Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

May 17, 2001
From: Richard Stallman <rms@gnu.org>
To: Bernard.Lang@inria.fr
Subject: Re: [Freesw] priorart.org
Date: Fri, 11 May 2001 23:42:05 -0600 (MDT)
Cc: kmself@ix.netcom.com, fsb@crynwr.com, freesw@conecta.it

There are major problems with priorart.org. Actually, two problems--one tactical, and one strategic.

In the US patent system, if the PTO looked at certain prior art and decided to issue the patent anyway, the court is supposed to presume the PTO was right to regard that prior art as insufficient. But if the PTO was unaware of the prior art, then the court can look at it with an unbiased eye. As a result, prior art is more effective against patents if the PTO does not know about it. For potential patent victims to inform the PTO about prior art is a self-defeating project.

The effect of this is worse than you might think, because of the way the PTO uses prior art. The question they are supposed to ask is, "Is this idea unobvious given the known prior art?" But their threshold of "unobvious" is so low that in practice the tiniest difference from the known prior art is enough excuse for them to issue a patent. The courts are much more likely to apply a sensible definition of "unobvious" if they are not blocked by a prior PTO decision about the same prior art.

Then there is the strategic problem. I have seen publicity associated with this activity, and it serves as an excuse to whitewash the system of software patents. The publicity suggests that we could live with software patents, if only we "work to make the system function" in this way. It encourages people to think that the only problem in software patents is when non-novel ideas are patented, and that software patents on new ideas (some brilliant, most pedestrian) are ok. And that will undermine the efforts now under way in Europe to prevent software patents there.

Organized efforts to collect prior art could be useful if they avoid these two problems. But if they have these problems, they can easily do more harm than good.
From: "Eric S. Raymond" <esr@thyrsus.com>
To: wire-service@thyrsus.com
Subject: Reliance on closed source for security considered harmful
Date: Mon, 14 May 2001 17:43:21 -0400

Today, Yahoo is carrying the news that Microsoft has admitted the existence of a back door in its IIS webserver that could affect hundreds of thousands of websites worldwide [1]. This comes barely two weeks after the revelation [2] that another, unrelated bug in IIS permitted crackers to gain root access to sites running IIS 5.0 and Windows 2000 -- the latest, greatest versions of Microsoft's flagship OS and web server.

It's not exactly news that Microsoft's products are hideously insecure; these really serious incidents are taking place against a background that includes almost weekly announcements of some new macro virus or attachment trojan propagated through Microsoft Outlook. One might almost be tempted to yawn if these bugs weren't annually costing computer users worldwide billions of dollars worth of downtime, lost opportunities, and skilled man-hours.

But there is something about this incident that deserves special attention. This most recent security hole was *not* a bug -- it was a deliberate back door inserted by Microsoft engineers.

When Microsoft spokespeople said that the back door was "absolutely against our policy," they were doubtless intending to be reassuring. But on second thought, that statement should strike fear into the heart of any MIS manager relying on Microsoft products. Because the inevitable next question is this: if backdoors can find their way into Microsoft's production releases against Microsoft's own policy, *how many more undiscovered ones are there*?

Microsoft doesn't know. Nor does anyone else. The only people who could tell us are other rogue Microsoft employees like the unnamed culprits behind today's backdoor. And they aren't talking.

Back doors and security bugs, like cockroaches, flee the sunlight. There is only one way for software consumers to have reasonable assurance that they will not become victims of a back door -- open source code. The Apache web server that IIS competes against has never had a back door, because its code is routinely reviewed and inspected by a worldwide developer community alert to the possibility. Any developer tempted to insert one knows that it would be discovered and traced to him in short order -- thus, it's never even been tried.

This illustrates a larger point. When you use closed source for a security-critical application, you must blindly trust *everyone* in the chain of transmission -- the developers who wrote it, the company that marketed it, and the people who made and shipped the physical media. Bad actors or simple mistakes at *any* of these stages can leave you with a computer begging to be owned by the first script kiddie who wanders along.

With open source, you have a check on the system. You can see inside; you know what's going on. This changes the behavior of everyone upstream of you; the higher probability that a bug or backdoor will be exposed keeps them honest even *before* the code is reviewed. If Microsoft's IIS had been open, whoever was responsible for today's back door would never have dared to insert it.

The few MIS managers who aren't already evaluating open-source software need to wake up and smell the coffee. Today's backdoor demonstrates that Microsoft can't control its own employees well enough to be trusted with your critical data. More fundamentally than that, though, it reveals how deeply foolish and dangerous it is to rely on closed-source software for any security-critical use.

As the security advantages of open source become clearer, managers who persist in this mistake may find they are putting their own jobs at risk. And deserving to lose them...

[1] <http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno>
[2] <http://www.eeye.com/html/Research/Advisories/AD20010501.html>

(Re-distribute and publish freely.)

--
Eric S. Raymond <http://www.tuxedo.org/~esr/>

"The bearing of arms is the essential medium through which the individual asserts both his social power and his participation in politics as a responsible moral being..." -- J.G.A. Pocock, describing the beliefs of the founders of the U.S.
From: Bohn Christopher <cbohn@computer.org>
To: "'letters@lwn.net'" <letters@lwn.net>
Subject: Regarding the Caldera/SCO deal
Date: Thu, 10 May 2001 07:33:46 -0400

I find it just a little amusing, now that Caldera International owns UnixWare and OpenServer, that software with a direct lineage to a Microsoft product (XENIX) is now owned by a Linux company.

Christopher A. Bohn
From: jerry <jerry@pc-intouch.com>
To: letters@lwn.net
Subject:
Date: Thu, 10 May 2001 12:13:29 -0700 (PDT)
Cc: wa6cvl@qsl.net

Caldera's Mr. Love just announced that the GPL is a Linux weakness, and several others have agreed. BSD advocates have long been stressing the better copyright that they have...

Linux is NOT necessarily superior to FreeBSD, but it has a few advantages, of which the GPL IS THE MAJOR ADVANTAGE.

If Mr. Love wants the BSD style license, why not use FreeBSD? I would not have a problem with that. BSD is a competent and useful OS. I use it myself.

This is not a very complicated issue: if you want the BSD-style license, USE FreeBSD. Leave Linux alone.

From a Microsoft user's point of view, Linux and FreeBSD operate the same. The same software packages run on both.

The charm of Linux is TIED to the GPL. The sparkling differences in the Linux attitudes, the early adoption of interfaces, the freewheeling diverse packaging, the 180 different distributions, ARE ALL A RESULT OF GPL..

VIVA GPL...

de Jerry Sharp
From: "Jonathan Day" <jd9812@my-deja.com>
To: letters@lwn.net
Subject: Thoughts about the GPL, ZDNet, et al
Date: Fri, 11 May 2001 06:12:13 -0700

Hi,

The first thing that ZDNet forgets are the basic rules of selling ANY product or idea:

1) A foot in the door is worth two in the mouth.
2) You can't sell mindshare. But, without mindshare, you can't sell anything.
3) Profit is a function of actual gains versus actual expense.

The only one I need to explain is the third. Profit = What you get - What you give to get it. In other words, doubling what you get (eg: by selling a distribution under a non-GPL licence) is of no value if you've also doubled what you have to give (better promotion, better packaging, better sales department, better tech support, etc). If your costs increase at the same rate as your profits, you've gained NOTHING. You're NO better off than if you'd sold a GPLed Linux for $5 in every market stand in the country. (In fact, you'd probably end up much richer doing that!)

Trying to sponge customers reduces your audience, and increases the amount of effort it'd take to reach them. There IS an optimum. That optimum is what Linux already uses. The GPL.

ZDNet is used to "classical" thinking. Thinking that brought us the wonders of the recent energy crisis. Thinking that spawned global recession in the 80's and 90's. Thinking that brought on the Great Depression in the 30's. It's thinking that the rest of humanity doesn't need.

Jonathan Day
From: John Morris <jmorris@beau.lib.la.us>
To: <letters@lwn.net>
Subject: The "free flow of cryptographic information"
Date: Fri, 11 May 2001 14:47:46 -0500 (CDT)

I certainly hope that was sarcasm in this week's LWN history page, because I can't see how things have changed a whit. Three years ago all the crypto was kept on an overseas server and had to be manually patched into the system. This week I added crypto to my laptop. Yup, I did it by downloading the International Crypto Patch from www.kerneli.org and rebuilding the kernel and several of the user space tools.

Even if we can't get the actual crypto code included in mainstream distros' kernels, I'd be real interested in knowing what reasons the various distribution packagers give for not including the patches in the user space tools like mount and losetup. Those tools only need to be built with the ability to convert the names of the cyphers into numbers for the crypto api, so there shouldn't be any export issues, especially in this environment of a "free flow of cryptographic information".

--
John M. http://www.beau.org/~jmorris
This post is 100% M$ Free!
Geek code 3.0: GCS C+++ UL++++$ P++ L+++ W++ N++ w--- Y+ 5+++ R tv- b++ e* r
From: <mschwarz@alienmystery.planetmercury.net>
To: letters@lwn.net
Subject: Wrong way to look at it
Date: Fri, 11 May 2001 15:52:19 -0500 (CDT)

In your "On The Desktop" section this week you said "Older hardware tends to amplify the effects of slowness." I think this is the wrong way to look at it. Rather say "newer hardware tends to mask the effects of poor design and excessive cruft."

I cut my programming teeth on 8-bit embedded applications; much of what I wrote had to fit into 2716 and 2732 EPROMs (2k and 4k respectively). You learn not to waste there.

One of the most amazing feats of software design was Visicalc. The 6502 was an incredibly limited processor. And yet the whole class of "spreadsheet" applications was created within those limits. Look at how much memory, disk, and CPU cycles Visicalc consumes, then compare it to MS Excel and ask yourself if Excel really does three orders of magnitude more for its users than Visicalc did.

I hate feeling like Abraham Simpson (I'm only 34 years old for goodness' sake), but too many people are too addicted to big memory, big disk, and big clock speeds. I use a Z80 and CP/M emulator to maintain an embedded application for a local ham radio group. That emulator runs eight times faster than any real Z80! Can you imagine how fast software would be if the same rigor were applied to today's software as was applied then?

Of course, there are whole classes of application that you couldn't write without the faster speeds. I'd hate to do 3d rendering on a 1MHz 6502! But such programs are not the bloatware. They are still constrained, so their authors still strive for every cycle and every byte.

My overwhelming reaction to the most recent KDE release was "My God, they really slowed this down!" The advantage is, with Free Software, you can find the bottlenecks that really bug you, and do something about it.

Anyways, my point is that at least some thought should be put into size and speed efficiency. I think people make a big mistake when they buy powerful machines for software development. I do most of my programming on a 200MHz machine. If it runs well there, it'll blind people on 1G Athlons!

--
Michael A. Schwarz
mschwarz@sherbtel.net
From: James Dixon <jdixon@mail.westco.net>
To: letters@lwn.net
Subject: Dell and Linux
Date: Sat, 12 May 2001 13:23:52 -0400 (EDT)

Quoting from your "Three years ago..." section:

> Dell claimed that none of their customers wanted Linux in this ZDNet
> article. LWN received an open letter from Jim Dennis to Dell telling
> them that their customers were already using Linux on Dell computers.
> Dell still isn't completely convinced. To this day the main Dell site
> does not mention Linux and won't even point you to the Dell Linux
> site.

Oh, I think Dell is convinced. See this quote from Michael Dell's keynote speech at the Linux World Expo last year:

"Linux has grown from about four percent of all Dell servers sold in the first quarter of 1999 to almost ten percent of all servers sold in the first quarter of this year."

Assuming normal Linux growth rates, we can guess that Linux accounts for roughly 15-20% of Dell server sales at this time.

However, they have a problem. Microsoft based systems still account for the remaining 80-95% of server sales and 95% of personal computer sales. If they highlight their Linux systems, they alienate Microsoft. Michael Dell is not about to take that risk. He knows how vindictive Microsoft can be, and he has employees and shareholders to worry about. Aggravating Microsoft is not in their best interest.

For this simple reason, it will still be a few years till Dell can safely highlight their Linux systems. Expect them to remain low profile in the meantime.

James Dixon
jdixon@pobox.com