Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise
news for all interests
Leading items and editorials

The RTLinux patent is back in the news. LWN first covered this patent in the February 10, 2000 issue, and revisited it in the context of the rivalry between RTLinux and RTAI in the September 14, 2000 weekly edition. Since then, Victor Yodaiken (the patent holder) has issued a new license for the use of the patent; not everybody is happy about the terms found therein. Our coverage will come in two parts; this article looks at the patent and the associated license; the following one will look at the implications of the new license.

The patent itself is relatively simple as these things go. It covers the particular method used by RTLinux to achieve real time performance. Two techniques are called out as the core of what RTLinux does:
As things stand now, if you have a real-time system that uses the above techniques, you are subject to Mr. Yodaiken's patent - at least, in the United States. So the patent license may just be of interest. The license allows for royalty-free use of the patented technology in two situations. They are:
Anybody who uses the RTLinux technology is required to send a message to FSMLabs giving their contact information and indicating agreement with the terms of the license. Anybody who makes commercial use of the patented technology, or makes a commercial distribution of software that uses that technology, is required to keep "complete and accurate records" and to make them available to FSMLabs on demand. Any use of the technology must also include labeling that says "Used, under license, U.S. Patent No. 5,995,745," and must include a copy of the license itself. Failure to comply with any of the above can result in the termination of the ability to use the technology.

For more information on the patent and licensing terms, see this article on LinuxDevices.com by Jerry Epplin.

What are the implications of the RTLinux patent and its license? There are a few aspects of this issue that are worth looking at.

What is Victor Yodaiken attempting to do with this patent? Mr. Yodaiken was kind enough to talk with us while waiting for a dentist appointment (some things are even less appealing than talking to the press). His position is that he has made an innovation that he has a right to exploit. Nonetheless, he wishes to make it freely available to anybody who is working with code licensed under the GPL. He sees this as a fulfillment of his obligation to the free software community.

Those who want to use the RTLinux method and do not want to license their code under the GPL are, according to Mr. Yodaiken, doing proprietary work. Such people should be both willing and able to pay for the previous proprietary work (such as the RTLinux patent) that they make use of. He sees people who wish to use RTLinux in proprietary products without paying as would-be free riders, and sees no justification for any complaints that they might make.
The only reasons to be upset about the RTLinux patent, he says, are (1) you are absolutely opposed to software patents in general, or (2) you want to do proprietary work without paying. Mr. Yodaiken expresses respect for those who are opposed to software patents (while disagreeing with them), but has little patience for those who wish to make money off other people's work. A concise statement of his position may be found in this posting to the realtime list:

"In summary: my opinion is that I owe the GPL community a license to use the RTLinux method for GPL code. And I owe RTLinux users a license to use RTLinux. I don't see any reason why I must otherwise subsidize other people's proprietary software projects."
Next question: what does this patent mean for RTAI? RTAI is a competing real-time Linux project headed up by Paolo Mantegazza in Milan, Italy. It differs from RTLinux in numerous ways, but uses the same fundamental technique as RTLinux. It is, thus, arguably subject to the RTLinux patent.

RTAI could offer no end of difficulties with regard to this patent. It is licensed under the LGPL, not the GPL. There are companies that have an interest in making proprietary products with RTAI; Lineo, for example, is an RTAI supporter. RTAI does not acknowledge the RTLinux patent, and it is unlikely that many RTAI users have sent in their acceptance messages.

Relations between RTLinux and RTAI, and especially between Mr. Yodaiken and Mr. Mantegazza, have always been rather tense. Each side claims the better technology, while simultaneously complaining that ideas and code have been stolen by the other. Some RTAI users have feared for some time that the real purpose of the RTLinux patent was to shut down the competition.

Certainly the RTAI camp does not intend to change much in recognition of this patent. LWN had a conversation with Mr. Mantegazza, and he was quite clear on what he thought: "Mr. Yodaiken has only been allowed to patent air, but air has been around forever with nobody thinking to patent it." When asked if RTAI users should register with FSMLabs and indicate their acceptance of the patent license, he responded:

"Not in your dreams, they should act as if there were nothing there.... RTAI will continue as if the patent did not exist. Remember that the patent is valid only in the USA, and the USA is not the world. Plus...the patent could also vanish like a soap bubble at the first legal test."
From Italy, that is an easy position to take. Companies in the U.S., however, may need to be more careful. We asked Lineo how it plans to handle this issue. The company is not talking much about it, but we did hear from Ryan Tibbits, Lineo's general counsel: "Lineo questions the validity of the patent, especially in the spirit of the open source community."

Mr. Yodaiken has long avoided committing himself on exactly what the status of RTAI is. Talking with LWN, he stated that he welcomes competing projects that take his GPL code and explore new paths, and that those using RTAI with GPL code need not worry about their right to do so. With regard to whether RTAI users need to accept the patent license and register, he responded:

"As of the current moment, individual users need to determine whether they are using the RTLinux process and whether they need to register. Questions can be sent to licensequestions@fsmlabs.com"

Not the clearest of answers. But Mr. Yodaiken has stated that he has no wish to cause trouble for RTAI, and hopes to come to an "amicable settlement."

Finally: what does this whole situation imply for the free software industry? As free software companies cast around looking for reliable ways to make money, it would not be surprising to see more of them turning to the sorts of intellectual property protection that this community has traditionally disliked. The free software industry, thus far, has been refreshingly different from the intellectual property driven proprietary world, and it will be discouraging if proprietary techniques and code make a comeback. That is not the "revolution" we were hoping to see.

This episode could also have an immediate effect on the adoption of free software: companies looking at real-time platforms may decide that the situation looks too messy and pass over Linux altogether.
There are several well established, proprietary real-time solutions available; if RTAI is under a patent cloud and RTLinux is, itself, proprietary, why not look at the whole range of options? It is not inconceivable that this patent could relegate Linux to a very small role in the hard real-time sector.

LWN has long held that software patents are damaging and best done without. It remains to be seen if this particular patent turns out to be a problem or not; its owner does appear to be sincere in his desire not to cause problems for (pure) GPL applications. But the mixture of software patents and free software can only lead to software that is less free; this is not an example that we would like to see repeated.

Interview: David Sifry. While at LinuxWorld, LWN editor Michael J. Hammel interviewed David Sifry, CTO and co-founder of Linuxcare. The discussion wandered over a large range of topics, including the troubles Linuxcare has experienced over the last year, the company's plans for the future and the merger with Turbolinux, the Linux Standard Base, and more.

Feature: a look at djbdns. Last week's LWN weekly edition makes the point that the net needs free alternatives to BIND. A number of users of the djbdns DNS server complained (politely) that our overview did not do justice to that package, which they see as a viable alternative to BIND. It turns out they were right. In an effort to set things straight, we put together a detailed look at djbdns as a separate feature article. Therein we examine the design of djbdns and conclude that it may well be ready to challenge BIND, though some other factors may limit its adoption.

Inside this week's Linux Weekly News:
This Week's LWN was brought to you by:
February 15, 2001
Security

News and Editorials

SSH Communications opens SSH trademark issue. This week, Tatu Ylonen opened up a trademark issue involving the terms "ssh" and "secure shell". He sent notes out to two public mailing lists, including this note, posted to the openssh-unix-dev@mindrot.org development list, and this note to BugTraq. In them, he requests that the OpenSSH and ScanSSH projects cease to use the string "SSH" as part of their product names.
[Editor note: We have confirmed that the second posting was sent to BugTraq, but rejected by the moderator due to lack of relevance. ScanSSH author Niels Provos reports he never received a copy of the note before it was posted publicly to NewsForge. He also stated that ScanSSH was created in September of 2000 in order to allow an assessment of the adoption rate of the SSH 2 protocol and he was never made aware of any IP issue at the time.]

You'll find additional coverage and reader postings on this issue on both Slashdot and LinuxToday. In addition, you'll find letters to the editor on the topic already in this week's Letters to the Editor section.

Two opposed viewpoints are represented in these community exchanges. On one hand, many people consider Tatu's notes to have been politely worded and are sympathetic with confusion caused by multiple products containing the word "SSH". They feel his request for name changes is reasonable and have already moved forward to suggesting alternatives (SHH, FRESH, ESH, Secure Telnet, ...).

On the other hand, many people don't consider the name change request reasonable, regardless of the wording (and the politeness of the wording can be argued if you look at statements like, "OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols", which is not particularly polite, nor necessarily accurate). The arguments on their side include:
So which is it? A reasonable request that ought to be granted to prevent legal wrangles? Or an unreasonable attempt to punish well-founded competing projects by restricting them from using the name of the protocol that they implement in their products? For the good of the community, we, of course, would rather see some compromise between these two positions that would result in all of us ceasing to wrangle about it and getting a chance to move on with developing better software and improving security. The search for such a compromise is difficult, though, given the strong emotional reactions that are cropping up on both sides, at least initially. So let's look at a couple of possible scenarios and their long-term impact.
Standards are developed in order to produce interoperability and foster competition. Trade-marking the name of the standard is simply incompatible with those goals.

Fixes for XFree86 vulnerabilities show up from Debian. XFree86 security issues were a common theme throughout the year 2000. Unfortunately, distribution updates fixing such problems had a tendency to show up late, if ever. For example, in October, 2000, we discussed a list of XFree86 security issues, many of them reported by Chris Evans. Between then and now, we've only reported one distribution update in response to that extensive report. It was from Conectiva and only addressed one of the security problems.

This week, Debian has come out with their XFree86 security update. It addresses twelve XFree86 security issues in XFree86 3.3.6 reported by "Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox, and others". The fixes are also authored by a numerous and well-known group, "including Aaron Campbell, Paulo Cesar Pereira de Andrade, Keith Packard, David Dawes, Matthieu Herrb, Trevor Johnson, Colin Phipps, and Branden Robinson". The massive size of this set of fixes gives some glimpse into the question as to why distributions have been so slow in getting updates out. Nonetheless, with the release of the Debian updates, it is to be hoped that updates from other distributions will follow much more quickly.

This week's updates:

Security Reports

ssh daemon remotely-exploitable integer overflow. A remotely-exploitable integer overflow was reported this week in ssh daemons that include deattack.c. This includes SSH Communications' ssh 1.2.24 and later (but not their ssh 2.X products) and versions of OpenSSH prior to 2.3.0. This vulnerability can lead to a remote attacker executing arbitrary code locally under the uid of the ssh daemon (usually root). OpenSSH users are encouraged to upgrade immediately to 2.3.0.
Users of SSH Communications' ssh daemon are encouraged to upgrade to SSH Communications SSH 2.4 (with ssh1 support disabled).

This week's updates:

Multiple Linux kernel 2.2 and 2.4 vulnerabilities. Caldera Systems issued an advisory this week reporting two security problems affecting both the Linux 2.2 and 2.4 kernel trees. The first vulnerability allows large parts of Linux kernel memory to be read by passing a negative offset to sysctl. The second vulnerability is a race condition where ptrace is attached to a setuid program and used to modify that program.

Following this report, Red Hat issued their advisory, which included their fixes for the sysctl and ptrace problems, as well as a fix for an unspecified vulnerability specific to the Pentium III patch. Note that the Red Hat advisory credits Solar Designer for discovering the sysctl bug, but this is incorrect. Solar Designer posted a note stating that Chris Evans discovered and reported the sysctl bug. The security fixes for sysctl and ptrace have been integrated into 2.2.19pre9; the Pentium III bug only affects the 2.2 kernel series if the Pentium III patches have been applied. Linux 2.4 was not vulnerable to the ptrace issue. Fixes for the sysctl and Pentium III bugs have been integrated into the -ac development tree.

This week's updates:

ja-xklock local root compromise. FreeBSD reported a local root compromise in ja-xklock, a "localized" xlock clone which is part of the FreeBSD ports. ja-xklock does not appear to be popular under Linux, but may show up on other BSD systems.

mars_nwe potential remote root compromise. FreeBSD reported a potential remote root compromise in their mars_nwe port, due to a format string vulnerability. Mars_nwe is a Novell Netware server emulator. This vulnerability is not specific to FreeBSD.

elvis-clone exploitable buffer overflow. A remote root compromise is possible due to an exploitable buffer overflow in two elvis-clones in FreeBSD, ja-elvis and ko-helvis.
The buffer overflow was found in the elvrec utility, as a result of an internal audit. This vulnerability is not specific to FreeBSD.

dc20ctrl locally-exploitable buffer overflow. dc20ctrl, a program for controlling Kodak DC20 digital cameras, contains a buffer overflow that can be exploited locally, reports FreeBSD. The overflow can be exploited to gain access to the serial port devices on FreeBSD; however, the program itself is not specific to FreeBSD.

FreeBSD-specific advisories. FreeBSD released the following advisories this week for vulnerabilities specific to FreeBSD:
m4 buffer overflow. A buffer overflow in m4 has been reported and confirmed on Slackware 7.1.0 and Red Hat 6.1. Oddly enough, there has been no follow-up to these reports and no update to m4 has been published.

LICQ/GnomeICU denial-of-service vulnerability. Sending an RTF (Rich Text Format) file to LICQ or GnomeICU on a target computer will crash the application, reports No Strezzz Cazzz. Both are applications that support ICQ-based communications. No updates to LICQ have been published. GnomeICU 0.95.1 and 0.95.2 have been released, but the descriptions of these updates do not indicate whether or not this problem has been solved.

Note that a similar problem was reported in kicq and a patch for it has been released.

MySQL buffer overrun. MySQL version 3.23.33 was released this week and contains a fix for two buffer overruns, one in the libmysqlclient library and the other in DROP DATABASE.

Web scripts. The following Web scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

SSH protocol 1.5 key session recovery vulnerability. Check last week's LWN Security Summary for the initial report.

Note that our original coverage contained errors due to our incorrect interpretation of the original advisory. We reported that OpenSSH 2.3.0 and earlier were vulnerable (in addition to ssh1.2.31 and earlier), because a patch to correct the problem had been introduced into the OpenSSH tree. We received feedback this week from Theo de Raadt, Iván Arce and Markus Friedl correcting that impression. In fact, OpenSSH 2.2.0 and later are not exploitable via this vulnerability. The maximum number of concurrent unauthenticated connections is automatically defaulted to 10 and random early drop can also be enabled.

Multiple vulnerabilities in bind 8.2.2 and bind 4. Check the February 1st LWN Security Summary for the initial reports. Bind 8.2.3 contains fixes for the problems with 8.2.2. Bind 4 fixes are also available, but an upgrade to bind 8 or even bind 9 is generally considered a preferable approach.

This week's updates:

Previous updates:
Multiple vulnerabilities in ProFTPD. Check the February 8th, 2001 LWN Security Summary for details. ProFTPD 1.2.0rc3 contains fixes for all the above problems.

This week's updates:

Previous updates:
man -l format string vulnerability. Check the February 8th LWN Security Summary for details. Note that only distributions with a man command that supports the "-l" option are affected. This would include SuSE, Debian and distributions derived from them.

This week's updates:

Secure Locate buffer overflow. Check the November 30th, 2000 LWN Security Summary for the original report of this problem.

This week's updates:

Previous updates:
Netscape 4.75 buffer overflow. First spotted via this FreeBSD advisory and reported on November 9th, a buffer overflow in Netscape 4.75 enables a client-side exploit. Check the November 9th LWN Security Summary for our original report. Netscape 4.76, which was released on October 24th, fixes the problem.

This week's updates:

Previous updates:
Resources

ScanSSH. Niels Provos has released a protocol scanner, currently named ScanSSH, which can be used to help find vulnerable SSH daemons so they can be upgraded quickly.

Ramenfind 0.4. A new version of the Ramenfind script was released this week. It handles a new Ramen variant that showed up this past week. That should also be a reminder to everyone to apply your security updates, the best way to protect against the Ramen worm.

Events

Call for Papers: New Security Paradigms Workshop (NSPW). Crispin Cowan sent out the Call-For-Papers for this year's New Security Paradigms Workshop, which is being held September 11th through the 14th, 2001, in Cloudcroft, New Mexico, USA. "In order to preserve the small, focused nature of the workshop, participation is limited to authors of accepted papers and conference organizers. Because we expect new paradigms we accept wide-ranging topics in information security. Any paper that presents a significant shift in thinking about difficult security issues or builds on a previous shift is welcomed."

Upcoming security events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
Kernel development

The current kernel release is still 2.4.1. Linus's 2.4.2 prepatch is up to 2.4.2pre3; there is, as he put it, "nothing too radical" there. 2.4.2pre2 had been a bit more radical, however, with the addition of support for an entirely new architecture: a port to the Axis ETRAX 100LX embedded network CPU. Alan Cox, meanwhile, is up to 2.4.1ac13; this patch contains much more stuff.

On the 2.2 front, work toward the 2.2.19 release continues with 2.2.19pre12. There has been no word on when the stable release might happen.

Zero-copy networking encounters the powder rule. David Miller has released yet another version of his zero-copy networking patch. He claims to be happy with this one: there are "no known bugs" at this point. There does remain, however, a performance penalty for normal network writes that do not use the zero-copy mechanism; that is something they plan to work on in the future.

For the moment, however, David has invoked the "powder rule": six feet (just under 2m for you non-US folks) of new snow at Lake Tahoe means that not much work is going to get done for a while. All is not lost, however; David will be taking his laptop and working on the code when the lifts are not running...

Cool tool: User-mode Linux. A useful tool which has been around for a while now, but which, perhaps, has not received the attention it should is User-mode Linux. This package, which goes by the acronym UML (despite the possibility of confusion with the Unified Modeling Language known to object-oriented designers), should be in the toolkit of just about anybody who likes to play with kernels or with the Linux system in general.

UML, technically, is a port of the Linux kernel to a new architecture. Most ports move the kernel to a new processor; the UML port, instead, uses the Linux system call interface as its "instruction set." Thus, the UML kernel will run underneath an existing Linux kernel.
It runs as a set of user processes, and pops up one or more xterm windows as its virtual consoles. Its "disk drives" map to files on the filesystem. Why is this interesting? Consider some of the things that can be done with User-mode Linux:
UML in its current form still has some limitations. It cannot, for example, simulate a multiprocessor system - a feature that would be nice for many developers. There is also no way, currently, to give a UML kernel controlled access to a real device on the host system, meaning that UML is still not all that useful for developing device drivers. UML developer Jeff Dike tells us that both of these capabilities are on the wishlist, with SMP simulation being at the top.

Currently, UML exists as a separate patch to the Linux kernel. The word is that both Linus and Alan Cox would like to see it added to the mainline kernel tree, however. Mr. Dike hopes to see it go into 2.4 before the next development series starts. As a separate "architecture," UML should be relatively easy to add, even to a stable kernel series, without creating problems.

IBM open-sources Mwave modem driver. The IBM Mwave ACP modem page shows that, as of today, the driver for these "WinModems" is now available under the GPL. This modem is used in IBM ThinkPad 600E systems. It's taken a long time, but WinModems are increasingly supported devices on Linux. (Thanks to Thomas Hood).

Other patches and updates released this week include:
Section Editor: Jonathan Corbet
Distributions

Please note that security updates from the various distributions are covered in the security section.

News and Editorials

ODS Linux. ODS Linux announced its existence this week. The company plans on selling preconfigured versions of the Linux operating system, with support and service. Using a web-based GUI, users can preconfigure a Debian Linux distribution for an existing system. The user tells the ODS system about the hardware they have and the software they want and ODS will ship out a package consisting of a custom boot floppy, manuals and software CDs. Versions of the service for other Linux distributions are planned.

Distribution Reviews

OpenBSD 2.8 (DukeOfUrl). The DukeOfUrl reviews OpenBSD 2.8. "OpenBSD is designed for security, and is "secure by default" (as their motto states), users wishing to have a functional and secure server need not toil with permissions and services, and in some cases, one needs to do nothing more than install the operating system and watch in awe as it does its work. Having worked on securing many Linux servers, believe me, OpenBSD is quite a vacation for both the system administrator or even just a user concerned with his or her security."

SuSE Linux 7.1. Here's a review of SuSE Linux 7.1 on SuSE's Linux Knowledge Portal. "Purists and Linux oldies might regard this abundance of graphical functions as an unnecessary concession to the colorful realm of contemporary desktops and its mass market. However, it is a great help for Linux newcomers and former users of other operating systems, who would be quite baffled by rather cryptic configuration files. Yet, this should not hinder any of the newcomers to try to acquire some background knowledge to understand them :-)"

New Distributions

NBROK Linux. NBROK Linux is a small Linux distribution which fits on a ZIP-100 drive.

General-Purpose Distributions

Linux-Mandrake News.
Here's a press release from MandrakeSoft and Macmillan USA proclaiming that, according to PC Data, Linux-Mandrake 7.2 was the best selling Linux distribution in December, 2000; it had a 28% market share. The PR is not explicit, but one assumes they are looking at the U.S. market.

Cooker CD images available. ISOs of the current Linux-Mandrake development version, "Cooker", (eventually Linux-Mandrake version 8.0), have been made available on the ISO mirrors. "These ISOs represent a development version, a lot of work is still needed, however you can see what chosen directions are, and give your feedbacks and comments about the present choices. Please be aware that this version is not considered as stable, and should not in any way be used in a production environment."

Debian Weekly News. The Debian Weekly News for February 13 is out. It covers the continuing campaign for the next project leader (four candidates now), changes to the new maintainer process, troubles with the "testing" distribution, and more.

Debian net-tools. Debian reported that the new version of net-tools in unstable is completely and utterly broken. However, if you have iproute installed you can still get your network up and running.

Kernel Cousins. The Debian Kernel Cousin Issue #22 contains "Wishful Thinking About Package Management", "Translation of Install Messages" and other topics. The Debian Hurd Kernel Cousin Issue #79 contains "Hurd Ports" and more.

Debian OpenBSD? Andreas Schuldei has announced his intent to create a "Debian OpenBSD" distribution. His purpose is to create a highly secure system with the feel of a Debian system - using the Debian package manager, SysV init scripts, etc. It would be based, however, on the OpenBSD kernel and userland utilities (i.e. no GNU tools).

Needless to say, this suggestion raised some eyebrows. Debian has always been an overtly GNU system; would it still be Debian without the GNU tools?
Might not it be better to just port dpkg to OpenBSD, if OpenBSD is what you want to use? Or, could not the effort of making this distribution be used to perform an OpenBSD-style security audit of the existing Debian distribution? The overall reception was skeptical, to say the least. Mr. Schuldei may find it difficult to attract enough developers to build his distribution in the near future. Everybody, however, agreed that he has the right to try...
Astaro Security Linux. Astaro Security Linux has a new version based on a specially hardened Linux 2.4 kernel.

Embedded Distributions

Lineo releases uCdimm. Lineo, Inc. announced the availability of the uCdimm microcontroller module for the DragonBall VZ microcontroller and uCevolution, a new host platform which gives developers a quick way to cross port a variety of processors. These two new products will be bundled in the Lineo uClinux Development Kit.

M-Systems and TUXIA Announce Support for DiskOnChip. M-Systems Flash Disk Pioneers Ltd. and TUXIA announced support for DiskOnChip(R) within TASTE (TUXIA Appliance Synthesis Technology Enabled), an embedded Linux distribution.

Coyote Linux. The Coyote Linux Windows Disk Creator has been updated a couple of times this week. Also Coyote Linux v1.28 has been released and is available for download. This version fixes a security exploit in the SSHd daemon and adds the ICQ and H.323 masquerading modules. Anyone with a version of Coyote Linux prior to 1.28 that is using the SSH daemon should upgrade.

Section Editor: Rebecca Sobol
Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.
Development projects

Browsers

Mozilla Weekly Independent Status Report. A new Mozilla Weekly Independent Status Report is available. Topics include Hermes, Sherlock, Galeon, Jabberzilla, and Chameleon.

Databases

Controlling Data Display with ORDER BY (ONLamp.com). John Paul Ashenfelter writes about SQL's ORDER BY clause in this ONLamp article. This is one in a series of articles on SQL which introduce database concepts to software developers.

Education

SEUL/edu Linux in Education Report for February 12, 2001. The February 12, 2001 issue of the SEUL/edu Linux in Education Report is out. Topics include a new SEUL/edu wiki page, teaching Perl to 9th and 10th graders, building diskless Linux kiosks for school labs, embedded Linux robots, and more.

Embedded Systems

Embedded Linux Newsletter for Feb. 8, 2001. The LinuxDevices Embedded Linux Journal for February 8, 2001 is available with the latest news from the world of embedded Linux.

Linux BIOS/bootloader for AMD Elan now released under GPL (Linux Devices). Telos announced the first public release of its alios Linux boot loader under the GPL license. "alios has been designed to completely eliminate the need for a BIOS and to load the Linux kernel image from solid state memory such as Flash ROM. Optionally, a RAM disk image may be loaded from ROM then as well."

Games

WorldForge releases Acorn 0.3. The WorldForge project has announced the release of Acorn 0.3. This release brings a great many improvements to this game, which is intended to be a demonstration of what the WorldForge framework can do at this point.

Pygame-0.9 available. A new version of the pygame package has been announced with a 1.0 release scheduled for the near future. "Pygame is a set of python modules written to help create games in Python."

Network Management

OpenNMS update for February 13. Here is the OpenNMS update for February 13, detailing the latest with the network management software project.
Among other things, it talks about the 0.6 release, which was released on February 14, 2001. The new version may be obtained from the OpenNMS download page. Office ApplicationsZRadiale - a free contact manager. A free contact manager system called "ZRadiale" has just been released. The announcement is in French, but the the project's web site is in English. ZRadiale is based on Zope, is licensed under the GPL, and is available now. Gimp's tools: selection and color correction (LinuxFocus). Yves Ceccone has put together a tutorial on the Gimp tools for selection and color correction. The tutorial is full of useful information. New Gimp site: gimpforce.org. The Gimp User Group has put together Gimpforce, a web site that features Gimp related galleries, tutorials, news, and more. On the DesktopPlanning GNOME 2.0. Miguel de Icaza has posted a document describing how he thinks the GNOME 2.0 development process should go. He is arguing for a relatively conservative approach to new features and such; apparently the switch to the Gtk 2.0 toolkit is going to present enough challenges as it is. "Besides, GNOME 2.0 is not the end of GNOME. GNOME 2.0 is just the next major release of GNOME. There is always a chance for us to redeem our pride as programmers, hackers and architects with GNOME 3.0 and GNOME 4.0." A new Goals for Gnome 2.0 document has also been released. Anti-aliasing in GNOME. The Gnotices site reports on the availability of anti-aliasing code for GNOME, implemented with Keith Packard's Render extension by Jacob Berkman and Vladimir Vukicevic. KDE 2.1 release schedule. The KDE 2.1 release schedule has been posted; it currently calls for a one-week delay, putting the final release on February 26. The People Behind KDE: Jono Bacon. The People Behind KDE series continues with a look at Jono Baco, the maintainer of Kafka and the developer of KDE Developer Center and KCVSApplet. Printing SystemsUpdated Source distribution for CUPS. 
A new source distribution for the CUPS print system has been announced. A number of security fixes are included as well as some SuSE compatibility additions. Web-site DevelopmentThe Apache-Tcl project launches. Here is the announcement of the launch of the Apache-Tcl project, which will be working toward the integration of the Apache web server and the Tcl scripting language. And Then Came Zope ... (SD Times). SD Times looks at Zope. "SD Times is written for software development managers, not for hackers, and we columnists try to maintain a professional tone about technologies and products, but there's no accurate way to talk about Zope without liberal use of exclamation marks and hyperbole. Zope is sick insane!!!!! It's the greatest thing since Bind!!!!! It's the finest language innovation since Guido van Rossum decided to use indenting for scoping!!! And so forth." PHP Weekly News for February 12, 2001. The February 12, 2001 issue of the PHP Weekly News is out. Topics include PAM support, a safe mode redesign, database abstraction extensions, tiny PHP support, and more. Section Editor: Forrest Cook |
February 15, 2001
Programming Languages

ERLANG

xmerl 0.12. A new release of xmerl, an ERLANG based XML toolkit, is available. Other new Erlang contributions are also available on the same site.

Haskell

Haskell Language Developments. Several announcements have recently been posted concerning the Haskell language. Among them are:

Java

Struts, an open-source MVC implementation (IBM developerWorks). Malcolm Davis has written an IBM developerWorks article on the Struts Framework. "This article introduces Struts, a Model-View-Controller implementation that uses servlets and JavaServer Pages (JSP) technology. Struts can help you control change in your Web project and promote specialization. Even if you never implement a system with Struts, you may get some ideas for your future servlets and JSP page implementations."

Perl

Perl 5 Porters for February 12, 2001. The February 12, 2001 edition of the Perl 5 porters list is available. Topics include updates to the Perl FAQ, Namespace for IO Layers, Memory Leak Plumbing, Shared functions, Perl 6, and more.

Makerpm 0.200 released. A new version of makerpm has been announced. Makerpm is a utility that turns perl modules into RPM files.

Python

Python-dev summary for January 31. A.M. Kuchling's Python-dev summary for January 31 is out. It covers a number of development issues, including a pointer to his What's New in Python 2.1 document. It is also the last one he plans to write; he does not think that the Python-dev summary has had the effect he was after (making the Python development process more transparent). Python-dev has been a great resource; it will be missed.

The Python-crypto mailing list. A new mailing list for the development of cryptographic software in Python has been announced. It's hosted in the Netherlands, due to continued nervousness about what U.S. policy on crypto software really is.

Transforming Python performance data (IBM developerWorks). Chimezie Thomas-Ogbuji discusses how to profile Python programs with XML and XSLT in an IBM developerWorks article. "This article covers how to use XML technologies to build a better profiling tool for Python programs. It also describes how to generate an XML call tree from collected profile data, including function call information, such as the number of calls and cumulative time spent in function calls. The article includes sample code for building a DOM tree, an XSLT style sheet that transforms the XML tree of profile data into an informative HTML page, and other sample code."

This week's Python-URL. Here is the February 14, 2001 edition of the Dr. Dobb's Python-URL. Discussions include a CPAN-like service for Python, pure-Python encryption tools, a Python powered QuakeWorld server, and boolean COM properties.

Python Books Online (O'Reilly). Stephen Figgins writes about online Python books in an O'Reilly Python Devcenter article. "The high quality of online tutorials for both beginning and experienced programmers is an extension of the supportive Python community. It's one more thing that sets Python apart from other scripting languages."

Python Megawidgets 0.8.5 released. A new version of Python Megawidgets has been announced. This version is mainly a bug-fix release. "Pmw is a toolkit for building high-level compound widgets in Python using the Tkinter module."

Tcl/Tk

This week's Tcl-URL. Here is the Dr. Dobb's Tcl-URL for February 14. Topics this week include a tcl binary scan, tclperl-2.1, moodss 13.1, an open-source interface builder, and more.

tclperl-2.1 released. A new version of tclperl has been announced. Tclperl allows the execution of Perl code from a Tcl interpreter.

Software Development Tools

Cervisia, a graphical frontend for the CVS client. A new version of Cervisia, version 1.1, has been announced. Cervisia gives CVS a graphical front end under KDE. Cervisia is distributed under the Q Public License.

Documentation

'The Art of Unix Programming' gets two new chapters. Eric Raymond's The Art of Unix Programming is a slow-moving, open book that he is writing with input from folks on the net. Eric has just announced the addition of chapters 3 and 4. Chapter 3 covers the various programming languages available on Unix systems, while chapter 4 gets into other development tools. As always, he is looking for feedback and suggestions.

Linux Documentation Project News. Here is the latest news from the Linux Documentation Project. Included is a new document on securing Apache under RedHat Linux. Numerous other documents have also been updated. (Thanks to David Merrill).

Section Editor: Forrest Cook
Linux and Business

'Business Ethics' in the Open Source Community?. KDE developers Kurt Granroth and Andreas Pour were searching for KDE links on Google when they encountered a sponsored link to Ximian, a developer of "that other desktop", GNOME. That prompted this open letter on Ximian's tactic of buying KDE-oriented keywords on the Google search engine. "Tactics like this are considered 'legal risks' in the cut-throat proprietary business world. They almost always result in lawsuits due to trademark infringement. Is that what the open source community has devolved into? Has the old fraternity based on integrity, pride and 'settling it with code' been replaced by greed, deception and 'we'll see you in court'?"

Ximian then posted this response to complaints about its sponsored links on Google, and to the open letter from Kurt Granroth and Andreas Pour in particular. "Ximian designed its advertising strategy in good faith, and had no intention to offend or deceive anyone. Pour and Granroth, too, had sought in good faith to avoid confusion between the KDE and GNOME products, rather than to sow controversy." Among other things, the sponsored links have been removed.

This particular dispute has been resolved successfully and it is nice to see that the open source community can resolve issues without lawsuits and recriminations. It provides a happy contrast to the patent and trademark issues discussed on both the Front page and on the Security page this week.

Conflict Emerges among St. Louis-Area Free Software Companies (St. Louis Post-Dispatch). The St. Louis Post-Dispatch has put up an article on the dispute between SAIR and LinuxGruven. "Meanwhile, a Wave subsidiary, Sair Linux of Oxford, Miss., has suspended Linuxgruven as one of its accredited centers for learning Linux. Sair Linux says Linuxgruven failed to hire instructors that have passed Sair's tests on using its teaching materials. In addition, critics have lodged complaints on the Internet and with the Better Business Bureau, charging Linuxgruven with deceptive advertising. Linuxgruven recently advertised a $45,009-a-year job that appeared to be a come-on for its training courses."

O'Reilly releases new CatB. O'Reilly has announced the release of a revised and expanded version of Eric Raymond's The Cathedral and the Bazaar. Among other things, it has new essays on "the economics of open source" and "open source as a competitive weapon."

O'Reilly 2001 P2P Industry Overview. O'Reilly is getting into the fancy research report business. The company has just announced the availability of the '2001 P2P Industry Overview', describing where they think the peer-to-peer industry is going. Introductory price: $895.

Opera 5.02b6 for Linux available. Opera Software has announced the availability of the Opera 5.02 browser (6th beta version) for Linux. The "ad-supported version" can be downloaded for free, or one can pay $39 for a version without ads.

Caldera and SCO change acquisition agreement. Caldera Systems and SCO have announced some changes in the terms of their acquisition deal. Caldera now gets complete ownership of the OpenServer line, and will be paying more: $23 million in cash up front, $8 million more later on, and 16 million shares in stock. They expect to close in the second quarter of this year.

Caldera OpenLinux eServer now preloaded on Compaq servers. Caldera Systems has announced that Compaq will be selling OpenLinux eServer preloaded on some of its ProLiant servers.

Teaching Penguins to Fly (IT Forecaster). IDC's IT Forecaster has put up an article on the future of Linux support services. They expect the market to grow in a big way. "Members of open source communities are used to freely helping one another to solve technical problems. This distributed model of self-help breaks down as Linux slips into user organizations, where IT managers may have few connections to the corps of coders and may have little input beyond bug reports to give back to the movement."

For your amusement: Windows 2000 clusters. Found on the Microsoft site: this page on "Industry-Standard Clusters from Microsoft and Intel." "Now anyone with massive computing needs can create clusters using commercial off-the-shelf (COTS) PCs and a shrink-wrapped version of Windows 2000. This is a first in computing history and means that inexpensive industry-standard components can now scale to the highest levels of performance." A "first in computing history" indeed...

Linux Stock Index for February 08 to February 14, 2001.
LSI at closing on February 08, 2001 ... 40.44
The high for the week was 40.44
Press Releases:

Open Source Products

Unless specified, license is unverified.
Distributions and Bundled Products
Proprietary Products for Linux
Products and Services Using Linux
Products with Linux Versions
Java Products
Partnerships
Investments and Acquisitions
Personnel
Linux At Work
Other
Section Editor: Rebecca Sobol.
Linux in the news

Recommended Reading

Gnutella is Dead (ZDNet). ZDNet reports on gnutella's scalability problems. "But essentially, if user A makes a request for a file from user B, who is offline, the software sends a 'push' packet broadcast to all the other computers connected to user A instead of routing it back to where it came from. This lack of routing and pushing when the host is offline contributes to more than 50 percent of the total traffic on bad days."

Herbert Simon Dies (PG News). The PG News site is carrying a brief article on the death of Herbert Simon. Mr. Simon worked primarily in economics, but had a large influence on Computer Science and AI as well. Anybody who hasn't read The Sciences of the Artificial should go out and get a copy now...

Landmark Linux Tome Updated (Wired). Wired News has put up an article on the revised version of The Cathedral and the Bazaar. "Think you've read it already? You probably haven't. [Eric] Raymond has often said that the book is an ongoing project that will probably never be finished, and he's recently updated the book again with significant new material." (Thanks to Jay R. Ashworth).

Linux World

A walk on the Embedded side ... of LinuxWorld NY (LinuxDevices.com). LinuxDevices.com has put together a lengthy summary of LinuxWorld from an embedded systems point of view. "In fact, I'll venture a (self-serving?) prediction that this year is shaping up to be 'the year of Linux in Devices' -- with products like Linux-based PDAs, cell phones, web pads, and set-top entertainment systems hitting the market in growing numbers as the year rolls on."

Companies

Microsoft investigated for Corel investment (News.com). News.com has run a brief article on the investigation of Microsoft's investment in Corel. "One of the concerns of antitrust investigators is Ottawa-based Corel's decision to shed most of its Linux computer-operating system business since the investment..."

Microsoft's Linux 'message' (ZDNet). Here's a brief ZDNet article on Microsoft's approach to Linux. "Finally, the implication that software users need a company like Microsoft to provide innovation is just so much leftover spin from the DOJ trial. The fact is that a completely decentralized, noncorporate coalition delivered Linux as it stands today. Now that's innovation."

Microsoft looks for Linux inspiration (Fairfax IT). Fairfax IT looks at Microsoft's latest recruiting tactic in Australia. "An international recruiter from Microsoft's Redmond headquarters has approached Linux user groups in Sydney, Melbourne and Adelaide seeking software developers interested in joining the company's Windows core networking team."

Internet consortium to launch fee-based security alert service (NW Fusion). Network World Fusion looks at ISC's plans to set up a fee-based forum for BIND security information. "'ISC found that speaking to vendors through the CERT advisory process was somewhat awkward and made for extra work on both sides' [Paul] Vixie said. 'The next time we learn, through CERT or otherwise, that there is an attackable bug in code that we've published, we hope to have a direct and very private communications forum with the people who run the Internet infrastructure or who need lead time to prepare patches for their customers.'" (Thanks to Cèsar A. K. Grossmann).

Falling revenue spurs Turbolinux layoffs (News.com). News.com reports on events at Turbolinux. "However, the company has lost some of technical staff recently, including Samba programmer John Terpstra, who moved to rival Caldera Systems, and Peter Braam, a Linux file system programmer who along with former Turbolinux Chief Executive Cliff Miller founded Mountain View Data."

TurboLinux going through layoffs and restructuring today (NewsForge). NewsForge reports that it's Turbolinux's turn to go through layoffs, again. "Jerry Greenberg, senior marketing v.p., says, 'We built the company on the expectation of doubling every quarter. We're growing well, but not at that rate. We had to respond to it.'"

Linux seller SuSE slashes U.S. staff (News.com). News.com reports on the layoffs at SuSE. "It's been an era of belt-tightening as the evaporation of Linux hype forces Linux companies to adopt more down-to-earth plans for capitalizing from the software's popularity."

Another Linux love feast (ZDNet). This ZDNet article looks at Caldera's strategy with UnixWare. "Caldera executives say partners should expect a new product-branding strategy. Specifically, Caldera's platforms will be branded by functionality (database server, Web server, etc.) instead of by operating system. The partner push will involve cross-selling and cross-development between the UnixWare and Linux communities."

Business

Sun vs. Microsoft -- until when? (ZDNet). ZDNet attended a speech by Sun CEO Scott McNealy and was not impressed. "In this business, the only real open industry standard in the computer industry is Linux, which thankfully remains beyond the clutches of the moguls. Everything else is hokum designed to lock developers (and by extension, customers) into proprietary corners of the computing constellation."

Resources

Linux Audio Plug-Ins: A Look Into LADSPA (ONLamp). Here's an ONLamp article on the LADSPA audio plugin architecture. "LADSPA's design is based upon the extensive research that has already gone into applications such as Csound and other MusicV software synthesis environments. The LADSPA architects have provided a lightweight, flexible API based upon those long-established technologies and have created a plug-in architecture as useful for software sound synthesis and mixing as it is for modular effects processing."

Reviews

Assessing Linux's progress on the desktop (ZDNet). ZDNet looks at Linux on the desktop. "Evolution is nearly identical in look and feel to Microsoft Outlook, faithfully reproducing even the annoying Outlook Bar--something I hide in new installations of that Microsoft application even before I disable the hated Office Assistant."

Interviews

How SuSE Carries Its Big Stick (Linux Planet). Linux Planet talks with SuSE CTO Dirk Hohndel. "Now that recent events have seen a financial downturn for the Linux wave of hype, Hohndel explained, he is very encouraged by the fact that Linux has not gone away and that customer interest in Linux is going up. This, to him, is a sure sign that Linux is not just a fair-weather technology subject to the whims of financial and corporate hype."

Interview: Linux Disrupts The Status Quo (TechWeb). TechWeb interviews Red Hat CTO Michael Tiemann. "We're fundamentally trying to change the economics of the computer industry by putting power into the hands of users, which is something Microsoft and other members of the proprietary-system industry are not willing to do. We aren't going to butt heads with Microsoft because we're not really on the same path."

Miscellaneous

Netscape browser ratchets up to version 6.01 (News.com). News.com reports on the Netscape 6.01 release. "In a strange twist, AOL Time Warner faces potential competition from Netscape's open-source browser project--that is, if the operation can ever get a browser out the door. Mozilla.org has labored for about three years to deliver a next-generation browser, in an effort to demonstrate that open-source programmers from different companies can collaborate to deliver a viable commercial product."

Section Editor: Forrest Cook
Announcements

Resources

Kernel Traffic (and cousins) move to new site. Zack Brown has announced that the Kernel Traffic site, along with its various "cousins," has moved to a new site. The author's email address has rather abruptly changed as well, as part of the "restructuring" at Linuxcare.

Unix family tree. Worth a look: this Unix family tree posted by Éric Lévénez. It's highly detailed, and available in PostScript format so you can print up your own, 12-page version. (Thanks to Jay R. Ashworth).

What Are You Gonna Do? 'Make' Me?. LinuxLookup looks at 'make'. "Make can execute compiler/linker commands, shell commands, other makefiles, and even has some nifty scripting features of its own."

Where Do I Put Startup Commands In Debian?. Linuxnewbie.org looks at Debian startup commands.

Tip of the Week: C Program Declarations. Linuxlookup's tip of the week looks at C Program Declarations.

Events

LinuxTag 2001 call for papers. LinuxTag 2001 will be held in Stuttgart on July 5-7, 2001. The call for papers has gone out, for those who would like to present there; talks can be in either German or English. The CFP gives February 8 (i.e., last week) as the due date for abstracts, but, given the lateness of the notice, one would hope that they would accept submissions for just a little longer.

Linux@work in 12 cities in Europe in 2001. LogOn Technology Transfer is organizing the 3rd annual Linux@work series. These are 1-day Linux events which will take place in 12 European venues in May and June of 2001.

Events - February 15 - April 12, 2001.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

User Group News

Tucson Free Unix Group Installfest!. It's time for the TFUG 3rd Annual Installfest. "When members of the local Free Unix community come together and offer their time and expertise to help install and configure Linux or BSD for new users and interested observers, and then do it again and again and again - usually accompanied by pizza - you have an Installfest!" February 25, 2001 in Tucson, Arizona.

LUG Events: February 15 - March 1, 2001.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.
Software Announcements

This week's Freshmeat software announcements are available as an Alphabetical list or Sorted by license.
Our software announcements are provided courtesy of FreshMeat
This week in Linux history

Five years ago: Caldera announced its "Network Desktop 1.0" distribution.

The Call For Papers for Linux-Expo 1996 (hosted by "Linux Users' Group (LUG) at North Carolina State University (NCSU)") went out.

Three years ago (February 19, 1998 LWN): Richard Stallman weighed in against the new term "open source":

    The main argument for the term "open source" is that "free software" makes some people uneasy. That's true: talking about freedom, about ethical issues, about responsibilities as well as convenience, can trigger discomfort. This asks people to think about things they might rather keep out of mind. It does not follow that society would be better off if we stop talking about these things.

It is the third anniversary of the (in)famous Jesse Berst Fired for Choosing Linux? article:

    Okay, Linux may have a low, low cost. And many technical merits. And lots of help for do-it-yourselfers. But can it pass the all-important "cover your ass" test? I'm not so sure. There's no single company behind Linux. No single source of support. No sales rep you can call in and yell at if Linux fails unexpectedly, leaving you without an operative Web site. Nobody to blame, in other words. Except you, if you were the person who recommended this product.

It is also, more or less, the third anniversary of Don Marti's Operating System Sucks-Rules-O-Meter.

Two years ago (February 18, 1999 LWN): Windows Refund Day came and went. Turnout was small, refunds were nonexistent.

Bruce Perens got fed up with "open source" and said it's time to talk about free software again:

    Most hackers know that Free Software and Open Source are just two words for the same thing. Unfortunately, though, Open Source has de-emphasized the importance of the freedoms involved in Free Software. It's time for us to fix that. We must make it clear to the world that those freedoms are still important, and that software such as Linux would not be around without them.

Fortune reported on Microsoft's "Linux Defense", which was relatively new at that time.

    But no moment has been quite so Alice in Wonderland as the one we're about to see.... The video begins. "Hello," chirps an effervescent young Microsoft employee. "This is a demonstration of the Caldera OpenLinux operating system." Caldera is a small company that, in a delicious irony, is currently suing Microsoft on antitrust grounds. The young Microsoftie continues: "The demonstration will show that Caldera's operating system provides effective functionality for end users."

Debian 2.0r5 was released.

Glibc 2.1 was released, then withdrawn "until some political issues are worked out." The problem, it seems, is that gcc 2.8 could not compile it (it compiled with egcs). The gcc/egcs split, happily, has long since gone away.

The Burlington Coat Factory announced that it would install Linux in 250 stores; this was one of the first high-profile Linux deployment announcements.

One year ago (February 17, 2000 LWN): IDC released a study showing that Linux was the number-two server operating system, with 25% of the market. Windows NT came out on top, with 38%. Linux and Unix systems together, however, showed up on more systems than NT.

Development kernel 2.3.46 came out; included therein was Richard Gooch's devfs system. The inclusion of devfs had been the subject of flame wars for almost two years. One year later, it remains to be seen whether the distributors will set up their systems to use devfs or not.

Andrew Leonard's Free Software Project launched on Salon. A year later, progress seems to have slowed, but there is a bunch of good writing there.

The UCITA "shrink wrap software" law passed in Virginia. UCITA got off to a quick start, but appears to have stalled since then.

One way to make "open source" look good:

    Am I the only one to see that Torvalds and other open-source software revolutionaries are acting out the finale of George Orwell's Animal Farm? Orwell's farmhouse is full of open-source pigs, which are now almost indistinguishable from the proprietary humans they recently overthrew. It's true that I have been unkind to the "open sores" movement. But to be clear, anyone is welcome to beat Microsoft with better software, even a utopian community of volunteer programmers. May the best software win.
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
To: ylo@ssh.com, letters@lwn.net
Subject: Your legal threats concerning the SSH trademark
Date: Wed, 14 Feb 2001 13:06:01 -0500 (EST)
From: Don Barry <don@astro.cornell.edu>

Dear Mr. Ylonen,

First, I wish to thank you for designing the first SSH protocol and working with international standardization bodies to create what is now an official as well as unofficial standard for secure communications between computers. I also thank you for beginning this effort under an open source license, which I hope you realize was an essential part of your contribution being accepted as a standard.

Now to the criticism. I was very disappointed when you took your product in a commercial direction: I frankly found it a predatory maneuver to establish a project in an open source manner and then proprietize it after having it accepted as a standard. I gave you the benefit of the doubt and presumed this behavior was accomplished by business denizens who by then controlled the destiny of your company.

I see now that I was wrong. Even if my original presumption was correct, by lending your own name now to a legal effort to throw confusion into the arena of SSH protocol products, you have confirmed the worst suspicions of many of us.

Actually, I find essentially all users of SSH and OpenSSH are quite clear about the origins and distinctions between these programs. The downturn in your commercial fortune is not due to a "confusion" between these two products -- it is in fact due to a *recognition* that the open source version is superior, and the desire of users to not choose a product offered by a developer and company which has shown erratic and greedy behavior in the past. Frankly, I wish they had developed this product in the GPL fashion, because this *free source* technique is even superior and would prevent would-be pirates (like you are free to do) from generating proprietary code forks.

The confusion and doubt which you mention is not in the use of the OpenSSH designation to describe a well-known code base, it is actually your attempt to generate confusion among those who would use the open alternative to your product, by obfuscating its identity.

Finally, your statement claiming fundamental insecurities in the SSH1 compatibility mode of the OpenSSH product (something, I might add, now offered by your *own* product after a failed attempt to do a full proprietary transition) is a classic example of Fear, Uncertainty, and Doubt in action. The theoretical vulnerabilities of the SSH1 protocol to insertion attacks would prove extremely difficult to mount in practice, and the actual CERT vulnerabilities you mention deal with more mundane affairs such as buffer overflows -- something your *own* product has also suffered from. These real-world vulnerabilities are of course the primarily exploitable ones, and are a factor of the quality of the code base, not the algorithms. And, of course, the OpenSSH software does implement both SSH1 and SSH2 protocols.

In my own academic capacity, I have succeeded in impressing on my colleagues the importance of using secure communications in our activities. We use both the SSH and OpenSSH codes in my department. If you wish to compete in this arena, do it through the creation of superior software, preferably in the open (or better yet, *free*) domain, and not through legal maneuvers.

Henceforth, should you not choose a more moderate and cooperative path in working with the community of coders producing for the public good, I will do my best to make sure that your product is found on not one of our machines, and that people know exactly the reason why.

Cheers,

Don Barry, Ph.D.
Space Infrared Telescope Facility Team
Cornell University
To: letters@lwn.net
From: Jim Dennis <jimd@starshine.org>
Subject: Tatu Ylonen's message to the OpenSSH developers
Date: Wed, 14 Feb 2001 17:16:23 -0800

I personally applaud Tatu Ylonen's restraint and tact in his message to the OpenSSH developers list. I think it's long overdue.

It's a pity that SSH(TM) isn't completely free. It's a pity that Tatu hasn't found a revenue model that would allow him to release under the GPL or BSD licenses, or to create a DFSG compliant license. Obviously, revenue models are a hard problem for free software -- and some people do need to live off their programming labors. I can't begrudge Tatu (or others) that.

However, it's equally a pity that no one has come out with a fully independent protocol compatible re-implementation. Tatu published his sources, and a full description of the protocols (both versions?) and has actively encouraged (through his participation in the IETF) an independent implementation. (IETF guidelines strongly suggest, nigh onto *require* multiple independent and interoperable implementations of all new Internet standards).

lsh/psst (http://www.net.lut.ac.uk/psst/) seems to be a moribund project; the fact that it hasn't even become available as a Debian package in unstable is testimony to that.

(I also think that it's a pity that SSH(TM) and its ilk are still necessary. Unfortunately the deployment of IPSec and especially secure DNS still lags to the point where opportunistic encryption and transparent authentication are still distant dreams).

Unfortunately I think that Tatu will be castigated for his message and I'd like to go on record as saying that all the complainers should stuff it! Go help Martin Hamilton and the rest of the psst team if you insist on a fully GPL version of an ssh(TM) compatible package. (Or help get InterNIC to adopt a secure DNS version of BIND *and* to publish keys and sign their top level zone data --- and otherwise help us realize IPSec).

Meanwhile the OpenSSH [sic] team should probably consider renaming their package OpenSecsh (possibly to be pronounced like a drunk commenting on "promiscuous sex"). I suspect that Tatu would have no complaint about their use of the IETF name for the protocol --- and he hasn't even asked them/us to change the name of the binary.

I'd nonetheless recommend that they/we rename the binary, and include a wrapper script called ssh that does something like reasonable. (Something like:

    #!/bin/sh
    # Print the trademark notice on stderr so the wrapped command's stdout is untouched.
    echo "SSH is a trademark of SSH Inc and Tatu Ylonen" 1>&2
    # Pass every argument through to the renamed binary.
    /usr/bin/secsh "$@"

... or a C binary wrapper to that effect; would suffice.

Acknowledging the author and trademark holder when calling the program under its traditional name seems appropriate and anyone who thinks this onerous (or finds that it's causing their scripts to break) can simply make their own alias or wrapper, or change to the new name.

Tatu (copied on this), thank you for your patience and tolerance in this matter. Also, I'd like to thank you for writing an indispensable piece of software that has truly made the Internet safer. The thing that will help further is its continued development, the accelerated demise/upgrade of the obsolete versions, and more ubiquitous use.

--
Jim Dennis
Software Analyst
Axis Personal Trainers
http://www.axispt.com

Subject: HTML email privacy
To: editor@lwn.net
Date: Thu, 8 Feb 2001 13:51:04 +0000 (GMT)
From: Alan Cox <alan@lxorguk.ukuu.org.uk>

The article you point to on HTML email privacy is actually quite misleading. Disabling javascript will not protect against most email privacy attacks.

A simple

    <IMG src="http://evil.mailtracking.scum.org/cgi-bin/track?id=123456">

type tag will allow the tracking of the host used to read each email. The information that most browsers will hand back generally provides the IP address and other basic system factors (including monitor size with some browsers).

It is also possible to use the rlogin: URL to extract usernames from browsers because the rlogin client will pass username information as part of the connection setup. From this and the IP address you can normally deduce an awful lot about the user.

No javascript required.

Alan

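
An added example, not part of the letter above and not code from LWN: a small audit a mail filter could run over an HTML body to list every reference that leaves the machine without any script, which is the point the letter makes. The tag/attribute table is an illustrative subset, and the tracker.example, collector.example and newsletter.example hosts are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a renderer dereferences on display, no script needed.
# Illustrative subset chosen for this example, not a complete inventory.
AUTO_FETCH = {("img", "src"), ("input", "src"), ("iframe", "src"),
              ("frame", "src"), ("embed", "src"), ("link", "href"),
              ("body", "background"), ("table", "background")}
URL_ATTRS = {"src", "href", "background", "action"}
NETWORK_SCHEMES = {"http", "https", "ftp"}
# Schemes passed to an external client program that opens its own connection.
HELPER_SCHEMES = {"rlogin", "telnet"}

class RemoteReferenceAudit(HTMLParser):
    """Collect every URL in an HTML mail body that leads off the local machine."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr not in URL_ATTRS or not value:
                continue
            url = value.strip()
            parts = urlsplit(url)
            scheme = parts.scheme.lower()
            if scheme in HELPER_SCHEMES:
                kind = "helper-client"
            elif scheme in NETWORK_SCHEMES or (not scheme and parts.netloc):
                # "//host/path" carries no scheme but is still remote.
                kind = "auto-fetch" if (tag, attr) in AUTO_FETCH else "on-click"
            else:
                continue  # cid:, data:, mailto:, "#fragment": no fetch on display
            self.findings.append((kind, tag, attr, url))

def audit(html_body):
    parser = RemoteReferenceAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings

def safe_to_render(html_body):
    """True if the body holds no auto-fetched reference and no helper-client URL."""
    return not any(f[0] in ("auto-fetch", "helper-client") for f in audit(html_body))

# Constructed sample. The tracking URL is the one quoted in the letter; the
# other hosts are placeholders. Note that it contains no <script> at all.
SAMPLE = """<html><body background="//tracker.example/bg.gif">
<IMG src="http://evil.mailtracking.scum.org/cgi-bin/track?id=123456" width=1 height=1>
<img src="cid:logo@newsletter.example">
<frame src="rlogin://collector.example/">
<a href="http://www.example.com/unsubscribe">unsubscribe</a>
</body></html>"""
```

The cid: image is an attachment carried inside the message, so it is the one image in the sample that displays without telling anyone the mail was opened.
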
From: Hubert Tonneau <hubert.tonneau@heliosam.fr>
To: letters@lwn.net
Subject: DNS servers list: Pliant is missing
Date: Thu, 08 Feb 2001 11:05:49 GMT

In the February 8th issue of LWN, you listed several alternatives to Bind, but forgot Pliant (http://pliant.cx/)

Pliant DNS server is:
. released under GPL,
. very compact (less than 1000 lines)
. using Pliant database engine for reliably storing configuration files
. remotely administrated using a web browser over Pliant strong crypto secured channel.

It's not suited for first level domains such as (.com or .fr), but for hosting second level domains of your company or your organization (pliant.cx or heliogroup.fr), it should work just fine. Of course, it can also act as a caching DNS for your site or your computer.

Regards,
Hubert Tonneau

From: Russell Nelson <nelson@crynwr.com>
Date: Thu, 8 Feb 2001 10:46:03 -0500 (EST)
To: lwn@lwn.net
Subject: not true

  From the above list, one can conclude that BIND's competitors have some ground to cover yet. Energetic hackers looking for a project may want to consider the creation of a viable competitor to BIND; the net will be a safer place when we have one.

Why? djbdns is a viable competitor to BIND. The author's personality is irrelevant to the quality of the software, the author considers your inability to redistribute modified versions to be a feature (and given the track record of some vendor-modified versions of sendmail and bind, he's got a point), and the code is only difficult to read because it uses many functions from Dan's library. Said library by design discourages buffer overruns. Did I mention that it discourages buffer overruns, which are irresponsible for 50% of all Unix security lapses? It's not C, it's the C library.

And djbdns could serve the .com zone using 3GB of memory, as opposed to the 8GB used by ISC's root zone server. Is that a large enough zone for you?

--
-russ nelson <sig@russnelson.com>  http://russnelson.com
Crynwr sells support for free software  | PGPok | "This is Unix...
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Stop acting so helpless."
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | --Daniel J. Bernstein

Date: 8 Feb 2001 10:09:49 -0000
From: cpb@log2.net
To: letters@lwn.net
Subject: Asbestos for you

On the LWN front page of Feb. 8, 2001, you state that the djbdns DNS server "lacks some capabilities (TCP service, zone transfers, ...), making it not necessarily suitable for larger domains."

Please print this email on asbestos and add it to the truckload of asbestos you will need should someone with more knowledge of djbdns and the desire to demonstrate that knowledge choose to come after you with email flames! I have the knowledge, but not the desire.

- Chris Bopp

P.S. If djb himself writes, you will need more than a truckload!

Date: Thu, 8 Feb 2001 08:54:12 +0100
From: Frank Tegtmeyer <fte@fte.to>
To: lwn@lwn.net
Subject: errors about djbdns on your front page

Hi,

while I am glad you mentioned djbdns as a secure alternative to BIND, I have to point out at least two errors:

"djbdns also lacks some capabilities (TCP service, zone transfers, ...), making it not necessarily suitable for larger domains."

djbdns (formerly dnscache) contains axfrdns since January 2000. Therefore your statement about TCP and zone transfers is not true and has to be seen as misinformation.

Making these false statements you come to the conclusion that djbdns is "not necessarily suitable for larger domains". This is ridiculous and not backed by any facts. I invite you to join the djbdns mailing list and ask for large companies using djbdns or for ISP with a big number of zones using djbdns.

The point is that djbdns doesn't lack features of BIND - it is simply different. You have to stop "BIND thinking" when handling djbdns.

I agree that you can get into some trouble because of the mentioned "monoculture" at the Internet today when using djbdns. But there are enough people using djbdns that prove your statements wrong.

I expect the necessary corrections at your page.

With kind regards,
Frank Tegtmeyer

Date: Thu, 8 Feb 2001 19:05:45 -0500
From: "Jay R. Ashworth" <jra@baylink.com>
To: letters@lwn.net
Subject: DJB and his DNS

In the special on djbdns, the editor wrote:

> In the end, though, you need not like Mr. Bernstein to make good use
> of his software.

That's a comforting assertion, but I'm not sure whether it's correct or not. I can see many reasons why the attitude of a software package's maintainer is a pertinent issue in selecting what you're going to deploy in your network, be that network 2 machines or 200,000.

Even in the free software world, it would seem to be an issue. While the old "you have the source, you can fix your own problems" argument will surely be made here, of course, it's not true for everyone: especially something as hirsute as a DNS server is not code that everyone will be able to do anything with.

One of the projects that I'm involved with (when I can find time and manage not to be ill) is the open fax server software system HylaFAX, originally written by Sam Leffler when he was at Silicon Graphics, and now available under a reasonably open license (I believe it's either strict or slightly modified BSD). <http://www.hylafax.org>

While the package has a fairly decent sized user community -- frankly, we don't know how big it is because most of the installations Just Work :-) -- finding good developers who can work on it is hard. That's because it's a) soft-real-time code and b) written in C++. We're lucky to have the 4 or 5 people we do, when they can spare the time, but it sure wouldn't hurt if there were a few more.

What *is* safe to say, though, based on the support queries I see on our user mailing list, is that the vast majority of the people who {are,would like to be} deploying it are *not* equipped to do more than the slightest little bit of hacking on it around the edges. And there's nothing wrong with that; in fact, it's essential.

Luckily, the development community on this project, headed by Mr. Arlington Hewes, is much more personable and easy to get along with than DJB is reputed to be (I've never worked with the man, but I heard the sparks around the edges of maildir format support when I was on the mutt-devel list.)

So perhaps, just having good code *isn't* enough; we geeks are going to have to come out into the real world, too.

Damn. What a shame. :-)

Cheers,
-- jra
--
Jay R. Ashworth                           jra@baylink.com
Member of the Technical Staff     Baylink
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida     http://baylink.pitas.com     +1 727 804 5015

Date: Thu, 8 Feb 2001 21:08:55 +0000
From: Alain Williams <addw@phcomp.co.uk>
To: lwn@lwn.net
Subject: The case for competition

I will not labour the well sung refrains that competition is good because: it leads to the evolution of good solution(s); heterogeneity engenders robustness in the face of cracking attacks; choice for the solution that is right for you; ...

There seems to be a curious belief that everyone involved in Open Source is, somehow, supposed to be working together, that we are all part of some big global organisation or company. That belief naturally leads to the assertion that different (but similar) Open Source projects are really branches of this one organisation that are competing/working against each other. The mental analogy is as if different departments in IBM/Microsoft/... worked to produce competing: word processors, compilers, ...

There is also the reinforcing notion that if it comes from one organisation, then it was all written by that place. People see Linux as being an organisation, and so think that the different Linux distributions are probably something to do with the supply chain; putting slightly different badges on *one* product made by some higher up company.

The idea of software being produced by a ``for profit'' company is deeply ingrained. One frequent question that I get asked is something like: ``If it is given away how does Linux pay for the development ?''. The idea of a community sharing resources seems hard to grasp.

With this one company gestalt it is hardly surprising that competing projects (be that desktops or MTAs) are seen as a flaw in the Open Source ``business'' model. These same people would have no problem in accepting different companies competing to produce the better product and so gain market share and so, presumably, profit.

Most people don't understand the Open Source ``business'' model. Whereas a conventional business survives by competition, Open Source survives by cooperation.

Another problem is that many people do not like choice. They just want to know ``the way to do XXXX'', if there is choice then they need to think, and most people don't want to think about the choices in how to use computers -- this is not a derogatory remark, it is recognition that for most people a computer is a tool with which to do a job; for most people that is the right attitude.

But people love choice when it comes to cars, refrigerators, video recorders; so why not computer software ? I think that one big reason is the learning effort that goes into changing the computer software that you use. The learning effort for changing the other things is trivial; well, maybe I was wrong to talk about video recorders - but you get the idea.

In summary: we, the technical community, have to beware trying to judge other people's view of us (and our actions) from our own points of view. Let us try to see ourselves as others see us; if we don't like what we see then maybe we need to change the way that we present ourselves (and our passions) to the rest of the world. I.e. we need to learn to communicate.

--
Alain Williams

Date: Thu, 8 Feb 2001 14:05:12 -0600
From: David Fries <dfries@umr.edu>
To: letters@lwn.net
Subject: proving compliance

Let's say you or your company does go with GPL or free software. How do you prove that? I think it is harder than it sounds. It is easy for them to say you have software you can't show a license, but it is a harder job to show you don't have the software. What are they going to go through every megabyte on your drive and make you decrypt all data?

I'm for free software, but I don't think it will prevent a raid and is there any way for someone to get back at them for disrupting a business that is in compliance?

--
+---------------------------------+
|      David Fries                |
|      dfries@umr.edu             |
+---------------------------------+