Other LWN stuff:
 Daily Updates
 Calendar
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Archives/search
 Use LWN headlines
 Advertise here
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- Gaël Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials

Remember the Halloween memo? The Halloween memo, remember, was an internal Microsoft document that was leaked to Eric Raymond right about on Halloween, 1998. It was a look at open source software as a competitive threat to Microsoft, and it was, in a way, the first externally-visible sign that Microsoft was getting worried. It was a big deal at the time; there was much curiosity about how Microsoft would react to Linux and free software. The Halloween memo seemed to give some answers to that question; as was stated in Salon:

Still, the approach [author Vinod] Valloppillil outlines is consonant with Microsoft's previous behavior. Don't be surprised if the strategies he outlines play out in the headlines over the next two or three years.

Well, it is three years later, and, thus, a good time to look back and see how things have really gone. Here is a retrospective on some of the Halloween highlights.

One of the first conclusions made in the document was:

Commercial software development processes are hallmarked by organization around economic goals. However, since money is often not the (primary) motivation behind Open Source Software, understanding the nature of the threat posed requires a deep understanding of the process and motivation of Open Source development teams. In other words, to understand how to compete against OSS, we must target a process rather than a company.

That observation certainly remains true. Much more open source work is done with a commercial motivation these days, but the process, at its best, remains. Open source software can not be killed off by destroying companies.

Here's an interesting claim that nobody really challened back in 1998:

Like commercial software, the most viable single OSS project in many categories will, in the long run, kill competitive OSS projects and `acquire' their IQ assets. For example, Linux is killing BSD Unix and has absorbed most of its core ideas (as well as ideas in the commercial UNIXes). This feature confers huge first mover advantages to a particular project

Offhand, we would guess that users and developers of the BSD variants would take exception to the claim that Linux is "killing" them. KDE's "first mover" advantage has not kept GNOME from picking up large-scale developer and company support. It is, in fact, quite rare than one open source project "kills" another. There is indeed competition between projects, but it takes a different form.

Here's a fundamental conclusion of the document:

Loosely applied to the vernacular of the software industry, a product/process is long-term credible if FUD tactics can not be used to combat it. OSS is Long-Term Credible. OSS systems are considered credible because the source code is available from potentially millions of places and individuals.

In other words, free software, unlike the proprietary variety, does not simply disappear if things go wrong. There is no better example than the recent Nautilus release; the company that created Nautilus is gone, but the software remains and continues to improve. HP's OpenMail vanished when the company ceased to support it; sendmail is (unfortunately, some might say) here forever.

Microsoft has indeed found that FUD (fear, uncertainty, and doubt) attacks against Linux tend to be ineffective. At their best, they are laughable; at their worst, they make up a task list of things for Linux developers to quickly address - the Mindcraft report, for example, worked in this way. The company seemed to hold out a bit more hope for FUD attacks against free software licenses, but those, too, have subsided recently.

On project management:

The biggest roadblock for OSS projects is dealing with exponential growth of management costs as a project is scaled up in terms of rate of innovation and size. This implies a limit to the rate at which an OSS project can innovate.

Some free software projects are huge - think KDE, GNOME, Mozilla, OpenOffice, or the kernel. Certainly some of those projects have shown management problems at times - for example, the "Linus burnout" episodes in 2.1 kernel development. There are two things to keep in mind, though:

• Proprietary software projects are not exactly famous for their lack of management problems, and
• The problems encountered by free software projects tend to get worked out over time.

Is free software future credible?

A very sublime problem which will affect full scale consumer adoption of OSS projects is the lack of strategic direction in the OSS development cycle. While incremental improvement of the current bag of features in an OSS product is very credible, future features have no organizational commitment to guarantee their development.

Proclamations from open source developers on future features may or may not be credible - think about Linus's "2.5.x looks like it will open in a week or two" comment from last June. That may be part of why open source developers tend to be reluctant to make promises about what will come. They tend to let the code speak for itself in its current state.

One could argue that future features in open source code could be more credible, not less. Features in Microsoft code are hidden from public view until they spring, fully developed, from the head of Bill. Until a product is released, nobody really knows how development is progressing. Those interested in how a free software development is coming along can look at the code, run a development version, and see exactly where things stand.

What does it mean for the Linux community to "sign up" to help build the Corporate Digital Nervous System? How can Linux guarantee backward compatibility with apps written to previous API's? Who do you sue if the next version of Linux breaks some commitment? How does Linux make a strategic alliance with some other entity?

Hmm...one hears a lot less about digital nervous systems these days... And who, exactly, do you sue if Microsoft breaks a commitment?

There were few answers to the last question above at the time, but now the answer appears obvious. "Some other entity" can make a "strategic alliance" with a free software project by joining in the development process. Thus, for example, a number of distributors have built "strategic alliances" with the kernel developers - by employing them.

The memo concluded that Linux was unlikely to be a threat on the desktop. There were a few reasons for that; first:

OSS development process are far better at solving individual component issues than they are at solving integrative scenarios such as end-to-end ease of use.

Three years later, there is perhaps some truth to that. The desktop projects are getting a better handle on integration and ease of use, however. Detailed user testing, for example, has begun to be a part of their process, though they could do more.

Switching desktops is hard and a challenger must be able to prove a significant marginal advantage. Linux's process is more focused on second-mover advantages (e.g. copying what's been proven to work) and is therefore unlikely to provide the first-mover advantage necessary to provide switching impetus.

For the purposes of most desktop users, this claim is probably true. Reproducing what is available on a Microsoft desktop will win some users, but it is not enough. It may yet turn out, however, that Microsoft's licensing will provide that impetus to switch.

Ease of use must be engineered from the ground up. Linux's hacker orientation will never provide the ease-of-use requirements of the average desktop user.

The desktop projects are being engineered from the ground up. It remains true that ease of use is not always at the top of many hackers' priorities, however.

So, how was Microsoft to beat Linux?

Fold extended functionality into commodity protocols / services and create new protocols. Linux's homebase is currently commodity network and server infrastructure. By folding extended functionality (e.g. Storage+ in file systems, DAV/POD for networking) into today's commodity services, we raise the bar & change the rules of the game.

This was the core of the document's strategy: move toward proprietary protocols and services. The antitrust trial may have slowed this process down, but it's happening: .NET and HailStorm provide ample evidence. The world, however, is increasingly suspicious of proprietary protocols, and this will still prove to be a hard battle. In three years, Microsoft has not gotten too far with it.

The document took a look at Mozilla, predicting that it would continue to drop behind Internet Explorer. Much controversy came from the document's use of declining traffic on the Mozilla lists as evidence that development was slowing. Mozilla-general went from 1862 postings in April, 1998 to 687 in June. Mozilla-ui went from 285 to 76. For the curious, Mozilla-general seems to have bottomed out with 211 messages in October, 1999; it carried 1451 postings in September, 2001. Mozilla-ui carried 243 messages, and appears to be headed toward double that in October.

In other words, three years later, Mozilla is alive and well, and reaching the point where it can do numerous interesting and novel things. While IE development has slowed, Mozilla has picked up. For many, Mozilla or its derivatives (Galeon, Skipstone, etc.) are the browser of choice. Mozilla and IE have not yet come to a real "battle;" it will be interesting to see what comes out when that happens. But it's clear that Mozilla will be there for that battle.

Heading toward a conclusion, the report asked how Microsoft could "capture" the benefits of open source development. The recommendations included putting more source out there, something that Microsoft is experimenting with in its "shared source" program. Also included were a number of internal changes - radical things like giving the Excel team access to the Windows source. It is, of course, harder to know if such changes have happened within the company. Then, of course, there was the famous recommendation:

OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.

Microsoft has certainly made efforts in this area, and will continue to do so. Most of the important protocols remain free, however, for now. How that will play out in the future remains to be seen.

The report concluded with a list of "interesting links," one of which was LWN.net. Three years later, we're still trying to be interesting...

Penguin Gallery Update. The LWN Penguin Gallery has been updated again. Head penguin wrangler Dennis Tenney reports:

Today's update added eight penguins. Two of the penguins are from a really nice collection of desktop backgrounds from the German magazine C't, at http://www.heise.de/ct/motive/. This site would be worth a mention on the desktop page, if we had one.

Inside this LWN.net weekly edition:

• Security: 2.2 kernel updates, the ANX secure network, openssh, squid, and uucp updates.
• Kernel: Kernel page on vacation. Expect a final 2.2.20 soon.
• Distributions: Caldera Openlinux 64 Release 3.1 for Itanium; SuSE 7.3 ships.
• Development: Netscape 6.2, scary Ghostscript install, OSDN Printing Summit, Gnumeric 0.72, TinyCOBOL 0.55, Erlang R8B, OpenMCL 0.8.
• Commerce: SuSE Linux Announces Distribution Agreement For IBM Software on Linux; Red Hat Embedded Linux Developer Suite Now Available.
• History: Linux 2.2 - almost; Burn all GIFs day; Python embraces Zope Corp.
• Letters: ZDNet mining Gartner?; Booting emacs; DMCA and censorship.

This Week's LWN was brought to you by:

• Jonathan Corbet, Executive Editor

See also: last week's Security page.

Security

News and Editorials

An ultra-secure network that actually works. O'Reilly's Andy Oram looks at ANX, a secure network that uses internet protocols over leased lines as a solution to government security problems.

Security Reports

Mandrake 2.2 kernel security update. MandrakeSoft has issued a security update to its 2.2 kernel: Mandrake (October 26, 2001) It fixes the recent security bugs there. (Mandrake's 2.4 kernel was updated a couple of weeks ago).

SuSE security update to the kernel. Here is SuSE's kernel update: SuSE (October 26, 2001) It fixes the recently-found security problems there. As always with kernel updates, read the instructions carefully - it's a relatively complicated upgrade.

Updates

OpenSSH restricted host vulnerability. Versions of OpenSSH prior to 2.9.9 have a vulnerability that can allow logins from hosts which have been explicitly denied access. The fix is to upgrade to OpenSSH 2.9.9. This problem first appeared in  the October 4 LWN security page.

This week's updates:

• SuSE (December 6, 2001)
• SuSE (December 3, 2001)
• Conectiva (October 24, 2001)
• Immunix (October 17, 2001)
• Mandrake (October 16, 2001)
• Red Hat (October 19, 2001) (Adds support for version 7.2).
• Red Hat (October 9, 2001)
• Trustix (October 17, 2001)

This week's updates:

• SuSE (October 30, 2001)

Previous updates:

• Red Hat (October 16, 2001) (adds an updated package for 7.2).
• Yellow Dog (July 25, 2001)
• Caldera (August 9)
• Linux-Mandrake (August 2)
• Immunix (July 26)
• Trustix (July 26)
• Red Hat (July 26)

New updates:

• Debian (February 8, 2002) (update to the original advisory issued September 24, 2001.)

• Caldera (September 7, 2001)
• Conectiva (September 11, 2001)
• Debian (September 24, 2001)
• Mandrake (September 21, 2001)
• Progeny (October 5, 2001)
• SuSE (October 31, 2001)

Events

Upcoming Security Events.

Date	Event	Location
November 5 - 8, 2001	8th ACM Conference on Computer and Communication Security(CCS-8)	Philadelphia, PA, USA
November 13 - 15, 2001	International Conference on Information and Communications Security(ICICS 2001)	Xian, China
November 19 - 22, 2001	Black Hat Briefings	Amsterdam
November 21 - 23, 2001	International Information Warfare Symposium	AAL, Lucerne, Swizerland.
November 24 - 30, 2001	Computer Security Mexico	Mexico City
November 29 - 30, 2001	International Cryptography Institute	Washington, DC
December 2 - 7, 2001	Lisa 2001 15th Systems Administration Conference	San Diego, CA.
December 5 - 6, 2001	InfoSecurity Conference & Exhibition	Jacob K. Javits Center, New York, NY.
December 10 - 14, 2001	Annual Computer Security Applications Conference	New Orleans, LA

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Forrest Cook

LWN Resources


Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

See also: last week's Kernel page.

Kernel development

The current kernel release is still 2.4.13. At the beginning of the week Linus released prepatch 2.4.14-pre1 - sort of. Instead of a changelog, however, there was only a warning not to use it unless you apply a little patch - "I uploaded an old diff, and since it's 4:30 AM I'm too tired to generate the correct one." A look at the patch shows a bunch of ACPI updates, various driver tweaks (parallel port in particular), and some memory management changes. Dave Jones put up a quick changelog on KernelNewbies which was incorporated into the official changelog.

Fixes and merges from the "ac" tree became part of pre2 and Alan merged the 2.4.13 stable release into 2.4.13-ac1. The ac2 patch added another set of relatively obscure fixes. Additional fixes and updates were released, ending the week with Alan's "ac" branch at 2.4.13-ac5 and Linus' prepatch series at 2.4.14-pre6.

The current stable kernel release is 2.2.19. Alan Cox has released 2.2.20pre12. These are the final pieces, he says. Expect version 2.2.20 to be released this weekend.

Section Editor: Rebecca Sobol

For other kernel news, see:

• Kernel traffic
• Kernel Newsflash
• Kernel Trap
• 2.5 Status

Other resources:

• L-K mailing list FAQ
• Linux-MM
• Linux Scalability Effort
• Kernel Newbies
• Linux Device Drivers

See also: last week's Distributions page.

Note: The list of Linux distributions has moved to its own page.

Distributions

Distribution News

Caldera Presents Openlinux 64 Release 3.1 for Intel Itanium Processor-Based Systems. Caldera International, Inc. announced the availability of OpenLinux(R)64 Release 3.1.

Debian. The Debian Weekly News for October 30th, 2001 includes MPEG in a Console; the next Debian conference; some feedback from RMS; and more.

More news can be found in the latest edition (#112) of Kernel Cousin Debian Hurd. Topics include: Paving The Way For Diskless Hurd, Video Memory Access From OSKit-mach, and much more.

Mandrake Linux Community Newsletter - Issue #17. The Mandrake Linux Community Newsletter for October 30, 2001 covers the availability of Mandrake Linux 8.1 boxes, as well as ML 8.1 for Itanium, a possible ML 8.1 Gamers Edition, and much more.

Slackware. Slackware fans may be interested in knowing that SlackPack v0.2.1 and v0.2.1a were released this week. Version 0.2.1 includes major feature enhancements. Version 0.2.1a is a minor bugfix release.

SuSE Linux. SuSE Linux 7.3 now shipping! Look for the latest version of SuSE in retail outlets. See below for a review of SuSE Linux 7.3 Professional.

Minor Distribution updates

2-Disk Xwindow System . The 2-Disk Xwindow System made some minor feature enhancements to its 1.0rc050 version, and released v1.0 on October 25, 2001. This product has some licensing restrictions, but is free for use.

Astaro Security Linux. Astaro Security Linux released version 2.014 on October 30. Bugs in the HTTP Proxy ActiveX Filter were squashed. Also problems with icon display in the HTTP Proxy FTP utility were fixed.

Redmond Linux. Redmond Linux build 41b has been released.

Sorcerer GNU Linux. Sorcerer GNU Linux v.20011026 has the 2.4.13 kernel. With version 20011030, the menu driven installer supports installing SGL onto ext2, reiserfs, and now ext3 filesystems.

Trustix Secure Linux. The TSL team is running a survey to find out how people are using TSL. So help them out, and help yourself to a better TSL by taking a minute to fill it out.

Distribution Reviews

Mandrake Linux 8.1 Reviewed (Linux.com). Linux.com takes a look at Mandrake Linux 8.1. "Among some of the new installation options is the choice of several new file systems during disk partitioning. ReiserFS, ext3 and JFS are all easily implemented during installation. These new file systems provide incredible stability and security with almost no data fragmentation. Users are also given the option to install several different languages in addition to his or her primary language."

SuSE Linux Professional 7.3 Review (FirstLinux). FirstLinux takes a look at SuSE Linux Professional 7.3. "SuSE Linux Professional 7.3 is an excellent distribution and comes with our strongest recommendation for anyone who has ever installed Linux before. As the Professional edition has so much software, a Linux newbie may feel overwhelmed by the choice on offer; for this reason we recommend that a Linux beginner try the Personal edition first."

Section Editor: Rebecca Sobol

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

See also: last week's Development page.

Development projects

News and Editorials

Netscape 6.2 released. This week saw the release of Netscape 6.2, the third release based on Mozilla. The release notes list a number of new features.

Features that affect the Linux version include improved auto-completion, improved downloading, with the ability to handle more file types, and a new address book tab for quicker access to addresses.

Netscape 6.2 may be downloaded here.

Databases

XML and Databases? Follow Your Nose (O'Reilly). Leigh Dodds talks about XML database issues and opinions from the XML-DEV community in an article on O'Reilly's XML.com.

Education

SEUL/Edu report #56. The October 29, 2001 edition of the SEUL/Edu Linux in Education report is out. Topics include looking at word processor fonts, patent problems with UK wireless attendance programs, the Nepalese Ganesha's Project, a French course writing system called Logidèe-tools, and more.

Electronics

gerbv 0.0.4 released. A new version of gerbv, the Gerber file Viewer, is available. Gerbv allows printed circuit CAD/CAM files to be viewed. This release features support for the broken Gerber files generated by EagleCad, and adds some minor code changes.

Embedded Systems

Embedded Linux Newsletter (LinuxDevices). The LinuxDevices.com Embedded Linux Newsletter for October 25 is out, with the usual roundup of news from the embedded Linux community.

This week also marks the second anniversary of the LinuxDevices site, a lot has happened in the embedded linux arena in the last two years.

Printing Systems

Ghostscript installation truly terrifying. The Ghostscript site mentions the truly scary experience that one user had when installing Ghostscript. Of course, what testimonial is complete without an accompanying cartoon.

Notes from the OSDN Printing Summit 2001. Grant Taylor from LinuxPrinting.org is attending the OSDN Printing Summit 2001, and has written some notes on the conference. The summit is covering all kinds of current open-source printing issues. "Ben then launched into a presentation of admin issues. He led in with an apalling 40% stat for administrator time spent on printers."

Web-site Development

Zope 2.5 alpha 2 released. The 2.5 alpha 2 version of Zope has been released. The Zope 2.5 change list includes one bug fix for the alpha 2 release and a much longer list of features and squashed bugs for the alpha 1 release.

The latest Zope Members News. This week's News from the Zope members contains discussions on Using non-ascii character sets with Structured Text, Zope 2.5.0 alpha 2, ZBabel 2.0.0 beta 2, zQuest 1.1.0 beta 1, XMLKit, and more.

Notes from the first ObjectWeb conference. Stefane Fermigier has sent us his notes from the first ObjectWeb conference. (in French)

Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

Desktop Development

Browsers

Mozilla adds a Calendar project. OEone Corporation has donated some pieces of their calendar system to the Mozilla project.

The latest projects from Mozdev. The latest Mozdev projects include the new projects pIXPCOM and Optimoz and updates for Jslib, Rpgtools, and Abimoz.

Galeon 0.12.6 available. Following on the heels of last week's 0.12.5 release, Galeon 0.12.6 is now available. This version is the first release candidate leading up to Galeon 1.0 and it includes a few new bug fixes.

Desktop Environments

Gdk-pixbuf updates. Two new releases of Gdk-pixbuf have been released this week. The Wensleydale 0.12.0 release, with some missing functionality for the BMP and ICO loaders. Wensleydale was quickly followed by the Roquefort 0.13.0 release, which featured a fix for a "really stupid bug" in the ICO loader. The Venezuelan Beaver Cheese release can't be too far off.

GNOME Summary for October 26, 2001. The latest Gnome Summary looks at accessibility, GNOME-LOVE, the Control Center 2.0 port, Guppi 0.40, the Unofficial GNOME I18N Development Guidelines, and more.

South African language translation effort for KDE. Dwayne Bailey sent us an announcement for a project that aims to add support for eleven South African languages to KDE and other open source projects.

gtkmm-1.3 alpha released. Gtkmm-1.3, the "first unstable alpha of the gtkmm C++ language binding for GTK+2.0" has been released.

Games

Civil v0.50 released. Version 0.50 of Civil is available. Civil is "a cross-platform, real-time, networked strategy game, developed using Python, PyGame and SDL--allowing players to take part in scenarios set during the American Civil war".

GUI Packages

FLTK News. The latest releases from the FLTK (Fast Light ToolKit) project include FLTK 1.1.0b4, Fl_SevenSeg 1.0, and HTMLDOC 1.8.15.

Graphics

Gimp-Print 4.1.99-b4 released. Gimp-Print version 4.1.99-b4 has been released. This release requires Gimp 1.2 and includes improved performance for existing printers and support for some new printers.

Office Applications

Gnumeric 0.72 released. Gnumeric 0.72, aka 'squish', has been released. "This is a bug fix release. All reproducible crashes and redraw errors have now been fixed." Also included is the ability to reference named expressions in other sheets and books.

AbiWord Weekly News for October 30, 2001. The October 30, 2001 edition of the AbiWord Weekly News is available with the latest status from the AbiWord project.

Miscellaneous

This week in DotGNU. This Week In DotGNU for October 26 is out. Covered topics include the Portable.NET 0.2.0 release, the competition between virtual identity projects, and more.

Programming Languages

Caml

Caml Weekly News for October 30, 2001. The October 30, 2001 edition of the Caml Weekly News is out. Covered topics include the Ocaml 3.0.4 alpha MinGW port, the Caml Consortium, otags 2.0, and a search for a new CWN editor.

COBOL

TinyCOBOL version 0.55 released. A new version of TinyCOBOL has been released. Downloads and release notes are available here.

Erlang

Erlang Release 8B. A new release of Erlang, version 8B, has been released. The release highlights indicate improvements in the capabilities of Erlang on high end systems with better multi-threaded I/O, memory handling, and disk and memory based tables. This version now supports native compilation on Solaris and Linux x86. Online documentation has also been improved, in addition to many other things.

Erlsnoop 1.0 released. Gordon Beaton has released Erlsnoop 1.0, a utility for sniffing Erlang messages on a local network.

Haskell

HaXml. David Mertz looks at XML processing with HaXml on IBM's developerWorks. "Consider Haskell in lieu of DOM, SAX, or XSLT for processing XML data. The library HaXml creates representations of XML documents as native recursive data structures in the functional language Haskell. HaXml brings with it a set of powerful higher order functions for operating on these 'datafied' XML documents. Many of the HaXml techniques are far more elegant, compact, and powerful than the ones found in familiar techniques like DOM, SAX, or XSLT."

Java

XML Data Binding with Castor (O'Reilly). Dion Almaer looks at Castor, an open-source data binding framework for Java. "In this article, we will walk through marshalling data to and from XML, using a XML data-binding API. The first question is, why? Why not use SAX or DOM? Personally, when I sit down to work with XML, I get frustrated with the amount of code that you need to write to do simple things."

Java 2 gets a new focus subsystem (IBM developerWorks). Bertrand Portier examines JDK 1.4 from the Java 2 platform.

Lisp

OpenMCL 0.8 released. Version 0.8 of OpenMCL has been released. This version improves support for the PPC architecture, and adds some bug fixes and performance improvements.

Perl

Providing Feedback to Module Authors (use Perl). Use Perl mentions a news posting from Jonathan Stowe that discusses improving user feedback to authors of Perl modules: "The basic premise is that all of us who use modules from CPAN should at least once in a while provide some feedback to the authors of those modules. I don't think that the authors do what they do for adulation and praise, but I do think they are interested in what people think of there creations and what the use them for."

Apache::Emulator (use Perl). Mwetters has written a Perl module that emulates the Apache request object from CGI. The code looks to be useful for debugging CGI scripts.

Perl 5 Porters for October 21, 2001. Better late than never, the October 21, 2001 edition of Perl 5 Porters is now available. This edition talks about a Perl 5.8.0 TODO list, Sean M. Burke's POD documentation rewrite efforts, Taint issues, AUTOLOAD and packages, B::Parrot, and more.

Perl 6 Porters for October 13, 2001. Also better late than never, the October 13, 2001 Perl 6 Porters came out this week. Topics include NaN (Not a Number) issues, Numerical Strings, hyperoperator ( ^ ) reduction, and Parrot Magic Cookies.

PHP

PHP Weekly News for October 29, 2001. The October 29, 2001 edition of the PHP Weekly Summary is out. Issues this week are bugs with trans-sid, ob_* and $_POST, discussions of extensions and static libraries, SMTP and mail(), and more.

Python

Noisy Python (O'Reilly). Stephen Figgins looks at some Python based sound apps on O'Reilly's OnLamp site. Solfege, Snack, MusicKit, and PyGame are examined.

Preview of the [anygui] project (IBM developerWorks). David Mertz examines the Anygui project. "A very interesting project in the Python world has entered early development. The [anygui] project is intended as a wrapper API for a large number of underlying graphic toolkits. Once fully developed, a Python programmer will be able to call a common [anygui] function -- for example, to create a window -- then have the 'best available' toolkit do the work."

Daily Python-URL items. The latest from the Daily Python-URL includes a look at Asmo for processing XML, an updated draft of Andrew Kuchling's What's New in Python 2.2 document, dbdoc, "A simple Python API for inspecting database schemas to generate documentation.", and " From Logo to Python in Two Decades", an article from Warren Keuffel.

Ruby

An Introduction to Ruby (O'Reilly). Colin Steele introduces Ruby on O'Reilly's Linux Devcenter. "I can already hear you grumbling, 'Oh, great, another language.' Why should you care? You're already up to your elbows in technologies to learn, right? Well, call your significant other and tell him or her you're going to be late tonight. And go get another Jolt. You're going to be hooked on Ruby for the simple reason that Ruby makes programming fun again (and that's what really counts)."

The Ruby Garden. This week, The Ruby Garden features articles about SqlRelay for tweaking databases, the attr_initializer shortcut for def initialize(...), Double Dispatching vs Clumsy Coercing, an event-based Ruby parser called Ripper, and more.

Tcl/Tk

Tcl-URL for October 29, 2001. The latest edition of the Tcl-URL contains articles on floating point representations, exec tricks, program launchers, WIMP bindings, dealing with window managers, and more.

XML

The Selfish Tag (O'Reilly). Ed Dumbill discusses evolving XML standards on O'Reilly's XML.com site: "The current received wisdom has corrupted the desirability of open standards into the notion that the developer is helpless and must wait for standards to emerge before progressing. In fact much criticism of XML is based on this misconception, that somehow if you choose to use XML 1.0 you're immediately beholden to anything that emerges from W3C, OASIS, or others."

Miscellaneous

Solaris-to-Linux porting guide (IBM developerWorks). Malcom Zung and Brian Thomson cover the issues involved in porting Solaris applications to Linux. "Linux source code is freely available. Any developer who has struggled with debugging a problem that involves someone else's proprietary code knows how much easier it is when you can actually see for yourself what that code is doing. And if you find a problem there or want a feature added, you can modify Linux, provided you follow the provisions of the GNU General Public License. You aren't forced to wait for an operating system supplier to work on your problem for you. This isn't just a theoretical advantage."

Section Editor: Forrest Cook

See also: last week's Commerce page.

Linux and Business

SuSE Linux Announces Distribution Agreement For IBM Software on Linux. SuSE Linux announced an agreement with IBM to distribute IBM's entire line of software for Linux* in Europe, Middle East and Africa (EMEA) as a Value Added Linux Distributor (VALD).

Benchmark: Oracle on SuSE is Faster Than NT2000. A company called Fastcenter has released the result of a set of Oracle performance tests. It turns out that Oracle running on SuSE Linux Enterprise Server 7 is significantly faster than Oracle over Windows 2000 on the same hardware.

Red Hat Embedded Linux Developer Suite Now Available. Red Hat has announced its Red Hat Embedded Linux Developer Suite, based on Red Hat Linux 7.2.

Gatespace and Jungo announce residential gateway. Gatespace and Jungo have announced that they will be producing a "residential gateway" system based on Linux. It is envisioned that this system will provide services varying from "information / entertainment" to security and telemedicine.

Linux NetworX to Unveil Innovative ICE Box Cluster Hardware Appliance at SC2001 Trade Show. Linux NetworX will be showing off its new ICE Box 1500 showing off its new ICE Box 1500 cluster management hardware appliance at the SC2001.

Study on Open Source Software use in public administrations in Europe. The European Union's "Interchange of Data between Administrations" (IDA) agency has put up the results of a study on the use of open source software in European governments. The results take the form of four PDF files; they are a detailed look at the available software and how governments in each EU country are responding to free software. The abstract is also available in French. Worth a read. (Thanks to Stéfane Fermigier).

LPI News -October 2001. Here's the monthly newsletter from the Linux Professional Institute. This issue salutes Teresa Yuey - Volunteer of the Month; looks at where to get training for LPI certification; and much more.

Linux Stock Index for October 25 to October 31, 2001.
LSI at closing on October 25, 2001 ... 25.77
LSI at closing on October 31, 2001 ... 25.45

The high for the week was 26.36
The low for the week was 25.33

Press Releases:

Section Editor: Rebecca Sobol.

See also: last week's Linux in the news page.

Linux in the news

Recommended Reading

How Linux saved Amazon millions (News.com). A migration to a Linux-based technology platform has saved Amazon.com millions of dollars, according to the company's recent SEC filing. "Amazon's disclosure could provide hard data for Linux proponents who have long argued that the open-source software can save corporations money over the Microsoft alternative. A Microsoft representative, however, warned that short-term savings seen by Amazon could turn into a long-term increase in costs."

LinuxUser issue 15 - Smooth iron. LinuxUser is running an article, Smooth Iron, about Telia Net's move to Linux on a mainframe. Ten months later they find it saves big money. "Reliability was also important to Telia Net when searching for a replacement solution - any downtime on its hosting system meant a loss not only of money but also of reputation. 'We asked a lot of vendors, one of which was of course IBM, how to consolidate all of this, how to bring out the flexibility of Linux but with the very stable production platform underneath,' says Henrik Wulff Riedl, CFO of Telia Net. 'So that's why we came out of the discussions with IBM and decided to go with Linux running on the mainframe.'"

The Law and Open-Source Software (TechWeb). This article looks at open source licensing, and finds a few legal quagmires. "At one time, developers had to worry only about software dependencies and incompatibilities. Now they need to worry about license incompatibilities among open-source projects. For example, Mozilla includes four different licenses. Contributing to this project requires attention to license conflicts."

.comment: The Distribution We Need (LinuxPlanet). LinuxPlanet argues for the adoption of the NSA SELinux kernel by the distributors. "There having never been a reason for a wide-open box, and now there being greater reason than ever for a box that's really locked down, seems to me that there is wisdom in distributions working toward adoption of SELinux as the standard kernel or at minimum an option at install. Indeed, in many respects SELinux can be seen as a government grant to defeat Microsoft where it is weakest. It would be plain foolish for distributions not to avail themselves of the help."

Leaving SourceForge (Advogato). Advogato worries about the future of SourceForge. "Free software is robust and decentralized enough that I doubt the closing of SourceForge will have much long-term impact. If nothing else, it will result in a much needed 'garbage collection' of hopeless projects. All projects worth their salt will find a new home without much difficulty."

Quick release for new Linux kernel (ZDNet). ZDNet reports on the 2.4.13 release. "The quick pace of releases has some Linux users questioning their quality. Version 2.4.11 was released with a flaw major enough to warrant its replacement two days later, and 2.4.13 arrives less than two weeks after its predecessor."

Companies

IBM Roils Linux Waters (ComputerWorld). ComputerWorld sees IBM and Linux taking a bite out of Microsoft. "IBM's first Linux technology came in December 1998 from an unsanctioned effort by IBM programmers in Germany, who ported the Linux kernel to the System/390 (now the zSeries mainframe) in their spare time, according to Dan Frye, director of the IBM Linux Technology Center."

VA drops Linux name, boots out Kuro5hin (Register). The Register covers VA's proposed name change and adds that the company will drop Kuro5hin from OSDN. "K5's founder Rusty Foster told us there was "no fear" that the site would not continue. K5 is looking to adopt the classified advertising model that's proved pretty successful so far for the MetaFilter blog."

Business

Taking the Bazaars out of the Cathedral (Linux Journal). This article provides an economic analysis of open source software, examining some of the myths and realities of how to succeed in free software business. "Let's say, for argument's sake, that the software Goliath did succeed in convincing its government to ban open-source software. What would happen then? Not much. Such laws stop at a nation's borders, and in a world where most countries have yet to build an information infrastructure, this would quickly lead to incompatibility and balkanization. It is the software equivalent of economic protectionism--indeed, it is economic protectionism--the same kind that created disastrous economic conditions for the United States in the 1930s."

The coming 'open monopoly' in software (News.com). Here's a News.com opinion piece stating that the Microsoft monopoly will soon be replaced by an open source monopoly. "What is different, however, is that in an open-source monopoly the barriers to participation and influence will disappear. This will be a different kind of monopoly--an 'open monopoly'--from which no vendor can be excluded from participating, including the big companies now joining the open-source movement. They have much more to gain by breaking the existing monopoly and replacing it with the new open monopoly."

Reviews

The Lindows Conundrum (PC Magazine). John C. Dvorak takes a look at Lindows. "One reason I have high hopes for the Lindows OS is that there is a 20-person team working on it, not a 20,000-person team. Starting with the base Linux OS gave the Lindows team a nice head start, after which all the team had to do was translate Windows app-to-OS hooks. The open-source WINE project helped out there. But the Lindows team still must make its OS run the key versions of Microsoft Office. Once the Lindows team starts talking about running StarOffice applications, then you'll know the developers have failed." (Thanks to Peter Link)

Interviews

Interview with Sleepycat President and CEO, Michael Olson (Winterspeak.com). Michael Olson talks about Sleepycat Software, Berkeley DB, and how to make money selling free software. "Sleepycat Software was founded in 1996 to develop, maintain and support the open source Berkeley DB product. Our approach to business has been very different from that of many other software companies that started during the past several years. We've always been funded by our revenues, and have never taken any capital from outside investors. We've been profitable since inception."

KernelTrap Interviews Keith Owens. Another profile interview has been released at KernelTrap. This time it's a talk with Keith Owens about his contributions to Linux including work on XFS, kbuild 2.5, ksymoops, modutils and kdb. "JA: Can you offer more reflection on the 2.5 Kernel Developer's conference?

Keith Owens: Although the talks were useful, the biggest advantage was getting together around a whiteboard and arguing technical points. Email is fine up to a point but sooner or later you need a whiteboard. I find that local conferences are useful for the same reason, get a few kernel hackers together and you can sort out a lot of problems very quickly."

Miscellaneous

Humanity - the Bazaar Way of Making a Movie. The Humanity - The Movie project is aiming to make a movie by using techniques modeled after open-source software projects. "'Humanity' is a parody about humanity and modern life in particular. It tells the story of a Semitic city circa 500 B.C. through its elements: the Cathedral (actually a priest with an altar), the Bazaar, the Well, the Wall, the Gate, etc. There is a very interesting twist in the end."

Section Editor: Forrest Cook

See also: last week's Announcements page.

Announcements

Resources

New S/390 Linux documents. IBM has released several new documents concerning Linux on the S/390 mainframe: the Linux for S/390 FAQ, (PDF) and the Linux for S/390 and zSeries porting hints and tips document, which is in html.

Linux PDA reference guide (ZDNet). Rick Lehrbaum has put together a Linux PDA reference guide. More handheld linux devices keep popping up all the time.

Events

Mozilla Developer Day. November 9, 2001 will be the next Mozilla Developer Day at the Netscape campus in Mountain View, CA.

Australian Debian Conference. The Australian Debian Conference has been announced for February 4 to 5 in Brisbane, Australia. It will thus join onto linux.conf.au, which starts on the sixth.

Events: November 1, - December 27, 2001.

Date	Event	Location
November 1, 2001	LinuxWorld Germany	Frankfurt, Germany
November 5 - 10, 2001	Annual Linux Showcase(ALS)	(Oakland Marriott City Center)Oakland, California
November 6 - 10, 2001	Annual Linux Showcase and Conference	Oakland, CA
November 6 - 8, 2001	LinuxWorld Malaysia	Kuala Lumpur, Malaysia
November 6, 2001	Java Information Days, Europe	Paris
November 7, 2001	Java Information Days, Europe	Amsterdam
November 8, 2001	NLUUG Annual Autumn conference	De Reehorst, Ede, Netherlands
November 8 - 9, 2001	XFree86 Technical Conference	(Oakland Convention Center)Oakland, CA
November 8, 2001	Java Information Days, Europe	Frankfurt
November 8, 2001	Embedded Linux Expo & Conference	(Sheraton Reston Hotel)Reston, VA
November 9, 2001	Open Source in Banking and Finance(OSBAF)	(Baltimore Engineering Society)Baltimore, Maryland
November 9, 2001	Java Information Days, Europe	Zurich
November 10 - 16, 2001	SC2001	Denver, Colorado
November 10 - 16, 2001	Supercomputing 2001 conference(SC2001)	(Denver Convention Center)Denver, CO
November 12, 2001	Third Annual Beowulf Bash	Denver, Colorado
November 17, 2001	Lightweight Languages Workshop 2001(LL1)	(MIT Artificial Intelligence Lab)Cambridge MA
November 25, 2001	The Business of Open Source Software(BOSS)	(Ottawa Public Library)Ottawa Ontario, Canada
November 28 - 30, 2001	Linux-Kongress 2001	(University of Twente)Enschede, The Netherlands.
December 7 - 9, 2001	PLUTO MEETING 2001	Terni, Italy

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Section Editor: Forrest Cook.

Software Announcements

The Alphabetical List and Sorted by license

Our software announcements are provided courtesy of FreshMeat

See also: last week's Linux History page.

This week in Linux history

Three years ago (November 5, 1998 LWN): The first of the infamous Halloween memos from Microsoft was leaked to the public. See this week's front page for more details.

The Linux 2.2 kernel was poised for release, but the NFS implementation was known to be substandard. This problem has plagued Linux for a long time. That problem was finally corrected - two years later.

Matthew Szulik became President of Red Hat. That was the beginning of the change of guard, with the gradual departure of most of the Red Hat founders from the very top. Here's the current Red Hat Executive bios.

Red Hat 5.2 was announced. LWN's impressions of the release were mostly positive, but it contained so many security-related bugs and unnecessary setuid programs that Chris Evans set up a website just to track them and harass Red Hat to fix them. That website survived through the Red Hat 6.0 release and its subsequent series of updates, but now reports "no known issues".

The Debian 2.1 freeze began. Debian 2.1 was finally released four months later, in early March, 1999.

Supercomputing 1998 hosted Beowulf talks for the first time. This year SC 2001 begins on November 10, 2001 with the 3rd Annual Beowulf Bash on November 12th.

And, not to be forgotten, Worldforge, a project to develop a complete system for massive multiplayer on-line role-playing games, came into being. They celebrated their first birthday a year later.

Two years ago (November 4, 1999 LWN): The DeCSS source code was made publicly available. The repercussions from this are ongoing. The curtailment of free speech peaked with a federal judge ruling that linking to a site that contained the source code was also prohibited by the Digital Millennium Copyright Act. Things have not really improved on that front.

Last year, Don Marti and others organized Burn All GIFs day, an event planned to eliminate all GIFs on the Internet, in protest of the Unisys patent. Many GIFs went away, including some on the LWN site, but many, many more remain. Unisys has never tried to enforce its patent.

64GB memory on the IA-32 became a reality! Support for up to 64GB of memory slipped into the 2.3 kernel series, courtesy of Ingo Molnar. This removed an embarrassing limitation of the Linux kernel. Each individual process, though, can only use up to 4GB of virtual memory.

Red Hat announced the Red Hat Center for Open Source. Money for the new center was donated, in cash and stock, by Red Hat and three of the initial founders. The Red Hat Center has focused primarily on awarding grants for activities to entities such as the Electronic Frontier Foundation. While Red Hat's Bob Young and Marc Ewing remain on the current board, the renamed Center for the Public Domain is somewhat divorced from Red Hat.

Slackware 7.0 was announced. Patrick Volkerding also explained his decision to "join the crowd" and jump Slackware from 4.0 to 7.0.

The planned feature freeze for Debian 2.2 was postponed, finally occurring almost three months later, in January of 2000. The official release of Debian 2.2 happened eight months after that, in August this year.

LinuxDevices.com was launched. LinuxDevices celebrates with this 2001 Halloween Memo.

At the time when LinuxDevices.com was launched, the use of Linux as an embedded operating system was virtually unheard of. Lineo, MontaVista, and Zentropix (who all participated in the announcement of the site's launch) had barely announced themselves as sources of embeddable versions of Linux, and Embedded Linux hadn't yet arrived on the radar screens of embedded market analysts like VDC, IDC, and EDC.

In short, two years ago the "Embedded Linux Market" simply didn't exist.

One year ago (November 2, 2000 LWN): The Python team got out from under BeOpen's corporate umbrella and moved to Digital Creations. Digital Creations, now called Zope Corporation, has proved to be a good home for Python Labs. After all, Zope Corporation's premier product, Zope, is the Python-based, open source web application. Zope Corp. remains the sponsor of Python Labs, but with the move, a newly formed non-profit organization (the "Python Software Foundation") was also created to hold the copyrights to the core Python code.

Turbolinux Inc. filed for IPO, however they remain a privately held company.

The current development kernel release was 2.4.0-test10. A 2.4.0 kernel seemed as close then as a 2.5.0 kernel seems now.

A Princeton team cracked SDMI.

Q. Still, wouldn't it have been better for opponents of SDMI if you let SDMI go ahead and deploy a flawed technology, so music lovers could teach them a lesson by copying music despite the technology?

Of course not. This is scientific research: it is not our goal to engage in tactics such as tricking the industry into choosing a flawed system. Our goal is simply to analyze security systems and share our results openly with the scientific community.

Again, researchers who crack cryptosystems and security systems are not motivated by a desire to exploit these flaws later. They are merely subjecting systems to analysis, motivated instead by a desire to increase the existing body of knowledge about security systems.

Secondly, if the technology is cracked in deployment, rather than on the drawing board, everyone loses to some extent. The recording industry obviously, device manufacturers most certainly, but even opponents of SDMI. Even pirates! To an opponent of SDMI, even a broken, circumventable SDMI system is worse than no SDMI system at all.

Finally, see below. The DMCA may have prohibited analysis outside the challenge deadline. -- Princeton team FAQ

The first Progeny Linux Beta shipped.

Trolltech announced they were going to add GPL licensing to Qt/Embedded.

Section Editor: Rebecca Sobol.

LWN Linux Timelines
1998 In Review
1999 In Review
2000 In Review
2001 In Review

See also: last week's Letters page.

Letters to the editor

From:	 Paul Komarek <komarek@andrew.cmu.edu>
To:	 letters@lwn.net
Subject: Gartner and Linux
Date:	 Thu, 25 Oct 2001 01:19:12 -0400

I suppose that Gartner's tone probably depends on who is paying it for the
research.  I don't care to say anything about facts, if "facts" even exist
in modern computing.  The only times I've read nice things about GNU/Linux
from Gartner, the article was on ZDNet.  Maybe ZDNet is mining Gartner for
pro-GNU/Linux research, hoping to attract more page views. Just like when
Jesse Berst trolls for page views.  ;^)

-Paul Komarek

From:	 Eric Smith <eric@brouhaha.com>
To:	 letters@lwn.net
Subject: booting Emacs 21 directly
Date:	 25 Oct 2001 18:09:20 -0000

Gentlemen,

In your 25-October-2001 issue, you wrote "the rumor that one can now boot
directly into emacs from LILO or GRUB, and thus avoid the need for an
operating system entirely, proves to be unfounded."

Although I'm no longer doing it, in the late 1980s I routinely used emacs
as my login shell.  I found it to be quite practical on text-only
terminals, and could bring up a "normal" shell in an emacs buffer when
needed.

Sincerely,
Eric Smith

From:	 tom poe <tompoe@renonevada.net>
To:	 lwn@lwn.net
Subject: Alan's Going Too Far?
Date:	 Thu, 25 Oct 2001 20:34:01 -0700

Hello:  This from your front page of this week:

"Even so, one might be forgiven for wondering if Alan is taking things a 
little too far here. Censored changelogs will attract a bit of attention, but 
are unlikely to really change much. Besides, as readers of NTK know, the 
U.K.'s laws are not much better than those in the U.S. with regard to things 
like "circumvention devices." "

Much more appropriate, I think, would have you say, " Folks, get ready, 
because IT's COMING!.  AND, this is what IT looks like!"

What we need, I think, is an Open Source Summit, right now.  Linus, Alan, 
Larry Wall, whoever is heading BugTraq, and others to meet, discuss, and 
announce a period of time, a day, a week, a month, when everyone puts on 
their DMCA/SSSCA/EuroCopyright, hats and gives the world community a "TASTE" 
of the future!  I think Alan is RIGHT ON.  I'll betcha our friend, Eric 
Raymond, would think this is about the right time for something similar to be 
staged.  I agree wholeheartedly with Alan, and those who have had to make 
life-decisions as a result of legislative idiocy.  You saw the kind of crap 
M$ puts out with its XP, along with its double-digit patch, this week.  
Imagine how sloppy it will be, as he gains even more of a foothold in the 
future.  Everyone with a computer will be lined up to work one-on-one to 
bring their dossiers up-to-date before they'll be able to use their 
computers.  Weird.  Idiotic, and I have to stop, now.   Tom

From:	 Rip Linton <ripl@yahoo.com>
To:	 letters@lwn.net
Subject: DMCA Issues
Date:	 Thu, 25 Oct 2001 06:55:56 -0500

From your front page on Oct. 25, 2001:

"In the long run, if the Powers That Be are determined to
prevent the discussion of security vulnerabilities, they
will seek a way to block the exchange of the code as well."

As one who has read all 94 pages of the DMCA, I must be
missing something. No one has yet provided a reference to
the DMCA that supports the thought that discussion of
security vulnerabilities violates the DMCA. While I do not
like the DMCA, I think that this political statement, by
Allen Cox, can only hurt efforts to get Linux into the
mainstream.

The DMCA does not stop us from documenting bugs or security
problems. It only prevents us from publishing code that
bypasses the security of an "effective" security device.

That means that we can discuss the problems and faults of
something like CSS all we want. We just can not publish, in
any form, a program that bypasses CSS.

That, also, means that we can discuss the problems and
faults of the Adobe software. We can not publish, in any
form, a program that bypasses the copy protection built in
to the software.

In all of the DMCA cases, programs to bypass the security
features were published. The DeCSS issues revolved
around the release and publication of DeCSS code not the
discussion of the faults in the CSS software. Sklyarov was
arrested for a program that was offered for sale, not for
documenting or discussing the flaws in Adobe's software
protection.

In my opinion, DMCA would not come in to play with an open
source program exploit that only affected that software.
However, if Allen Cox feels that it does, all he has to do
is avoid publishing the code, in any form, that takes
advantage of that exploit.

From: "Andy Elvey" 
To: letters@lwn.net
Subject: Comments on the DMCA
Date: Fri, 26 Oct 2001 20:09:47 +1300

Hi al! !  

 I've just been reading your latest column - a **great** read , as always ! 

 I've been mulling over the DMCA and its possible impacts.  One of the
 things that got me thinking was your (very good) comment that the
 Stanford Checker people haven't (yet) got around to censoring their
 bug reports.

  I think there is an area that seems to have been *very much*
  overlooked by many people.  That is , the area of *safety* as it
  applies to software.   I think it would be quite possible for a
  software bug to have effects not only on security, but on **safety**
  as well.

    If a programmer discovers a serious bug that not only compromises
    *security* , but also *safety* as well (think nuclear power
    plants) , what does he now do (given the DMCA and all that ) ?
    And lets face it - **who now decides**  whether a bug is a
    security issue, a safety issue , or both?   I suggest that a
    programmer is in the best position to judge that , but the DMCA
    and similar laws seem to put the lawyers in the "deciding seat" ,
    as it were.   Mmmm .... not a great move, really ........ :-/ 

 I wonder if there will now be (at some time in the future)  a
 disaster which could have been prevented if the programmer had felt
 free to reveal a particular software bug ( **and** its fix ! ) .
 Who knows ?

  Anyway - just my two cents worth !  

  ( oh - btw - I would like my email address to be anti-spammed !  Thanks ! )

From:	 Matthew Miller <mattdm@mattdm.org>
To:	 matt@bluelinux.org
Subject: Common Linux Installer and Anaconda
Date:	 Thu, 25 Oct 2001 01:04:42 -0400
Cc:	 lwn@lwn.net

Hi! I read the bit about your Common Linux Installer Group project on LWN
with some interest. I'm the lead developer of Boston University Linux, which
is a Red Hat Linux-derived distribution. Our installer is a customized
version of Anaconda. I couldn't load the <http://clig.bluelinux.org/> page
from your original announcement, but I did read your response the LWN's
initial criticisms, and I have a few comments on those.

First, going through and changing Red Hat-specific messages and paths is
actually not as difficult as you make it seem -- took me about half an hour,
and that's including changing some of the help text. Second, and more
importantly, Anaconda actually *does* have a strong separation of
functionality and display. This is how they implement both text and X-based
install modes. Since the whole thing is written in object-oriented Python,
it already is very modular in design.

It's definitely easy to make changes like the "default-to-following-
dependencies" idea you suggest -- that's exactly the sort of change we make
for BU Linux. And, since the code is modular, I don't think it would be
unreasonably difficult to make even drastic changes like supporting
packaging systems other than RPM.

Anaconda is a proven package with a lot of testing in the real world, doing
a task which is difficult to get right in every case. There's a lot of very
different machines out there! Note the vast improvement between the 6.1
installer -- the first Anaconda -- and that of 7.2, or even 7.1. A Common
Linux Installer can take advantage of this and not have to re-invent the
wheel.

I strongly urge you to take a fresh look at this. I'd be very interested in
working on community project based on Anaconda.

-- 
Matthew Miller           mattdm@mattdm.org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>

From:	 Rainer Weikusat <weikusat@mail.uni-mainz.de>
To:	 letters@lwn.net
Subject: I am getting really tired of this
Date:	 27 Oct 2001 09:30:55 +0200

@@ -520,6 +532,8 @@
        bprm->dumpable = 0;
        if (current->euid == current->uid && current->egid == current->gid)
                bprm->dumpable = !bprm->priv_change;
+       else
+               current->dumpable = 0;
        name = bprm->filename;
        for (i=0; (ch = *(name++)) != '\0';) {
                if (ch == '/')
@@ -533,8 +547,10 @@
        flush_thread();
 
        if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
-           permission(bprm->dentry->d_inode, MAY_READ))
+           permission(bprm->dentry->d_inode, MAY_READ)) {
                bprm->dumpable = 0;
+               current->dumpable = 0;
+       }
 
        current->self_exec_id++;
 
@@ -552,12 +568,11 @@
 }


That's the one (minus architecture specific changes) of them.
Am I the only person capable of reading patches that's left in the
world?

-- 
near
                        distant

From:	 David.Kastrup@t-online.de (David Kastrup)
To:	 letters@lwn.net
Subject: Regarding: Open Source programmers stink at error handling
Date:	 26 Oct 2001 09:59:45 +0200
Cc:	 nicholas.petreley@linuxworld.com


Let me tell you that Open Source *users* stink at error reporting.  I
have recently published a LaTeX editing environment for Emacs
(<URL:http://preview-latex.sourceforge.net>)  and have taken pains to
ensure that
a) error reporting instructions are in READMEs and other relevant
files.
b) an error reporting command is available which collects most of the
useful data a user tends to forget, and makes out a bug report to a
special bug reporting address.  This command is described in all the
instructions.
c) when internal runs of GhostScript fail, you get a button in your
document making all relevant error messages display so that you can
cut and paste those for a report.

Only after I had this infrastructure in place did I make the first
release.

Result?  Almost no usable error reports, particularly when taking into
account the download numbers.  I got more when things just
mysteriously and silently failed so that people could get absolutely
no handle on why this happened.  If people now report errors at all,
they usually send one uninformative Email to my personal Email account
(which is harder to come by in the documentation than the error
reporting instructions).  I never got reports at all about how and
when and which versions of GhostScript fail once the error reporting
interface was in place: people obviously use the feature to debug
their problems away (usually by upgrading GhostScript, I assume)
without telling me.  I get more bugs "reported" (which I subsequently
fix) by snide remarks on Usenet Groups of the "I tried that but
that-and-that did not work as expected" kind than by actual bug
reports.  Mostly of the "I did not consider a bug report because I
figured out that the software is buggy, anyway" variety.  What sort of
a reason is that?

It seems that Open Source users are too accustomed to either living
with bugs or fixing them themselves without telling anybody as to
stoop to reporting any problem.

Either the problem is minor, then they ignore or circumvent it and
make snide remarks on Usenet groups, or it is major, then they don't
use the software at all.  Reporting a bug seems to be an option you
cannot make acceptible.  Not even when you auto-generate an Email
where only few lines needed adding.

Is this remnant from the times where using software was usually the
same as having illegally acquired it and where you feared a bug report
would send you to jail?

Make my day: install my software and report a bug...  And consider
reporting a bug whenever you encounter one in any piece of Open Source
software.

Make it a boy scout motto: one good bug report a week.  People
complain all the time about buggy software.  Make it a habit to
complain where you are supposed to.

Thank you,

-- 
David Kastrup, Kriemhildstr. 15, 44793 Bochum
Email: David.Kastrup@t-online.de