
Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

May 17, 2001

   
From:	 Richard Stallman <rms@gnu.org>
To:	 Bernard.Lang@inria.fr
Subject: Re: [Freesw] priorart.org
Date:	 Fri, 11 May 2001 23:42:05 -0600 (MDT)
Cc:	 kmself@ix.netcom.com, fsb@crynwr.com, freesw@conecta.it

There are major problems with priorart.org.  Actually, two
problems--one tactical, and one strategic.

In the US patent system, if the PTO looked at certain prior art and
decided to issue the patent anyway, the court is supposed to presume
the PTO was right to regard that prior art as insufficient.
But if the PTO was unaware of the prior art, then the court can look
at it with an unbiased eye.

As a result, prior art is more effective against patents if the PTO
does not know about it.  For potential patent victims to inform the
PTO about prior art is a self-defeating project.

The effect of this is worse than you might think, because of the way
the PTO uses prior art.  The question they are supposed to ask is, "Is this
idea unobvious given the known prior art?"  But their threshold of
"unobvious" is so low, that in practice the tiniest difference from
the known prior art is enough excuse for them to issue a patent.  The
courts are much more likely to apply a sensible definition of
"unobvious", if they are not blocked by a prior PTO decision about the
same prior art.

Then there is the strategic problem.  I have seen publicity associated
with this activity, and it serves as an excuse to whitewash the system
of software patents.  The publicity suggests that we could live with
software patents, if only we "work to make the system function" in
this way.  It encourages people to think that the only problem in
software patents is when non-novel ideas are patented, and that
software patents on new ideas (some brilliant, most pedestrian) are
ok.  And that will undermine the efforts now under way in Europe to
prevent software patents there.

Organized efforts to collect prior art could be useful if they avoid
these two problems.  But if they have these problems, they can easily
do more harm than good.
   
From:	 "Eric S. Raymond" <esr@thyrsus.com>
To:	 wire-service@thyrsus.com
Subject: Reliance on closed source for security considered harmful
Date:	 Mon, 14 May 2001 17:43:21 -0400

Today, Yahoo is carrying the news that Microsoft has admitted the
existence of a back door in its IIS webserver that could affect
hundreds of thousands of websites worldwide [1].  This comes barely
two weeks after the revelation [2] that another, unrelated bug in IIS
permitted crackers to gain root access to sites running IIS 5.0 and
Windows 2000 -- the latest, greatest versions of Microsoft's flagship
OS and web server.

It's not exactly news that Microsoft's products are hideously
insecure; these really serious incidents are taking place against a
background that includes almost weekly announcements of some new macro
virus or attachment trojan propagated through Microsoft Outlook.  One
might almost be tempted to yawn if these bugs weren't annually costing
computer users worldwide billions of dollars worth of downtime, lost
opportunities, and skilled man-hours.

But there is something about this incident that deserves special
attention.  This most recent security hole was *not* a bug -- it was a
deliberate back door inserted by Microsoft engineers.

When Microsoft spokespeople said that the back door was "absolutely against
our policy," they were doubtless intending to be reassuring.  But on second
thought, that statement should strike fear into the heart of any MIS manager
relying on Microsoft products.  Because the inevitable next question is this:
if backdoors can find their way into Microsoft's production releases against
Microsoft's own policy, *how many more undiscovered ones are there*?

Microsoft doesn't know.  Nor does anyone else.  The only people who
could tell us are other rogue Microsoft employees like the unnamed
culprits behind today's backdoor.  And they aren't talking.

Back doors and security bugs, like cockroaches, flee the sunlight.
There is only one way for software consumers to have reasonable assurance
that they will not become victims of a back door -- open source code.
The Apache web server that IIS competes against has never had a back door,
because its code is routinely reviewed and inspected by a worldwide 
developer community alert to the possibility.  Any developer tempted
to insert one knows that it would be discovered and traced to him in
short order -- thus, it's never even been tried.

This illustrates a larger point.  When you use closed source for a
security-critical application, you must blindly trust *everyone* in the chain of
transmission -- the developers who wrote it, the company that marketed it,
and the people who made and shipped the physical media.  Bad actors or simple 
mistakes at *any* of these stages can leave you with a computer begging to be
owned by the first script kiddie who wanders along.

With open source, you have a check on the system.  You can see inside;
you know what's going on.  This changes the behavior of everyone
upstream of you; the higher probability that a bug or backdoor will be
exposed keeps them honest even *before* the code is reviewed.  If
Microsoft's IIS had been open, whoever was responsible for today's
back door would never have dared to insert it.

The few MIS managers who aren't already evaluating open-source
software need to wake up and smell the coffee.  Today's backdoor
demonstrates that Microsoft can't control its own employees well
enough to be trusted with your critical data.  More fundamentally than
that, though, it reveals how deeply foolish and dangerous it is to
rely on closed-source software for any security-critical use.

As the security advantages of open source become clearer, managers who
persist in this mistake may find they are putting their own jobs at
risk.  And deserving to lose them...

[1] <http://smallbusiness.yahoo.com/entrepreneur.html?s=smallbiz/articles/20010514/microsoft_ackno>

[2] <http://www.eeye.com/html/Research/Advisories/AD20010501.html>

(Re-distribute and publish freely.)
-- 
Eric S. Raymond <http://www.tuxedo.org/~esr/>

"The bearing of arms is the essential medium through which the
individual asserts both his social power and his participation in
politics as a responsible moral being..."
        -- J.G.A. Pocock, describing the beliefs of the founders of the U.S.
   
From:	 Bohn Christopher <cbohn@computer.org>
To:	 "'letters@lwn.net'" <letters@lwn.net>
Subject: Regarding the Caldera/SCO deal
Date:	 Thu, 10 May 2001 07:33:46 -0400


I find it just a little amusing, now that Caldera International owns
UnixWare and OpenServer, that software with a direct lineage to a Microsoft
product (XENIX) is now owned by a Linux company.

Christopher A. Bohn
   
From:	 jerry <jerry@pc-intouch.com>
To:	 letters@lwn.net
Subject: 
Date:	 Thu, 10 May 2001 12:13:29 -0700 (PDT)
Cc:	 wa6cvl@qsl.net

	Caldera's Mr Love just announced that the GPL is a Linux weakness,
and several others have agreed.
	BSD advocates have long been stressing the better copyright that
they have... Linux is NOT necessarily superior to FreeBSD, but it has a few
advantages, of which the GPL IS THE MAJOR ADVANTAGE.
	If Mr. Love wants the BSD style license, why not use FreeBSD? I
would not have a problem with that. BSD is a competent and useful OS. I
use it myself.
	This is not a very complicated issue: if you want the BSD-style
license, USE FreeBSD.
	Leave Linux alone. From a Microsoft user's point of view, Linux
and FreeBSD operate the same. The same software packages run on both. The
charm of Linux is TIED to the GPL. The sparkling differences in the Linux
attitudes, the early adoption of interfaces, the freewheeling diverse
packaging, the 180 different distributions, ARE ALL A RESULT OF GPL.
VIVA GPL...
 de Jerry Sharp

   
From:	 "Jonathan Day" <jd9812@my-deja.com>
To:	 letters@lwn.net
Subject: Thoughts about the GPL, ZDNet, et al
Date:	 Fri, 11 May 2001 06:12:13 -0700

Hi,

The first thing that ZDNet forgets are the basic rules of selling ANY
product or idea:

1) A foot in the door is worth two in the mouth.
2) You can't sell mindshare. But, without mindshare, you can't sell anything.
3) Profit is a function of actual gains versus actual expense.

The only one I need to explain is the third.

Profit = What you get - What you give to get it.

In other words, doubling what you get (eg: by selling a distribution under
a non-GPL licence) is of no value if you've also doubled what you have to
give (better promotion, better packaging, better sales department, better
tech support, etc).

If your costs increase at the same rate as your profits, you've gained
NOTHING. You're NO better off than if you'd sold a GPLed Linux for $5 in
every market stand in the country. (In fact, you'd probably end up much
richer doing that!)

Trying to sponge customers reduces your audience, and increases the amount
of effort it'd take to reach them. There IS an optimum. That optimum is
what Linux already uses. The GPL.

ZDNet is used to "classical" thinking. Thinking that brought us the wonders
of the recent energy crisis. Thinking that spawned global recession in the
80's and 90's. Thinking that brought on the Great Depression in the
30's. It's thinking that the rest of humanity doesn't need.

Jonathan Day




   
From:	 John Morris <jmorris@beau.lib.la.us>
To:	 <letters@lwn.net>
Subject: The "free flow of cryptographic information"
Date:	 Fri, 11 May 2001 14:47:46 -0500 (CDT)


I certainly hope that was sarcasm in this week's LWN history page,
because I can't see how things have changed a whit.  Three years ago all
the crypto was kept on an overseas server and had to be manually patched
into the system. This week I added crypto to my laptop. Yup, I did it by
downloading the International Crypto Patch from www.kerneli.org and
rebuilding the kernel and several of the user space tools.

Even if we can't get the actual crypto code included in mainstream
distros' kernels, I'd be real interested in knowing what reasons the
various distribution packagers give for not including the patches in the
user space tools like mount and losetup.  Those tools only need to be
built with the ability to convert the names of the cyphers into numbers
for the crypto api so there shouldn't be any export issues, especially in
this environment of a "free flow of cryptographic information".

-- 
John M.      http://www.beau.org/~jmorris        This post is 100% M$ Free!
Geek code 3.0:GCS C+++ UL++++$ P++ L+++ W++ N++ w--- Y+ 5+++ R tv- b++ e* r


   
From:	 <mschwarz@alienmystery.planetmercury.net>
To:	 letters@lwn.net
Subject: Wrong way to look at it
Date:	 Fri, 11 May 2001 15:52:19 -0500 (CDT)

In your "On The Desktop" section this week you said "Older hardware tends
to amplify the effects of slowness."

I think this is the wrong way to look at it.  Rather say "newer hardware
tends to mask the effects of poor design and excessive cruft."

I cut my programming teeth on 8-bit embedded applications; much of what I
wrote had to fit into 2716 and 2732 EPROMs (2k and 4k respectively).  You
learn not to waste there.

One of the most amazing feats of software design was Visicalc.  The 6502
was an incredibly limited processor.  And yet the whole class of
"spreadsheet" applications was created within those limits.  Look at how
much memory, disk, and CPU cycles Visicalc consumes, then compare it to MS
Excel and ask yourself if Excel really does three orders of magnitude more
for its users than Visicalc did.

I hate feeling like Abraham Simpson (I'm only 34 years old for goodness'
sake), but too many people are too addicted to big memory, big disk, and
big clock speeds.

I use a Z80 and CP/M emulator to maintain an embedded application for a
local ham radio group.  That emulator runs eight times faster than any real
Z80!  Can you imagine how fast software would be if the same rigor were
applied to today's software as was applied then?  Of course, there are
whole classes of application that you couldn't write without the faster
speeds.  I'd hate to do 3d rendering on 1MHz 6502!  But such programs are
not the bloatware.  They are still constrained, so their authors still
strive for every cycle and every byte.

My overwhelming reaction to the most recent KDE release was "My God, they
really slowed this down!"  The advantage is, with Free Software, you can
find the bottlenecks that really bug you, and do something about it.

Anyways, my point is that at least some thought should be put into size and
speed efficiency.  I think people make a big mistake when they buy
powerful machines for software development.  I do most of my programming
on a 200MHz machine.  If it runs well there, it'll blind people on 1G
Athlons!

--
Michael A. Schwarz
mschwarz@sherbtel.net


   
From:	 James Dixon <jdixon@mail.westco.net>
To:	 letters@lwn.net
Subject: Dell and Linux
Date:	 Sat, 12 May 2001 13:23:52 -0400 (EDT)


Quoting from your "Three years ago.." section:

>   Dell claimed that none of their customers wanted Linux in this ZDNet
>   article. LWN received an open letter from Jim Dennis to Dell telling
>   them that their customers were already using Linux on Dell computers.
>   Dell still isn't completely convinced. To this day the main Dell site
>   does not mention Linux and won't even point you to the Dell Linux
>   site.

Oh, I think Dell is convinced.  See this quote from Michael Dell's
keynote speech at the Linux World Expo last year:

 "Linux has grown from about four percent of all Dell servers
  sold in the first quarter of 1999 to almost ten percent of all
  servers sold in the first quarter of this year."

Assuming normal Linux growth rates, we can guess that Linux accounts
for roughly 15-20% of Dell server sales at this time.

However, they have a problem.  Microsoft based systems still account
for the remaining 80-95% of server sales and 95% of personal computer
sales.  If they highlight their Linux systems, they alienate
Microsoft.  Michael Dell is not about to take that risk.  He knows
how vindictive Microsoft can be, and he has employees and shareholders
to worry about.  Aggravating Microsoft is not in their best interest.
For this simple reason, it will still be a few years till Dell can
safely highlight their Linux systems.  Expect them to remain low
profile in the meantime.

James Dixon
jdixon@pobox.com
 

 

 
Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds