[LWN Logo]
[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters

Other LWN stuff:
 Daily Updates
 Calendar
 Linux Stocks Page
 Book reviews
 Penguin Gallery

 Archives/search
 Use LWN headlines
 Advertise here
 Contact us

Recent features:
- RMS Interview
- 2001 Timeline
- O'Reilly Open Source Conference
- OLS 2001
- GaŽl Duval
- Kernel Summit
- Singapore Linux Conference
- djbdns

Here is the permanent site for this page.

See also: last week's LWN.

Leading items and editorials


The SSSCA under any other name smells just as foul. U.S. Senator Ernest Hollings ("the Senator from Disney") has submitted his latest payback to the entertainment industry as the "Consumer Broadband and Digital Television Promotion Act," which goes under the awkward acronym of CBDTPA. This proposed law would have far-reaching effects for the free software community, and is thus worth a close look. For those wanting more information, a look at the full text of the bill is worthwhile. We'll go over the relevant portions here.

The bill begins with a set of 23 "findings," intended to justify the new law. They talk about the plight of the poor content providers, who just can't bring themselves to make their wares available on the net (or via digital television) without guaranteed protection. Current protection schemes are inadequate because:

...those agreements do not prevent the continued use and manufacture of digital media devices that fail to incorporate such security measures.

In other words, we're being told that the government must step in and make content controls mandatory for all "digital media devices." And what benefit do they "find" we will get from this?

The secure protection of digital content is a necessary precondition to the dissemination, and on-line availability, of high quality digital content, which will benefit consumers and lead to the rapid growth of broadband networks.

Many of our readers may have been unaware of the fact that any problems with the growth rate of broadband networks are due to the lack of mandatory copy protection schemes. Or that there is no high quality digital content on the net. All we have to do is to turn the net into another form of television, and these problems will go away.

Of course, the DMCA, too, was brought in with promises that it would enable a flood of wonderful digital products for us to buy...

The core of the CBDTPA is new restrictions on what a "digital media device" can do. According to the bill, a "digial media device" is (emphasis added):

The term "digital media device" means any hardware or software that: (A) reproduces copyrighted works in digital form; (B) converts copyrighted works in digital form into a form whereby the images and sounds are visible or audible; or (C) retrieves or accesses copyrighted works in digital form and transfers or makes available for transfer such works to hardware or software described in subparagraph (B).

This is, of course, a very broad definition. Any computer, which has no trouble "reproducing copyrighted works in digital form," certainly qualifies. Importantly, a "device" can be software. A Linux distribution falls under this definition, and would be bound by the requirements of this law.

The operative part of the CBDTPA falls into two phases: (1) the establishment of "security system standards," and (2) the requirement that all "digital media devices" follow those standards.

The establishment of the standards is supposed to be done in the private sector, which will be given a year to accomplish the task. Should the private sector fail to get its act together, the government (in the form of the Federal Communications Commission) will jump in and set the standards instead. Either way, there's a set of criteria to be met, defined in these vague terms:

  • reliable
  • renewable
  • resistant to attack
  • readily implemented
  • modular
  • applicable in multiple technology platforms
  • extensible
  • upgradable
  • not cost prohibitive

These terms are not further defined in the proposed law. There is one other, interesting requirement: "any software portion of such standards is based on open source code." Of course, "open source" is not defined for the purposes of this law either; still, in theory, it means that we should at least be able to see the code for the "security systems" that are being forced onto our computers.

There is a token nod toward fair use, saying that security systems must not interfere with fair use rights. The penalties for noncompliance with this section, though, are very small - far smaller than those for selling a noncompliant device or stripping protective codes. It does not look like it is meant to be taken seriously.

Once the standards are set, industry has one more year to implement them, then the enforcement stage begins. There is a section requiring ISPs to pass through protected content intact, but the core of the law is Section 5:

A manufacturer, importer, or seller of digital media devices may not: (1) sell, or offer for sale, in interstate commerce, or (2) cause to be transported in, or in a manner affecting, interstate commerce, a digital media device unless the device includes and utilizes standard security technologies that adhere to the security system standards adopted under Section 3.

In other words, unless your Linux distribution (which is a "digital media device," remember?) implements the security standards, it is now illegal - at least, if you want to sell it or transport it over state lines. (The emphasis on "interstate commerce" is the hook that gives the federal government the authority to regulate the movements of "digital media devices").

So how can free software function in this legal environment? Given that the code implementing the security standards is supposed to be open source, it could conceivably be incorporated into a Linux distribution. (Note, however, that nothing in the proposed law requires a patent-free or royalty-free standard). Such work would have to be done by a distributor; it's hard to imagine the kernel maintainers willingly incorporating this stuff into the mainline code. Then Linux users could simply remove that code. Then again, maybe not; Section 6 says:

No person may knowingly remove or alter any security technology in a digital media device lawfully transported in interstate commerce...

So one of the fundamental freedoms of free software would be stripped away: you would not legally be able to modify your system to fit your needs.

But then, can a system based on free software ever meet the standards being set by this law? A source-available system, where users can remove the corporate big brother code at will, can never be "reliable" or "resistant to attack" in the eyes of CBDTPA supporters. If that interpretation holds, Linux systems become illegal whether or not they include the security code.

What about downloading a Linux distribution from a non-US server? The legality of such an act will depend on a court's interpretation: is a user, by virtue of having performed a download, an "importer"? If so, downloading Linux from outside the U.S. is not allowed; otherwise it is legal. Either way, people would be at risk of prosecution until the precedents had been set.

The absurdity of this legislation stretches belief. It's not clear what chances it has to become law; the Senate seems well beholden to the entertainment industry, but the House seems to be less enthusiastic. We should not count on the House to put this one out of its misery, though; those of us who are in the U.S. need to let our Senators know what we think of this thing. See this EFF advisory for more information on how to do that.

iSCSI and patented technology. The IETF IP Storage working group is charged with the task of defining standards for accessing storage devices (i.e. disks) directly over an IP network. This is an increasingly interesting area: as computing systems become more distributed over ever-faster networks, why not avoid expensive "storage area network" interconnects and use the existing, cheap technology? It may well be that, not too long from now, disk drives (and arrays) will just plug into your household gigabit Ethernet next to the printer. It will be desirable, of course, for Linux systems to be able to make use of these drives.

Perhaps the most prominent standard coming out of the IPS working group is iSCSI, the encapsulation of SCSI commands within the TCP protocol. The draft iSCSI standard is nearing completion; it will go to the internet standards "last call" stage shortly. So, one would hope, there would not be any major outstanding issues with the standard at this point. Unfortunately, that is not quite true - there is a patent issue with iSCSI that has the potential to make free software implementations difficult or impossible.

An important part of the iSCSI standard is authentication. Just because you have placed a disk drive on the network does not, after all, mean that you want to let anybody have access to it. Network drives need a strong and secure authentication protocol, and the working group has tried to provide one.

The choice for authentication is the "Secure Remote Password" (SRP) protocol, which is described in RFC 2945. It looks like a reasonable protocol, providing both authentication and secure key exchange. There is only one problem: SRP appears to be covered by three separate patents, with three holders.

  • Stanford has an SRP patent. Stanford has offered a royalty-free license (PDF format) that would appear to offer no obstacles to a free software implementation.

  • Phoenix claims that its "SPEKE" patent may apply to SRP. The company will make a license available on RAND ("reasonable and non-discriminatory") terms - not royalty-free.

  • Lucent also has two patents which may be applicable to SRP. This company has made vague promises to make the patents available "in accordance with normal Lucent licensing practices," which are not RAND, much less royalty free. Lucent is not currently committing itself to a position on whether it believes a license is necessary to use SRP.

The uncertainty behind Lucent's position, in particular, has given the iSCSI working group cause to worry about the use of SRP. At a working group meeting last week, the decision was made to demote SRP from an implemention requirement to an option. Instead, another protocol (perhaps CHAP augmented by a key exchange protocol) will be made mandatory.

That could all change, though, and not for the better. According to the SRP summary from the working group meeting:

Lucent continues to be approached with requests to be more cooperative. Lucent's actions (or lack thereof) are the primary cause of this delay to iSCSI.

In other words, the working group is not bothered by the Phoenix patent, which would require the purchase of a license under RAND terms. If Lucent becomes "more cooperative," we could find ourselves faced with an iSCSI standard which is encumbered by patents. That would not be a good thing for the free software community.

For more information, see the IPS working group's web page, which has pointers to the relevant draft standards and a mailing list for discussions.

Inside this LWN.net weekly edition:

  • Security: Format string exploits in libsafe; Apache security and bug fix release
  • Kernel: Can close() fail?; cleaning up include files.
  • Distributions: Sorcerer, Sorcery, and Lunar-Penguin.
  • Development: Parrot 0.0.4, HPIJS 1.0.4, Apache 1.3.24, Analog 5.22 security fix, mpg321 0.2.10, Net Hack 3.4.0, FLTK 1.1.0b12, Evolution 1.0.3, Advance 0.7.2, Gtk2Hs, mod_lisp 2.2, CPANPLUS 0.01, Python .2.1c2.
  • Commerce: The HRP-2P Linux-powered humanoid robot; Linux software store for Zaurus Handheld; IBM and SuSE to offer 'enterprise ready' Linux services.
  • Letters: Hurd, GPL, devexit_p.
...plus the usual array of reports, updates, and announcements.

This Week's LWN was brought to you by:


March 28, 2002

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters

See also: last week's Security page.

Security


News and Editorials

Apache 1.3.24 Released. Apache version 1.3.24 has been released. "This version of Apache is principally a security and bug fix release."

Security Reports

Format string exploits in libsafe Libsafe versions prior to 2.0-12 are vulnerable to format string exploits. "Libsafe protection against format string exploits may be easily bypassed using flag characters that are implemented in glibc but are not implemented in libsafe." The current version is libsafe 2.0-13. Steve Beattie pointed out that the Immunix FormatGuard tool is not vulnerable to these kinds of attacks.

Squid proxy cache security update. Squid-2.X releases up to and including 2.4.STABLE4 are vulnerable to attack from a malicous DNS server. The problem is fixed in Squid-2.4.STABLE6 problem.

Debian Security Advisory - mtr. A buffer overflow problem in mtr may allow an attacker to gain access to the raw socket, which makes IP spoofing and other malicious network activity possible.

Redhat update for imlib. Red Hat has released a security update for imlib that fixes "potential problems loading untrusted images", this vulnerability is exploitablie via the NetPBM package.

Mandrake security alert for kdm. MandrakeSoft has issued a security alert for kdm; it seems that the default configuration allows XDMCP connections from anywhere. The workaround is to make a small configuration file change; see the alert for details.

Komba Samba share browser password disclosure vulnerability. The problem is fixed in Komba2 0.7.3. All prior versions are vulnerable.

Webmin local privilege escalation vulnerabilities. The webmin 0.93 release fixes local privilege escalation vulnerabilities in the /var/webmin and /etc/webmin/servers/ directories.

web scripts. The following web scripts were reported to contain vulnerabilities:

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

zlib corrupts malloc data structures via double free. This vulnerability impacts all major Linux vendors. It may impact every Linux installation on Earth. Updates are required to zlib and any packages that were statically built with the zlib code. (First LWN report: March 14).

LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable."

Updating is recommended. As always, please proceed with caution when applying updates to the kernel.

This week's updates:

Previous updates:

See also: articles in ZDNet and The Register about the zlib vulnerability. And, these reports from ZDNet and Vnunet on this vulnerability in some of Microsoft's major applications.

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

  
	file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7).

Developers using the 4.2.0 branch, are not vulnerable because because file upload support was completely rewritten for that branch.

This week's updates:

Previous updates:

Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.

Resources

RAV AntiVirus v8.5 for Linux Review (LinuxLookup). Here is a review of RAV AntiVirus v8.5 for Linux. "RAV AntiVirus v8.5 for Linux Mail Servers, Servers, and Workstations is flexible and scalable, allowing independent configuration of the scanning module, fully independent from the Mail Server. In the configuration file you can customize the actions to be taken by RAV when detecting a virus - clean, move, copy, rename, delete, ignore, reject - and benefit of advanced features, like warning the sender, warning the receiver or warning a third party (the server administrator when detecting an external threat)."

Getting Started with Gnu Privacy Guard (Open for Business). Here is a HOWTO article on using GNU Privacy Guard (GPG). "The idea of signing your key is to create a "web of trust," where if John trusts Jim's identity, and Jim trusts Nancy's identity, then John knows he can trust the identity of Nancy too. Most often, signing is reciprocal, so John and Jim probably signed each other's keys, and Jim and Nancy did the same."

Linux security week. The publication from LinuxSecurity.com is available.

Events

UniNet announced the 1st Information Security Conference at UniNet, InfoSec 2002, which will run from April 15th to 19th on the UniNet IRC network (irc.uninet.edu) in the channel #infosec.

Upcoming Security Events.
Date Event Location
April 1 - 7, 2002SANS 2002Orlando, FL., USA
April 5 - 7, 2002RubiconDetroit, Michigan, USA
April 7 - 10, 2002Techno-Security 2002 ConferenceMyrtle Beach, SC
April 14 - 15, 2002Workshop on Privacy Enhancing Technologies 2002(Cathedral Hill Hotel)San Francisco, California, USA
April 15 - 19, 2002InfoSec 2002UniNet IRC network (irc.uninet.edu) - channel #infosec
April 16 - 19, 2002The Twelfth Conference on Computers, Freedom & Privacy(Cathedral Hill Hotel)San Francisco, California, USA
April 23 - 25, 2002Infosecurity Europe 2002Olympia, London, UK
May 1 - 3, 2002cansecwest/core02Vancouver, Canada
May 4 - 5, 2002DallasConDallas, TX., USA
May 12 - 15, 20022002 IEEE Symposium on Security and Privacy(The Claremont Resort)Oakland, California, USA
May 13 - 14, 20023rd International Common Criteria Conference(ICCC)Ottawa, Ont., Canada
May 13 - 17, 200214th Annual Canadian Information Technology Security Symposium(CITSS)(Ottawa Congress Centre)Ottawa, Ontario, Canada
May 27 - 31, 20023rd International SANE Conference(SANE 2002)Maastricht, The Netherlands

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


March 28, 2002

LWN Resources


Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters

See also: last week's Kernel page.

Kernel development


The current development kernel release is 2.5.7. Linus is on vacation, so no 2.5.8 prepatches have been released.

Dave Jones released 2.5.7-dj1 on March 21. "Resync, add compile fixes, simmer for 30 mins on low heat. Add random pending patches to taste. Still untested beyond 'it compiles', handle with care."

Here is Guillaume Boissiere's 2.5 status summary for March 27.

The current stable kernel release is 2.4.18; the current 2.4.19 prepatch from Marcelo remains 2.4.19-pre4; released on March 20.

Alan Cox's latest prepatch is 2.4.19-pre4-ac2. It includes a great many fixes and a lot of USB updates, but there have been no major changes since the new IDE code went in last week.

When close() goes bad. The close() system call is defined with the usual sort of return value: zero on success, nonzero otherwise. Most programmers do not look too closely at the return value from close(); after all, when you are closing a file descriptor, the useful work has generally been accomplished. But a close can return a failure code. This code does not generally refer to the close operation itself (which must succeed); instead, it can be used to indicate a failure in some other, perhaps related device operation. A CDROM driver could return a failure status if it is unable to unlock the drive door, for example. Other devices may still have operations outstanding, and the return value from close() is the only way to report problems with those operations.

Inside the kernel, close() maps to a function called release() in the file_operations structure. That function, too, has a return value. So Axel Kittenberger was surprised to find out that there was no connection between the release() return value and what the application gets back from close(). Instead, that value is discarded, and close() always succeeds. He has posted a patch which fixes the situation by passing the release() return value through.

Not everybody agrees that this is the right thing to do, interestingly. It has been stated that the fsync() call should be used by applications which are interested in any last-minute errors. But that approach doesn't address errors that happen in the close process itself. It is also a little strange to have return values from the operation that do not mean anything. So, while there are people who suggest that the release() function should be changed to return void, it's probably more likely that this patch will be applied.

Straightening out the header files. People who dig around in the kernel source code tend to notice one thing early on: the header files are a bit of a mess. Figuring out which headers to include - and in which order - can be a pain. And it often seems necessary to include a large number of (seemingly) unrelated files to get a piece of code to compile.

Daniel Phillips has started attacking one of the header file problems: the unstructured intermixing of definitions of data structures and the functions that use those structures. Many of the header files have "evolved" over time into fairly long and twisted things; programmers have thrown new definitions in over the years, often without any sort of overall design for the header file itself.

Numerous problems have their roots in this untidiness, but Daniel has picked out one in particular: it can be hard to define inline functions that use certain kernel data structures. Such functions often get defined before the structures they reference; this, of course, does not work if the function needs to know anything specific about the data structure. Rearranging the definitions can be hard, so programmers tend to give up on inline functions and fall back on the use of macros. Macros work, but they are inelegant, and, crucially, they do not offer the same sort of type checking that inline functions do.

The solution, according to Daniel, is to split out the definitions of fundamental data structures into their own header files. These small headers can then be placed early in the list of files to include, and their structures are available for use in inline functions later. He has posted a patch which makes this change for struct page, a fundamental data structure used in the management of physical memory. This change allows a couple of former macros (_pa, which converts kernel-space virtual addresses to physical addresses, and _va, which does the opposite) into inline functions. Says Daniel:

As soon as I had the inline version of __pa, it picked up an oversight where Jeff [Dike] uses virtual addresses in his page tables instead of physical addresses. It works in the case of uml, but it's quite unexpected and has only gone unnoticed this long because of weak type checking due to use of macros.

The code changes required for this sort of patch are not small, since a fair amount of rearranging can be required. It appears that it may be worth the effort, though. For any ambitious folk who would like to take on other kernel headers, Daniel has posted his algorithm for accomplishing the task. It is, he says, "slightly painful, but not horribly excruciatingly painful." With such inspirational words, who can resist the urge to jump in and help out?

Other patches and updates released this week include:

Kernel trees:

  • J.A. Magallon's latest is 2.4.19-pre4-jam1.

  • Marc-Christian Petersen has released 2.4.18-WOLK3.1. This kernel now has over 90 patches; some of the latest additions are TUX, User-mode Linux, the Linux Trace toolkit, and more.

Core kernel code:

  • Hubertus Franke has posted a patch to the code that assigns IDs to new processes. The current method of finding an unused PID is very inefficient, especially if there are large numbers of processes running on the system. With this patch, process ID assignment is faster on systems with at least 25,000 processes running - so most people won't need it for their desktop systems.

  • Andrew Morton has released a new set of reworked VM patches (as originally written by Andrea Arcangeli and covered here last week).

  • A new radix tree page cache patch has been released by Christoph Hellwig.

Device drivers

  • Jens Axboe has released support for "Mt. Rainier" CD-RW drives. See here for the latest version.

  • Richard Gooch has released devfsd v1.3.25 and devfs 199.10.

  • Patrick Mochel has updated his device model code to build an ordered list of all devices on the system. A set of functions has been supplied which can use that list to suspend, resume, or shut down all devices in the system in the proper order.

Filesystems:

  • Roger Gammans has written some documentation for the JBD (journaling) layer.

  • Anton Altaparmakov has released a completely rewritten, read-only NT filesystem implementation.

  • Version 0.8.23 of the access control list patch has been released by Andreas Gruenbacher.

Kernel building:

  • Roman Zippel has released a specification for his new kernel configuration system.

Miscellaneous:

Ports:

  • Here is the announcement for the latest NCR Voyager port from James Bottomley.

Section Editor: Jonathan Corbet


March 28, 2002

For other kernel news, see:

Other resources:

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters

See also: last week's Distributions page.

Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Sorcerer, Sorcery, and Lunar-Penguin. Last week we reported that Sorcerer GNU/Linux (SGL) was no longer available. Numerous people wrote in with additional information, so this week we have a more complete story to tell. It's the kind of story that illustrates that a good open source project is difficult (if not impossible) to kill.

SGL was first released by Kyle Sallee in April 2001 and in just a few months it became one of the most popular source-based Linux distributions around. Gaining in popularity also meant gaining a larger development team, as is the nature of free software. Unfortunately though, not everyone shared the same vision of SGL and its future. Without getting into all the nasty details, we'll just jump to the part where Kyle left the project and removed the source code from its accustomed repository (and the mirrors). He apparently did try to stop the other SGL team members from going on with the project from there, but as we mentioned, it's very hard to stop a good software project. The source was already out there. So, from the ashes of Sorcerer grew two new distributions. Kyle doesn't seem to be working with either one at this time, but we wish him well on his next project (whatever that is). Most of all, we'd like to thank all the people who wrote to LWN with additional links and information.

Lunar-Penguin has its roots in SGL, but it's quickly evolving into something else. If you like SGL, but want something a bit faster paced, more leading edge, then LP could be just for you. Current SGL users should be able to switch to LP now, but that's guaranteed not to last for long. LP released the ISO image lunar-20020321.iso.bz2 on March 21, 2002.

Sorcery GNU/Linux or possibly Sorcerer GNU/Linux is project created by former team members of SGL, after Kyle's departure. It strives to remain a popular, source-based distribution. Sorcery 0.1.2 was released into cvs on March 19, 2002, and a new Sorcery tarball, 0.1.3, has been released since. This posting at the Sorcery Linux site contains some additional information on the birth of Sorcery, and talks about some future development plans for the new SGL.

The site SorcererLinux.org was created as an impartial resource, with links to both new projects, and other Sorcerer resources including a link to the original Sorcerer documentation.

Distribution News

Debian News. The Debian Weekly News for March 20 is out, with coverage of the Debian Leader election, the latest boot floppies, offensive content, CeBIT, and more.

Debian users will now find cryptographic software in the main archive. Anthony Towns provides an explanation of why it wasn't there before, and what can be found there now.

There is another revision of 'potato', Debian GNU/Linux 2.2r6 due out at the beginning of April 2002.

The Call For Votes is out now. "NOTE: The vote must be GPG signed (or PGP signed) with your key that is in the debian keyring."

The Kernel Cousin Debian Hurd #115 For March 19, 2002 is available.

Mandrake Linux News. The Mandrake Linux Community Newsletter #35 for March 20, 2002 talks about Mandrake Linux 8.2 (Intel version available; a note from the Developers; 8.2 PPC Status Report) and more.

The release of a second beta version of Mandrake Linux 8.2 for the PowerPC architecture has been announced.

MandrakeSoft has announced the availability of StarOffice 6.0 Final for its MandrakeClub "Silver" members and above. This ZDNet article clarifies Mandrake's download policy.

Red Hat Linux Advanced Server. Red Hat has announced the launch of its "Red Hat Linux Advanced Server" distribution, "the first enterprise-class Linux operating system." It starts at $800, and includes a one-year Red Hat Network subscription, a 12-month (minimum) release cycle, a number of kernel patches (i.e. asynchronous I/O), a Java-based web console for cluster management, and more.

Skipjack - the latest Red Hat beta. We mentioned it last week, but here's the official announcement on the release of "Skipjack," Red Hat's latest beta release. "As always, we do not recommend the use of beta software on mission critical or production systems. In fact, we may laugh at those who try."

SuSE Linux. usr local bin is a new site dedicated to updated RPM packages for SuSE Linux, mainly offering GNOME software builds.

Yellow Dog Linux 2.2 ships. Terra Soft Solutions has announced the release of Yellow Dog Linux 2.2. It's based on Red Hat Linux 7.2, but, of course, it runs on the PowerPC.

Minor Distribution updates

2-Disk Xwindow System. The 2-Disk Xwindow System has released v1.2.9 with minor feature enhancements.

Astaro Security Linux. Astaro Security Linux has released v3.041 with major feature enhancements.

Icepack Linux. Icepack Linux has released v2.0, "a complete rewrite of our version 1.0, but of course still offering the features you appreciated in our first release".

Leka Rescue Floppy. Leka Rescue Floppy has released v0.6.0 with minor bug fixes.

Recovery Is Possible!. Recovery Is Possible! (RIP) has released v51 with minor feature enhancements.

ttylinux. ttylinux has released v2.0 with minor bug fixes.

Wolverine. The Wolverine firewall and VPN product (based on Embedded Coyote Linux) has released Alpha 3 (Build 153) with major feature enhancements.

Distribution Reviews

Mandrake 8.2 First Impressions. Anthony Barker reviews Mandrake Linux 8.2. "Mandrake has done a lot of work cleaning up the user interface and making Linux more intuitive. Moreover, it is supposed to be more stable - the kernel as well as Mandrake's tools ( although I have not experience that so far). Perhaps I have been a bit harsh because I lost my data directory (my own fault - but of course I internally blame the vendor). Overall, I think mdk 8.2 is the best Mandrake release so far, a candidate for the best linux distribution, and perhaps my favorite desktop operating system."

Section Editor: Rebecca Sobol


March 28, 2002

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

Distribution Lists:
LWN List
DistroWatch
ibiblio
Linux.com
LinuxLinks
LDP English-language GNU/Linux distributions on CD-ROM
Woven Goods

   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters

See also: last week's Development page.

Development projects


News and Editorials

Parrot 0.0.4 is Released

Use Perl reports on the release of Version 0.0.4 of the Parrot compiler, which is at the heart of the new Perl 6 language.

We now have a working JIT compiler, thanks primarily to Daniel Grunblatt. Gregor Purdy produced something he calls 'predereferencing', which rearranges Parrot bytecode in memory to give a 22% speedup over the normal Parrot run. Dan Sugalski himself has provided a fast arena-based memory allocation system, and a copying garbage collector to match. We're starting to look like a real interpreter, and to prove it, Clinton Pierce has written an XML parser in Parrot bytecode.

Also included in Parrot 0.0.4 is Alex Gough's bignum library, code cleanup by Jason Gloudon, and "rudimentary regular expression support" contributed by Brent Dax.

Here is the full list of changes for the new Parrot.

The latest version of Parrot may be downloaded here. See the Parrot 0.0.4 readme file for the necessary build instructions.

Additionally, Simon Cozens has handed off the duties of Parrot project leader, or "Parrot Pumpking" to Jeff Goff.

Electronics

New Icarus Verilog simulator (gEDA). The gEDA site lists a new development version of the Icarus Verilog electronic simulation language compiler. In addition, a new stable version 0.6 was also released recently.

Embedded Systems

Embedded Linux Newsletter (LinuxDevices). The LinuxDevices.com Embedded Linux Newsletter for March 21 is available, with the usual roundup of events from the embedded Linux community.

The preempt patch vs the low-latency patch (LinuxDevices). LinuxDevices has posted a white paper that compares two methods for achieving low kernel latency. "In this whitepaper on Linux Scheduler Latency, Clark Williams of Red Hat Inc. compares the performance of two popular ways to improve kernel Linux preemption latency -- the preemption patch pioneered by MontaVista and the low-latency patch pioneered by Ingo Molnar -- and discovers that the best approach might be a combination of both."

Opening Up the PlayStation 2 with Linux (O'Reilly). Howard Wen reviews the Sony PlayStation 2 Linux development environment on O'Reilly. "Besides the sheer geek thrill of being able to do it, there's a practical reason for running Linux on a PlayStation 2. A lot of people expressing interest in this kit are hobbyists looking to gain experience in developing for a major game console."

Printing Software

HPIJS 1.0.4 released (Linux Printing). Linux Printing mentions the new release of the HPIJS inkjet printer drivers. Version 1.0.4 includes a new high resolution mode, support for A3 and A5 paper, and bug fixes.

Web-site Development

Apache 1.3.24 Released. Apache version 1.3.24 has been released. "This version of Apache is principally a security and bug fix release." (Thanks to Jonas Eriksson.)

mnoGoSearch-php-3.2.0.beta2 available. A new version of mnoGoSearch-php, a PHP interface to the mnoGoSearch search engine is available. The Change Log file lists all of the changes.

Zope Members' News. This week's Zope Members' News items include a look at the MailBoxer mailing list manager, the QuotaFolder 0.1 quota system, the ZFireBirdDA database adapter, the Logger 1-0-2 Zope logging system interface, and more.

Analog Security Hole. Version 5.22 of the Analog web log analyzer fixes a cross-site scripting security hole in which Javascript code can be arbitrarily inserted into web logs. The log entries can then be viewed by arbitrary browsers.

mod_perl in 30 minutes (O'Reilly). Stas Bekman gives a speedy introduction to mod_perl on O'Reilly. "In this article I'll show step-by-step installation and configuration scenarios, and chances are you will be able to run the basic statically compiled mod_perl setup without reading any other documents."

Documentation

LDP Weekly News. The March 26, 2002 LDP Weekly News mentions a new "documents" category. New documents cover creating high quality Linux applications, backing up and restoring data, intrusion protection, physical security, securing data in transit, and an introduction to viruses and virus hoaxes.


March 28, 2002


Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

   

 

Desktop Development


Audio Applications

mpg321 version 0.2.10 released. A new version of mpg321, the free MP3 player, has been released. Version 0.2.10 features a number of bug fixes and useability improvements.

Ardour progress continues. Work continues on the Ardour multi-track audio recording package. Generalized undo/redo operations have been added, stability and usability enhancements have been added, and Ardour now works as a Jack client.

Web Browsers

Mozilla Independent Status Reports. The latest Mozilla Independent Status Reports feature new releases of LiveSidebar, SVG Graphs, the Mozilla Translator, mozCalc, Annozilla, Mozblog, and BrowserG!.

Desktop Environments

Ximian GNOME on a low-resources machine. Linux and Main looks at software bloat and its effects on running Gnome on a Pentium-166. "Hear me out. It's true that we have all kinds of nifty desktops and applications. This is great. It is also, sadly, true that as the capacity of hardware has increased -- bigger drives, more memory, faster processors, an actual reduction in price -- coding has fallen slack. We do just about the same stuff at just about the same speed, even though our machines should, if the coding standard of even two or three years ago were in place, literally scream with speed."

Kernel Cousin KDE number 36. Kernel Cousin KDE Issue #36 is available. Topics include advanced media streaming, KParts and Streaming Data, Moving Day for Wallpapers, KOffice publicity, KDE 3.0 status, KOffice graphics, Addressbook transitioning, and more.

KDE 3.0RC3: Prepare to Fall in Love (KDE.News). KDE.News reports on the newly released KDE 3.0 RC3 with much enthusiasm: "...yesterday morning I installed KDE 3.0rc3 and, to be honest, it is truly magnificent! Konqueror is fast, fast, fast! Never seen anything like it (except maybe Lynx) in the main browsers - even long pages in my Most Often Visited list all but instantly popped into place.

The rest of KDE 3 is simply spectacular, too. Everything is snappier, from menus (despite the addition of cool menu icons) and dialogs (these pop up much faster) to applications, and the look is even more professional than KDE 2. Wowwww, I am in total awe. Superb, excellent, amazing job, guys, KDE 3 absolutely rules!"

People of KDE: Eva Brucherseifer. This week's People of KDE features Eva Brucherseifer, one of the founders of KDE-Women, KDE-Edu, and the KDE-Solaris mailing list.

Games

Net Hack Version 3.4.0. Version 3.4.0 of the classic NetHack game has been announced. This release features bug fixes, better portability, enhanced configuration file processing, and lots more.

Pygame updates. This week, the Pygame site features SCAM, the Sprite Collision and Mechanics Library. "SCAM is a library that provides easy to use pixel-perfect collision detection. It is a C extension module and has support for python and pygame."

GUI Packages

FLTK 1.1.0b12 Available. Version 1.1.0b12 of the Fast Light ToolKit (FLTK) has been announced. This release features bug fixes and working drag-n-drop support, among other things.

Office Applications

Ximian releases Evolution 1.0.3. "Ximian Evolution version 1.0.3 is now available. Evolution 1.0.3 resolves a number of smaller issues discovered in the previous release, and includes enhanced compatibility with the forthcoming Ximian Connector for Microsoft Exchange. You can expect to see improved performance and stability in this release, especially for addressbook functions over LDAP."

Advance 0.7.2 released. Version 0.7.2. of the Advance Personal Information Manager (PIM) is available. This version is a functional beta release. (Thanks to Bryan Brunton.)

Kernel Cousin GNUe #21. Issue #21 of Kernel Cousin GNUe looks at analytical processing, web browser compatibility, international support, GNUe for Red Hat and Debian, and more.

AbiWord Weekly News. The March 26, 2002 AbiWord Weekly News covers the new AbiWord 0.99.3 release as well as other progress in AbiWord development.

 
Desktop Environments
GNOME
GNUstep
KDE
XFce
XFree86

Window Managers
Afterstep
Enlightenment
FVMW2
IceWM
Sawfish
WindowMaker

Widget Sets
GTK+
Qt
   

 

Programming Languages


Caml

The Caml Hump. The "latest adds" on The Caml Hump include lox, a library framework for concurrent, single-threaded Internet application services, and Ant, which aims to be a Caml replacement for the TeX typesetting system.

The Caml Weekly News. The March 26, 2002 edition of the Caml Weekly News is out. Topics include weak hash tables, Ensemble 1.35, and ant V0.3pre.

Haskell

The Gtk2Hs Haskell binding for Gtk2. Axel Simon has announced Gtk2Hs, a rewrite of the gtk+hs Haskell binding for Gtk. Improvements include automatic memory management, nearly complete coverage of widget functions and signals, Unicode support, Object-oriented calling conventions, and more. (Thanks to Jens Petersen.)

Java

Tetris meets the Java bean (IBM developerWorks). Scott Clee uses Java beans to implement the Tetris game. "IBM Software Engineer -- and gamer at heart -- Scott Clee provides a simple way to take the Tetris game model and wrap it up as a reusable Java bean component. Once the game elements have been broken down into Java objects, they can be reassembled to form the complete game model bean, enabling it to be plugged into virtually any Tetris GUI."

Micro-Tuning Step-by-Step (O'Reilly). Jack Shirazi gives some tips on optimizing Java performance. "Micro-tuning is a term often used to mean speeding up small sections of code out of context, by profiling and analyzing that code and using some of the many techniques available to make code run faster. In contrast, macro-tuning looks at the program in context, and tries to improve performance by altering the algorithms, data structures, or interactions between components or subsystems."

Lisp

mod_lisp 2.2 released. Version 2.2 of the mod_lisp Apache web server module, has been released. "This version allows more than one Set-Cookie".

CLSQL initial public version released. The first public version of CLSQL, a Common Lisp interface to the PostgreSQL and AODBC database engines, has been released.

Perl

CPANPLUS 0.01 Released (use Perl). Version 0.1 of the CPANPLUS Perl module management system has been released.

PHP

PHP 4.2.0 rc 1 (PHP News). PHP News looks at the new PHP 4.2.0 rc1 release. Testers are being solicited, the official PHP 4.2.0 is scheduled for release on April 22, 2002.

PHP Weekly Summary for March 25, 2002. The March 25, 2002 PHP Weekly Summary features a preview of Zend Engine 2, PHP 4.2.0 rc 1, removal of PAM code from PHP, bug fixes, Java serialization, and Crypto++.

Python

Dr. Dobb's Python-URL!. Here's the Dr. Dobb's Python-URL! for March 26, 2002. Topics include exception handling, serving MS SQL with Python, the Python-bz2 compression library, and more.

PyKDE2: KDE Bindings for Python (O'Reilly). Stephen Figgins talks about a project that was built with PyKDE2, the KDE bindings for Python.

The Daily Python-URL. The latest entries on the Daily Python-URL include articles on Reportlab Toolkit version 1.13, an Introduction to Jython, NormalDate, python-bz2, and more.

Python 2.2.1c2. A second release candidate for the next Python bugfix release has been announced. "There haven't been many changes since 2.2.1c1, just a few fixes."

Ruby

The Ruby Garden. This week's Ruby Garden looks at modifying mkmf.rb to support frameworks, and mentions a Linux Journal article on Ruby.

Meanwhile, the Ruby Garden's Ruby Weekly News has announcements for ByteCodeRuby 0.1.1, vimRubyX, RubyMail 0.8, RubyFilter 0.8, rpkg 0.3.2, REXML 2.0.2, RUDL 0.6, FXRuby-1.0.3, and Rubyzip 0.4.1.

Tcl/Tk

This week's Tcl-URL!. The March 25, 2002 Tcl-URL! features a number of Tcl tips, obtaining #include capability, paths and package loading, supergrid, an Icon library, the Toucan IDE for the Palm platform, the State Machine Compiler, and more.

XML

Exploring XML Encryption, Part 1 (IBM developerWorks). Bilal Siddiqui introduces XML encryption on IBM's developerWorks. "XML Encryption provides end-to-end security for applications that require secure exchange of structured data. XML itself is the most popular technology for structuring data, and therefore XML-based encryption is the natural way to handle complex requirements for security in data interchange applications."

What's New in XPath 2.0 (O'Reilly). Evan Lenz compares XPath 2.0 to XPath 1.0. "A better way of describing XPath 2.0 is as an expression language for processing sequences, with built-in support for querying XML documents."

Web Service Sublimation (O'Reilly). Martin Gudgin and Timothy Ewald talk about the current state of Web Services on O'Reilly. "In the broadest possible sense, Web Services are an attempt to use XML to build distributed information processing systems that work across the Internet without necessarily requiring a browser as the client. Many present Web Services as a silver bullet that makes building this sort of system easy, but this view is naive. "

Integrated Development Environments

GNUstep Weekly Editorial. The March 22, 2002 GNUstep Weekly Editorial looks at the initial launch of the GNUstep developers' release, which splits the project into stable and an unstable trees.

Miscellaneous

Jext 3.1 pre2. A new version of the Jext programmer's editor has been released. This version replaces the stable version and features an updated ProjectMaster plugin.

Section Editor: Forrest Cook

 
Language Links
Caml
Caml Hump
Tiny COBOL
Erlang
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
Guile
Haskell
IBM Java Zone
Jython
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP
PHP Weekly Summary
Daily Python-URL
Python.org
Python.faqts
Python Eggs
Ruby
Ruby Garden
MIT Scheme
Schemers
Squeak
Smalltalk
Why Smalltalk
Tcl Developer Xchange
Tcl-tk.net
O'Reilly's XML.com
Regular Expressions
   

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters

See also: last week's Commerce page.

Linux and Business


The HRP-2P Linux-powered humanoid robot. [Linux robot] Longtime LWN friend Maya Tamiya has sent us a description of a new Linux-powered "hackable" humanoid robot called the HRP-2P; it is produced by Kawada Industries and AIST. There are press releases available from Kawada and AIST; they are in Japanese but the pictures are cool. The robot was built with a real-time Linux variant called ART-Linux.

Sharp and Handango announce Linux software store Zaurus Handheld. Sharp Electronics Corp. and Handango announced an alliance to provide Linux and Java software to users of Sharp's Linux-based Zaurus SL-5500 series handheld.

IBM and SuSE to offer 'enterprise ready' Linux services. IBM and SuSE have announced a deal wherein they will collaborate to provide "enterprise ready" Linux services to their customers. Among other things, the PR says "IBM will package and support turnkey implementations of SuSE Linux Enterprise Server (SLES), backed by SuSE's expert development, maintenance, and support teams."

CodeWeavers launches CrossOver Office. CodeWeavers has announced the launch of its "CrossOver Office" product, which allows Linux users to run Microsoft Office and Lotus Notes on their systems without a Windows license.

A Closer Look at Linux: Executives Gadre and DeWitt discuss Sun's Open Source strategy. Sun Microsystems has posted a page detailing the company's plans for Linux.

Protecting Creative Works in a Digital Age. The Senate Committee on the Judiciary has jurisdiction over intellectual property issues in the US Senate, including such issues as the DCMA. The Committee is working to craft copyright policies that advance the complementary goals of protecting copyrighted works, serving consumers and the public interest, and promoting the development of innovative technologies. They are inviting public comment. (Thanks to Jeffrey Burkeen)

The Book of SAX released. No Starch Press has announced the release of The Book of SAX, which covers the Simple API for XML.

Linux Based POS Terminals Increase 80% in 2001 According to IHL Consulting Group. The population of Retail Point of Sale Terminals running Linux in North America increased 80% according to a study from IHL Consulting Group.

Linux Stock Index for March 21 to March 27, 2002.

Press Releases: