See also: last week's Letters page.

Letters to the editor

From:	 kevin lyda <kevin@suberic.net>
To:	 letters@lwn.net
Subject: linux is a virgo...
Date:	 Thu, 7 Jun 2001 10:50:49 -0400

on the whole i think ballmer's comments - and any other comments by ms
on free software - should be ignored.  obviously facts should be stated
where lies have been offered, but that should be enough.

however, one fact has not been corrected in most accounts i've read:
linux is not a cancer, it's a virgo.  linux was released on august the
25th, 1991.

personally i would love to hear of the following exchange:

reporter: mr. ballmer, were you aware linux was released on the 25th of
          august, 1991?
mr. ballmer: yes.  ok.  whenever.
reporter: then why did you say it was a cancer?
mr. ballmer: er...
reporter: do you use astrology a lot in your business decision making?

kevin

From:	 tet@accucard.com
To:	 Tres Melton <class5@pacbell.net>
Subject: Re: License trouble everywhere.
Date:	 Thu, 07 Jun 2001 12:24:56 +0100
Cc:	 letters@lwn.net


Tres Metlon writes:

> The only places that I would forgo this freedom is in the area of
> security.

This is the one place, above all others, where it's absolutely
*essentail* to have that freedom. Not doing so places you at the
mercy of the vendor, whether that be Dan Bernstein, Linux Torvalds,
or some nameless corporation. If a security flaw is found, you need
the right to modify the code and distribute the changes to guard
against a lack of responsiveness from your vendor. And sisnce you have
the source, you can always audit the changes yourself, or if you lack
the skill or desire, pay a third party to do the audit for you.

Tet

From:	 Tres Melton <class5@pacbell.net>
To:	 tet@accucard.com
Subject: Re: License trouble everywhere.
Date:	 Thu, 07 Jun 2001 16:38:14 -0600
Cc:	 letters@lwn.net, djb@cr.yp.to

tet@accucard.com wrote:

 
> This is the one place, above all others, where it's absolutely
> *essentail* to have that freedom. Not doing so places you at the
> mercy of the vendor, whether that be Dan Bernstein, Linux Torvalds,
> or some nameless corporation. If a security flaw is found, you need
> the right to modify the code and distribute the changes to guard
> against a lack of responsiveness from your vendor. And sisnce you have
> the source, you can always audit the changes yourself, or if you lack
> the skill or desire, pay a third party to do the audit for you.
> 
> Tet

I understand your point of view, completely.  I think it has more 
relevence to Microsoft products than to others that come with source. 
DJB's programs come with source, come with a license provision that 
allows changes to be made and allows those changes to be distributed in 
'patch' form.  If you look at the history of his programs security, to 
my knowledge, has never been compromised.  If you look at his WWW page 
for qmail he lists several patches that are available to filter spam and 
add extra functionality but since he has not thoroughly audited the 
code, and more importantly
they provide functions that are not within the scope of the relevent 
RFC's, he has limited their distribution to patches against his original 
source.  As far as vendor responsiveness is concerned, I suggest that 
you first find a security flaw and then see how responsive he is.

Tres

From:	 "David A. Wheeler" <dwheeler@dwheeler.com>
To:	 letters@lwn.net
Subject: Re: License trouble everywhere.
Date:	 Thu, 7 Jun 2001 11:03:40 -0400

Mr. Bernstein and some others have stated that they don't want modified
versions of their programs being distributed on the Internet without their
blessing.  However, by prohibiting free redistribution, their code
is no longer open source nor free software.

Thankfully, there are at least two simple, well-established legal tools
that can be used to meet both needs: trademarks and certification marks.
To use a trademark, just trademark the name of the program, and state that
modified redistributions may not use the name without permission
(without permission, they'll have to use a different name).
For example, Red Hat (http://www.redhat.com/about/corporate/trademark) and
Abiword (http://www.abiword.org/tm_guide.phtml) do this, and the
open source definition (point 4) _explicitly_ permits this.
To use a certification mark, create a certification mark and attach it
only to "blessed" programs.  Certification
marks let unblessed modified programs use the same name, but users then
have to look for the certification mark if they want a "blessed" version.

So that people can follow the rules, make sure you
put information about this in the program documentation
(and, if you're using a trademark, suggest types of names that are preferred
for unblessed versions).  You don't need to change the license -- in fact,
changing the GPL or LGPL license would make the code incompatible with other
LGPL/GPL software.  Instead, you just have to note the existence of
the trademark/certification mark and explain what that means.

You can also include prohibiting the use of certain names in the license
itself.  Apache does this (http://www.apache.org/LICENSE-1.1), but
according to some this creates an incompatibility with other software.

Of course, a cracker can ignore the legalese and distribute an unmarked
infected program.. but they can do that with licenses that
prohibit modification, too.

This way, developers can make sure that users know what they're getting,
while the program remains open source/free software.

A caveat: I'm not a lawyer.  But the use of trademarks in particular
is well-established practice, by organizations who DO have lawyers.

From:	 dps@io.stargate.co.uk
To:	 letters@lwn.net
Subject: Non-modification licences and security
Date:	 Fri, 8 Jun 2001 00:03:41 +0100

If one claims that modification restrictions are required for security,
I think they are missing the point. What is required is control over the
"official" version and people not being able to prevent trojanised versions
as the original or mainstream versions.

My checkps package is obviously in need of this control becuse it runs as
root and when it reacts your system has been cracked. Obviously trusting
almost anything is presumably a bug... in fact I hope that smart admins
will spot nything I missed. Source control is easy---my official versions
have seperate PGP signatures and I keep the keys required to generate
an official signture to myself.

(If I m unable to distingish between insecure and secure patches then
you would be well advised to avoid my security software. I like to
imgine checkps is paranoid enough to scupper all attempts to exxploit
it. Being open source the curious can examine the code to gauge the
reliability of my assertion...)

From:	 Chris Lawrence <chris@lordsutch.com>
To:	 Tres Melton <class5@pacbell.net>, letters@lwn.net, djb@cr.yp.to,
	 rms@stallman.org
Subject: Licensing (from LWN)
Date:	 Thu, 7 Jun 2001 20:52:37 -0500

I think the central goal of assuring end-users that they have the
"real McCoy" version of free/nearly-free software, that has been
audited by the author or some other source, can be accomplished a
number of ways:

- Licensing: Only permit limited redistribution.  DJB and Pine take
this approach.

- Trademarks: The AbiWord developers only permit releases of their
GPLed software that they build to carry the AbiWord name and certain
proprietary logos.  Ximian may fall into this camp too, but their
policy is more ambiguous, I think.

- Digital Signatures: The builder/distributor can sign the archived
software in some way (usually with GnuPG/PGP).  Ximian does this too;
many providers of RPMs sign packages; Debian signs release information
and is going to start signing packages too.  If the signature isn't
from the distributor, or there is no signature, you don't trust it.

None of these approaches will stop a determined person from
distributing non-real-McCoy software; I could put build binaries from
modified versions of DJB's sources and stick them in Freenet, and
probably live to tell about it, and at least one person has modified
Pine sources and binaries packaged for Debian on a website.  The
trademark approach is also problematic; people will often just
misappropriate trademarks (www.helixcode.co.uk to name one example).
Signatures have the best chance of working, but only if end-users or
adminstrators care who built the package (presumably they do if they
are security-conscious).  The latter two approaches do have the
advantage (or disadvantage, if you're the Pine folks or DJB) of
allowing scrupulous distributors to distribute the software, albeit in
modified form.

I think the real question is whether people benefit more from limited
distribution with no changes or unlimited distribution with possible
deviations from the initial author's intent (including possibly the
always-dreaded fork).  As a Debian developer (not speaking for the
project), I tend to think that the latter is preferable to the former.
There are reasonable licensing restrictions that can be made to
alleviate upstream concerns about frivolous support problems caused by
the distributor (forced renaming of modified versions; requiring
modified versions to include distributor support information instead
of upstream's, etc.) without foreclosing all modification.  Similarly,
concerns about package layout on different systems can be alleviated
through symbolic links.  I think we all benefit when more people can
hack on and use software, and truly free (open source) licenses help
ensure this freedom.


Chris
-- 
Chris Lawrence <chris@lordsutch.com> - http://www.lordsutch.com/chris/

From:	 andrew@pimlott.ne.mediaone.net (Andrew Pimlott)
To:	 Charles Hethcoat <CHETHCOA@oss.oceaneering.com>
Subject: Re: On the auditing of free software
Date:	 Thu, 7 Jun 2001 12:30:08 -0400
Cc:	 letters@lwn.net

Charles Hethcoat wrote:

> I think your outlook on auditing of code is a tad pessimistic.

It's hard to observe the state of computer security without becoming
pessimistic.

> Sure, code may sit there for years, but I feel it probably gets
> the attention that it warrants.  That is, if it gets little
> attention, then it's probably doing its job pretty well.

This is a dangerous fallacy, if you're talking about security
auditing.  "Doing its job" usually means that the common codepaths
work with common inputs.  Security holes typically involve uncommon
codepaths and unusual inputs.  We should have learned this lesson:
many free software packages have "done the job" for years, all the
while sporting serious vulnerabilities.

Open code may encourage auditing, but you're under illusions if you
think that more than a small fraction of security-relevant free
software has received the equivalent of a thorough audit.

> Having open code helps assure that the number of bugs steadily
> approaches zero over time.

This is a risible assertion--see http://bugs.debian.org/ (down right
now--due to hardware failure, not bugs!) for starters.  The only
method I know for achieving this is to have Donald Knuth write the
software.

> Look at how the immortal DOS and Windows bugs remain a part of the
> landscape forever, even though they are widely known to have
> caused all sorts of problems for people.

You have highly selective vision.  Read the SANS Top Ten
(http://www.sans.org/topten.htm) and cry.

Andrew

From:	 Steve Jorgensen <stevej@intertecservices.com>
To:	 "'letters@lwn.net'" <letters@lwn.net>
Subject: Comment in response to "Linux gladiators duel for desktop crown (ADTMag.com)"
Date:	 Fri, 8 Jun 2001 11:36:36 -0700

Following your link to "Linux gladiators duel for desktop crown 
(ADTMag.com)" and seeing that they have no kind of "talk back" feature, I 
thought I would post a reponse to you instead.

One thing that was left out of the comparison between GNOME and KDE is that 
there still is a Qt licensing issue with KDE, and it is of more than simple 
philosophical consequence.  I am working with a team desiring to produce a 
powerful, general-purpose, GPL-licensed database front end program that 
will run on both Linux and Windows.

The X version of Qt is free software, but the Windows UI version is not, so 
using KDE as a framework will not be an option for us.  We have, thus, had 
no choice but to use GNOME instead.  I think others wanting to develop 
GPL-licensed, cross-platform software will be coming to the same 
conclusion.

Note that I am not a rabid idealist, and I like KDE.  I just can't use it 
for what I'm trying to do because of the remaining Qt license conflicts.

From:	 Marcin Krol <mark@btweng.krakow.pl>
To:	 letters@lwn.net
Subject: Open source and common mistake of naive economics
Date:	 Mon, 11 Jun 2001 12:10:04 +0200

Hello LWN,

I wanted to point to a problem related to open source
and its economics that is frequently misunderstood
and important at the same time. In June 7th edition of
LWN in Security section you quote (I believe) Kaladix
developer:

"I am aware that it is not possible to relicense GPL
licensed software. Taking into respect that I do not
like companies that make money from my work, I thought
of licensing Kaladix Linux free for non-commercial
use according to the following assumption: [...]"

The above line of reasoning is oft-repeated fallacy.

Anybody who sells proprietary, closed-source
modified version B of program A is only able
to sell it for the sake of modifications made;
otherwise there's no point in buying/using
B at all, since A is available for $0, with
source code.

Typically, nobody moves A out of reach of public
by modifying A to B and selling B (note: it doesn't
even matter whether modified source code is available
or not). If so, the only thing that this company or
person makes money on is his own added value.




Regards,

Marcin Krol

From:	 Joe Klemmer <klemmerj@webtrek.com>
To:	 <letters@lwn.net>
Subject: Linux Handhelds
Date:	 Thu, 7 Jun 2001 16:19:04 -0400 (EDT)


	I just wanted to write a little about the Agenda VR3 that just
arrived in my hot-little-hands a couple of days ago.  This shouldn't be
considered a review, per se, but more of one man's experience.

	The VR3 is one cute little thing and it really is fun watching X
boot up on it.  The GUI isn't bad at all, FLTK is a nice and crisp toolkit
for X and it is small.  Having an xterm is definitely very cool.  The next
thing to do is to try and run an app off of the VR3 on my linux desktop.
:-)

	The only major down side to the thing is that Agenda should have
picked a much heftier processor for it.  The 66 MHz chip in there is darn
right pokey.  Think of running X on a 386 with 16 meg RAM (for those of
you old enough to have actually done this with Linux).

	The handwriting recognition doesn't work the way the manual says
but it does work, though I found it faster to use the on screen keyboard
for most of the stuff.  I haven't tried the sound part of things but I'm
an aboration, it seems, in that I don't care for MP3 players or any of
that stuff.

	Having seen PocketLinux running at last years ALS and seeing the
VR3 now I do think that the future for Linux PDA's is bright.  I don't
know if they will replace PalmOS PDA's anytime soon, though, but it looks
like they're off to a decent start.

---
If I actually _could_ spell I'd have spelled it right in the first place.

From:	 Dominic Mitchell <dom@semantico.com>
To:	 letters@lwn.net
Subject: Linux and the Palm Pilot
Date:	 Thu, 7 Jun 2001 10:13:25 +0100

I'd like to point out that you missed one useful tool for connecting
your palm pilot: coldsync <URL:http://www.ooblick.com/software/coldsync/>.

This is a command line tool, but it is very handy for quick backups as
well as syncing.  It's more of a "bare-bones" tool, you may have to
write your own scripts to get things done the way you want, but it's
very flexible and independent of pilot-link.

It also supports the Visor USB connection (but not, alas my new CLIE :-(  ).

-Dom

-- 
| Semantico: creators of major online resources          |
|       URL: http://www.semantico.com/                   |
|       Tel: +44 (1273) 722222                           |
|   Address: 33 Bond St., Brighton, Sussex, BN1 1RD, UK. |

From:	 Phil Cameron <pcameron@crescentnetworks.com>
To:	 letters@lwn.net
Subject: Kpilot Visor Mandreake 8.0
Date:	 Fri, 08 Jun 2001 09:42:58 -0400

Kpilot supports the Visor in Mandrake 8.0. I have been using it for a
couple of weeks now. I performed a backup and several syncs. You have to
start kpilot and hit the sync button at the same time for it to work.
Otherwise it just hangs.

phil

From:	 "Bryan O'Sullivan" <bos@serpentine.com>
To:	 letters@lwn.net
Subject: GTK+ text anti-aliasing support
Date:	 Thu, 7 Jun 2001 14:07:54 -0700

As a footnote to your article this week, it's worth pointing out that
both Jacob Berkman and I released patches to support Xft text
anti-aliasing under GTK+ 1.2 at the beginning of this year.  The
initial work is easy (obviously, since there are at least three
separate, independent patches out there); fixing broken GTK+
applications that do their own text rendering is a pain.

With GNOME 2.0 slouching towards Bethlehem, the level of motivation
needed to really tidy up and polish these patches into a coherent
whole is higher than any of us seems able to muster, alas.

	<b

From:	 Matt Dillon <dillon@earth.backplane.com>
To:	 letters@lwn.net
Subject: For Letters to the editor, re: "Is BSD getting lost amid the open source salvos?"
Date:	 Tue, 12 Jun 2001 18:10:36 -0700 (PDT)

    I feel compelled to comment on this ZDNet piece which showed up on
    LWN's Daily Updates page, because I think it approaches the issue of
    BSD, GPL and Microsoft from a fundamentally flawed direction... it
    considers them in opposition but I have only seen this from the fringe
    community.  I have never seen any such manifestation in the vast majority
    of programmers (except may you know who) who work on GPLd and BSD
    projects.  The copyright an author puts on his own work is simply a
    personal preference, nothing more.  I have never once seen the type
    of copyright prevent an open source author from contributing to a
    project he has an interest in.  Many linux authors contribute to the
    FreeBSD kernel and many FreeBSD authors help support the linux kernel.
    There is far more collaboration between the alleged 'camps' then
    is implied by press accounts, perhaps because those of us who do a lot
    of programming also tend to do less talking.  Or we try, anyway. 
    It is lost on many people that a huge portion of what makes up a BSD
    system is GPLd, just not certain core pieces.  A good 20 or 30% of
    the utilities and probably 80% (my guess) of the largest utilities
    are GNU and other vendor imports into our CVS tree.  Over 13MB of the
    source code in our tree is gnu alone, and another 130MB is contributory
    (mostly GPLd, like GCC).  The rest is BSD.  Whoopie, big deal.

    In terms of BSD being more commercial friendly then GNU... well, that is
    certainly true on a relative scale.  I even argue the point myself
    sometimes... but we are in total agreement that GPL does not particularly
    handcuff commercial interests.  Most commercial interests can use GPL'd
    code just as easily as they can use BSD code without having to worry
    about the copyright. 

    In regards to forcing more open standards, my opinion... and keep in
    mind that this is just my opinion, is that a BSD style license has as
    great an impact on pushing commercial interests to use open standards
    as the GPL does, it just goes about it in a different way.  You have
    to ask the question: Why would a company use open source in the first
    place verses building it themselves?  The answer is usually because
    they don't want to spend the resources building it themselves.  Well,
    just because a company can hide modified BSD code does not mean they
    are now suddenly willing to spend an enormous amount of resources
    making fundamental changes to aid code when they weren't willing to
    write the program from scratch in the first place!  The same reasoning
    applies, which is why you see a company like Microsoft 'steal'
    Kerberos but then use it almost verbatim, despite having tens of
    billions of dollars of cash lying around that could easily fund a
    complete replacement (hmmm... of course, finding sufficient talent
    might not be so easy even with billions of dollars, eh?).  Kerberos
    forced MS to go 95% of the way to an open-source solution, which is
    better then the 0% we would have gotten if Kerberos had been GPL'd. 
    And now that MS has done it, they have to support it.  Look at
    TCP/IP - Microsoft is being forced to essentially throw away a
    decades worth of proprietary networking protocols and use an open
    standard, and the GPL has nothing to do with the reason why.  LDAP,
    DBMS, etc etc etc... they all have similar effects and as much as MS
    tries to proprietize them, the simple truth is that they fail much
    more often then they succeed.  Even when they succeed it is usually
    by playing dirty tricks (like intentionally degrading MP3 audio in their
    player to force people to use their own formats) and has little to do
    with copyrights.

    My personal favorite is BSD, for the reasons above and because I don't
    really care if someone makes money off my code -- I am under no illusion
    that I can stop people from abusing my code no matter the copyright
    so I might as well not worry about it.  More power to them I say! 
    I get what I want, they get what they want.  Everyone is happy.  But, hey,
    that's just my personal preference and it certainly does not prevent me
    from pushing into conversations on linux-mm and other linux groups from
    time to time, nor does it prevent me from using or contributing to GPL'd
    code, or writing it (I wrote one of the original replacements for Vixie
    cron under Linux, called dcron!).  I like Linux too, but there are
    only 24 hours in the day and I need at least a few to sleep!

    Those of us associated with the BSD project know that Linux pushes our
    cause as much as it pushes its own.  Open source is open source, after
    all, and Linux is essentially UNIX no matter what the fringe elements
    say - open source projects compile up (natively) on FreeBSD as easily
    as it does on linux and we have our linux emulation for binary-only
    distributions!   KDE?, GNome?, Samba? yup... got all that, and a spiffy
    cool ports system that makes them easy to build and install too!

    Linux has the moment, and the momentum in the press, but it certainly
    isn't pulling developers away from the other BSD projects.  Everything
    is growing together in the open-source movement.  I see no reason to
    try to split the world's attention and neither do most other BSD focused
    developers.  We all win either way and that, perhaps, is one reason why
    we don't speak up as much as we could.  Linus speaks for us too!

						-Matt

From:	 deivu@tomigaya.shibuya.tokyo.jp (David Moles)
To:	 letters@lwn.net
Subject: Nine reasons
Date:	 Thu, 14 Jun 2001 04:47:15 +0900 (JST)
Cc:	 bhenning@aboutlinux.com, david_coursey@zdnet.com


Dear editors:

David Coursey set a trap
('Want Linux on your desktop? Nine reasons to forget about it'
http://www.zdnet.com/anchordesk/stories/story/0,10738,2773365,00.html)
and I'm afraid Bill Henning fell right into it ('Linux Myths and
Mythconceptions 101' http://aboutlinux.com/art_linmyth101_a.html).
We in the Linux community have still not learned to separate
advocacy from observation and accuracy from wishful thinking. Mr
Coursey's article is not always a model of clear reasoning, but
Mr Henning's response will do little more than to strengthen Mr
Coursey's opinions on Linux 'zealotry'.

The first point Mr Coursey makes in his editorial is a bit
convoluted but comes down to saying that Linux is not ready for
the desktop and until it is ready for the desktop there'll be no
financial incentive for companies to *make* it ready for the
desktop. Mr Henning's response is to say that Linux *is* ready
for the desktop, and this demonstrates that financial incentive
isn't necessary to make it so.

While I think in the long run Mr Henning's second assertion --
that good software can be developed outside of corporate labs --
will prove to be correct, I have to disagree with his first. Not
so much because Gnome and KDE aren't good user environments --
they are, or at least can be configured to be (see the Sun
usability tests at
http://developer.gnome.org/projects/gup/usabilitytests.html ) --
but because Mr Coursey is dead right about the applications.

The examples Mr Henning cites are telling: WordPerfect Office,
StarOffice, Kylix. (I confess to being unsure which AppGen he's
talking about.) Every one of those came out of a corporate lab;
and Kylix is a developer's tool, not a desktop application.
WordPerfect Office and StarOffice are both missing crucial
features for hard-core office users (MS Word's outline mode is
the one that's kept me tied to MS for ten years now) and have
compatibility and ease-of-use issues (font handling and printing,
for instance) as well. 'Almost-as-good-as-MS' is not going to put
Linux on the desktop of anyone but us 'zealots'. (That said, I
have high hopes for StarOffice's GPLed successor OpenOffice -- by
some time in 2003 or 2004 it might be quite nice.)

Mr Coursey also makes the point that if Linux is enough of a
threat to MS that it will spur MS to try harder to make their
customers happy, making it even more difficult for Linux to catch
up. Mr Henning's response is to claim that MS is more likely to
make their customers even unhappier than to make them happy. I
think this is going to turn out to be wishful thinking. I don't
like the idea of software rental, closed audio standards,
hardware-locked licenses, or appropriation of my email copyright
any more than Mr Henning does. However, with the exception of the
last -- which, as Mr Henning admits, MS has already given up on
-- I don't think the average desktop user claims about the first
three at all. Hardware-locked licenses aren't a problem to
someone (be they an individual or a company) who replaces
machines every three years and buys a complete new set of
software with each new machine. Closed audio standards aren't a
problem if you're only sharing audio with other MS users. And
software rental is not that far from the situation MS users are
already in -- paying $200 every 18 months for a basically
unavoidable MS Office upgrade.

Many of Mr Coursey's other points are, as Mr Henning says, not
really relevant. Mr Coursey's point about the threat of Linux
becoming Balkanized, however, is something the Linux community is
going to have to work hard to avoid. We'd better hope that the
major Linux vendors (and other interested parties such as Ximian)
take Mr Henning's 'Solution #3' -- the Linux Standards Base --
seriously. His other solutions are not promising. RPMs still
can't always be relied on cross-distribution without the
occasional '--nodeps' or '--replacefiles' ('cross your fingers
and hope it doesn't break anything'), and './make; ./configure;
./install' is hardly worth laughing at. This is the *desktop
market* we're talking about.

Which comes back around to Mr Coursey's main point -- that Linux
is not, so far, ready for the desktop. It is still too complex
for anyone but a power user -- and a power user who's willing to
take the time to learn its ins and outs. (I know professional
programmers with years not only of Windows background but Solaris
as well who have given up on getting Linux to work with their
hardware.) The desktop applications are not up to snuff and not
well integrated with the desktop environments. And we have yet to
see whether the free software model (or open-source model if you
prefer) can produce complex applications that address all the
needs of non-technical users. I still have hope that some day
Linux will get to that point, but it isn't there yet.

--David Moles

P.S. I suppose there is one rather depressing 'bright side' for
Linux -- which is that Windows, with a consistently inferior user
experience, has nonetheless been able to stay far ahead of the
Macintosh among desktop users. Perhaps the Linux community can
learn something from Windows' 'success'.