[LWN Logo]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests

 Main page
 Linux in the news

Other LWN stuff:
 Daily Updates
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Use LWN headlines
 Advertise here
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- GaŽl Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials

Elcomsoft and the independence of Cyberspace. Remember John Perry Barlow's A Declaration of the Independence of Cyberspace? Back in the mid-90's, the Declaration struck a responsive chord with phrases like:

We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.

These strong words have taken on a dated feel for some time as the world evolved and governments proved unwilling to give up their "tyrannies" so easily. One would think that the Elcomsoft case would have been one of the final nails in the Declaration's coffin. After all, Dmitry Sklyarov certainly discovered that there were "methods of enforcement" worthy of fear. 25 years in jail is a potent threat.

So it is more than interesting to see that Elcomsoft, in the preliminary stages of its trial for violating the DMCA, is taking an approach that is seemingly inspired by Barlow's Declaration. Consider this Wired News article, which contains a preliminary hearing quote from Elcomsoft attorney Joseph Burton:

Burton said that the Internet is an international, "ambient" realm, meaning that it is "everywhere and nowhere" and that it "transcends the idea of being only physical." Therefore, he said, conduct that occurs on the Internet is "extraterritorial" of U.S. laws, specifically the Digital Millennium Copyright Act, the 1998 law that Elcomsoft is charged with violating.

Wouldn't it be nice if this view were upheld by the court? Perhaps even more than the net as a whole, the free software community likes to see itself as independent of country, company, or location. Where, exactly, was the Linux kernel developed? Who owns KDE? Whose laws govern Gnutella? Wouldn't it be nice if free software, by virtue of its "extraterritorial" nature, could be free of the increasing number of ill-advised and truly obnoxious laws being passed worldwide?

Meanwhile, back on Earth, things just aren't going to happen that way. It is a rare government that will willingly give up its coercive power over anything - much less anything as fundamental and important as the net. Elcomsoft has also not helped its case by selling the Advanced eBook Processor via a server in Chicago. That bit of U.S. presence may well prove enough to allow the court to ignore much of Elcomsoft's motion to dismiss.

And that is unfortunate, because the jurisdiction issue really does matter. The U.S. would like to export its laws worldwide, and some of those laws are repressive in a big way. Dmitry Sklyarov or Johan Johansen should be able to write code in their home countries without fearing U.S. laws. Kernel hackers should be able to document security fixes without risking a stay in the U.S. prison system. American citizens, who have no desire to be bound by Chinese, Iranian, French, or even Canadian laws have no right to impose their legal code on conduct that occurs elsewhere. One can only hope that a U.S. court will eventually come to that conclusion; unfortunately, the Elcomsoft case appears unlikely to be the one that brings such a ruling about.

No GPL test case, for now. MySQL AB certainly does not believe that software companies are beyond the reach of U.S. copyright law. The company traveled across the ocean from Sweden in an attempt to obtain a couple of injunctions against NuSphere. The company's first argument, based on trademark law, was successful. But MySQL AB's attempt to deprive NuSphere of its right to distribute MySQL as a result of past GPL violations was not. Is this a defeat for the GPL?

The truth is that there has been no ruling on the GPL at all. MySQL AB was seeking a preliminary injunction which would take place before the real trial. Since the trial itself has not yet happened, the standards for preliminary injunctions are high: the party requesting the injunction must demonstrate that it will suffer immediate and irreparable harm if the injunction is not granted. MySQL AB was not able to convince the judge that this harm would happen, so no injunction was issued for now. The issue will probably be revisited when the full trial begins.

See also: the FSF's press release on the results of the preliminary hearing.

Digital rights management - on both sides of the Atlantic. The Senate hearing on digital rights management took place on February 28 - just as the previous LWN.net Weekly Edition hit the net. The reports from that hearing are not good. It was a showcase for the U.S. motion picture industry, which was able to press forward its agenda without any real discussion.

As an example of the level of the debate that took place in that room, see Mike Godwin's report:

Consumer and civil-liberties groups were not represented on the witness list, but they were in the room, as were representatives of many companies that would be affected by schemes like the one that might be mandated by Senator Hollings. Most audience members were visibly amused or distressed when [Disney CEO] Eisner confessed that the only reason he could think of for Michael Dell not to build in ubiquitous copyright-policing functions in his products was that Dell wants to sell his products to infringers.

The situation was bad enough that Intel VP Leslie Vadasz felt the need to send out an open letter to Senator Hollings clarifying Intel's position:

What the content community fails to recognize is that these utilities - the ability to copy content, remix and manage it and port it to other storage media for personal use in a protected fashion - are features that consumers have come to expect. The ability to rip, mix and burn in a protected manner is not piracy, it is simply fair use of content as permitted by law.

It is nice to see Intel standing up for fair use, at least, but one should not be too encouraged. Intel is happy to work on digital rights management schemes; the company would just rather do it without the threat of MPAA-written legislation.

Those who see this kind of stuff as a uniquely American sort of craziness would be well advised to not be too complacent. This Politech posting describes a meeting of a European Commission working group on digital rights management systems. Enthusiasm for such systems runs high there as well, and the composition of the people invited to the debate is not much different.

Also available is this working paper (in PDF format) describing the EC's approach to digital rights management. It starts by listing all of the usual problems associated with DRM systems: vulnerability, ease of use, fair use, privacy, etc. But, no matter:

The Commission Services should continue to encourage all players to develop operational, open, and interoperable DRM solutions and to deploy them rapidly.

And how is this encouragement to happen? Among other things:

Legal safeguards are essential to support technological measures and protect them against unlawful circumvention and these are already in place.

This, of course, sounds very SSSCA-like.

The problem is that free software is seen by many of these people as a sort of circumvention device. Systems with freely available source can not be relied upon to enforce other peoples' claimed digital rights. As SSSCA-like laws begin to be passed, the legal climate for free software - regardless if it is used for "unlawful circumvention," is going to get uglier.

A new home for LWN.net. Some of you may have noticed a bit of weirdness on the site last Friday. That was a result of the cutover to our new server, which has been kindly provided for us by the people at Rackspace. It's a nice box; many thanks to Rackspace for helping LWN stay on the net!

The return of banners. Occasionally over the last few weeks we have gotten an inquiry from a concerned reader about the lack of banner ads on the site. We certainly do not wish to ignore requests from our readers, so we are pleased to announce that banners will shortly be returning to LWN.net. We have a couple of advertisers signed up, and can only assume (and hope) that more are on their way. With luck, we'll be able to run more interesting banners than have been seen on this site in the past.

A couple of relevant things:

  • Since the beginning, we've wanted to run banners for development projects and other community-oriented sites. Now, at last, we will be able to do that. If you run a community site and would like to drop a banner into our rotation, please drop a note to banners@lwn.net and we'll get you set up.

  • We are, with a certain amount of urgency, looking for more advertisers. If you have a company that would benefit from exposure to LWN.net's audience, please contact us at sales@lwn.net.
Now back to our regular programming...

Inside this LWN.net weekly edition:

  • Security: PHP file upload; Apache mod_ssl; several new resources
  • Kernel: IDE "cleanups"; BitKeeper protest; Delayed block allocation.
  • Distributions: Linux From Scratch; LFSMake; LRs-Linux.
  • Development: Web 100 alpha, new jack API, Sun opens Abicheck, spam filters, WaveSurfer 1.3, Sketch 0.6.13, Open64 0.14, GNU CLISP 2.28, Perl 5.7.3, Ruby 1.6.7.
  • Commerce: Software Patents: France Accuses EC of Misleading e.Europe; AMD announces Linux support for the x86-64.
  • Letters: StarOffice; cruft; Microsoft and the GPL.
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:

March 7, 2002


 Main page
 Linux in the news

See also: last week's Security page.


News and Editorials

Flaw weakens Linux security software (News.com). News.com looks at the Netfilter security problem. "Security is a nagging concern for the computer industry, which must juggle new features with the risk that they open up new problems. While the firewall problem the Netfilter programmers discovered is limited to a few versions of Linux, a more serious problem emerged earlier this month affecting numerous operating systems using standard network management software."

Building a Virtual Honeynet (LinuxSecurity). This LinuxSecurity article describes the author's experiences with building a virtual honeynet on his existing Linux box. "A honeynet is only one type of honeypot which is supposed to emulate a real production network, while a honeypot is a single host designed as a lure-and-log system (i.e. a system with a packet sniffer and a keylogger to log all activity on it, and most likely programs that simulate vulnerable services)."

Security Reports

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

	file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability.

Developers using the 4.2.0 branch, are not vulnerable because because file upload support was completely rewritten for that branch.

Distributor updates seen so far:

Further complicating the matter, the updates may not fix the problem yet...

Apache mod_ssl buffer overflow vulnerability. According to this announcement "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment[...]."

Distributor updates seen so far:

Two denial of service vulnerabilities in Cistron RADIUS versions 1.6.5 and prior are described in this CERT advisory for RADIUS. "They are remotely exploitable, and on most systems result in a denial of service."

Updates are available for:

Security vulnerability in Zope. There is available. It seems that the calculation of user privileges is not always done as it should be, and users could, in some situations, get access to things they shouldn't be allowed to touch.

Debian Security Advisory - xsane. Debian has released an update for xsane. Tim Waugh found several insecure uses of temporary files in the xsane program, which is used for scanning. This was fixed for Debian/stable by moving those files into a securely created directory within the /tmp directory.

Debian security update to cfs. Here is this cfs update from Debian fixing a set of buffer overflows there.

Debian Security Advisory for CVS. Updated packages are available to fix an improper variable initialization in the CVS server. This problem has been fixed in version 1.10.7-9 for the stable Debian distribution and in versions newer than 1.11.1p1debian-3 for the testing and unstable distribution of Debian.

DCP-Portal content management system information path disclosure vulnerability. This Bugtraq post describes the vulnerability which may "enable a remote user to reveal the absolute path to the web root and also more information about the system might be revealed."

web scripts. The following web scripts were reported to contain vulnerabilities:

  • Multiple vulnerabilities in the AeroMail Web-based email client (implemented in PHP) are described in this Bugtraq post.


Cyrus SASL format string vulnerability. A format string bug in the Cyrus SASL authentication API for mail clients and servers may be remotely exploitable. (First LWN report: November 29, 2001).

This week's updates:

Previous updates:

Multiple vulnerabilities in SNMP implementations. Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).

This week's updates:

Previous updates:

Multiple security vulnerabilities in squid. Here is a security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE3. At the minimum, the vulnerabilities could facilitate denial of service attacks; the potential for worse also exists. Sites running squid probably should apply the update sooner rather than later. (First LWN report: February 28th).

This week's updates:

Previous updates:

Fixes 8 available from SmoothWall. The SmoothWall Project has released fixes 8, which provides major upgrades to Apache, OpenSSL, OpenSSH and applies counter controls to theoretical exploits which could potentially affect many Linux distributions.


The CERT Coordination Center (CERT/CC) has issued the quaterly CERT summary "to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information." The last regularly scheduled CERT summary was issued in November 2001.

"Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures: Part Two." by Zenomorph is available from here. The paper "deals with detecting web application/web server attacks along with figuring out what it may mean" to the "average administrator. and developer."

The draft Guidelines on Securing Public Web Servers is available for public comment from the United States National Institute of Standards and Technology (NIST). NIST is seeking comments and suggestions on this draft. If you are interested, the document is available from NIST.

Open Source Security Testing Methodology Manual 2.0 has been posted for peer-review. More information is available in the announcement. The manual is available for download from here.

Linux security week. The and publications from LinuxSecurity.com are available.

IT Security Cookbook Now Available (LinuxSecurity). LinuxSecurity talks with Sean Boran, author of "IT Security Cookbook". "LinuxSecurity.com: Why is it important for IT professionals to read your cookbook?

Sean Boran: Because it starts at the top (policies) and goes all the way down to technical recommendations."


RAID 2002 Last Call for Papers. The Fifth International Symposium on Recent Advances in Intrusion Detection has issued this last call for papers. RAID 2002 will be held in Zurich, Switzerland October 16-18, 2002. It is organized by Swiss Federal Institute of Technology and IBM Research Division. The deadline for submissions is the end of March 2002.

DEF CON TEN Call for Papers. DEF DON TEN has issued this call for papers. "Papers and presentations are now being accepted for DEF CON TEN, the largest 'hacking' convention on the planet. Papers and requests to speak will be received and reviewed from NOW until July 1st."

Upcoming Security Events.
Date Event Location
March 11 - 14, 2002Financial Cryptography 2002Sothhampton, Bermuda
March 18 - 21, 2002Sixth Annual Distributed Objects and Components Security Workshop(Pier 5 Hotel at the Inner Harbor)Baltimore, Maryland, USA
March 18 - 20, 2002InfoSec World Conference and Expo/2002Orlando, FL, USA
April 1 - 7, 2002SANS 2002Orlando, FL., USA
April 5 - 7, 2002RubiconDetroit, Michigan, USA
April 7 - 10, 2002Techno-Security 2002 ConferenceMyrtle Beach, SC
April 14 - 15, 2002Workshop on Privacy Enhancing Technologies 2002(Cathedral Hill Hotel)San Francisco, California, USA
April 16 - 19, 2002The Twelfth Conference on Computers, Freedom & Privacy(Cathedral Hill Hotel)San Francisco, California, USA
April 23 - 25, 2002Infosecurity Europe 2002Olympia, London, UK
May 1 - 3, 2002cansecwest/core02Vancouver, Canada
May 4 - 5, 2002DallasConDallas, TX., USA
May 12 - 15, 20022002 IEEE Symposium on Security and Privacy(The Claremont Resort)Oakland, California, USA
May 13 - 14, 20023rd International Common Criteria Conference(ICCC)Ottawa, Ont., Canada
May 13 - 17, 200214th Annual Canadian Information Technology Security Symposium(CITSS)(Ottawa Congress Centre)Ottawa, Ontario, Canada

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney

March 7, 2002

LWN Resources

Secured Distributions:
Astaro Security
Engarde Secure Linux
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux

Security Projects
Linux Security Audit Project
Linux Security Module

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

BSD-specific links

Security mailing lists
Linux From Scratch
Red Hat
Yellow Dog

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Security Focus


 Main page
 Linux in the news

See also: last week's Kernel page.

Kernel development

The current development kernel release is 2.5.5. Linus's latest prepatch is 2.5.6-pre3; it contains a fair amount in the way of fixes and updates, but the most visible change will be the integration of the JFS journaling filesystem from IBM. Also included are ARM and X86-64 updates, USB updates, VFS updates, IDE driver reworking (see below), a parport update, and more.

Dave Jones's latest prepatch is 2.5.5-dj3. It is caught up to 2.5.6-pre2 and 2.4.19-pre2, and throws in several more fixes as well.

Guillaume Boissiere's 2.5 status summary for March 6 is available.

The current stable kernel release is 2.4.18. The current 2.4.19 prepatch from Marcelo is 2.4.19-pre2. It contains the struct page shrinkage patch, but otherwise confines itself to fixes and cleanups.

Alan Cox's current prepatch is 2.4.19-pre2-ac2; the most significant addition in that patch is Ingo Molnar's O(1) scheduler, which has been in the 2.5 series for some time. Also from Alan is 2.4.18-ac3, which adds a much smaller set of fixes to 2.4.18.

Other kernel trees which have been released in the past week include:

  • Andrea Arcangeli's 2.4.19-pre1-aa1 includes the latest version of his VM code which will probably be heading for Marcelo's tree before too long. (Andrea has proposed it for inclusion, but Marcelo has asked for it to be split into small, documented pieces).

  • JŲrg Prante has released 2.4.18-jp6, a heavily patched version of 2.4.18. Among other things, it includes the new VM and scheduler, the preemptable kernel patch, the new IDE driver, FreeS/Wan, XFS, JFS, and the lm_sensors patch. (Note that lm_sensors can, apparently, be fatal to some IBM laptops).

  • 2.4.19-pre2-jam2 comes from J.A. Magallon; it merges the latest Arcangeli VM and a couple of other patches.

  • The contender for the longest name is 2.4.19-pre2-ac2-xfs-shawn9 from Shawn Starr; it is a mixture of Rik van Riel's reverse mapping VM and SGI's XFS filesystem. (Here's where to get it.)

How clean should the IDE code get? A regular feature on the linux-kernel list over the last few weeks has been a series of "IDE cleanup" patches by Martin Dalecki. These patches have been aimed at making the IDE driver code easier to read, and at removing duplicated and unnecessary code. They have been, for the most part, uncontroversial, and Linus has merged most of them into his recent releases. (Of course, Andre Hedrick, the author of much of the IDE code, is not pleased with this work, but that's a story in its own right...)

Things changed a bit, however, with the posting of IDE cleanup 16 which, among other things, takes away direct access (via ioctl()) to the IDE taskfile commands. Martin didn't like providing the ability for userspace programs to talk to the drives directly in that manner, and he complained about the command parsing code that was there as part of that functionality. According to Martin, the taskfile ioctl has only been there since 2.5.3, and is used by nobody.

That reasoning ignores one important little fact: Andre's IDE patches have been around for some time, and have been extensively used despite the fact that they only now have found their way into a mainline kernel. There are users who have found reasons to employ the TASKFILE interface, and they are not pleased at its disappearance. To many, this change goes beyond a simple "cleanup."

Martin seems to have come to agree that some sort of taskfile access is necessary. That issue will thus probably come to a resolution, but there is still a larger question that needs answering. Martin appears to have performed a hostile takeover of the maintainership of the IDE code. Is he truly the IDE maintainer now, and how far does his mandate for change extend?

Protesting BitKeeper. The only surprise is how long it took for this to happen. A group of Ohio State students has posted a petition protesting the increasing use of BitKeeper by the kernel development community. In particular, the petitioners fear that the day will come when use of BitKeeper will be required to participate in the kernel development process.

The problem, of course, is that the BitKeeper license is not a free software license. The BitKeeper source (or a version of it, anyway) is available, and modifications and redistribution are allowed. But there are certain things that you can not do (in particular: disabling the "open logging" feature); thus the software is not free. (See LWN's 1999 BitKeeper coverage or Jack Moffitt's critique of the BitKeeper license for more information).

The response to the petition has ranged from weak to hostile. There are certainly kernel hackers who choose not to use BitKeeper as a result of its licensing, but few seem to be worried about their continued ability to contribute, and none feel the need to impose their decisions on others. BitKeeper seems to be winning converts in the kernel development community, and petitions are unlikely to change that.

Linux device number registration resumes. Back in May of 2001, Linus decreed that no more major device numbers would be handed out; his goal was to force the kernel developers to come up with a reasonable alternative to static numbers. Now John Cagle, who has taken over management of the Linux device list, has announced that device number registrations will resume - at least for kernels released by Marcelo Tosatti and Alan Cox (i.e. in the 2.4 series). Linus is presumably still not accepting new numbers for 2.5, so any numbers allocated now could well not show up in 2.6 until Linus passes it on to a new maintainer.

(See the May 17, 2001 LWN Kernel Page for coverage of the moratorium on new device numbers).

Delayed disk block allocation. When a Linux process writes data to a disk file, the kernel calls into the appropriate filesystem code to get disk space allocated for that data. This allocation happens even though the kernel could (and often does) decide to not actually write that data to disk for some time. The early allocation offers simplicity and reliability - it is nice to know where the data will eventually end up - and it has been good enough for the Linux kernel until now.

Early allocation is not ideal, however, for a few reasons. Foremost among those is that early allocation makes it hard for the filesystem code to optimize the layout of files on disk. The best performance is achieved when the blocks of a file are placed contiguously on the disk; they can then be read or written in a single, fast operation. If the filesystem allocates new blocks one at a time, however, contiguous placement can be hard to accomplish. In particular, if multiple processes are writing files in the same filesystem simultaneously, their data may end up being interleaved on the disk.

Another worthwhile consideration is that some files never get written to disk at all. Many applications create short-lived temporary files that are deleted before their blocks are ever committed to the drive. For such files, it is better to never bother with the allocation of blocks at all.

These concerns argue for delaying the allocation of blocks for files until it is absolutely necessary. A proper delayed allocation implementation should have a measurable impact on performance. That assertion has now been put to the test, as Andrew Morton has posted a patch implementing delayed allocation for the 2.5.6-pre kernels.

Delayed allocation, of course, requires cooperation from the filesystem code, since that is where the allocation actually occurs. It is important, after all, to know that the required disk blocks will be available when the system finally does get around to allocating them - applications want to know right away if their writes are not going to work. Andrew's patch thus extends the address_space_operations structure with a few new methods. When a process writes into a new file block, the kernel can call the reservepage method to tell the filesystem to set some space aside. Later on, the new writeback_mapping method can be called to commit blocks to disk, allocating the space at that time.

A fair amount of effort (and code) has gone into trying to handle those writebacks in an intelligent way. A set of tunable thresholds determine when (and to what extent) the kernel will go out of its way to write dirty pages to disk. At the lowest level, writebacks will start happening as a kernel background task. If the number of dirty pages reaches a substantial portion of the total, processes performing writes can be blocked while their pages are written out synchronously.

Much of the writeout is intended to happen in the background mode, however. To this end, the delayed allocation patch introduces yet another set of kernel threads, called "pdflush." The number of pdflush threads will go up as the amount of writeback work increases - their number is managed through a simple, apache-style pool scheme. The purpose of having multiple threads is to try to keep multiple disk devices busy, even if one is doing most of the work.

How well does the patch work? Randy Hron, kernel benchmarker extraordinaire, has compiled an extensive set of results. The bottom line: for disk operations, and heavy writes in particular, the delayed allocation patch increases performance by 20-25%. Probably worth the trouble, in other words. As one kernel hacker put it: "My only comment is: how fast can we get delalloc into 2.5.x for further testing and development?"

Other patches and updates released this week include:

Core kernel code:

Development tools:

Device drivers

  • Gerd Knorr has posted the third iteration of his video device redesign. He's looking for comments soon before he sends the patch to Linus.

  • David Miller has announced the sixth beta version of the new Tigon3 driver.


  • A new access control list patch has been posted by Andreas Gruenbacher.

  • Craig Christophel has announced an extensive set of patches (actually written by Jan Kara) which completely rework the Linux disk quota subsystem.



  • Version 0_94 of the Affix BlueTooth stack was announced by Dmitry Kasatkin.

Section Editor: Jonathan Corbet

March 7, 2002

For other kernel news, see:

Other resources:


 Main page
 Linux in the news

See also: last week's Distributions page.


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Linux From Scratch. Linux From Scratch is in the "Education" section of the LWN Distributions List because:

The most important reason for LFS's existence is teaching people how a Linux system works internally. Building an LFS system teaches you about all that makes Linux tick, how things work together, and depend on each other. And most importantly, how to customize it to your own taste and needs.
LFS Introduction.

An LFS system can be very large, if you want to add lots of extra software. It can also be very small; some LFS installations are less than 8Mb.

Linux From Scratch doesn't come on a CD or a floppy. You need to have an existing Linux system before you can install LFS. Mostly, LFS is book of instructions.

This book describes the process of creating a Linux system from scratch from an already installed Linux distribution, using nothing but the sources of the software that we use.
LFS 3.2-rc2.

These instructions are tested continually and revised as necessary. (See the change log for details.) LFS 3.2-rc2 was released this week.

LFS intends to be platform independent, however development does take place on x86 hardware. The book will tell you where to download the source tarballs; how to build a partition for your LFS system; what to do with the kernel packages (3.2-rc2 uses Kernel-2.4.17); how to compile, link and install packages; and how to build boot scripts. When you are done you'll have a customized Linux system, optimized for your hardware. Maybe not the easiest installation around, but one that will teach you quite a lot about Linux internals.

LFSMake. LFSMake is a related project consisting of a set of makefiles to automate the installation of a "Linux From Scratch" system. Version 3.1 of LFSMake is out; a long-overdue update that brings LFSMake up-to-date with the LFS 3.1 book.

LRs-Linux. It is said that imitation is the sincerest form of flattery, and if that's true LFS should be flattered by the appearance of LRs-Linux. LRs-Linux is based on LFS. In contrast to LFS and most common distributions, LRs Linux has the ability to compile directly from the CD. This means that binaries can be natively compiled for the target host during the install, enhancing the performance of the resultant system. The install process is largely automated. LRs-Linux was initially released at version 0.2.5 on February 27, 2002.

New Distributions

Audio Bookshelf. Including the Enigma Audio Bookshelf here is stretching the definition of a Linux distribution just a bit. But this is a bootable CD product, which contains enough of a Linux operating system to turn a PC into a book reader. Any PC meeting the minimum requirements can be turned into a Linux based book reader, regardless of the OS installed on the hard drive. Read the book yourself, or have the computer read to you. We've added it to our list under 'Special Purpose/Mini' distributions.

Keeper Linux. Here is an announcement for Keeper Linux. It comes on two floppy disks and it's designed to meet specific application needs. Current applications include the security of internal networks linked to DSL/cable modem and dial-up connections. Others include administration of remote servers. We've listed it with the "Floppy based" distributions.

OEone HomeBase 1.2 Software for Internet Computer to Debut Shipping. OEone has announced the release of HomeBase 1.2. HomeBase, essentially, is an ultra user-friendly distribution with a Mozilla-based desktop. OEone also sells low-cost hardware running this distribution.

PUPLinux. The Audio Bookshelf might have been a stretch, but as long as we're stretching things, we'll stretch a bit further and introduce PUPLinux, Personable UniProcessor Linux, 1.2.14 umbilical snip version. Why is this a stretch? Because there really is no such beast, only this posting to the Linux kernel mailing list. Enjoy.

Distribution News

Debian News - Elections, Woody release status. The Debian Weekly News for February 27 is available; it looks at the latest Woody release news, crypto support in Debian, progress with OpenOffice, LSB compliance, the Debian leader elections, and more.

The nomination period has ended and three candidates will run for Debian Project Leader. The candidates are: Bdale Garbee, RaphaŽl Hertzog, and Branden Robinson. Next week we'll have a brief profile of the candidates.

The search for Debian Project Leader panelists is complete. Four panelists and a moderator have been chosen. These people will facilitate the Project Leader debate.

Meanwhile, here's last Sunday's Woody release status update. Additional release status updates can be found by searching for "release status update" in these list archives. A running list of Release Critical bugs can be found at http://bugs.debian.net/ and a graph of the freeze progress (in terms of remaining RC bugs) can be seen at http://bugs.debian.org/release-critical/.

Plans are coming together for Debconf 2 to be held in Toronto July 5 - 7, 2002.

Lycoris Now Offering HP PCs PreLoaded With Desktop/LX. Lycoris announced the availability of Hewlett Packard PCs Pre-Loaded with Desktop/LX.

Mandrake Linux News. Mandrake Linux 8.2 beta4 is out. Beta testers should read this first. Then, focus tests on the following areas:

Look for MandrakeSoft at CeBIT, Hannover, Germany - March 13-20.

Wasabi Introduces NetBSD for Intel IOP321. Wasabi Systems, the NetBSD Company, announced its support for the Intel IOP321 I/O processor based on the Intel XScale core.

Red Hat Updates to 5.6.1 (use Perl). Red Hat now has RPMs for Perl 5.6.1 available.

Minor Distribution updates

PeeWeeLinux. PeeWeeLinux has released version 0.61.1. This version removes the requirement for ncurses4. The pwlconfig tool now works correctly with newer Linux distributions.

ROOT Linux. ROOT Linux has released 1.3pre2 with major bug fixes and package upgrades.

Trustix Secure Linux Bugfix Advisories. Trustix Secure Linux has released the following bug fix advisories.

  • samba: a new upstream version for TSL 1.5.
  • gnupg: TSL has updated their public key.
  • swup: Swup uses the new key (see above) for validation of the TSL-packages.
  • apache: The httpd init script in the apache-1.3.23-1tr contained a faulty chkconfig line which caused the apache web server to be started on bootup. This could be a security risk for TSL 1.5 systems.

Distribution Reviews

Lycoris Linux (ExtremeTech). ExtremeTech reviews Lycoris Linux (the distribution formerly known as Redmond Linux). "All the apps in this distro were chosen for their quality, dependability and strength. You will not be obliged to sift through a 'dumping' of half-developed applications to find one that 'almost' works. Everything in Lycoris Desktop/LX works. Since I installed Lycoris a few weeks ago, I used their automatic updating system once. It works without a hitch and installs everything automatically."

Casting spells with a Linux distro written especially for sysadmins (LinuxWorld). LinuxWorld reviews Sorcerer GNU/Linux (SGL). "[SGL creator Kyle] Sallee based the name (and the names of many of its features) on the notion that sysadmins are wizards, and much of what they accomplish is, to the common user, magic. Sorcerer's magic allows you to build and maintain a Linux system based on the very latest stable source code for each component, from the kernel to X, compiled on and for your machine."

Linux open Sorcerer casts its spell (vnunet). Here is another review of Sorcerer GNU/Linux. "To accomplish the 'magic' seen by the uninitiated end user, the wizard is able to 'cast' application spells. Using the command line "cast [application]" will locate the latest stable source for the relevant application, perhaps the author's homepage, and download, configure, compile and install it."

RedFlag Linux Reviewed. Tummy.com's Sean Reifschneider has sent around this review of RedFlag Linux. "Greetings. I spent the weekend downloading RedFlag Linux (the one from China), and thought I'd give a quick review of it. This is largely related to the installer and boot process."

Section Editor: Rebecca Sobol

March 7, 2002

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

Distribution Lists:
LWN List
Woven Goods


 Main page
 Linux in the news

See also: last week's Development page.

Development projects

News and Editorials

Web100 Releases its first Alpha Version

LWN first covered the Web100 project back in 1999. This project seeks to optimize TCP/IP stacks (starting with Linux) for top performance over high-speed, wide-area networks; it is aimed at the needs of scientific laboratories and others who need to move massive amounts of data around.

The Web100 project has announced its alpha 1.0 release. The work so far seems to be mostly oriented toward instrumenting the Linux TCP/IP stack so that its performance can be monitored and improved. The implementation is defined by the Web100 TCP Kernel Instrumentation Set (TCP-KIS).

The project leaders are aiming to achieve fairly wide usage of their efforts:

In addition to the software release, Web100 programmers continue to refine TCP software so that users can automatically achieve the highest possible transfer rate. This effort has already led to a first draft of a new Internet Engineering Task Force standard. As the development of new standards progresses, Web100 researchers hope that other operating system vendors will adopt the Web100 enhancements. Such changes will make increased TCP traffic flows easier to handle and more transparent for the users of high-speed networks.

The Web100 software currently consists of two components, a kernel patch that works with Linux kernel 2.4.16, and a shared user-space library of utilities known as the Userland. The alpha 1.1 version of Userland was just released, and features a few bug fixes and documentation updates.

The Web100 software may be downloaded here.

Audio Projects

JACK API enhancements. The JACK Audio Connection Kit API has been improved. "The JACK API now includes provisions for shared transport control, including looping. Substantial improvements to stability have been achieved, as well as some architectural changes to support new "drivers". The ALSA PCM driver has been modified to support use for playback only, greatly helping those with consumer audio interfaces."


Linux in education report #65. The Linux in education report number 65 is out. The Audio Bookshelf linux-based CDROM distribution is the featured topic, other educational Linux projects are also covered.

Embedded Systems

Embedded Linux Newsletter for Feb. 28, 2002. The February 28, 2002 Embedded Linux Newsletter is available. Topics include a review of Redsonic's embedded Linux toolkit, the new Intel embedded CPU chips, the ELC's embedded Linux platform specification, and more.

Linux system development on an embedded device (IBM developerWorks). Anand K Santhanam and Vishal Kulkarni describe the components that are needed for developing Embedded Linux applications. "Especially if you're just starting out in embedded development, the wealth of available bootloaders, scaled-down distributions, filesystems, and GUIs can seem overwhelming. But this wealth of options is actually a boon, allowing you to tailor your development or user environment exactly to your needs."


Sun releases ABIcheck (Gnotices). The GNOME Gnotices site mentions that Sun has released the source code to ABIcheck, a tool that checks to make sure that an application uses library ABIs correctly. See the ABIcheck home page on SourceForge for more information. The ABIcheck source has been released under the LGPL.

Mail Software

rbl-milter 0.2 released. Version 0.2 of rbl-milter, a mail filter for sendmail, is available. This version supports multiple RBL lists, adds compatibility with older resolver libraries, and features autoconf configuration.

Stopping Spam with SpamAssassin (Perl.com). Simon Cozens writes about spam filtering on Perl.com. "I get a lot of spam. An absolute massive bucket load of spam. I got way over 100 pieces of spam in the first three days of this month. I get so much spam Hormel Foods send trucks to take it away. And I'm convinced that things are getting worse. We're all being bombarded with junk mail more than ever these days. Well, a couple of days ago I got to breaking point, and decided that the simple mail filtering I had in place up until now just wasn't up to the job. It was time to call in an assassin. "

Web-site Development

PHPmole: Free development environment for Midgard and PHP. PHPmole, an Integrated Development Environment for the Midgard web platform, has been released. "PHPmole aims to provide the free software world with a web development environment comparable to DreamWeaver and MS Visual Studio, with additional content management functionalities.

Unlike most Midgard applications and development tools, PHPmole is a native client-side program designed for the the GNOME desktop environment." (Thanks to Henri Bergius.)

Zope 2.6 features wiki. Brian Lloyd has announced a new Zope 2.6 wiki site that has been created for the purpose of discussing Zope 2.6 development.

The latest Zope Members' News. This week's entries on the Zope Members' News include Zope 2.5.0 support for the Wing IDE, TCPWatch 1.1, Emil email client v.0.5, and more.


LDP Weekly News. The March 5, 2002 edition of the LDP Weekly News covers the new version of the GNU Free Documentation License. New documentation includes a Linux Complete Backup and Recovery HOWTO, and a Spanish translation of the Linux Network Administrators Guide, 2nd Edition.

March 7, 2002

Application Links
High Availability

Open Source Code Collections
Le Serveur Libre



Desktop Development

Audio Applications

AlsaPlayer 0.99.54 released. Version 0.99.54 of the AlsaPlayer PCM player is available. The change log lists improvements to libalsaplayer, a new preferences system, improvements to the JACK interface, code cleanups, and a few more features.

WaveSurfer 1.3 released. Version 1.3 of the WaveSurfer audio file editor has been released. The changes include support for separate sound windows, linear, exponential, and logarithmic fade filters, faster plotting, bug fixes, and more.

XMMS 1.2.7 released. Version 1.2.7 of XMMS, the X MultiMedia System, has been released. This version features visual enhancements, cddb server connectivity improvements, mpg123 stability improvements, and more.

Web Browsers

Encompass 0.4.5 released (Gnotices). A new version of the Encompass web browser has been announced. Version 0.4.5 features bug fixes and the ability to download files.

Mozilla Independent Status Reports (MozillaZine). MozillaZine features a number of Mozilla Independent Status Reports, including a report from the Second European Mozilla Developers Meeting, and updates on the ThinSkin, Abzilla, and mozCalc projects.

Desktop Environments

People of KDE: Falk Brettschneider. This week's People of KDE interview features Falk Brettschneider, author of QextMDI and contributor to KDevelop 2.

Kernel Cousin KDE #34. Issue #34 of Kernel Cousin KDE covers Project Crystal, KMenu side image colors, aRts, a FAQ that promotes KDE, and the Karbon vector graphics program.


Sketch 0.6.13 Released. Version 0.6.13 of the Sketch vector drawing tool has been released. This version adds multi-line text handling, new import filters and conversion tools, simple color separation, an eps security fix, and more.

Office Applications

Kernel Cousin GNUe #17 and #18. Two new editions of Kernel Cousin GNUe are available. Issue #17 looks at GNUe error messages, installing GNUe on Red Hat, using Forms with the Application Server, Forms issues, and more.

Issue #18 covers a General Ledger schema, European privacy laws, Debian packages, ERP standards, and more.


Nautilus File Manager Scripts. A collection of scripts that can be used by the GNOME Nautilus file manager have been published. Many scripts are available for archiving, execution, querying, processing, file system management, dealing with multimedia, and more.

Desktop Environments

Window Managers

Widget Sets


Programming Languages


Open64 Compiler v0.14 released. Version 0.14 of the Open64 C, C++, and Fortran90/95 compiler for the Itanium processor has been released. "It includes all the modifications made by the ORC team."


Caml Weekly News. The Caml Weekly News for March 5, 2002 looks at the ARM OCaml cross-compiler, WDialog-2.00-test2, O'Caml DLL-hell, Report 0.3, and tools from the C-- project.

The Caml Hump. This week's entries on the Caml Hump include the oclisp minimal lisp interpreter, OCCamlBurg for generating code from pattern matching specifications, OCamlError for dissecting stack traces, the OCamlARM cross compiler, and more.


Chapter 4: The Java Platform (O'Reilly). O'Reilly has put chapter 4 of the book Java in a Nutshell by David Flanagan online. "This chapter switches gears and covers the Java platform -- a vast collection of predefined classes available to every Java program, regardless of the underlying host system on which it is running. The classes of the Java platform are collected into related groups, known as packages."

Understanding JTS - An introduction to transactions (IBM developerWorks). Brian Goetz discusses the Java Transaction Service (JTS) on IBM's developerWorks. "The Java Transaction Service is a key element of the J2EE architecture. Together with the Java Transaction API, it enables us to build distributed applications that are robust to all sorts of system and network failures."


Condition Handling in the Lisp Language Family. Kent Pitman has published his paper on Condition Handling in the Lisp Language Family. "The Lisp family of languages has long been a rich source of ideas and inspiration in the area of error handling. Here we will survey some of the abstract concepts and terminology, as well as some specific language constructs that Lisp has contributed."

GNU CLISP 2.28 released. GNU CLISP Version 2.28 has been released. Some of the changes include the implementation of a number of new ANSI CL functions support for weak hash tables and internationalized lisp programs, and the UI language can be changed dynamically.


The Perl Review. A new downloadable (PDF) Perl magazine makes its debut this month. The Perl Review has articles on Perl one liners, extreme publishing, parroty bits, singletons, and camels & needles.

perl 5.7.3 Available (use Perl). Intended to be the last developer release before Perl 5.8.0, Perl 5.7.3 has been announced. The developers are looking for help testing the release out. "The less common platform you have, the more important this is, since the Perl developers do not have access to all the possible platforms, or the required programming and debugging experience on those platforms."

Perl 6 Porters for March 2, 2002. The latest Perl 6 Porters digest has articles on topicalizers in Perl 6, garbage collection, .NET CLR, PDDs, Parrot Magic Cookie assignments, and more.


PHP Weekly Summary. The March 4, 2002 PHP Weekly Summary looks at PHP 4.1.2, QA testing, MySQL constants, and more.


Dr. Dobb's Python-URL! for March 4. This week's Python-URL is out, with news and links for the Python community. Topics include Unicode in Python, playing MP3 files, the Papercut news server, a TWAIN scanner interface for Python, and more.

The Daily Python-URL. This week's entries on The Daily Python-URL looks at the new PyZine technical journal, the Ly Literate Programming engine, the Gumbie GUI generator for Jython, the Python Sound Project, the U.N. Bot game, Guido's "Introduction to Python" tutorial, and much more.


The Ruby Garden. This week, the Ruby Garden features a new version 1.6.7 release of Ruby, and a redesigned Ruby Garden Wiki.

Ruby Weekly News. The March 4, 2002 Ruby Weekly News looks at the JTTui textmode user interface, the rpkg package tool, RDoc for turning documents into XML, the FOX GUI Toolkit, and more.


Two weeks of Tcl-URL. Here's Dr. Dobb's Tcl-URL for February 27, with the latest from the Tcl/Tk development community. Topics include portable Tcl, the risks of Visual Basic, MetaKit, and more.

The Dr. Dobb's Tcl-URL for March 6 is also available. The issue looks at Wiki references, Tk selection deficiencies, the new Tcl 8.4a4 release, dealing with .pbm images, and working with threads.


The Visual Display of Quantitative XML (O'Reilly). Fabio Arciniegas A. talks about the visual display of XML data. "While quantitative XML data is everywhere, a less common thing to find is examples of effective ways to display such information. Most resources will merely show you how to use XSLT to convert XML data to HTML, which is often not nearly enough when you need to explain complex or large sets of data. This article discusses the creation of useful graphical presentations of quantitative XML data using XSLT and SVG."

Integrated Development Environments

GNUstep Weekly Editorial. The March 1, 2002 GNUstep Weekly Editorial mentions the new GNUstep web site, looks at efforts to make a GNUstep window manager, and discusses changes in gnustep-make, among other things.

Developing C/C++ Applications with the KDevelop IDE (Linux Journal). The Linux Journal walks us through KDevelop. "In the treeview on the left side, you should see some books that you can unfold and that contain documentation included with KDevelop--almost 500 pages that can help you in almost every development situation. The second folder in that tree contains books with the API documentation of the Qt and KDE libraries."

Revision Control Systems

The State of Arch. Tom Lord has sent out a pointer to an online survey concerning the development of the arch revision control system. "arch is briefly (re)introduced. The primary goals for arch are stated and its state assessed. Three possible ways for development on arch to continue are presented along with a survey to help me choose from among them."

Section Editor: Forrest Cook

Language Links
Caml Hump
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
IBM Java Zone
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP Weekly Summary
Daily Python-URL
Python Eggs
Ruby Garden
MIT Scheme
Why Smalltalk
Tcl Developer Xchange
O'Reilly's XML.com
Regular Expressions

 Main page
 Linux in the news

See also: last week's Commerce page.

Linux and Business

Software Patents: France Accuses EC of Misleading e.Europe. The Government of France sent a vigourous letter to the European Commission in which it complains about the proposed directive on software patents.

AMD announces Linux support for the x86-64. SuSE will be working with AMD to bring Linux to the new x86-64 "Hammer" processor.

Mission Critical Linux Announces New Financing and Renewed Focus on High Availability Products. Mission Critical Linux announced that it will restructure its business to concentrate on its Convolo family of High Availability software products and will exit the general Linux operating system support and professional services business. The company has secured new financing and will continue to do business as Mission Critical Linux.

Linux Stock Index for March 01 to March 06, 2002.
LSI at closing on March 01, 2002 ... 27.17
LSI at closing on March 06, 2002 ... 28.42

The high for the week was 28.42
The low for the week was 27.17

Press Releases: