
Bringing you the latest news from the Linux World.
Dedicated to keeping Linux users up-to-date, with concise news for all interests



Leading items and editorials


The war requires closed source? Consider, for a moment, this eWeek article, which covers Microsoft VP Jim Allchin's testimony at the antitrust trial:

A senior Microsoft Corp. executive told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan.

Mr. Allchin, of course, is worried about the technical disclosure requirements that the nine dissident states are trying to work into the antitrust settlement.

A high-profile, upstanding, public company like Microsoft would certainly never dream of using the war in Afghanistan just to avoid some commercial discomfort, so one concludes that this threat must be real. The national security of the United States, it would seem, is dependent on the continued security-through-obscurity of closed source code.

Of course, there is no way, really, to know if that claim is true or not. The code is closed, so we will never know where the problems might be until somebody breaks it. The public does not know, the government does not know. There is no way to verify the security of code that is running in truly mission critical situations. Not cool.

The time for entrusting one's security to closed code has certainly passed. That time has passed whether the system in question is used by the kids to play games, is a corporate web server, is used by the CEO to play games, or is used by a general to run a military operation. If you cannot look at your software, you are depending entirely on the "trust me" claims of a corporation which has its own interests at heart. That is not a good position to be in, and it is increasingly unnecessary. The sooner that free software finds its way into "mission critical" applications, the safer we will all be.

Software and warranties. Software is a strange business, in that it manages to escape the consequences of its mistakes in a way that few other industries can manage. If your disk drive explodes, your car's wheels fall off, your toaster catches fire, or your beer fails to make you attractive to the opposite sex, you can sue the manufacturer for damages. Well, maybe the brewer will get away with it. But, in general, vendors cannot escape liability for the things they sell - except for software vendors.

There is a rumbling in the distance, however, that suggests that pressure for change is increasing. The National Academy of Sciences has called for software vendors to be liable for defects in their products. Bruce Schneier has also called for liability as a way of reducing security problems:

If we expect software vendors to reduce features, lengthen development cycles, and invest in secure software development processes, they must be liable for security vulnerabilities in their products.

No doubt liability would change life for software vendors; they would be forced to concentrate far more attention on reliability and security. The cost of software would go up to fund that effort and to pay for liability claims. It would be a different world.

Life would change for free software too, however. If a developer can be sued for a bug which appears in software which was released for free, the supply of free software will dry up in a hurry. Free software developers do not have the resources for fanatical quality control procedures or to buy insurance against liability suits. The free software development process depends heavily on users to help find problems.

Distributors of free software also have much to fear from exposure to product liability suits. Some Linux distributors are more careful than others, but they all package up vast amounts of software that they did not write, and for which they are in no position to write guarantees.

The software business as a whole, perhaps, is not yet in a position to assume liability for its products. The state of the art in software development remains primitive. Yet it would be a good thing to encourage software producers to focus more on the reliability and security of their offerings. But any such change must be done in a way that does not destroy the free software ecology.

One possible position to take could be that closed-source software, being a proprietary black box, should come with warranties and liability coverage. By making its source available (not necessarily with a free license) a company could enable others to audit its software, and, in the act, transfer liability to the users of that software. All free software would, thus, retain its current "no warranty" status. Don't expect proprietary software companies - and the congressmen they buy - to be pleased with that idea, however.

2600 case appeal denied. A U.S. Federal Appeals Court declined to review the 2600 DVD case, leaving the lower court ruling unchanged. Thus, it is still illegal to post the DeCSS code, or even a link to it. The one remaining option at this point is to appeal to the Supreme Court; no decision, yet, has been announced as to whether that course will be followed or not.

The LWN.net Weekly Edition will not be published next week so that the LWN staff can enjoy the Memorial Day holiday, and so we can finish up a surprise that we hope to make available soon. The daily updates page will be maintained as usual, and the Weekly Edition will return on June 6.

Inside this LWN.net weekly edition:

  • Security: Goodbye rlogind; fingerprint scanners; OpenSSH and Mailman releases
  • Kernel: New quota code; the end of /dev/port, misusing copy_*_user.
  • Distributions: Clustering and the Linux distribution; ClosedBSD.
  • Development: GCC 3.1, MnoGoSearch 3.2.4, Analog 5.23, Guikachu 1.2.0, OpenSSH 3.2.2, AlsaPlayer 0.99.70, WaveSurfer 1.4, Netscape 7.0 Preview Release 1.
  • Commerce: FSF Files Brief Amicus Curiae in Eldred v. Ashcroft Supreme Court Case; Ericsson Joins Open Source Development Lab.
  • Letters: Outlawing markers; RMS and GNU/Linux.
...plus the usual array of reports, updates, and announcements.


May 23, 2002

   


Security


News and Editorials

Legacy, security-free protocols: goodbye rlogind (OpenBSD Journal). OpenBSD Journal reports that rlogind and rexecd have been removed from OpenBSD. "Hopefully other operating systems and software vendors will take note and cease having installation or runtime dependencies on r* programs." We certainly agree. Verifying that rlogin and telnet are disabled has been part of securing a Linux installation for as long as your editor can recall.

CRYPTO-GRAM newsletter. Here is Bruce Schneier's CRYPTO-GRAM newsletter for May. It looks at Kerckhoffs' Principle (no security through obscurity) and a technique for fooling fingerprint scanners with fake fingers made of gelatin. "Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence."

International Developers Finger Biometrics as Most Effective User Authentication Method. In contrast to Bruce Schneier's comments (above), Evans Data Corporation has announced the results of the Evans Data Spring 2002 International Developers Survey. "The Evans Data Corp. survey of more than 400 programmers working outside North America found that biometric solutions generally -- and signatures and fingerprint identification specifically -- have the strongest backing among developers seeking tools to help keep computer networks free from unwanted intrusions and other security breaches."

OpenSSH 3.2.2 released. The OpenSSH developers have released OpenSSH 3.2.2. Security fixes and other changes are available in this release.

Mailman 2.0.11 released. Mailman 2.0.11 has been announced. There are fixes for a couple of cross-site scripting vulnerabilities in this release, so an upgrade is recommended.

Security Reports

Remotely-exploitable vulnerability in fetchmail. Unpatched versions of fetchmail prior to 5.9.10 have a remotely-exploitable buffer overflow problem.

Updates which fix the problem have been released by:

SuSE alert for shadow/pam-modules. A security announcement has been released by SuSE for shadow/pam-modules. "The shadow package contains several useful programs to maintain the entries in the /etc/passwd and /etc/shadow files. The SuSE Security Team discovered a vulnerability that allows local attackers to destroy the contents of these files or to extend the group privileges of certain users."

Caldera security update to imapd. Caldera International has issued a security update to imapd fixing a buffer overflow vulnerability in that package.

Red Hat updates for mpg321. Red Hat has issued an update for mpg321 that fixes a network streaming buffer overflow bug.

SuSE alert for lukemftp. SuSE has issued a security alert for the lukemftp ftp client. "A buffer overflow could be triggered by a malicious ftp server while the client parses the PASV ftp command. An attacker who controls an ftp server to which a client using lukemftp is connected can gain remote access to the client's machine with the privileges of the user running lukemftp. [...] The lukemftp RPM package is installed by default."

ViewCVS cross site scripting vulnerability. The problem exists in ViewCVS version 0.9.2 and under. The ViewCVS team is working on a fix. "ViewCVS is a WWW interface for CVS Repositories."

Web scripts. The following web scripts were reported to contain vulnerabilities:

  • Phorum 3.3.2a has a remote command execution vulnerability which is fixed in the May 16, 2002 release of Phorum 3.3.2b3. "Phorum is an OpenSource web based discussion software application written in PHP."

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • Steve Gustin reported path disclosure vulnerabilities in more than fourteen scripts available from CGIScript.net including csBanner.cgi and CSMailto.cgi.

Updates

DHCP remotely exploitable format string vulnerability. The May 8, 2000 release of ISC DHCP 3.0p1 fixes this serious vulnerability in ISC DHCPD 3.0 to 3.0.1rc8 inclusive.

We encourage dhcp users to upgrade, disable dhcp or, at a minimum, consider using ingress filtering as described in the CERT advisory. (First LWN report: May 16).

Note: Distributions which use version 2 of ISC DHCP, such as Red Hat Linux, are not vulnerable.


GNU fileutils race condition. A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).


Problem loading untrusted images in imlib. Versions of imlib prior to 1.9.13 used the NetPBM package in ways which "make it possible for attackers to create image files such that when loaded via software which uses Imlib, could crash the program or potentially allow arbitrary code to be executed." (First LWN report: March 28).


Mozilla XMLHttpRequest file disclosure vulnerability. This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2).

Previous updates:

  • The fix is in Mozilla 1.0 branch nightly builds dated 2 May 2002 or later.

ZDNet also covered the vulnerability with a focus on its presence in Netscape.

Buffer overflow in OpenSSH's sshd. According to the advisory, it could be remotely exploitable, but only under a set of relatively rare conditions: "AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default." (First LWN report: April 25).

The problem is fixed in the OpenSSH 3.2.2 release.


Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

  
	file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7).

Developers using the 4.2.0 branch are not vulnerable because file upload support was completely rewritten for that branch.


Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.

Sharutils potential privilege escalation using uudecode. According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16).


Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a buffer overflow vulnerability in all prior versions. However, newer versions, including 3.6.2, are vulnerable to another buffer overflow in the AFS RPC functions that was reported by Nick Cleaton. (First LWN report: May 9).

Both problems appear to have been reported and fixed in FreeBSD some months ago. The CIAC report on the vulnerability in versions prior to 3.5.2 is dated October 31, 2000. Nick Cleaton's FreeBSD security advisory on the AFS RPC bug, and reference to a fix for FreeBSD, is dated July 17, 2001. Tcpdump 3.7 was released on January 21, 2002.


Webmin/Usermin vulnerabilities. Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum, avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Resources

Linux security week. The and publications from LinuxSecurity.com are available.

Cross Site Scripting FAQ. Cgisecurity.com has published The Cross Site Scripting FAQ "which covers frequently asked questions in relation to Cross Site Scripting Attacks."

Events

Upcoming Security Events.

Canadian Security & Intelligence Conference for 2002 announced. CSICON will be held August 19-21, 2002 at the Hyatt Regency, Calgary, Alberta Canada. "This is a technical security conference aimed at IT Professionals, and IT Security Managers. Enjoy three days filled with presentations and discussions around IT Security issues free of vendor pitches."

ICICS 2002 call for papers. The 4th International Conference on Information and Communications Security will be held December 9-12, 2002 in Singapore. "Original papers on all aspects of information and communications security are solicited for submission. The proceedings of ICICS'02 will be published in Springer-Verlag's Lecture Notes in Computer Science series."

Date | Event | Location
May 27 - 31, 2002 | 3rd International SANE Conference (SANE 2002) | Maastricht, The Netherlands
May 29 - 30, 2002 | RSA Conference 2002 Japan (Akasaka Prince Hotel) | Tokyo, Japan
May 31 - June 1, 2002 | SummerCon 2002 (Renaissance Hotel) | Washington D.C., USA
June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA
June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference (Hilton Waikoloa Village) | Hawaii
June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop (Keltic Lodge, Cape Breton) | Nova Scotia, Canada
June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


May 23, 2002


Kernel development


The current development kernel is 2.5.17, which was announced on May 20. This release includes the new quota code (see below), some VFS changes, and quite a few other improvements and fixes.

Linus released 2.5.16 on May 18; it contained a bunch of low-level x86 paging changes, the usual IDE patches, the 64-bit jiffies patch (no more uptime wraparounds), a bunch of USB updates, an IrDA update, and various other fixes.

Linus has been posting changelogs in a new, shorter format; for those who prefer the details, here are the long-format logs for 2.5.16 and 2.5.17.

The latest prepatch from Dave Jones is 2.5.15-dj2.

The current 2.5 status summary from Guillaume Boissiere is dated May 22.

The current stable kernel release is 2.4.18; Marcelo has not released any 2.4.19 prepatches since May 2.

Alan Cox released 2.4.19-pre8-ac5 on May 20; it contains the latest reverse mapping VM, various copy_to/from_user cleanups (see below), a bunch of aacraid and I2O changes, and many other fixes.

Alan has also released 2.2.21, which contains only one small fix added after the last release candidate.

The new disk quota code went into 2.5.17. The reimplemented quota system is the work of Jan Kara, who has posted a brief summary of the changes.

With the new quota implementation there is, of course, a new quota file format. It brings a number of advantages, including 32-bit user IDs and accounting for file sizes in bytes rather than blocks. Filesystems like ReiserFS, which take pains to store very small files efficiently, will benefit from the more accurate quota accounting. The old quota format is still supported, however, along with any other format that people might wish to implement: quota formats may now be implemented by separate modules and plugged in as needed.

The filesystem interface to quotas has changed, of course. Filesystems now have much more flexibility to override, modify, and extend quota operations. Thus, for example, journaling filesystems can journal quota operations as well.

The old quota tools can be supported through a compatibility interface, but really taking advantage of the new code will require new tools. Those can be found on the Linux quota SourceForge page.

Software suspend goes in. Pavel Machek posted a new version of the software suspend code (written originally by Gabor Kuti) asking "What can I do to make this applied?" The answer, according to Linus, is nothing - he has accepted it for 2.5.18.

The swsusp patch provides a laptop-style suspend capability to any machine, whether the underlying BIOS power management code supports it or not. When you tell your system to suspend (via a "magic sysrq" key, a user-space tool, or /proc/acpi/sleep), it starts by flushing everything to disk that it can. Files are synced to disk, processes are swapped out, and in-kernel data structures are reduced to a minimal state. This step is required to save important data, of course, but it also has the effect of freeing up a great deal of memory which will, then, not need to be saved separately.

The suspend code then sets up a new set of page tables for all remaining memory which must be saved; the swap code, at that point, can be used to save the rest to disk. Once that is done, the system can be halted. Restoring the system is done by booting with the "resume=" option; it pulls in all of the saved memory and generally reverses the steps taken above.

Suspending a running system in this way is a task with many potential pitfalls, and, no doubt, one or two of them remain in the code. It is marked "experimental" for a reason. Nonetheless, this patch has been circulating for a long time, and has been tested by quite a few people. It was time for it to go into the mainline kernel.

Still waiting for kbuild. Keith Owens has sent out his 'third and final attempt' to get a response from Linus on when and how the new kernel build patch might get merged. Linus still appears to not have answered Keith directly, but he did let this slip in a thread on a completely different subject:

I'm hoping we can get there in small steps, rather than a big traumatic merge. I'd love to just try to merge it piecemeal.

This suggests that somebody needs to split apart the kbuild patch into a number of small, incremental steps. Of course, this patch is not the easiest to split in that manner...

/dev/port goes out. Martin Dalecki, seemingly, has not been flamed enough despite all of his IDE work. So he set out to remove the /dev/port device. /dev/port is a pseudo device which makes it easy for suitably privileged application programs to access (x86) I/O ports via read and write calls. Martin cites a number of problems with the code, including the fact that nobody is using it.

Interestingly, Martin didn't get his desired flames, despite a separate attempt to stir them up. Linus agrees that it should probably go; about the only dissent came from Alan Cox, who claims to have seen it used, especially in scripting languages. Linus has not issued a final decree, but it looks like /dev/port is no more.

copy_*_user and errors. The kernel, of course, runs in its own memory space that is distinct from the address space given to each user process. So some care must be taken when moving data between the two; it's not just a matter of following a pointer. The kernel provides a whole set of functions that copy data between kernel and user space; the two most general are called copy_to_user and copy_from_user.

A common convention for utility routines within the kernel is to return zero on success, and an error code (suitable for passing back to user space) on failure. But the copy functions are different: they return the number of bytes that were not actually copied. For most operations, that value will be zero - everything is copied as requested. When something goes wrong, however, the return value tells just how far into the operation the error happened.

Rusty Russell sees a problem with this interface: kernel programmers get confused and expect that the copy functions follow the same conventions as most other kernel utilities. That leads to code like the following (taken from the Intermezzo filesystem):

        error = copy_from_user(&hdr, buf, sizeof(hdr));
        if ( error )
                return error;

The problem, of course, is that the "error" returned to the user does not look like an error code. Thus problems are not caught and bugs result. That's when the programmer is happy that liability laws have not caught up to software yet.
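
The trap described above, modelled in user space as an added example (not code from the kernel or from this article): mock_copy_from_user(), struct fake_user_buf and struct hdr are hypothetical stand-ins that reproduce only the "bytes not copied" return convention, and the -4095 bound is the MAX_ERRNO value used by current kernels. It puts the quoted pattern beside the conventional caller-side fix of returning -EFAULT.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "user" buffer: only the first `readable` bytes can be
 * accessed; anything beyond models a fault on an unmapped page. */
struct fake_user_buf {
    const unsigned char *data;
    unsigned long readable;
};

/* Same contract as the kernel helper: returns the number of bytes that
 * could NOT be copied, so 0 means complete success. */
static unsigned long mock_copy_from_user(void *to,
                                         const struct fake_user_buf *from,
                                         unsigned long n)
{
    unsigned long ok = n < from->readable ? n : from->readable;

    memcpy(to, from->data, ok);
    return n - ok;
}

/* Hypothetical 16-byte header, standing in for the one in the snippet. */
struct hdr {
    unsigned char bytes[16];
};

/* The pattern quoted in the article: the residual byte count is handed
 * back to the caller as if it were an error code. */
static long read_hdr_buggy(struct hdr *hdr, const struct fake_user_buf *buf)
{
    long error = (long)mock_copy_from_user(hdr, buf, sizeof(*hdr));

    if (error)
        return error;   /* positive count, not a negative errno */
    return 0;
}

/* Conventional fix: any non-zero residue becomes -EFAULT. */
static long read_hdr_fixed(struct hdr *hdr, const struct fake_user_buf *buf)
{
    if (mock_copy_from_user(hdr, buf, sizeof(*hdr)))
        return -EFAULT;
    return 0;
}

/* A return value is treated as a failure only when it lies in the
 * negative errno range (assumption: MAX_ERRNO = 4095, as in current
 * kernels). A positive residue therefore reads as success. */
static int looks_like_error(long ret)
{
    return ret < 0 && ret >= -4095;
}

int main(void)
{
    static const unsigned char raw[16] = { 0 };      /* constructed input */
    struct fake_user_buf whole = { raw, sizeof(raw) };
    struct fake_user_buf partial = { raw, 6 };       /* faults after 6 bytes */
    struct hdr hdr;
    long ret;

    ret = read_hdr_buggy(&hdr, &whole);
    printf("buggy, full copy:   ret=%ld error=%d\n", ret, looks_like_error(ret));

    ret = read_hdr_buggy(&hdr, &partial);
    printf("buggy, faulted:     ret=%ld error=%d\n", ret, looks_like_error(ret));

    ret = read_hdr_fixed(&hdr, &partial);
    printf("fixed, faulted:     ret=%ld error=%d\n", ret, looks_like_error(ret));
    return 0;
}
```

In the faulted case the buggy variant returns the count of uncopied bytes, which a caller that checks for a negative errno takes for success while the header is only partly filled in.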

Rusty states that, of the 5500 copy calls in the kernel, 415 are incorrect, despite an audit done one year ago. He would like to change the copy functions to return an error code like most other utilities, or to send a segmentation fault signal and return nothing at all. Either solution would eliminate what he sees as a trap which trips up many or most kernel programmers sooner or later. (Of course, being Rusty, he expressed it in a rather more colorful manner).

Making internal kernel interfaces safer to use seems like a good cause, but Rusty seems to be mostly alone on this one. The main counterpoint is that the "partial success" return value can be useful in some situations: restarting system calls after signals or simply reporting a partial result back to user space. There are, however, very few places in the code where that information is actually used.

On the other hand, it has been pointed out that a partial success value "n" need not indicate that the first n bytes were copied. Trying to speed things up with fancy MMX instructions could cause things to be copied in strange orders. Andrew Morton has also pointed out a bug in the copy code that can corrupt data (though it's not something that comes up in normal use). That bug could be fixed by copying from the far end of the array first in some situations. The point of all this is that a partial success might not tell you which bytes were actually copied.

That notwithstanding, it looks like very little will actually change - Linus has spoken:

The current interface is quite well-defined, and has good semantics. Every single argument against it has been totally bogus, with no redeeming values.

One cannot accuse Linus of not being clear on what he thinks.

So the one remaining approach, it seems, is to simply go through and fix all of the broken copy calls on a regular basis. Arnaldo Carvalho de Melo has already jumped into that task, posting fixes for intermezzo, OSS, ISDN, block drivers, and USB. But chances are more mistakes will creep in with future patches.

Section Editor: Jonathan Corbet


May 23, 2002


Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

Clustering and the Linux distribution. Distributions that manage computer clusters have a somewhat different task than the usual server or workstation distributions. Good clustering software will create a whole that is greater than the sum of its parts. But when the software is not properly configured, the cluster could instead become less than the sum of its parts. There are several cluster distributions already on the LWN list, scattered over several categories. For example, the Rock Linux Massively Parallel Processing (MPP) project is closely tied to its well-known parent.

MSC.Software built MSC.Linux for high-performance, high-availability, cluster computing. Clearly it's a special purpose distribution. Also specialized, but listed under CD-based, is ClumpOS. ClumpOS is a Linux/MOSIX mini-distribution designed to allow you to quickly, or temporarily, add nodes to a MOSIX cluster.

Scyld Beowulf, from the original Beowulf development team, is tied to its hardware, as is the PowerPC-based Black Lab Linux.

In addition to these distributions, there are a number of clustering packages that are designed to run on top of an operating system. There are commercial packages that will even support the use of multiple operating systems within the cluster. These products are not in the scope of this page. However, other projects provide a specially configured distribution, bundled with its unique cluster management software. These latter products may evolve into unique distributions. Thanks to Andrew Shewmaker, we'll introduce two cluster projects that may have crossed that fuzzy line between a software package and a Linux distribution.

Red Hat based OSCAR is a fully integrated and easy to install software bundle designed for high performance cluster computing. OSCAR v1.2.1rh72 is based on RH 7.2; OSCAR v1.2.1 is based on RH 7.1; and OSCAR v1.0 is still available, and is based on RH 6.2.

NPACI Rocks is built on top of Red Hat 7.2 releases, and supports x86 processors. Rocks makes complete OS installation on a node the basic management tool in order to reduce the complexity of cluster management.

New Distributions

ClosedBSD. ClosedBSD is a firewall and network address translation utility which boots off of a single floppy disk or CDROM, and requires no hard drive. ClosedBSD is based on the FreeBSD kernel, and uses ipfw as its native ruleset management system, and natd as its network address translation utility. (Thanks to Werner vanWaesberghe)

Distribution News

Debian News. The Debian Weekly News for May 15 is available, with coverage of the bug tracking system redesign, the second Debian Conference, the new SGML/XML policy group, and numerous other topics.

Debian Leader Bdale Garbee has sent out his second 'Bits from the DPL' column; this one looks at the numerous architectures supported by the Debian distribution. "A more recent example (that we are working through right now) is how our security team can quickly get a new package version built and uploaded for all of our architectures. A good solution, that involves giving them a high priority path through our autobuilders, is nearly implemented and is the last major hurdle before woody releases."

Here is the final Debconf schedule, barring any changes of course.

Mandrake Linux. MandrakeSoft has released new grpmi packages for ML 8.2 on PPC systems. This should fix that segfault you got when downloading updates with rpmdrake.

Red Hat kernel enhancement for S/390. Red Hat has released updated 2.4 kernel packages for Red Hat 7.2 on S/390 and zSeries systems. Included in the new kernel is the Open Source LCS driver for both the OSA-2 Ethernet Token Ring card and the OSA-Express Fast Ethernet card in non-QDIO mode.

Slackware Linux. Slackware Linux has another long list of changes to Slackware-current for this week.

Turbolinux. Turbolinux has announced the availability of Turbolinux (TL) 8 Workstation. This release has the latest volume management capabilities and provides a complete desktop solution for development and multimedia environments.

Minor Distribution updates

2-Disk Xwindow System. The 2-Disk Xwindow System has released v1.4rc12 with major feature enhancements.

ALT Linux. ALT Linux announced a new ALT Linux Master for education program which includes discount prices on ALT Linux Master 2.0 for educational institutions which use or plan to use Linux-based training in their educational programs. There is also a new mailing list, created to discuss issues of using free software in education. Subscribe to Freeschool@altlinux.ru here.

Astaro Security Linux. Astaro Security Linux has released its stable version 2.024 for Sun Cobalt with minor security fixes.

Kondara MNU/Linux. Kondara MNU/Linux has a number of security fixes available for hanibi.

Lunar-Linux. Lunar-Linux has released the latest version of its Lunar Linux XFCE theme. Lunar-Linux is still working toward version 1.0. There is a progress report, of sorts, here.

Sorcerer. Sorcerer has a new Install/Rescue ISO9660 available. "Due to a few reports of people having trouble with the May 1st ISO9660, I rechecked it, smote a few small and inconsequential bugs, updated the installed software, and uploaded a new one. The xdelta update is half a meg."

Distribution Reviews

The Debian Packaging System (LinuxGuru). LinuxGuru looks at the Debian packaging system. "Debian's packaging system contains a very useful and advanced (speaking in a coders point of view) feature called 'apt-get'. 'Apt-get,' is a command of the Debian packaging system that allows you to get applications off of the Internet, or CD-ROM."

Mandrake Linux 8.2 reviews. MandrakeForum points to three reviews of ML 8.2.

Reviews of SuSE Linux 8.0. This review on Linux and Main is not very flattering. "It's unlikely that anyone who is not already running SuSE Linux is going to show much interest in the new version. There is no compelling reason to switch on 8.0's account, nor is there any technical reason among current distributions to abandon another one in favor of SuSE. This means the question comes down to whether there is anything about 8.0 that would lure existing SuSErs to upgrade. If there is, we didn't find it."

Tux Reports does not paint a better picture. "After only spending the weekend with the system we can't recommend this distribution on the PL133 chipset board. Red Hat 7.2 seems to have worked beautifully but SuSE 8.0 is too slow. The system slows and stops - sometimes at random."

SuSE fans. Instead of writing to us to tell us why these reviews are "wrong", please point us to better reviews, or write your own, to let people know the good things about SuSE 8.0 Pro.

Section Editor: Rebecca Sobol


May 23, 2002

Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.

Distribution Lists:
LWN List
DistroWatch
ibiblio
Linux.com
LinuxLinks
LDP English-language GNU/Linux distributions on CD-ROM
Woven Goods

   


See also: last week's Development page.

Development projects


News and Editorials

GNU Compiler Collection 3.1

Version 3.1 of GCC, the GNU Compiler Collection, has been announced. "In this release, we focused more on quality than new features; many bugs were fixed. We worked very hard to fix bugs that were introduced in GCC 3.0, but that were not present in previous releases of the compiler. We also worked hard to eliminate new bugs.

We have continued to improve the standards conformance in the C, C++ and Java compilers, added support for profile-directed optimizations, improved support for many chips used in embedded systems, added an Ada compiler, and added support for the x86-64 architecture." [GCC]

The Changes document shows a long list of new features:

Caveats include deprecation of the -traditional option, and a change of the default debugging format from the stabs format to DWARF2.

Optimizer improvements include the contribution of the infrastructure for profile-driven optimizations from SuSE and Red Hat. The tree in-lining infrastructure has been generalized, allowing more optimization opportunities. The back ends of several targets now have support for data pre-fetching, and macros can now emit debugging information.

Many improvements have been added to the C, C++, Objective-C, Java, and FORTRAN compilers.

An Ada 95 front end has been added; work is still in progress.

New targets include the MMIX, the CRIS, and the SuperH. Other targets have had improved support. A number of old target architectures have been declared obsolete - Elxsi owners had better speak up now if they don't want to lose support.

See the updated online manual for more information.

GCC 3.1 is available here. (Thanks to Pat Eyler.)

Audio Projects

Jack news. The latest news from the Jack low-latency audio server project includes a new FAQ entry on tuning Jack's performance, and rumors of an upcoming public release.

Databases

SAP DB Version 7.3.00.23 released. Version 7.3.00.23 of SAP DB has been announced. This is mainly a bug fix release, see the release information for all of the details.

Electronics

Icarus Verilog 20020519. A new development snapshot of the Icarus Verilog electronic simulation language compiler has been released. A number of bug fixes are included, see the release notes for the details.

Embedded Systems

Linux Devices Embedded Linux Newsletter. The May 16, 2002 edition of the Linux Devices Embedded Linux Newsletter looks at the SNOM 100 VOIP phone, the Rio Central digital audio center, the ELC's platform standard, NIC contest winners, and more.

Libraries

Override the GNU C library -- painlessly (IBM developerWorks). Here is a developerWorks article on working around glibc return arguments. "What do you do if you don't have the source for your application and it's failing because a GNU Library for C (glibc) function is returning something bad to the application? Because glibc is open-source, you can of course get the source code, make your changes, rebuild, and install. This is not for the faint of heart, however, because although the API is well documented, the internal organization of the GNU C library is not. Finding the correct function prototypes is only the first of many challenges. It's a big package as well, so the first time you compile, it will take some time (glibc 2.2.2 has 8,552 files and 1,775,440 lines of code, including comments)."

Mail Software

Mailman 2.0.11 released. Mailman 2.0.11 has been announced. There are fixes for a couple of cross-site scripting vulnerabilities in this release, so an upgrade is recommended.

System Administration

Poor Sysadmin's Guide to Remote Linux Administration (O'Reilly). O'Reilly is running an article by Kendall Clark that shows how to set up a Daemon Monitoring Daemon (DMD). "I suppose for many free software users, uptime mania is something of an occupational hazard. There is a kind of Zen-like sysadmin virtue which comes from implementing a clever, efficient, and inexpensive hack, but especially if that hack increases uptime and service quality."

Web-site Development

MnoGoSearch version 3.2.4. Version 3.2.4 of the mnoGoSearch web site search engine is available. Lots of improvements and bug fixes are included - see the change log for the details.

Analog version 5.23. Version 5.23 of the Analog web log file analyzer is available. The What's New document lists the changes, which are mainly security related.

Zope Members News. The latest Zope Members News examines new releases of TextIndexNG, MySQL User Folder, and External Editor.

Using Zope With Apache (Developer Shed). Developer Shed looks at Zope/Apache integration. "While Zope is a remarkably full-featured solution, it's not always the best one for a live Web site or Web application. If you're developing a complex Web application with sophisticated business logic and lots of interconnected routines, Zope is a great sandbox to play in. If, on the other hand, you're merely putting up Grandma's chocolate chip cookies on the Web, you're going to find Zope way too complex for your relatively-simpler needs."

Miscellaneous

Guikachu 1.2.0: 'The Inevitable Return' released. A new version of Guikachu has been announced. "Guikachu is the premiere solution for creating PalmOS resource files on UNIX operating systems, and it is also available as Free Software, as defined by the GNU GPL." This version features support for string list resources, usability improvements, support for the eBookMan palmtop, better font support, and bug fixes.

OpenSSH 3.2.2 released. OpenSSH has released OpenSSH 3.2.2. Security fixes and other changes are available in this release.

O'Reilly's Linux DevCenter features an article by Noel Davis that looks at the new version of OpenSSH in addition to a few more security updates.

Schedutils 0.0.5 released. A new release of the schedutils suite of tools for manipulating the Linux scheduler has been announced.


May 23, 2002


Application Links
GIMP
Mozilla
Galeon
High Availability
ht://Dig
mnoGoSearch
MagicPoint
Wine
Worldforge
Zope

Open Source Code Collections
Berlios
Freshmeat
OpenSourceDirectory
Savannah
Le Serveur Libre
SourceForge
Sweetcode

   

 

Desktop Development


Audio Applications

AlsaPlayer 0.99.70. AlsaPlayer version 0.99.70 has been released. Changes include: "lots of bug fixes, brandnew libalsaplayer API, new FLAC input plugin, new JACK output plugin. XING header parsing, etc."

WaveSurfer version 1.4 released. A new version of the WaveSurfer audio file visualization and manipulation tool has been released. Version 1.4 features new pitch and formant tracking capabilities, bug fixes, and better documentation. See the changes file for more information.

Web Browsers

Galeon 2 beta coming soon (FootNotes). According to FootNotes, a new beta release of Galeon 2 is coming soon.

Mozilla Status Update. The May 16, 2002 Mozilla Status Update covers module updates for Necko, Imagelib, and XPCOM.

Netscape 7.0 Preview Release 1 (MozillaZine). MozillaZine has an announcement for a new version of Netscape. "Netscape today unveiled Netscape 7.0 Preview Release 1, the first beta of its successor to Netscape 6. The preview is based on the recent Mozilla 1.0 RC2 build and features most of the enhancements that have been added to Mozilla since Netscape 6.2 was released, including tabbed browsing, print preview, the ability to save complete web pages, email return receipts, message labels and S/MIME support."

Desktop Environments

Knoda 0.5.2 has been released. Version 0.5.2 of the Knoda relational database GUI for KDE has been released. This version features bug fixes and a newly rewritten grid widget, among other things.

KDE on Cygwin: 2.2.2 Beta 1 Release Available. Version 2.2.2 Beta 1 of KDE on Cygwin has been announced. "The KDE on Cygwin project, the project to port Qt and KDE to Windows, has announced the first beta release of KDE 2.2.2 for Cygwin and Cygwin/XFree86."

GNOME 2.0 Desktop Beta 5: "Reciprocity". The GNOME 2.0 Desktop Beta 5 release, "Reciprocity", is ready for your bug-busting and testing pleasure!

This week's GNOME Summary. Here's the GNOME Summary for May 18. It looks at the fifth GNOME 2 beta, the upcoming Galeon2 release, Freedesktop.org, and numerous other topics.

Games

New stuff on PyGame. The PyGame site features new versions of Pyddr and Cog engine.

GUI Packages

FLTK news. The latest news additions on the FLTK site include a new version of fltdj, The Daily Journal 0.6.1, and a chooser design contest for FLTK.

Open Motif Call for Participation. There is a Call for Participation on the Open Motif site. "The OpenMotif team is looking for people to help define and develop OpenMotif 2.3! A lot of progress has been made since the original 2.2 release, but there is much more to be done."

Glade 1.1.0 released (FootNotes). The FootNotes site mentions a new release of the Glade GUI builder for GTK+ 2 and GNOME 2. Testers are needed.

Interoperability

Kernel Cousin Wine #123. Issue #123 of Kernel Cousin Wine covers the May 9 release of Wine, component owners, patch trading, global Wine configuration, WineLib, Cross-compiling Wine, and more.

Office Applications

AbiWord Weekly News #92. This week's AbiWord Weekly News is out, with the latest development news from the AbiWord word processor project. Bug fixing continues to be the main topic.

 
Desktop Environments
GNOME
GNUstep
KDE
XFce
XFree86

Window Managers
Afterstep
Enlightenment
FVWM2
IceWM
Sawfish
WindowMaker

Widget Sets
GTK+
Qt
   

 

Languages and Tools


Caml

The Caml Weekly News. The May 21, 2002 edition of the Caml Weekly News covers C stubs, COM binding with CAMLIDL, Dynamic Caml v0.2, Surreal-0.0.3, and solutions for OCaml packaging problems.

The Caml Hump. This week's Caml Hump looks at Hevea - A quite complete and fast LaTeX to HTML translator, Surreal - An exact real arithmetic library for Objective Caml, Dynamic Caml - A high-level run-time code generation library for Objective Caml, and mlglade - A Glade to OCaml compiler.

Haskell

Haskell Communities and Activities Report. The second edition of the Haskell Communities and Activities Report has been announced. Check it out to see what the Haskell community has been up to in the last six months.

Java

Double-checked locking and the Singleton pattern (IBM developerWorks). Peter Haggar writes about pitfalls with Java's Double-checked locking. "The Java programming language contains several useful programming idioms. It also contains some that further study has shown should not be used. Double-checked locking is one such idiom that should never be used. In this article, Peter Haggar examines the roots of the double-checked locking idiom, why it was developed, and why it doesn't work."

Why Data Binding Matters (O'Reilly). Brett McLaughlin discusses the Java Data Binding API for XML. "OK, I know what you're thinking: 'So now I'm going to be told that I need another API for working with XML. Come on, give me a break!'"

Perl

The Perl You Need To Know - Part 3 (O'Reilly). Stas Bekman continues his series on Perl with Part 3. "This article is the third in our series talking about the essential Perl basics that you should know before starting to program for mod_perl.

You will hear a lot about namespaces, symbol tables and lexical scoping in Perl discussions"

Perl 6 Answers (use Perl). Use Perl has the answers to the questions that were asked in last week's online poll for Perl 6 questions.

PHP

Using Java objects in PHP scripts (Zend). John Coggeshall discusses the use of Java objects in PHP scripts in a two-part article. See Part 1 and Part 2 of the article.

Python

Py in Print (O'Reilly). Stephen Figgins talks about the Python technical journal, Py. "When Bryan Richard wrote me a few months ago to ask if I thought a Python magazine would make it, I told him it probably would, if it were a labor of love. I didn't think he would make much money off the venture, but it would sure be great to have something out there. Maybe it could take off the way The Perl Journal did. Bryan decided it was love, and a few months later, the first issue Py was mailed out to early subscribers."

The Daily Python-URL. This week, the Daily Python-URL looks at stackless Python, MoinMoin, Python's evolution, a new Python Business Forum, and wxHTML for beginners.

Ruby

The Ruby Garden. This week, The Ruby Garden looks at nested classes, a rand method for Enumerable, Perl's Parrot and Ruby, Ruby hashes, and more.

The Ruby Weekly News. The Ruby Weekly News for May 20, 2002 looks at the following Ruby projects: REXML 2.3.3, DBTalk 0.6, FXRuby-1.0.10, JRuby 1.6/0.5.0 beta, RubyRED 1.0 alpha, XML Serialization 1.0.pre3, and the RubyEclipse IDE.

Miscellaneous

Revenge of the Nerds. Paul Graham has expanded on his keynote on programming languages, with a paper entitled "Revenge of the Nerds".

"The pointy-haired boss miraculously combines two qualities that are common by themselves, but rarely seen together: (a) he knows nothing whatsoever about technology, and (b) he has very strong opinions about it.

Suppose, for example, you need to write a piece of software. The pointy-haired boss has no idea how this software has to work, and can't tell one programming language from another, and yet he knows what language you should write it in. Right: he thinks you should write it in Java."

Lisp programmers, in particular, should like this piece.

Section Editor: Forrest Cook

 
Language Links
Caml
Caml Hump
Tiny COBOL
Erlang
g95 Fortran
Gnu Compiler Collection (GCC)
Gnu Compiler for the Java Language (GCJ)
Guile
Haskell
IBM Java Zone
Jython
Free the X3J Thirteen (Lisp)
Use Perl
O'Reilly's perl.com
Dr. Dobbs' Perl
PHP
PHP Weekly Summary
Daily Python-URL
Python.org
Python.faqts
Python Eggs
Ruby
Ruby Garden
MIT Scheme
Schemers
Squeak
Smalltalk
Why Smalltalk
Tcl Developer Xchange
Tcl-tk.net
O'Reilly's XML.com
Regular Expressions
   


See also: last week's Commerce page.

Linux and Business


FSF Files Brief Amicus Curiae in Eldred v. Ashcroft Supreme Court Case. The Free Software Foundation (FSF) has filed a Brief Amicus Curiae in the pending Supreme Court case, Eldred v. Ashcroft. The future of copyright law in the digital age is at issue in this case, which seeks to extend copyright protection and withhold material from the public domain.

Ericsson Joins Open Source Development Lab (OSDL). Ericsson has joined the Open Source Development Lab. "Open Source Development Lab (OSDL) today announced that telecommunications industry leader Ericsson has been added to its roster of members aligned to guide Linux development for the telecommunications market segment. Ericsson will participate in the OSDL Carrier Grade Linux Working Group established earlier this year. Together, OSDL industry leaders and open source community members are developing feature roadmaps to enable Linux for the telecommunications and enterprise market segments."

Open Letter from Lavi Lev, Cadence Design Systems, Inc. Lavi Lev of Cadence Design Systems is calling for EDA companies to adopt an open source database API for Integrated Circuit design companies. "If we all open our databases, the industry will reduce unnecessary costs to the customer and allow the EDA and electronics industries' combined energies to focus on addressing the complexity of chip designs. This will provide significant benefits for both the EDA and electronics industries."

VA Software reports results. Here's a press release from VA Software on its quarterly results. The company lost $7.7 million over the quarter ($4.7 million if you ignore the stuff they sweep under the rug) on $5.1 million in revenue. "SourceForge continued to gain acceptance and is currently installed in more than 20 customer accounts."

Reuters Supports Adoption of Linux in Financial Services Industry Using Intel Based Servers. Here is a press release from HP about Reuters' plans to make the Reuters Market Data System (RMDS) available on Intel-based servers with Linux, with the help of HP, Intel and Red Hat.

Embedded Linux Journal Ceases Print Publication. Here's a copy of a note sent to Embedded Linux Journal subscribers. ELJ will no longer be available in print. You can expect to find an Embedded Linux section in the print copies of Linux Journal, beginning in August. (Thanks to Alex Perry)

Sun releases StarOffice 6.0. Sun has released StarOffice version 6.0 for Solaris, Linux, and Windows. It is, of course, commercial software and the price is $75.95. (Thanks to Martin Rowe.)

Linux Stock Index for May 21 to May 22, 2002.
LSI at closing on May 21, 2002 ... 24.78
LSI at closing on May 22, 2002 ... 24.89
The high for the week was 24.89
The low for the week was 24.78

Press Releases: