
Leading items and editorials

Not good enough. A look at this week's LWN Security Page shows that it has been a busy week. The PHP updates were still wandering in when problems turned up with OpenSSH and the zlib library. This is a scary set of vulnerabilities.

PHP is present on, according to the PHP usage page, well over 7 million domains. OpenSSH can be found on most security-conscious systems. And the zlib library finds its way into no end of applications, and even the Linux kernel. Each of these vulnerabilities has instantly exposed a large portion of the entire installed base of Linux (and Unix) systems. (In all fairness, it's not clear that the OpenSSH bug is exploitable remotely, and the zlib problem looks like a hard one to take advantage of). This is the stuff that large-scale damaging worms are made of.

It is fortunate, in other words, that nobody with the requisite skills felt the whim to take down the Internet with these vulnerabilities. The cause of Linux World Domination would certainly be set back a bit if vast numbers of Linux systems simultaneously fell prey to a vicious attack. One of these days, a widespread vulnerability will be discovered by somebody with hostile intent; that will not be a good day.

The security of open source software may well be better than that of proprietary code, but it's clearly not good enough. We are all exposed to vulnerabilities lurking in code that we depend on every day. The free software community has to improve its security performance soon, or somebody is going to rub our noses in how bad it really is.

The GNU HURD will be ready by the end of the year, or so says Richard Stallman in this PC World article. Says Richard:

We actually have the GNU kernel working, and we can now produce the GNU system, as opposed to the GNU/Linux system that people have been using so far.

The HURD, of course, is the operating system kernel built by the GNU project, which is based on the Mach microkernel. It has been under development since 1990, and many have despaired of seeing it ever reach a releasable state. But most have paid little attention; the Linux and BSD kernels have been more than adequate for a long time. What is the point of releasing a GNU kernel now?

There are a few obvious reasons that come to mind. One is that it is, in a real sense, the completion of the GNU project as laid out by Richard Stallman almost 20 years ago. The microkernel architecture is seen by some as being inherently superior to the monolithic design of the Linux kernel (though there is hardly a consensus on that point). Finally, one should not overlook this other quote from the PC World article:

Distributions of GNU/Linux include commercially licensed software, and that diverts the user and developer community from the goal of freedom, according to Stallman. "One of the reasons we are looking forward to having the GNU system finally available from the GNU Project is that it will be only free software," Stallman added.

It will take an interesting interpretation of the GPL and LGPL to keep proprietary software off the GNU kernel, but it appears that RMS is planning to try.

The chances are that no mainstream commercial software house would try to challenge a "free software only" edict for the HURD kernel. Linux and BSD both, after all, have no problem with proprietary applications. Thus, it seems unlikely that the HURD will mount a substantial challenge to the established free kernels anytime soon.

Unless, of course, the claims of technical superiority turn out to be true. If the HURD really is that much better, we may yet find it on our desktops, and "the GNU/Linux system that people have been using so far" could find itself consigned to history. But the HURD will have to be a lot better...

Running a free software business with donations. MandrakeSoft, the publisher of the Mandrake Linux distribution, has put out its strongest call yet for donations to help keep the business going:

As a company, we make our revenue by selling packaged versions of the distribution and by delivering services such as consulting, training, etc. -- but our development costs and community-based services are not yet covered by income. It is estimated that we will "break even" by the end of 2002, but it is unlikely that MandrakeSoft can remain unchanged during these next few months without drastically cutting costs unless additional revenue is generated quickly.

The company is hoping to generate that additional revenue through memberships in the Mandrake Linux Users Club and Corporate Club. Without these memberships (i.e. donations), MandrakeSoft will likely have to take further staff cuts, with the company's various free software developments being among the first things to go.

Could it really be true that the open source business model is fundamentally broken, that the only way for an open source business of any size to survive is by asking its users for tips? MandrakeSoft claims that is not the case:

The company's long term prospect are very good, but we are still paying for the "sins" of the previous management.

According to the posting, if MandrakeSoft can get past its current short-term problems, it should be in good shape for the long run. One can only hope that this claim is true. MandrakeSoft is perhaps the most community-oriented of the large commercial distributors. The company's openness to its users and commitment to free software are unparalleled. If MandrakeSoft were to fail, or to change its community-oriented approach, the community would suffer a great loss. It will be a sad sign if a company that builds such high-quality products and that is so responsive to its customers were not a viable operation.

But, then, perhaps it is appropriate that the user community should be asked to support this sort of corporation directly. Mandrake users derive a real and substantial benefit from that distribution; it is not too much to ask that they help fund its development. Making donations to support the software that one uses makes all kinds of moral sense. It is hard to see a viable way for users to contribute to all the developers of all the free software they use. But helping out a community-oriented distributor seems like a good start.

Supporting LWN. There's another community-oriented free software business which could use your help: LWN.net. We, too, are facing a short-term cash crunch and need some income to keep the site on the air for the next few months while longer-term initiatives mature. To that end, we have a couple of ways in which you, our readers, can help out:

  • Donations. Numerous readers have asked us over the last few months whether we would accept donations. We may be distressingly slow in responding to such an obviously good thing, but we eventually get there. We're glad to announce our donation page, where interested readers can contribute to LWN via Paypal. (Yes, we realize that not everybody has or wants a Paypal account; we are working on other alternatives).

  • Advertising. LWN could use some more advertisers. If you have a small business or other endeavor that you would like to advertise on LWN, please have a look at our self-service advertising page. A small amount of money can yield a great deal of exposure to LWN's readers.
We thank you, as always, for your support. Dealing with our readers has always been the greatest reward of working on LWN.

Inside this LWN.net weekly edition:

  • Security: Significant zlib vulnerability; OpenSSH release; Java VMs and Linux
  • Kernel: The IDE hostile takeover; taskfile and filtering; ultra-fast kernel compiles.
  • Distributions: Debian Project Leader Elections; New - Arch Linux; LFS 3.2 is out.
  • Development: GTK+ 2.0, GNOME 2.0b2, mpg321 0.2.9, Mozilla 0.9.9, Galeon 1.2, Gimp 1.3.4, Samba 2.2.3a, GnuCash 1.6.6, oprofile 0.1, Valgrind memory debugger.
  • Commerce: HP Announces Global Consortium; Embedded Linux Market enters era of standardization.
  • Letters: France and patents; SSSCA; AOL and Linux.
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:

March 14, 2002



See also: last week's Security page.


News and Editorials

OpenSSH 3.1 released. OpenSSH version 3.1 has been released. The main changes include defining /etc/ssh as the default configuration directory, ssh-keygen now requires a key type to be specified, and X11 forwarding now listens on localhost by default. A number of additional changes have been made.

Users are advised to upgrade to OpenSSH 3.1 (see the security report below), or to apply the included patch.

Latest Security Vulnerability: Java VMs (TechWeb). Security problems in Java virtual machines can impact many platforms, as this TechWeb article describes. "Versions of Netscape's browser, version 6.1 and lower, are also impacted, as are some Solaris and Linux releases that ship with the problematic virtual machine."

Exactly which Linux distributions are impacted is unclear. According to the Sun Microsystems Security Bulletin: "This issue may or may not affect other vendors' Java technology implementations which are derived from Sun's SDK and JDK(TM) source bases." The Java SDK and JRE versions 1.3.0_02 and 1.2.2_010 are vulnerable; the latest versions (1.4, 1.3.1_02 and 1.2.2_011) are not (despite an earlier version of this LWN story which said, erroneously, that they were).

Jac virus targets Linux (vnunet). Here's another one of those new Linux virus stories; this one is on vnunet. "Linux users typically crow about how much more secure it is than the Windows platform, but this time they may be justified as Jac has only been branded as a low threat. It is not expected to spread in the wild and causes little damage."

Security Reports

An off-by-one error in the channel code of OpenSSH versions 2.0 to 3.0.2 has been found. Users are advised to upgrade to OpenSSH 3.1, or to apply the relevant security update. "This bug can be exploited locally by an authenticated user logging into a vulnerable OpenSSH server or by a malicious SSH server attacking a vulnerable OpenSSH client."

Also see the advisory from Pine for this vulnerability.

Distributor updates seen so far:

zlib corrupts malloc data structures via double free. This vulnerability impacts all major Linux vendors. It may impact every Linux installation on Earth. Updates are required to zlib and any packages that were statically built with the zlib code.

LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable."

Updating is recommended. Now is the time to prepare, before there are any known exploits. As always, please proceed with caution when applying updates to the kernel.

Distributor updates seen so far:

Note that we have received a last-minute report saying that the Red Hat kernel update does not actually include the zlib fix.

See also: articles in ZDNet and The Register about the zlib vulnerability.
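
The report above notes that packages statically built with the zlib code need updating too, which raises the question of how to find them. The following is an added example, not code from LWN or the zlib project: zlib's source embeds " deflate <version> Copyright ..." and " inflate <version> Copyright ..." strings, so a file carrying its own copy of the library can be found by scanning for them. `FIXED_VERSION` and the sample byte strings are constructed placeholders; take the real fixed version from your distributor's advisory.

```python
import re
from pathlib import Path

# zlib's deflate.c and inftrees.c each define a copyright string of this shape.
# The strings are ordinary data, so they survive static linking and stripping.
ZLIB_MARK = re.compile(
    rb" (deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} "
)

# Placeholder (assumption): replace with the fixed zlib version named in
# your distributor's advisory.
FIXED_VERSION = (2, 0, 0)


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def embedded_zlib_versions(data):
    """Return the set of (component, version) pairs embedded in a byte blob."""
    found = set()
    for match in ZLIB_MARK.finditer(data):
        component = match.group(1).decode()
        found.add((component, parse_version(match.group(2).decode())))
    return found


def needs_rebuild(data, fixed_version=FIXED_VERSION):
    """List embedded zlib copies older than fixed_version (empty if none)."""
    return sorted(v for v in embedded_zlib_versions(data) if v[1] < fixed_version)


def scan_tree(root, fixed_version=FIXED_VERSION):
    """Map each file under root that carries a stale zlib copy to its findings.

    A dynamically linked program only references the shared library by name,
    so it is not reported; the shared libz itself is. Packed or compressed
    images (for example a compressed kernel) hide the marker and must be
    checked from their unpacked form.
    """
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        stale = needs_rebuild(data, fixed_version)
        if stale:
            report[str(path)] = stale
    return report


# Constructed sample inputs (not real binaries): a statically linked program
# with an old copy, one with an updated copy, and a dynamically linked one.
HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 8
SAMPLE_STATIC = (
    HEADER
    + b" deflate 1.0.0 Copyright 1995-1998 Jean-loup Gailly \x00"
    + b" inflate 1.0.0 Copyright 1995-1998 Mark Adler \x00"
)
SAMPLE_PATCHED = HEADER + b" inflate 2.0.0 Copyright 1995-2002 Mark Adler \x00"
SAMPLE_DYNAMIC = HEADER + b"libz.so.1\x00inflateInit_\x00"

if __name__ == "__main__":
    for name, blob in [("static", SAMPLE_STATIC),
                       ("patched", SAMPLE_PATCHED),
                       ("dynamic", SAMPLE_DYNAMIC)]:
        print(name, needs_rebuild(blob) or "no stale embedded zlib found")
```

Run `scan_tree("/usr")` (or any other directory) to list files that need a rebuilt package rather than just an updated shared library.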

Slackware rsync update. This Slackware upgrade to the rsync packages makes "sure that supplementary groups are removed from a server process after changing uid and gid". It also addresses the zlib double-free bug described above.

Mandrake Linux update for mod_frontpage. Mandrake Linux has released a security update for mod_frontpage.

Debian update for xtell. Updated Debian packages are available for the simple messaging client and server xtell. "In detail, these problems contain several buffer overflows, a problem in connection with symbolic links, unauthorized directory traversal when the path contains '..'. These problems could lead into an attacker being able to execute arbitrary code on the server machine. The server runs with nobody privileges by default, so this would be the account to be exploited."

XTux Arena server DoS vulnerability. XTux Arena is a client server network game for X11 featuring opensource mascots. The XTux server may be subject to DoS attacks as described in this post to Bugtraq.

Multiple Ecartis/Listar vulnerabilities are described by Janusz Niewiadomski and Wojciech Purczynski in this post to Bugtraq. "Listar is a open-source software package that administers mailing lists (similar to Majordomo and Listserv)."

web scripts. The following web scripts were reported to contain vulnerabilities:

  • Directory traversal vulnerability in phpimglist. There is a vulnerability in phpimglist which "allows a user to traverse through directories outside the web root." phpimglist 1.2.2 fixes the problem and is available from here.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • CaupoShop 1.30a, and maybe all versions before, may be subject to a nasty cross-site-scripting bug. Caupo has released a new version which fixes the problem.


Apache mod_ssl buffer overflow vulnerability. According to this announcement "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment[...]." (First LWN report: March 7).

This week's updates:

Previous updates:

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

	file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7).

Developers using the 4.2.0 branch are not vulnerable because file upload support was completely rewritten for that branch.

This week's updates:

Previous updates:

Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.


Linux security week. The and publications from LinuxSecurity.com are available.


Upcoming Security Events.
| Date | Event | Location |
|---|---|---|
| March 14, 2002 | Financial Cryptography 2002 | Southampton, Bermuda |
| March 18 - 21, 2002 | Sixth Annual Distributed Objects and Components Security Workshop | (Pier 5 Hotel at the Inner Harbor) Baltimore, Maryland, USA |
| March 18 - 20, 2002 | InfoSec World Conference and Expo/2002 | Orlando, FL, USA |
| April 1 - 7, 2002 | SANS 2002 | Orlando, FL., USA |
| April 5 - 7, 2002 | Rubicon | Detroit, Michigan, USA |
| April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC |
| April 14 - 15, 2002 | Workshop on Privacy Enhancing Technologies 2002 | (Cathedral Hill Hotel) San Francisco, California, USA |
| April 16 - 19, 2002 | The Twelfth Conference on Computers, Freedom & Privacy | (Cathedral Hill Hotel) San Francisco, California, USA |
| April 23 - 25, 2002 | Infosecurity Europe 2002 | Olympia, London, UK |
| May 1 - 3, 2002 | cansecwest/core02 | Vancouver, Canada |
| May 4 - 5, 2002 | DallasCon | Dallas, TX., USA |
| May 12 - 15, 2002 | 2002 IEEE Symposium on Security and Privacy | (The Claremont Resort) Oakland, California, USA |
| May 13 - 14, 2002 | 3rd International Common Criteria Conference (ICCC) | Ottawa, Ont., Canada |
| May 13 - 17, 2002 | 14th Annual Canadian Information Technology Security Symposium (CITSS) | (Ottawa Congress Centre) Ottawa, Ontario, Canada |

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney

March 14, 2002

LWN Resources

Secured Distributions:
Astaro Security
Engarde Secure Linux
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux

Security Projects
Linux Security Audit Project
Linux Security Module

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

BSD-specific links

Security mailing lists
Linux From Scratch
Red Hat
Yellow Dog

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Security Focus



See also: last week's Kernel page.

Kernel development

The current development kernel release is 2.5.6, which was released on March 8. The final release added little to the prepatches; the main feature of this release from a user's point of view remains the inclusion of IBM's JFS journaling filesystem.

The first 2.5.7 prepatch has been released. It includes Rusty Russell's fast user-space semaphore patch ("futexes"), a thrashup of the VLAN code, the new wireless driver API, a redesigned video device implementation, and numerous fixes and updates.

Dave Jones has released no "dj" patches over the last week. He has presented excuses like moving into a new house as a reason for that.

Guillaume Boissiere's latest 2.5 status summary is available.

The current stable kernel release is 2.4.18. The current 2.4.19 prepatch from Marcelo is 2.4.19-pre3. Along with the usual array of fixes and updates it includes the "new" IDE code - in its original form, not the increasingly reworked version found in the 2.5 kernel. In fact, the -pre3 version is missing some important fixes that went into 2.5 early on - it still has the bug that caused 2.5 to destroy filesystems. There have been no reports of corrupted filesystems with this prepatch, but it should be approached with some care anyway.

Alan Cox's latest prepatch is 2.4.19-pre2-ac4. There is a long list of fixes, but no amazing new features.

Alan has also announced the first 2.2.21 release candidate.

Other kernel trees. The day may yet come when the number of available kernel trees exceeds the number of Linux users...

  • Andrea Arcangeli's latest is 2.4.19-pre3-aa1. It adds his latest VM implementation (vm-31), the X86-64 port, User-mode Linux, and a number of fixes.

  • J.A. Magallon has released 2.4.19-pre2-jam3 with the latest VM code, the O(1) scheduler, the IDE patch, and other performance-oriented fixes.

  • Jörg Prante has released 2.4.19-pre2-jp7, which includes ALSA, the reverse mapping VM, the O(1) scheduler, the preempt patch, the IDE patch, XFS, JFS, various crypto patches, and much more.

  • 2.4.19-pre2-ac4-xfs-shawn10 from Shawn Starr includes XFS, the reverse mapping VM, Jan Kara's reworked quota system, and more.

  • A new entry this week is 2.4.18-mcp3-WOLK from Marc-Christian Petersen, which is inspired by the FOLK patch. It throws in Win4Lin, the preempt patch, the international crypto patch, the IDE patch, JFS, XFS, FreeS/WAN, NWFS, lm_sensors, and a great many other patches.

Linus on BitKeeper. It was already clear, of course, that Linus is not bothered by the BitKeeper license. For anybody who didn't know that, however, he stated his views this week:

And I personally refuse to use inferior tools because of ideology. In fact, I will go as far as saying that making excuses for bad tools due to ideology is _stupid_, and people who do that think with their gonads, not their brains.

Most of the developers seem to be at ease with his position. It is worth pondering, however, on why so many of us insisted on using Linux systems in the early 90's, when it was still clearly inferior to the numerous proprietary Unix systems that were available at the time. Without a certain amount of "gonad thinking," Linux might not have come so far so quickly.

Meanwhile, there has been a small discussion of what features are offered by BitKeeper that really make it worthwhile for the kernel developers. Here's a partial list:

  • Much nicer merging of patches. The three-way merge tool (screenshot) is seriously slick. But the ability to carry merges forward through multiple patch sets is just as important. Merging of patches can be a painful task; having to only do it once can be a real relief.

  • The ability to check in entire patch sets as a single operation.

  • The distributed repository feature is a key to the whole thing. BitKeeper works well with the kernel development style by allowing each developer to set up independent trees and facilitating the movement of patches between those trees.

  • Understanding of directories and operations like renaming; CVS does not handle these well at all.

There are developers out there who are talking about adding these features to the existing free source management systems. It's a nontrivial task, however; the first release is likely to be some time in the future. (Then again, Hans Reiser wants to incorporate version control into the filesystem, and plans to do so with a future ReiserFS release. "Version control has to become just another expected filesystem feature, and one that is so transparent to users that Mom uses it without fear.")

The hostile takeover of the 2.5 IDE code is now officially complete: Martin Dalecki's IDE 18 patch changed the MAINTAINERS file to list him as the person in charge of that subsystem. There were no immediate complaints, but things heated up a bit when he released IDE 19. Therein were comments like:

Apply Pavels Macheks patch for suspend support. Whatever some persons argue that it's not fully implemented, I think that we are in development series right now. I don't buy the mock-up examples for problems with either outdated or broken hardware. Micro Drives are for example expected to be drop in replacements for CF cards in digital cameras and I would rather expect them to be very tolerant about the driver in front of them.

Martin has also been heard to say: "Breakage is the price you have to pay for advancements."

It turns out that some kernel developers are not entirely pleased with the idea of "breakage" in the IDE code - they like their disks to work. There is a feeling that it is better to follow the standards than to expect drives "to be very tolerant about the driver in front of them." Few people have come out in defense of the existing code, but some feel that the current approach to "cleaning up" the IDE code is negligent to the point of carelessness.

The discussion, in fact, involved some of the most unpleasant personal attacks seen on linux-kernel for some time. It also appears to have changed little; Martin continues to crank out IDE patches, and Linus continues to accept them. Perhaps Martin has received a message, however, that standards compliance and stability are important. When it comes to disks, people are not willing to pay for their advancements with any great amount of breakage.

On the future of IDE taskfile commands. The IDE taskfile ioctl (which allows passing arbitrary low-level commands to IDE peripherals) has generally been the source of no end of inflammatory discussions in its own right. Compared to the other IDE threads, however, the current taskfile discussion seems like a new height of civility and technical content.

The issue is not whether low-level commands should be allowed - there is widespread agreement that this capability is occasionally required. Diagnostic code needs it, if nothing else. But when Andre Hedrick first implemented the taskfile capability, he included an IDE command parser to ensure that all commands passed to the drives were legal according to the standards. There never has been a consensus on whether this sort of command filtering is appropriate.

Those in favor of filtering point out that the consequences of executing a malformed IDE command can be severe: loss of data or, in the worst case, having to throw away a brick that was once a working drive. Filtering can thus protect against both programming errors and deliberate attacks. Proponents of filtering also see it as a possible way of defeating future "digital rights management" schemes which may depend on new, undocumented IDE commands.

The opposition points out that most drives have some unique, vendor-specific commands. Unless somebody wants to build (and maintain) a table of all such commands, any filtering is certain to block legitimate commands for some users. The protection against attacks is seen as being weak at best, since a process which is able to execute taskfile commands can also just go and pound on the I/O ports directly. And dealing with DRM schemes is probably not going to be so simple.

For all these reasons, Linus has generally been against IDE command filtering. He also points out that the IDE layer should not be performing any such filtering in any case. The IDE layer, after all, is a driver for the IDE host controller; the commands to be filtered are, instead, aimed at IDE disks. Linus compares IDE filtering to having a network adapter driver perform validity testing and filtering for network protocols.

There are some things that need to be done with low-level commands, however. At a minimum, the buffers they use must be verified. But it would also be a very good idea to better sequence their execution with all of the other IDE commands that may be running at the same time.

So Linus has proposed a new scheme for the handling (and possible filtering) of low-level IDE commands. These commands would be moved out of the IDE driver, into a separate loadable module. Paranoid administrators who do not want those commands executed at all could simply remove the module from their systems entirely. The rest could configure a module which did as much (or little) filtering as they wanted.

This module would not talk directly with the IDE subsystem. Instead, any low-level commands would be run through the drive's request queue along with all the other drive operations. This scheme forces low-level commands to be sequenced along with any other disk activity, and should help ensure that they are executed in a way that doesn't interfere with the other things the system is trying to do.

There have been very few complaints about this proposal. Its implementation would be some work, but there may just be a solution to the problem of the taskfile commands and filtering in sight.

Going for the fastest kernel compile. Martin Bligh posted an interesting note this week. He started with the 2.4.18 kernel and a 16-node NUMA system using 700MHz P3 processors. With that system, he was able to build a kernel in 47 seconds, which would make most of us reasonably happy. Martin wasn't satisfied with that, though, so he applied a series of patches to bring that time down:

  • Various NUMA memory allocation fixes: 27 seconds.
  • The O(1) scheduler from 2.5: 25 seconds.
  • A NUMA-oriented scheduler patch: 24 seconds.
  • A dcache patch which improves cache behavior: 23 seconds.

Compiling a kernel in 23 seconds isn't bad - it looks like a record.

Records, though, are meant to be broken. So Anton Blanchard rose to the challenge with a 24-node "logical partition" on a PowerPC64 system running a patched version of 2.5.6. Building a kernel with the same configuration as Martin's, above, he got the job done in 10.3 seconds. That will be a hard performance to beat, but somebody, somewhere, is certainly working on it.

Other patches and updates released this week include:

Core kernel code:

  • Robert Love has posted a new version of his system call allowing processes to set their processor affinity.

  • A new version of the delayed allocation patch has been posted by Andrew Morton. He might just be looking for people to try it out: "Does anyone know what 'CFT' means? It means 'call for testers'. It doesn't mean 'woo-hoo, it'll be neat when that's merged <delete>'. It means 'help, help - there's no point in just one guy testing this'."

  • Larry Kessler has released an implementation of POSIX event logging for the 2.5.6 and 2.4.18 kernels.

  • Rik van Riel has released a kernel with the reverse mapping VM in RPM format.

  • Erich Focht has posted a new version of his NUMA scheduler.

Development tools:

  • The Linux Test Project ltp-20020307 release is available. Numerous new tests have been added.

  • Keith Owens has released kdb 2.1-2.4.18 for the Sparc64 architecture.

Device drivers

  • The seventh test release of the new Tigon3 driver has been announced by David Miller.

  • A new beta Conexant HCF "linmodem" driver has been announced by Marc Boucher.

Filesystems and related:

  • Kevin Corry has announced version 0.9.2 of the Enterprise Volume Management System.

  • A new, vastly reworked disk quota system has been posted by Jan Kara.

  • Steve Best has announced the release of JFS 1.0.16.

  • Andreas Gruenbacher has released version 0.8.20 of the access control list patch.


  • Rusty Russell has posted a fast userspace read/write lock ("furwock") implementation based on futexes. He has also posted an explanation of how futexes work.


  • This week's release of the Affix BlueTooth stack is version 0_94.

  • Alexander Viro has posted an implementation of the "nfsd" filesystem - a new way of communicating with the NFS server process to perform tasks like exporting filesystems.


  • James Bottomley has posted a new version of his port to the NCR Voyager architecture.

Section Editor: Jonathan Corbet

March 14, 2002


See also: last week's Distributions page.


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Debian Project Leader Elections. Most readers of this column will already be aware that the Debian Project elects a new leader each year, and that Debian Project Leader (DPL) elections are currently underway. The DPL guides Debian policy and Debian development over the course of his term. Last week we announced the candidates and a panel was selected for the upcoming debate between the candidates. The debate will be held on IRC and has been tentatively scheduled for March 23rd 04:00 UTC. There is a call for questions out now.

Each of the three candidates has written a platform statement which can be found here. We will also provide a summary of the platforms here. It is not too surprising that all three candidates address the release schedule and have some ideas about how to accomplish more frequent releases. They are also all staunch believers in free software and the principles behind the open source movement. But they are also individuals with their own ideas of what it means to be the DPL. So, here are the candidates, listed in alphabetical order.

Bdale Garbee joined the Debian community in early 1995, and has been contributing to the project in a variety of ways ever since. In May of 2001 he accepted employment with Hewlett-Packard, as an Engineer/Scientist in the Linux Systems Operation (LSO). Debian is the development platform within the LSO for the kernel and related work required to enable Linux support on HP's hardware, so he spends part of his time working on Debian, particularly the IA-64 port. The job also includes:

* helping make sure HP participates as a good citizen in the Debian and larger Open Source communities
* architecting solutions that enable multi-architecture, multi-distribution Linux installation and support on HP hardware
* leading technical development of HP's Linux Enablement Kit products
* helping form HP Linux strategy

He also gets to travel to and speak at a variety of Linux conferences.

Bdale is a strong believer in Free Software and the Community Development Model, and maintains a vision of Debian as a universal operating system: one that runs on many platforms and contains quality code that "just works", with a more predictable release schedule. As DPL he would also work to improve Debian infrastructure, security and Linux Standards Base compliance.

Raphaël Hertzog is a student at "INSA de Lyon" (in France) where he is part of the computer science department. He plans on receiving an engineering degree this summer, after which he'll be looking for a job related to free software. (Hopefully one that will leave time for Debian work). His first contact with Linux was with Debian 1.3, in 1997. Since then he tried a few other distributions before coming back to Debian. He has been a Debian developer since 1998. Raphaël is very interested in Debian Quality Assurance and is the instigator behind new maintainer sponsorship policy, Perl policy, and the package tracking system. He has a lengthy list of projects he would like to manage during the next year to improve Debian organization, and its internal and external communications.

Branden Robinson has been a Debian Developer since early 1998. He is, perhaps, best known as the maintainer of the XFree86 packages. He is also the Treasurer of Software in the Public Interest, Inc. (SPI), Debian's legal parent organization and manager of the Debian Project's assets. He is also employed as a free software developer. Branden has some very specific ideas about the role of the DPL, and what he would do if elected. These include listening to the ideas of others before making decisions, delegating responsibility where feasible, and consensus building among active Debian developers. Another goal is to better track the active developers, and weed out those who are no longer active. In order to have better Debian representation at events, he would delegate regional Event Coordinators. These people would be responsible for keeping track of trade shows, major Linux User Group events, etc., at which Debian should have a presence and to ensure that someone is available to provide that presence. As DPL he would recruit volunteers on behalf of SPI and attempt to grow the organization. He plans to revitalize the Technical Committee and improve the release cycle as well. Other goals include the initiation of a Debian Legal Team, revision of the Debian Machine Usage Policy, providing a greater "Debian Voice" in the greater political machine, and steering development away from non-free software.

New Distributions

Arch Linux. Arch Linux is an i686-optimized Linux distribution. It is lightweight and contains the latest stable versions of software. Packages are in .tar.gz format and are tracked by a package manager that is designed to allow easy package upgrades. Arch is designed to be streamlined while allowing for a customized configuration, with newer features such as reiserfs/ext3 and devfs. The initial release 0.1 became available March 11, 2002.

Distribution News

More Debian News. Here's the Debian Weekly News for March 6. It looks at the second Debian Conference (Toronto, July 5-7), the Debian leader election, Woody's release status, and more.

Here, also, is the March 10 Woody Release Status Update.

Linux From Scratch. Linux From Scratch has released stable version 3.2 with major bug fixes.

Mandrake Linux Community Newsletter. The Mandrake Linux Community Newsletter for March 5 is available. It looks at the release of Mandrake Linux 8.2 beta 4, a new training offering, MandrakeSoft at CeBIT, and more.

The Mandrake Linux Community Newsletter for March 12 is also out. It looks at the availability of 8.2 RC1, a legislative alert, and more.

SuSE Linux 8.0 Available on April 22nd. SuSE has announced that SuSE Linux 8.0 will hit the shelves on April 22. New features include more security products (i.e. IPSec), a three-step installation procedure, and KDE 3. (Update: SuSE has since sent us a second release with more details on the new features in 8.0).

Minor Distribution updates

Astaro Security Linux. Astaro Security Linux has released 3.031 (Beta) which contains major bug fixes.

ClumpOS. ClumpOS has released R5.4 with major feature enhancements.

Fd Linux. Fd Linux has released 2.1-0 with major feature enhancements.

floppyfw. floppyfw has released development version 1.9.19 which updates the kernel to 2.4.18, and contains minor bug fixes.

LEAF (Linux Embedded Appliance Firewall). LEAF (Linux Embedded Appliance Firewall) has released beta-4 (Bering).

Leka Rescue Floppy. Leka Rescue Floppy has released version 0.5.2 with minor feature enhancements.

Recovery Is Possible. Recovery Is Possible (RIP) released version 50, with minor feature enhancements.

Distribution Reviews

Linux Orbit Reviews Lycoris Desktop/LX distribution. Linux Orbit reviews the Lycoris Desktop/LX distribution. "Lycoris Desktop/LX has really raised the bar for simple Linux installations. What they've done for convenience however may not make an experienced Linux user happy. The number of choices you have for your configuration are limited to those needed to set up a Linux workstation. This is a distribution clearly focused at current Windows users or Linux newbies looking to get the Microsoft license monkey off their back, which is really original for Linux distributions when you think about it."

Section Editor: Rebecca Sobol

March 14, 2002

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.


See also: last week's Development page.

Development projects

News and Editorials

GTK+ 2.0 Released

Version 2.0 of GTK+, the Gimp Toolkit widget set, is available. GTK+ was originally developed for The GIMP image manipulation system. It now sees wide use as the toolkit for the popular GNOME desktop.

Some of the more popular GTK+ based applications include the GIMP, the AbiWord word processor, the Dia drawing program, the Glade user interface builder, the GnuCash financial program, and the Gnumeric spreadsheet.

GTK+ consists of three libraries:

  • GLib "is the low-level core library that forms the basis of GTK+ and GNOME. It provides data structure handling for C, portability wrappers, and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system."
  • Pango "is a library for layout and rendering of text, with an emphasis on internationalization. It forms the core of text and font handling for GTK+-2.0."
  • ATK is the library that "provides a set of interfaces for accessibility. By supporting the ATK interfaces, an application or toolkit can be used with such tools as screen readers, magnifiers, and alternative input devices."

GTK+ works with C, C++, Perl, Python, Objective C, and O'Caml, as well as other languages. It is designed to make the addition of support for other languages easy. See the GTK+ FAQ for more information.

GTK+ 2.0 Features

The announcement for GTK+ version 2.0 lists these new features:

  • Enhanced internationalization with full Unicode support.
  • A text widget that supports multiple views of a buffer, styled text, and internationalization capabilities.
  • A powerful tree and list display widget.
  • Improved accessibility support via ATK.
  • The ability to load and manipulate images via gdk-pixbuf.
  • Improved programming interfaces as a result of developer feedback.
  • Improved usability including better keyboard navigation.
  • A new default appearance.
  • Type and object abstraction for wider use.
  • A preview version of the Microsoft Windows port.
  • A simplified and enhanced API which is the result of developer feedback.

It is good to see that the GTK+ developers are taking developer feedback into consideration; the temporary instabilities caused by the changes should be outweighed by the eventual gains in coding efficiency. (Thanks to Joel Becker.)

GNOME 2.0 Beta 2.

The second beta of the GNOME 2.0 desktop, which uses GTK+ 2.0, also has been released for testing. The developers are looking for testers to find and fix bugs.


SAPDB Version available. Version of the SAPDB relational database is available. See the release notes for all of the details.

Embedded Systems

The birth of the Embedded Linux Specification. LinuxDevices.com is carrying a call to all Embedded Linux companies to attend the Embedded Linux Consortium meeting on March 12 in San Francisco (during the Embedded Systems Conference). The purpose of the meeting is to start work on the Embedded Linux Specification, a standards effort which looks much like the Linux Standard Base for embedded systems.


Graphics programming with libtiff (IBM developerWorks). Michael Still introduces libtiff, a C library that implements the TIFF graphics standard. "TIFF (Tag Image File Format) is a raster image format that was originally produced by Adobe. Raster image formats store the picture as a bitmap describing the state of pixels, as opposed to recording the length and locations of primitives such as lines and curves. Libtiff is one of the standard implementations of the TIFF specification and is in wide use today because of its speed, power, and easy source availability."

Mail Software

Python milter v0.4.0 released (Milter). A new version of Python milter, a mail filtering utility, has been announced. This version features bug fixes and simplified content scanning in the mime module.

Peer to Peer

Expanding ChatBot's Repertoire (O'Reilly). DJ Adams continues his article on Chatbot, a Perl-based Jabber bot. "Rather than write a silly function that doesn't do much more than say 'Hello World,' let's look at giving ChatBot a facility that has some use beyond this article. Despite the arrival of the Euro currency in Europe, currency conversion still has its uses, especially for those countries (like my homeland) that have not yet taken the plunge. Another use of currency conversion is it allows for discussion of prices of items essential for everyday life, such as MP3 hardware, between the U.K. and the U.S."

Printing Software

LPRng-3.8.9 has been released. Version 3.8.9 of the LPRng print spooling system is available. The changes include bug fixes and new documentation.


XML Biometrics Standards Committee Forms (LinuxMedNews). LinuxMedNews reports on a new standards committee that has formed to define an XML-based standard for biometric information.

Web-site Development

New version of PHP Review. A new version of the PHP Review book review system is available and includes a couple of bug fixes.

Zope Members' News. The latest Zope Members' News includes a report on the rapid growth of FreeZope.org, an announcement for the Zope BBQ, and takes a look at NuxDocument 0.9 and ZCVSFolder 0.2.7b1.

asp2php Version 0.76.1 released. A new version of asp2php is available. This version features a newly rewritten program core. More changes are on the way.

March 14, 2002




Desktop Development

Audio Applications

mpg321 0.2.9 Released. Version 0.2.9 of mpg321, the free replacement for mpg123, has been released. Highlights of this version include Shoutcast support, ID3 tag support, a bug fix for gtoaster, improved network support, and more.

AlsaPlayer 0.99.56 released. Version 0.99.56 of the AlsaPlayer PCM player is available. This release features "lots of small bugfixes".

Web Browsers

Encompass Alpha Release 2 (Gnotices). A second alpha release of the Encompass web browser for GNOME has been announced. "This version contains preliminary support for HTTP POST, HTTP Authentication, and HTTP Proxy via the http_proxy environment variable."

Mozilla 0.9.9 released. Version 0.9.9 of Mozilla has been released. This version now supports MathML by default. It also has an improved JavaScript debugger, SOAP support, TrueType font support, and the ability to disable pop-up messages, as well as many other features. A fix for the recent zlib security vulnerability is also included.

Galeon 1.2 released. Following quickly after Mozilla 0.9.9, it didn't take long for Galeon version 1.2 to be released. Check out the announcement and then hit the Galeon home page for your download.

MozillaZine. The latest MozillaZine looks at Mozilla 0.9.9, the new Mozbot 2.2 IRC bot, and more.

Desktop Environments

GNOME Summary. The GNOME Summary for March 2 is available. Covered topics include the new GNOME software map, reviews of Evolution, Galeon, and Gnumeric, and more.

NEW GNOME Installation Guide And Review For GNOME 2.0 Published. A new version of the GNOME Installation Guide has been announced; this edition features new information on GNOME 2.0.

GARNOME Preview Four: 'Perdon; estoy buscando mis pantalones.'. GARNOME 0.8.0, "the bad-ass, bleeding edge GNOME distribution for testers and tweakers everywhere," has been released. Here's a (relatively) easy opportunity to test out the upcoming GNOME 2.0 desktop and find any remaining problems.

New KDE documentation site. By way of KDE.News, we've learned of the launch of docs.kde.org, a new, comprehensive documentation site for the KDE desktop.

People of KDE: Neil Stevens. This week's People of KDE features Neil Stevens, the person in charge of "Kit, Kaboodle, Megami, and a bunch of hard-to-translate Noatun plugins".

LinuxQuestions Members Choice Awards: KDE Kleans Up. LinuxQuestions.org has picked KDE as their favorite desktop. Applications such as Konqueror and KMail also received high scores.


The Chopping Block for March, 2002. The March, 2002 issue of The Chopping Block is available on the WorldForge Game site. Articles include a description of the WorldForge project, a look at the COAL map handling library, a review of the Kings Feast project, and talk on licensing issues.

Pygame: BOMBERS. This week, the Pygame site features BOMBERS 0.7, a "space shootem up" game.


Gimp 1.3.4 released. Gimp version 1.3.4, which is "targetted for developers and curious users" and not for daily work, has been announced. See the README for details.

GUI Packages

New fltk applications. The FLTK site lists two new applications, SpiralSynthModular 0.0.8, an object oriented modular softsynth / sequencer / sampler, and FL-Inventor 0.9.1, a 3D VR applications toolkit.


Wine 20020310 announced. A new version of Wine has been announced. Version 20020310 is identical to the previous version, except for the change to the GNU Lesser General Public License.

Wine Weekly News. The March 8, 2002 edition of the Wine Weekly News has been published. Topics include Crossover 1.1.0, Wine licensing, an X11-licensed fork, and more.

Samba 2.2.3a released. Version 2.2.3a of Samba has been released. It includes a bug fix for a Windows Explorer bug that showed up in the 2.2.3 release. Upgrades are recommended.


GStreamer 'GUADEC By Foot' 0.3.3 released (Gnotices). Version 0.3.3 of the GStreamer Multimedia framework has been released. "This release contains a lot of nice fixes and updates including a new cothread system, a new autoplugger, many new plugins and more."

Office Applications

Release of GnuCash 1.6.6 (Gnotices). A new version of GnuCash has been released. Version 1.6.6 features new and updated translations, improved exchange rate calculations, bug fixes, and other features.

Two new Gnumeric releases. Gnumeric 1.0.5, a bugfix version of the stable release, has been announced.

Gnumeric 1.1.1, from the development branch, has also been announced; the claim is that this version works as well as stable version 1.0.

Kernel Cousin GNUe #19. Issue #19 of Kernel Cousin GNUe has discussions on the GNUe Application Server v2 (GEAS), using analysis patterns for module proposals, integrating Zope and GNUe, data protection, databases, and more.

AbiWord Weekly News #83. Issue #83 of the AbiWord Weekly News covers the latest developments on the AbiWord word processor.


Programming Languages


Caml Weekly News. The March 12, 2002 edition of the Caml Weekly News looks at WhizzyTeX 1.0 and an ssl library for Ocaml.


g95 status. Progress continues on the g95 FORTRAN compiler project; the current goal is to finish the type resolution system. A Linux binary is available if you want to see how g95 reacts to your FORTRAN code.


Cache-Friendly Web Pages (O'Reilly). Jennifer Vesperman explains the HTTP Expires and Cache-Control headers on O'Reilly's Linux Devcenter. "There are a lot of HTTP caches out there. How long are they holding your pages? How long should they hold your pages? RFC 2616 (HTTP/1.1) specifies that caches must obey Expires and Cache-Control headers--but do your pages have them? How do you add them? What happens to your pages if you don't?"


Merlin brings nonblocking I/O to the Java platform (IBM developerWorks). Aruna Kalagnanam and Balu G write about nonblocking I/O in Merlin. "Until JDK 1.4 (aka Merlin), the Java platform did not support nonblocking I/O calls. With an almost one-to-one ratio of threads to clients, servers written in the Java language were susceptible to enormous thread overhead, which resulted in both performance problems and lack of scalability."

Top Ten Cool New Features of Java 2SE 1.4 (O'Reilly). David Flanagan examines Java 2SE 1.4 on O'Reilly's OnJava site. For the impatient, the covered features are: Parsing XML, Transforming XML, Preferences, Logging, Secure Sockets and HTTPS, LinkedHashMap, FileChannel, Non-Blocking I/O, Regular Expressions, and Assertions.


Free The X3J Thirteen! for February, 2002. The February, 2002 edition of Free The X3J Thirteen! is out. "This issue covers a new vendor-neutral package format for cCLan, MK:DEFSYSTEM 4 and CLAWK, the Common Lisp Cookbook project, the SPARC and Alpha ports of SBCL, a new version of CL-PDF, and the forthcoming releases of CMU CL and CLISP."

Universal Foreign Function Interface. UFFI, the Universal Foreign Function Interface is available. UFFI is a tool for interfacing Common Lisp to C-language compatible libraries.


Rindolf Specification Document v0.1.12. A new version of the Rindolf Specification Document has been published by Shlomi Fish. Rindolf is a dialect of Perl. Briefly, "Rindolf aims to be an improved and re-engineered Perl 5".

Perl 6 Porters. The March 12, 2002 Perl 6 Porters looks at an effort to redesign printf, Parrot 0.0.4, version 1 of the proposed Assembler PDD, and multi-method dispatch in Parrot.


PHP Weekly Summary. The March 11, 2002 edition of the PHP Weekly Summary looks at the NAPA XSLT processor, socket re-work, an aggregation function bug, the new build system, a new Universe CORBA extension, the path to version 4.2.0, and more.


The Parade of PEPs. Guido van Rossum has posted The Parade of the PEPs, a look at outstanding Python enhancement proposals and his frank opinion on what should happen with each. It's an interesting read for those following the development of the Python language.

Dr. Dobb's Python-URL!. The March 11, 2002 Dr. Dobb's Python-URL! is out. Topics include seeking fame and fortune developing Python, the Disipyl Python interface to DISLIN, RPy, for interfacing to the R language, processing volume images with BBLImage, the lfm v0.8 midnight commander clone, and more.

Text Processing In Python draft available. David Mertz has announced that a draft of his upcoming book Text Processing In Python, (to be published by Addison Wesley) is available on the web. He is looking for feedback on ways to improve the book, of course.

The Daily Python-URL. This week's accumulation of articles on The Daily Python-URL includes an announcement for a new Python Imaging Library, the EDDIE Tool systems administration helper, the disipyl DISLIN wrapper, the BBLimage image processing tools, and more.


The Ruby Garden. This week's Ruby Garden looks at BioRuby.org, which features Ruby libraries for working with DNA data.

The Ruby Weekly News. The March 11, 2002 edition of the Ruby Weekly News looks at DBTalk 0.5, an interactive GUI based tool for database querying, programming, and administration, the RDoc documentation tool, Ruby/SMB, and more.


Dr. Dobbs' Tcl-URL! for March 11. The March 11, 2002 edition of Dr. Dobbs' Tcl-URL! is out. Topics include a cash register application in Tcl, Tcl in embedded systems, the Tk look and feel, garbage collection, and more.


Donald Eastlake on XML Digital Signatures (IBM developerWorks). Larry Loeb interviews Donald Eastlake, editor of the XML Digital Signature (XMLDSIG) RFC. "What is 'truly secure XML?' The phrase is meaningless without a definition of what security properties you are trying to achieve and what your threat model is. XMLDSIG provides a building block. It is a flexible mechanism for the cryptographic binding of data to a key."

Integrated Development Environments

GNUstep Weekly Editorial. The GNUstep Weekly Editorial for March 8, 2002 is available. Topics include the CDPlayer application, Objective-C++ support, a gnustep-make roadmap, and more.

Software Testing

oprofile version 0.1 released. Version 0.1 of the oprofile code profiler is available. The release notes list reporting of more symbols and a better output report, in addition to lots of bug fixes.


Valgrind memory debugger. Valgrind is a memory debugging tool for C/C++ on the x86 platform. It has been used by the KDE development community for debugging libraries and applications. Valgrind has been released under the GPL. (Thanks to Julian Seward.)

Section Editor: Forrest Cook


See also: last week's Commerce page.

Linux and Business

HP Announces Global Consortium to Enable New Linux Capabilities for Academic and Industrial Research. Hewlett-Packard Company announced the formation of the Gelato Federation, a worldwide consortium focused on enabling open source Linux-based Intel(R) Itanium(TM) Processor Family computing solutions for academic, government and industrial research.

Embedded Linux Market enters era of standardization. The Embedded Linux Consortium (ELC) held an open technical meeting in San Francisco, to discuss the creation of a unified Embedded Linux "platform specification".

Panasonic Invests in MontaVista Software. MontaVista Software has received an equity investment from Matsushita Electric Industrial Co., Ltd. (MEI) through its subsidiary, Panasonic Digital Concepts Center (PDCC).

Linux for the Sony Playstation. A Linux for Playstation 2 kit is being offered for the Sony Playstation 2 game platform. "The LINUX (FOR PLAYSTATION 2) accessory kit allows you to utilize the PlayStation 2 console as a fully-functional desktop computer. Download a wealth of Linux programs -- HTML editors, multimedia players, office solutions and more -- or program your own software to run in the PlayStation 2 Linux environment." Some familiarity with the Linux operating system is recommended. (Thanks to Joe Klemmer.)

LPI holds its annual board election. The Linux Professional Institute has held its annual board election. Jon 'Maddog' Hall will be replacing Tom Peters. CeBIT attendees can visit the LPI booth and take discounted exams next week.

Free as in Freedom. O'Reilly is promoting their new biography on Richard Stallman, "Free as in Freedom". "Why would Microsoft executives lie awake at night worrying about the antics of a long-haired, renegade hacker named Richard Stallman? Why do some of the smartest programmers on the planet revere this man as 'St. Ignucius'?"

Linux Stock Index for March 08 to March 13, 2002.
LSI at closing on March 08, 2002 ... 28.40
LSI at closing on March 13, 2002 ... 28.26

The high for the week was 28.90
The low for the week was 28.24

Press Releases: