LWN.net

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Leading items and editorials


Interesting court cases is the theme of the week. Some LWN readers have been heard to grumble that we spend too much time on licensing and legal issues. Perhaps that is true, but these issues are crucial: free software is very much at the mercy of the legal environment in which it operates. The law can either help free software's success, or it can make free software illegal and impractical.

Thus, the outcomes of the three cases described below are important. Even if they are limited in scope, they point toward where we could be going in the future. Non-U.S. readers may feel uninterested in purely U.S. results, but the fact remains that conclusions reached here - both good and bad - have a tendency to leak out toward the rest of the world. So read on...

Source code is speech, or so concludes a California state appeals court in the Bunner DVD case. Bunner is "the other DVD case," distinct from the (higher-profile) New York case. The defendant, Andrew Bunner, had been taken to task for posting the DeCSS code on his web site, and ordered by a lower court to take it down. In his appeal, he claimed that the injunction violated his free speech rights. In its ruling (available in PDF format), the court agreed:

Like the CSS decryption software, DeCSS is a writing composed of computer source code which describes an alternative method of decrypting CSS-encrypted DVDs. Regardless of who authored the program, DeCSS is a written expression of the author's ideas and information about decryption of DVDs without CSS. If the source code were "compiled" to create object code, we would agree that the resulting composition of zeroes and ones would not convey ideas.... That the source code is capable of such compilation, however, does not destroy the expressive nature of the source code itself. Thus we conclude that the trial court's preliminary injunction barring Bunner from disclosing DeCSS can fairly be characterized as a prohibition of "pure" speech.

So, code is speech. That is an interesting conclusion, but it does not automatically lead to the conclusion that Mr. Bunner is entitled to publish that speech. American constitutional law is firm in its protection of speech, but there are still many exceptions. To what extent will the designation of code as speech address the various legal problems that free software has encountered recently?

The precedent set by this case, unfortunately, does not help as much as one would like. The Bunner case differs from the New York case in an important aspect: the complaint in Bunner is based entirely on trade secret law. Copyright (and the DMCA) are not part of the argument. That distinction is a key part of the court's reasoning:

Thus, the availability of injunctive relief against copyright infringement is supported by justifications that are inapplicable to trade secrets. Both the First Amendment and the Copyright Act are rooted in the United States Constitution, but the UTSA [trade secret law] lacks any constitutional basis. The prohibition on disclosure of a trade secret is of infinite duration while the copyright protection is strictly limited in time, and there is no "fair use" exception as there is for copyrighted material. These significant distinctions between copyright and trade secret protections explain why courts have concluded that the First Amendment is not a barrier to injunctive relief in copyright infringement cases.

In other words, a first amendment ("free speech") argument beats trade secret law (at least sometimes), but copyright law has a different stature. So, for example, "code is speech" defenses are not automatically assured of success against DMCA prosecutions, since the DMCA is a copyright law.

Finally, the decision in this case applies only to "prior restraint" of speech - the blocking of such speech before it can be proved that damage has been done. With code seen as speech, denial of prior restraint was an easy conclusion for the court to reach ("Indeed, the Supreme Court has never upheld a prior restraint, even faced with the competing interest of national security or the Sixth Amendment right to a fair trial."). The door remains open, however, to injunctions or damages against Bunner down the road, if the DVDCCA can prove that law has been violated and harm has been sustained. So this case is not yet over.

License agreements and first sale doctrine. Below the radar of much of the free software community, another interesting case was coming to a conclusion in U.S. District Court in California. In this case, our old buddy Adobe Software was pushing for an injunction against SoftMan Systems. Softman, it seems, has been buying Adobe software collections, splitting them into their component parts, and selling those parts independently. Adobe's claim is that this reselling activity violates the end-user license agreement (EULA) covering the program, and is thus a copyright violation.

The court disagreed (this ruling, too, is available in PDF format). Essentially, the court has said that the EULA does not apply to SoftMan, for a couple of interesting reasons. One is that SoftMan never agreed to the EULA, and is thus not bound by its terms:

In the instant case, the Court finds that there is only assent on the part of the consumer, if at all, when the consumer loads the Adobe program and begins the installation process. It is undisputed that SoftMan has never attempted to load the software that it sells. Consequently, the Court finds that SoftMan is not subject to the Adobe EULA.

The ruling also casts doubt on whether agreeing to a click-through license can truly be binding to the consumer.

The other aspect of the court's ruling is that the software was sold - not licensed - to SoftMan:

The Court understands fully why licensing has many advantages for software publishers. However, this preference does not alter the Court's analysis that the substance of the transaction at issue here is a sale and not a license.

Since this transaction is a sale, the first sale doctrine applies:

In short, the terms of the Adobe EULA at issue prohibit licensees from transferring or assigning any individual Adobe product that was originally distributed as part of a Collection unless it is transferred with all the software in the original Collection. This license provision conflicts with the first sale doctrine in copyright law, which gives the owner of a particular copy of a copyrighted work the right to dispose of that copy without the permission of the copyright owner.

These conclusions are interesting, in that they have the potential to tilt the interpretation of copyright law a little toward the rights of users of copyrighted material. For example:

  • Both DVD cases depend, partly, on the claim that a commercial DVD package was "improperly" reverse engineered. It is the software's EULA, however, that prohibits that reverse engineering. If the code is reverse engineered without installing it and agreeing to the EULA (by, say, disassembling it on a Linux system), the EULA does not apply. The Bunner case, in particular, could be affected by this ruling.

  • Reselling that unwanted Windows installation on your new computer should be legal.

  • Electronic books, too, are subject to first sale; it should be possible to resell them.

The ruling gives an out to software companies that wish to continue to "license" rather than sell a copy of their software. The transaction is considered a sale when it involves a single payment and use of the software for an unlimited time. Thus, the "rent-a-program" schemes being proposed by many are untouched.

This affirmation of the first sale doctrine is a welcome strengthening of the rights of consumers of copyrighted material. Here is an interesting scenario, though: suppose an unethical vendor obtains a copy of a program licensed under the GPL, makes a change, and resells the product under a proprietary license? Consider, for example, a Linux distribution where the C library has been replaced with a proprietary, value-added package. The vendor could argue that the tweaked copy can be resold under the first sale doctrine. Massive distribution could be made possible by "purchasing" a new copy of the GPL code for each copy sold. We may never see a vendor attempting this approach, but the possibility exists.

The settlement. Tempting though it may be to ignore it, the settlement between that proprietary software company and the U.S. government is worthy of a mention. For the most part, the settlement looks like it will change little for the free software community. Microsoft will continue to exist as a single company, and will have relatively few constraints on what it can do. Business as usual.

The settlement does make it harder for Microsoft to prevent vendors from selling dual-boot systems. Dual-boot boxes may thus become available from some vendors, which may encourage a few people to try out Linux. For the most part, however, dual-boot systems are of limited utility, and their wider availability will not change a whole lot.

In theory, the settlement requires Microsoft to (eventually) document its protocols. However, as the Samba team has pointed out, it's far from clear that such documentation will be forthcoming. The settlement gives Microsoft a great deal of latitude in what it will, and will not, release.

Then, there is the more ominous view of this settlement. Consider, for example, this Dan Gillmor column:

Is it possible that Microsoft and the government have made some secret arrangements that will be couched under 'anti-terrorism' rhetoric when or if they emerge into the public light? The government's new surveillance powers would be far easier to carry out if Microsoft became a government ally in this area.

Also expressing concern is Dave Winer:

Microsoft had a lot of power to offer to the government. The government has been granted new electronic surveillance power by Congress. Now how do they implement it? Microsoft can help. In my mind I'm not so naive to believe this was an arms-length deal, I'm certain there are aspects to the partnership between Microsoft and the US government that we can't see.

It would be easy to achieve an excessive amount of paranoia here, but, at the same time, these concerns are worth considering. Whether or not anything is really happening here, a network dominated by closed source software is vulnerable to government manipulation and surveillance.

Meanwhile, several U.S. states may refuse to join the settlement; if they remain outside, the case will remain alive. The European Union is still pondering what it may do. This story is far from over. No matter how it comes out, though, one presumes that free software will continue to progress and see wider use. No legal settlement is required for that to happen.

Inside this LWN.net weekly edition:

  • Security: OpenSSH 3.0; another kernel vulnerability.
  • Kernel: Toward 2.5; authoritative hooks denied; thrashing /proc.
  • Distributions: Linux Counter - The distribution of Distributions; Red Hat on Top; Debian runs a close second.
  • Development: Sweetcode site, new Alsa releases, ivtools-1.0, Gnumeric 0.75, and lots of XML stuff.
  • Commerce: Sharp announces Linux PDA; IBM open sources Eclipse; MontaVista goes digging for oil.
  • History: Stop terrorism. Use free software; Microsoft ruled a monopoly; More software patents.
  • Letters: The risks of documenting security fixes; reporting bugs.

...plus the usual array of reports, updates, and announcements.



November 8, 2001

   


Security


News and Editorials

OpenSSH 3.0 released. OpenSSH version 3.0 has been released. It includes a great many new features, including smartcard support, improved Kerberos support, dynamic forwarding, and more.

CERT advisory on lpd vulnerabilities. CERT has issued an advisory regarding several vulnerabilities in the lpd print system. Most of the problems are old; the purpose of the advisory is to remind people to apply their upgrades.

Security Reports

Trouble with netfilter and syncookies. Just when you had installed a new kernel and thought that the security problems were behind you, a new one turns up. It's an obscure problem, but, in many cases, worth fixing anyway. Essentially, the "syncookies" mechanism, developed to defend against SYN flood attacks, can be exploited by a clever attacker to circumvent netfilter firewall rules that block incoming connections. Since many firewall setups depend on blocking these connections, this vulnerability could seriously compromise the protection of the system or network. A short-term workaround is to turn off syncookies:

  echo 0 > /proc/sys/net/ipv4/tcp_syncookies

Syncookies will be reset at the next reboot; the system will also be more vulnerable to SYN flood (denial of service) attacks while syncookies are disabled. The real fix, of course, is to apply another kernel update. Here are the ones we've seen so far:

Webalizer tag vulnerability. The "webalizer" logfile analysis program has a vulnerability which can allow an attacker to place arbitrary HTML tags into the reports. When the reports are viewed, these tags can be used toward unpleasant ends, including cross-site scripting attacks. A fix is available which closes the vulnerability.

Updates seen so far:

Red Hat updates ghostscript. Red Hat has issued a security update to ghostscript fixing an interesting problem. When ghostscript is used as part of the print spooling system (a common configuration), a clever attacker can use its PostScript file commands to read any file that is accessible to the print spooler. The update disables those commands in that context. There is also a more comprehensive printer update available from Red Hat which includes this fix, a number of others, and tosses in the IBM Omni printer drivers for good measure.

Denial of service vulnerability in Tux. The Tux kernel-based web server has a denial of service vulnerability which can allow a remote attacker to crash the host system. Most systems do not run Tux; those which do should apply the Red Hat kernel update for the syncookie problem; it also fixes this vulnerability.

Caldera security update for libdb. Caldera has released a security update that fixes the libdb package. The update fixes vulnerabilities from unsafe versions of the snprintf and vsnprintf functions that can be exploited by local and remote attackers.

Format string vulnerability in rwhoisd. The "rwhoisd" whois server has a format string vulnerability which can be used by a remote attacker to run arbitrary code. A patch is available which should be quickly applied by anybody running this server; no distributor updates have been seen as of this writing.

Updates

Configuration file vulnerability in ht://Dig. The ht://Dig search engine contains a vulnerability which allows a remote user to specify an alternate configuration file. If that user is able to place a suitable file in a location where ht://Dig can read it, the system may be compromised. See the original report from the ht://Dig project for details. This vulnerability first appeared in the October 11 LWN security page.

This week's updates:

Previous updates:

Procmail race conditions. See the July 26 Security page for the initial report.

This week's updates:

Previous updates:

Vulnerabilities in tetex. The tetex package has a temporary file handling vulnerability; this problem was first reported in the July 12, 2001 LWN security page.

This week's updates:

Previous updates:

Several vulnerabilities in ucd-snmp. The ucd-snmp package has a number of vulnerabilities, including buffer overflows, format string problems, and temporary file races. This problem was first reported in the August 23 LWN security page.

This week's updates:

Previous updates:

Improper credentials from login. A problem with the login program (in the util-linux package) can, in some situations, cause a user to be given the credentials of another user at login. Use of the pam_limits module, in particular, can bring about this problem. In general, distributions using the default PAM configuration are not vulnerable; an upgrade is probably a good idea anyway. This problem was first reported in the October 18 LWN security page.

This week's updates:

Previous updates:

Resources

Linux Security Week for November 5 from LinuxSecurity.com is now available.

Events

Upcoming Security Events.

| Date | Event | Location |
|---|---|---|
| November 8, 2001 | 8th ACM Conference on Computer and Communication Security (CCS-8) | Philadelphia, PA, USA |
| November 13 - 15, 2001 | International Conference on Information and Communications Security (ICICS 2001) | Xian, China |
| November 19 - 22, 2001 | Black Hat Briefings | Amsterdam |
| November 21 - 23, 2001 | International Information Warfare Symposium | AAL, Lucerne, Switzerland |
| November 24 - 30, 2001 | Computer Security Mexico | Mexico City |
| November 29 - 30, 2001 | International Cryptography Institute | Washington, DC |
| December 2 - 7, 2001 | Lisa 2001 15th Systems Administration Conference | San Diego, CA |
| December 5 - 6, 2001 | InfoSecurity Conference & Exhibition | Jacob K. Javits Center, New York, NY |
| December 10 - 14, 2001 | Annual Computer Security Applications Conference | New Orleans, LA |

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet


November 8, 2001


Kernel development


The current kernel release is 2.4.14, which was released on November 5. The 2.4.14 patches are all oriented toward stability, with the notion of, finally, producing a 2.4 kernel that really works for everybody. So there are no surprising changes to be found therein...

...almost. Linus has said with the 2.4.14-pre8 release that he would add no major changes before the final release, "per popular demand." Nonetheless, a last-minute tweak went in that broke the loopback driver; a small patch must be applied before the kernel will build properly.

Alan Cox's latest is 2.4.13-ac7, released on November 3. It contains a number of fixes and updates, including a large IDE driver update. Alan is, for now, working on merging his changes into 2.4.14 rather than pushing forward the "ac" series.

On the 2.2 front, Alan has released 2.2.20-pre12.

The path to 2.5 and the resolution of the VM divergence are starting to look a little clearer, thanks to some postings from Linus and Alan.

On 2.5: here's the latest from Linus:

My not-so-cunning plan is actually to try to figure out the big problems now, then release a reasonable 2.4.14, and then just stop for a while, refusing to take new features.

Then, 2.4.15 would be the point where I start 2.5.x, and where Alan gets to do whatever he wants to do with 2.4.x. Including, of course, just reverting all my and Andrea's VM changes ;)

There are, of course, those who would argue that Linus should have stopped taking new features a year or so ago...better late than never.

On the stability front, it is beginning to look like 2.4 is getting there. With the exception of the build problem mentioned above, there have been few complaints about this kernel. Stability, perhaps, is at hand.

Interestingly, it appears that Alan Cox will not be the maintainer of 2.4 once Linus moves on. In a posting to Advogato, Alan states that the 2.4 mantle will be passed to Marcelo Tosatti, who has been active in the kernel maintenance area for some time. Alan, instead, will adopt a slightly lower profile and be "spending more time concentrating on Red Hat customer related needs." Alan has always had a strong sense of what people are really using Linux for, and kernel development has benefitted from that. Refreshing his view into user needs is probably a useful thing for him to do.

Regarding the virtual memory subsystem: the 2.4 kernel will almost certainly stay with the new Arcangeli implementation. This is not a particularly surprising conclusion at this point. All along, there has been very little criticism of Andrea's implementation - though there is a persistent, low-level grumbling that some more documentation would be nice. Even Alan, while not including it into his "ac" series, has never claimed that the new VM was poorly done.

The complaining, instead, has been about process: many people were simply amazed that Linus would completely replace such a fundamental component in the middle of a stable kernel series. Even Linus, while defending his choices, has acknowledged that concern:

2.5.x will obviously use the new VM regardless, and I actually believe that the new VM simply is better. I think that Alan will see the light eventually, but at the same time I clearly admit that Alan was right on a stability front for the last month or two ;)

In retrospect, the real mistake seems easy to pick out: 2.4.0 should never have been released without a rock-solid VM implementation. Even if the 2.4.0 VM implementation could have been fixed with further work (and the "ac" series was making serious progress in that regard), that degree of fixing should not have been necessary. With luck, some of the lessons that have been learned here will be applied during 2.5 development.

Authoritative hooks: permission denied. The security module patch has been under development for six months or so; its purpose is to create a standard framework for the addition of security code to the kernel. The NSA's SELinux distribution has already been reworked to use this patch. It is generally considered to be in a ready state, waiting only for the 2.5 series to start before it is proposed for inclusion into the kernel.

Until recently, however, there has been one outstanding issue: authoritative hooks. The security module patch allows modules to hook into almost any operation performed by the kernel and make security decisions. But those decisions are all restrictive: a security module can only exercise its power by vetoing an operation that would, otherwise, have been allowed. Security modules, thus, can only make security policies tighter.

There is a patch out there, however, which would add "authoritative" hooks. An authoritative hook has the ability to give a process credentials and access that it would not otherwise have had. Many security policies can be implemented without authoritative hooks, but others cannot. Access control lists (ACLs) are an example of a security mechanism requiring authoritative hooks: an ACL can grant access to a file that would otherwise be denied by the standard permission bits. If a security module can not override those bits, via an authoritative hook, then it can not implement ACLs.

The debate over authoritative hooks has simmered on the security module list for some time. This week, it reached a conclusion of sorts when it was decreed that authoritative hooks would not be incorporated into the security module patch before that patch is submitted for inclusion in 2.5. There are various reasons for this decision, but they boil down to:

  • A security module patch implementing only restrictive hooks is far less likely to introduce security problems of its own. If security modules can increase privileges, there is a lot more latitude for mistakes that open up vulnerabilities.

  • The security module developers fear that the inclusion of authoritative hooks will make it less likely that the security module patch will be accepted into 2.5.

The door remains open for authoritative hooks sometime in the future, after the basic security module patch is part of the mainline kernel. For now, though, they will be left out.

Of course, not everybody is happy with this decision. In particular, a couple of developers from SGI (who are working on an ACL patch) have made it clear that they think the decision is wrong:

It is our position that the LSM group has decided to compromise the product in order to make the sale. We believe this is poor practice from both political and technical directions.

The authoritative hook developers worry that compatibility issues will prevent the patch's inclusion in the future. The patch changes the security module interface, and, if included later, will break existing modules. Over the course of 2.5 development, however, the kernel developers may be more than willing to pay that price if authoritative hooks seem worthwhile.
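The difference between the two kinds of hook, and the risk argument against the authoritative kind, can be modelled in a few lines of C. This is an added illustration, not code from the security module patch or the SGI ACL patch; every type and function name in it is hypothetical, and the file, users and ACL entries are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the access decision. Every name here is hypothetical;
 * none of it is the security module patch's real interface. */
enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4 };
enum verdict { NO_OPINION, GRANT, DENY };

struct subject   { unsigned uid, gid; };
struct acl_entry { unsigned uid, perms; };
struct file_obj {
    unsigned owner, group, mode;   /* mode: classic permission bits, e.g. 0640 */
    const struct acl_entry *acl;   /* per-user entries kept by the ACL module */
    size_t acl_len;
};

/* A security module inspects one request and returns its verdict. */
typedef enum verdict (*module_fn)(const struct subject *,
                                  const struct file_obj *, unsigned);

/* Standard permission bits: use the owner, group or other triplet. */
static bool mode_bits_permit(const struct subject *s,
                             const struct file_obj *f, unsigned want)
{
    unsigned bits;
    if (s->uid == f->owner)      bits = (f->mode >> 6) & 7;
    else if (s->gid == f->group) bits = (f->mode >> 3) & 7;
    else                         bits = f->mode & 7;
    return (bits & want) == want;
}

/* ACL module: an entry for this uid decides; otherwise it has no opinion. */
static enum verdict acl_module(const struct subject *s,
                               const struct file_obj *f, unsigned want)
{
    for (size_t i = 0; i < f->acl_len; i++)
        if (f->acl[i].uid == s->uid)
            return (f->acl[i].perms & want) == want ? GRANT : DENY;
    return NO_OPINION;
}

/* A module with a mistake in it: it grants every request. */
static enum verdict buggy_module(const struct subject *s,
                                 const struct file_obj *f, unsigned want)
{
    (void)s; (void)f; (void)want;
    return GRANT;
}

/* Restrictive hook: the module is consulted only after the standard
 * check has passed, and the only thing it can do is veto. */
static bool check_restrictive(module_fn m, const struct subject *s,
                              const struct file_obj *f, unsigned want)
{
    if (!mode_bits_permit(s, f, want))
        return false;              /* a GRANT from the module is never heard */
    return m(s, f, want) != DENY;
}

/* Authoritative hook: the module's verdict overrides the mode bits. */
static bool check_authoritative(module_fn m, const struct subject *s,
                                const struct file_obj *f, unsigned want)
{
    enum verdict v = m(s, f, want);
    if (v != NO_OPINION)
        return v == GRANT;
    return mode_bits_permit(s, f, want);
}

/* Constructed sample data: a 0640 file owned by uid 1000, group 100. */
static const struct acl_entry sample_acl[] = {
    { 2000, MAY_READ },            /* bob: read access beyond the mode bits */
    { 3000, 0 },                   /* carol: no access despite group read */
};
static const struct file_obj sample_file = {
    1000, 100, 0640, sample_acl, sizeof sample_acl / sizeof sample_acl[0]
};
static const struct subject alice = { 1000, 100 }, bob = { 2000, 200 },
                            carol = { 3000, 100 }, mallory = { 4000, 400 };

int main(void)
{
    printf("bob read, restrictive ACL:      %d\n",
           check_restrictive(acl_module, &bob, &sample_file, MAY_READ));
    printf("bob read, authoritative ACL:    %d\n",
           check_authoritative(acl_module, &bob, &sample_file, MAY_READ));
    printf("carol read, restrictive ACL:    %d\n",
           check_restrictive(acl_module, &carol, &sample_file, MAY_READ));
    printf("mallory write, restrictive bug: %d\n",
           check_restrictive(buggy_module, &mallory, &sample_file, MAY_WRITE));
    printf("mallory write, authoritative bug: %d\n",
           check_authoritative(buggy_module, &mallory, &sample_file, MAY_WRITE));
    printf("alice write, restrictive ACL:   %d\n",
           check_restrictive(acl_module, &alice, &sample_file, MAY_WRITE));
    return 0;
}
```

With restrictive composition the ACL's grant to bob has no effect, while the buggy module can never widen access past the mode bits; with authoritative composition the ACL works and the same bug gives mallory write access.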

Fixing up /proc. It all started with a posting from Rusty Russell giving a proposal (and patch) for a new /proc implementation. Rusty's patch is aimed mostly at the kernel interface to /proc - what is required for code in the kernel to export an interface via that filesystem. It is indeed true that the current /proc API, though much improved over earlier versions, is unwieldy to work with and requires a lot of supporting code. The proposed replacement simplifies that interface greatly, to the point of requiring a single line of code for a module that wishes to export a simple variable via /proc.

The new API drew a few comments, but most people seemed to not be particularly concerned about it. Almost nobody is attached to the current way of doing things, after all. On the other hand, everybody seems to have ideas about how to change the other side of the interface: how /proc appears to user space.

There is a great deal of frustration with the current /proc. There is no standard for files in that directory: how they are named, what they contain, how they are formatted, etc. As a result, /proc is messy and inconsistent, and it is difficult to write applications that work well with it. The format of /proc files has also tended to change unpredictably over time, adding compatibility headaches for application writers.

So, the kernel list has seen a substantial discussion on what a new /proc should look like on the application side. At a minimum, people would like to see a set of defined standards for what goes in that directory. A set of informal standards already exists: /proc is supposed to be moving toward a scheme where files are in structured subdirectories, and each file contains exactly one value. Others would like to be far more formal, however; see postings by Kai Henningsen and Stephen Satchell which attempt to nail down how each /proc file should look.

Then again, if you want to impose a format on /proc, why not make it fully buzzword compliant and use XML? The xmlprocfs project has done just that, providing an implementation with enough angle brackets for everyone. See, for example, the XML version of /proc/devices for an example of how it looks. There are numerous XML supporters out there, but most kernel developers seem to think that XML is overkill.

Another contingent thinks that the fundamental idea behind /proc - human-readable, ASCII data - is incorrect. Instead, they would make /proc files into binary data, one value per file. The argument behind this approach is that it eliminates the need for the kernel to ASCII encode everything and the need for applications to have decoders. Why not just pass the data directly? All that overhead will be eliminated, as well as the hassles of keeping up with unstable /proc formats and the ongoing potential for buffer overflow problems.

Daniel Phillips did some profiling, and found that, when "top" is running, the kernel spends a significant amount of its time using sprintf() to encode values. So it appears that the cost of an ASCII /proc is worth thinking about.

Nonetheless, a binary /proc will not be making an appearance anytime soon; Linus has made that clear:

In short: /proc is ASCII, and will so remain while I maintain a kernel. Anything else is stupid.

Chances are, actually, that /proc in 2.5 will look very similar to what users see now in 2.4. Massive changes in that interface are not only controversial; they also are guaranteed to break no end of applications. People really don't like it when their programs break. The kernel developers may not hesitate to break internal interfaces, but they are far more careful about causing problems in user space. That inertia alone is likely to ensure that massive /proc changes don't happen anytime soon.

A new devfs. The devfs device filesystem has never been an uncontroversial development. Kernel hackers argued for years over whether it should find a place in the mainline kernel; even after Linus settled that issue, the debate has gone on. In more recent times, however, the focus has been on the quality of the code - or the lack thereof. Even devfs author Richard Gooch has admitted that devfs, as it appears in current kernels, has substantial problems with race conditions and holes.

Some developers have been strongly critical of Richard for allowing these problems to persist. Richard has not helped the situation by being more focused on adding new features than fixing bugs.

With luck, this chapter, too, may be coming to a close. Richard has posted a new devfs core implementation which works enough reference counting and locking into the code to, one hopes, eliminate the problems. The changes are large, and Richard is not currently presenting the code as being ready for production. Nonetheless, he's more than interested in hearing about problems that brave testers might find. Once this code seems solid, it will be sent to Linus as a replacement for the existing devfs code in 2.4. (The most recent version of this patch, as of this writing, is here).

Other patches and updates released this week include:

  • Nathan Scott has posted a proposal for an extended attributes API. Among other things, this API allows access control lists for both XFS and ext2 to work with the same user space interface.

  • Speaking of ACLs, Andreas Gruenbacher has released version 0.7.22 of the ext2 ACL implementation.

  • A design document for the ReiserFS v4 transaction subsystem, written by Joshua MacDonald and Hans Reiser, is now available.

  • Version 0.9.0beta9 of the ALSA sound driver system is available.

  • Pavel Machek has posted a new swsusp patch for the 2.4.13 kernel. (swsusp will suspend a running Linux system to disk).

  • User-mode Linux 0.50-2.4.13 has been released by Jeff Dike.

  • Keith Owens has released version 1.5 of the new kernel build mechanism.

  • The High Resolution Timers project has released the first version of its patch.

  • The latest preemptible kernel patch is available from Robert Love. Among other things, this patch now supports the ARM architecture.

  • Derek Glidden has announced an analysis of the two 2.4 VM implementations, along with the 2.2 version. He concludes that some work remains to be done, but both 2.4 versions are better than what was available in 2.2. Also, a look at the swap performance of the 2.4 VM implementations has been made available by "safemode."

  • Daniel Phillips has gotten back to his ext2 directory index patch and released a new patch. "Still for use on test partitions only." He has also posted a set of test results with the new patch which show some nice performance improvements.

  • William Irwin has posted a new, bitmap-based boot-time memory allocator.

  • Version 0.2.2 of the enterprise volume management system has been released by Kevin Corry.

  • kdb v1.9 for 2.4.14 has been announced by Keith Owens.

  • Andrew Morton has released version 0.9.15 of the ext3 filesystem for the 2.4.14 kernel.

  • The November 5 security module patch is available; included now is a pair of example modules.

  • Version 1.4g of the loop-AES filesystem encryption patch is available.

  • The first release from the OpenGFS project - version 0.0.91 - has been announced.

Section Editor: Jonathan Corbet


November 8, 2001

For other kernel news, see:

Other resources:


See also: last week's Distributions page.

Note: The list of Linux distributions has moved to its own page.

Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Linux Counter - The distribution of Distributions. Many people will already be aware that Linux Counter recently updated its database of registered Linux users. Entries that had not been updated in over two years were removed, deleting thousands of entries. So it seems like a good time to look at their view of which distributions are the most popular, while the data is relatively fresh. Here's how it looks:
[Tux wearing a Red Hat]

Red Hat 26.76%
Debian 22.32%
Mandrake 17.32%
Slackware 14.65%
SuSE 8.94%
Other 10.01%

The picture of 'Tux wearing a Red Hat' and other 'Linux Geeks', drawn by Franck Alcidi, can be found in Linux User Caricatures at Linux Gazette.

Red Hat on Top. Linux Counter's statistics can only reflect those Linux users that have actually registered and entered a distribution in the survey. No doubt there are thousands (millions?) of Linux users that have not been counted, and many of those thousands probably don't run Red Hat. Still, there is no question that Red Hat Linux is a major force among Linux distributions, and is likely to remain so for some time. Therefore it seems appropriate to continue with some Red News.

Hewlett-Packard and Red Hat, Inc. announced grants of Red Hat Linux Software to selected universities as part of HP and Intel Corporation's Itanium-based Systems Grants program. Red Hat Linux 7.1 and a one-year subscription to Red Hat Network will be provided to the 40 universities that received grants from the program.

Red Hat Linux 7.2 and Red Hat Linux Professional are available in stores and other outlets. Key new features of Red Hat Linux 7.2 include:

  • The 2.4.7 Linux kernel for increased scalability
  • Ext3 Journaling file system for data reliability
  • Network Configuration, User Management, and Hardware Viewing tools for infrastructure and development
  • Firewall Configuration during installation and Red Hat Network for added security

Shipping with RH 7.2 are the Forte for Java integrated development environment (IDE) from Sun Microsystems and integrated support for Broadcom Corporation's e-Commerce security solutions.

Red Hat Linux also turned up the winner in PC Magazine's Editor's choice awards. Read Choosing Linux for reviews of Red Hat and other Linux distributions.

Turbolinux 7 Server on December 7. Turbolinux users may not have registered at Linux Counter, but they are out there. Fans will be happy to see Turbolinux 7 Server, to be released on December 7. Advertised features include large file support, the logical volume manager, and, they say, the first distribution to conform to the LI18NUX internationalization specification.

Distribution News

Debian runs a close second. Debian users are probably not surprised that their favorite distribution ranks a close second in Linux Counter's statistics. The loosely knit group of volunteers that spend their free time working on the Debian Project have put together an outstanding distribution, whichever flavor you choose.

The Debian Weekly News for November 8th, 2001 contains news about 2.2r4 (potato), the freeze, recognizing IRC channels, the default Mail Transport Agent, and much more.

Debian GNU/Linux 2.2r4 has been released. This is a bug fix update, containing mostly security updates and fixes for a few serious problems.

The sixth Debian Woody Bug-Squashing Party will be held on the weekend of November 9 through 11, 2001. Squash those bugs, but make waves because there's a freeze in place.

Freeze Update! Woody has been frozen. Any further changes to packages need to be made by unanimous agreement amongst all the maintainers the change will affect.

Red Hat Bugfix advisories. The following are bugfix or enhancement advisories:

Slackware. There were several packages updated in Slackware-current (Intel) this week.

  • gcc-3.0.2/: Note that Slackware packages are still being built with gcc-2.95.3.
  • htdig-3.1.5/: Added a patch to resist a DoS attack.
  • kde-2.2.1/: Recompiled against openssl-0.9.6b
  • koffice-1.1/: Rebuilt against rebuilt kde-2.2.1.
  • openssl-0.9.6b/: Upgraded to openssl-0.9.6b.
  • openssh-2.9.9p2/: Upgraded to openssh-2.9.9p2, built against openssl-0.9.6b.
See the ChangeLog for notes and additional details.

New Distributions

Aurora Sparc Project. The Aurora Sparc Project has been announced. The Aurora Sparc Project is building a Sparc system starting with Red Hat 7.2. Build 0.1 includes the basic pieces needed: Glibc, kernel-headers, gcc 2.96, X, gnome-libs, perl, python, and bash.

Minor Distribution updates

Astaro Security Linux. Astaro Security Linux is not really a full distribution. It is more of a proprietary firewall product, but it is Linux 2.4-based. Version 2.015, released November 5, contains a major bugfix in the virus-scan detection engine.

Devil-Linux 0.5 Beta 2 released. Devil-Linux 0.5 Beta 2 has been released with lots of changes. Devil-Linux is a special Linux distribution, used for firewalls/routers and released under the GNU GPL.

mkLinux. Updates for BIND (9.1.3), OpenSSH (2.9p2), and OpenSSL (0.9.6b) are available on ftp.mklinux.org. These are not really security fixes, but these are packages you want to have up-to-date.

Distribution Reviews

Big OSes can learn from OpenBSD (ZDNet). Here's an introduction to OpenBSD from ZDNet. "Unlike other operating systems, with the exception of close relative NetBSD, the open source OpenBSD was built from the ground up to be secure. How do they do it? In no small part, it's by constantly auditing the operating system's code for potential security problems."

Redhat 7.2 launch eclipsed by XP blitz (CNN). CNN reviewed Red Hat 7.2. "A week of daily Redhat 7.2 use has shown it to be a stable platform with only a few minor issues. There's a wide range of fonts, and a hard-to-read script-like font sometimes becomes the default in the wrong places."

RedHat Linux 7.2 Review (LinuxLookup). LinuxLookup was (mostly) impressed with Red Hat 7.2. "Installation was a snap. Be sure to pay close attention, especially if you want to migrate your old ext2 partitions over to ext3. The new and improved disk druid was pretty slick. When you clicked on an older partition it would provide you its old mount point. But I just have to say this again, migrating file systems is the biggest plus yet! A full installation of RedHat 7.2 yields over 2 gigabytes!"

Section Editor: Rebecca Sobol


November 8, 2001

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.


See also: last week's Development page.

Development projects


News and Editorials

Sweetcode.org. A new code repository site has been brought to our attention, sweetcode.org. The site is devoted to innovative free software, and features links to a bunch of interesting projects.

Sweetcode has started off with a nice selection of open-source programs; here's a small sample:

  • the Tulip Project is a graphical visualization system which is useful for plotting very complex images.
  • Picker is a Java program that is used to derive data points from gif images of graphs; it is apparently useful for reverse engineering scientific publications.
  • Jazz is a toolkit for building zoomable user interfaces. Jazz is based on the Java 2D API. "Imagine that the computer screen is a section of wall about the size of a typical bulletin board or whiteboard. Any area of this surface can then be accessed comfortably without leaving one's chair. Imagine further that by applying extraordinarily good eyesight and eye-hand coordination, a user can both read and write as comfortably on any micron wide section of this surface as on any larger section."
  • Tempest For Eliza is a program by Erik Thiele that causes your video card to generate dot clocks at specified frequencies, for the purpose of making your monitor generate short wave radio signals. Apparently, the program broadcasts a Beethoven piece.
  • Swirlies are "algorithmically generated images which look continuous when tiled", interesting eye-candy, indeed.
Hopefully, the site will keep up the good work and get a lot of support from the open-source developer community.

Audio Projects

New releases from the Alsa project. The Alsa sound driver project has announced several new releases, the 0.9.0beta9 version of the development release and the 0.5.12 version of the stable release. The Linux Music site features a detailed review of the Alsa changes.

Databases

New #gnome-db IRC channel. A new IRC channel has been announced for discussing GNOME-DB issues.

pyPgSQL 2.0 released. Version 2.0 of pyPgSQL is available. PyPgSQL is a Python based interface to PostgreSQL databases. The release notes indicate that this is the first "real" release of the package.

Introduction to Native XML Databases (xml.com). Kimbro Staken introduces Native XML Databases on O'Reilly's xml.com. "The term "native XML database" (NXD) is deceiving in many ways. In fact many so-called NXDs aren't really standalone databases at all, and don't really store the XML in true native form (i.e. text). To get a better idea of what a NXD really is, let's take a look at the NXD definition offered by the XML:DB Initiative, of which the author is a participant."

Electronics

Icarus Verilog snapshot released. A new snapshot of the Icarus Verilog electronic simulation language compiler has been released. The release notes mention new support for multiple root modules, improved port error checking, and bug fixes.

Embedded Systems

Embedded Linux Newsletter for Nov. 1, 2001. The November 1, 2001 edition of the Embedded Linux Newsletter is available. Stories include LinuxDevices.com's 2nd birthday, a review of the Sharp Zaurus Linux PDA, Commercial YOPY PDAs about to ship, and more.

Network Management

gnutellavision: Real Time Visualization of a Peer to Peer Network. Rachna Dhamija, Danyel Fisher and Ka-Ping Yee have published a paper on gnutellavision, a network monitoring tool for monitoring Gnutella usage. The paper is part of a collection of works on information visualization that were done at UC Berkeley.

Science

Live from the AMIA conference in Wash. D.C. (LinuxMedNews). LinuxMedNews' Ignacio Valdez reports on the open-source side of the American Medical Informatics Association conference.

Web-site Development

Midgard Weekly Summary for October 30, 2001. A new Midgard Weekly Summary is out. Topics include a discussion of scripting foundations, a Midgard FAQ system, a command line interface for client/server administration, and more.

PHP Review Development Version 1.0.1. In what they are calling a milestone release, version 1.0.1 of the PHP Review book reviewing project has been released. The WHATSNEW file documents all of the changes.

mnoGoSearch-php-3.2.0.beta0. Version 3.2.0.beta0 of mnoGoSearch-php, a PHP search front end, is available. The ChangeLog file lists a number of changes including support for mnogosearch-3.2.x, Unicode support, word highlighting, and bug fixes.

Zope 2.4.3 beta 1 released. Zope 2.4.3 beta 1 has been released. The changes include WebDAV mods, ZCatalog fixes, and other bug fixes.

The latest Zope Members News. The most recent items from the Zope Members News include a Comdex Zope BOF, Zope 2.4.3 beta 1, CMF Tracker, and CMFGUM.

Miscellaneous

This week in DotGNU number 3. The third This week in DotGNU has been published. Topics include the Mercury programming language, GNU Common C++, webservices, and cashbox, an ecommerce webservice application.


November 8, 2001



Desktop Development


Browsers

Mail/News Performance Effort Underway (mozillaZine). Seth Spitzer has posted an update that describes the Mozilla Mail/News work that is needed prior to the release of Mozilla 1.0 and the preceding milestones. Footprint and performance issues will be the main focus, as will crashes and data loss issues.

Desktop Environments

GNUstep weekly editorial for November 2, 2001. A new GNUstep weekly editorial has been published, with all of the latest news from that project.

Kernel Cousin KDE For 2 November, 2001. The November 2, 2001 Kernel Cousin KDE is out. Topics include C Bindings for KDE3, Power Management at KDE Shutdown, DCOP Gets Major Facelifts and Additions, Alsa 0.9 Support in aRts, CSS Media Support, Synchronous KIO, Konqueror Context Menu Plugins and KPilot Releases for KDE2 and KDE3.

Graphics

ivtools-1.0 released. A commercial company, Vectaport, has released version 1.0 of its open-source ivtools graphics package. The ivtools drawtool is based on an ancient, but powerful and easy to use drawing package, the Interviews idraw program.

Interoperability

Wine Weekly News for November 2, 2001. The November 2, 2001 edition of the Wine Weekly News is available. This week's topics include a problem with VirtualDub, Borland OWL, and WINE and Haxial programs.

Office Applications

Gnumeric 0.75 released. Gnumeric 0.75 has been released. They're looking for the last bugs before they can put out a stable gnumeric release; if you can make it crash, they'll buy you "a beverage of your choice."

AbiWord Weekly News. The AbiWord Weekly News for November 1, 2001 has been released with the latest info and stats from the AbiWord project. The November 6 issue is also available.

Miscellaneous

Gnome-pilot 0.1.63 released. Version 0.1.63-1 of gnome-pilot has been released. This version fixes a bug in the previous version that caused the pilot to crash in some situations. Upgrades are advised. The code is available here.


Programming Languages


Caml

Caml Weekly News for November 6, 2001. The November 6, 2001 issue of the Caml Weekly News is out. Topics include new versions of the shared library patch and the real arithmetic module for ocaml.

The latest from the Caml Hump. The latest articles in the Caml Hump include pointers to PsiLAB and Creal, two Objective Caml based mathematical tools.

Lisp

Free The X3J Thirteen! for October, 2001. The October, 2001 edition of Free The X3J Thirteen! is out, with lots of Common Lisp news. Topics include: "a release roadmap for Maxima, initial work on a Simple-streams implementation for CMU CL and the MorphiCL user interface, the releases of OpenMCL 0.8 and LISA 1.1, open projects related to ECLS and a list of new packages in cCLan (C[T|P]AN for Common Lisp). It also includes a review of the Eclipse window manager written in Common Lisp."

Perl

The Lighter Side of CPAN (O'Reilly). Alex Gough reviews some fun Perl modules from the CPAN site. Learn how to use weird dates, turn error messages into haikus, and more.

The Perl Journal back issues. The Perl Journal has put all of its back issues online. Twenty-one issues are currently available.

PHP

PHP Weekly Summary for November 5, 2001. The November 5, 2001 issue of the PHP Weekly Summary is out. Topics include fixes to MySQL 4.0.0 and phpinfo(), the empty ("0") bug, Windows XP, new Clibpdf function, echo vs. html output, new dbtcp extension, and PCRE stack overflows.

Python

Python-URL for November 1, 2001. The November 1, 2001 Python-URL has arrived. Topics include a new Python Eggs page, SkunkWeb 3.1.3, selecting random items from a list, and more.

Python Cookbook online. ActiveState and O'Reilly have built a collaborative website called the Python Cookbook. The site contains a lot of example Python code. "This living collection will allow programmers to be more productive with Python, and will provide a dynamic space for the rapid content development of a cookbook."

Ruby

The latest from the Ruby Garden. This week, the Ruby Garden features a discussion of a draft Ruby Coding Convention by Takahashi Masayoshi, as well as articles on other Ruby topics.

Tcl/Tk

This week's Tcl-URL. Here's Dr. Dobb's Tcl-URL for November 5, with the usual collection of interesting happenings from the Tcl/Tk community.

XML

Building an XML-based message server (IBM developerWorks). George Franciscus talks about the development of an XML based message server on IBM's developerWorks. "This article shows how to code a lightweight, transport-protocol-agnostic, XML-based message server that not only allows clients to place and pick up messages on queues, but also transform messages using XSL. Written in the Java language, eight code listings take you from opening a client connection to invoking XSL transformations on messages."

XML::Checker::Parser (use Perl). Redsquirrel discusses Perl based XML tools. "Once I had a few XML documents under my belt, I headed off to CPAN to pick up some tools. XML::Parser was the first module I came across. Due to my laziness, though, I quickly became disheartened at the number of styles, handlers, and constructor arguments I had to deal with."

Asmo XML taglib processor 1.0 released. Version 1.0 of Asmo, a Python based simple XML taglib processor, has been released. "Asmo is a simple XML taglib processor. It reads in an XML document and, based on XML namespaces, chooses a library to handle the part of the XML tree within that namespace. The result is an XML document containing whatever data output by the libraries chosen. You can optionally perform XSLT processing on the output."

Building XML-RPC Clients in C (xml.com). Joe Johnston takes a look at Eric Kidd's XML-RPC C library in an O'Reilly xml.com article. "XML-RPC is a wire protocol that describes an XML serialization format that clients and servers use to pass remote procedure calls to each other. There are two features that make this protocol worth knowing. The first is that the details of parsing the XML are hidden from the user. The second is that clients and servers don't need to be written in the same language."

Miscellaneous

Linux System Failure Post-Mortem (O'Reilly). Jennifer Vesperman writes about debugging Linux system crashes on O'Reilly's OnLamp site.

Section Editor: Forrest Cook


See also: last week's Commerce page.

Linux and Business


Sharp announces Linux PDA. The Zaurus SL-5000D PDA from Sharp Electronics Corporation is the hot new toy of the week. Naturally, Sharp had lots of help, and everyone involved put out a press release.

Pre-orders for the unit are being accepted now from U.S. customers.

IBM open sources Eclipse. IBM has announced the release of its "Eclipse" development code under an open source license. Eclipse is a Java-based system designed to help integrate development tools into a single environment; IBM has somehow set its value at $40 million.

VA Linux announces SourceForge Enterprise Edition 3.0. VA Linux Systems has announced the availability of SourceForge Enterprise Edition 3.0. "SourceForge 3.0's expanded monitoring and reporting capabilities help both development and business managers monitor the full spectrum of development activities through comprehensive and customizable reports."

Borland ships Kylix 2. The release of the Kylix 2 rapid development environment for Linux has been announced by Borland.

MontaVista goes digging for oil. Varco International has announced that it will be using MontaVista's Hard Hat Linux in its line of oil rig floor equipment controllers.

Linux NetworX cluster at Fermilab. Linux NetworX has announced that one of its clusters is being used to identify particles at the Fermi National Accelerator Laboratory.

Software patents move forward in Europe. Here's a release from the EuroLinux Alliance (also available in French) on a "coup" at the European Patent Office. Said office, it seems, has just put out a new examination directive which enables patents on software, business models, and mathematics. "This decision constitutes a violation of the European democracy and a provocation against European governments which had publicly stated last November 2000 that they wanted tighter political control over the European Patent Office and decided to preserve the exception for computer programmes."

Open Robot Control Software gains IST-program funding. Tobias Benedikt Hoevekamp has been tracking the European Commission's funding of open source projects. He has recently added the Open Robot Control Software project to the list.

The October 2001 Netcraft Web Server Survey. The October 2001 Netcraft Web Server Survey has been published, with Apache stats slightly lower than last month. Read the report for an analysis of the changes.

Linux Stock Index for November 01 to November 07, 2001.
LSI at closing on November 01, 2001 ... 26.06
LSI at closing on November 07, 2001 ... 27.52

The high for the week was 27.52
The low for the week was 25.62

Press Releases:

Open source products

Proprietary Products for Linux

Hardware and bundled products

Products and Services Using Linux

Products With Linux Versions

Books & Training

Partnerships

Personnel & New Offices

Linux At Work

Other

Section Editor: Rebecca Sobol.


November 8, 2001


See also: last week's Linux in the news page.

Linux in the news


Recommended Reading

Torvalds, Cox Agree on the Future Kernel (eWeek). eWeek reports on the seeming resolution of the VM dispute in the Linux kernel. "The news comes as a relief, especially for Linux kernel developers, who were being forced to support both versions of the 2.4 kernel because of the differences between them, including differing disk cache systems and incompatible quota code. The accord also ends speculation that a fragmented Linux community would be doomed in the face of Windows." Just where this "speculation" came from is not specified. (Thanks to Andrew Clyde).

All you ever wanted to know about the DoJ's Windows cave in (Register). The Register looks at the Microsoft settlement. "So there you go, free at last. It ought to be fairly cheap and simple for the big PC companies who allegedly support Linux to ship dual boot systems, and it wouldn't cost them any more if they made all of their machines, or at least all in particular lines, dual boot."

Microsoft Gets Off Easy. Here are a couple of articles that look at the conclusion of the Microsoft antitrust case:

Movie industry dealt DVD-cracking blow (CNET). A California court has decided that DeCSS is legal under the First Amendment. "A California court has dealt a potentially serious setback to the movie industry's attempt to rid the online world of software that can help break through copy protections on DVDs.

The appeals court released a decision Thursday overturning an earlier order that barred hundreds of people from publishing the code for a software program called 'DeCSS' online. Posting the code is just like publishing other types of controversial speech and is protected by the constitution, the appellate judges said." (Thanks to Anders S. Buch)

More coverage of this announcement can be found on the following sites:

Linux goes to the movies (Salon.com). Linux is making movies and making it big in Hollywood. 'Dreamworks' 2001 summer blockbuster "Shrek!" was rendered -- a technical term referring to the process of creating computer-generated animation -- using racks upon racks of PCs running Linux. In total more than 1,000 computers running Red Hat Linux were used in a single giant cluster, or "render farm."' (Thanks to Paul Hewitt)

Gartner: Linux future still murky (ZDNet). This Gartner Viewpoint still questions the future of Linux. "Currently, the low end doesn't offer financial benefits focused on the operating system itself. Vendors such as IBM, Oracle and Veritas bet that as Linux moves up the enterprise food chain, the operating system will drive ample opportunities for value-based products and services."

XP Equals eXtra Proprietary (Red Hat). Red Hat CTO Michael Tiemann pans Windows XP in an article on the Red Hat site. "Not one, but two courts have ruled against Microsoft's monopolistic practices, and the company has had its appeal to the Supreme Court denied. It might make one wonder why Microsoft is being so bold with its exclusionary, eXtra Proprietary technologies. It's because Microsoft believes that time is on its side; the 1995 abuses are only now being judged, and there's no remedy or no penalty in sight."

Companies

Commentary: Eclipse, a developer's dream? (News.com). News.com is running a Gartner pronouncement on IBM's Eclipse release. "Eclipse is an ambitious project and an ambitious product foundation. If it succeeds, it will revive the concept of best tools combined in a single workbench--an application developer's dream."

IBM Efforts Both Help, Hurt Free Software Initiative (ComputerWorld). ComputerWorld talks to Bradley Kuhn, vice president of the Free Software Foundation, about IBM's contributions to free software. "The FSF distinguishes between work done in the open-source community that permits proprietary extensions to free code and software that is truly free. Kuhn says that proprietary software, by nature, will necessitate charges to end users, which is anathema to free software advocates."

Red Hat suite makes e-commerce easy (ZDNet). ZDNet reviews Red Hat's E-Commerce suite. "Red Hat's $2,995 package is a slick, well thought out and comprehensive solution that's well worth your consideration. And with all the value-added handholding Red Hat includes with the package, it's almost impossible not to achieve the e-commerce solution you seek."

Red Hat chases mainframe Linux leaders (ZDNet). Red Hat will soon release versions of Linux for several IBM mainframes. IBM's iSeries special-purpose servers, pSeries Unix servers and zSeries mainframes will join the xSeries Intel servers already supported by Red Hat.

Business

Investing in Linux. Infoworld is running an article on Boscov's Department Store's switch from Windows to Linux. "Boscov's was adding an average of one server per month the last few years, Roberts says, swelling its production servers to about 50, plus another 50 nonproduction servers. In addition to the complexity and expense of backing up a growing server farm, Roberts had to add a server administrator for every 10 servers, boosting his head count costs as well.

'Not to be overly critical of Microsoft, but because of the way they produce things, you need to apply patches regularly or you are at risk. What was driving me was to stop adding bodies to my staff and to stem the use of Microsoft server software, because it is just too expensive to upgrade every two years', Roberts says." (Thanks to Martin Eskildsen.)

Companies shy away from the penguin (News.com). News.com reports on a survey saying that businesses aren't jumping into Linux. "Almost every large company has at least thought about Linux, and many of them are running pilot projects or even day-to-day (albeit nonessential) systems on the open-source operating system. And because the economy is still weak, many tech observers believe Linux--and its price tag of 'free'--will attract more businesses looking to cut costs. At least that's the theory. Practice indicates something else."

Reviews

The Perfect Browser (Rubber Turnip). Rubber Turnip has done a review of the Galeon browser. "Yesterday, about 15 minutes before I was due to finish work for the day, I had something of an epiphany as I realised that Galeon 0.12.6, the first release candidate of the Mozilla based browser for GNOME, is as close to my perfect browser as I've ever seen. Some explanation for this bizarre statement would seem to be in order."

Interviews

KernelTrap interviews John Levon. KernelTrap speaks with John Levon, the author of OProfile and a contributor to KernelNewbies. "oprofile provides the opportunity for developers to profile the entire system, from interrupt routines, all the way down to user-space processes. It does all this at a very low performance overhead when compared to other profilers. It is already being used to analyse the networking stack, drivers, and user-space programs, and is carefully approaching a production release."

Miscellaneous

Geeks on the Half Shell: Cruising the Caribbean (Linux Journal). The Linux Journal's Doc Searls writes about the recent Caribbean cruise with top Open-Source and Linux luminaries. "Dinner followed. Two nights out of our seven at sea were formal, and a major hoot. One of the few times I've ever seen Maddog actually appear to exemplify his dangerous name was when he showed up for dinner at our table in a perfectly tailored tux, hair slicked back over his enormous beard, sporting a brass-handled cane that turned out to conceal a small beaker of liquid improvement for the evening's four-course meal. He looked like Diamond Jim Brady."

Linux Lunacy: A Photo Essay (Linux Journal). The Linux Journal has posted a set of photos from the recently completed "Geek Cruise."

Section Editor: Forrest Cook


November 8, 2001

   


Announcements


Resources

Deconstructing software copyright, 30 years of bad logic. Greg Aharonian, the author of the Internet Patent Newsletter, has put together a detailed study of U.S. legal reasoning around software copyrights. His conclusion: "In short, today's global software copyright laws are not based on logic or science, but the forty year-old anti-patent wishes of hardware companies who now increasingly earn their profits from their non-hardware products and services. Software copyright, where it is not illogical, is based on outdated economic policy considerations. Globally, software copyright laws should be abolished."

Configuring TCP/IP under Linux (IBM developerWorks). This tutorial reviews the origins of TCP/IP and how it works, including IP addresses, subnets, and routing. Registration is required.

Events

The Third Annual Extreme Beowulf Bash!. Join the supercomputing fun at the Third Annual Extreme Beowulf Bash!, to be held on Monday, November 12, 2001 in Denver, Colorado after the first day of the SC2001 event.

Events: April 26 - June 21, 2001.
Date | Event | Location
November 8, 2001 | LinuxWorld Malaysia | Kuala Lumpur, Malaysia
November 8, 2001 | NLUUG Annual Autumn conference | De Reehorst, Ede, Netherlands
November 8 - 9, 2001 | XFree86 Technical Conference (Oakland Convention Center) | Oakland, CA
November 8, 2001 | Java Information Days, Europe | Frankfurt
November 8, 2001 | Embedded Linux Expo & Conference (Sheraton Reston Hotel) | Reston, VA
November 8 - 10, 2001 | Annual Linux Showcase (ALS) (Oakland Marriott City Center) | Oakland, California
November 9, 2001 | Open Source in Banking and Finance (OSBAF) (Baltimore Engineering Society) | Baltimore, Maryland
November 9, 2001 | Java Information Days, Europe | Zurich
November 10 - 16, 2001 | SC2001 | Denver, Colorado
November 12, 2001 | Third Annual Beowulf Bash | Denver, Colorado
November 17, 2001 | Lightweight Languages Workshop 2001 (LL1) (MIT Artificial Intelligence Lab) | Cambridge MA
November 25, 2001 | The Business of Open Source Software (BOSS) (Ottawa Public Library) | Ottawa Ontario, Canada
November 28 - 30, 2001 | Linux-Kongress 2001 (University of Twente) | Enschede, The Netherlands
December 7 - 9, 2001 | PLUTO MEETING 2001 | Terni, Italy

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Section Editor: Forrest Cook.


November 8, 2001

   

 

Software Announcements


Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:

The Alphabetical List and Sorted by license

 

Our software announcements are provided courtesy of FreshMeat

   


This week in Linux history


Correction. Last week we said that "Unisys has never tried to enforce its patent" on the LZW compression algorithm used in GIF images. We didn't do our homework very well on that. Don Marti wrote in to set us straight. Software patents show up again in the year 2000 this week.

Three years ago (November 12, 1998 LWN): Stop terrorism. Use free software.

Brad Smith, Microsoft general counsel international, says he has seen a still more ominous element in the software piracy food chain. "I'm not prepared to talk about specifics," he says, "but we have seen organized criminal groups using the proceeds from software counterfeiting to pay for terrorist operations overseas. We have seen a couple of terrorist organizations get involved in software counterfeiting."
-- PCWorld.com

The current development kernel release was 2.1.127. This kernel drew some complaints, mostly about compilation errors. Alan Cox released an -ac1 patch containing numerous minor tweaks seemingly aimed at the "jiffies wraparound" problem, MCA stuff, and an apparent return of the AVL tree for mapping virtual memory areas.

The Halloween documents were covered last week, but they remained in the press. Robert Cringely's take, at PBS.org, is worth reading.

What a week ago was a discussion about the inroads Linux and Apache have made against commercial software has suddenly and instantly been redefined into a discussion of the threat Microsoft poses to Linux and Apache, and what those two development efforts have to do to survive. The very fact that we are talking this way means Microsoft is successful in redefining our way of looking at the whole subject. This is both dangerous and wrong. While Linux and Apache may be threats to Microsoft, the truth is that Microsoft in no way represents a threat to either Linux or Apache. No threat, none, zilch, nada.

Two years ago (November 11, 1999 LWN): RedHat and Oracle announced a collaborative distribution based on RedHat Linux that was intended to be aimed at high volume e-commerce sites.

U.S. District Judge Thomas Penfield Jackson's findings of fact revealed that Microsoft had a monopoly in the operating system business. In the ruling, Linux was written off as a viable alternative:

Fortunately for Microsoft, however, there are only so many developers in the world willing to devote their talents to writing, testing, and debugging software pro bono publico.... It is unlikely ... that a sufficient number of open-source developers will commit to developing and continually updating the large variety of applications that an operating system would need to attract in order to present a significant number of users with a viable alternative to Windows.

Publicly traded Linux stocks jumped up in price after the announcement. Cobalt Networks fortuitously chose this week to go public, and immediately jumped to $130/share - then the third biggest opening day "pop" ever.

Rumors circulated that Red Hat would buy Cygnus - these turned out to be true.

Journaling for ReiserFS was released by Hans Reiser. Another journaling filesystem, Stephen Tweedie's ext3 version 0.0.2c, was also released.

The freeze of Debian 2.2 was pushed back - until January of 2000. That seemed like a long time away, but the eventual 2.2 release was even further away.

One year ago (November 9, 2000 LWN): FreeDevelopers.net announced its existence.

FreeDevelopers is a democratic entity for the development of free software. The free company, probably the first of its kind in the world, will be owned and run by developers worldwide on a democratic basis in a sacred trust for the benefit and protection of the world's citizens. It will pay all developers to work on free software, and all developers will receive company shares and stock options

As an official 2.4.0 grew ever closer to reality, the "getting close to release time" ritual of last-minute queries as to why some particular subsystem is out of date and working poorly focused on the IrDA (infrared) subsystem. This rant pointed out that the version in the mainline kernel not only didn't work, it could crash your system as well. In this case it was not that IrDA was unmaintained; the problem was just that the patches were not getting into the kernel. Linus wasn't getting patches in the way he wanted them. The IrDA developers did learn to send small, clear patches frequently, instead of large chunks of code at long intervals, which were inevitably ignored. After a few months IrDA patches started getting into the 2.4.2 kernel.

LWN looked at a LynuxWorks patent covering loadable kernel modules.

But the basic claim is "A computer operating system that can be flexibly constructed by inclusion of any of a plurality of processing components." That, of course, would describe many of the operating systems created over the last twenty years. This patent is not so old, however - it was granted last June. One can only assume that the company will not attempt to enforce it.

As far as we know, this one has not been enforced. No doubt someone will tell us if we are wrong.

ZDNet interviewed Raph Levien on software patents. The following quote comes from patches by Raph in response to the article.

So it was something of a surprise when Levien posted a notice on his Web site earlier this year, offering a free license to anyone who uses his patented ideas in software protected by the Gnu Public License. In other words, anyone who shares "open source" or free software doesn't have to worry about Levien suing for patent infringement.

Wrong. The patent grant is for GPL software only. If you want to release software under a non-GPL open source license, I'd love to have a discussion with you about royalty payments.

The LWN Linux Stock Index was upgraded to include stocks traded in currencies other than US dollars.

Section Editor: Rebecca Sobol.


November 8, 2001


Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

November 8, 2001

   
From:	 Gleef <gleef@ybten.net>
To:	 ripl@yahoo.com, letters@lwn.net
Subject: Re: DMCA Issues
Date:	 Thu, 1 Nov 2001 14:03:07 -0500

In Rip Linton's letter dated October 25, 2001, he writes:
>
> The DMCA does not stop us from documenting bugs or security
> problems. It only prevents us from publishing code that bypasses the
> security of an "effective" security device.

The problem here is in this case there *is* accompanying code that
bypasses an effective security device.  Alan Cox's release notes
aren't made in a vacuum, they are accompanying source code in the form
of a patch to a kernel.

Taking the Linux kernel source code and a security patch prior to that
kernel release, and running "patch -R" with that security patch, can
easily be argued to bypass the security of an effective security
device.

In my mind, it's far less of a leap to call a fixed security hole
effective security than to call security measures in CSS or eBooks
effective.  In the case of kernel security fixes, the fix is a
critical part of its own exploit.

The confusing bit is that Alan's patches fix the security holes, but
he doesn't talk about the details.


The legal thing to do is to refrain from patching security holes.  I
would also consider this highly unethical.

The ethical thing to do is to patch security holes.  This is what Alan
Cox is doing.

If patching security holes is an ethical necessity yet illegal, then
it should be recognized for what it is.  Civil Disobedience.  Civil
Disobedience is far more effective if it's highly visible.

Don't be quiet about security fixes.  Shout them.  Point out how this
is illegal.  Taunt the FBI to respond.  Otherwise they win just by
standing still.

I urge anyone interested to read "Civil Disobedience", by Henry David
Thoreau (1849).  A copy can be found at:
   http://eserver.org/thoreau/civil.html
This copy is split in two, be sure to read both sections.

Yes, the scope of the injustices is less than those addressed by
Thoreau, King or Gandhi.  That doesn't change the fact that they are
unjust, and injustice must be addressed.


To address Alan Cox's release notes directly, yes the DMCA prohibits
programs.  The US Government acts as if code is equivalent to
programs, and seems to act (in spite of Professor Felten's efforts) as
if speech is not.  Since Alan publishes code already, the extra speech
about the code should not change whether or not the FBI would take an
interest in prosecuting him.

Alan is neither a US citizen nor a US resident, and should not bear
the brunt of fighting a US law; I consider his stance of staying away
from the US, until the DMCA no longer threatens him, prudent.  That
being said, whether he speaks about security issues or keeps silent
does not change his legal status, and the security issues do need to
be discussed.

If he continues in his current mode (releasing security information
only to non-Americans), and someone (within or outside the US) can
help me access the security information, I will happily "smuggle" the
information in and post them here (if the editorial staff would accept
them) and in any other forum that will have them.

-Gleef

"What I have to do is to see, at any rate, that I do not lend myself
to the wrong which I condemn."
   -Thoreau

"First they ignore you, then they laugh at you, then they fight you,
then you win."
   -Gandhi

-- 
 
   
From:	 Mark Koek <mark.koek@stelvio.nl>
To:	 letters@lwn.net
Subject: Response to letter to LWN
Date:	 Fri, 02 Nov 2001 18:26:32 +0100
Cc:	 Rip Linton <ripl@yahoo.com>

Rip Linton <ripl@yahoo.com> wrote:

 > The DMCA does not stop us from documenting bugs or security
 > problems. It only prevents us from publishing code that
 > bypasses the security of an "effective" security device.

The whole point is that those two things may be one and the same. Source 
code is speech, and consequently, some speech is source code. The 
description of a security bug is an excellent example of something that 
may be trivial to convert to source code and thus, in practical terms, 
*is* code. And it's not just code, it's code that can be used to 
circumvent an access control system. Code, in other words, that it is 
illegal to publish under DMCA-like laws.

Alan is not being as paranoid as it seems. I agree that it's unlikely 
that he'll ever be prosecuted for publishing details of a security bug, 
but I also think he is making a good point by stating that it is 
perfectly possible for the US DoJ to do it if they wanted to.


Mark

   
From:	 "David Joffe" <email suppressed>
To:	 lwn@lwn.net
Subject: Re: Halloween revisited
Date:	 Fri, 2 Nov 2001 06:40:36 +0200

Interesting article, I just want to add one point:

> One could argue that future features in open source code could be
> more credible, not less. Features in Microsoft code are hidden from
> public view until they spring, fully developed, from the head of
> Bill. Until a product is released, nobody really knows how
> development is progressing 

It should be pointed out that this (MS springing fully developed 
features on an unsuspecting public) is most likely more due to 
Microsoft's monopoly than due to any natural side effect of commercial, 
proprietary software development in general. Microsoft's monopoly means 
that they *don't have to give a damn* what customers *really* want, 
instead, they are free to put into their software whatever is in 
*their* best interests (a good example is the recent "smart links" 
fiasco). These features are not there because they are best for 
customers but because they are best for Microsoft, but the only reason 
Microsoft can get away with doing this is (1) the public usually 
doesn't *know* any better, and (2) the public has no alternatives. In a 
truly competitive environment, software features would probably align 
more closely to what customers want. Right now the public will simply 
swallow whatever is dished up onto their plates.

 - David Joffe

   
From:	 bryanh@giraffe-data.com (Bryan Henderson)
To:	 letters@lwn.net
Subject: bug reporting in noncommercial software
Date:	 Tue, 6 Nov 2001 18:22:25 -0800

David Kastrup tells a great story in a letter to LWN about his
inability to get his users to report bugs.  People do, however,
complain about his program on Usenet and in personal emails.  And
maybe fix them privately.

It's a catch 22 problem.  Users don't waste their time reporting bugs
because programmers don't fix them.  Programmers can't fix bugs
because people don't report them, or don't report them well.

I myself rarely report bugs.  I hate living with bugs, but I hate even
more wasting my time.  I don't want to spend 10 minutes gathering
information, finding the bug reporting system, or typing into a form
if I don't know there's someone listening.  Experience shows there
usually isn't.

When I do break down and, as a last resort, report a bug, I write a
very brief report -- one of those things tech support people laugh at
because there's not enough information to do anything with it.  But
the point is that if I get a human being to respond and say, "I'm not
aware of any problem like this and if you'll give me more information,
I'll work on it," then I'm ready to cooperate.

Kastrup wants to fix his bugs, so wants his users to report them.  I
have a suggestion: put some words in the bug reporting instructions
giving the users confidence that there's some reason to report.
E.g. "I fix every bug that is reported, usually within a week."  Also,
I myself always report a bug if there is a bug tracking system.  I can
see that 25 people haven't already reported it; I can see if bugs are
routinely fixed; and even if I'm ignored, I have the good feeling that
I'm telling the next guy who encounters the bug not to waste his time.

-- 
Bryan Henderson                                    Phone 408-621-2000
San Jose, California
   
From:	 "Knut Stolze" <stolze@us.ibm.nospam.com>
To:	 David.Kastrup@t-online.de
Subject: Re: Regarding: Open Source programmers stink at error handling
Date:	 Fri, 2 Nov 2001 15:57:11 -0800
Cc:	 letters@lwn.net

David,

Basically, I agree with you.  But I believe you cannot generalize things
the way you are doing.

For example, I reported a few bugs to the KDE team.  The result was that
one (where KDE crashed the X server) got rejected right away with the
comment "user error".  From others, I never heard what was going on
(accepted/fixed/not-fixed); others were rejected as "duplicates" but I
didn't get any information about the duplicate, nor did I find anything in
KDE's defect database; other bugs got fixed quickly, which was nice to see.
But overall that's not very encouraging and one could easily consider it a
waste of time trying to submit bug reports.

In general, I still try to find some decent debugging environment
integrated into the products, or see an automated test environment to
prevent regressions.  It might very well be that the products that have it
are so stable for me that I never had a problem.  So take this with a grain
of salt, now...

What I would expect is a specialized memory management and trace facility.
I, as a developer myself, would like to know where in the code was a memory
block allocated but never freed, including stack traceback; I would like to
have direct control over the amount of memory allocated by using special
heaps;  I would like to have a first fault data capture facility (basically
a log), which collects all the information it could get if something goes
wrong (trap files etc.); I would like to see a program gracefully shut down
in severe errors instead of simply core-dumping; I would like to have
initial debug information via a trace, which the user can easily provide me
with, if the problem is reproducible.  I am used to that, and I think it is
invaluable in the long run to get better code.  Unfortunately, there is not
much there that I found - I would admire the developers for their skills if
there were no problems in the code.

In my personal experience, high quality software should have a much higher
focus.  New features are nice, but they don't help anyone if things don't
work in general.  For example, for a long time I did not know and
understand what a "buffer overflow" was, until I found a comment in some
open source code that did a check to prevent such an overflow.  It never
occurred to me to be so sloppy while programming.

So is it just the user's fault?  No, it is also the developer's fault in
(a) providing the necessary infrastructure, (b) educating the user that any
bug is a bug that should and _will_ be fixed, and (c) having the
self-discipline to do high-quality work, even if it takes longer.

Programming is just engineering - not an art - and a major task of
programming is error handling.

p.s: I firmly believe that this point of view is independent of open vs.
closed source.  It is just that one can learn a lot (what one should and
should not do) from open source because the source code is available.

--
Knut Stolze

   
Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds