
Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

January 3, 2002

   
From:	 craig@postnewspapers.com.au
To:	 letters@lwn.net
Subject: re: Galeon release announcement
Date:	 Thu, 20 Dec 2001 17:36:51 +0800

While I know it's been done to death, Mr Ashworth's letter about
galeon's dependencies really annoyed me.

Tell me, would you prefer it if the app developers built against old
versions of libraries, without any of the new features or other
improvements, so the app would install on old systems? Or would you like
a faster, more reliable app that you have to update some libs to run?
Perhaps the app developers should just never update their lib support so
that the app can be compiled for Red Hat 1?

You have to draw the line somewhere. I, personally, like "yesterday"
because if you can download the app, you can download its deps too.
There is no reason for an app developer to build against outdated
libraries.

If you want a version of galeon that will install seamlessly, wait 'till
Red Hat package a version for Red Hat 6.2. It's not the Galeon
developer's problem to support various distros, and especially not old
versions of them.

An upgrade to a newer version of a distro is largely painless. You don't
have to pay for an "upgrade licence," you can just borrow the disks if
you don't want to buy them. You don't even have to update the entire
distro, you have the choice of just updating the required libs.

Dependency management is (finally) making its way into RPM based
distros anyway, so hopefully soon you'll be able to "apt-get install
galeon".

-- 
Craig Ringer
IT Manager
POST Newspapers
http://www.postnewspapers.com.au/
http://oberthur.dyndns.org/~craig/
GPG Key Fingerprint: AF1C ABFE 7E64 E9C8 FC27  C16E D3CE CDC0 0E93 380D

   
From:	 Peter Lawson <peter.w.lawson@noaa.gov>
To:	 letters@lwn.net
Subject: Installing applications
Date:	 Thu, 20 Dec 2001 11:46:04 -0800

To the Community of Linux Developers --

Warning -- this is a rant. I have been using Linux since before the birth
of RedHat, but I am not a sophisticated user.  I am one of those who wants
a stable, capable desktop that is easy to administer.  At this point in my
career I do not want to spend a lot of time learning the innards of my OS
or tinkering to get things working, but I frequently do.  Last month I took
a full day to get my CD-ROM burner running because the HOW-TOs were out of
date and the FAQ answers too terse. Someone with knowledge of the system
could have written a configuration script that would have worked 95% of the
time and saved a lot of users a lot of pain. Today I learned of a nifty
software package that looks like it could make Linux more useful and reduce
my lingering dependence on (shudder) windows for certain tasks.  The
problem is I can't get the damn thing to run, because I either do not have,
or it can't find, certain libraries. I don't feel like I should have to
muck around finding and installing new libraries, breaking dependencies,
configuring PATHs, etc. until this wonderful package stops complaining and
decides to run.  Wash my mouth out with soap, but if I were using windows I
would just double click on setup.exe and trust to the good will and
competence of the author to cram his/her program onto my system without
breaking it.  Usually it works.  Why can't it be that easy in Linux?

If Linux wants to capture more than the recently reported 0.25% of the
desktop market we, as a community, must find a way to make it simple to
install new applications. Most people are not going to pound their heads
against some obscure installation problem in Linux when they can do the
same thing in windows and it *just works*. Linux will become popular on the
street when it becomes easier to use than windows.


-- 
Peter W. Lawson
Fishery Biologist
National Marine Fisheries Service
   
From:	 "Bill Rugolsky Jr." <brugolsky@yahoo.com>
To:	 letters@lwn.net
Subject: Skylarov and bad US law.
Date:	 Thu, 20 Dec 2001 09:07:32 -0500

In LWN for 011220, you wrote:

   "The end of the Sklyarov prosecution is the loss of, perhaps, the best
   opportunity to mount a powerful constitutional challenge to the DMCA.
   Some have criticized Dmitry for having accepted the agreement, saying
   it was his duty to resist to the end. That criticism does not stand up,
   however. Mr. Sklyarov was a Russian citizen facing 25 years of
   imprisonment in the U.S. To say that his duty to help the American
   people in fighting one of their bad laws overrides his duty to his
   family, or, indeed, to himself, is inappropriate. He did not choose
   this fight, and nobody has the right to tell him that he can not
   withdraw from it."

Thank you for bringing some calm reason to the rantings of the
self-righteous.  Any U.S. citizen who wants to mount a constitutional
challenge to the DMCA is welcome to do so, at the risk of his personal
wealth and liberty.  This is not a difficult task, requiring at most a
few weekends worth of concentrated effort to break the vast majority of
copy-protection schemes in use today.

Regards,

   Bill Rugolsky
   
From:	 Gareth Bowker <tgb96@aber.ac.uk>
To:	 letters@lwn.net
Subject: Re: Microsoft's security bugs (lwn daily pages 2001-12-21)
Date:	 Fri, 21 Dec 2001 21:25:02 +0000

LWN wrote on 2001-12-21 re Microsoft's security bugs :

> The thing that stands out to some of us, though, is that it took Microsoft
> five weeks to get a fix out.

Martin Schulze (in DWN) wrote:

> On Fixing Security Critical Bugs. Javier Fernández-Sanguino Peña made
> some [4]analysis regarding vulnerabilities detected and posted to the
> Bugtraq list and those sent as [5]Debian Security Announcements
> (DSAs). His analysis reveals that for the last year it has taken Debian
> an average of 35 days to fix security-related vulnerabilities.

Doesn't it seem a little hypocritical to be slating MS for their 35-day
bugfix, when Debian's average is, er, 35 days?

Cheers,

Gareth
(a Debian user)
   
From:	 "Jay R. Ashworth" <jra@baylink.com>
To:	 letters@lwn.net
Subject: The General Public Virus
Date:	 Tue, 25 Dec 2001 01:32:51 -0500

That's a popular snide comment to make about RMS's baby, the GPL.

There is, as was noted in last week's LWN, much discussion, and no
small amount of acrimony about the license.  It's *my* considered
opinion that we owe Linux to it -- at least, Linux as we see it today,
where our plans for World Domination are proceeding precisely on
schedule.

But regardless of that, it's a completely different aspect of its
virulence I come to talk to you about today.

How many copies of it do you have on your drive?  Need an extra couple
meg of free space?  Try

# find / -name COPYING -exec rm {} \;

I got 2.6MB back.  Think of it as my Christmas present to you all.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff     Baylink                             RFC 2100
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida        http://baylink.pitas.com             +1 727 647 1274

   "If you don't have a dream; how're you gonna have a dream come true?"
     -- Captain Sensible, The Damned (from South Pacific's "Happy Talk")
   
From:	 Grant Bowman <grantbow@svpal.org>
To:	 Larry Augustin <lma@valinux.com>
Subject: Concerns about SourceForge Open Edition
Date:	 Thu, 20 Dec 2001 16:13:58 -0800
Cc:	 Eric Raymond <esr@thyrsus.com>, Patrick Fossenier <pfossenier@valinux.com>,
	 Eureka Endo <eureka@valinux.com>, Marla Kramer <mkramer@vasoftware.com>,
	 Amit Chopra <amit.chopra@csfb.com>, James Byers <jbyers@valinux.com>,
	 Patrick McGovern <pat@sourceforge.net>,
	 Jacob Moorman <moorman@users.sourceforge.net>,
	 Dan Bressler <db@valinux.com>, lwn@lwn.net, editors@newsforge.com,
	 coopx@coopx.eu.org, Keith Backman <keith.backman@abnamro.com>,
	 Prakesh Patel <prakesh.patel@wrhambrecht.com>,
	 Betsy Schiffman <bschiffman@forbes.com>,
	 Tish Williams <twilliams@thestreet.com>,
	 Stephen Shankland <stephens@cnet.com>, Jack Bryar <jack_b@newsforge.com>,
	 Jeff Bates <hemos@slashdot.org>

Hello Mr. Augustin, 

I am writing this open letter <http://www.grantbow.com/letter.html> today
regarding my concern for the lack of comprehensive response from VA and
SourceForge staff to inquiries regarding the SourceForge Alexandria project
and/or SourceForge Open Edition collaborative software development (CSD)
software.  A document now removed from your site indicated plans for the
release of the Open Edition.  My intent is to seek the status of present and
future Alexandria/Open Edition source code.  

VA Software Corporation is a public leader in the efforts to legitimize
business use of Open Source software and legitimize business plans promoting
Open Source software.  A lack of comment from any level of your company feels
like something is being covered up or quietly dismissed as unimportant.  I
maintain that the license used by software that hosts so many of the Open
Source community's projects (including one I develop) is highly relevant and
needs to be addressed clearly.

The projects hosted on SourceForge.net all rely on the functioning of the CSD
services (each provided by Open Source components) that your company generously
hosts on SourceForge.net.  The hosted projects rely on the software which
powers SourceForge.net.  I feel an important premise is and has been that the
base software running SourceForge.net will itself be available using an Open
Source license.  Proprietary extensions seem a separate matter.

Good faith efforts to clarify the intentions for Alexandria and the Open
Edition have been made by many people spanning weeks, yet none of them have
received answers.  This includes inquiries on the public forums of the
Alexandria project.  Several forked efforts based on the Alexandria 2.6.1 GPL
version from earlier this year are presently under development due to a lack of
guidance from VA and fear regarding the future actions or lack of action by VA
and SourceForge staff.  These and other actions the community has witnessed
seem out of character for a company that was born from and has supported the
Open Source community in so many other ways.  In the spirit of this holiday
season, I hope that this lack of clarity can be resolved.

I hope you, someone within VA Software or an internal working group will
address the licensing and related issues thoroughly and promptly.  I have tried
to send this and previous emails to people who I hope will be able to respond
or who may be interested in this apparent change in your strategy.  My intent
is to seek the status of present and future Alexandria/Open Edition source
code.  Any help you can provide would be most appreciated.

Regards,

--
-- Grant Bowman                                   <grantbow@svpal.org>


   
From:	 Leon Brooks <leon@cyberknights.com.au>
To:	 ukgovtalk@citu.gsi.gov.uk
Subject: Open Source Software (1 of 2)
Date:	 Tue, 1 Jan 2002 20:28:16 +0800
Cc:	 letters@lwn.net

I commend the UK government for the courage and foresight to directly address 
new and vital technologies such as Open Source, when many other ``leading'' 
governments are fiddling about while their various IT Romes burn.

I would like to encourage and support you in this effort. You have asked for 
constructive criticism, although it is labelled consultation, and I hope the 
following will be both useful and illustrative.

The page http://www.govtalk.gov.uk/rfc/rfc_document.asp?docnum=429 has an 
obvious oversight in that both of the formats offered for download are 
proprietary, and the whole point of the document is to discuss avoiding 
proprietary software and associated file formats.

To illustrate the Open Source attitude to such shortcomings - namely, fixing 
it is more helpful than whining and sitting back - following is a solution 
for this bug, namely attachments in a variety of different, non-proprietary 
formats. As well as encouraging you, I would encourage all Open Source 
advocates to respond in the spirit of co-operative helpfulness, rather than 
simply nitpicking, as is the general habit of the human race.

The .html file should be pretty much self-explanatory, except that the 
missing characters are non-standard proprietary additions which fall within 
both the ISO-8859-1 and Unicode control character ranges, so have been 
deleted. The .gif and .png files are associated with it and were extracted 
from the Microsoft Word document using OpenOffice.

The .sxw file is an OpenOffice 6 document, the .rtf is in Rich Text Format, 
and the .ps.gz file is compressed PostScript. All represent the same document.

To further illustrate Open Source methods, and to demonstrate that Open 
Source software is able to interoperate with proprietary software if given a 
reasonable chance, I have also returned a patched version of your Microsoft 
Word file.

You will note that the new document is about one third the size of the 
original, but lacks no significant information. It is also absolutely 
guaranteed to be free of Macro Viruses. This is achieved by reading it into 
OpenOffice and saving it back into the original format. OpenOffice takes care 
not to include your passwords, revision information and whatever other junk 
happened to have been sitting around in your computer's memory when Word last 
saved your document. This is one reason why very few lawyers use Word as a 
document interchange format.

As to the content of the document:

> starting to take a significant market share in some specific parts of
> the software infrastructure market.

NetCraft histories show that it has taken a significant market share of most 
parts of the software infrastructure market. Counting by dollars or unit 
sales is not at all relevant when the product is low-cost or free, and can be 
liberally and legally reinstalled, duplicated, handed on and otherwise 
multiplied without sales being documented. It would be fairly true to say 
that it has a significant share in practically every computer market except 
for ``desktop'' systems.

It is also worth noting that much proprietary software (including, by way of 
a significant example, many components of Microsoft's Windows operating 
system) is based on Open Source software which follows the BSD licence style.

> Contracts will be awarded on a value for money basis.

This at first would seem to favour Open Source software, but in reality the 
major OSS cost benefits do not appear up front. They lie in reduced 
maintenance, upgrade and future licencing costs, the absence of licence 
management, and in costs more difficult to quantify which are associated with 
such abstract factors as the market culture associated with each type of 
system.

For a concrete example of a hidden cost, there is generally no place on a 
tender form to specify negative costs for reboots which no longer happen, and 
virussed attachments which no longer clog mail servers, and nor are tenderers 
required to specify how much these things are likely to cost a purchaser.

A further important justification appears to be missing. The authors of Open 
Source products often include citizens of the United Kingdom, and equivalents 
in members of the European Union, and use of OSS serves not only to support 
and encourage their efforts, but also to leave more of the available work in 
the hands of local tradesmen rather than sending it overseas to assist 
someone else's trade balance.

Thank you for the opportunity to comment.

Sincerely yours,


Leon Brooks
Director, CyberKnights Pty Ltd
Western Australia
   
From:	 Myrddin Ambrosius <imipak@yahoo.com>
To:	 letters@lwn.net
Subject: A commentary on O'Reilley's commentary
Date:	 Sat, 29 Dec 2001 13:11:32 -0800 (PST)

Hi,

   Here's a quick critique of O'Reilley's commentary
on the "Future of the Internet" RFC.

   First, multi-protocol support exists, and has
existed, on the Internet for some time. It's called
"tunneling". Tunnels allow you to connect any two
machines/networks in the world, and transport any
protocol between them. Ok, this uses the IP layer as
an underlying network protocol, but this is irrelevant
as far as support for other protocols is concerned. If
support is layered, parallel, or purple, it's still
support.

   Second, DoS attacks (including distributed ones)
are a pain, but hardly a killer. The Internet
certainly has DoS-stoppers in place -- it's just a
question of people using them.

   Let's start with flooding from a single source. For
this, you want a firewall and a source-based queue.
The firewall will block ICMP floods, and the
source-based queue will kill off TCP flooding from a
specific machine or network. (It also stops the
router/firewall being killed by TCP flooding.) The
queue should be set up to reject overly-large bursts
outright.

   For distributed flooding, you add a CBQ
(Class-Based Queue) + RED (Random Early Detection)
layer AFTER the source-based queues. This will limit
the overall traffic plus the traffic per class.
Flooding simply falls off the class queue, or gets
dumped to prevent network overload. Again, you
configure the queue to reject overly-large bursts.

   Is there any other way to prevent DoS? Certainly.
If you only allow connections from machines with IPSEC
support and valid certificates, then you're not in any
peril of connections from phantom machines (one big
TCP DoS technique). The connection would never be
established, as the IPSEC layer would reject it
outright.

   Ok, you've done all of this, but someone finds some
novel way to overload your poor server, even so. Is
there anything you can do? Again, yes. Run MOSIX, or
some other transparent clustering software, and turn a
group of machines into a mega-server. You've now
raised the bar, substantially. Because the Internet is
a noisy place, at the best of times, packets are going
to be lost in intermediate routers. Doubling the
number of servers doubles your capacity, but doubling
the number of attacking machines will less than double
the number of packets that get through.

   Last, but by no means least, if the OSI standards
are so dead, why is everyone using X.509 certificates,
often served from an LDAP server? I'd check the pulse
again, before burying anything.

Jonathan Day
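
The two-stage defence described in the letter above (per-source queues that reject oversized bursts, then a RED-managed aggregate queue), as a small simulation. This is an added example, not part of the letter: the rates, thresholds and source names are constructed, RED is simplified, and a single class stands in for the CBQ layer.

```python
import random
from collections import Counter


class TokenBucket:
    """Per-source limiter: `rate` packets per tick, bursts capped at `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def allow(self):
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # over the burst allowance: rejected outright


class RedQueue:
    """Simplified RED: drop probability rises with the averaged queue length."""
    def __init__(self, min_th=30, max_th=90, max_p=0.1, limit=120,
                 weight=0.2, seed=1):
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p
        self.limit, self.weight = limit, weight
        self.qlen, self.avg, self.peak = 0, 0.0, 0
        self.rng = random.Random(seed)

    def enqueue(self):
        # Exponentially weighted average of the queue length seen on arrival.
        self.avg = (1 - self.weight) * self.avg + self.weight * self.qlen
        if self.qlen >= self.limit or self.avg >= self.max_th:
            return False  # hard limit or forced-drop region
        if self.avg >= self.min_th:
            p = self.max_p * (self.avg - self.min_th) / (self.max_th - self.min_th)
            if self.rng.random() < p:
                return False  # early (probabilistic) drop
        self.qlen += 1
        self.peak = max(self.peak, self.qlen)
        return True

    def serve(self, n):
        self.qlen = max(0, self.qlen - n)


def simulate(sources, ticks=100, rate=5, burst=10, service=20):
    """sources: {name: packets offered per tick} -> (forwarded counts, peak queue)."""
    buckets = {name: TokenBucket(rate, burst) for name in sources}
    queue = RedQueue()
    forwarded = Counter()
    for _tick in range(ticks):
        for name, offered in sources.items():
            buckets[name].refill()
            for _pkt in range(offered):
                # Stage 1: per-source bucket. Stage 2: shared RED queue.
                if buckets[name].allow() and queue.enqueue():
                    forwarded[name] += 1
        queue.serve(service)  # the server drains `service` packets per tick
    return forwarded, queue.peak


def single_flooder():
    clients = {f"client{i}": 2 for i in range(5)}
    return simulate({"flood": 200, **clients})


def distributed_flood():
    bots = {f"bot{i}": 4 for i in range(60)}  # each bot stays under the per-source rate
    clients = {f"client{i}": 2 for i in range(5)}
    return simulate({**bots, **clients})


if __name__ == "__main__":
    for scenario in (single_flooder, distributed_flood):
        fwd, peak = scenario()
        print(scenario.__name__, "forwarded:", sum(fwd.values()), "peak queue:", peak)
```

With a single flooder the per-source buckets do all the work and the aggregate queue never reaches its RED threshold. With many low-rate bots the per-source stage passes everything, and it is the aggregate queue that bounds what reaches the server; clients sharing that one class are dropped along with the bots.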

   
From:	 Leon Brooks <leon@cclinic.com.au>
To:	 letters@lwn.net
Subject: Between the lines, drawing the lines: a call to action
Date:	 Thu, 3 Jan 2002 09:39:21 +0800

There is a point to this commentary, and an important question at the end.

From http://www.theregister.co.uk/content/4/23518.html, Brian Valentine 
speaking:

> We have the best d*mn sales force in the world backed by the best
> engineers in the world

The entire email is sales oriented, just as the entire company is sales 
oriented. Features like actual functionality, reliability, security and so on 
are largely irrelevant and don't rate a mention in the email at all.

The attitude is ``we're gonna sell it - oh, and I suppose we'll support it 
too.'' The selling is what drives and controls everything.

> they [Linux] are a competitor and we will compete.

Paul Allen funded the PBS Evolution series, and between the lines we see the 
same attitude here. History is clear that ``compete with'' is Microsoft 
jargon for ``try really hard to exterminate.'' Do you remember ``DOS ain't 
done 'till Lotus won't run?''

> We need to be there when they are making these decisions and prove
> to them the Windows platform is the best platform for them across any
> aspect of their business. 

Note the absence of a case-by-case attitude. Windows is best for everything, 
they say, now let's figure out how to prove that to you and never mind 
whether this reflects reality or not. One-eyed Linux fans have a bad name for 
this kind of thing, but Microsoft are the professionals and the true leaders 
in the field of zealotry.

> Oh -- and you can bet anyplace IBM is talking to your accounts, they
> are saying Linux and switching to higher end non-pc systems. With the
> current economic times we are living in, just about every customer is
> looking into how they can get rid of those over-priced, legacy Unix
> systems and ride the PC economics wave. 

Translation: induce people to stick with crappy PCs. Anything new, 
revolutionary, adventurous that you see: step on it, because we don't own 
that market.

See if you can figure this out: IBM zSeries bad, Windows cluster good. Why? 
Because you have all your eggs in one basket, they say, never mind the 60 
year MTBF, the frightening licencing cost of Microsoft's competing proposals, 
the need for a cluster to even compete on reliability grounds since the 
software is inherently unstable.

If you can't do it right, you must do it over again, and a cluster of 
unreliable servers is basically a demonstration of this.

> It's crucial that you get out there with your TSP/SE/MCS folks and do
> actual walkthroughs in your accounts. Ask open ended questions; find
> out what they're evaluating for both key projects as well as smaller,
> more tactical projects. Ask about the 'connector' pieces -- you'll
> potentially find Linux in these areas.

In other words, poke your nose into your customers' business.

> Much like the support "communities" that define the Linux experience,
> the FCS team will strive to build a community to cooperate in winning
> business against Linux.

I wonder how often Microsoft will ``fire'' them as they did with their Most 
Valued Professionals (MVP) community?

> The DH Brown report will be customer ready and will help your
> customer understand just how competitive Microsoft is in this arena. 

Or else will vanish silently if it turns out that there's no way to fudge 
figures to say what Microsoft wants them to say.

> ETA for this tool is in May and it will be a great tool to help you
> sell the value of Windows solutions over Linux.

It's pretty clear by now that these figures will be puppets, isn't it?

> I want to give you folks all the information I can in a very open way.

Which he hasn't done, listening to the doublespeak in this email.

At first glance, this email looks like the ``same old same old'' but it seems 
to me that an important point could be missed. They're effectively expanding 
their Microsoft Consulting approach, which is to go in after a sale, 
focussing on specific issues to the exclusion of any important and real 
considerations that might speak against Microsoft's products and systems.

With a database.

To misquote a certain donkey, ``I've got a pack of lies and I'm not afraid to 
use it!'' While there are many Linux HOWTOs and advocacy FAQs and the like 
out there, and corporations like Mandrake are helping by actively pursuing 
positive case studies, there seems to be no direct equivalent to Microsoft's 
knowledge-base of tricks to winkle Windows in anywhere you want.

Linux doesn't depend on sales for survival, as Microsoft do. But unless Linux 
and fellow travellers like FreeBSD maintain and extend their share of IT 
space, Microsoft will ``compete'' us into the ground. If a Microsoft lock-in 
inconveniences two percent of all computer users, nothing will be done. If it 
inconveniences 20%, something may be done. If it inconveniences 50%, 
something will be done.

I don't have a suitable server to hand, or more specifically suitable 
bandwidth, to offer a weblog/wiki style service for building a 
how-to-defeat-Microsoft's-tricks knowledge base, but I believe that it is an 
important thing to do, and do soon.

As Be discovered, and the US government appears reluctant to learn this, 
treating Microsoft as just another competitor - albeit a hard-ball player - 
is a lethal mistake. Let's not make it. We won't have a second chance, none 
of their vict^H^H^Hcompetitors ever do.

Cheers; Leon
 

 

 
Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds