[LWN.net]

Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests


Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters


Leading items and editorials


Banks and browsers. The state of Linux-based web browsers has improved in a big way over the last couple of years; Linux users can now use the net with fast, robust, free, state-of-the-art applications and need no longer content themselves with old, proprietary, buggy code. Thanks to the efforts of the Galeon, Mozilla, and Konqueror developers (among others), life has gotten much better.

It has often been pointed out, however, that it is not enough just to have a pile of nice, free code. Without open data formats, the free software community's ability to interoperate with the rest of the world is limited. Anybody who has had to exchange Word documents understands this point well. Open formats, of course, extend to data exchanged on the net, including web pages.

Certain web sites have proved to be difficult to use with Linux-based browsers - free or otherwise. Commerce sites, and banks in particular, can be problematic. The developers of many of these sites do not feel that they have many customers in the Linux world - if they think about Linux at all. As a result, Linux users lose out on some of the functionality of the net.

A few efforts have been made to track which banks have sites that work with Linux browsers, and which do not. Now, a new web page put together by Evan Leibovitch is pulling that information into one place. With a glance, it is possible to see which banks work well with your Linux system, and which do not.

This information is useful on a couple of fronts. In cases where incompatibility is caused by a failure of the bank to follow current web standards, a public display can help members of the community to encourage changes and, if need be, to choose a more customer-friendly bank. Where the problems are caused by bugs in the Linux browser(s), the site can point developers at the problems and help to get them fixed. For the free browsers, anyway.

Linux browser compatibility has gotten better as the browser software itself improves. If AOL really does deploy Mozilla-based browsers to its customers, one can expect things to improve quite a bit more. It will always be necessary to watch out for proprietary formats and "extensions," however, if Linux is not to be relegated to a small, free software backwater.

Time to ban markers. Various schemes for "copy protecting" audio CDs are seeing increasing use, especially in Europe. These techniques generally involve violating the CD standard by putting corrupt data tracks on the outer part of the disk. Audio players ignore that data and play the disk without trouble, but computer drives get confused and refuse. At least, if you are lucky, they refuse: Apple drives, apparently, lock up and must be taken in for service.

Those of us who listen to our legitimately purchased music on computer drives have a new hope, however, in the form of a high-tech circumvention device. Chel van Gennip pointed us at this Chip Online page (in German) which gives detailed instructions on defeating corruption-based protection (a translation into something resembling English is available via Babelfish). There are two techniques, both of which work by preventing a computer drive from trying to read the corrupted data track.

Essentially, all you have to do is cover that track. This can be done with a Post-It note, a piece of electrical tape, or a carefully-drawn line with a heavy marker. All it takes is a few seconds of effort, and the "rip protection" is no more.

It will be interesting to see how the entertainment industry responds to this one. The industry and the U.S. courts have been very clear on their position: a device which circumvents protection schemes is illegal under the DMCA, regardless of any legitimate uses it may have. The industry, it seems, must either (1) take the marker manufacturers to court, or (2) admit that, perhaps, some tools capable of circumvention might have uses that don't involve letting pirates take over the world. Which will it be?

The digital consumer's bill of rights. On a related subject, it is worth taking a look at the bill of rights proposed by the Digital Consumer project. These rights are:

  • The right to time-shift content.
  • The right to space-shift content.
  • The right to make backup copies.
  • The right to use content on the platform of their choice.
  • The right to translate content into new formats.
  • The right to use technology to achieve the above rights.

These rights are a good starting point: if they were a part of U.S. copyright law, there would be no DeCSS, Elcomsoft, or personal video recorder cases, and office supply stores could start stocking markers again. It is a good beginning for the definition of "fair use" in the digital age.

This bill of rights would not solve the entire problem, however. We are not just consumers of "content;" increasingly we are all producers as well. As many have pointed out, "content" and "intellectual property" are inputs to the creative process, not just the output. The current expansion of copyright, patent law, and "digital rights management" schemes makes it ever harder to create anything without running into somebody's claimed intellectual property. Thus the original goal of intellectual property laws - to encourage invention and creation - is being thwarted.

Modern technology makes it easier for us all to be producers, not just consumers, and the world is a richer place for it. We very much need a bill of rights which protects our rights as consumers, but we also need a bill of rights which recognizes that we are producers.

No dismissal in Elcomsoft case. Meanwhile, back in the real world, here is a release from the EFF on the latest ruling in the Elcomsoft case. Judge Whyte has refused all of the defense's motions for dismissal. The DMCA, he says, is entirely clear: it means to ban all "circumvention devices" regardless of their legal uses. And, while the program involved qualifies as speech, the government still can regulate it because it is controlling its "function," not its "content." The trial date is May 20.

Inside this LWN.net weekly edition:

  • Security: Superworms; Nessus; dhcp and netfilter vulnerabilities; tcpdump correction
  • Kernel: Kernel web servers; per-driver filesystems; a different approach to asynchronous I/O.
  • Distributions: ALT Linux; Aleph ARM Linux returns.
  • Development: The FOX Toolkit, Mini SQL 3.0 Pre 4.1, WaveSurfer 1.4, Mozilla 1.0 RC2, FLTK 1.1.0rc2, Wine 20020509, AbiWord 1.0.1, Ask Perl 6, PHP 4.2.1, Phpmole 1.3.
  • Commerce: Free software in the Spanish administration; Red Hat opens new facility.
  • Letters: Commercial use of GPL software; total cost of ownership.
...plus the usual array of reports, updates, and announcements.



May 16, 2002

   


Security


News and Editorials

How Can You Defend Against a Superworm? (Linux Journal). Don Marti speaks with Brandon Wiley, coordinator of the Tristero project, about the threat of "superworms" and what might be done to defend against it. "Linux administrators see log files full of failed attack attempts when some other platform is subject to a worm attack. Dumb worms might be a nuisance and a waste of bandwidth. But what if worms were a little smarter about which hosts to attack, when to attack and with what exploit? What if a worm developer could update all the running worms, on the fly, with a new exploit?"

Lock in the Nessus monster (ARNnet). Con Zymaris writes about selling security scanning using Nessus as a service. "Here's the crux of the analysis, however: no matter how good these [proprietary] tools are, all pale by comparison to Nessus. In all the security expert reports I have read in the past 18 months, Nessus is considered the best-of-breed security vulnerability scanning product, by a long margin. That it is open source, has long-term viability and is totally free of any licensing or use costs are mere bonuses, and great for reducing our cost of establishing this business service."

Nessus does not call home. Despite some rumors to the contrary at the recent CanSecWest conference, Renaud Deraison reassures us that "Nessus does not call home. It never does, never did and never will. However, the checks [it performs] have a side effect that may have the naughty side effect to sending some packets to nessus.org, which can make people think I have the ability to monitor their scans."

Sending a wake-up call to the W3C (News.com). Rich DeMillo, Hewlett-Packard's vice president of technology strategy, tells us why "Linux will be the first operating system" HP will port to their Secure Platform Architecture (SPA). "We think it makes great sense to do this in the town square by calling on the trust-enhancing ability of the open-source community with its rigorous peer review, open publishing and testing methodologies."

Security Reports

DHCP remotely exploitable format string vulnerability. The May 8, 2000 release of ISC DHCP 3.0p1 fixes this serious vulnerability in ISC DHCPD 3.0 to 3.0.1rc8 inclusive. So far, the only distributor update we have seen for this vulnerability is this one from Conectiva.

We encourage dhcp users to upgrade, disable dhcp or, at a minimum, consider using ingress filtering as described in the CERT advisory.

Netfilter NAT/ICMP information leak. "Netfilter ("iptables") can leak information about how port forwarding is done in unfiltered ICMP packets. The older "ipchains" code is not affected." The bug exists in the iptables package in all versions of the 2.4.4 kernel up to "(at least) 2.4.19-pre6".

A sufficient workaround is to filter out untracked local ICMP packets using the following command:

  iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
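
Because the command above appends (-A) to the OUTPUT chain, the rule only takes effect if no earlier OUTPUT rule already accepts the same ICMP packets. The script below is an added example, not part of the original text or of the netfilter advisory: it audits an iptables-save dump for the workaround and its position. The function name audit_output_icmp, the sample rulesets and the addresses in them are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): audit an iptables-save dump for the
# workaround rule and for rule ordering. Heuristic: interface and address
# matches are ignored, so a narrower rule is treated like a general one.

# audit_output_icmp reads iptables-save text on stdin and prints one verdict:
#   ok        OUTPUT drops INVALID-state ICMP before any rule could accept it
#   shadowed  the drop rule exists, but an earlier OUTPUT rule accepts first
#   missing   no such drop rule in the filter table OUTPUT chain
audit_output_icmp() {
    awk '
    /^\*/ { table = substr($0, 2); next }      # table header: *filter, *nat
    table != "filter" || $1 != "-A" || $2 != "OUTPUT" { next }
    {
        rule = " " $0 " "
        # Skip rules limited to another protocol; no -p means all protocols.
        if (rule ~ / -p / && rule !~ / -p icmp /) next
        has_state    = (rule ~ / --(ct)?state /)
        hits_invalid = (rule ~ / --(ct)?state [A-Z,]*INVALID/)
        if (rule ~ / -j DROP / && hits_invalid) {
            if (verdict == "") verdict = accept_seen ? "shadowed" : "ok"
        } else if (rule ~ / -j ACCEPT / && (!has_state || hits_invalid)) {
            accept_seen = 1                     # would pass INVALID ICMP
        }
    }
    END { print (verdict == "" ? "missing" : verdict) }
    '
}

# Constructed sample: port forwarding in the nat table, workaround in place.
sample_patched() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the drop rule was appended after a blanket ICMP accept.
sample_shadowed() {
    cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
COMMIT
EOF
}

# Constructed sample: no workaround at all.
sample_unpatched() {
    cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m state --state INVALID -j DROP
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

for s in sample_patched sample_shadowed sample_unpatched; do
    printf '%s: %s\n' "$s" "$($s | audit_output_icmp)"
done
```

On a live host, the same function can be fed the running ruleset with iptables-save | audit_output_icmp; a "shadowed" verdict means the drop rule should be inserted ahead of the accepting rule rather than appended.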

Updates which fix the problem were released this week by:

Red Hat advisory for sharutils. Updated packages for sharutils are available which fix potential privilege escalation using the uudecode utility.

Red Hat Security Advisory. Updated perl-Digest-MD5 packages are available which work around a bug in the utf8 interaction between perl-Digest-MD5 and Perl.

Gaim arbitrary email reading vulnerability. Gaim 0.57 has a bug which allows a local attacker to gain full access to other Gaim users' Hotmail accounts. A fix is available. The problem has been fixed in the nightly CVS, and will be fixed in version 0.58. "Gaim is an all-in-one IM client that resembles AIM. Gaim lets you use AIM, ICQ, Yahoo, MSN, IRC, Jabber, Napster, Zephyr, and Gadu-Gadu, all at once. Gaim is NOT endorsed by or affiliated with AOL, Yahoo, MSN or Napster."

Quake II 3.2x server cvar leak. A problem in the Quake II server for Linux allows an attacker to reveal the server's rcon password. Details of the affected source code and patched binaries are available.

Web scripts. The following web scripts were reported to contain vulnerabilities:

  • NOCC 0.9.5, and possibly earlier versions, have a cross-site scripting vulnerability. The NOCC team is working on a fix. "NOCC is a webmail client written in PHP. It provides webmail access to IMAP and POP3 accounts."

Updates

GNU fileutils race condition. A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).


Multiple vulnerabilities in icecast. Icecast is a streaming audio broadcasting system. Version 1.3.12 was released on April 10th. "This release is a security update and all users are highly encouraged to upgrade immediately or apply the relevant patches to their own versions. Remember, never run icecast as a privileged user, especially not as root." (First LWN report: May 2).


Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a buffer overflow vulnerability in all prior versions. However, newer versions, including 3.6.2, are vulnerable to another buffer overflow in the AFS RPC functions that was reported by Nick Cleaton. (First LWN report: May 9).

Both problems appear to have been reported and fixed in FreeBSD some months ago. The CIAC report on the vulnerability in versions prior to 3.5.2 is dated October 31, 2000. Nick Cleaton's FreeBSD security advisory on the AFS RPC bug, and reference to a fix for FreeBSD, is dated July 17, 2001. Tcpdump 3.7 was released on January 21, 2002.


Resources

Linux security week. The and publications from LinuxSecurity.com are available.

Fenris 0.02 has been released by Michal Zalewski. "Fenris is a multipurpose tracer, stateful analyzer and partial decompiler intended to simplify bug tracking, security audits, code, algorithm, protocol analysis and computer forensics." Michal has also written these hints for those using Fenris for The Reverse Challenge contest from the folks at Honeynet. His "quick write-up is not intended to spoil the fun, so it is safe to have a look."

Events

Upcoming Security Events.

The 2002 Edinburgh Financial Cryptography Engineering has issued a call for papers. On June 28th and 29th 2002 Edinburgh, Scotland "is again host to the international engineering conference on Financial Cryptography. Individuals and companies active in the field are invited to present and especially to demonstrate Running Code that pushes forward the "state of the art"."

Date | Event | Location
May 16 - 17, 2002 | 14th Annual Canadian Information Technology Security Symposium (CITSS) (Ottawa Congress Centre) | Ottawa, Ontario, Canada
May 27 - 31, 2002 | 3rd International SANE Conference (SANE 2002) | Maastricht, The Netherlands
May 29 - 30, 2002 | RSA Conference 2002 Japan (Akasaka Prince Hotel) | Tokyo, Japan
May 31 - June 1, 2002 | SummerCon 2002 (Renaissance Hotel) | Washington D.C., USA
June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA
June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference (Hilton Waikoloa Village) | Hawaii
June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop (Keltic Lodge, Cape Breton) | Nova Scotia, Canada
June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney



Kernel development


The current development kernel release is 2.5.15, released on May 9. Changes this time around include a resumption of the "device model" work (with an emphasis on the x86 PCI code), more IDE reworking (including the removal of /proc/ide - see last week's LWN Kernel Page), an NFS server update, many patches from the "dj" series, and lots of other fixes and updates.

The in-progress 2.5.16 patch, as seen in BitKeeper, includes an ISDN update, George Anzinger's 64-bit jiffies patch, the usual IDE patches, some networking updates, work on the new NFS export scheme, and more.

Dave Jones's latest patch is 2.5.15-dj1, which contains a relatively small set of fixes and updates.

The latest 2.5 status summary from Guillaume Boissiere is dated May 15.

The current stable kernel release is 2.4.18. No 2.4.19 prepatches have been released by Marcelo this week.

The current patch from Alan Cox is 2.4.19-pre8-ac4. The biggest change here is a new set of IDE updates by Andre Hedrick that went into -ac3. The 2.4 and 2.5 IDE subsystems continue to go in very different directions.

On the 2.2 front, Alan has released 2.2.21-rc4, the latest 2.2.21 release candidate. Unless something turns up, this one will become the real 2.2.21.

The future of in-kernel web servers. Some recent discussion on troubles with khttpd, the in-kernel web server which has been present since the early 2.3 days, led to the statement that khttpd would soon be removed from the 2.5 series. khttpd has a number of happy users, but it has been essentially unmaintained for a number of years, and it has been superseded by Ingo Molnar's TUX server. So the kernel developers see little reason to keep it around.

The more interesting question, perhaps, is whether TUX will take the place of khttpd. There appears to be little consensus on whether TUX should go in or not. Some developers are worried about the impact of the TUX patch, while others claim it affects little other code. It is not clear how much of a performance benefit TUX really provides - some user-space web servers are said to be getting quite close to TUX in speed. And, of course, a number of people feel that an application like a web server has no place inside the Linux kernel.

Servers like TUX and khttpd remain interesting as a demonstration of how to create the shortest, fastest path between the network and files on a disk. Chances are that TUX will find its way into a mainline kernel sooner or later.

Per-driver filesystems made easy. Alexander Viro has long been a proponent of small, special-purpose filesystems as a way for device drivers (or other kernel subsystems) to communicate with user space. The mini filesystem approach, he says, is a far cleaner and safer technique than the alternatives: /proc, the ioctl() call, or devfs. This approach makes sense to a number of people, but it has not been widely adopted. After all, if you are not Al Viro (which is the case for most of us), hacking up a new filesystem can be a little intimidating.

So he has been trying for a while to make the task of writing driver filesystems easier. His latest posting includes a set of library functions which mostly concern themselves with the creation of superblocks for virtual filesystems. The superblock is a good thing to hide within a library layer; virtual filesystems just need something to hand to the VFS; there should be no need for each one to duplicate a lot of "fill in the superblock field" code.

The other half of the posting is a driver which creates a little filesystem to export the value of a set of VIA motherboard temperature sensors. The whole thing takes up 70 lines of code, and much of that, of course, is dealing with getting information from the sensors. The task of creating special purpose virtual filesystems has indeed been made easy.

The trickier part in the long run may be on the system administration side. If the mini filesystem approach takes off, each system will have to be configured to mount these filesystems in the right places. /proc files and ioctl() calls just show up in their standard places, but filesystems must be explicitly mounted somewhere. How are VIA motherboard users to know that they can mount a devvia filesystem somewhere to read their temperature sensors? Add in a dozen other hardware-specific filesystems and one begins to see that some work on system administration tools will be needed to make it all easy to manage.

A different approach to asynchronous I/O. It started with a discussion of the O_DIRECT flag, which can be used to request that "direct" I/O be performed on a file. Direct I/O moves data directly between the userspace buffer and the device performing the I/O, without copying through kernel space. Direct I/O can be faster, since it avoids copy operations and because it does not fill the system's page cache with data that will not be used again.

It was noted recently that benchmarks using O_DIRECT tend to perform worse than those using regular, cached I/O. The reason for this poor performance is reasonably straightforward: direct I/O, as implemented in Linux, is synchronous. The application must sleep and wait for the operation to complete, and there is no opportunity to reorder operations for better I/O performance. If you really want to make O_DIRECT work well, you need to combine it with asynchronous I/O.

So, one would think, there would be a motivation to get the asynchronous I/O patches into the 2.5 kernel. Linus, however, has other ideas, based on his opinion of O_DIRECT:

The thing that has always disturbed me about O_DIRECT is that the whole interface is just stupid, and was probably designed by a deranged monkey on some serious mind-controlling substances.

In other words, one might conclude that he doesn't like it.

A statement like that, of course, raises an immediate question: how, exactly, would one design a high-performance, zero-copy, asynchronous I/O subsystem if you can't get the monkeys to share their substances with you? Linus's answer is to split apart the two aspects of the problem: performing the I/O and connecting the data to user space.

In this new scheme, a process wishing to do asynchronous, direct reads from a file would, after opening that file, invoke a new system call:

     readahead (file_desc, offset, size);

This call will set the kernel to populating the system's page cache with data from the file starting at the given offset, for an amount approximating size. At this point, the data is in (kernel) memory, and is not visible to the userspace application. Actually getting at the data requires calling mmap with a special MAP_UNCACHED flag.

This memory mapping is special in a couple of ways. One is that it does not set up any page tables when the mapping is established, so it happens very quickly. The other is that, when the user application generates a page fault (by trying to access the data it ordered with readahead()), the page is "stolen" from the page cache and turned into a private page belonging to the application. Until the fault happens, the read operation is entirely asynchronous; once the application actually tries to use the data, it will wait if the operation still has not completed.

If the application is, instead, looking to write data, it starts by populating its mapped memory segment. When things are ready to go, another new system call:

     mwrite (file_desc, address, length);

is used. mwrite() puts the page back into the page cache (where it will get written eventually) and removes it from the process's page table. The (new) fdatasync_area() system call may be used to force (and wait for) specific pages to be written.

A process which is simply copying data need never access the pages in the mapping directly. In this case, no page tables ever get built, and things go even more quickly. Pure copy cases are relatively rare, though, especially since this scheme would not support I/O to network connections (which do not use the page cache). The high-profile application for this sort of I/O (or O_DIRECT) is Oracle, which performs lots of I/O out of large segments.

So far, all this is just a scheme sketched out by Linus, with no implementation to play with. Should some ambitious kernel hacker code it up, however, it would be interesting to see how it really performs relative to other techniques.

Corrections on the buffer head work. Andrew Morton politely pointed out that your editor was more confused than usual when writing about Andrew's buffer head work last week. The bulk of that work actually affected the way the write() system call was handled. In the old scheme, data to be written back to files would find its way into the buffer head least-recently-used queue, where it would eventually be flushed to disk. With the new code, this data is written directly from the page cache, in a more page-oriented mode.

Buffer heads are still used to coordinate the I/O process, for now. As a result of all the block layer work that has gone in, the block system now takes those buffer heads and digs down to the real pages underneath them. So, at some point, an obvious step will be to remove the buffer head "middleman," and submit pages to be written directly to the block layer. So, eventually, buffer heads will no longer be the main I/O mechanism for block I/O.

Sorry for the confusion.


Section Editor: Jonathan Corbet



Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

ALT Linux. This week we are happy to spotlight ALT Linux. ALT Linux developer Michael Shigorin was kind enough to fill out an LWN Distribution survey for us. You can find the full results here and also linked from the new entry in the LWN Distributions List (under General Purpose). It started as the Linux-Mandrake Russian Edition, created by the IPLabs Linux Team. But not all the significant changes found their way back to Mandrake, and the team went on to create ALT Linux. There are several branches now, all using the ALT Linux Master tree. ALT Linux uses RPM4 plus APT (Conectiva apt/rpm port) for package management. English, Russian, Belarussian, Ukrainian, French, and German are supported, with a special emphasis on a correct implementation of The Free Standards Group's Linux Internationalization Initiative Li18nux.

Sisyphus is the current unstable branch of ALT Linux. Here is the Freshmeat page for version 20020507 of Sisyphus.

The recently released ALT Linux 2.0 Master can be downloaded from the FTP site, or purchased as a boxed set with 6 CDs, installation, administrator's and user's manuals, as well as a manual on OpenOffice.org, and lots of extras, including some music in Ogg Vorbis format.

The Castle branch has been on the LWN List for some time. It's a secured, RSBAC-enabled, server distribution.

There is also ALT Linux Junior, a single-disk distribution for home computers, designed especially for beginners, easy to install and use; and ALT Linux MSI Edition, a specialized OEM distribution for MicroStar, with a large set of multimedia applications, OpenOffice and games.

New Distributions

Aleph ARM Linux returns. This is one of those not-at-all-new distributions that simply got lost. Aleph One provides well-documented Linux distributions for various ARM-based systems. There is an official Debian ARM release based on Debian 2.2; and they are working on Psion and Compaq iPaq and other RISC architectures as well. Wookey at Aleph One filled out an LWN distribution survey on February 6, 2000, which somehow managed to get lost until we got another copy this week.

Distribution News

Debian Weekly News. The Debian Weekly News for May 8 covers hardware detection libraries, Bruce Perens's open standards efforts, the new Debian Developers Reference, and several other topics.

Kernel Cousin Debian Hurd #118. Issue #118 of Kernel Cousin Debian Hurd looks at GCC bugs, boot messages and logging, building the parted store modules with Autotools, and more.

Mandrake Linux Community Newsletter - Issue #42. The Mandrake Linux Community Newsletter for May 8, 2002 is available. This week's issue has news about Incident-based Support Packs at MandrakeStore; the latest MandrakeClub activities; KDE3 Packages for 8.2 PPC; errata updates for 8.2 x86 & PPC; and much more.

Red Hat Linux. Red Hat bug fix advisories for this week:

  • A few bugs, including one in ext3 that could cause a kernel panic on SMP systems, are fixed in this kernel errata for Red Hat Linux 7.3 - athlon, i386, i586, i686, noarch.
  • Updated packages are available for Red Hat Linux 7.3 - i386 Evolution which fix a vulnerability in the mime parsing component.

Slackware Linux. Here is this week's slice of the Slackware-current changelog.

Minor Distribution updates

2-Disk Xwindow System. The 2-Disk Xwindow System has released v1.4rc11 with fixes to chimera (SSL tracing fixes), an "obfuscation reimpedimentation" in the SOCKS transport layer, and table cleanups.

Astaro Security Linux. Astaro Security Linux has released v2.024 with minor security fixes.

BasicLinux. BasicLinux has released v1.7 with major feature enhancements.

ELX. ELX, Everyone's Linux, is getting ready for its global launch. "The soft launch is scheduled to take place during the third week of May all across the United States and North America. By the first week of June the product would find its way into Europe, Latin America, South Africa, Australia and the rest of the world."

EnGarde Secure Linux. EnGarde Secure Linux bug fix advisories for this week:

  • Some defaults in /etc/php.ini changed in our last PHP update (ESA-20020301-006). In particular file_uploads and register_globals were disabled. This update changes these defaults back to what they were before the update.

  • An issue was found with the swatch audit logs and the resulting daily summary. Under some circumstances the daily summary would report slightly inaccurate data for SSH logins.

EvilEntity Linux. EvilEntity Linux has released DR-0.2.4f with minor bug fixes.

Gentoo Linux. Gentoo Linux has some important Portage/rsync news.

Edmonds Enterprises has Gentoo Linux 1.1a CDs available for $0.99 USD (plus $1.50 for shipping).

Kondara MNU/Linux. Kondara MNU/Linux has updates available for several packages. There is also a change in the FTP tree and how Errata Packages are provided.

LEAF (Linux Embedded Appliance Firewall). LEAF has released Shorewall 1.2.13. The changes in this release include SuSE RPM support, white-listing, and the addition of TCP connection rate limiting.

PXES Linux Thin Client. PXES Linux Thin Client has released 0.4-Beta2 with minor feature enhancements.

Distribution Reviews

Aschwin Marsman upgrades to Red Hat 7.3. Aschwin Marsman of aYniK Software Solutions has updated his review of Red Hat Linux 7.3.

Section Editor: Rebecca Sobol



Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

Distribution Lists:
LWN List
DistroWatch
ibiblio
Linux.com
LinuxLinks
LDP English-language GNU/Linux distributions on CD-ROM
Woven Goods

   


See also: last week's Development page.

Development projects


News and Editorials

The FOX Toolkit

FOX, which stands for Free Objects for X, is a C++ based toolkit that provides components for writing Graphical User Interface software. Design goals of FOX include ease of programming, portability, speed, and minimal memory usage. FOX runs on a variety of platforms, including most popular Unix and Windows variants.

FOX development was started in 1997 on the Linux platform. FOX has been designed so that applications written with it can move across platforms with ease. The FOX documentation Foreword and Goals pages explain the history and design goals of FOX in greater detail.

The FOX Screenshots page gives a look at various FOX applications. One such application is the FOX Calculator, a general purpose scientific calculator application. Also, see A.D.I.E., the ADvanced Interactive Editor, another FOX based application. See the FOX-Based Projects and screenshots page for more examples.

FOX bindings are available for Python via FXPy, for Ruby via FXRuby, and for Eiffel via EiffelFox.

Development version 1.1.9 of FOX has recently been released. This version features a new FXGradientBar widget, improved performance, bug fixes, and more. The release notes indicate that steady progress is being made on FOX development; the project has become stable enough to warrant a 1.X designation.

FOX may be downloaded here; packages are available for Debian, Red Hat, and Mandrake, in addition to .gz files. FOX has been released under the Lesser GNU Public License (LGPL). (Thanks to Dejan Lekic.)

Databases

Mini SQL 3.0 Pre 4.1. Mini SQL 3.0 Pre 4.1 has been released. This version fixes a bug that was found in Mini SQL 3.0 Pre 4. See the release notes for all of the details.

Education

Seul/EDU Linux in Education Report. Issue #70 of the Seul/EDU Linux in Education report looks at German efforts to bring open-source software to education, the Vidyakash 2002 online learning conference, and more.

Embedded Systems

Linux Devices Embedded Linux Newsletter. The May 9, 2002 Embedded Linux Newsletter has been published by Linux Devices. Topics include penguins on the North pole, the Hippo Internet phone, real-time Linux sub-kernels, a new ELC membership structure, and more.

Mail Software

Mail filtering with Sentinel. Version 1.2 of an email filtering utility known as Sentinel has been announced. Sentinel works on various Unix operating systems in conjunction with sendmail. Sentinel is licensed under the GPL.

Science

Littlefish. Linux Med News reports that the Littlefish Health Project, a patient information and recall system, has been integrated into the Res Medicinae project.

System Administration

A Batch Job to Add New User IDs (O'Reilly). Arnold Robbins explains how to use the Korn shell to automate systems administration tasks. "A common system administration task is to add new users. In large installations, such as central computing servers at universities or in large companies, adding users is often best performed as a 'batch' job, one that is automated with scripts. Consider, for example, the start of a new semester at a large public university, where there are hundreds, if not thousands, of new students. Creating accounts by hand would be impossible, so we need to automate the task."

Web-site Development

Managing Images With a Web Database Application (O'Reilly). Hugh E. Williams talks about the use of PHP and MySQL for managing image archives on the web. "Web developers often need to store images, sounds, movies, and documents in a database and deliver these to users. In this article, I'll show you how to develop a simple Web database application that allows users to upload and retrieve images, but can easily be adapted to storing files of any type."


May 16, 2002


Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

   

 

Desktop Development


Audio Applications

WaveSurfer 1.4 released. Version 1.4 of the WaveSurfer tool for sound visualization and manipulation is available. The CHANGES file has not been updated as of this writing.

Web Browsers

Mozilla 1.0 RC2. Release Candidate #2 of the Mozilla browser is available. The release notes mention a plugged security hole, fixes for the 15 most common crashing bugs and 10 freezing bugs, support for CSS2 :hover, and more.

Also, see the coverage of this release on MozillaZine.

Desktop Environments

GNOME 2.0 Desktop Snapshot 20020509: 'Cominagetcha'. A new snapshot of GNOME 2.0 has been announced. The 'Cominagetcha' release contains 17 updated modules.

KDE Usability Team Takes First Steps. The KDE Usability Team has made big changes to the Kicker KControl module.

Games

4st Attack (PyGame). This week, the PyGame site features 4st Attack, a stone-connecting game. "The goal of the game is to connect four of stones in a straight line. This can be horizontally, vertically and even diagonally."

GUI Packages

FLTK 1.1.0rc2 Now Available. A new version of FLTK, the Fast, Light ToolKit, has been announced. FLTK 1.1.0rc2 features portability fixes, tooltip changes, and bug fixes.

Interoperability

Kernel Cousin Wine #122. Issue #122 of Kernel Cousin Wine covers the Xandros Beta, removal of the Quartz dll, SafeDisc support, the Native user32 dll, trading patches, and more.

Wine release 20020509. A new developer's release of Wine has been announced. Version 20020509 features dll separation work, async I/O improvements, more unit tests, less multimedia code, as well as portability and bug fixes.

Multimedia

GNOME Media 1.547.0 released. A new version of GNOME Media has been released. Version 1.547.0 features general improvements and bug fixes.

Office Applications

GNOME Office becoming more than a name. Progress is being made with the integration of AbiWord into the GNOME environment, according to this message on Gnotices. Included are links to screenshots of AbiWord embedded within Gnumeric and Evolution.

AbiWord 1.0.1 released. The stable AbiWord release is no longer a stealth product: the AbiWord team has announced the release of AbiWord 1.0.1. See the release notes for details.

AbiWord Weekly News. Issue #91 of the AbiWord Weekly News covers all of the latest AbiWord development issues.

Kernel Cousin GNUe #28. Issue #28 of Kernel Cousin GNUe looks at using GNUe for plant nursery management, problems with GNUe Common and mySQL, the GNUe Application Server, and much more.

Bluefish needs GTK 2 porting help. The Bluefish HTML Editor home page mentions that help is needed for porting Bluefish to the GTK 2 environment.

Miscellaneous

Nautilus homepage and theme tutorial. A number of resources for the Nautilus file manager are now online on the Nautilus home page.

Kooka Scanner Suite Now With Website (KDE.News). A new web site has been announced for KDE's Kooka. "Kooka is a scanner management suite for KDE with support for Optical Character Recognition (OCR). The Kooka web site offers extensive documentation on Kooka and the KScan library, future project plans, screenshots, and much more."

 
Desktop Environments
GNOME
GNUstep
KDE
XFce
XFree86

Window Managers
Afterstep
Enlightenment
FVWM2
IceWM
Sawfish
WindowMaker

Widget Sets
GTK+
Qt
   

 

Languages and Tools


Caml

Caml Weekly News for May 14, 2002. The May 7-14, 2002 Caml Weekly News covers new releases of gmetadom, gdome2-xslt, and lablgtkmathview, and looks at random variables, graphics without open_graph, the FFTW interface, and more.

The Caml Hump. This week's Caml Hump additions include an interface to the FFTW library, gdome2-xslt, gmetadom, lablgtkmathview, Camomile, DBC, Stew, and OCamlMySQL.

Haskell

Haskell Communities and Activities Report. The second edition of the Haskell Communities and Activities Report has been published. "The idea behind these reports is simple: twice a year, a call goes out to the main Haskell mailing list, inviting all Haskellers to contribute brief summaries of their area of work, be it language design, implementation, type system extensions, standardisation of GUI APIs, applications of Haskell, or whatever. The summaries introduce the area of work, the major achievements over the previous six months, the current hot topics, and the plans for the next six months. They also provide links to further information." (Thanks to Christian Sievers.)

Java

Test flexibly with AspectJ and mock objects (IBM developerWorks). Nicholas Lesiecki discusses unit testing and eXtreme Programming for Java on IBM's developerWorks. "The recent attention to Extreme Programming (XP) has spilled over onto one of its most portable practices: unit testing and test-first design. As software shops have adopted XP's practices, many developers have seen the increase in quality and speed that comes from having a comprehensive unit-test suite. But writing good unit tests takes time and effort."

Developing Highly Distributed Applications with Jtrix (O'Reilly). Nik Silver shows how to make use of Jtrix on O'Reilly's OnJava site. "Jtrix is an open source Java platform for creating highly scalable, distributed, and efficient Web services. This article describes Jtrix, compares it to other Java technologies, and illustrates how to write a Jtrix application -- both a client, and the service it uses."

Perl

Ask Perl 6 (use Perl). It's time to send your Perl 6 questions in. The questions will be answered by the Perl 6 design team; answers will be posted on May 20th.

The Perl You Need To Know - Part 2 (O'Reilly). Stas Bekman illustrates Perl debugging techniques on O'Reilly's perl.com site.

Where Wizards Fear To Tread (O'Reilly). Simon Cozens explains the Perl op tree on perl.com. "So you're a Perl master. You've got XS sorted. You know how the internals work. Hey, there's nothing we can teach you on perl.com that you don't already know. You think? Where Wizards Fear To Tread brings you the information you won't find anywhere else concerning the very top level of Perl hackery."

PHP

PHP 4.2.1 released. Version 4.2.1 of PHP has been announced. This is a bug fix release that addresses a problem with MySQL, among other things. See the Change Log for more information.

PHP Weekly Summary for May 13, 2002. The May 13, 2002 edition of the PHP Weekly Summary covers the new PHP 4.2.1 RC 2, the PHP 4.3.0 release schedule, bug fixes, and more.

Developing Professional Quality Graphs with PHP (Zend). Jason E. Sweat has put together a tutorial that covers the generation of graphics from PHP. "This tutorial is intended for the PHP programmer interested in applying PHP's GD image manipulation to chart data. This tutorial will focus not on the lower level GD calls, but on using the JpGraph libraries to wrap the GD calls."

Python

Dr. Dobb's Python-URL! for May 14. Here's the weekly Dr. Dobb's Python-URL! with news and links for the Python community.

Building basic browser functionality with wxPython (IBM developerWorks). Nicholas Bastin introduces wxPython on IBM's developerWorks. "Embedding a Web browser in your application eliminates the need to worry about which browser a client uses to view your pages, and also allows you to create custom tags that tie the HTML page back to your application."

Cross-compiling Python. K's cluttered loft features an article about the trickeries involved in cross-compiling Python.

"Cross compiling Python is tricky because:

  • The compiled python binary is used to compile and install the modules. The parser generator which is linked to some Python libraries is executed during compilation.
  • The compiled modules are checked if they can be imported. But they can't be imported because they are not running on the host system.
  • These modules are automatically removed which is bad."

The Daily Python-URL. This week, the Daily Python-URL features articles on the European Python and Zope conference, the Wing IDE, the webAppWorkshop, the Python pattern, fun with generators, Coffee, conversation and ZUBB, and more.

Ruby

The Ruby Garden. This week, The Ruby Garden looks at Array.rassoc and Array.assoc for making arrays of arrays, and Float#to_s issues.

The Ruby Weekly News. The Ruby Weekly News has announcements for SOAP4R 1.4.4.1, QuantLib-Ruby 0.3.0, JTTui 0.11.0, Practical Ruby 0.3.3, PageTemplate 0.2.0, REXML 2.3.2, and xample-pp 0.0. Other ruby discussions are also included.

Tcl/Tk

Dr. Dobb's Tcl-URL!. This week's Dr. Dobb's Tcl-URL! covers interpreter aliases, concurrency and re-entrancy problems, the grid manager, documentation, and more.

Integrated Development Environments

Phpmole 1.3 released. A new version of the Phpmole IDE, which is used for developing web based and phpgtk based applications, has been released. This version features a new look, a beta interactive debugger, a database navigator/viewer, an html presentation module, and more.

GNUstep Weekly Editorial. The GNUstep Weekly Editorial for May 11, 2002 covers the latest developments to the GNUstep object oriented development environment.

Revision Control Systems

An Introduction to the arch Version Control System (Linux Journal). Linux Journal introduces arch, an alternative to the popular CVS version control system. "One reason for arch's creation was to overcome some weaknesses in existing version control systems, such as the lack of atomic commits, the inability to keep track of file renames and difficulties when working on different branches of a project.

arch also provides support for easily and intelligently merging code from several different branches (e.g., stable, development, feature-test) of a project. Projects and revisions stored in arch have globally unique names, which allows branch and merge operations to span network boundaries."

Section Editor: Forrest Cook

 
Language Links
Caml
Caml Hump
Tiny COBOL
Erlang
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
Guile
Haskell
IBM Java Zone
Jython
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP
PHP Weekly Summary
Daily Python-URL
Python.org
Python.faqts
Python Eggs
Ruby
Ruby Garden
MIT Scheme
Schemers
Squeak
Smalltalk
Why Smalltalk
Tcl Developer Xchange
Tcl-tk.net
O'Reilly's XML.com
Regular Expressions
   


See also: last week's Commerce page.

Linux and Business


Proposal: free software in the Spanish administration. Hispalinux, the Spanish Internauts Association, and Esquerra Republicana de Catalunya have given a proposed law to governmental representatives which would promote the use of free software in the Spanish administration. A partial English translation of the proposal is available via Babelfish.

Red Hat Opens Major Engineering and R&D Facility in Massachusetts. In an unusual bit of expansion in the current business environment, Red Hat has issued a press release stating that it has opened a new research and development facility in Massachusetts, and 50 new jobs have been created. "The facility will work on developing high-performance computing products, enhanced enterprise capabilities for Red Hat's line of Advanced Server products, 64-bit technologies and other projects as part of Red Hat's expanding efforts in open source enterprise computing."

Caldera announces results, layoffs. Caldera International has put out a press release lowering its projected second quarter revenue to a little over $15 million (the estimate had been $16-18 million). The problem is the economy, of course. Also in the PR is the announcement that the company will lay off 15% of its staff - about 73 people. Finally, CTO Drew Spencer has left the company.

IBM Delivers Open Platform for Business Partners. IBM has announced a new business platform based on Linux, DB2, WebSphere, and its xSeries servers.

Opera 6.0 released. Opera Software has announced the release of version 6.0 of the Opera web browser for Linux. See the release notes for a list of new features.

Linux Stock Index for May 10 to May 14, 2002.
LSI at closing on May 10, 2002 ... 24.25
LSI at closing on May 14, 2002 ... 25.76

The high for the week was 25.76
The low for the week was 24.25

Press Releases: