 2.x kernel and glibc2 can render special effects that rival anything seen on Windows. And they achieve their goal with verve."

IDG's Network World Names Industry's Most Influential Companies, Players and Trends.
Eric Raymond made it into the list of the 25 most powerful executives in Networking, according to Network World, based on his role as President of the Open Source Initiative. The link provided is just to the press release; the full coverage is likely only available in the print magazine, at least for now.

Press Releases:

Open Source Products

Unless specified, license is unverified.
Proprietary Products for Linux
Products and Services Using Linux
Products with Linux Versions
Books and Training
Partnerships
Financial Results
Personnel
Linux At Work
Other
Section Editor: Rebecca Sobol.
Linux in the news

Recommended Reading

Open Source and 'Sexy' Projects (osOpinion). What makes an application "sexy"? This osOpinion piece gives some answers. "Some hackers are writing an open source Cobol, something I never expected would happen (I have a January 1993 copy of the GNU's Bulletin, pg. 11, quote: "...but no one has volunteered to do Cobol yet."). People are building an open source Delphi community -- and Delphi is a development of Pascal, a wonderful learner's language, but with limitations for serious work."

Companies

Birth of a new Embedded Linux company (LinuxDevices). Tuxia in Augsburg, Germany launched itself into the Embedded Linux market. "Tuxia's initial Embedded Linux product family, expected to become available early in 2001, is a software suite called "TASTE" (which stands for Tuxia Appliance Synthesis Technology Enabled). TASTE derives from Infomatec's JNT Internet appliance oriented Embedded Linux technology."

E-smith Launches Partner Program (ZDNet). ZDNet reports on e-smith's partner program. "E-smith targets small businesses 5 to 100 users with its Linux wares. Local and regional integrators and resellers as well as system builders represent the company's primary channel to reach that customer set. E-smith's partner program initially has signed up 19 companies."

Open source stalwart Sendmail looks to wireless for profits (Upside). Here's an article in Upside looking at Sendmail's acquisition of Nascent Technologies. "Sendmail, you'll remember, was the first open source to win backing by major investors way back in 1998 when it secured a $6 million round of financing from the Silicon Valley investment group Band of Angels."

Business

Linux: A Contender for The Enterprise Market (DB2). DB2 Magazine has taken a look at Linux as a contender in the Enterprise Market. After examining the reasons for choosing Linux, they move on, not too surprisingly, to talking about the combination of Linux and DB2.
"For a true test of the installation process, I went to a local college and recruited a student who was completely new to Linux and databases. I handed him all the necessary how-to information and asked him to come by my computer lab when he thought he could install Linux and DB2. When he stopped by that evening, I set up the same two systems and had him install Red Hat 6.1, which took about 30 minutes, and then the DB2 database on both Red Hat boxes. It took him longer to fill in his information and download the source code from IBM than it took for him to install and configure the DB2 database on the Linux box. If that isn't ease of use, I don't know what is." Also from DB2 Magazine: Serving Up Linux, with details on the beta version of IBM's DB2 Universal Database Enterprise-Extended Edition (DB2 UDB EEE) for Linux. (Thanks to Cesar A. K. Grossmann). The year for open source (Upside). Upside names the year 2000 as the "Year for Open Source" in a two part series covering the first half and second half of the year. "Gone is the talk about changing the software industry as we know it. In its place stands a familiar set of the goals: earning money, building market share, maximizing shareholder return and, of course, keeping an even keel in case this New Economy thing was everything it was made out to be three years ago." Linux companies beat Microsoft in Itanium support (News.com). C|Net's News.com reports on Linux beating Windows to the Itanium punch. "Itanium is scheduled to ship in the first half of 2001, but a new version of Windows tailored for the chip won't arrive until the second half, Intel and Microsoft representatives said. Meanwhile, compatible production versions of Linux from Red Hat, Turbolinux and Caldera Systems are scheduled to debut at the same time as the chip itself, the Linux companies said." ResourcesLinux Laptop SuperGuide (ZDNet). 
The staff at the Linux Hardware Database have put together the ultimate guide to finding the perfect Linux laptop. ReviewsHelix Gnome: Linux on the Desktop, Part 1 (Computer Source). The Helix Gnome installer and basic features are examined in this article from Computer Source Magazine. "This is an impressive desktop. The icons are beautiful, and the menus are well-coordinated. Although the default color scheme was pleasing, I was able after a few minutes to choose an alternative one I liked better. The menus, except for the inclusion of no less than five text editors/word processors, was complete and yet not overbearing." A Sneak Preview of Emacs 21.0 (LinuxPlanet). LinuxPlanet plays with an emacs 21.0 prerelease. "On starting the program up, I immediately understood where the rumors of Emacs' GNOMEification had come from: where the program used to present a very sparse, black and white window with simple, unadorned, menus it now has a toolbar providing a set of basic buttons familiar to anyone who's ever used GNOME or a GTK app. The splash screen, I also noticed, showed something besides fixed-width fonts for a change: Emacs has support for scaled, proportional fonts." MiscellaneousLinux is too much (ZDNet). Here's a ZDNet opinion piece claiming that Linux is too big and too complicated. "Does the average user really need a bunch of terminal apps, several hex editors, a mail and Web server, and a bevy of compilers? Heck, the average developer doesn't even need all that." Instant Messaging on GNU/Linux (Linux Orbit). John Gowin from Linux Orbit writes about various Instant Messaging programs for Linux. "In this article series, we're going to take a look at some of the IM clients available for GNU/Linux and rate them. Were also going to look at some of the new universal clients available for GNU/Linux that let you use AOL, MSN, Yahoo and ICQ all at the same time, with only one client. 
In Part 1 of this series, we'll look at the AOL IM service and the Linux clients available." Their gain, your pain (ZDNet). ZDNet's Evan Leibovitch looks at "Open licensing" schemes. "So what is an 'open license'? The term apparently evolved from what most folks refer to as volume purchasing: buying software licenses in bulk without the extra boxes and CD-ROMs. With an open license, instead of all that packaging, all you need to keep track of are license numbers or unlocking keycodes - and those can even be delivered by e-mail." Section Editor: Forrest Cook |
December 28, 2000
Announcements

Events

Richard Stallman visits MandrakeSoft. Here's a report on Richard Stallman's talk at MandrakeSoft on the Linux-Mandrake forum site. "Stallman finished the 'serious part' of his speech by stating that 'freedom isn't granted, we have to fight for it', and 'Battle isn't won yet, it's only beginning', and asking for our help - primarily in helping the FSF to reach as many GNU/Linux users as possible, and evangelising the 'freedom of software' whenever possible."

Open Source and Free Software Developers' European Meeting. The OSDEM is happening February 3 - 4, 2001 at the Universite Libre De Bruxelles. The web site has been recently updated and contains all the info you need about schedules, topics, speakers, sponsors, sign ups and more.

linux.conf.au. Here's the latest news on linux.conf.au in Sydney, Australia, January 17 - 20, 2001. This announcement includes the list of speakers and other important information for attendees. "Readers in Australia, New Zealand and elsewhere had better make sure to arrange their travel and be sure to bring adequate sunscreen and beachwear. The weather at nearby Coogee Beach has been brilliant recently!"

December/January/February events. Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

User Group News

LUG Events: December 28 - January 11, 2001.
Software Announcements

Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:
Our software announcements are provided courtesy of FreshMeat
Linux Links of the Week

The as-yet undelivered stable Linux 2.4 kernel made #4 on Wired's Vaporware 2000, along with a mention of Linux-based organizers. Honors were shared with the Y2K bug, Microsoft's .NET strategy, wireless web pads, Bluetooth and Mac OS X, which got the top, or to be more accurate, the bottom honors.
Section Editor: Forrest Cook
This week in history

Two years ago: The LWN staff took a much needed break.

One year ago (December 30, 1999 LWN): LWN took a close look at the LinuxOne amended S-1 filing, and noted some suspicious claims within. Despite the large wave of Linux based IPOs going on at the time, that one failed to materialize. The development kernel was version 2.3.35 and the stable kernel was still version 2.2.13, but the fix of a major IDE bug would allow version 2.2.14 to move forward. Support for the IBM S/390 was to be included in version 2.2.14. The inclusion of the kernel based web server, khttpd, was debated. The discussion centered on whether adding the complexity of a web server to the kernel was justifiable, even if it produced an incredibly fast web server. Tiny Linux, intended for small, obsolete computers, was released. Version 1.0 came out in April, 2000 and the project is still active. LWN mentioned a Salon article that questioned the stability of the Linux and dot com stock market frenzy: "Sooner or later, dot-com mania must be headed for a fall -- whenever you see this many lemmings gathered together in one place, you just know a steep cliff has got to be nearby. Could the rush to invest in companies which base their business models on free software be the last straw? Certainly, many observers who have long looked askance at the last few years of Internet insanity have seized upon the VA Linux IPO as just the latest, freakiest example of how crazy things are getting." Last, but not least, the dark gloom of impending disaster loomed heavily over sys-admins and programmers everywhere, just a few hours until all hell would break loose due to zillions of unfixed Y2K Bugs. All of the advance work paid off and computers all around the world sailed smoothly into year 19100.
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 21 Dec 2000 00:43:31 -0800 (PST)
From: Matt Dillon <dillon@earth.backplane.com>
To: letters@lwn.net
Subject: Yet more on Elevator algorithms and write ordering

I'm afraid there is considerable confusion over write ordering in a filesystem. The confusion stems from an assumption that dependent operations are queued to the disk device all together. This assumption is not true of FFS with softupdates. FFS with softupdates turned on will queue all *NON* dependent buffers to disk all at once and doesn't care in the least whether the kernel, the disk device, or the physical disk itself reorders the writes. Dependent buffers are not queued until non-dependent buffers have completed their I/O's. FFS without softupdates will use synchronous writes where necessary to (try to) ensure that dependent buffers are not queued until after such I/O's have completed. EXT2FS is roughly similar to FFS.

However, both EXT2FS and FFS (without softupdates) have cases related to directories, inodes, and file blocks where *NO* write ordering is correct even if you do things synchronously. Filesystems are more complex than they seem. Softupdates deals with these interdependent cases by actually unrolling portions of the buffers when writing them to disk to guarantee consistency on-disk, allowing it to operate almost completely asynchronously without endangering the filesystem. A log-structured filesystem deals with such cases by writing a sequential log, but there is nothing preventing even a log structured filesystem from writing a bunch of log blocks in random order as long as it doesn't try to recover past any holes created due to a crash or commit the file structure until after the (asynchronous) log block I/O has completed.

What this means is that a kernel, disk device, and physical disk should be allowed to reorder blocks however they please. It is up to the filesystem code to handle dependent operations.

-Matt
Date: Thu, 21 Dec 2000 10:44:44 +0000
From: Edmund GRIMLEY EVANS <edmundo@rano.org>
To: letters@lwn.net
Subject: problems in /tmp

You'll probably get a lot of letters like this one ...

http://lwn.net/2000/1221/security.php3:

> Into this model was introduced /tmp, a shared directory to which
> anyone had write privileges and the ability to delete files created by
> other users.

Since it is amazing how many otherwise experienced people don't know about the "sticky bit" on directories, you really should have mentioned here that /tmp is usually created with permissions 1777, which means it is "append-only": you can't delete other people's files.

This would also have been a good place to educate some of your readers about what exactly the "problems in /tmp" are. AFAIK, the main problem is a "symlink attack": if an attacker can guess that a program might open the file /tmp/foo for writing, they can create a symbolic link from /tmp/foo to /etc/passwd, say. If the program is running as root, it overwrites the password file, unless the program was clever enough to use O_EXCL, but even then, there may be a possibility for a denial-of-service attack. See the man pages for mktemp and mkstemp.

On SCO UnixWare a brute-force solution to this problem is used: the kernel does not allow symbolic links to be created in a directory with the sticky bit set which does not belong to the caller. I don't know of any legitimate applications that require symbolic links in /tmp, so this solution should perhaps be considered as an option for Linux.

Edmund
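The symlink attack Edmund describes, together with the O_EXCL and mkstemp(3) defences he names, as an added example; this code is not from the letter or from LWN. It stages the attack inside a private scratch directory created with mkdtemp(3), with made-up file names ("foo" standing in for /tmp/foo, "passwd" standing in for /etc/passwd), so nothing real in /tmp is touched:

```c
/*
 * Added example, not from the letter or from LWN.  Shows what happens
 * when a program opens a guessable name in a shared directory that an
 * attacker has already replaced with a symlink, and what O_EXCL and
 * mkstemp() do about it.  All paths are inside a fresh scratch
 * directory; the names "foo" and "passwd" are stand-ins chosen here.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed sample "password file" content for the victim. */
#define VICTIM_CONTENT "root:x:0:0:root:/root:/bin/sh\n"

/* Outcomes OR'ed together by demo_symlink_attack(). */
enum {
    UNSAFE_FOLLOWED_LINK = 1, /* O_CREAT|O_TRUNC clobbered the victim */
    EXCL_REFUSED         = 2, /* O_CREAT|O_EXCL failed with EEXIST   */
    MKSTEMP_FRESH_FILE   = 4  /* mkstemp() gave a new private file   */
};

/* Make a scratch directory under $TMPDIR, /tmp or the cwd. */
static int make_scratch(char *buf, size_t len)
{
    const char *bases[] = { getenv("TMPDIR"), "/tmp", "." };
    for (size_t i = 0; i < 3; i++) {
        if (!bases[i]) continue;
        snprintf(buf, len, "%s/tmpdemo.XXXXXX", bases[i]);
        if (mkdtemp(buf)) return 0;
    }
    return -1;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int demo_symlink_attack(void)
{
    char dir[256], victim[512], link[512], tmpl[512];
    int result = 0, fd;

    if (make_scratch(dir, sizeof dir) != 0) return -1;
    snprintf(victim, sizeof victim, "%s/passwd", dir); /* plays /etc/passwd */
    snprintf(link, sizeof link, "%s/foo", dir);        /* plays /tmp/foo    */

    /* Victim file with known, non-empty content. */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (write(fd, VICTIM_CONTENT, strlen(VICTIM_CONTENT)) < 0) return -1;
    close(fd);

    /* Attacker plants the symlink before the privileged program runs. */
    if (symlink(victim, link) != 0) return -1;

    /* 1. Naive program: open(2) follows the link and truncates the victim. */
    fd = open(link, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        close(fd);
        if (file_size(victim) == 0) result |= UNSAFE_FOLLOWED_LINK;
    }

    /* 2. O_EXCL: creation must be atomic, so an existing name (a symlink
     *    included) makes open fail with EEXIST and nothing is followed.
     *    The attacker can still keep the name occupied: the DoS Edmund
     *    mentions. */
    fd = open(link, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 && errno == EEXIST) result |= EXCL_REFUSED;
    else if (fd >= 0) close(fd);

    /* 3. mkstemp(): unpredictable name plus O_CREAT|O_EXCL, so the name
     *    can be neither guessed nor pre-occupied. */
    snprintf(tmpl, sizeof tmpl, "%s/prog.XXXXXX", dir);
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1)
            result |= MKSTEMP_FRESH_FILE;
        close(fd);
        unlink(tmpl);
    }

    unlink(link); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("naive open followed the symlink: %s\n", (r & UNSAFE_FOLLOWED_LINK) ? "yes" : "no");
    printf("O_EXCL refused the existing name: %s\n", (r & EXCL_REFUSED) ? "yes" : "no");
    printf("mkstemp created a fresh file:     %s\n", (r & MKSTEMP_FRESH_FILE) ? "yes" : "no");
    return 0;
}
```

On a normal Linux or BSD system demo_symlink_attack() returns all three flags: the O_CREAT|O_TRUNC open empties the victim through the link, the O_CREAT|O_EXCL open fails with EEXIST, and mkstemp() returns a descriptor on a brand-new file the attacker had no name to pre-create. The O_EXCL variant still illustrates the denial of service Edmund mentions, since an attacker who keeps the fixed name occupied keeps the program from ever creating it; the unpredictable name from mkstemp() is what removes that. Linux additionally offers O_NOFOLLOW on open(2) for programs that cannot avoid a fixed name.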
Date: Thu, 21 Dec 2000 11:09:18 +0000 (GMT)
From: Joey Maier <maierj@home.com>
To: lwn@lwn.net
Subject: to: Liz Coolbaugh

Hi Liz,

First off, thanks for the good work. You do a great job with the security page at LWN. I especially like your editorializing of bugtraq threads...this week's comments on the /tmp discussion is a great example. I stopped following the thread (and the offshoots from it) after the first few posts seemed to say the same thing. If you hadn't linked to it in LWN, this would have caused me to miss Kris Kennaway's post. Anyway, I really like your work, and I appreciate the fact that you don't snub OpenBSD users ;-)

WRT the Kaspersky Lab virus review, you said:

> ...or, perhaps, it's the fact that it takes a little more than
> a bogus email attachment in the Linux environment...?

I suspect that you made the above comment because the email attachment can only run in the context of the user reading the mail, and that user should not be root. While this is correct, it simply means that malware is limited in the amount of damage that it can do to the system configuration. A malicious program in a unix environment could still destroy all of the files of the user. Most corporate environments have decent backup policies for end users, but home users typically don't back up files as often as they should, and a piece of malware that destroyed local user files could be very nasty for them.

It is also important to note the increase in the tendency for unix desktop users to prefer HTML-rendering mail clients. Many of these clients - especially the ones that are incorporated into a browser - may have active scripting vulnerabilities that could allow manipulation or deletion of the user's local files.

I suspect that the reason we have not seen more email-borne malware in the unix environment is not due to the slightly limited scope of the damage that can be done. (Loss of data can be enough of a problem, even if the system configuration is unharmed.)
Instead, I suspect that the currently heterogeneous use of email clients makes it more difficult to write a virus that will affect a large number of people in the way the Outlook-dominated Windows platform can be affected. If the *nix world starts to be predominated by a single email client, it will start to attract malware authors. This is especially true if the client is HTML/active scripting aware. Unfortunately, no one seems to be taking this seriously, and I have not seen any viable solutions offered.

--
"When you understand UNIX, you will understand the world. When you understand NT....you will understand NT" - Richard Thieme
http://www.slothnet.com - is currently unavailable :(
Date: Thu, 21 Dec 2000 11:13:20 -0500
From: Joe Louderback <jlouder@wfu.edu>
To: letters@lwn.net
Subject: Defamation of Fortran

In this forum Mr. Kastrup took Linus Torvalds to task for incorrectly claiming arrays in Pascal start at 1. He then wrote, "Most probably Mr. Torvalds is confusing Pascal with Fortran which indeed has its arrays starting at 1."

Ahem.

      real atone(50)
      integer atminusthree(-3:50)
      logical atsix(6:50)

Joe Louderback, itinerant physicist and occasional Fortran programmer
Date: Tue, 26 Dec 2000 13:04:42 -0800
From: Davina Armstrong <davina@lickey.com>
To: letters@lwn.net
Subject: Rick Collette's "petition" to British Telecom

I was very interested in your coverage of British Telecom's patent infringement lawsuit against Prodigy (LWN 12/21/00). I happily clicked on the link to Rick Collette's "petition" to British Telecom, thereby myself infringing upon their patent (or at least contributing to your infringement). I was anxious to add my signature to what I assumed would be a petition to British Telecom urging them to drop their absurd lawsuit. Instead, I found the following:

"British Telecom is claiming they own the rights to the Hyperlink. That's saying that everything you click on a website, the method used to bring you from one page to another, belongs to them. They are currently suing Prodigy for this, and it's only going to worsen. We must stand up and put a stop to this craziness. The signatures collected here will be sent to the Linux Journal, deepLINUX, MSN, and any other media outlet that I can think of."

This is *not*, in fact, a petition. This is merely a statement of fact. Why would anyone sign it? Webster's Dictionary defines a petition as "1 a solemn, earnest supplication or request to a superior or deity or to a person or group in authority; prayer or entreaty" OR "2 a formal writing or document embodying such a request, addressed to a specific person or group and often signed by a number of petitioners". This "petition" is not addressed to British Telecom and does not actually make any request. When someone starts a real petition to British Telecom about this issue, I will be more than happy to add my signature to it.

Regards,
Davina Armstrong