Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Leading items and editorials


The joy of an unstable life. Some time ago, your editor was discussing Linux distributions on a mailing list for computer book authors. A correspondent there described the Debian distribution as "stale," far behind such modern products as Slackware. Perhaps that description is accurate: what do you say about a distribution that is still based on the 2.2 kernel, glibc 2.1, GNOME 1.0, and which does not include KDE at all? It does look like it is getting a little dusty.

The interesting thing, of course, is that many (perhaps even most?) Debian users are not running the 2.2 "potato" release. With a quick configuration file edit and a massive apt-get command, any system can be upgraded to the unstable "sid" release. This is where Debian development is done, and it's anything but stale. If you want the bleeding edge, you'll probably find it there.

The unstable distribution is not for everybody, of course. Your editor once performed an upgrade during a short window when the PAM packages were broken; the result was a system that nobody could log into. Following unstable through a major Perl or Python transition can be a bit of a challenge. And you never know what surprises may lurk within the latest version of your favorite utility. Unstable remains popular, though, and it is interesting to ponder why. There are things to be learned about the free software development process in the dynamics of the unstable distribution.

The first thing worth pointing out, of course, is that the unstable distribution is usually solid as a rock. It's almost too stable, in that users can easily get into the habit of tracking the bleeding edge without watching (and being prepared) for problems. It works almost all the time.

It is fun to be a part of the free software development process, and Debian unstable offers a relatively easy entry point into that process. If you want to see the latest feature in Galeon, check out what new video game has been added to emacs, or find out how badly the new binutils breaks kernel compilation, sid makes it easy. A simple upgrade command brings in the latest version, and all those obnoxious library dependency problems just go away. Anybody who wants to add their eyeballs to the thousands looking for bugs need only run unstable.

Unstable also makes life easy for people who want to try out new software. It is still a rare distribution, for example, that includes Evolution 1.0 or later. When dealing with modern graphical applications, installing a package or building from source leads straight to shared library dependency madness. Sid users, however, need only type an apt-get command. This capability makes a whole range of interesting software available in a hassle-free manner.

Free Software is a living product. As soon as it is burned onto a CD and stuffed into a box, a part of it dies. Half-dead software may be just what is needed for that corporate mail server, but it deprives the user of part of the free software community experience. Distributions like Debian unstable help to bring back part of that experience.

(Debian, of course, also has a "testing" distribution which is not quite so quick to update as sid. Debian is also certainly not the only distributor which makes a development version available. Mandrake Cooker is a great example of a development distribution with an active user community. Red Hat still makes "Rawhide" available, though they do not make it easy to find. Conectiva has a "Snapshot" distribution available, complete with a list of developers who are responsible for the most bugs; Conectiva has an APT interface as well, of course. Most other distributors do not make their development versions available, which is a loss for both the distributor and the users.)

Open source licensing helps racism? The Anti-Defamation League has posted a report on racist video games. Indeed, some of the stuff being circulated out there looks to be seriously vile. What we are interested in here, however, is the ADL's look at how the games were made:

"Making Ethnic Cleansing was fairly simple. Its designers were able to use a powerful, freely available open-source game program or engine that "drives" the program by providing the basic operating instructions to the computer. The designers then simply plug in their message of hate."

A bit more of where they are going with this argument can be seen in this ZDNet article:

"Brian Marcus, a researcher in the ADL's Internet monitoring unit and author of the report, acknowledged the difficulty of using software licensing restrictions to limit hate speech, especially among the largely self-policing open-source community."

There is no questioning the evil of racist video games. A proper game, after all, should allow the violent, bloody slaughter of dozens of people of all races. But when people start to point at open source licensing as part of the problem, it is time to get worried.

Should open source licensing prohibit racist uses of the software? The Open Source Definition is explicit on that point:

"The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research."

...or from being used in appalling, hate-promoting games.

Software developers are already coming under attack for writing code that is seen to promote (or simply fails to prevent) copyright infringement. The last thing we need is to be told that we must not allow our software to be used to promote racism. It's a small step from there to no end of other restrictions. The fight against racism is important and deserves our support, but that fight cannot be won through the sacrifice of other rights.

Inside this LWN.net weekly edition:

  • Security: Internet draft on responsible security disclosure.
  • Kernel: The beginnings of the rmap merge; shared page tables; the net gods are merciful.
  • Distributions: TopologiLinux returns; Tinfoil Hat Linux.
  • Development: Fenris tracer, Knoda database GUI, CUPS v1.1.14, ASPSeek 1.2.8, Analog 5.21, KDE 3.0 beta2, Gnome on Slackware, Flightgear simulator, Rindolf Perl dialect, Anjuta 0.1.9.
  • Commerce: Mandrake Linux Corporate Club launched; Lindows.com Releases Opposition Papers; IDG's spam database.
  • Letters: ALSA; Sync and bad assumptions.
...plus the usual array of reports, updates, and announcements.


February 21, 2002

   


Security


News and Editorials

Defining a reasonable disclosure process. Steve Christey and Chris Wysopal have released a draft document titled "Reasonable Disclosure Process," which is in the process of becoming an IETF standard. This document attempts to lay out the responsibilities of all those who have to deal with security vulnerabilities. Since it touches on the controversial topic of disclosure, there is likely to be some disagreement on what the document says.

As might be expected, the draft tries to balance the interests of vendors, customers, and those who discover security holes. It provides a detailed and formal set of events that is supposed to happen:

  1. Avoidance of vulnerabilities in the first place.
  2. Discovery of the problem.
  3. Vendor notification.
  4. Acknowledgement of the notification from the vendor (within seven days).
  5. Verification of the problem by the vendor.
  6. Resolution of the problem (within 30 days).
  7. General release of information on the problem.
  8. Follow-up.

In general, people who discover vulnerabilities are not supposed to announce them generally until the release stage has been achieved. The vendor is supposed to provide a status update to the reporter every seven days, and the reporter should keep silence as long as the vendor appears to be making a good faith effort toward a solution. This process could drag on for some time:

"The Reporter SHOULD recognize that it may be difficult for a Vendor to resolve a vulnerability within 30 days if (1) the problem is related to insecure design, (2) the Vendor has a diverse set of hardware, operating systems, and/or product versions to support, or (3) the Vendor is not skilled in security."

What happens if the vendor is not serious? The draft calls for a "coordinator" role; the coordinator should arbitrate between the reporter and the vendor, and help decide if a disclosure of the vulnerability is called for.

Who are these coordinators? The draft is vague:

"A Coordinator is an individual or organization who works with the Reporter and the Vendor to analyze and address the vulnerability. Coordinators are often well-known third parties. Coordinators may have resources, credibility, or working relationships that exceed those of the reporter or vendors. Coordinators may serve as proxies for reporters, help to verify the reporter's claims, resolve conflicts, and work with all parties to resolve the vulnerability in a satisfactory manner."

A role which is so vaguely defined seems unlikely to be filled in a manner that is satisfactory to all parties.

Even when a security vulnerability is released, the draft allows a vendor to sit on the details of the problem for 30 additional days. The idea, of course, is to allow time for patches to be applied before more detailed information becomes available. Such a delay may be useful for closed-source code; it won't help much for free software, however.

There is currently an open comment period on this draft; see the announcement for information on how to send in your suggestions.

CRYPTO-GRAM Newsletter. Here's Bruce Schneier's CRYPTO-GRAM Newsletter for February. The main topics covered are Microsoft's security PR and Oracle's not-so-unbreakable system. "In addition to making its protocols and interfaces public, we suggest that Microsoft consider making its entire source code public. We're not advocating that Microsoft make its products open source, but if they really want to impress everyone about their newfound security religion, they will make their code available for inspection."

Security Reports

Debian security updates to hanterm, ncurses. The Debian Project has issued security updates to hanterm (fixing a set of buffer overflow problems) and ncurses (also fixing a buffer overflow).

Buffer overflow in exim. Ehud Tenenbaum has reported a buffer overflow in the exim mailer, versions 3.34 and prior. No known exploits exist at this time.

web scripts. The following web scripts were reported to contain vulnerabilities:

  • The "slash" weblog package has a cross-site scripting vulnerability affecting versions prior to 2.2.5. Sites running older versions should upgrade to 2.2.5, which has been out for a couple of weeks.

Updates

Buffer overflow in CUPS. Versions of the Common Unix Print System prior to 1.1.14 have a buffer overflow vulnerability. (First LWN report: February 14).


Multiple vulnerabilities in SNMP implementations. Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).


Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.


Remote command execution vulnerability in uucp. The uuxqt utility in the uucp package does not properly check its options, allowing an attacker to run arbitrary commands. (First LWN report: January 24, 2002).


Resources

Security: Key Players - HP (IT-Director). IT-Director sees HP as a growing force in computer security. "HP development in the Linux area is concentrated on providing secure compartmentalisation. The target market for this is primarily service providers, who are keen to deploy high specification servers that can support multiple clients. Plainly, there must be strong security separating individual clients. Linux is popular in the service provider market, and there is also interest from SAP."

Linux security week. The and publications from LinuxSecurity.com are available.

Events

Upcoming Security Events.
Date | Event | Location
February 20 - 22, 2002 | RSA Conference 2002 | San Jose, CA., USA
February 25 - March 1, 2002 | Secure Trusted OS Consortium - Quarterly Meeting (STOS) (Hyperdigm Research) | Chantilly, VA, USA
March 11 - 14, 2002 | Financial Cryptography 2002 | Southampton, Bermuda
March 18 - 21, 2002 | Sixth Annual Distributed Objects and Components Security Workshop (Pier 5 Hotel at the Inner Harbor) | Baltimore, Maryland, USA
March 18 - 20, 2002 | InfoSec World Conference and Expo/2002 | Orlando, FL, USA
April 1 - 7, 2002 | SANS 2002 | Orlando, FL., USA
April 5 - 7, 2002 | Rubicon | Detroit, Michigan, USA
April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC
April 14 - 15, 2002 | Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel) | San Francisco, California, USA
April 16 - 19, 2002 | The Twelfth Conference on Computers, Freedom & Privacy (Cathedral Hill Hotel) | San Francisco, California, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet



Kernel development


The current development kernel release is 2.5.5, which was released on February 20. It incorporates a fair number of changes since the last prepatch, including a bunch of ALSA fixes, more VFS work from Al Viro, a number of USB updates, some big NFS server fixes, and the first (small) bit of merging from Rik van Riel's virtual memory work.

The latest patch from Dave Jones is 2.5.4-dj3; it is caught up to 2.4.18-rc2 and 2.5.5-pre1, and adds a number of small fixes as well.

The current stable kernel release is 2.4.17. The 2.4.18 release is getting closer; Marcelo released the second release candidate on February 18.

Alan Cox's latest patch is 2.4.18-rc2-ac1; it adds version 12f of the reverse mapping VM, an address space accounting system, IBM's JFS journaling filesystem, and a number of fixes.

Other recent 2.4-based kernel trees include 2.4.18-rc1-shawn6 from Shawn Starr (adding rmap, the new IDE code, and the XFS filesystem), and Michael Cohen's 2.4.18-pre9-mjc2, which adds no end of stuff.

For the 2.0 users out there, David Weinehall has released 2.0.40-rc3, which adds one fix to the previous release candidates.

The beginnings of the rmap merge. Rik van Riel's reverse mapping virtual memory implementation was examined on this page one month ago. As of this writing, that patch is still only available for 2.4 kernels; that is a situation that Rik plans to fix soon. Meanwhile, some small parts of the patch have begun to find their way into the 2.5 series.

The patch that Linus included in 2.5.5 is the part that reduces the size of the page structure. The kernel maintains one such structure for every physical page in the system, so its size matters. The patch submitted by Rik (containing mostly work by William Lee Irwin and Christoph Hellwig) shrinks struct page with a hashed page wait queue scheme, the merging of a couple of fields, and the removal of the virtual pointer on systems that do not need it.

The hashed wait queue code was discussed with the rest of the rmap patch back in January. Of course, now that it is in the kernel, William Lee Irwin has come out with a new version based on "operator-sparse Fibonacci hashing." William posted a brief explanation (with an important correction) on how it works:

"In my own opinion, this stuff borders on numerology, but it seems to be a convenient supply of hash functions that pass chi^2 tests on the bucket distributions, so I sort of tolerate it"

The removal of the virtual pointer is a different sort of optimization. That pointer holds the virtual address (in kernel space) for the physical page. It is needed on systems with high memory since that memory, by definition, does not have a static kernel-space mapping. Most systems, however, do not have high memory. For low memory, the kernel virtual address of a page is easily calculated, so a dedicated virtual pointer is wasted. Thus its removal.
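As an added illustration (a user-space model written for this page, not code from the kernel or from the patch), the following C program shows both savings: the address of a low-memory page computed from its index rather than stored, and one shared table of wait queue buckets selected by hashing instead of a wait queue head in every page structure. The constants, the function names, the use of the page index as hash key, and the choice of plain multiplicative (Fibonacci) hashing rather than William's "operator-sparse" variant are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for illustration: i386-style 3G/1G split, 4 KiB pages. */
#define PAGE_SHIFT   12
#define PAGE_OFFSET  0xC0000000UL
#define NR_PAGES     65536u            /* constructed: 256 MiB of low memory */
#define WAIT_BITS    8
#define WAIT_BUCKETS (1u << WAIT_BITS) /* constructed: 256 shared wait queues */
#define GOLDEN_32    0x9E3779B9u       /* 2^32 / golden ratio (Knuth) */

/* Toy page descriptor: no per-page wait queue head, no 'virtual' pointer. */
struct page {
    uint32_t flags;
    uint32_t count;
};

static struct page mem_map[NR_PAGES];

/* Low memory is mapped linearly, so the address follows from the index. */
unsigned long lowmem_page_address(const struct page *page)
{
    unsigned long pfn = (unsigned long)(page - mem_map);
    return PAGE_OFFSET + (pfn << PAGE_SHIFT);
}

/* Naive bucket choice: the low bits of the page index. */
unsigned int wait_bucket_mask(const struct page *page)
{
    return (uint32_t)(page - mem_map) & (WAIT_BUCKETS - 1);
}

/* Multiplicative (Fibonacci) hash: multiply, keep the top WAIT_BITS bits. */
unsigned int wait_bucket_fib(const struct page *page)
{
    uint32_t key = (uint32_t)(page - mem_map);
    return (uint32_t)(key * GOLDEN_32) >> (32 - WAIT_BITS);
}

/*
 * Chi-squared statistic of bucket occupancy when every 'stride'-th page has
 * a waiter. 0 means perfectly even; larger values mean more waiters piled
 * onto the same shared queue. Returns -1 for a zero stride.
 */
double bucket_chi2(unsigned int stride,
                   unsigned int (*hash)(const struct page *))
{
    unsigned int counts[WAIT_BUCKETS] = {0};
    unsigned int n = 0;

    if (stride == 0)
        return -1.0;

    for (unsigned int i = 0; i < NR_PAGES; i += stride) {
        counts[hash(&mem_map[i])]++;
        n++;
    }

    double expected = (double)n / WAIT_BUCKETS;
    double chi2 = 0.0;
    for (unsigned int b = 0; b < WAIT_BUCKETS; b++) {
        double d = (double)counts[b] - expected;
        chi2 += d * d / expected;
    }
    return chi2;
}

int main(void)
{
    printf("page 1 maps at %#lx\n", lowmem_page_address(&mem_map[1]));
    /* Constructed worst case for the mask: waiters on pages 256 apart. */
    printf("stride 256, index mask:     chi2 = %.1f\n",
           bucket_chi2(256, wait_bucket_mask));
    printf("stride 256, Fibonacci hash: chi2 = %.1f\n",
           bucket_chi2(256, wait_bucket_fib));
    return 0;
}
```

With waiters on regularly spaced pages, the index mask sends every one of them to the same queue, while the multiplicative hash never puts more than two in a bucket; that difference is what the chi^2 test on bucket distributions measures.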

This patch does not go near the core of the rmap VM, of course, but it is a step in that direction. Rik does plan to start submitting the rest for inclusion before too long - once he has a working 2.5 kernel on his system again.

The shared page table patch by Daniel Phillips has also been covered on this page. Several versions of this patch have been released over the last week (here's the latest announcement). The patch has some distinct advantages: memory is saved through the sharing of page tables, and the fork() system call can happen in as little as 1/5 the time.

On the other hand, sharing page tables seems to bring in no end of complicated locking problems, especially when pages are being swapped out. As Linus puts it:

The only problem is swapout. And "swapout()" is always a problem, in fact. It's always been special, because it is quite fundamentally the only VM operation that ever is "nonlocal". We've had tons of races with swapout over time, it's always been the nastiest VM operation by _far_ when it comes to page table coherency.

These problems will get worked out, but it won't be surprising if the shared page table patch doesn't get into the kernel right away.

The net gods are not entirely without mercy. To understand this, one need only look at the unpleasant CML2 flamewar on linux-kernel, which was brought to a none-too-soon end when the mailing list went down. This fight begins to look like the interminable devfs battle, which only ended (sort of) when Linus included devfs into the 2.3 development series. Many of the points in the most recent fight (i.e. use of Python) have been seen before, and we stopped reporting on them a while back. There were a couple of interesting arguments that came out this time around, though, that are worth a look. They strike at the core of how kernel development is done.

It all started with this note from Eric Raymond on the kbuild list. Dirk Hohndel, says Eric, was going to "have a chat with Linus" about the new kbuild scheme and Eric's new CML2 configuration subsystem. Eric, of course, is frustrated that CML2 has not yet been integrated into the 2.5 kernel, and he was hoping that Dirk's talk with Linus could help make things happen.

The reaction to this move was fierce - it was perceived as an effort to circumvent the normal linux-kernel peer review and pressure Linus directly. Herein lies one of the interesting questions: just what are the appropriate ways of trying to get a patch into the kernel? It is not uncommon to try to push Linus; for example, Andre Hedrick's transparent efforts to get users to complain about the IDE patch gave the appearance (at least) of being highly effective. It's not clear if the problem was accepting Dirk's offer to talk to Linus, looking for feedback on the kbuild list (rather than linux-kernel), or something else.

Then, there are those who criticize the CML2 work because it is a single, large patch. The kernel way of doing things, it is said, is to evolve the code in small, simple steps that everybody can scrutinize and see are correct. See, for example, Alexander Viro's posting on the subject. Mr. Viro does practice what he preaches, having massively reworked the virtual filesystem layer through hundreds of small patches.

But must all kernel development be done in baby steps? It's hard to imagine introducing ALSA in tiny pieces. Andrea Arcangeli's VM rewrite went in as one big chunk - in a stable series at that. Netfilter was not introduced as a set of incremental patches. CML2 represents a change in both configuration and implementation languages; how does one make that kind of change gradually? The evolutionary approach to development clearly makes sense much of the time, and it may yet be the best way to fix the configuration subsystem. But there are times when exceptions need to be made.

Some people criticize Eric's code for changing the way configuration is done - their claim is that the first version of CML2 to be integrated should make no user-visible changes. Others complain that Eric has failed to implement desired changes, such as the splitting of global configuration information into smaller, local files. Satisfying both camps is bound to be hard (thus Eric has encountered the violence inherent in the system). This is a case where small patches help: each step can be considered on its own merits and has fewer problems with conflicting goals. Still, nobody insisted that the first ALSA patch look exactly like the old OSS drivers.

Eric's case is also hurt by the fact that a number of people seem to not like him for one reason or other. His presentation of himself as a "hacker of social systems" while he is having such trouble with the kernel development social system doesn't help. And the simple fact is that most people who work with kernel code configure and build kernels every day and don't have a great deal of trouble with the process. There is a real technical discussion of CML2 and its merits going on, and some version may yet get into the 2.5 kernel tree. But the path to that conclusion does not seem entirely clear now.

Other patches and updates released this week include:

Core kernel code:

  • Michael Sinz has posted a patch allowing control over the placement and naming of core dump files.

Development tools:

  • The Linux Test Project has announced a mailing list for the discussion of test results.

  • Rusty Russell has a "trivial patch monkey" - an address where small patches may be sent. He will make a reasonable effort to get patches sent there included into the kernel.

  • A tool for the logging of preemption events has been announced by Nigel Gamble.

  • A port of the dynamic probes debugging tool to the S/390 was announced by S Vamsikrishna.

Device drivers

  • A set of patches implementing a new video device API has been released by Gerd Knorr.

  • EVMS 0.9.1, a beta release of the enterprise volume management system, has been announced by Kevin Corry.

  • Doug Gilbert has released version 1.58 of the SCSI debug driver.

  • Richard Gooch has released devfsd-v1.3.24.

  • Jaroslav Kysela has announced the ALSA 0.9.0beta11 release. This patch is also incorporated into 2.5.5.

Filesystems:

  • Alexander Viro has pointed out that the 2.5.5 kernel has a file on porting filesystems to 2.5. "It WILL be kept up-to-date. IOW, submit an API change that may require filesystem changes without a corresponding patch to that file and I will hunt you down and hurt you. Badly."

  • Britt Park has released version 0.4 of the UVFS user-space filesystem kit.

  • Release 1.0.15 of the IBM journaling filesystem was announced by Steve Best.

  • Heinz J. Mauelshagen has announced version 1.0.3 of the logical volume manager system.

  • Randy Dunlap has updated his Linux filesystems internals documentation page.


Networking:

  • Version 0.92 of the affix BlueTooth stack has been announced by Dmitry Kasatkin.

  • Mike Phillips has announced the availability of a 3c359 token ring adaptor driver.

Section Editor: Jonathan Corbet



Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

TopologiLinux returns. TopologiLinux somehow managed to get overlooked during the process of moving from the old list to the new list. Thanks to TopologiLinux guru Tobias Svensson, it has returned to the list under the DOS/Windows install heading.

New Distributions

Tinfoil Hat Linux. Tinfoil Hat Linux started as a secure, single floppy, bootable Linux distribution for storing PGP keys and then encrypting, signing and wiping files. At some point it became an exercise in over-engineering. Now at version 1.0, THL is released under a BSD style license. You'll find it in the list under Floppy based distributions.

Here is a vnunet article about Tinfoil Hat. "What started out as a secure, single floppy, bootable Linux distribution for storing PGP keys, and encrypting, signing and wiping files, turned into a useable Linux distribution for the totally paranoid."

Distribution News

Debian News. The Debian Weekly News for February 13 is available, with coverage of the Debian Leader election, the orphaning of PHP4, Security Enhanced Debian, and more.

Here's a release status update for Debian Woody. The bottom line: the worst bugs have been fixed, a release is coming soon, and a whole bunch of "less important" packages are about to be removed if they don't get fixed in a hurry.

We also have a wrap-up on last weekend's 7th Debian Bug-Squashing Party for Woody.

Martin Schulze sent us this note on the progress of the latest revision of the stable Debian distribution. "The plan is to get this revision of Debian GNU/Linux 2.2 (codename `potato') out within the first week of March this year (2002)."

Nominations for Debian project leader are underway now and will remain open until February 27, 2002. This note from the Debian Project Secretary contains more information.

HA Linux. Motorola has paved a way for 6NINES telecom applications with the release of HA Linux 3.0 which boasts "considerable new features and functions".

Mandrake Linux. The February 13th issue (#30) of the Mandrake Linux Community Newsletter contains more information about the Mandrake Linux 8.2 beta2 release, an interview with Frédéric Bastok, and much more.

Red Hat News. Red Hat has issued some bug fix advisories. New modutils packages are available to fix a limitation of argument processing, and to fix problems with GPL-only symbols. Packages are available for Red Hat Linux 7.1 - alpha, i386, ia64 and Red Hat Linux 7.2 - i386, ia64. New initscripts packages are available for Red Hat Linux 7.2 (i386, ia64). These new packages fix various bugs, including those dealing with changing the IP addresses of network interfaces.

Slackware Linux. There is a new version of binutils-2.11.93.0.2 available for the Slackware current Intel branch. See the changelog for details.

Minor Distribution updates

Astaro Security Linux. Astaro Security Linux has released v2.022 with some major security fixes.

GENDIST. GENDIST (the Linux Distribution Generator) has released v0.9.7. Support for ISOLINUX-based bootable CDs was added with this release.

OpenNA Linux. OpenNA Linux has released a Beta 3 development version with some major bug fixes.

proxyfloppy Linux distribution. Proxyfloppy has released v1.1 with minor security fixes.

ttylinux. ttylinux has released v1.19 with minor bug fixes.

Distribution Reviews

Installing Libranet 2.0 (Linux Journal). Linux Journal reviews Libranet, a Debian based distribution. "All in all, Libranet is a very pleasant Debian installation. It still boots remarkably fast despite the 2.4.16 kernel and KDE 2.2.2. The installation is still not ideal for newbies, it remains the domain of the Linux user who understands the mechanics of partitioning."

Mandrake Cooks Up a Winner (or Two). Open for Business reviews Mandrake Linux. "Mandrake Linux is a distribution with an interesting history. Its first edition, based on RedHat Linux 5.1 and aptly named "Linux-Mandrake 5.1," provided essentially nothing more than RedHat with additional packages such as KDE, which the elder distribution had decided not to include. For quite awhile after that, MandrakeSoft spent their time in RedHat's shadow, however in recent years Mandrake Linux has moved on to be a very good distribution in its own right."

Section Editor: Rebecca Sobol



Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.


Development projects


News and Editorials

The Fenris Tracer, Analyzer, and GCC Decompiler

Michal Zalewski has released what appears to be an interesting new project, Fenris. Fenris is a combined tracer, stateful program analyzer, and partial GCC decompiler. The program is intended to discover information that conventional analysis and debugging tools miss. Fenris can be used to analyze executables; project source code is optional.

"This is not an interactive debugger, and it is not intended to find problems, bugs or security vulnerabilities automatically. But it is supposed to be a reliable, useful tool that works in real world and can deliver valuable information which can be used to detect known problems, but also to spot unique or not so obvious dynamic conditions."

The Fenris README file describes the operation of the tool in detail.

"Fenris is not supposed to find vulnerabilities or bugs, or to guess algorithms or describe protocols. It is supposed to report and analyze the execution path - detect and describe functional blocks, monitor data flow in the program, marking its lifetime, source, migration and destination, analyze how functions work and what conditions are evaluated."

The README file also makes note of the current state of the project:

"While functional, it is probably not tested sufficiently, there are many issues to fix, several known bugs, some portability issues. It is primarily being released to get user feedback, comments, and, most important, to request development support, as my resources are very limited, both in terms of available time and development platforms. This project is and will be distributed as a free software, regardless of projected use, accompanied by complete sources."

Fenris produces its output in a browsable form; analysis of the executed code is provided in a number of different tables.

Fenris has been released with a GPL license. The source code is available here. See the Fenris home page for more information.

Audio Projects

Alsa packages 0.9.0beta11 released. A new version of the Alsa sound driver is available. Version 0.9.0beta11 contains a new directory tree that is synced with the Linux 2.5 kernel.

Databases

Knoda relational database GUI for KDE. Horst Knorr has announced Knoda 0.5, a GUI for accessing relational databases in KDE. "It comprises a Form generator, a Table and Query generator and a Report Designer. The introduction of the Report Designer is the central highlight of version 0.5. With just a few mouse-clicks it is possible to design reports, optionally including grouped data and subreports, and then print those reports." Knoda currently only supports MySQL; a Postgres driver is planned.

Education

Seul/EDU report for February 18, 2002. The February 18, 2002 edition of the Seul/EDU report is out. Topics include how British closed-source software companies are banding together to fight non-proprietary resources in schools, a report from the Debian-jr project, the Java Interactive Learning Environment, and more.

Embedded Systems

Embedded Linux Newsletter for Feb. 14, 2002. This week's Embedded Linux Newsletter is out. Topics include Sun's Linux announcement, the preemptible Linux kernel patch, installing Linux on a Palm OS device, and more.

Printing Software

CUPS v1.1.14 released. A new version of the CUPS printing system is available. Version 1.1.14 is mainly a security release that fixes several buffer overflow vulnerabilities.

Science

polyXmass: a scientific project for mass spectrometry of all polymers. PolyXmass is a new project that aims to build a set of Gtk/GNOME tools for working with mass spectrometry data. "This project aims at creating an entirely free (GNU GPL) framework where the users will be able to define brand new polymer chemistries and next use these definitions in order to simulate mass data and/or to analyse mass spectrometric data experimentally acquired on these polymers."

MedZope Explained (LinuxMedNews). LinuxMedNews talks about MedZope, a medical record system that is expanding into the areas of web sites and intranets.

FreePM 1.0 beta 6 available (LinuxMedNews). A new version of FreePM, the open source medical practice management system, has been announced. This release fixes some bugs and adds support for Zope 2.5.

System Administration

Understanding NFS (O'Reilly). Michael Lucas introduces NFS, the Network File System, on O'Reilly's onlamp site. "NFS intimidates many junior system administrators, but it's really quite simple once you know what's going on."

Web-site Development

February Zope News available. The Zope News for February 18 is available. It includes coverage of the Tenth Python Conference and many other items of interest to Zope developers and users.

This week's Zope Members News. This week, the Zope Members News mentions Zope book discounts for user groups, a call for papers for the Zope BBQ Europe gathering, and a number of new Zope packages.

ASPSeek 1.2.8 released. A new version of the ASPSeek web site search engine is available. The changes in version 1.2.8 include new Apache module support, bug fixes, and lots more.

Analog version 5.21. Version 5.21 of the Analog web log analyzer is available. This version adds a few minor changes.

Introducing Cocoon 2.0 (O'Reilly). O'Reilly's XML.com site features an article on the Cocoon 2.0 documentation system by developer Stefano Mazzocchi. "Cocoon was designed as an abstract engine that could be connected to almost anything, but it ships with servlet and command line connectors. The servlet connector allows you to call Cocoon from your favorite servlet engine or application server. You can install it beside your existing servlets or JSPs. The command line interface allows you to generate static content as a batch process. It can be useful to pre-generate those parts of your site that are static, some of which may be easier to create by using Cocoon functionalities than directly"

Documentation

LDP Weekly News for February 12, 2002. The Linux Documentation Project weekly news shows no new documents, several updated documents, and sadly, many unmaintained documents this week.


February 21, 2002



   

 

Desktop Development


Web Browsers

Mozilla Development Roadmap. Brendan Eich has published the latest Mozilla development road map, proposing a release schedule for the post-1.0 releases. There is life after 1.0 -- stay tuned!

Mozilla 0.9.9 Tree Closes (mozillaZine). MozillaZine has announced the closure of the Mozilla 0.9.9 tree. "Mozilla 0.9.9 is the last major milestone prior to 1.0, and includes numerous bugfixes in composer, history, and other areas. Along with this, likely new features that will be in the milestone include a new full screen window mode, set image as wallpaper, and composer publishing."

Desktop Environments

Cooperation with KDE. Gnotices features a discussion on the sharing of themes between KDE and Gnome, and the possible benefits from such cooperation.

Second KDE 3.0 beta available. The second beta of KDE 3.0 has been released; see the announcement for details. It's getting close to the last chance to find problems before the real 3.0 release comes out.

People of KDE: Dwayne Bailey. This week, the People of KDE series focuses in on Dwayne Bailey. Dwayne has worked on the translation of KDE into the eleven languages of South Africa.

Gnome and Slackware. For those of you who want to run Gnome under the Slackware distribution, a gnome-slackware mailing list has been announced. "The goal of the list is to provide an help for using gnome in slackware. It will also be the coordination place of the gnome packaging effort."

Understanding the KParts component architecture (IBM developerWorks). David Faure writes about KParts on IBM's developerWorks. "This article discusses KParts, an architecture for graphical components, found in KDE, the K Desktop Environment. KParts allows applications requiring the same functionality to share a component by embedding the graphical component into the application's window. This article compares KParts with other component models, such as CORBA, and describes the main concepts used in KParts, including actions, plug-ins, part managers, and GUI merging."

Games

New Flightgear flight simulator. A new version of the Flightgear open-source flight simulator project has been released. The changes include some bug fixes and documentation work. (Thanks to Alex Perry.)

Perl Chess Mailing List Created (use Perl). To support the recent activity in the Perl Chess::* hierarchy, a Perl Chess mailing list has been created.

GUI Packages

Colored MultiTabs widget for FLTK. Alexey Parshin has released version 0.8 of his Multi Row Tabs widget package for FLTK.

Interoperability

Wine license change clarification. Jeremy White has clarified his position on the recent Wine license change to the LGPL. "So, with each and every one of my major customers over the past three years, I have had a major, knock down, drag out fight over licensing. I have always insisted that changes we make to Wine be returned to Wine. This has meant (while in a sales situation) explaining the complexities of BSD versus GPL licenses."

Alexandre Julliard has posted the results of a vote taken in the Wine community; the majority of respondents support the switch to a Copyleft license.

Multimedia

First Broadcast 2000, now Cinelerra. Cinelerra is (or was) a product used in producing motion pictures on Linux PCs. Now the Cinelerra website simply says, "It's not here anymore. Why don't you go to this award winning page.", with a link to Microsoft.com (of all places). Cinelerra was a product of Heroine Virtual, who may have simply wrapped Cinelerra code into other products. "As the size and complexity of our software has grown, it is no longer possible to release it under individual's names because of these privacy issues. Credit is given as dictated by the GPL but our original code is released under the name Heroine Virtual Ltd." (Thanks to Wes Felter.)

We're still hoping that someone will carve the excellent audio recorder/editor software out of Broadcast 2000 and make a new project. The Broadcast 2000 source code is still available here.

Gnome-Media 1.176.0 released. A new version of Gnome-Media has been released. Version 1.176.0 features improvements to Gnome-CD, CDDBSlave2, and GMix.

 
   

 

Programming Languages


Caml

Caml Weekly News for February 12-19, 2002. This week's Caml Weekly News looks at Ocamlcl, packaging, Active-DVI, mlgmp, and a WDialog license change.

This week's Caml Hump. This week, the Caml Hump looks at an OCaml Regexp library, an OCaml/Java interface called CamlJava, the WDialog web applications framework, the ActiveDVI TeX slide presenter, and the ThreadSocket server and client project.

Java

Java finally catches up to Perl (and Python, Tcl) (use Perl). Use Perl reports on Sun's Java 2 SDK version 1.4, which now features native support for regular expressions.

XML in Java: Java document model usage (IBM developerWorks). Dennis M. Sosnoski discusses techniques for the creation of XML from Java. "In this article, XML tool watcher Dennis Sosnoski compares the usability of several Java document models. It's not always clear what the tradeoffs are when you choose a model, and it can require extensive recoding to switch if you later change your mind. Combining sample code with analysis of the model APIs, the author gives recommendations for which models may really make your job easier. Includes code samples that show the methods for the five different document models."

Expiring Data with Hashbelts (O'Reilly). William Grosso writes about the use of Hashbelts in Java. "In this article I will show you how to use the hashbelt algorithm by using two distinct examples: implementing session keys and reimplementing the RemoteStubCache class from my previous articles on command objects in RMI. By the end of this article, you should feel comfortable using hashbelts in your code and understand when it is appropriate to do so."

Lisp

Two Lisp updates. Paolo Amoroso has sent us two new items from the world of Lisp: CL-PDF version 0.45 is an update to the Common Lisp PDF generation library, and CLAWK is a Common Lisp superset of AWK functionality.

Perl

Rindolf - A Perl Dialect (use Perl). Use Perl looks at Rindolf, a dialect of Perl 5 that Shlomi Fish is working on. "What is Rindolf? Rindolf to Perl 5 is like Java is to C++, or Arc is to LISP. I.e: not as much a revolution but rather a re-organization of the language to make it cleaner, more consistent and more fun."

perl-i18n Mailing List (use Perl). A new mailing list has been created for discussion of internationalization (i18n) issues in Perl.

PHP

PHP Weekly Summary for February 18, 2002. The latest PHP Weekly Summary contains articles on a number of bug fixes, Sybase formats, PHP streams, reference macros, and a number of new extensions.

Python

Dr. Dobb's Python-URL!. This week's Dr. Dobb's Python-URL! is out. Topics include reports from the 10th International Python Conference, Python/Java benchmarks, and much more.

Stackless Reincarnate (O'Reilly). Stephen Figgins delves into the issues behind stackless Python. "Stackless was a controversial modification to Python, separating its execution stack from the C execution stack, the C-stack. With Stackless you could set up multiple execution chains, switch between them, change them, or restart them. Uncoupled from the C-stack, you could capture the control flow of your Python program and manipulate it any way you wanted to."

This week's Daily Python entries. The latest Daily Python contents include articles on Zope, the PyTheater media player, the tdmagic procedural modeling and animation library, an object-oriented persistent storage system called OOPS, ACS templating, the Gnosis XML Utilities, and more.

pySerial multiplatform serial port library. Chris Liechti has released pySerial, a multi-platform Python library for accessing serial ports.

Ruby

The Ruby Garden. This week's Ruby Garden looks at Brian Foote and Joseph Yoder's amusing article on the Big Ball of Mud coding system. Also, the hunt is on for a Powered by Ruby Logo.

Ruby Weekly News. The February 18, 2002 Ruby Weekly News looks at the Ruby Documentation Extractor for C (RUDE4C), RDoc, REXML, and RubyStudio, among other things.

Tcl/Tk

Dr. Dobb's Tcl-URL! for February 19. Here is the latest Tcl-URL! with news and links for the Tcl/Tk community.

Integrated Development Environments

Anjuta 0.1.9 released. A new version of the Anjuta Integrated Development Environment (IDE) has been released. This version features a new message manager, an embedded terminal, a project import wizard, a new application wizard, support for libglade, bug fixes, and more.

Section Editor: Forrest Cook

 

See also: last week's Commerce page.

Linux and Business


Mandrake Linux Corporate Club launched. MandrakeSoft has announced the launch of the Mandrake Linux Corporate Club, another way of supporting the development of the Mandrake Linux distribution. "If you use Mandrake Linux in a commercial context and profit from its use, we ask that you contribute to Mandrake Linux development by joining the Mandrake Corporate Club. The most important benefit of Club membership is that your membership fee is directly used to boost the development of the Mandrake Linux distribution."

Lindows.com Releases Opposition Papers. In the ongoing battle with Microsoft over the use of its trade name, Lindows.com has released its Opposition Papers. "According to a statement posted at their website, Lindows.com claims Microsoft is trying to prevent the public from using a descriptive English word 'windows' which has had meaning in the computer industry for years prior to Microsoft's use."

IDG's spam database. IDG has a little added bonus for LinuxWorld attendees: inclusion in their one million address direct mail database. "Derived from subscribers and attendees from publications and events such as CIO, Computerworld, InfoWorld, Network World, PC World, LinuxWorld Conference & Expo, and Macworld Conference & Expo, IDG's new e-mail database provides addresses for IT buyers who have given permission to receive third party e-mail transmissions." Always be sure to check those opt-out boxes...

EuroLinux on MPEG 4 licensing. Here's a EuroLinux press release on the plans to impose per-hour licensing fees on MPEG 4 video streams in Europe. "The MPEG LA strategy leads to levying a tax on all cultural goods and is a typical example of the way patents on Internet standards are a tool for private taxing of all economic activities."

Nokia Unveils Linux-based mobile network servers. Nokia has announced its new "FlexiServer" and "FlexiGateway" systems for the implementation of mobile networks; they are based on Linux.

Turbolinux Releases PowerCockpit Software Developers' Toolkit and PowerCockpit Version 1.1. Turbolinux has announced the general availability of the PowerCockpit Software Developers' Toolkit (SDK), as well as a new release of its PowerCockpit server provisioning and management software.

'Running Weblogs with Slash' from O'Reilly. O'Reilly has announced the release of Running Weblogs With Slash, by chromatic, Brian Aker, and Dave Krieger.

Linux Stock Index for February 15 to February 20, 2002.
LSI at closing on February 15, 2002 ... 27.88
LSI at closing on February 20, 2002 ... 26.03

The high for the week was 27.88
The low for the week was 26.03

Press Releases: