
Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Leading items and editorials


The RTLinux patent is back in the news. LWN first covered this patent in the February 10, 2000 issue, and revisited it in the context of the rivalry between RTLinux and RTAI in the September 14, 2000 weekly edition. Since then, Victor Yodaiken (the patent holder) has issued a new license for the use of the patent; not everybody is happy about the terms found therein. Our coverage will come in two parts; this article looks at the patent and the associated license; the following one will look at the implications of the new license.

The patent itself is relatively simple as these things go. It covers the particular method used by RTLinux to achieve real time performance. Two techniques are called out as the core of what RTLinux does:

  • Running a general-purpose operating system (i.e. Linux) as a low-priority process under a real-time system. The general purpose system is not allowed to block the real-time system from executing whenever it needs to.

  • Placing an emulation layer between hardware interrupts and the general-purpose system. Linux thinks it is working with interrupts as always, but RTLinux is pulling the strings behind the scenes.

The patent contains a bunch of other stuff, of course, but these techniques are at the heart of it.

As things stand now, if you have a real-time system that uses the above techniques, you are subject to Mr. Yodaiken's patent - at least, in the United States. So the patent license may just be of interest.

The license allows for royalty-free use of the patented technology in two situations. They are:

  • If the software involved is licensed under the GPL.

  • If the software is running with the "Open RTLinux Execution Environment" as distributed by FSMLabs - Mr. Yodaiken's company. Note that this exemption applies only to an unmodified version of RTLinux. Even though RTLinux is licensed under the GPL, making modifications to it forfeits the right to royalty-free use of the patent if your software is proprietary.

Anybody who uses the RTLinux technology is required to send a message to FSMLabs giving their contact information and indicating agreement with the terms of the license. Anybody who makes commercial use of the patented technology, or makes a commercial distribution of software that uses that technology, is required to keep "complete and accurate records" and to make them available to FSMLabs on demand. Any use of the technology must also include labeling that says "Used, under license, U.S. Patent No. 5,995,745," and must include a copy of the license itself. Failure to comply with any of the above can result in the termination of the ability to use the technology.

For more information on the patent and licensing terms, see this article on LinuxDevices.com by Jerry Epplin.

What are the implications of the RTLinux patent and its license? There are a few aspects of this issue that are worth looking at.

What is Victor Yodaiken attempting to do with this patent? Mr. Yodaiken was kind enough to talk with us while waiting for a dentist appointment (some things are even less appealing than talking to the press). His position is that he has made an innovation that he has a right to exploit. Nonetheless, he wishes to make it freely available to anybody who is working with code licensed under the GPL. He sees this as a fulfillment of his obligation to the free software community.

Those who want to use the RTLinux method and do not want to license their code under the GPL are, according to Mr. Yodaiken, doing proprietary work. Such people should be both willing and able to pay for the previous proprietary work (such as the RTLinux patent) that they make use of. He sees people who wish to use RTLinux in proprietary products without paying as would-be free riders, and sees no justification for any complaints that they might make.

The only reasons to be upset about the RTLinux patent, he says, are (1) you are absolutely opposed to software patents in general, or (2) you want to do proprietary work without paying. Mr. Yodaiken expresses respect for those who are opposed to software patents (while disagreeing with them), but has little patience for those who wish to make money off other people's work.

A concise statement of his position may be found in this posting to the realtime list:

In summary: my opinion is that I owe the GPL community a license to use the RTLinux method for GPL code. And I owe RTLinux users a license to use RTLinux. I don't see any reason why I must otherwise subsidize other people's proprietary software projects.

Next question: what does this patent mean for RTAI? RTAI is a competing real-time Linux project headed up by Paolo Mantegazza in Milan, Italy. It differs from RTLinux in numerous ways, but uses the same fundamental technique as RTLinux. It is, thus, arguably subject to the RTLinux patent.

RTAI could offer no end of difficulties with regard to this patent. It is licensed under the LGPL, not the GPL. There are companies that have an interest in making proprietary products with RTAI; Lineo, for example, is an RTAI supporter. RTAI does not acknowledge the RTLinux patent, and it is unlikely that many RTAI users have sent in their acceptance messages.

Relations between RTLinux and RTAI, and especially between Mr. Yodaiken and Mr. Mantegazza, have always been rather tense. Each side claims the better technology, while simultaneously complaining that ideas and code have been stolen by the other. Some RTAI users have feared for some time that the real purpose of the RTLinux patent was to shut down the competition.

Certainly the RTAI camp does not intend to change much in recognition of this patent. LWN had a conversation with Mr. Mantegazza, and he was quite clear on what he thought: "Mr. Yodaiken has only been allowed to patent air, but air has been around forever with nobody thinking to patent it."

When asked if RTAI users should register with FSMLabs and indicate their acceptance of the patent license, he responded:

Not in your dreams, they should act as if there were nothing there.... RTAI will continue as if the patent did not exist. Remember that the patent is valid only in the USA, and the USA is not the world. Plus...the patent could also vanish like a soap bubble at the first legal test.

From Italy, that is an easy position to take. Companies in the U.S., however, may need to be more careful. We asked Lineo how it plans to handle this issue. The company is not talking much about it, but we did hear from Ryan Tibbits, Lineo's general counsel: "Lineo questions the validity of the patent, especially in the spirit of the open source community."

Mr. Yodaiken has long avoided committing himself on exactly what the status of RTAI is. Talking with LWN, he stated that he welcomes competing projects that take his GPL code and explore new paths, and that those using RTAI with GPL code need not worry about their right to do so. With regard to whether RTAI users need to accept the patent license and register, he responded:

As of the current moment, individual users need to determine whether they are using the RTLinux process and whether they need to register. Questions can be sent to licensequestions@fsmlabs.com

Not the clearest of answers. But Mr. Yodaiken has stated that he has no wish to cause trouble for RTAI, and hopes to come to an "amicable settlement."

Finally: what does this whole situation imply for the free software industry? As free software companies cast around looking for reliable ways to make money, it would not be surprising to see more of them turning to the sorts of intellectual property protection that this community has traditionally disliked. The free software industry, thus far, has been refreshingly different from the intellectual property driven proprietary world, and it will be discouraging if proprietary techniques and code make a comeback. That is not the "revolution" we were hoping to see.

This episode could also have an immediate effect on the adoption of free software: companies looking at real-time platforms may decide that the situation looks too messy and pass over Linux altogether. There are several well established, proprietary real-time solutions available; if RTAI is under a patent cloud and RTLinux is, itself, proprietary, why not look at the whole range of options? It is not inconceivable that this patent could relegate Linux to a very small role in the hard real-time sector.

LWN has long held that software patents are damaging and best done without. It remains to be seen if this particular patent turns out to be a problem or not; its owner does appear to be sincere in his desire not to cause problems for (pure) GPL applications. But the mixture of software patents and free software can only lead to software that is less free; this is not an example that we would like to see repeated.

Interview: David Sifry. While at LinuxWorld, LWN editor Michael J. Hammel interviewed David Sifry, CTO and co-founder of Linuxcare. The discussion wandered over a large range of topics, including the troubles Linuxcare has experienced over the last year, the company's plans for the future and the merger with Turbolinux, the Linux Standard Base, and more.

Feature: a look at djbdns. Last week's LWN weekly edition makes the point that the net needs free alternatives to BIND. A number of users of the djbdns DNS server complained (politely) that our overview did not do justice to that package, which they see as a viable alternative to BIND. It turns out they were right.

In an effort to set things straight, we put together a detailed look at djbdns as a separate feature article. Therein we examine the design of djbdns and conclude that it may well be ready to challenge BIND, though some other factors may limit its adoption.

Inside this week's Linux Weekly News:

  • Security: SSH trademark issue surfaces, XFree86 fixes show up, finally, and more SSH security problems are aired.
  • Kernel: Zero-copy networking meets the powder rule; user-mode Linux.
  • Distributions: ODS Linux and NBROK Linux.
  • Development: ZRadiale, GNOME 2.0 plan, KDE 2.1 schedule, Apache-Tcl.
  • Commerce: 'Business Ethics' in the Open Source Community?, Conflict emerges among Free Software Companies.
  • History: Three years since "Fired for choosing Linux?"; complaints about "open source."
  • Letters: Ssh trademark; we get taken to task for underestimating djbdns.

...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:


February 15, 2001

   


Security


News and Editorials

SSH Communications opens SSH trademark issue. This week, Tatu Ylönen opened up a trademark issue involving the terms "ssh" and "secure shell". He sent notes out to two public mailing lists, including this note, posted to the openssh-unix-dev@mindrot.org development list, and this note to BugTraq. In them, he requests that the OpenSSH and ScanSSH projects cease to use the string "SSH" as part of their product names.

[Editor note: We have confirmed that the second posting was sent to BugTraq, but rejected by the moderator due to lack of relevance. ScanSSH author Niels Provos reports he never received a copy of the note before it was posted publicly to NewsForge. He also stated that ScanSSH was created in September of 2000 in order to allow an assessment of the adoption rate of the SSH 2 protocol and he was never made aware of any IP issue at the time.]

You'll find additional coverage and reader postings on this issue on both Slashdot and LinuxToday. In addition, you'll find letters to the editor on the topic already in this week's Letters to the Editor section.

Two opposed viewpoints are represented in these community exchanges. On one hand, many people consider Tatu's notes to have been politely worded and are sympathetic with confusion caused by multiple products containing the word "SSH". They feel his request for name changes is reasonable and have already moved forward to suggesting alternatives (SHH, FRESH, ESH, Secure Telnet, ...)

On the other hand, many people don't consider the name change request reasonable, regardless of the wording (and the politeness of the wording can be argued if you look at statements like, "OpenSSH is doing a disservice to the whole Internet security community by lengthening the life cycle of the fundamentally broken SSH1 protocols", which is not particularly polite, nor necessarily accurate). The arguments on their side include:

  1. The word SSH is used both to refer to the protocol SSH as well as to products from SSH Communications. Trademarking the name of a standard is a tricky business; it can be viewed as an attempt to monopolize a standard, a bit of a contradiction in terms.

  2. SSH Communications has waited a long time before coming forward to enforce their trademark. Their registration of "SSH" dates back to 1996, yet products such as TGssh, authored in 1997, were never asked not to use the name.

  3. The license for ssh 1.2.12, upon which OpenSSH is based, states, "Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than 'ssh' or 'Secure Shell'". OpenSSH is compatible with the protocol descriptions, therefore this license can be read to have granted them the right to use the terms 'ssh' and 'Secure Shell'.

So which is it? A reasonable request that ought to be granted to prevent legal wrangles? Or an unreasonable attempt to punish well-founded competing projects by restricting them from using the name of the protocol that they implement in their products?

For the good of the community, we, of course, would rather see some compromise between these two positions that would result in all of us ceasing to wrangle about it and getting a chance to move on with developing better software and improving security. The search for such a compromise is difficult, though, given the strong emotional reactions that are cropping up on both sides, at least initially.

So let's look at a couple of possible scenarios and their long-term impact.

  1. First, imagine that the community reaction against trademarking the name of a standard protocol is strong enough that SSH Communications decides to drop their request and not to pursue legal action. In this case, the status quo continues. SSH Communications continues to, in their belief, potentially lose customers due to the confusion between the OpenSSH and SSH Communications products.

    Unfortunately, we don't actually believe that SSH Communications is losing customers due to the confusions between the two products but instead due to the well-understood differences between the products. From what we have seen, the people who choose to use OpenSSH instead of SSH Communications SSH do so because it is Free Software. The license for SSH Communications SSH makes it free to use and distribute on BSD and Linux platforms, and for non-commercial use on other platforms, but restricts commercial usage on other platforms. That makes it "not-free" and people have a right to vote against such a license by using an alternative.

    In addition, the history of licensing changes to SSH Communications SSH should be enough to give pause to any company that is considering using it. The license has been opened, closed, and opened again over the years. Do you want to bet your company on a product whose license might change again next year? With the release of SSH Communications SSH 3.X?

  2. Second, imagine, instead, that OpenSSH and ScanSSH and all the other existing programs decide to accede to this request and change their names. How will you find these programs under their new names? Can they use the term "SSH" as a keyword? Can they describe their products as compatible with the "SSH" protocol?

    What, indeed, will the impact be on the standardization process for the SSH protocol? It must be considered important for SSH Communications for the SSH protocol to be adopted as a standard. Providing products based on an acknowledged standard is an important part of their company's worth and reputation. The SSH Protocol is currently under review by the Internet Engineering Task Force. We spoke with Bill Sommerfeld, currently the working group chair. In this note, he provides links to information about the IETF standards process and touches carefully on the impact of the SSH trademark issue. "In practice, IETF working groups tend to "engineer around" troublesome IPR [Intellectual Property] issues; for instance, the SSH version 2 protocol was changed to use DSS instead of RSA to avoid the (now expired) RSA patent. I can't predict how the working group will react to this -- I only know that it will slow things down. Needless to say, added delay in the standards process does not help the end user."

    The trademark dispute is potentially impairing the standards process, which should be of critical importance to SSH Communications.

  3. If neither side backs down, this situation is likely to end up in the hands of lawyers. That is actually the worst situation of all. OpenSSH is an open source product that brings in no revenue for OpenBSD. Embroiling them in an expensive legal wrangle will not reflect well on SSH Communications' public image, whether they win or lose. They may well lose, due to the length of time they've taken to start enforcing their trademark.

    Most important, all of us lose, due to the wasted time and energy.

Looking at all the options above, we would most like to see a fourth option created, that would recognize the concerns voiced by Tatu Ylönen, without trade-marking the name of an Internet standard, particularly one as important to all of us as the SSH protocol standard is.

Standards are developed in order to produce interoperability and foster competition. Trade-marking the name of the standard is simply incompatible with those goals.

Fixes for XFree86 vulnerabilities show up from Debian. XFree86 security issues were a common theme throughout the year 2000. Unfortunately, distribution updates fixing such problems had a tendency to show up late, if ever. For example, in October, 2000, we discussed a list of XFree86 security issues, many of them reported by Chris Evans. Between then and now, we've only reported one distribution update in response to that extensive report. It was from Conectiva and only addressed one of the security problems.

This week, Debian has come out with their XFree86 security update. It addresses twelve XFree86 security issues in XFree86 3.3.6 reported by "Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox, and others". The fixes are also authored by a numerous and well-known group, "including Aaron Campbell, Paulo Cesar Pereira de Andrade, Keith Packard, David Dawes, Matthieu Herrb, Trevor Johnson, Colin Phipps, and Branden Robinson".

The massive size of this set of fixes gives some glimpse into the question as to why distributions have been so slow in getting updates out. Nonetheless, with the release of the Debian updates, it is to be hoped that updates from other distributions will follow much more quickly.

Security Reports

ssh daemon remotely-exploitable integer overflow. A remotely-exploitable integer overflow was reported this week in ssh daemons that include deattack.c. This includes SSH Communications' ssh 1.2.24 and later (but not their ssh 2.X products) and versions of OpenSSH prior to 2.3.0. This vulnerability can lead to a remote attacker executing arbitrary code locally under the uid of the ssh daemon (usually root). OpenSSH users are encouraged to upgrade immediately to 2.3.0. Users of SSH Communications' ssh daemon are encouraged to upgrade to SSH Communications SSH 2.4 (with ssh1 support disabled).

Multiple Linux kernel 2.2 and 2.4 vulnerabilities. Caldera Systems issued an advisory this week reporting two security problems affecting both the Linux 2.2 and 2.4 kernel trees. The first vulnerability allows large parts of Linux kernel memory to be read by passing a negative offset to sysctl. The second vulnerability is a race condition where ptrace is attached to a setuid program and used to modify that program.

Following this report, Red Hat issued their advisory, which included their fixes for the sysctl and ptrace problems, as well as a fix for an unspecified vulnerability specific to the Pentium III patch. Note that the Red Hat advisory credits Solar Designer for discovering the sysctl bug, but this is incorrect. Solar Designer posted a note stating that Chris Evans discovered and reported the sysctl bug.

The security fixes for sysctl and ptrace have been integrated into 2.2.19pre9; the Pentium III bug only affects the 2.2 kernel series if the Pentium III patches have been applied.

Linux 2.4 was not vulnerable to the ptrace issue. Fixes for the sysctl and Pentium III bugs have been integrated into the -ac development tree.
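
A userspace illustration of the class of bug described above for sysctl, where a bounds check that tests only the upper limit lets a negative offset read memory below the intended buffer, shown next to a corrected check. This is an added example, not kernel code and not code from the advisories; the arena layout, function names and sample bytes are constructed for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kernel memory: 16 bytes of unrelated data sit
 * directly below the 16-byte buffer that holds the tunable's value. */
#define MEM_LEN    32
#define VALUE_BASE 16   /* index in mem[] where the tunable starts */
#define VALUE_LEN  16   /* bytes a caller is entitled to read */

static unsigned char mem[MEM_LEN];

void arena_init(void)
{
    memset(mem, 0, sizeof mem);
    memcpy(mem, "ROOT-ONLY-SECRET", 16);       /* constructed sample data */
    memcpy(mem + VALUE_BASE, "tunable=1", 9);  /* constructed sample data */
}

/* Flawed check: both values are signed and only the upper bound is tested,
 * so off = -16, len = 16 gives off + len = 0 and passes. */
int read_value_vuln(int off, int len, unsigned char *out)
{
    if (off + len > VALUE_LEN)
        return -EINVAL;
    memcpy(out, &mem[VALUE_BASE + off], (size_t)len);
    return len;
}

/* Corrected check: reject negative inputs first, then compare in unsigned
 * arithmetic arranged so that the subtraction cannot wrap. */
int read_value_safe(int off, int len, unsigned char *out)
{
    if (off < 0 || len < 0)
        return -EINVAL;
    if ((size_t)off > (size_t)VALUE_LEN ||
        (size_t)len > (size_t)VALUE_LEN - (size_t)off)
        return -EINVAL;
    memcpy(out, &mem[VALUE_BASE + off], (size_t)len);
    return len;
}

int main(void)
{
    unsigned char out[VALUE_LEN + 1] = {0};
    int rc;

    arena_init();

    /* The demo keeps its offsets inside mem[] so the flawed path can be
     * observed without touching memory outside the arena. */
    rc = read_value_vuln(-16, 16, out);
    printf("flawed  off=-16 len=16 -> rc=%d data=\"%.16s\"\n",
           rc, (char *)out);

    rc = read_value_safe(-16, 16, out);
    printf("checked off=-16 len=16 -> rc=%d\n", rc);

    rc = read_value_safe(0, 9, out);
    printf("checked off=0   len=9  -> rc=%d data=\"%.9s\"\n",
           rc, (char *)out);
    return 0;
}
```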

ja-xklock local root compromise. FreeBSD reported a local root compromise in ja-xklock, a "localized" xlock clone which is part of the FreeBSD ports. ja-xklock does not appear to be popular under Linux, but may show up on other BSD systems.

mars_nwe potential remote root compromise. FreeBSD reported a potential remote root compromise in their mars_nwe port, due to a format string vulnerability. Mars_nwe is a Novell NetWare server emulator. This vulnerability is not specific to FreeBSD.

elvis-clone exploitable buffer overflow. A remote root compromise is possible due to an exploitable buffer overflow in two elvis-clones in FreeBSD, ja-elvis and ko-helvis. The buffer overflow was found in the elvrec utility, as a result of an internal audit. This vulnerability is not specific to FreeBSD.

dc20ctrl locally-exploitable buffer overflow. dc20ctrl, a program for controlling Kodak DC20 digital cameras, contains a buffer overflow that can be exploited locally, reports FreeBSD. The overflow can be exploited to gain access to the serial port devices on FreeBSD, however the program itself is not specific to FreeBSD.

FreeBSD-specific advisories. FreeBSD released the following advisories this week for vulnerabilities specific to FreeBSD:

m4 buffer overflow. A buffer overflow in m4 has been reported and confirmed on Slackware 7.1.0 and Red Hat 6.1. Oddly enough, there has been no follow-up to these reports and no update to m4 has been published.

LICQ/GnomeICU denial-of-service vulnerability. Sending an RTF (Rich Text Format) file to LICQ or GnomeICU on a target computer will crash the application, reports No Strezzz Cazzz. Both are applications that support ICQ-based communications. No updates to LICQ have been published. GnomeICU 0.95.1 and 0.95.2 have been released, but the descriptions of these updates do not indicate whether or not this problem has been solved.

Note that a similar problem was reported in kicq and a patch for it has been released.

MySQL buffer overrun. MySQL version 3.23.33 was released this week and contains a fix for two buffer overruns, one in the libmysqlclient library and the other in DROP DATABASE.

Web scripts. The following Web scripts were reported to contain vulnerabilities:

  • Phpnuke is reported to be exploitable remotely to read files, and, depending on the remote configuration, execute PHP code or other arbitrary code on the server. The author is aware of the problem and has released a patched version.
  • An additional problem with PHPNuke was reported by rain forest puppy. After a long, detailed exploration of the problem, amounting to almost a full security audit, he indicates that he communicated the problems to the author; PHP-Nuke 4.4 was released 40 days later, and he does not yet know whether his suggested improvements/fixes have been incorporated.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • IBM's Net.Commerce package, including IBM Net.Commerce and IBM WebSphere Commerce Suite, is reported to contain a remote arbitrary command execution vulnerability due to macros that do not validate user input properly. Net.Commerce version 3.2 and WebSphere Commerce Suite 4.1 contain corrected versions of the macros. Note that although IBM WebSphere includes Apache, Apache itself is not impacted by this report.

Updates

SSH protocol 1.5 key session recovery vulnerability. Check last week's LWN Security Summary for the initial report.

Note that our original coverage contained errors due to our incorrect interpretation of the original advisory. We reported that OpenSSH 2.3.0 and earlier were vulnerable (in addition to ssh1.2.31 and earlier), because a patch to correct the problem had been introduced into the OpenSSH tree. We received feedback this week from Theo de Raadt, Iván Arce and Markus Friedl correcting that impression. In fact, OpenSSH 2.2.0 and later are not exploitable via this vulnerability. The maximum number of concurrent unauthenticated connections is automatically defaulted to 10 and random early drop can also be enabled.
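
How the two limits mentioned above behave, as an added example that is not OpenSSH's code: a small parser and evaluator for a `start:rate:full` policy in the style of sshd's MaxStartups option, where a bare number is a hard cap and the three-field form enables random early drop. The struct, function names and the sample value 10:30:60 are constructed for the illustration.

```c
#include <stdio.h>

/* Parsed policy. A bare number N is a hard cap (start = full = N);
 * "start:rate:full" adds a probabilistic phase between start and full. */
struct startups_policy {
    int start;  /* unauthenticated connections at which dropping begins */
    int rate;   /* drop probability in percent once 'start' is reached */
    int full;   /* count at which every new connection is refused */
};

/* Returns 0 on success, -1 on a malformed or inconsistent value. */
int parse_max_startups(const char *s, struct startups_policy *p)
{
    int start, rate, full, used = 0;

    if (sscanf(s, "%d:%d:%d%n", &start, &rate, &full, &used) == 3 &&
        s[used] == '\0') {
        /* three-field form, validated below */
    } else {
        used = 0;
        if (sscanf(s, "%d%n", &start, &used) != 1 || s[used] != '\0')
            return -1;          /* e.g. "10:30" or trailing garbage */
        rate = 100;
        full = start;
    }
    if (start < 1 || full < start || rate < 1 || rate > 100)
        return -1;

    p->start = start;
    p->rate = rate;
    p->full = full;
    return 0;
}

/* Percentage of new connections refused while 'unauth' unauthenticated
 * connections are already open: 0 below start, 'rate' at start, rising
 * linearly to 100 at full. */
int drop_percent(const struct startups_policy *p, int unauth)
{
    if (unauth < p->start)
        return 0;
    if (unauth >= p->full)
        return 100;
    return p->rate +
           (100 - p->rate) * (unauth - p->start) / (p->full - p->start);
}

int main(void)
{
    const char *samples[] = { "10", "10:30:60" };  /* constructed values */
    const int loads[] = { 5, 10, 35, 59, 60 };
    struct startups_policy p;
    size_t i, j;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_max_startups(samples[i], &p) != 0) {
            printf("%s: rejected\n", samples[i]);
            continue;
        }
        printf("policy %s\n", samples[i]);
        for (j = 0; j < sizeof loads / sizeof loads[0]; j++)
            printf("  %2d unauthenticated -> drop %3d%%\n",
                   loads[j], drop_percent(&p, loads[j]));
    }
    return 0;
}
```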

Multiple vulnerabilities in bind 8.2.2 and bind 4. Check the February 1st LWN Security Summary for the initial reports. Bind 8.2.3 contains fixes for the problems with 8.2.2. Bind 4 fixes are also available, but an upgrade to bind 8 or even bind 9 is generally considered a preferable approach.

Multiple vulnerabilities in ProFTPD. Check the February 8th, 2001 LWN Security Summary for details. ProFTPD 1.2.0rc3 contains fixes for all the above problems.

Previous updates:
  • Cobalt, unofficial package updates (February 8th)

man -l format string vulnerability. Check the February 8th LWN Security Summary for details. Note that only distributions with a man command that supports the "-l" option are affected. This would include SuSE, Debian and distributions derived from them.

Secure Locate buffer overflow. Check the November 30th, 2000 LWN Security Summary for the original report of this problem.

Netscape 4.75 buffer overflow. First spotted via this FreeBSD advisory and reported on November 9th, a buffer overflow in Netscape 4.75 enables a client-side exploit. Check the November 9th LWN Security Summary for our original report. Netscape 4.76, which was released on October 24th, fixes the problem.

Resources

ScanSSH. Niels Provos has released a protocol scanner, currently named ScanSSH, which can be used to help find vulnerable SSH daemons so they can be upgraded quickly.

Ramenfind 0.4. A new version of the Ramenfind script was released this week. It handles a new Ramen variant that showed up this past week. That should also be a reminder to everyone to apply your security updates, the best way to protect against the Ramen worm.

Events

Call for Papers: New Security Paradigms Workshop (NSPW). Crispin Cowan sent out the Call-For-Papers for this year's New Security Paradigms Workshop, which is being held September 11th through the 14th, 2001, in Cloudcroft, New Mexico, USA. "In order to preserve the small, focused nature of the workshop, participation is limited to authors of accepted papers and conference organizers. Because we expect new paradigms we accept wide-ranging topics in information security. Any paper that presents a significant shift in thinking about difficult security issues or builds on a previous shift is welcomed."

Upcoming security events.

Date                         Event                               Location
February 19-22, 2001         Financial Cryptography 2001         Grand Cayman, BWI
February 19-22, 2001         VPN Con                             San Jose, CA, USA
February 24-March 1, 2001    InfoSec World 2001                  Orlando, FL, USA
March 3-6, 2001              EICAR and Anti-Malware Conference   Munich, Germany
March 27-28, 2001            eSecurity                           Boston, MA, USA
March 30-April 1, 2001       @LANta.CON                          Doraville, GA, USA
April 6-8, 2001              Rubi Con 2001                       Detroit, MI, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


February 15, 2001


Kernel development


The current kernel release is still 2.4.1. Linus's 2.4.2 prepatch is up to 2.4.2pre3; there is, as he put it, "nothing too radical" there. 2.4.2pre2 had been a bit more radical, however, with the addition of support for an entirely new architecture: a port to the Axis ETRAX 100LX embedded network CPU. Alan Cox, meanwhile, is up to 2.4.1ac13; this patch contains much more stuff.

On the 2.2 front, work toward the 2.2.19 release continues with 2.2.19pre12. There has been no word on when the stable release might happen.

Zero-copy networking encounters the powder rule. David Miller has released yet another version of his zero-copy networking patch. He claims to be happy with this one: there are "no known bugs" at this point. There does remain, however, a performance penalty for normal network writes that do not use the zero-copy mechanism; that is something they plan to work on in the future.

For the moment, however, David has invoked the "powder rule": six feet (just under 2m for you non-US folks) of new snow at Lake Tahoe means that not much work is going to get done for a while. All is not lost, however; David will be taking his laptop and working on the code when the lifts are not running...

Cool tool: User-mode Linux. A useful tool which has been around for a while now, but which, perhaps, has not received the attention it should is User-mode Linux. This package, which goes by the acronym UML (despite the possibility of confusion with the Unified Modeling Language known to object-oriented designers), should be in the toolkit of just about anybody who likes to play with kernels or with the Linux system in general.

UML, technically, is a port of the Linux kernel to a new architecture. Most ports move the kernel to a new processor; the UML port, instead, uses the Linux system call interface as its "instruction set." Thus, the UML kernel will run underneath an existing Linux kernel. It runs as a set of user processes, and pops up one or more xterm windows as its virtual consoles. Its "disk drives" map to files on the filesystem.

Why is this interesting? Consider some of the things that can be done with User-mode Linux:

  • It is a beautiful environment for many kinds of kernel hacking. A UML kernel that crashes cannot corrupt a real system, so recovery is quick. Even better, though, is the fact that every process running on the UML kernel is, in fact, a process on the host system. Thus, those looking to debug weird problems need only point their favorite interactive debugger at the right process. For many problems, the need for lots of printk() calls or for kdb and its low-level interface is past.

  • Experimenting with new distributions. The system running under the UML kernel need not run the same distribution as the host system. In fact, the UML distribution provides root disk images for several distributions. It's a trivial task to boot up a new distribution and see what it looks like without needing to actually go through an installation or risk what you currently have installed.

  • Trying out other software. If you're not sure what a program might do to your system, you can install it on a UML system and find out. Even the nastiest of malware will be hard put to escape from the UML jail.

  • Playing with network services. UML includes a virtual network interface which can be connected to other running UML kernels, thus allowing the creation of a virtual network on a single host. Want to play with networking code on an unattached laptop in a ski lodge? With UML, you can.

UML in its current form still has some limitations. It can not, for example, simulate a multiprocessor system - a feature that would be nice for many developers. There is also no way, currently, to give a UML kernel controlled access to a real device on the host system, meaning that UML is still not all that useful for developing device drivers. UML developer Jeff Dike tells us that both of these capabilities are on the wishlist, with SMP simulation being at the top.

Currently, UML exists as a separate patch to the Linux kernel. The word is that both Linus and Alan Cox would like to see it added to the mainline kernel tree, however. Mr. Dike hopes to see it go into 2.4 before the next development series starts. As a separate "architecture," UML should be relatively easy to add, even to a stable kernel series, without creating problems.

IBM open-sources Mwave modem driver. The IBM Mwave ACP modem page shows that, as of today, the driver for these "WinModems" is now available under the GPL. This modem is used in IBM ThinkPad 600E systems. It's taken a long time, but WinModems are increasingly supported devices on Linux. (Thanks to Thomas Hood).

Other patches and updates released this week include:

Section Editor: Jonathan Corbet


February 15, 2001

For other kernel news, see:

Other resources:

   


See also: last week's Distributions page.

Lists of Distributions
distrowatch
ibiblio
Kernelnotes
Linux.com
LinuxLinks
Woven Goods

Embedded Distributions:
3ilinux
Bifrost

BluePoint Embedded
Compact Linux
Coollinux
DSPLinux
ELinOS
ELKS
Embedded Debian
Embedix
Etlinux
FlightLinux
Hard Hat Linux
Jailbait
Linux/Coldfire
LEM
Midori
NeoLinux
OnCore Systems
PeeWeeLinux
RedBlue Linux
RedIce-Linux
Royal Linux
RTLinux
Tynux
uClinux
White Dwarf Linux

Handhelds/PDAs
Agenda-VR
Familiar (iPAQ)
Intimate (iPAQ)
Linux DA
PocketLinux
PsiLinux

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Special Purpose/Mini
2-Disk Xwindow System
Mindi Linux
SmoothWall

Floppy-based
Brutalware
BYLD
Coyote Linux
DLX
Fd Linux
Fli4l (Floppy ISDN/DSL)
floppyfw
Floppix
FREESCO
Linux in a Pillbox (LIAP)
Linux Router Project
LOAF
muLinux
Nuclinux
Proxyfloppy
ShareTheNet
Small Linux
Tomsrtbt
Viralinux_II

CD-based
BasicLinux
BBLCD Toolkit
CDLinux
Crash Recovery Kit
DemoLinux
Devil-Linux
Finnix
Gibraltar
innominate Bootable Business Card
Linuxcare Bootable Business Card
LNX-BBC
MkCDrec
RunOnCD
Sentry Firewall
SuperRescue
Timo's Rescue CD
Ututo
Virtual Linux

Zip disk-based
NBROK
ZipSlack

Small Disk
hal91
MicroLinux
Peanut Linux
PKLinux
Relax Linux
TA-Linux
Tomukas
ttylinux
VectorLinux

Wireless
Bambi Linux
Flying Linux

Hardware-specific
(ARM)
ARM Linux
(Beowulf)
Scyld Beowulf
(IBM)
Think Blue Linux
(Oracle's NIC)
NIC Linux
(PA-RISC)
PA-RISC Linux
(Playstation)
Runix
(PowerPC)
Black Lab Linux
LinuxPPC
MkLinux
Yellow Dog
(Sparc)
Splack
UltraLinux
(Older Intel)
ClarkConnect
Monkey Linux
TINY

DOS/Windows install
Armed Linux
DragonLinux
Phat Linux

Diskless Terminal
GNU/Linux TerminalServer for Schools
K12LTSP
LTSP
Pygmy
Xdenu

Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

ODS Linux. ODS Linux announced its existence this week. The company plans on selling preconfigured versions of the Linux operating system, with support and service. Using a web-based GUI, users can preconfigure a Debian Linux distribution for an existing system. The user tells the ODS system about the hardware they have and the software they want and ODS will ship out a package consisting of a custom boot floppy, manuals and software CDs. Versions of the service for other Linux distributions are planned.

Distribution Reviews

OpenBSD 2.8 (DukeOfUrl). The DukeOfUrl reviews OpenBSD 2.8. "OpenBSD is designed for security, and is "secure by default" (as their motto states), users wishing to have a functional and secure server need not toil with permissions and services, and in some cases, one needs to do nothing more than install the operating system and watch in awe as it does its work. Having worked on securing many Linux servers, believe me, OpenBSD is quite a vacation for both the system administrator or even just a user concerned with his or her security."

SuSE Linux 7.1. Here's a review of SuSE Linux 7.1 on SuSE's Linux Knowledge Portal. "Purists and Linux oldies might regard this abundance of graphical functions as an unnecessary concession to the colorful realm of contemporary desktops and its mass market. However, it is a great help for Linux newcomers and former users of other operating systems, who would be quite baffled by rather cryptic configuration files. Yet, this should not hinder any of the newcomers to try to acquire some background knowledge to understand them :-)"

New Distributions

NBROK Linux. NBROK Linux is a small Linux distribution which fits on a ZIP-100 drive.

General-Purpose Distributions

Linux-Mandrake News. Here's a press release from MandrakeSoft and Macmillan USA proclaiming that, according to PC Data, Linux-Mandrake 7.2 was the best selling Linux distribution in December, 2000; it had a 28% market share. The PR is not explicit, but one assumes they are looking at the U.S. market.

Cooker CD images available. ISOs of the current Linux-Mandrake development version, "Cooker", (eventually Linux-Mandrake version 8.0), have been made available on the ISO mirrors. "These ISOs represent a development version, a lot of work is still needed, however you can see what chosen directions are, and give your feedbacks and comments about the present choices. Please be aware that this version is not considered as stable, and should not in any way be used in a production environment."

Debian Weekly News. The Debian Weekly News for February 13 is out. It covers the continuing campaign for the next project leader (four candidates now), changes to the new maintainer process, troubles with the "testing" distribution, and more.

Debian net-tools. Debian reported that the new version of net-tools in unstable is completely and utterly broken. However, if you have iproute installed you can still get your network up and running.

Kernel Cousins. The Debian Kernel Cousin Issue #22 contains "Wishful Thinking About Package Management", "Translation of Install Messages" and other topics. The Debian Hurd Kernel Cousin Issue #79 contains "Hurd Ports" and more.

Debian OpenBSD? Andreas Schuldei has announced his intent to create a "Debian OpenBSD" distribution. His purpose is to create a highly secure system with the feel of a Debian system - using the Debian package manager, SysV init scripts, etc. It would be based, however, on the OpenBSD kernel and userland utilities (i.e. no GNU tools).

Needless to say, this suggestion raised some eyebrows. Debian has always been an overtly GNU system; would it still be Debian without the GNU tools? Might not it be better to just port dpkg to OpenBSD, if OpenBSD is what you want to use? Or, could not the effort of making this distribution be used to perform an OpenBSD-style security audit of the existing Debian distribution?

The overall reception was skeptical, to say the least. Mr. Schuldei may find it difficult to attract enough developers to build his distribution in the near future. Everybody, however, agreed that he has the right to try...

Astaro Security Linux. Astaro Security Linux has a new version based on a specially hardened Linux 2.4 kernel.

Embedded Distributions

Lineo releases uCdimm. Lineo, Inc. announced the availability of the uCdimm microcontroller module for the DragonBall VZ microcontroller and uCevolution, a new host platform which gives developers a quick way to cross port a variety of processors. These two new products will be bundled in the Lineo uClinux Development Kit.

M-Systems and TUXIA Announce Support for DiskOnChip. M-Systems Flash Disk Pioneers Ltd. and TUXIA announced support for DiskOnChip(R) within TASTE (TUXIA Appliance Synthesis Technology Enabled), an embedded Linux distribution.

Coyote Linux. The Coyote Linux Windows Disk Creator has been updated a couple of times this week. Also Coyote Linux v1.28 has been released and is available for download. This version fixes a security exploit in the SSHd daemon and adds the ICQ and H.323 masquerading modules. Anyone with a version of Coyote Linux prior to 1.28 that is using the SSH daemon should upgrade.

Section Editor: Rebecca Sobol


February 15, 2001

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.


Leading
Caldera OpenLinux
Debian GNU/Linux
Linux-Mandrake
Red Hat
Slackware
SuSE
TurboLinux

Also well-known
ASPLinux
Best Linux
Conectiva Linux
e-smith

Progeny
Rock Linux

Non-technical desktop
easyLinux
Icepack Linux
Independence
LibraNet
Redmond Linux
WinSlack

Education
Boston University
kmLinux
LinuxFromScratch
OpenClassroom
Red Escolar

General Purpose
Alzza Linux
aXon Linux
Bad Penguin Linux
BearOps
Black Cat Linux
BluePoint Linux
BYO Linux
CAEN Linux
Cafe Linux
ChainSaw Linux
Circle MUDLinux
cLIeNUX
Complete Linux
Console Linux
Corel Linux
CRUX
Darkstar Linux
DLite
easyLinux
Elfstone Linux
ESware Linux
Eurielec Linux
eXecutive Linux
Fried Chicken
FTOSX
FullPliant
Gentoo
Go!Linux
HA Linux
Halloween Linux
HispaFuentes
IceLinux
Ivrix
ix86 Linux
J-LINUX
JBLinux
Jurix
KRUD
KSI-Linux
Lanthan Linux
Laonux
LASER5
Leetnux
Linpus Linux
Linux Cyrillic Edition
Linux MLD
LinuxOne OS
LinuxPPP
Linux Pro Plus
Linux-SIS
LNX System
LoopLinux
LSD
Lute Linux
MageNet
Mastodon
MaxOS
minilinux
MSC.Linux

NoMad Linux
Omoikane GNU/Linux
PingOO Linux
Plamo Linux
PLD
Project Ballantain
PROSA
Rabid Squirrel
Repairlix
Root Linux
Scrudgeware
Serial Terminal
Sorcerer
spyLinux
Stampede
Stataboware
TechLinux
TimeSys Linux/RT
Tom Linux
Trinux
Turkuaz
Ute-Linux
VA-enhanced Red Hat
Vine Linux
Virtual Linux
WholeLinux
WinLinux 2000
XTeamLinux
ZipSpeak

Country-specific
Argentina
GNU/Linux Ututo
Britain
Definite Linux
Eridani
China
COSIX
Red Flag
France
Linux/MNIS
Italy
LinuxEspresso
Madeinlinux
Vedova
Spain
Linux Esware
Thailand
Kaiwal Linux
Thai Linux Extension

Related Projects
Chinese Linux Extension

Historical (Non-active)
Dualix
Gentus
Giotto
MCC Interim Linux
OS2000
Storm Linux


   


See also: last week's Development page.

Development projects


Browsers

Mozilla Weekly Independent Status Report. A new Mozilla Weekly Independent Status Report is available. Topics include Hermes, Sherlock, Galeon, Jabberzilla, and Chameleon.

Databases

Controlling Data Display with ORDER BY (ONLamp.com). John Paul Ashenfelter writes about SQL's ORDER BY clause in this ONLamp article. This is one in a series of articles on SQL which introduce database concepts to software developers.

Education

SEUL/edu Linux in Education Report for February 12, 2001. The February 12, 2001 issue of the SEUL/edu Linux in Education Report is out. Topics include a new SEUL/edu wiki page, teaching Perl to 9th and 10th graders, building diskless Linux kiosks for school labs, embedded Linux robots, and more.

Embedded Systems

Embedded Linux Newsletter for Feb. 8, 2001. The LinuxDevices Embedded Linux Journal for February 8, 2001 is available with the latest news from the world of embedded Linux.

Linux BIOS/bootloader for AMD Elan now released under GPL (Linux Devices). Telos announced the first public release of its alios Linux boot loader under the GPL license. "alios has been designed to completely eliminate the need for a BIOS and to load the Linux kernel image from solid state memory such as Flash ROM. Optionally, a RAM disk image may be loaded from ROM then as well."

Games

WorldForge releases Acorn 0.3. The WorldForge project has announced the release of Acorn 0.3. This release brings a great many improvements to this game, which is intended to be a demonstration of what the WorldForge framework can do at this point.

Pygame-0.9 available. A new version of the pygame package has been announced with a 1.0 release scheduled for the near future. "Pygame is a set of python modules written to help create games in Python."

Network Management

OpenNMS update for February 13. Here is the OpenNMS update for February 13, detailing the latest with the network management software project. Among other things, it talks about the 0.6 release, which was released on February 14, 2001. The new version may be obtained from the OpenNMS download page.

Office Applications

ZRadiale - a free contact manager. A free contact manager system called "ZRadiale" has just been released. The announcement is in French, but the project's web site is in English. ZRadiale is based on Zope, is licensed under the GPL, and is available now.

Gimp's tools: selection and color correction (LinuxFocus). Yves Ceccone has put together a tutorial on the Gimp tools for selection and color correction. The tutorial is full of useful information.

New Gimp site: gimpforce.org. The Gimp User Group has put together Gimpforce, a web site that features Gimp related galleries, tutorials, news, and more.

On the Desktop

Planning GNOME 2.0. Miguel de Icaza has posted a document describing how he thinks the GNOME 2.0 development process should go. He is arguing for a relatively conservative approach to new features and such; apparently the switch to the Gtk 2.0 toolkit is going to present enough challenges as it is. "Besides, GNOME 2.0 is not the end of GNOME. GNOME 2.0 is just the next major release of GNOME. There is always a chance for us to redeem our pride as programmers, hackers and architects with GNOME 3.0 and GNOME 4.0." A new Goals for Gnome 2.0 document has also been released.

Anti-aliasing in GNOME. The Gnotices site reports on the availability of anti-aliasing code for GNOME, implemented with Keith Packard's Render extension by Jacob Berkman and Vladimir Vukicevic.

KDE 2.1 release schedule. The KDE 2.1 release schedule has been posted; it currently calls for a one-week delay, putting the final release on February 26.

The People Behind KDE: Jono Bacon. The People Behind KDE series continues with a look at Jono Bacon, the maintainer of Kafka and the developer of KDE Developer Center and KCVSApplet.

Printing Systems

Updated Source distribution for CUPS. A new source distribution for the CUPS print system has been announced. A number of security fixes are included as well as some SuSE compatibility additions.

Web-site Development

The Apache-Tcl project launches. Here is the announcement of the launch of the Apache-Tcl project, which will be working toward the integration of the Apache web server and the Tcl scripting language.

And Then Came Zope ... (SD Times). SD Times looks at Zope. "SD Times is written for software development managers, not for hackers, and we columnists try to maintain a professional tone about technologies and products, but there's no accurate way to talk about Zope without liberal use of exclamation marks and hyperbole. Zope is sick insane!!!!! It's the greatest thing since Bind!!!!! It's the finest language innovation since Guido van Rossum decided to use indenting for scoping!!! And so forth."

PHP Weekly News for February 12, 2001. The February 12, 2001 issue of the PHP Weekly News is out. Topics include PAM support, a safe mode redesign, database abstraction extensions, tiny PHP support, and more.

Section Editor: Forrest Cook


February 15, 2001


Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

   

 

Programming Languages


ERLANG

xmerl 0.12. A new release of xmerl, an ERLANG based XML toolkit is available. Other new Erlang contributions are also available on the same site.

Haskell

Haskell Language Developments. Several announcements have recently been posted concerning the Haskell language. Among them are:

To be technically accurate, GHC really stands for the Glasgow Haskell Compiler (Thanks to Julian Seward).

Java

Struts, an open-source MVC implementation (IBM developerWorks). Malcolm Davis has written an IBM developerWorks article on the Struts Framework. "This article introduces Struts, a Model-View-Controller implementation that uses servlets and JavaServer Pages (JSP) technology. Struts can help you control change in your Web project and promote specialization. Even if you never implement a system with Struts, you may get some ideas for your future servlets and JSP page implementations."

Perl

Perl 5 Porters for February 12, 2001. The February 12, 2001 edition of the Perl 5 porters list is available. Topics include updates to the Perl FAQ, Namespace for IO Layers, Memory Leak Plumbing, Shared functions, Perl 6, and more.

Makerpm 0.200 released. A new version of makerpm has been announced. Makerpm is a utility that turns perl modules into RPM files.

Python

Python-dev summary for January 31. A.M. Kuchling's Python-dev summary for January 31 is out. It covers a number of development issues, including a pointer to his What's New in Python 2.1 document. It is also the last one he plans to write; he does not think that the Python-dev summary has had the effect he was after (making the Python development process more transparent). Python-dev has been a great resource; it will be missed.

The Python-crypto mailing list. A new mailing list for the development of cryptographic software in Python has been announced. It's hosted in the Netherlands, due to continued nervousness about what U.S. policy on crypto software really is.

Transforming Python performance data (IBM developerWorks). Chimezie Thomas-Ogbuji discusses how to profile Python programs with XML and XSLT in an IBM developerWorks article. "This article covers how to use XML technologies to build a better profiling tool for Python programs. It also describes how to generate an XML call tree from collected profile data, including function call information, such as the number of calls and cumulative time spent in function calls. The article includes sample code for building a DOM tree, an XSLT style sheet that transforms the XML tree of profile data into an informative HTML page, and other sample code."

This week's Python-URL. Here is the February 14, 2001 edition of the Dr. Dobb's Python-URL. Discussions include a CPAN-like service for Python, pure-Python encryption tools, a Python powered QuakeWorld server, and boolean COM properties.

Python Books Online (O'Reilly). Stephen Figgins writes about online Python books in an O'Reilly Python Devcenter article. "The high quality of online tutorials for both beginning and experienced programmers is an extension of the supportive Python community. It's one more thing that sets Python apart from other scripting languages."

Python Megawidgets 0.8.5 released. A new version of Python Megawidgets has been announced. This version is mainly a bug-fix release. "Pmw is a toolkit for building high-level compound widgets in Python using the Tkinter module."

Tcl/Tk

This week's Tcl-URL. Here is the Dr. Dobb's Tcl-URL for February 14. Topics this week include a tcl binary scan, tclperl-2.1, moodss 13.1, an open-source interface builder, and more.

tclperl-2.1 released. A new version of tclperl has been announced. Tclperl allows the execution of Perl code from a Tcl interpreter.

Software Development Tools

Cervisia, a graphical frontend for the CVS client. A new version of Cervisia, version 1.1, has been announced. Cervisia gives CVS a graphical front end under KDE. Cervisia is distributed under the Q Public License.

Documentation

'The Art of Unix Programming' gets two new chapters. Eric Raymond's The Art of Unix Programming is a slow-moving, open book that he is writing with input from folks on the net. Eric has just announced the addition of chapters 3 and 4. Chapter 3 covers the various programming languages available on Unix systems, while chapter 4 gets into other development tools. As always, he is looking for feedback and suggestions.

Linux Documentation Project News. Here is the latest news from the Linux Documentation Project. Included is a new document on securing Apache under RedHat Linux. Numerous other documents have also been updated. (Thanks to David Merrill).

Section Editor: Forrest Cook

 
Language Links
Caml
Caml Hump
Tiny COBOL
Erlang
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
Guile
Haskell
IBM Java Zone
Jython
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP
PHP Weekly Summary
Daily Python-URL
Python.org
Python.faqts
Python Eggs
Ruby
Ruby Garden
MIT Scheme
Schemers
Squeak
Smalltalk
Why Smalltalk
Tcl Developer Xchange
Tcl-tk.net
O'Reilly's XML.com
Regular Expressions
   


See also: last week's Commerce page.

Linux and Business


'Business Ethics' in the Open Source Community? KDE developers Kurt Granroth and Andreas Pour were searching for KDE links on Google when they encountered a sponsored link to Ximian, a developer of "that other desktop", GNOME. That prompted this open letter on Ximian's tactic of buying KDE-oriented keywords on the Google search engine. "Tactics like this are considered 'legal risks' in the cut-throat proprietary business world. They almost always result in lawsuits due to trademark infringement. Is that what the open source community has devolved into? Has the old fraternity based on integrity, pride and 'settling it with code' been replaced by greed, deception and 'we'll see you in court'?"

Ximian then posted this response to complaints about its sponsored links on Google, and to the open letter from Kurt Granroth and Andreas Pour in particular. "Ximian designed its advertising strategy in good faith, and had no intention to offend or deceive anyone. Pour and Granroth, too, had sought in good faith to avoid confusion between the KDE and GNOME products, rather than to sow controversy." Among other things, the sponsored links have been removed.

This particular dispute has been resolved successfully, and it is nice to see that the open source community can resolve issues without lawsuits and recriminations. It provides a happy contrast to the patent and trademark issues discussed on both the Front page and the Security page this week.

Conflict Emerges among St. Louis-Area Free Software Companies (St. Louis Post-Dispatch). The St. Louis Post-Dispatch has put up an article on the dispute between SAIR and LinuxGruven. "Meanwhile, a Wave subsidiary, Sair Linux of Oxford, Miss., has suspended Linuxgruven as one of its accredited centers for learning Linux. Sair Linux says Linuxgruven failed to hire instructors that have passed Sair's tests on using its teaching materials. In addition, critics have lodged complaints on the Internet and with the Better Business Bureau, charging Linuxgruven with deceptive advertising. Linuxgruven recently advertised a $45,009-a-year job that appeared to be a come-on for its training courses."

O'Reilly releases new CatB. O'Reilly has announced the release of a revised and expanded version of Eric Raymond's The Cathedral and the Bazaar. Among other things, it has new essays on "the economics of open source" and "open source as a competitive weapon."

O'Reilly 2001 P2P Industry Overview. O'Reilly is getting into the fancy research report business. The company has just announced the availability of the '2001 P2P Industry Overview', describing where they think the peer-to-peer industry is going. Introductory price: $895.

Opera 5.02b6 for Linux available. Opera Software has announced the availability of the Opera 5.02 browser (6th beta version) for Linux. The "ad-supported version" can be downloaded for free, or one can pay $39 for a version without ads.

Caldera and SCO change acquisition agreement. Caldera Systems and SCO have announced some changes in the terms of their acquisition deal. Caldera now gets complete ownership of the OpenServer line, and will be paying more: $23 million in cash up front, $8 million more later on, and 16 million shares in stock. They expect to close in the second quarter of this year.

Caldera OpenLinux eServer now preloaded on Compaq servers. Caldera Systems has announced that Compaq will be selling OpenLinux eServer preloaded on some of its ProLiant servers.

Teaching Penguins to Fly (IT Forecaster). IDC's IT Forecaster has put up an article on the future of Linux support services. They expect the market to grow in a big way. "Members of open source communities are used to freely helping one another to solve technical problems. This distributed model of self-help breaks down as Linux slips into user organizations, where IT managers may have few connections to the corps of coders and may have little input beyond bug reports to give back to the movement."

For your amusement: Windows 2000 clusters. Found on the Microsoft site: this page on "Industry-Standard Clusters from Microsoft and Intel." "Now anyone with massive computing needs can create clusters using commercial off-the-shelf (COTS) PCs and a shrink-wrapped version of Windows 2000. This is a first in computing history and means that inexpensive industry-standard components can now scale to the highest levels of performance." A "first in computing history" indeed...

Linux Stock Index for February 08 to February 14, 2001.

LSI at closing on February 08, 2001 ... 40.44
LSI at closing on February 14, 2001 ... 38.31

The high for the week was 40.44
The low for the week was 37.95

Press Releases:

Open Source Products

Unless specified, license is unverified.
  • Nevrax (Nevrax France) has released a new version of the game NeL. NeL is available under the terms of the GNU General Public License.

  • Oki Data (MOUNT LAUREL, N.J.) announced it worked with IBM to develop the new open source Omni Linux Drivers that are compatible with more than two-dozen OKI Impact Printers.

Distributions and Bundled Products

  • Knox Software (Carlsbad, California) announced that the Free Version of its flagship product, Arkeia, is included with SuSE's 2nd Generation eMail Server II.

  • Linux2order (PROVO, UT) announced it will donate 20% of its CD-ROM sales, gross revenues, from the new co-branded site kde.Linux2order.com to the KDE project.

Proprietary Products for Linux

  • AccuSoft Corporation announced that its imaging toolkit, ImageGear, is now available for UNIX platforms: AIX, Sun Solaris and Linux.

  • Beta Computronics Pvt. Ltd. announced that IVRS, Interactive Voice Response System, can be built around a voice modem and Linux. The perl module to implement the various IVRS functions like Voice Mail, Tele banking, Product information, Fax on demand and Call center is available at http://search.cpan.org/search?mode=module&query=ivrs.

  • Enhanced Software Technologies Inc. (PHOENIX) announced its newest data protection product for Linux-centric networks, BRU-Pro.

  • FineGround Networks, Inc. (PHOENIX, DEMO 2001) unveiled its patent-pending Condensation technology for accelerating dynamic web content. The FineGround Condenser is available immediately on Linux platforms. Pricing starts at $50,000.

  • Hyperion Software announced its first games release for Linux. You can order the game now from Tux Games for $26.

  • MUSICMATCH (SAN DIEGO) released the gold version of MUSICMATCH Jukebox Plus for Linux.

Products and Services Using Linux

  • I-Logix Inc. (ANDOVER, Mass.) announced Rhapsody 3.0, with capabilities that allow developers to bridge the gap between design-level and code-level testing.

  • Kreatel Communications (CAMPBELL, Calif.) is in full production with its Tornado/K5 digital set-top box which runs on a Linux operating system with Mozilla Web browser.

  • Lexra (SAN JOSE, Calif.) introduced its new LX-PB20K Hardware/Software Development Board. Lexra has partnered with AMIRIX to provide embedded Linux for the LX-PB20K board.

  • Rauch Medien (New York, USA) announced the release of their RM Internet Server Appliance. The RM Internet Server Appliance offers a complete Internet (HTTP, FTP, and EMAIL) server solution based on the Linux OS in a 1U chassis.

  • Virata Corporation (SANTA CLARA, Calif.) announced that its Lithium communications processor, Magnesium DSP, and vCore voice software package have been selected by TGF Linux Communications, Inc. for use in its integrated Linux server designed to streamline voice and data applications.

Products with Linux Versions

  • Insightful Corporation (CHICAGO), formerly MathSoft, Inc., announced the release of S-PLUS Analytic Server, software that delivers enterprise information to decision-makers using Java software or via the Web.

  • Jungo announced the beta version of WinDriver and KernelDriver version 5.0, its driver development tools which offer hardware access and code generation capabilities, through a rich API.

  • Platform Computing Corporation (TORONTO) introduced LSF (Load Sharing Facility) version 4.1 with new features that incorporate support for all Linux versions and expanded capabilities for parallel processing.

  • Smart Storage Inc. (ANDOVER, Mass.) announced major upgrades to several products in their On-Line Archive product family. SmartStor Archive v. 4.0 and SmartStor Jukeman v. 3.0, offer significant new functionality over previous versions, including Linux support.

  • WebPartner (CUPERTINO, CA) announced WebPartner Performance Suite, a comprehensive enterprise solution that includes both front-end and back-end IT performance monitoring and management.

  • Willamette HDL, Inc. (BEAVERTON, Ore.) began shipping AccurateC, a language rule checker developed for C/C++-based electronic design and the system-level design modeling platform, SystemC.

Java Products

  • HP (PALO ALTO, Calif.) introduced HP MicrochaiVM, the micro edition of HP ChaiVM, a Java application environment for intelligent appliances. The developer's release of HP MicrochaiVM with CLDC is available now. Linux, PalmOS, and PocketPC are the supported platforms.

  • ONTOS, Inc. (ANDOVER, Mass.) released the Professional version of ObjectSpark 4.5, a software tool that automates the generation of high-performance, transactional data components.

Partnerships

  • American Power Conversion (WEST KINGSTON, R.I.) announced that APC has been named the provider of power protection solutions for Penguin Computing Inc.

  • Lineo and PointBase, Inc. (LINDON, Utah) announced that they will form a strategic partnership to target the embedded systems market. As part of the strategic agreement, the companies will integrate PointBase's 100% Pure Java object-relational database management software with the Lineo Embedix SDK.

  • Macmillan Software (INDIANAPOLIS) announced its new partnership with NeTraverse, a developer of Windows application support software for the Linux operating system. Through this partnership, NeTraverse will gain the distribution capabilities of Macmillan Software, while Macmillan Software will enhance its menu of Linux operating systems, applications, and tools.

Investments and Acquisitions

  • Google Inc. (MOUNTAIN VIEW, Calif.) announced that it has acquired Deja.com's Usenet Discussion Service. This acquisition provides Google with Deja's entire Usenet archive (dating back to 1995), software, domain names including deja.com and dejanews.com, company trademarks, and other intellectual property. Financial terms of this transaction were not released.

Personnel

  • eOn Communications Corporation (ATLANTA) announced changes to its senior management team, the restructuring of operations and product lines to improve profitability, and measures to focus operating resources on its Linux-based communications systems and software business.

  • Webb Interactive Services, Inc. (DENVER) announced the appointment of Rob Balgley as President and CEO of its Jabber.com, Inc. subsidiary.

Linux At Work

  • ACTS Corporation (KINGSLAND, Texas) announced a cost effective, Web-based testing solution with the release of TestManager, an advanced Web-based examination, evaluation and administration tool. TestManager is hosted on an IBM S/390 platform running Linux.

  • Blackstone Technology Group, Inc. (WORCESTER, Mass.) announced that it has built an introductory distributed supercomputing solution for Pfizer, Inc., a large pharmaceutical company. Blackstone's solution runs on the Linux operating system on Intel-based processors.

  • Interface Concept (PARIS & SUNNYVALE, Calif.) has selected the Hard Hat Linux operating system from MontaVista Software to run the company's new high performance LAN-WAN remote access communications server and Ethernet switches.

  • weather.com (ATLANTA) announced site enhancements. The new site uses Linux, ORACLE, IBM WebSphere and other technologies.

Other

  • Linux Journal (NEW YORK, NY), the monthly print magazine, won the LinuxWorld Expo Show Favorite award for "Best Publication".

  • VA Linux Systems, Inc. (FREMONT, Calif.) announced that SourceForge OnSite received top honors at last week's LinuxWorld Expo.

Section Editor: Rebecca Sobol.


February 15, 2001

   


See also: last week's Linux in the news page.

Linux in the news


Recommended Reading

Gnutella is Dead (ZDNet). ZDNet reports on gnutella's scalability problems. "But essentially, if user A makes a request for a file from user B, who is offline, the software sends a 'push' packet broadcast to all the other computers connected to user A instead of routing it back to where it came from. This lack of routing and pushing when the host is offline contributes to more than 50 percent of the total traffic on bad days."

Herbert Simon Dies (PG News). The PG News site is carrying a brief article on the death of Herbert Simon. Mr. Simon worked primarily in economics, but had a large influence on Computer Science and AI as well. Anybody who hasn't read The Sciences of the Artificial should go out and get a copy now...

Landmark Linux Tome Updated (Wired). Wired News has put up an article on the revised version of The Cathedral and the Bazaar. "Think you've read it already? You probably haven't. [Eric] Raymond has often said that the book is an ongoing project that will probably never be finished, and he's recently updated the book again with significant new material." (Thanks to Jay R. Ashworth).

Linux World

A walk on the Embedded side ... of LinuxWorld NY (LinuxDevices.com). LinuxDevices.com has put together a lengthy summary of LinuxWorld from an embedded systems point of view. "In fact, I'll venture a (self-serving?) prediction that this year is shaping up to be 'the year of Linux in Devices' -- with products like Linux-based PDAs, cell phones, web pads, and set-top entertainment systems hitting the market in growing numbers as the year rolls on."

Companies

Microsoft investigated for Corel investment (News.com). News.com has run a brief article on the investigation of Microsoft's investment in Corel. "One of the concerns of antitrust investigators is Ottawa-based Corel's decision to shed most of its Linux computer-operating system business since the investment..."

Microsoft's Linux 'message' (ZDNet). Here's a brief ZDNet article on Microsoft's approach to Linux. "Finally, the implication that software users need a company like Microsoft to provide innovation is just so much leftover spin from the DOJ trial. The fact is that a completely decentralized, noncorporate coalition delivered Linux as it stands today. Now that's innovation."

Microsoft looks for Linux inspiration (Fairfax IT). Fairfax IT looks at Microsoft's latest recruiting tactic in Australia. "An international recruiter from Microsoft's Redmond headquarters has approached Linux user groups in Sydney, Melbourne and Adelaide seeking software developers interested in joining the company's Windows core networking team."

Internet consortium to launch fee-based security alert service (NW Fusion). Network World Fusion looks at ISC's plans to set up a fee-based forum for BIND security information. "'ISC found that speaking to vendors through the CERT advisory process was somewhat awkward and made for extra work on both sides' [Paul] Vixie said. 'The next time we learn, through CERT or otherwise, that there is an attackable bug in code that we've published, we hope to have a direct and very private communications forum with the people who run the Internet infrastructure or who need lead time to prepare patches for their customers.'" (Thanks to Cèsar A. K. Grossmann).

Falling revenue spurs Turbolinux layoffs (News.com). News.com reports on events at Turbolinux. "However, the company has lost some of technical staff recently, including Samba programmer John Terpstra, who moved to rival Caldera Systems, and Peter Braam, a Linux file system programmer who along with former Turbolinux Chief Executive Cliff Miller founded Mountain View Data."

TurboLinux going through layoffs and restructuring today (NewsForge). NewsForge reports that it's Turbolinux's turn to go through layoffs, again. "Jerry Greenberg, senior marketing v.p., says, 'We built the company on the expectation of doubling every quarter. We're growing well, but not at that rate. We had to respond to it.'"

Linux seller SuSE slashes U.S. staff (News.com). News.com reports on the layoffs at SuSE. "It's been an era of belt-tightening as the evaporation of Linux hype forces Linux companies to adopt more down-to-earth plans for capitalizing from the software's popularity."

Another Linux love feast (ZDNet). This ZDNet article looks at Caldera's strategy with UnixWare. "Caldera executives say partners should expect a new product-branding strategy. Specifically, Caldera's platforms will be branded by functionality (database server, Web server, etc.) instead of by operating system. The partner push will involve cross-selling and cross-development between the UnixWare and Linux communities."

Business

Sun vs. Microsoft -- until when? (ZDNet). ZDNet attended a speech by Sun CEO Scott McNealy and was not impressed. "In this business, the only real open industry standard in the computer industry is Linux, which thankfully remains beyond the clutches of the moguls. Everything else is hokum designed to lock developers (and by extension, customers) into proprietary corners of the computing constellation."

Resources

Linux Audio Plug-Ins: A Look Into LADSPA (ONLamp). Here's an ONLamp article on the LADSPA audio plugin architecture. "LADSPA's design is based upon the extensive research that has already gone into applications such as Csound and other MusicV software synthesis environments. The LADSPA architects have provided a lightweight, flexible API based upon those long-established technologies and have created a plug-in architecture as useful for software sound synthesis and mixing as it is for modular effects processing."

Reviews

Assessing Linux's progress on the desktop (ZDNet). ZDNet looks at Linux on the desktop. "Evolution is nearly identical in look and feel to Microsoft Outlook, faithfully reproducing even the annoying Outlook Bar--something I hide in new installations of that Microsoft application even before I disable the hated Office Assistant."

Interviews

How SuSE Carries Its Big Stick (Linux Planet). Linux Planet talks with SuSE CTO Dirk Hohndel. "Now that recent events have seen a financial downturn for the Linux wave of hype, Hohndel explained, he is very encouraged by the fact that Linux has not gone away and that customer interest in Linux is going up. This, to him, is a sure sign that Linux is not just a fair-weather technology subject to the whims of financial and corporate hype."

Interview: Linux Disrupts The Status Quo (TechWeb). TechWeb interviews Red Hat CTO Michael Tiemann. "We're fundamentally trying to change the economics of the computer industry by putting power into the hands of users, which is something Microsoft and other members of the proprietary-system industry are not willing to do. We aren't going to butt heads with Microsoft because we're not really on the same path."

Miscellaneous

Netscape browser ratchets up to version 6.01 (News.com). News.com reports on the Netscape 6.01 release. "In a strange twist, AOL Time Warner faces potential competition from Netscape's open-source browser project--that is, if the operation can ever get a browser out the door. Mozilla.org has labored for about three years to deliver a next-generation browser, in an effort to demonstrate that open-source programmers from different companies can collaborate to deliver a viable commercial product."

Section Editor: Forrest Cook


February 15, 2001

   


See also: last week's Announcements page.

Announcements


Resources

Kernel Traffic (and cousins) move to new site. Zack Brown has announced that the Kernel Traffic site, along with its various "cousins," has moved to a new site. The author's email address has rather abruptly changed as well, as part of the "restructuring" at Linuxcare.

Unix family tree. Worth a look: this Unix family tree posted by Éric Lévénez. It's highly detailed, and available in PostScript format so you can print up your own, 12-page version. (Thanks to Jay R. Ashworth).

What Are You Gonna Do? 'Make' Me?. LinuxLookup looks at 'make'. "Make can execute compiler/linker commands, shell commands, other makefiles, and even has some nifty scripting features of its own."

Where Do I Put Startup Commands In Debian?. Linuxnewbie.org looks at Debian startup commands.

Tip of the Week: C Program Declarations. Linuxlookup's tip of the week looks at C Program Declarations.

Events

LinuxTag 2001 call for papers. LinuxTag 2001 will be held in Stuttgart on July 5-7, 2001. The call for papers has gone out, for those who would like to present there; talks can be in either German or English. The CFP gives February 8 (i.e., last week) as the due date for abstracts, but, given the lateness of the notice, one would hope that they would accept submissions for just a little longer.

Linux@work in 12 cities in Europe in 2001. LogOn Technology Transfer is organizing the 3rd annual Linux@work series. These are 1-day Linux events which will take place in 12 European venues in May and June of 2001.

Events - February 15 - April 12, 2001.
Date Event Location
February 14 - February 16, 2001. O'Reilly Peer-to-Peer Conference Westin St. Francis Hotel, San Francisco, California.
February 21 - February 23, 2001. XML DevCon Europe 2001 Novotel London West Hotel and Convention Centre, London, England.
February 28 - March 2, 2001. 3rd German Perl Workshop Sankt Augustin, Germany.
March 3, 2001. LinuxForum 2001 Copenhagen, Denmark.
March 5 - March 7, 2001. BangLinux 2001 Indian Institute of Science, Bangalore, India.
March 5 - March 8, 2001. The 9th International Python Conference Long Beach, California.
March 5 - March 9, 2001. Networld+Interop 2001 Sydney Convention and Exhibition Centre, Sydney, Australia.
March 7 - March 9, 2001. Linux Open Source Conference and Business Expo. Sydney Convention and Exhibition Centre, Sydney, Australia.
March 15. 2001 Linux convention (in Icelandic). Iceland.
March 19 - March 22, 2001. SGI Global Developer Conference Burlingame, California.
March 20 - March 22, 2001. FOSE 2001 Washington DC Convention Center.
March 21 - March 24, 2001. Singapore Linux Conference / LinuxWorld 2001 Singapore.
March 22 - March 23, 2001. Linux Accessibility Conference Los Angeles, California.
March 28 - March 29, 2001. LinuxBazaar 2001 Czech Republic.
March 29 - March 30, 2001. Colorado Linux Info Quest Denver Marriott Tech Center, Denver, Colorado.
April 4 - April 5, 2001. Linux Expo Madrid Palacio de Congresos, Madrid, Spain.
April 4 - April 6, 2001. ApacheCon 2001 Santa Clara, California.
April 6 - April 8, 2001. GNOME Users And Developers European Conference (GUADEC) 2001 Copenhagen, Denmark.
April 8 - April 11, 2001. XML DevCon Spring 2001 New York Marriott Marquis, New York City.
April 9 - April 13, 2001. Embedded Systems Conference San Francisco, California.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

User Group News

Tucson Free Unix Group Installfest!. It's time for the TFUG 3rd Annual Installfest. "When members of the local Free Unix community come together and offer their time and expertise to help install and configure Linux or BSD for new users and interested observers, and then do it again and again and again - usually accompanied by pizza - you have an Installfest!" February 25, 2001 in Tucson, Arizona.

LUG Events: February 15 - March 1, 2001.
Date Event Location
February 15, 2001. Linux User Support Team, Taegu (LUST-T) Taegu, Korea.
February 15, 2001. St. Louis Unix Users Group (SLUUG) - Linux SIG St. Louis County Library, Indian Trails Branch, St. Louis, Missouri.
February 16, 2001. Rock River Linux Users Group (RRLUG) Rockford College, Rockford, Illinois.
February 17, 2001. North Texas Linux Users Group (NTLUG) Nokia Centre, Irving, Texas.
February 17, 2001. Silicon Valley Linux Users Group Installfest Computer Literacy Bookshop, San Jose, CA.
February 17, 2001. Eugene Unix and GNU/Linux User Group Eugene, Oregon.
February 18, 2001. Beachside Linux User Group Conway, South Carolina.
February 19, 2001. Front Range Pythoneers. tummy.com offices, Ft. Collins, CO.
February 19, 2001. Linux Users' Group of Davis (LUGOD) Z-World, Davis, CA.
February 21, 2001. Arizona State University Linux Users Group (ASULUG) Tempe, AZ.
February 20, 2001. Kansas City Linux Users Group Installfest (KCLUG) Kansas City Public Library, Kansas City, MO.
February 21, 2001. Linux User Group of Groningen Groningen, Netherlands.
February 21, 2001. Central Iowa Linux Users Group (CIALUG) West Des Moines, IA.
February 22, 2001. Maybe Rice University Linux Users Group (RLUG) Rice University, Houston, TX.
February 24, 2001. Greater London Linux User Group (GLLUG) Eisai Lounge, University College, London, UK.
February 24, 2001. Consortium of All Bay Area Linux (CABAL) Menlo Park, California.
February 25, 2001. Tucson Free Unix Group (TFUG) Installfest Tucson, AZ.
February 28, 2001. Hazelwood Linux User Group (HZLUG) Prairie Commons Branch Library, Hazelwood, Missouri.
February 28, 2000. Central Ohio Linux User Group (COLUG) Columbus, Ohio.
February 28, 2001. Linux User Group of Assen Assen, Netherlands.
March 1, 2001. Edinburgh Linux Users Group (EDLUG) Holyrood Tavern, Edinburgh, Scotland.

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.


February 15, 2001

   

 

Software Announcements


This week's Freshmeat software announcements are available as an Alphabetical list or Sorted by license.
 

Our software announcements are provided courtesy of FreshMeat

   


See also: last week's Linux History page.

This week in Linux history


Five years ago: Caldera announced its "Network Desktop 1.0" distribution.

The Call For Papers for Linux-Expo 1996 (hosted by "Linux Users' Group (LUG) at North Carolina State University (NCSU)") went out.

Three years ago (February 19, 1998 LWN): Richard Stallman weighed in against the new term "open source":

The main argument for the term "open source" is that "free software" makes some people uneasy. That's true: talking about freedom, about ethical issues, about responsibilities as well as convenience, can trigger discomfort. This asks people to think about things they might rather keep out of mind. It does not follow that society would be better off if we stop talking about these things.

It is the third anniversary of the (in)famous Jesse Berst Fired for Choosing Linux? article:

Okay, Linux may have a low, low cost. And many technical merits. And lots of help for do-it-yourselfers. But can it pass the all-important "cover your ass" test? I'm not so sure. There's no single company behind Linux. No single source of support. No sales rep you can call in and yell at if Linux fails unexpectedly, leaving you without an operative Web site. Nobody to blame, in other words. Except you, if you were the person who recommended this product.

It is also, more or less, the third anniversary of Don Marti's Operating System Sucks-Rules-O-Meter.

Two years ago (February 18, 1999 LWN): Windows Refund Day came and went. Turnout was small, refunds were nonexistent.

Bruce Perens got fed up with "open source" and said it's time to talk about free software again:

Most hackers know that Free Software and Open Source are just two words for the same thing. Unfortunately, though, Open Source has de-emphasized the importance of the freedoms involved in Free Software. It's time for us to fix that. We must make it clear to the world that those freedoms are still important, and that software such as Linux would not be around without them.

Fortune reported on Microsoft's "Linux Defense", which was relatively new at that time.

But no moment has been quite so Alice in Wonderland as the one we're about to see.... The video begins. "Hello," chirps an effervescent young Microsoft employee. "This is a demonstration of the Caldera OpenLinux operating system." Caldera is a small company that, in a delicious irony, is currently suing Microsoft on antitrust grounds. The young Microsoftie continues: "The demonstration will show that Caldera's operating system provides effective functionality for end users."

Debian 2.0r5 was released. Glibc 2.1 was released, then withdrawn "until some political issues are worked out." The problem, it seems, is that gcc 2.8 could not compile it (it compiled with egcs). The gcc/egcs split, happily, has long since gone away.

The Burlington Coat Factory announced that it would install Linux in 250 stores; this was one of the first high-profile Linux deployment announcements.

One year ago (February 17, 2000 LWN): IDC released a study showing that Linux was the number-two server operating system, with 25% of the market. Windows NT came out on top, with 38%. Linux and Unix systems together, however, showed up on more systems than NT.

Development kernel 2.3.46 came out; included therein was Richard Gooch's devfs system. The inclusion of devfs had been the subject of flame wars for almost two years. One year later, it remains to be seen whether the distributors will set up their systems to use devfs or not.

Andrew Leonard's Free Software Project launched on Salon. A year later, progress seems to have slowed, but there is a bunch of good writing there.

The UCITA "shrink wrap software" law passed in Virginia. UCITA got off to a quick start, but appears to have stalled since then.

One way to make "open source" look good:

Am I the only one to see that Torvalds and other open-source software revolutionaries are acting out the finale of George Orwell's Animal Farm? Orwell's farmhouse is full of open-source pigs, which are now almost indistinguishable from the proprietary humans they recently overthrew. It's true that I have been unkind to the "open sores" movement. But to be clear, anyone is welcome to beat Microsoft with better software, even a utopian community of volunteer programmers. May the best software win.
-- Bob Metcalfe, InfoWorld

   


See also: last week's Letters page.

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

February 15, 2001

   
To: ylo@ssh.com, letters@lwn.net
Subject: Your legal threats concerning the SSH trademark
Date: Wed, 14 Feb 2001 13:06:01 -0500 (EST)
From: Don Barry <don@astro.cornell.edu>

Dear Mr. Ylonen,

First, I wish to thank you for designing the first SSH protocol and 
working with international standardization bodies to create what is now
an official as well as unofficial standard for secure communications between
computers.  I also thank you for beginning this effort under an open 
source license, which I hope you realize was an essential part of your
contribution being accepted as a standard.

Now to the criticism.  I was very disappointed when you took your product
in a commercial direction: I frankly found it a predatory maneuver to 
establish a project in an open source manner and then proprietize it after
having it accepted as a standard.  I gave you the benefit of the doubt and
presumed this behavior was accomplished by business denizens who by then 
controlled the destiny of your company.

I see now that I was wrong.  Even if my original presumption was 
correct, by lending your own name now to a legal effort to throw confusion
into the arena of SSH protocol products, you have confirmed the worst 
suspicions of many of us.

Actually, I find essentially all users of SSH and OpenSSH are quite clear 
about the origins and distinctions between these programs.  The downturn
in your commercial fortune is not due to a "confusion" between these two
products -- it is in fact due to a *recognition* that the open source
version is superior, and the desire of users to not choose a product 
offered by a developer and company which has shown erratic and greedy 
behavior in the past.  Frankly, I wish they had developed this product
in the GPL fashion, because this *free source* technique is even superior
and would prevent would-be pirates (like you are free to do) 
from generating proprietary code forks.

The confusion and doubt which you mention is not in the use of the OpenSSH
designation to describe a well-known code base, it is actually your attempt to
generate confusion among those who would use the open alternative to your
product, by obfuscating its identity.

Finally, your statement claiming fundamental insecurities in the 
SSH1 compatibility mode of the OpenSSH product (something, I might add, now
offered by your *own* product after a failed attempt to do a full proprietary
transition) is a classic example of Fear, Uncertainty, and Doubt in action.
The theoretical vulnerabilities of the SSH1 protocol to insertion attacks
would prove extremely difficult to mount in practice, and the actual 
CERT vulnerabilities you mention deal with more mundane affairs such as
buffer overflows -- something your *own* product has also suffered from.
These real-world vulnerabilities are of course the primarily exploitable ones,
and are a factor of the quality of the code base, not the algorithms.
And, of course, the OpenSSH software does implement both SSH1 and SSH2 
protocols.

In my own academic capacity, I have succeeded in impressing on my colleagues
the importance of using secure communications in our activities.  We use
both the SSH and OpenSSH codes in my department.  If you wish to compete in this
arena, do it through the creation of superior software, preferably in the
open (or better yet, *free*) domain, and not through legal maneuvers.
Henceforth, should you not choose a more moderate and cooperative path in
working with the community of coders producing for the public good, I will do my
best to make sure that your product is found on not one of our machines, and
that people know exactly the reason why.

Cheers,

Don Barry, Ph.D.
Space Infrared Telescope Facility Team
Cornell University
   
To: letters@lwn.net
From: Jim Dennis <jimd@starshine.org>
Subject: Tatu Ylonen's message to the OpenSSH developers
Date: Wed, 14 Feb 2001 17:16:23 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 I personally applaud Tatu Ylonen's restraint and tact in his message
 to the OpenSSH developers list.  I think it's long overdue.

 It's a pity that SSH(TM) isn't completely free.  It's a pity that
 Tatu hasn't found a revenue model that would allow him to release
 under the GPL or BSD licenses, or to create a DFSG compliant license.
 Obviously, revenue models are a hard problem for free software -- and
 some people do need to live off their programming labors.  I can't
 begrudge Tatu (or others) that.

 However, it's equally a pity that no one has come out with a fully
 independent protocol compatible re-implementation.  Tatu published
 his sources, and a full description of the protocols (both versions?) 
 and has actively encouraged (through his participation in the IETF)
 an independent implementation.  (IETF guidelines strongly suggest,
 nigh onto *require* multiple independent and interoperable
 implementations of all new Internet standards).  lsh/psst
 (http://www.net.lut.ac.uk/psst/) seems to be a moribund project; the
 fact that it hasn't even become available as a Debian package in
 unstable is testimony to that.

 (I also think that it's a pity that SSH(TM) and its ilk are still
 necessary.  Unfortunately the deployment of IPSec and especially
 secure DNS still lags to the point where opportunistic encryption and
 transparent authentication are still distant dreams).

 Unfortunately I think that Tatu will be castigated for his message
 and I'd like to go on record as saying that all the complainers
 should stuff it!  Go help Martin Hamilton and the rest of the psst
 team if you insist on a fully GPL version of an ssh(TM) compatible
 package.  (Or help get InterNIC to adopt a secure DNS version of BIND
 *and* to publish keys and sign their top level zone data --- and
 otherwise help us realize IPSec).

 Meanwhile the OpenSSH [sic] team should probably consider renaming
 their package OpenSecsh (possibly to be pronounced like a drunk
 commenting on "promiscuous sex").  I suspect that Tatu would have no
 complaint about their use of the IETF name for the protocol --- and
 he hasn't even asked them/us to change the name of the binary.

 I'd, nonetheless recommend that they/we rename the binary, and
 include a wrapper script called ssh that does something like
 reasonable.  ( Something like:

	    #!/bin/sh
	    # Print the trademark notice on stderr so the command's stdout is unchanged
	    echo "SSH is a trademark of SSH Inc and Tatu Ylonen" >&2
	    /usr/bin/secsh "$@"


	... or a C binary wrapper to that effect; would suffice.

 Acknowledging the author and trademark holder when calling the program
 under its traditional name seems appropriate and anyone who thinks
 this onerous (or finds that it's causing their scripts to break) can
 simply make their own alias or wrapper, or change to the new name.

 Tatu (copied on this), thank you for your patience and tolerance in
 this matter. Also, I'd like to thank you for writing an indispensable
 piece of software that has truly made the Internet safer.  The thing
 that will help further is its continued development, the accelerated
 demise/upgrade of the obsolete versions, and more ubiquitous use.

- --
Jim Dennis               
Software Analyst		
Axis Personal Trainers			http://www.axispt.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iEYEARECAAYFAjqLLd0ACgkQIGV97BI+xjGUjgCfZV+K5nyOQhLFvQIoXiqdAJYA
IuMAn2UkVoFWDTZZNYcj2Q1lFZ6V2fcc
=dZ7F
-----END PGP SIGNATURE-----
   
Subject: HTML email privacy
To: editor@lwn.net
Date: Thu, 8 Feb 2001 13:51:04 +0000 (GMT)
From: Alan Cox <alan@lxorguk.ukuu.org.uk>

The article you point to on html email privacy is actually quite misleading.
Disabling javascript will not protect against most email privacy attacks.

A simple 

	<IMG src="http://evil.mailtracking.scum.org/cgi-bin/track?id=123456">

type tag will allow the tracking of the host used to read each email. The
information that most browsers will hand back generally provides the ip
address and other basic system factors (including monitor size with some
browsers).

It is also possible to use the rlogin: URL to extract usernames from browsers
because the rlogin client will pass username information as part of the 
connection setup. From this and the IP address you can normally deduce an
awful lot about the user.

No javascript required.

Alan
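
The two leaks described in the letter above need no script: a remote IMG reference is fetched as soon as the mail is rendered, and an rlogin: link hands data to a helper client. As an added example (not part of the letter or of LWN's text), this Python filter re-emits an HTML mail body with such attributes removed. The attribute lists, the policy of dropping inline CSS and script/style elements, and every sample URL other than the IMG tag quoted from the letter are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a renderer fetches without any click (illustrative, not exhaustive;
# a production filter would allowlist known-safe attributes instead).
AUTO_FETCH = {
    ("img", "src"), ("input", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("object", "data"), ("link", "href"),
    ("body", "background"), ("table", "background"), ("td", "background"),
}
CLICK = {("a", "href"), ("area", "href")}   # followed only when the reader clicks
EMBEDDED = {"cid", "data"}                  # content carried inside the message itself
CLICK_OK = {"http", "https", "mailto"}      # assumed policy for clickable links
DROP_ELEMENTS = {"script", "style"}         # bodies may hide code or url(...) fetches


class MailHtmlAuditor(HTMLParser):
    """Re-emit an HTML mail body with privacy-leaking attributes removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # pieces of the sanitized document
        self.findings = []     # (kind, tag, attribute, value)
        self._skipping = None  # name of the script/style element being dropped

    def _check(self, tag, name, value):
        """Return a finding kind if the attribute must be dropped, else None."""
        if value is None:
            return None
        if name == "style":
            return "inline-css"    # CSS has its own escaping; do not try to parse it
        if (tag, name) not in AUTO_FETCH and (tag, name) not in CLICK:
            return None
        try:
            parts = urlsplit(value.strip())
        except ValueError:
            return "malformed"     # unparseable URL: drop it rather than guess
        scheme = parts.scheme.lower()
        if (tag, name) in AUTO_FETCH:
            # Anything naming a host, or using a scheme that is not embedded
            # content, makes the reader's machine contact a server on open.
            remote = bool(parts.netloc) or scheme not in EMBEDDED | {""}
            return "auto-fetch" if remote else None
        # Clickable link: schemes such as rlogin: start an external client.
        return "helper-scheme" if scheme not in CLICK_OK | {""} else None

    def _emit(self, tag, attrs, closer):
        kept = [tag]
        for name, value in attrs:
            kind = self._check(tag, name, value)
            if kind:
                self.findings.append((kind, tag, name, value))
            elif value is None:
                kept.append(name)
            else:
                kept.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(kept) + closer)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self._skipping = tag
        else:
            self._emit(tag, attrs, ">")

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_ELEMENTS:
            self._emit(tag, attrs, " />")

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
        elif tag not in DROP_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping is None:
            self.out.append(html.escape(data, quote=False))


def audit_html_mail(body):
    """Return (sanitized_html, findings) for one HTML mail body."""
    auditor = MailHtmlAuditor()
    auditor.feed(body)
    auditor.close()
    return "".join(auditor.out), auditor.findings


# Constructed sample message; only the IMG line is taken from the letter.
SAMPLE = """\
<html><body background="//cdn.tracker.example/bg.gif">
<p>Hello &amp; welcome, see <a href="http://www.example.org/news">the news</a>.</p>
<IMG src="http://evil.mailtracking.scum.org/cgi-bin/track?id=123456">
<img src="cid:logo@newsletter.example" alt="logo">
<a href="rlogin://login.tracker.example/">your account</a>
<td style="background: URL(http://tracker.example/cell.gif)">x</td>
<script>document.write('<img src="http://tracker.example/js.gif">')</script>
</body></html>
"""

if __name__ == "__main__":
    cleaned, found = audit_html_mail(SAMPLE)
    for finding in found:
        print(finding)
    print(cleaned)
```

The image referenced with cid: survives because it is a MIME part of the message itself, so rendering it contacts no server.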
   
From: Hubert Tonneau <hubert.tonneau@heliosam.fr>
To: letters@lwn.net
Subject: DNS servers list: Pliant is missing
Date: Thu, 08 Feb 2001 11:05:49 GMT

In the February 8th issue of LWN, you listed several alternatives to Bind,
but forgot Pliant (http://pliant.cx/)

Pliant DNS server is:
. released under GPL,
. very compact (less than 1000 lines)
. using Pliant database engine for reliably storing configuration files
. remotely administrated using a web browser over Pliant strong crypto
  secured channel.

It's not suited for first level domains such as (.com or .fr), but for
hosting second level domains of your company or your organization
(pliant.cx or heliogroup.fr), it should work just fine.
Of course, it can also act as a caching DNS for your site or your computer.

Regards,
Hubert Tonneau

   
From: Russell Nelson <nelson@crynwr.com>
Date: Thu,  8 Feb 2001 10:46:03 -0500 (EST)
To: lwn@lwn.net
Subject: not true


   From the above list, one can conclude that BIND's competitors have
   some ground to cover yet. Energetic hackers looking for a project may
   want to consider the creation of a viable competitor to BIND; the net
   will be a safer place when we have one.

Why?  djbdns is a viable competitor to BIND.  The author's personality
is irrelevant to the quality of the software, the author considers
your inability to redistribute modified versions to be a feature (and
given the track record of some vendor-modified versions of sendmail
and bind, he's got a point), and the code is only difficult to read
because it uses many functions from Dan's library.  Said library by
design discourages buffer overruns.  Did I mention that it discourages
buffer overruns, which are irresponsible for 50% of all Unix security
lapses?  It's not C, it's the C library.

And djbdns could serve the .com zone using 3GB of memory, as opposed
to the 8GB used by ISC's root zone server.  Is that a large enough
zone for you?

-- 
-russ nelson <sig@russnelson.com>  http://russnelson.com
Crynwr sells support for free software  | PGPok | "This is Unix...
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Stop acting so helpless."
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | --Daniel J. Bernstein
   
Date: 8 Feb 2001 10:09:49 -0000
From: cpb@log2.net
To: letters@lwn.net
Subject: Asbestos for you

On the LWN front page of Feb. 8, 2001, you state that the djbdns DNS server
"lacks some capabilities (TCP service, zone transfers, ...), making it not
necessarily suitable for larger domains."

Please print this email on asbestos and add it to the truckload of asbestos
you will need should someone with more knowledge of djbdns and the desire
to demonstrate that knowledge choose to come after you with email flames!

I have the knowledge, but not the desire.                   - Chris Bopp

P.S. If djb himself writes, you will need more than a truckload!

   
Date: Thu, 8 Feb 2001 08:54:12 +0100
From: Frank Tegtmeyer <fte@fte.to>
To: lwn@lwn.net
Subject: errors about djbdns on your front page

Hi,

while I am glad you mentioned djbdns as a secure alternative to
BIND, I have to point out at least two errors:

"djbdns also lacks some capabilities (TCP service, zone transfers, ...),
making it not necessarily suitable for larger domains."

djbdns (formerly dnscache) contains axfrdns since January 2000. Therefore
your statement about TCP and zone transfers is not true and has to be seen
as misinformation. Making these false statements you come to the conclusion
that djbdns is "not necessarily suitable for larger domains". This is
ridiculous and not backed by any facts.

I invite you to join the djbdns mailing list and ask for large companies
using djbdns or for ISPs with a big number of zones using djbdns.

The point is that djbdns doesn't lack features of BIND - it is simply
different. You have to stop "BIND thinking" when handling djbdns.
I agree that you can get into some trouble because of the mentioned
"monoculture" at the Internet today when using djbdns. But there
are enough people using djbdns that prove your statements wrong.
I expect the necessary corrections at your page.

With kind regards,
Frank Tegtmeyer
   
Date: Thu, 8 Feb 2001 19:05:45 -0500
From: "Jay R. Ashworth" <jra@baylink.com>
To: letters@lwn.net
Subject: DJB and his DNS

In the special on djbdns, the editor wrote:
> In the end, though, you need not like Mr. Bernstein to make good use
> of his software.

That's a comforting assertion, but I'm not sure whether it's correct or
not.  I can see many reasons why the attitude of a software package's
maintainer is a pertinent issue in selecting what you're going to
deploy in your network, be that network 2 machines or 200,000.

Even in the free software world, it would seem to be an issue.  While
the old "you have the source, you can fix your own problems" argument
will surely be made here, of course, it's not true for everyone:
especially something as hirsute as a DNS server is not code that
everyone will be able to do anything with.

One of the projects that I'm involved with (when I can find time and
manage not to be ill) is the open fax server software system HylaFAX,
originally written by Sam Leffler when he was at Silicon Graphics, and
now available under a reasonably open license (I believe it's either
strict or slightly modified BSD).  <http://www.hylafax.org>

While the package has a fairly decent sized user community -- frankly,
we don't know how big it is because most of the installations Just Work
:-) -- finding good developers who can work on it is hard.

That's because it's a) soft-real-time code and b) written in C++.

We're lucky to have the 4 or 5 people we do, when they can spare the
time, but it sure wouldn't hurt if there were a few more.

What *is* safe to say, though, based on the support queries I see on
our user mailing list, is that the vast majority of the people who
{are,would like to be} deploying it are *not* equipped to do more than the
slightest little bit of hacking on it around the edges.  And there's
nothing wrong with that; in fact, it's essential.

Luckily, the development community on this project, headed by Mr.
Arlington Hewes, is much more personable and easy to get along with
than DJB is reputed to be (I've never worked with the man, but I heard
the sparks around the edges of maildir format support when I was on the
mutt-devel list.)

So perhaps, just having good code *isn't* enough; we geeks are going to
have to come out into the real world, too.

Damn.

What a shame.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff     Baylink
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida        http://baylink.pitas.com             +1 727 804 5015
   
Date: Thu, 8 Feb 2001 21:08:55 +0000
From: Alain Williams <addw@phcomp.co.uk>
To: lwn@lwn.net
Subject: The case for competition

I will not labour the well sung refrains that competition is good because:
it leads to the evolution of good solution(s); heterogeneity engenders
robustness in the face of cracking attacks; choice for the solution that is
right for you; ...

There seems to be a curious belief that everyone involved in Open Source
is, somehow, supposed to be working together, that we are all part of some
big global organisation or company. That belief naturally leads to the
assertion that different (but similar) Open Source projects are really
branches of this one organisation that are competing/working against each
other. The mental analogy is as if different departments in
IBM/Microsoft/...  worked to produce competing: word processors, compilers,
...

There is also the reinforcing notion that if it comes from one
organisation, then it was all written by that place. People see Linux as
being an organisation, and so think that the different Linux distributions
are probably something to do with the supply chain; putting slightly
different badges on *one* product made by some higher up company.

The idea of software being produced by a ``for profit'' company is deeply
ingrained. One frequent question that I get asked is something like: ``If
it is given away how does Linux pay for the development ?''. The idea of a
community sharing resources seems hard to grasp.

With this one company gestalt it is hardly surprising that competing
projects (be that desktops or MTAs) are seen as a flaw in the Open Source
``business'' model. These same people would have no problem in accepting
different companies competing to produce the better product and so gain
market share and so, presumably, profit. Most people don't understand the
Open Source ``business'' model. Whereas a conventional business survives by
competition, Open Source survives by cooperation.

Another problem is that many people do not like choice. They just want to
know ``the way to do XXXX'', if there is choice then they need to think,
and most people don't want to think about the choices in how to use
computers -- this is not a derogatory remark, it is recognition that for
most people a computer is a tool with which to do a job; for most people
that is the right attitude.

But people love choice when it comes to cars, refrigerators, video
recorders; so why not computer software ? I think that one big reason is
the learning effort that goes into changing the computer software that you
use. The learning effort for changing the other things is trivial; well,
maybe I was wrong to talk about video recorders - but you get the idea.

In summary: we, the technical community, have to beware trying to judge
other people's view of us (and our actions) from our own points of
view. Let us try to see ourselves as others see us; if we don't like what
we see then maybe we need to change the way that we present ourselves (and
our passions) to the rest of the world. I.e., we need to learn to communicate.

-- 
Alain Williams
   
Date: Thu, 8 Feb 2001 14:05:12 -0600
From: David Fries <dfries@umr.edu>
To: letters@lwn.net
Subject: proving compliance

Let's say you or your company does go with GPL or free software.  How
do you prove that?  I think it is harder than it sounds.  It is easy
for them to say you have software you can't show a license for, but it is
a harder job to show you don't have the software.  What are they going
to go through every megabyte on your drive and make you decrypt all
data?

I'm for free software, but I don't think it will prevent a raid and is
there any way for someone to get back at them for disrupting a
business that is in compliance?

-- 
		+---------------------------------+
		|      David Fries                |
		|      dfries@umr.edu             |
		+---------------------------------+
   
Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds