Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
June 14, 2001
From: kevin lyda <kevin@suberic.net>
To: letters@lwn.net
Subject: linux is a virgo...
Date: Thu, 7 Jun 2001 10:50:49 -0400

on the whole i think ballmer's comments - and any other comments by ms on free software - should be ignored. obviously facts should be stated where lies have been offered, but that should be enough. however, one fact has not been corrected in most accounts i've read: linux is not a cancer, it's a virgo. linux was released on august the 25th, 1991.

personally i would love to hear of the following exchange:

reporter: mr. ballmer, were you aware linux was released on the 25th of august, 1991?
mr. ballmer: yes. ok. whenever.
reporter: then why did you say it was a cancer?
mr. ballmer: er...
reporter: do you use astrology a lot in your business decision making?

kevin
From: tet@accucard.com
To: Tres Melton <class5@pacbell.net>
Subject: Re: License trouble everywhere.
Date: Thu, 07 Jun 2001 12:24:56 +0100
Cc: letters@lwn.net

Tres Melton writes:
> The only places that I would forgo this freedom is in the area of
> security.

This is the one place, above all others, where it's absolutely *essential* to have that freedom. Not doing so places you at the mercy of the vendor, whether that be Dan Bernstein, Linus Torvalds, or some nameless corporation. If a security flaw is found, you need the right to modify the code and distribute the changes to guard against a lack of responsiveness from your vendor. And since you have the source, you can always audit the changes yourself, or if you lack the skill or desire, pay a third party to do the audit for you.

Tet
From: Tres Melton <class5@pacbell.net>
To: tet@accucard.com
Subject: Re: License trouble everywhere.
Date: Thu, 07 Jun 2001 16:38:14 -0600
Cc: letters@lwn.net, djb@cr.yp.to

tet@accucard.com wrote:
> This is the one place, above all others, where it's absolutely
> *essential* to have that freedom. Not doing so places you at the
> mercy of the vendor, whether that be Dan Bernstein, Linus Torvalds,
> or some nameless corporation. If a security flaw is found, you need
> the right to modify the code and distribute the changes to guard
> against a lack of responsiveness from your vendor. And since you have
> the source, you can always audit the changes yourself, or if you lack
> the skill or desire, pay a third party to do the audit for you.
>
> Tet

I understand your point of view, completely. I think it has more relevance to Microsoft products than to others that come with source. DJB's programs come with source, come with a license provision that allows changes to be made and allows those changes to be distributed in 'patch' form. If you look at the history of his programs, security, to my knowledge, has never been compromised. If you look at his WWW page for qmail he lists several patches that are available to filter spam and add extra functionality, but since he has not thoroughly audited the code, and more importantly they provide functions that are not within the scope of the relevant RFCs, he has limited their distribution to patches against his original source. As far as vendor responsiveness is concerned, I suggest that you first find a security flaw and then see how responsive he is.

Tres
From: "David A. Wheeler" <dwheeler@dwheeler.com>
To: letters@lwn.net
Subject: Re: License trouble everywhere.
Date: Thu, 7 Jun 2001 11:03:40 -0400

Mr. Bernstein and some others have stated that they don't want modified versions of their programs being distributed on the Internet without their blessing. However, by prohibiting free redistribution, their code is no longer open source nor free software.

Thankfully, there are at least two simple, well-established legal tools that can be used to meet both needs: trademarks and certification marks.

To use a trademark, just trademark the name of the program, and state that modified redistributions may not use the name without permission (without permission, they'll have to use a different name). For example, Red Hat (http://www.redhat.com/about/corporate/trademark) and AbiWord (http://www.abiword.org/tm_guide.phtml) do this, and the open source definition (point 4) _explicitly_ permits this.

To use a certification mark, create a certification mark and attach it only to "blessed" programs. Certification marks let unblessed modified programs use the same name, but users then have to look for the certification mark if they want a "blessed" version.

So that people can follow the rules, make sure you put information about this in the program documentation (and, if you're using a trademark, suggest types of names that are preferred for unblessed versions). You don't need to change the license -- in fact, changing the GPL or LGPL license would make the code incompatible with other LGPL/GPL software. Instead, you just have to note the existence of the trademark/certification mark and explain what that means. You can also include prohibiting the use of certain names in the license itself. Apache does this (http://www.apache.org/LICENSE-1.1), but according to some this creates an incompatibility with other software.

Of course, a cracker can ignore the legalese and distribute an unmarked infected program... but they can do that with licenses that prohibit modification, too.

This way, developers can make sure that users know what they're getting, while the program remains open source/free software.

A caveat: I'm not a lawyer. But the use of trademarks in particular is well-established practice, by organizations who DO have lawyers.
From: dps@io.stargate.co.uk
To: letters@lwn.net
Subject: Non-modification licences and security
Date: Fri, 8 Jun 2001 00:03:41 +0100

If one claims that modification restrictions are required for security, I think they are missing the point. What is required is control over the "official" version and people not being able to present trojanised versions as the original or mainstream versions.

My checkps package is obviously in need of this control because it runs as root and when it reacts your system has been cracked. Obviously trusting almost anything is presumably a bug... in fact I hope that smart admins will spot anything I missed.

Source control is easy---my official versions have separate PGP signatures and I keep the keys required to generate an official signature to myself. (If I'm unable to distinguish between insecure and secure patches then you would be well advised to avoid my security software. I like to imagine checkps is paranoid enough to scupper all attempts to exploit it. Being open source the curious can examine the code to gauge the reliability of my assertion...)
From: Chris Lawrence <chris@lordsutch.com>
To: Tres Melton <class5@pacbell.net>, letters@lwn.net, djb@cr.yp.to, rms@stallman.org
Subject: Licensing (from LWN)
Date: Thu, 7 Jun 2001 20:52:37 -0500

I think the central goal of assuring end-users that they have the "real McCoy" version of free/nearly-free software, that has been audited by the author or some other source, can be accomplished a number of ways:

- Licensing: Only permit limited redistribution. DJB and Pine take this approach.
- Trademarks: The AbiWord developers only permit releases of their GPLed software that they build to carry the AbiWord name and certain proprietary logos. Ximian may fall into this camp too, but their policy is more ambiguous, I think.
- Digital Signatures: The builder/distributor can sign the archived software in some way (usually with GnuPG/PGP). Ximian does this too; many providers of RPMs sign packages; Debian signs release information and is going to start signing packages too. If the signature isn't from the distributor, or there is no signature, you don't trust it.

None of these approaches will stop a determined person from distributing non-real-McCoy software; I could build binaries from modified versions of DJB's sources and stick them in Freenet, and probably live to tell about it, and at least one person has modified Pine sources and binaries packaged for Debian on a website. The trademark approach is also problematic; people will often just misappropriate trademarks (www.helixcode.co.uk to name one example). Signatures have the best chance of working, but only if end-users or administrators care who built the package (presumably they do if they are security-conscious). The latter two approaches do have the advantage (or disadvantage, if you're the Pine folks or DJB) of allowing scrupulous distributors to distribute the software, albeit in modified form.

I think the real question is whether people benefit more from limited distribution with no changes or unlimited distribution with possible deviations from the initial author's intent (including possibly the always-dreaded fork). As a Debian developer (not speaking for the project), I tend to think that the latter is preferable to the former. There are reasonable licensing restrictions that can be made to alleviate upstream concerns about frivolous support problems caused by the distributor (forced renaming of modified versions; requiring modified versions to include distributor support information instead of upstream's, etc.) without foreclosing all modification. Similarly, concerns about package layout on different systems can be alleviated through symbolic links.

I think we all benefit when more people can hack on and use software, and truly free (open source) licenses help ensure this freedom.

Chris
--
Chris Lawrence <chris@lordsutch.com> - http://www.lordsutch.com/chris/
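The signature approach in Chris Lawrence's letter, like the PGP-signed "official versions" dps describes, only works if the verifier checks who signed, not merely that some signature verifies. The following is an added example, not code from either letter: a small Python policy that reads gpg's machine-readable --status-fd output and accepts a package only when the VALIDSIG fingerprint matches a pinned distributor key; the fingerprints, key IDs and status lines are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fingerprints of the keys we accept as "the distributor".  These are
# constructed placeholder values, not any real project's keys.
TRUSTED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

_STATUS_LINE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Verdict:
    trusted: bool
    reason: str
    fingerprint: Optional[str] = None


def parse_status(text: str) -> Dict[str, List[str]]:
    """Map each [GNUPG:] keyword to the arguments of its first occurrence.

    gpg writes these lines to the --status-fd descriptor; anything else
    (warnings, the human-readable 'Good signature from ...') is ignored.
    """
    found: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _STATUS_LINE.match(line.strip())
        if m and m.group(1) not in found:
            found[m.group(1)] = (m.group(2) or "").split()
    return found


def evaluate(status_text: str, trusted=TRUSTED_FINGERPRINTS) -> Verdict:
    """Accept only a good signature whose key fingerprint is pinned."""
    found = parse_status(status_text)
    if "NO_PUBKEY" in found:
        return Verdict(False, "signed by a key we do not have")
    if "BADSIG" in found or "ERRSIG" in found:
        return Verdict(False, "signature does not verify")
    for kw in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
        if kw in found:
            return Verdict(False, f"signature made with an unusable key ({kw})")
    if "VALIDSIG" not in found:
        # Covers NODATA (no signature at all) and empty output alike.
        return Verdict(False, "no verified signature present")
    args = found["VALIDSIG"]
    # args[0] is the fingerprint of the (sub)key that signed; args[9], when
    # present, is the primary key fingerprint.  Either may be the pinned one.
    candidates = [args[0].upper()] + ([args[9].upper()] if len(args) >= 10 else [])
    for fpr in candidates:
        if fpr in trusted:
            return Verdict(True, "valid signature from a pinned distributor key", fpr)
    # A cryptographically valid signature from *some* key proves nothing:
    # whoever rebuilt the package can sign it with their own key.
    return Verdict(False, "valid signature, but not from a pinned key", candidates[0])


# Constructed sample outputs of `gpg --status-fd 1 --verify pkg.tgz.sig pkg.tgz`.
SAMPLE_DISTRIBUTOR = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Distributor <releases@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2001-06-07 991900000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
"""
SAMPLE_REBUILDER = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Somebody Else <rebuild@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2001-06-08 991986400 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED
"""
SAMPLE_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1122334455667788 17 2 00 991986400 9
[GNUPG:] NO_PUBKEY 1122334455667788
"""
SAMPLE_UNSIGNED = "[GNUPG:] NODATA 1\n"

if __name__ == "__main__":
    for name, sample in [("distributor", SAMPLE_DISTRIBUTOR), ("rebuilder", SAMPLE_REBUILDER),
                         ("unknown key", SAMPLE_UNKNOWN_KEY), ("unsigned", SAMPLE_UNSIGNED)]:
        print(f"{name:12s} -> {evaluate(sample)}")
```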
From: andrew@pimlott.ne.mediaone.net (Andrew Pimlott)
To: Charles Hethcoat <CHETHCOA@oss.oceaneering.com>
Subject: Re: On the auditing of free software
Date: Thu, 7 Jun 2001 12:30:08 -0400
Cc: letters@lwn.net

Charles Hethcoat wrote:
> I think your outlook on auditing of code is a tad pessimistic.

It's hard to observe the state of computer security without becoming pessimistic.

> Sure, code may sit there for years, but I feel it probably gets
> the attention that it warrants. That is, if it gets little
> attention, then it's probably doing its job pretty well.

This is a dangerous fallacy, if you're talking about security auditing. "Doing its job" usually means that the common codepaths work with common inputs. Security holes typically involve uncommon codepaths and unusual inputs. We should have learned this lesson: many free software packages have "done the job" for years, all the while sporting serious vulnerabilities. Open code may encourage auditing, but you're under illusions if you think that more than a small fraction of security-relevant free software has received the equivalent of a thorough audit.

> Having open code helps assure that the number of bugs steadily
> approaches zero over time.

This is a risible assertion--see http://bugs.debian.org/ (down right now--due to hardware failure, not bugs!) for starters. The only method I know for achieving this is to have Donald Knuth write the software.

> Look at how the immortal DOS and Windows bugs remain a part of the
> landscape forever, even though they are widely known to have
> caused all sorts of problems for people.

You have highly selective vision. Read the SANS Top Ten (http://www.sans.org/topten.htm) and cry.

Andrew
From: Steve Jorgensen <stevej@intertecservices.com>
To: "'letters@lwn.net'" <letters@lwn.net>
Subject: Comment in response to "Linux gladiators duel for desktop crown (ADTMag.com)"
Date: Fri, 8 Jun 2001 11:36:36 -0700

Following your link to "Linux gladiators duel for desktop crown (ADTMag.com)" and seeing that they have no kind of "talk back" feature, I thought I would post a response to you instead.

One thing that was left out of the comparison between GNOME and KDE is that there still is a Qt licensing issue with KDE, and it is of more than simple philosophical consequence. I am working with a team desiring to produce a powerful, general-purpose, GPL-licensed database front end program that will run on both Linux and Windows. The X version of Qt is free software, but the Windows UI version is not, so using KDE as a framework will not be an option for us. We have, thus, had no choice but to use GNOME instead. I think others wanting to develop GPL-licensed, cross-platform software will be coming to the same conclusion.

Note that I am not a rabid idealist, and I like KDE. I just can't use it for what I'm trying to do because of the remaining Qt license conflicts.
From: Marcin Krol <mark@btweng.krakow.pl>
To: letters@lwn.net
Subject: Open source and common mistake of naive economics
Date: Mon, 11 Jun 2001 12:10:04 +0200

Hello LWN,

I wanted to point to a problem related to open source and its economics that is frequently misunderstood and important at the same time. In the June 7th edition of LWN, in the Security section, you quote (I believe) the Kaladix developer:

"I am aware that it is not possible to relicense GPL licensed software. Taking into respect that I do not like companies that make money from my work, I thought of licensing Kaladix Linux free for non-commercial use according to the following assumption: [...]"

The above line of reasoning is an oft-repeated fallacy. Anybody who sells a proprietary, closed-source modified version B of program A is only able to sell it for the sake of the modifications made; otherwise there's no point in buying/using B at all, since A is available for $0, with source code. Typically, nobody moves A out of reach of the public by modifying A to B and selling B (note: it doesn't even matter whether the modified source code is available or not). If so, the only thing that this company or person makes money on is his own added value.

Regards,
Marcin Krol
From: Joe Klemmer <klemmerj@webtrek.com>
To: <letters@lwn.net>
Subject: Linux Handhelds
Date: Thu, 7 Jun 2001 16:19:04 -0400 (EDT)

I just wanted to write a little about the Agenda VR3 that just arrived in my hot-little-hands a couple of days ago. This shouldn't be considered a review, per se, but more of one man's experience.

The VR3 is one cute little thing and it really is fun watching X boot up on it. The GUI isn't bad at all, FLTK is a nice and crisp toolkit for X and it is small. Having an xterm is definitely very cool. The next thing to do is to try and run an app off of the VR3 on my linux desktop. :-)

The only major down side to the thing is that Agenda should have picked a much heftier processor for it. The 66 MHz chip in there is darn right pokey. Think of running X on a 386 with 16 meg RAM (for those of you old enough to have actually done this with Linux). The handwriting recognition doesn't work the way the manual says but it does work, though I found it faster to use the on screen keyboard for most of the stuff. I haven't tried the sound part of things but I'm an aberration, it seems, in that I don't care for MP3 players or any of that stuff.

Having seen PocketLinux running at last year's ALS and seeing the VR3 now I do think that the future for Linux PDAs is bright. I don't know if they will replace PalmOS PDAs anytime soon, though, but it looks like they're off to a decent start.

---
If I actually _could_ spell I'd have spelled it right in the first place.
From: Dominic Mitchell <dom@semantico.com>
To: letters@lwn.net
Subject: Linux and the Palm Pilot
Date: Thu, 7 Jun 2001 10:13:25 +0100

I'd like to point out that you missed one useful tool for connecting your palm pilot: coldsync <URL:http://www.ooblick.com/software/coldsync/>. This is a command line tool, but it is very handy for quick backups as well as syncing. It's more of a "bare-bones" tool, you may have to write your own scripts to get things done the way you want, but it's very flexible and independent of pilot-link. It also supports the Visor USB connection (but not, alas, my new CLIE :-( ).

-Dom
--
| Semantico: creators of major online resources |
| URL: http://www.semantico.com/ |
| Tel: +44 (1273) 722222 |
| Address: 33 Bond St., Brighton, Sussex, BN1 1RD, UK. |
From: Phil Cameron <pcameron@crescentnetworks.com>
To: letters@lwn.net
Subject: Kpilot Visor Mandrake 8.0
Date: Fri, 08 Jun 2001 09:42:58 -0400

Kpilot supports the Visor in Mandrake 8.0. I have been using it for a couple of weeks now. I performed a backup and several syncs. You have to start kpilot and hit the sync button at the same time for it to work. Otherwise it just hangs.

phil
From: "Bryan O'Sullivan" <bos@serpentine.com>
To: letters@lwn.net
Subject: GTK+ text anti-aliasing support
Date: Thu, 7 Jun 2001 14:07:54 -0700

As a footnote to your article this week, it's worth pointing out that both Jacob Berkman and I released patches to support Xft text anti-aliasing under GTK+ 1.2 at the beginning of this year. The initial work is easy (obviously, since there are at least three separate, independent patches out there); fixing broken GTK+ applications that do their own text rendering is a pain. With GNOME 2.0 slouching towards Bethlehem, the level of motivation needed to really tidy up and polish these patches into a coherent whole is higher than any of us seems able to muster, alas.
From: Matt Dillon <dillon@earth.backplane.com>
To: letters@lwn.net
Subject: For Letters to the editor, re: "Is BSD getting lost amid the open source salvos?"
Date: Tue, 12 Jun 2001 18:10:36 -0700 (PDT)

I feel compelled to comment on this ZDNet piece which showed up on LWN's Daily Updates page, because I think it approaches the issue of BSD, GPL and Microsoft from a fundamentally flawed direction... it considers them in opposition but I have only seen this from the fringe community. I have never seen any such manifestation in the vast majority of programmers (except maybe you know who) who work on GPLd and BSD projects. The copyright an author puts on his own work is simply a personal preference, nothing more. I have never once seen the type of copyright prevent an open source author from contributing to a project he has an interest in. Many Linux authors contribute to the FreeBSD kernel and many FreeBSD authors help support the Linux kernel. There is far more collaboration between the alleged 'camps' than is implied by press accounts, perhaps because those of us who do a lot of programming also tend to do less talking. Or we try, anyway.

It is lost on many people that a huge portion of what makes up a BSD system is GPLd, just not certain core pieces. A good 20 or 30% of the utilities and probably 80% (my guess) of the largest utilities are GNU and other vendor imports into our CVS tree. Over 13MB of the source code in our tree is gnu alone, and another 130MB is contributory (mostly GPLd, like GCC). The rest is BSD. Whoopie, big deal.

In terms of BSD being more commercial friendly than GNU... well, that is certainly true on a relative scale. I even argue the point myself sometimes... but we are in total agreement that GPL does not particularly handcuff commercial interests. Most commercial interests can use GPL'd code just as easily as they can use BSD code without having to worry about the copyright.

In regards to forcing more open standards, my opinion... and keep in mind that this is just my opinion, is that a BSD style license has as great an impact on pushing commercial interests to use open standards as the GPL does, it just goes about it in a different way. You have to ask the question: Why would a company use open source in the first place versus building it themselves? The answer is usually because they don't want to spend the resources building it themselves. Well, just because a company can hide modified BSD code does not mean they are now suddenly willing to spend an enormous amount of resources making fundamental changes to said code when they weren't willing to write the program from scratch in the first place! The same reasoning applies, which is why you see a company like Microsoft 'steal' Kerberos but then use it almost verbatim, despite having tens of billions of dollars of cash lying around that could easily fund a complete replacement (hmmm... of course, finding sufficient talent might not be so easy even with billions of dollars, eh?). Kerberos forced MS to go 95% of the way to an open-source solution, which is better than the 0% we would have gotten if Kerberos had been GPL'd. And now that MS has done it, they have to support it. Look at TCP/IP - Microsoft is being forced to essentially throw away a decade's worth of proprietary networking protocols and use an open standard, and the GPL has nothing to do with the reason why. LDAP, DBMS, etc etc etc... they all have similar effects and as much as MS tries to proprietize them, the simple truth is that they fail much more often than they succeed. Even when they succeed it is usually by playing dirty tricks (like intentionally degrading MP3 audio in their player to force people to use their own formats) and has little to do with copyrights.

My personal favorite is BSD, for the reasons above and because I don't really care if someone makes money off my code -- I am under no illusion that I can stop people from abusing my code no matter the copyright so I might as well not worry about it. More power to them I say! I get what I want, they get what they want. Everyone is happy. But, hey, that's just my personal preference and it certainly does not prevent me from pushing into conversations on linux-mm and other Linux groups from time to time, nor does it prevent me from using or contributing to GPL'd code, or writing it (I wrote one of the original replacements for Vixie cron under Linux, called dcron!). I like Linux too, but there are only 24 hours in the day and I need at least a few to sleep!

Those of us associated with the BSD project know that Linux pushes our cause as much as it pushes its own. Open source is open source, after all, and Linux is essentially UNIX no matter what the fringe elements say - open source projects compile up (natively) on FreeBSD as easily as they do on Linux and we have our Linux emulation for binary-only distributions! KDE?, GNOME?, Samba? yup... got all that, and a spiffy cool ports system that makes them easy to build and install too! Linux has the moment, and the momentum in the press, but it certainly isn't pulling developers away from the other BSD projects. Everything is growing together in the open-source movement. I see no reason to try to split the world's attention and neither do most other BSD focused developers. We all win either way and that, perhaps, is one reason why we don't speak up as much as we could. Linus speaks for us too!

-Matt
From: deivu@tomigaya.shibuya.tokyo.jp (David Moles)
To: letters@lwn.net
Subject: Nine reasons
Date: Thu, 14 Jun 2001 04:47:15 +0900 (JST)
Cc: bhenning@aboutlinux.com, david_coursey@zdnet.com

Dear editors:

David Coursey set a trap ('Want Linux on your desktop? Nine reasons to forget about it' http://www.zdnet.com/anchordesk/stories/story/0,10738,2773365,00.html) and I'm afraid Bill Henning fell right into it ('Linux Myths and Mythconceptions 101' http://aboutlinux.com/art_linmyth101_a.html). We in the Linux community have still not learned to separate advocacy from observation and accuracy from wishful thinking. Mr Coursey's article is not always a model of clear reasoning, but Mr Henning's response will do little more than to strengthen Mr Coursey's opinions on Linux 'zealotry'.

The first point Mr Coursey makes in his editorial is a bit convoluted but comes down to saying that Linux is not ready for the desktop and until it is ready for the desktop there'll be no financial incentive for companies to *make* it ready for the desktop. Mr Henning's response is to say that Linux *is* ready for the desktop, and this demonstrates that financial incentive isn't necessary to make it so. While I think in the long run Mr Henning's second assertion -- that good software can be developed outside of corporate labs -- will prove to be correct, I have to disagree with his first. Not so much because Gnome and KDE aren't good user environments -- they are, or at least can be configured to be (see the Sun usability tests at http://developer.gnome.org/projects/gup/usabilitytests.html ) -- but because Mr Coursey is dead right about the applications. The examples Mr Henning cites are telling: WordPerfect Office, StarOffice, Kylix. (I confess to being unsure which AppGen he's talking about.) Every one of those came out of a corporate lab; and Kylix is a developer's tool, not a desktop application. WordPerfect Office and StarOffice are both missing crucial features for hard-core office users (MS Word's outline mode is the one that's kept me tied to MS for ten years now) and have compatibility and ease-of-use issues (font handling and printing, for instance) as well. 'Almost-as-good-as-MS' is not going to put Linux on the desktop of anyone but us 'zealots'. (That said, I have high hopes for StarOffice's GPLed successor OpenOffice -- by some time in 2003 or 2004 it might be quite nice.)

Mr Coursey also makes the point that if Linux is enough of a threat to MS that it will spur MS to try harder to make their customers happy, making it even more difficult for Linux to catch up. Mr Henning's response is to claim that MS is more likely to make their customers even unhappier than to make them happy. I think this is going to turn out to be wishful thinking. I don't like the idea of software rental, closed audio standards, hardware-locked licenses, or appropriation of my email copyright any more than Mr Henning does. However, with the exception of the last -- which, as Mr Henning admits, MS has already given up on -- I don't think the average desktop user cares about the first three at all. Hardware-locked licenses aren't a problem to someone (be they an individual or a company) who replaces machines every three years and buys a complete new set of software with each new machine. Closed audio standards aren't a problem if you're only sharing audio with other MS users. And software rental is not that far from the situation MS users are already in -- paying $200 every 18 months for a basically unavoidable MS Office upgrade.

Many of Mr Coursey's other points are, as Mr Henning says, not really relevant. Mr Coursey's point about the threat of Linux becoming Balkanized, however, is something the Linux community is going to have to work hard to avoid. We'd better hope that the major Linux vendors (and other interested parties such as Ximian) take Mr Henning's 'Solution #3' -- the Linux Standards Base -- seriously. His other solutions are not promising. RPMs still can't always be relied on cross-distribution without the occasional '--nodeps' or '--replacefiles' ('cross your fingers and hope it doesn't break anything'), and './make; ./configure; ./install' is hardly worth laughing at. This is the *desktop market* we're talking about.

Which comes back around to Mr Coursey's main point -- that Linux is not, so far, ready for the desktop. It is still too complex for anyone but a power user -- and a power user who's willing to take the time to learn its ins and outs. (I know professional programmers with years not only of Windows background but Solaris as well who have given up on getting Linux to work with their hardware.) The desktop applications are not up to snuff and not well integrated with the desktop environments. And we have yet to see whether the free software model (or open-source model if you prefer) can produce complex applications that address all the needs of non-technical users. I still have hope that some day Linux will get to that point, but it isn't there yet.

--David Moles

P.S. I suppose there is one rather depressing 'bright side' for Linux -- which is that Windows, with a consistently inferior user experience, has nonetheless been able to stay far ahead of the Macintosh among desktop users. Perhaps the Linux community can learn something from Windows' 'success'.