
Leading items and editorials


The joy of an unstable life. Some time ago, your editor was discussing Linux distributions on a mailing list for computer book authors. A correspondent there described the Debian distribution as "stale," far behind such modern products as Slackware. Perhaps that description is accurate: what do you say about a distribution that is still based on the 2.2 kernel, glibc 2.1, GNOME 1.0, and which does not include KDE at all? It does look like it is getting a little dusty.

The interesting thing, of course, is that many (perhaps even most?) Debian users are not running the 2.2 "potato" release. With a quick configuration file edit and a massive apt-get command, any system can be upgraded to the unstable "sid" release. This is where Debian development is done, and it's anything but stale. If you want the bleeding edge, you'll probably find it there.

The unstable distribution is not for everybody, of course. Your editor once performed an upgrade during a short window when the PAM packages were broken; the result was a system that nobody could log into. Following unstable through a major Perl or Python transition can be a bit of a challenge. And you never know what surprises may lurk within the latest version of your favorite utility. Unstable remains popular, though, and it is interesting to ponder why. There are things to be learned about the free software development process in the dynamics of the unstable distribution.

The first thing worth pointing out, of course, is that the unstable distribution is usually solid as a rock. It's almost too stable, in that users can easily get into the habit of tracking the bleeding edge without watching (and being prepared) for problems. It works almost all the time.

It is fun to be a part of the free software development process, and Debian unstable offers a relatively easy entry point into that process. If you want to see the latest feature in Galeon, check out what new video game has been added to emacs, or find out how badly the new binutils breaks kernel compilation, sid makes it easy. A simple upgrade command brings in the latest version, and all those obnoxious library dependency problems just go away. Anybody who wants to add their eyeballs to the thousands looking for bugs need only run unstable.

Unstable also makes life easy for people who want to try out new software. It is still a rare distribution, for example, that includes Evolution 1.0 or later. When dealing with modern graphical applications, installing a package or building from source leads straight to shared library dependency madness. Sid users, however, need only type an apt-get command. This capability makes a whole range of interesting software available in a hassle-free manner.

Free Software is a living product. As soon as it is burned onto a CD and stuffed into a box, a part of it dies. Half-dead software may be just what is needed for that corporate mail server, but it deprives the user of part of the free software community experience. Distributions like Debian unstable help to bring back part of that experience.

(Debian, of course, also has a "testing" distribution which is not quite so quick to update as sid. Debian is also certainly not the only distributor which makes a development version available. Mandrake Cooker is a great example of a development distribution with an active user community. Red Hat still makes "Rawhide" available, though they do not make it easy to find. Conectiva has a "Snapshot" distribution available, complete with a list of developers who are responsible for the most bugs; Conectiva has an APT interface as well, of course. Most other distributors do not make their development versions available, which is a loss for both the distributor and the users.)

Open source licensing helps racism? The Anti-Defamation league has posted a report on racist video games. Indeed, some of the stuff being circulated out there looks to be seriously vile. What we are interested in here, however, is the ADL's look at how the games were made:

Making Ethnic Cleansing was fairly simple. Its designers were able to use a powerful, freely available open-source game program or engine that "drives" the program by providing the basic operating instructions to the computer. The designers then simply plug in their message of hate.

A bit more of where they are going with this argument can be seen in this ZDNet article:

Brian Marcus, a researcher in the ADL's Internet monitoring unit and author of the report, acknowledged the difficulty of using software licensing restrictions to limit hate speech, especially among the largely self-policing open-source community.

There is no questioning the evil of racist video games. A proper game, after all, should allow the violent, bloody slaughter of dozens of people of all races. But when people start to point at open source licensing as part of the problem, it is time to get worried.

Should open source licensing prohibit racist uses of the software? The Open Source Definition is explicit on that point:

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

...or from being used in appalling, hate-promoting games.

Software developers are already coming under attack for writing code that is seen to promote (or simply fails to prevent) copyright infringement. The last thing we need is to be told that we must not allow our software to be used to promote racism. It's a small step from there to no end of other restrictions. The fight against racism is important and deserves our support, but that fight can not be won through the sacrifice of other rights.

Inside this LWN.net weekly edition:

  • Security: Internet draft on responsible security disclosure.
  • Kernel: The beginnings of the rmap merge; shared page tables; the net gods are merciful.
  • Distributions: TopologiLinux returns; Tinfoil Hat Linux.
  • Development: Fenris tracer, Knoda database GUI, CUPS v1.1.14, ASPSeek 1.2.8, Analog 5.21, KDE 3.0 beta2, Gnome on Slackware, Flightgear simulator, Rindolf Perl dialect, Anjuta 0.1.9.
  • Commerce: Mandrake Linux Corporate Club launched; Lindows.com Releases Opposition Papers; IDG's spam database.
  • Letters: ALSA; Sync and bad assumptions.
...plus the usual array of reports, updates, and announcements.


February 21, 2002

   


Security


News and Editorials

Defining a reasonable disclosure process. Steve Christey and Chris Wysopal have released a draft document titled "Reasonable Disclosure Process," which is on its way to becoming an IETF standard. This document attempts to lay out the responsibilities of all those who have to deal with security vulnerabilities. Since it touches on the controversial topic of disclosure, there is likely to be some disagreement on what the document says.

As might be expected, the draft tries to balance the interests of vendors, customers, and those who discover security holes. It provides a detailed and formal set of events that is supposed to happen:

  1. Avoidance of vulnerabilities in the first place.
  2. Discovery of the problem.
  3. Vendor notification.
  4. Acknowledgement of the notification from the vendor (within seven days).
  5. Verification of the problem by the vendor.
  6. Resolution of the problem (within 30 days).
  7. General release of information on the problem.
  8. Follow-up.

In general, people who discover vulnerabilities are not supposed to announce them generally until the release stage has been achieved. The vendor is supposed to provide a status update to the reporter every seven days, and the reporter should keep silence as long as the vendor appears to be making a good faith effort toward a solution. This process could drag on for some time:

The Reporter SHOULD recognize that it may be difficult for a Vendor to resolve a vulnerability within 30 days if (1) the problem is related to insecure design, (2) the Vendor has a diverse set of hardware, operating systems, and/or product versions to support, or (3) the Vendor is not skilled in security.

What happens if the vendor is not serious? The draft calls for a "coordinator" role; the coordinator should arbitrate between the reporter and the vendor, and help decide if a disclosure of the vulnerability is called for.

Who are these coordinators? The draft is vague:

A Coordinator is an individual or organization who works with the Reporter and the Vendor to analyze and address the vulnerability. Coordinators are often well-known third parties. Coordinators may have resources, credibility, or working relationships that exceed those of the reporter or vendors. Coordinators may serve as proxies for reporters, help to verify the reporter's claims, resolve conflicts, and work with all parties to resolve the vulnerability in a satisfactory manner.

A role which is so vaguely defined seems unlikely to be filled in a manner that is satisfactory to all parties.

Even when a security vulnerability is released, the draft allows a vendor to sit on the details of the problem for 30 additional days. The idea, of course, is to allow time for patches to be applied before more detailed information becomes available. Such a delay may be useful for closed-source code; it won't help much for free software, however.

There is currently an open comment period on this draft; see the announcement for information on how to send in your suggestions.

CRYPTO-GRAM Newsletter. Here's Bruce Schneier's CRYPTO-GRAM Newsletter for February. The main topics covered are Microsoft's security PR and Oracle's not-so-unbreakable system. "In addition to making its protocols and interfaces public, we suggest that Microsoft consider making its entire source code public. We're not advocating that Microsoft make its products open source, but if they really want to impress everyone about their newfound security religion, they will make their code available for inspection."

Security Reports

Debian security updates to hanterm, ncurses. The Debian Project has issued security updates to hanterm (fixing a set of buffer overflow problems) and ncurses (also fixing a buffer overflow).

Buffer overflow in exim. Ehud Tenenbaum has reported a buffer overflow in the exim mailer, versions 3.34 and prior. No known exploits exist at this time.

Web scripts. The following web scripts were reported to contain vulnerabilities:

  • The "slash" weblog package has a cross-site scripting vulnerability affecting versions prior to 2.2.5. Sites running older versions should upgrade to 2.2.5, which has been out for a couple of weeks.

Updates

Buffer overflow in CUPS. Versions of the Common Unix Print System prior to 1.1.14 have a buffer overflow vulnerability. (First LWN report: February 14).


Multiple vulnerabilities in SNMP implementations. Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).


Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.


Remote command execution vulnerability in uucp. The uuxqt utility in the uucp package does not properly check its options, allowing an attacker to run arbitrary commands. (First LWN report: January 24, 2002).


Resources

Security: Key Players - HP (IT-Director). IT-Director sees HP as a growing force in computer security. "HP development in the Linux area is concentrated on providing secure compartmentalisation. The target market for this is primarily service providers, who are keen to deploy high specification servers that can support multiple clients. Plainly, there must be strong security separating individual clients. Linux is popular in the service provider market, and there is also interest from SAP."

Linux security week. The and publications from LinuxSecurity.com are available.

Events

Upcoming Security Events.
Date | Event | Location
February 20 - 22, 2002 | RSA Conference 2002 | San Jose, CA., USA
February 25 - March 1, 2002 | Secure Trusted OS Consortium - Quarterly Meeting (STOS) (Hyperdigm Research) | Chantilly, VA, USA
March 11 - 14, 2002 | Financial Cryptography 2002 | Southampton, Bermuda
March 18 - 21, 2002 | Sixth Annual Distributed Objects and Components Security Workshop (Pier 5 Hotel at the Inner Harbor) | Baltimore, Maryland, USA
March 18 - 20, 2002 | InfoSec World Conference and Expo/2002 | Orlando, FL, USA
April 1 - 7, 2002 | SANS 2002 | Orlando, FL., USA
April 5 - 7, 2002 | Rubicon | Detroit, Michigan, USA
April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC
April 14 - 15, 2002 | Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel) | San Francisco, California, USA
April 16 - 19, 2002 | The Twelfth Conference on Computers, Freedom & Privacy (Cathedral Hill Hotel) | San Francisco, California, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet



Kernel development


The current development kernel release is 2.5.5, which was released on February 20. It incorporates a fair number of changes since the last prepatch, including a bunch of ALSA fixes, more VFS work from Al Viro, a number of USB updates, some big NFS server fixes, and the first (small) bit of merging from Rik van Riel's virtual memory work.

The latest patch from Dave Jones is 2.5.4-dj3; it is caught up to 2.4.18-rc2 and 2.5.5-pre1, and adds a number of small fixes as well.

The current stable kernel release is 2.4.17. The 2.4.18 release is getting closer; Marcelo released the second release candidate on February 18.

Alan Cox's latest patch is 2.4.18-rc2-ac1; it adds version 12f of the reverse mapping VM, an address space accounting system, IBM's JFS journaling filesystem, and a number of fixes.

Other recent 2.4-based kernel trees include 2.4.18-rc1-shawn6 from Shawn Starr (adding rmap, the new IDE code, and the XFS filesystem), and Michael Cohen's 2.4.18-pre9-mjc2, which adds no end of stuff.

For the 2.0 users out there, David Weinehall has released 2.0.40-rc3, which adds one fix to the previous release candidates.

The beginnings of the rmap merge. Rik van Riel's reverse mapping virtual memory implementation was examined on this page one month ago. As of this writing, that patch is still only available for 2.4 kernels; that is a situation that Rik plans to fix soon. Meanwhile, some small parts of the patch have begun to find their way into the 2.5 series.

The patch that Linus included in 2.5.5 is the part that reduces the size of the page structure. The kernel maintains one such structure for every physical page in the system, so its size matters. The patch submitted by Rik (containing mostly work by William Lee Irwin and Christoph Hellwig) shrinks struct page with a hashed page wait queue scheme, the merging of a couple of fields, and the removal of the virtual pointer on systems that do not need it.

The hashed wait queue code was discussed with the rest of the rmap patch back in January. Of course, now that it is in the kernel, William Lee Irwin has come out with a new version based on "operator-sparse Fibonacci hashing." William posted a brief explanation (with an important correction) on how it works:

In my own opinion, this stuff borders on numerology, but it seems to be a convenient supply of hash functions that pass chi^2 tests on the bucket distributions, so I sort of tolerate it

The removal of the virtual pointer is a different sort of optimization. That pointer holds the virtual address (in kernel space) for the physical page. It is needed on systems with high memory since that memory, by definition, does not have a static kernel-space mapping. Most systems, however, do not have high memory. For low memory, the kernel virtual address of a page is easily calculated, so a dedicated virtual field is wasted. Thus its removal.
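The two struct page savings described above (one shared, hashed table of wait queues and a computed low-memory address), as an added user-space model that is not kernel code and not code from the patch. The struct layouts, PAGE_OFFSET, the table size and every function name are assumptions, and the hash is the classic Fibonacci (golden-ratio multiplicative) hash applied to the page's index, not the operator-sparse variant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All constants below are assumptions chosen for the model. */
#define PAGE_SHIFT   12            /* 4 KiB pages */
#define PAGE_OFFSET  0xC0000000u   /* start of the direct low-memory mapping */
#define NR_PAGES     4096u         /* size of the modelled mem_map */
#define WAIT_BITS    8
#define WAIT_BUCKETS (1u << WAIT_BITS)
#define GOLDEN_32    2654435769u   /* 2^32 divided by the golden ratio */

struct wait_queue_head { void *first_waiter; };

/* Simplified "before" layout: every page carries its own wait queue
 * head and a cached kernel virtual address. */
struct page_before {
    unsigned long flags;
    struct wait_queue_head wait;
    void *virtual;
};

/* Simplified "after" layout: both per-page fields are gone. */
struct page_after {
    unsigned long flags;
};

static struct page_after mem_map[NR_PAGES];
static struct wait_queue_head page_wait_table[WAIT_BUCKETS];

static uint32_t page_index(const struct page_after *page)
{
    return (uint32_t)(page - mem_map);
}

/* Low memory is mapped at a fixed offset, so the address is pure
 * arithmetic on the page's position in mem_map. */
static uint32_t lowmem_page_address(const struct page_after *page)
{
    return PAGE_OFFSET + (page_index(page) << PAGE_SHIFT);
}

/* Fibonacci hashing: multiply by 2^32/phi (mod 2^32) and keep the
 * top WAIT_BITS bits as the bucket number. */
static uint32_t page_wait_hash(const struct page_after *page)
{
    return (uint32_t)(page_index(page) * GOLDEN_32) >> (32 - WAIT_BITS);
}

/* Many pages share one wait queue head; a waiter woken from a shared
 * queue must re-check that its own page is the one that changed. */
static struct wait_queue_head *page_waitqueue(const struct page_after *page)
{
    return &page_wait_table[page_wait_hash(page)];
}

struct load_spread { unsigned min, max; };

/* Count how many pages land in each bucket and report the extremes. */
static struct load_spread bucket_spread(void)
{
    unsigned load[WAIT_BUCKETS] = {0};
    struct load_spread s = { NR_PAGES, 0 };

    for (uint32_t i = 0; i < NR_PAGES; i++)
        load[page_wait_hash(&mem_map[i])]++;
    for (uint32_t b = 0; b < WAIT_BUCKETS; b++) {
        if (load[b] < s.min) s.min = load[b];
        if (load[b] > s.max) s.max = load[b];
    }
    return s;
}

int main(void)
{
    struct load_spread s = bucket_spread();

    printf("per-page struct: %zu bytes before, %zu bytes after\n",
           sizeof(struct page_before), sizeof(struct page_after));
    printf("shared wait table: %zu bytes for %u pages\n",
           sizeof(page_wait_table), NR_PAGES);
    printf("page 3 -> kernel address 0x%08x, wait bucket %u\n",
           (unsigned)lowmem_page_address(&mem_map[3]),
           (unsigned)page_wait_hash(&mem_map[3]));
    printf("bucket load: min %u, max %u, mean %u\n",
           s.min, s.max, NR_PAGES / WAIT_BUCKETS);
    return 0;
}
```

The per-page saving is multiplied by the number of physical pages, while the shared table is a fixed cost; the bucket spread is the property the chi^2 remark quoted above refers to.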

This patch does not go near the core of the rmap VM, of course, but it is a step in that direction. Rik does plan to start submitting the rest for inclusion before too long - once he has a working 2.5 kernel on his system again.

The shared page table patch by Daniel Phillips has also been covered on this page. Several versions of this patch have been released over the last week (here's the latest announcement). The patch has some distinct advantages: memory is saved through the sharing of page tables, and the fork() system call can happen in as little as 1/5 the time.

On the other hand, sharing page tables seems to bring in no end of complicated locking problems, especially when pages are being swapped out. As Linus puts it:

The only problem is swapout. And "swapout()" is always a problem, in fact. It's always been special, because it is quite fundamentally the only VM operation that ever is "nonlocal". We've had tons of races with swapout over time, it's always been the nastiest VM operation by _far_ when it comes to page table coherency.

These problems will get worked out, but it won't be surprising if the shared page table patch doesn't get into the kernel right away.

The net gods are not entirely without mercy. To understand this, one need only look at the unpleasant CML2 flamewar on linux-kernel, which was brought to a none-too-soon end when the mailing list went down. This fight begins to look like the interminable devfs battle, which only ended (sort of) when Linus included devfs into the 2.3 development series. Many of the points in the most recent fight (i.e. use of Python) have been seen before, and we stopped reporting on them a while back. There were a couple of interesting arguments that came out this time around, though, that are worth a look. They strike at the core of how kernel development is done.

It all started with this note from Eric Raymond on the kbuild list. Dirk Hohndel, says Eric, was going to "have a chat with Linus" about the new kbuild scheme and Eric's new CML2 configuration subsystem. Eric, of course, is frustrated that CML2 has not yet been integrated into the 2.5 kernel, and he was hoping that Dirk's talk with Linus could help make things happen.

The reaction to this move was fierce - it was perceived as an effort to circumvent the normal linux-kernel peer review and pressure Linus directly. Herein lies one of the interesting questions: just what are the appropriate ways of trying to get a patch into the kernel? It is not uncommon to try to push Linus; for example, Andre Hedrick's transparent efforts to get users to complain about the IDE patch gave the appearance (at least) of being highly effective. It's not clear if the problem was accepting Dirk's offer to talk to Linus, looking for feedback on the kbuild list (rather than linux-kernel), or something else.

Then, there are those who criticize the CML2 work because it is a single, large patch. The kernel way of doing things, it is said, is to evolve the code in small, simple steps that everybody can scrutinize and see are correct. See, for example, Alexander Viro's posting on the subject. Mr. Viro does practice what he preaches, having massively reworked the virtual filesystem layer through hundreds of small patches.

But must all kernel development be done in baby steps? It's hard to imagine introducing ALSA in tiny pieces. Andrea Arcangeli's VM rewrite went in as one big chunk - in a stable series at that. Netfilter was not introduced as a set of incremental patches. CML2 represents a change in both configuration and implementation languages; how does one make that kind of change gradually? The evolutionary approach to development clearly makes sense much of the time, and it may yet be the best way to fix the configuration subsystem. But there are times when exceptions need to be made.

Some people criticize Eric's code for changing the way configuration is done - their claim is that the first version of CML2 to be integrated should make no user-visible changes. Others complain that Eric has failed to implement desired changes, such as the splitting of global configuration information into smaller, local files. Satisfying both camps is bound to be hard (thus Eric has encountered the violence inherent in the system). This is a case where small patches help: each step can be considered on its own merits and has fewer problems with conflicting goals. Still, nobody insisted that the first ALSA patch look exactly like the old OSS drivers.

Eric's case is also hurt by the fact that a number of people seem to not like him for one reason or other. His presentation of himself as a "hacker of social systems" while he is having such trouble with the kernel development social system doesn't help. And the simple fact is that most people who work with kernel code configure and build kernels every day and don't have a great deal of trouble with the process. There is a real technical discussion of CML2 and its merits going on, and some version may yet get into the 2.5 kernel tree. But the path to that conclusion does not seem entirely clear now.

Other patches and updates released this week include:

Core kernel code:

  • Michael Sinz has posted a patch allowing control over the placement and naming of core dump files.

Development tools:

  • The Linux Test Project has announced a mailing list for the discussion of test results.

  • Rusty Russell has a "trivial patch monkey" - an address where small patches may be sent. He will make a reasonable effort to get patches sent there included into the kernel.

  • A tool for the logging of preemption events has been announced by Nigel Gamble.

  • A port of the dynamic probes debugging tool to the S/390 was announced by S Vamsikrishna.

Device drivers

  • A set of patches implementing a new video device API has been released by Gerd Knorr.

  • EVMS 0.9.1, a beta release of the enterprise volume management system, has been announced by Kevin Corry.

  • Doug Gilbert has released version 1.58 of the SCSI debug driver.

  • Richard Gooch has released devfsd-v1.3.24.

  • Jaroslav Kysela has announced the ALSA 0.9.0beta11 release. This patch is also incorporated into 2.5.5.

Filesystems:

  • Alexander Viro has pointed out that the 2.5.5 kernel has a file on porting filesystems to 2.5. "It WILL be kept up-to-date. IOW, submit an API change that may require filesystem changes without a corresponding patch to that file and I will hunt you down and hurt you. Badly."

  • Britt Park has released version 0.4 of the UVFS user-space filesystem kit.

  • Release 1.0.15 of the IBM journaling filesystem was announced by Steve Best.

  • Heinz J. Mauelshagen has announced version 1.0.3 of the logical volume manager system.

  • Randy Dunlap has updated his Linux filesystems internals documentation page.

Networking:

  • Version 0.92 of the affix BlueTooth stack has been announced by Dmitry Kasatkin.

  • Mike Phillips has announced the availability of a 3c359 token ring adaptor driver.

Section Editor: Jonathan Corbet



Distributions


Please note that security updates from the various distributions are covered in the security section.

News and Editorials

TopologiLinux returns. TopologiLinux somehow managed to get overlooked during the process of moving from the old list to the new list. Thanks to TopologiLinux guru Tobias Svensson, it has returned to the list under the DOS/Windows install heading.

New Distributions

Tinfoil Hat Linux. Tinfoil Hat Linux started as a secure, single floppy, bootable Linux distribution for storing PGP keys and then encrypting, signing and wiping files. At some point it became an exercise in over-engineering. Now at version 1.0, THL is released under a BSD style license. You'll find it in the list under Floppy based distributions.

Here is a vnunet article about Tinfoil Hat. "What started out as a secure, single floppy, bootable Linux distribution for storing PGP keys, and encrypting, signing and wiping files, turned into a useable Linux distribution for the totally paranoid."

Distribution News

Debian News. The Debian Weekly News for February 13 is available, with coverage of the Debian Leader election, the orphaning of PHP4, Security Enhanced Debian, and more.

Here's a release status update for Debian Woody. The bottom line: the worst bugs have been fixed, a release is coming soon, and a whole bunch of "less important" packages are about to be removed if they don't get fixed in a hurry.

We also have a wrap-up on last weekend's 7th Debian Bug-Squashing Party for Woody.

Martin Schulze sent us this note on the progress of the latest revision of the stable Debian distribution. "The plan is to get this revision of Debian GNU/Linux 2.2 (codename `potato') out within the first week of March this year (2002)."

Nominations for Debian project leader are underway now and will remain open until February 27, 2002. This note from the Debian Project Secretary contains more information.

HA Linux. Motorola has paved a way for 6NINES telecom applications with the release of HA Linux 3.0 which boasts "considerable new features and functions".

Mandrake Linux. The February 13th issue (#30) of the Mandrake Linux Community Newsletter contains more information about the Mandrake Linux 8.2 beta2 release, an interview with Frédéric Bastok, and much more.

Red Hat News. Red Hat has issued some bug fix advisories. New modutils packages are available to fix a limitation of argument processing, and to fix problems with GPL-only symbols. Packages are available for Red Hat Linux 7.1 - alpha, i386, ia64 and Red Hat Linux 7.2 - i386, ia64. New initscripts packages are available for Red Hat Linux 7.2 (i386, ia64). These new packages fix various bugs, including those dealing with changing the IP addresses of network interfaces.

Slackware Linux. There is a new version of binutils-2.11.93.0.2 available for the Slackware current Intel branch. See the changelog for details.

Minor Distribution updates

Astaro Security Linux. Astaro Security Linux has released v2.022 with some major security fixes.

GENDIST. GENDIST (the Linux Distribution Generator) has released v0.9.7. Support for ISOLINUX-based bootable CDs was added with this release.

OpenNA Linux. OpenNA Linux has released a Beta 3 development version with some major bug fixes.

proxyfloppy Linux distribution. Proxyfloppy has released v1.1 with minor security fixes.

ttylinux. ttylinux has released v1.19 with minor bug fixes.

Distribution Reviews

Installing Libranet 2.0 (Linux Journal). Linux Journal reviews Libranet, a Debian based distribution. "All in all, Libranet is a very pleasant Debian installation. It still boots remarkably fast despite the 2.4.16 kernel and KDE 2.2.2. The installation is still not ideal for newbies, it remains the domain of the Linux user who understands the mechanics of partitioning."

Mandrake Cooks Up a Winner (or Two). Open for Business reviews Mandrake Linux. "Mandrake Linux is a distribution with an interesting history. Its first edition, based on RedHat Linux 5.1 and aptly named "Linux-Mandrake 5.1," provided essentially nothing more than RedHat with additional packages such as KDE, which the elder distribution had decided not to include. For quite awhile after that, MandrakeSoft spent their time in RedHat's shadow, however in recent years Mandrake Linux has moved on to be a very good distribution in its own right."

Section Editor: Rebecca Sobol



Please note that not every distribution will show up every week. Only distributions with recent news to report will be listed.


Development projects


News and Editorials

The Fenris Tracer, Analyzer, and GCC Decompiler

Michal Zalewski has released what appears to be an interesting new project, Fenris. Fenris is a combined tracer, stateful program analyzer, and partial GCC decompiler. The program is intended to discover information that conventional analysis and debugging tools miss. Fenris can be used to analyze executables; project source code is optional.

"This is not an interactive debugger, and it is not intended to find problems, bugs or security vulnerabilities automatically. But it is supposed to be a reliable, useful tool that works in real world and can deliver valuable information which can be used to detect known problems, but also to spot unique or not so obvious dynamic conditions."

The Fenris README file describes the operation of the tool in detail.

"Fenris is not supposed to find vulnerabilities or bugs, or to guess algorithms or describe protocols. It is supposed to report and analyze the execution path - detect and describe functional blocks, monitor data flow in the program, marking its lifetime, source, migration and destination, analyze how functions work and what conditions are evaluated."

The README file also makes note of the current state of the project:

"While functional, it is probably not tested sufficiently, there are many issues to fix, several known bugs, some portability issues. It is primarily being released to get user feedback, comments, and, most important, to request development support, as my resources are very limited, both in terms of available time and development platforms. This project is and will be distributed as a free software, regardless of projected use, accompanied by complete sources."

Fenris produces its output in a browsable form; analysis of the executed code is provided in a number of different tables.

Fenris has been released with a GPL license. The source code is available here. See the Fenris home page for more information.

Audio Projects

Alsa packages 0.9.0beta11 released. A new version of the Alsa sound driver has been released. Version 0.9.0beta11 contains a new directory tree that is synced with the Linux 2.5 kernel.

Databases

Knoda relational database GUI for KDE. Horst Knorr has announced Knoda 0.5, a GUI for accessing relational databases in KDE. "It comprises a Form generator, a Table and Query generator and a Report Designer. The introduction of the Report Designer is the central highlight of version 0.5. With just a few mouse-clicks it is possible to design reports, optionally including grouped data and subreports, and then print those reports." Knoda currently supports only MySQL; a Postgres driver is planned.

Education

Seul/EDU report for February 18, 2002. The February 18, 2002 edition of the Seul/EDU report is out. Topics include how British closed-source software companies are banding together to fight non-proprietary resources in schools, a report from the Debian-jr project, the Java Interactive Learning Environment, and more.

Embedded Systems

Embedded Linux Newsletter for Feb. 14, 2002. This week's Embedded Linux Newsletter is out. Topics include Sun's Linux announcement, the preemptible Linux kernel patch, installing Linux on a Palm OS device, and more.

Printing Software

CUPS v1.1.14 released. A new version of the CUPS printing system is available. Version 1.1.14 is mainly a security release that fixes several buffer overflow vulnerabilities.

Science

polyXmass: a scientific project for mass spectrometry of all polymers. PolyXmass is a new project that aims to build a set of Gtk/GNOME tools for working with mass spectrometry data. "This project aims at creating an entirely free (GNU GPL) framework where the users will be able to define brand new polymer chemistries and next use these definitions in order to simulate mass data and/or to analyse mass spectrometric data experimentally acquired on these polymers."

MedZope Explained (LinuxMedNews). LinuxMedNews talks about MedZope, a medical record system that is expanding into the areas of web sites and intranets.

FreePM 1.0 beta 6 available (LinuxMedNews). A new version of FreePM, the open source medical practice management system, has been announced. This release fixes some bugs and adds support for Zope 2.5.

System Administration

Understanding NFS (O'Reilly). Michael Lucas introduces NFS, the Network File System, on O'Reilly's onlamp site. "NFS intimidates many junior system administrators, but it's really quite simple once you know what's going on."

Web-site Development

February Zope News available. The Zope News for February 18 is available. It includes coverage of the Tenth Python Conference and many other items of interest to Zope developers and users.

This week's Zope Members News. This week, the Zope Members News mentions Zope book discounts for user groups, a call for papers for the Zope BBQ Europe gathering, and a number of new Zope packages.

ASPSeek 1.2.8 released. A new version of the ASPSeek web site search engine is available. The changes in version 1.2.8 include new Apache module support, bug fixes, and lots more.

Analog version 5.21. Version 5.21 of the Analog web log analyzer is available. This version adds a few minor changes.

Introducing Cocoon 2.0 (O'Reilly). O'Reilly's XML.com site features an article on the Cocoon 2.0 documentation system by developer Stefano Mazzocchi. "Cocoon was designed as an abstract engine that could be connected to almost anything, but it ships with servlet and command line connectors. The servlet connector allows you to call Cocoon from your favorite servlet engine or application server. You can install it beside your existing servlets or JSPs. The command line interface allows you to generate static content as a batch process. It can be useful to pre-generate those parts of your site that are static, some of which may be easier to create by using Cocoon functionalities than directly"

Documentation

LDP Weekly News for February 12, 2002. The Linux Documentation Project weekly news shows no new documents, several updated documents, and sadly, many unmaintained documents this week.


February 21, 2002



Desktop Development


Web Browsers

Mozilla Development Roadmap. Brendan Eich has published the latest Mozilla development road map, proposing a release schedule for the post-1.0 releases. There is life after 1.0 -- stay tuned!

Mozilla 0.9.9 Tree Closes (mozillaZine). MozillaZine has announced the closure of the Mozilla 0.9.9 tree. "Mozilla 0.9.9 is the last major milestone prior to 1.0, and includes numerous bugfixes in composer, history, and other areas. Along with this, likely new features that will be in the milestone include a new full screen window mode, set image as wallpaper, and composer publishing."

Desktop Environments

Cooperation with KDE. Gnotices features a discussion on the sharing of themes between KDE and Gnome, and the possible benefits from such cooperation.

Second KDE 3.0 beta available. The second beta of KDE 3.0 has been released; see the announcement for details. It's getting close to the last chance to find problems before the real 3.0 release comes out.

People of KDE: Dwayne Bailey. This week, the People of KDE series focuses in on Dwayne Bailey. Dwayne has worked on the translation of KDE into the eleven languages of South Africa.

Gnome and Slackware. For those of you who want to run Gnome under the Slackware distribution, a gnome-slackware mailing list has been announced. "The goal of the list is to provide an help for using gnome in slackware. It will also be the coordination place of the gnome packaging effort."

Understanding the KParts component architecture (IBM developerWorks). David Faure writes about KParts on IBM's developerWorks. "This article discusses KParts, an architecture for graphical components, found in KDE, the K Desktop Environment. KParts allows applications requiring the same functionality to share a component by embedding the graphical component into the application's window. This article compares KParts with other component models, such as CORBA, and describes the main concepts used in KParts, including actions, plug-ins, part managers, and GUI merging."

Games

New Flightgear flight simulator. A new version of the Flightgear open-source flight simulator project has been released. The changes include some bug fixes and documentation work. (Thanks to Alex Perry.)

Perl Chess Mailing List Created (use Perl). To support the recent activity in the Perl Chess::* hierarchy, a Perl Chess mailing list has been created.

GUI Packages

Colored MultiTabs widget for FLTK. Alexey Parshin has released version 0.8 of his Multi Row Tabs widget package for FLTK.

Interoperability

Wine license change clarification. Jeremy White has clarified his position on the recent Wine license change to the LGPL. "So, with each and every one of my major customers over the past three years, I have had a major, knock down, drag out fight over licensing. I have always insisted that changes we make to Wine be returned to Wine. This has meant (while in a sales situation) explaining the complexities of BSD versus GPL licenses."

Alexandre Julliard has posted the results of a vote taken in the Wine community; the majority of respondents support the switch to a Copyleft license.

Multimedia

First Broadcast 2000, now Cinelerra. Cinelerra is (or was) a product used in producing motion pictures on Linux PCs. Now the Cinelerra website simply says, "It's not here anymore. Why don't you go to this award winning page.", with a link to Microsoft.com (of all places). Cinelerra was a product of Heroine Virtual, who may have simply wrapped Cinelerra code into other products. "As the size and complexity of our software has grown, it is no longer possible to release it under individual's names because of these privacy issues. Credit is given as dictated by the GPL but our original code is released under the name Heroine Virtual Ltd." (Thanks to Wes Felter)

We're still hoping that someone will carve the excellent audio recorder/editor software out of Broadcast 2000 and make a new project. The Broadcast 2000 source code is still available here.

Gnome-Media 1.176.0 released. A new version of Gnome-Media has been released. Version 1.176.0 features improvements to Gnome-CD, CDDBSlave2, and GMix.

 

Programming Languages


Caml

Caml Weekly News for February 12-19, 2002. This week's Caml Weekly News looks at Ocamlcl, packaging, Active-DVI, mlgmp, and a WDialog license change.

This week's Caml Hump. This week, the Caml Hump looks at an OCaml Regexp library, an OCaml/Java interface called CamlJava, the WDialog web applications framework, the ActiveDVI TeX slide presenter, and the ThreadSocket server and client project.

Java

Java finally catches up to Perl (and Python, Tcl) (use Perl). Use Perl reports on Sun's Java 2 SDK version 1.4, which now features native support for regular expressions.

XML in Java: Java document model usage (IBM developerWorks). Dennis M. Sosnoski discusses techniques for the creation of XML from Java. "In this article, XML tool watcher Dennis Sosnoski compares the usability of several Java document models. It's not always clear what the tradeoffs are when you choose a model, and it can require extensive recoding to switch if you later change your mind. Combining sample code with analysis of the model APIs, the author gives recommendations for which models may really make your job easier. Includes code samples that show the methods for the five different document models."

Expiring Data with Hashbelts (O'Reilly). William Grosso writes about the use of Hashbelts in Java. "In this article I will show you how to use the hashbelt algorithm by using two distinct examples: implementing session keys and reimplementing the RemoteStubCache class from my previous articles on command objects in RMI. By the end of this article, you should feel comfortable using hashbelts in your code and understand when it is appropriate to do so."

Lisp

Two Lisp updates. Paolo Amoroso has sent us two new items from the world of Lisp: CL-PDF version 0.45 is an update to the Common Lisp PDF generation library, and CLAWK is a Common Lisp superset of AWK functionality.

Perl

Rindolf - A Perl Dialect (use Perl). Use Perl looks at Rindolf, a dialect of Perl 5 that Shlomi Fish is working on. "What is Rindolf? Rindolf to Perl 5 is like Java is to C++, or Arc is to LISP. I.e: not as much a revolution but rather a re-organization of the language to make it cleaner, more consistent and more fun."

perl-i18n Mailing List (use Perl). A new mailing list has been created for discussion of internationalization (i18n) issues in Perl.

PHP

PHP Weekly Summary for February 18, 2002. The latest PHP Weekly Summary contains articles on a number of bug fixes, Sybase formats, PHP streams, reference macros, and a number of new extensions.

Python

Dr. Dobb's Python-URL!. This week's Dr. Dobb's Python-URL! is out. Topics include reports from the 10th International Python Conference, Python/Java benchmarks, and much more.

Stackless Reincarnate (O'Reilly). Stephen Figgins delves into the issues behind stackless Python. "Stackless was a controversial modification to Python, separating its execution stack from the C execution stack, the C-stack. With Stackless you could set up multiple execution chains, switch between them, change them, or restart them. Uncoupled from the C-stack, you could capture the control flow of your Python program and manipulate it any way you wanted to."

This week's Daily Python entries. The latest Daily Python contents include articles on Zope, the PyTheater media player, the tdmagic procedural modeling and animation library, an object-oriented persistent storage system called OOPS, ACS templating, the Gnosis XML Utilities, and more.

pySerial multiplatform serial port library. Chris Liechti has released pySerial, a multi-platform Python library for accessing serial ports.

Ruby

The Ruby Garden. This week's Ruby Garden looks at Brian Foote and Joseph Yoder's amusing article on the Big Ball of Mud coding system. Also, the hunt is on for a Powered by Ruby Logo.

Ruby Weekly News. The February 18, 2002 Ruby Weekly News looks at the Ruby Documentation Extractor for C (RUDE4C), RDoc, REXML, and RubyStudio, among other things.

Tcl/Tk

Dr. Dobb's Tcl-URL! for February 19. Here is the latest Tcl-URL! with news and links for the Tcl/Tk community.

Integrated Development Environments

Anjuta 0.1.9 released. A new version of the Anjuta Integrated Development Environment (IDE) has been released. This version features a new message manager, an embedded terminal, a project import wizard, a new application wizard, support for libglade, bug fixes, and more.

Section Editor: Forrest Cook

 

Linux and Business


Mandrake Linux Corporate Club launched. MandrakeSoft has announced the launch of the Mandrake Linux Corporate Club, another way of supporting the development of the Mandrake Linux distribution. "If you use Mandrake Linux in a commercial context and profit from its use, we ask that you contribute to Mandrake Linux development by joining the Mandrake Corporate Club. The most important benefit of Club membership is that your membership fee is directly used to boost the development of the Mandrake Linux distribution."

Lindows.com Releases Opposition Papers. In the ongoing battle with Microsoft over the use of its trade name, Lindows.com has released its Opposition Papers. "According to a statement posted at their website, Lindows.com claims Microsoft is trying to prevent the public from using a descriptive English word 'windows' which has had meaning in the computer industry for years prior to Microsoft's use."

IDG's spam database. IDG has a little added bonus for LinuxWorld attendees: inclusion in their one million address direct mail database. "Derived from subscribers and attendees from publications and events such as CIO, Computerworld, InfoWorld, Network World, PC World, LinuxWorld Conference & Expo, and Macworld Conference & Expo, IDG's new e-mail database provides addresses for IT buyers who have given permission to receive third party e-mail transmissions." Always be sure to check those opt-out boxes...

EuroLinux on MPEG 4 licensing. Here's a EuroLinux press release on the plans to impose per-hour licensing fees on MPEG 4 video streams in Europe. "The MPEG LA strategy leads to levying a tax on all cultural goods and is a typical example of the way patents on Internet standards are a tool for private taxing of all economic activities."

Nokia Unveils Linux-based mobile network servers. Nokia has announced its new "FlexiServer" and "FlexiGateway" systems for the implementation of mobile networks; they are based on Linux.

Turbolinux Releases PowerCockpit Software Developers' Toolkit and PowerCockpit Version 1.1. Turbolinux has announced the general availability of the PowerCockpit Software Developers' Toolkit (SDK), as well as a new release of its PowerCockpit server provisioning and management software.

'Running Weblogs with Slash' from O'Reilly. O'Reilly has announced the release of Running Weblogs With Slash, by chromatic, Brian Aker, and Dave Krieger.

Linux Stock Index for February 15 to February 20, 2002.
LSI at closing on February 15, 2002 ... 27.88
LSI at closing on February 20, 2002 ... 26.03

The high for the week was 27.88
The low for the week was 26.03


Section Editor: Rebecca Sobol.


February 21, 2002

   


Linux in the news


Recommended Reading

Danish local govt. rebels against MS license terms (Register). The Danish local government is evaluating open source alternatives to reduce high software licensing costs. "Seven Danish IT directors, including Lembøl, have got together under the auspices of the Association of Danish Municipalities, to investigate of open source software as an alternative to Microsoft products."

Linux in the US Government (Linux Journal). U.S. government use of open source software is increasing according to this Linux Journal article. "In fact, while far from ubiquitous, Linux and open-source software is popping up everywhere from local-level governments to national agencies. A couple of examples are the Orange County city of Garden Grove, which has been using Linux for years, and the recently launched Dublin County, N.C. web site, which uses Linux, PHP and MySQL."

Medical Enterprises and Open Source. Daniel L. Johnson, MD recently posted a white paper on open-source software in medicine, written in August, 2001. "We in the health care industry, both software vendors and institutions, need to share code that meets common needs, and work together to develop it. We are wasting precious resources competing with duplicated effort. To share development of code that meets shared needs will spread R & D across the whole industry, and enhance useful competition to meet the individual needs of customers and to provide highest quality service.

We already have a model for this in our sharing of research and medical discovery. This sharing of knowledge does not hinder competition, and allows greater attention to excellence and service. We can best meet our responsibility to society by sharing development of our software tools in the same way we share discovery of medical advances."

Open Source gets security standards (IT-Director). IT-Director covers developing industry standards for security testing. "Now there is some good news as the Open Source body The Idea Hamster Organisation are developing industry standards for security testing with the Open Source Security Testing Methodology Manual (OSSTMM)."

Open sourcers spice up security testing (vnunet). Vnunet comments on the efforts of a group of open source developers, Ideahamster.org, who are developing a standard security testing methodology. "Pete Herzog, heading up the development group, said that the focus of the project is to set a standard whereby 'any network or security expert who meets the outline requirements in this manual is said to have completed a successful security snapshot and therefore, if nothing else, has been thorough.'"

MSN fails again as Linux starts to show its flaws (IT-Director). This IT-Director article discusses the latest MSN instant messenger security hole and talks about Linux security. "So, as the research almost disregards its results as they're printed, we still don't know which is the more secure operating system. As both operating systems jostle for entry into the data centre and as businesses are being asked to open up their systems more than ever before, security is now top priority."

Censor-buster Peek-A-Booty goes public (Register). The Register reports on the recent release of Peek-A-Booty from the Cult of the Dead Cow (cDC). Peek-A-Booty allows users to anonymously surf web sites. "Joey told us that the code was pretty standard Unix code (on the Cygnus Windows environment), so a Linux and even a Mac OS X port should be trivial. But Windows is on most desktops, and for Peek-A-Booty to work effectively - like SETI - it needs participating nodes, so that's where the numbers are."

Human rights application not finished (News.com). News.com takes a look at the Peekabooty project. "The project promises to create an underground railroad for Web information that may be censored by some nations. Based on a peer-to-peer network of computers, Peekabooty would allow a person to get information from the Internet that they may not normally be able to access."

Open-Source Community Opening Up to Rest of World. The News & Observer, Raleigh, N.C. writes about potential pitfalls due to recent Linux acceptance by large corporations. "They've always been righteous in their hatred of so-called proprietary software such as that sold by Microsoft. And they love Linux, the open-source computer operating system. But many also thrive on being the underdog in their war for better and cheaper software. And now that their best-kept secret is slipping into the mainstream, they might just lose underdog status."

Four years on, digital copyright law revs up (CNN). CNN covers both sides of the discussion over the DMCA and touches on the Sklyarov/ElcomSoft case. "However, supporters of the legislation, mainly powerful copyright holders, see the DMCA as a necessity. For them, the digital age is not just a time of great opportunity, but also a time of new and previously unimaginable threats to their business. In this new era, music and movies, which require millions of dollars to produce and promote, are suddenly vulnerable to casual computer users, who can make perfect digital copies of works, for free."

DMCA Protection at U.S. Border (Wired). Wired reports on the US Customs service's efforts to stop shipments from an Asian video game retailer. "The agency was trying to stop the import of NEO4s, a chip that allows PlayStation consoles to run DVDs with geographic encryptions and games copied on to CD-ROMs, according to sources familiar with the video game company, Lik-Sang.

These chips, called 'mods,' have come under scrutiny by corporations claiming the technology violates the Digital Millennium Copyright Act, which restricts anyone's ability to circumvent copy protections."

Charney an Ominous Microsoft Pick (BusinessWeek). BusinessWeek comments on the appointment of Scott Charney as "Chief Security Strategist." Mr. Charney is perhaps best known as a federal prosecutor who went after computer criminals. "Since the vulnerability would give us access to the kernel, and the kernel would give us the ability to circumvent copy protection mechanisms, certain parties might just consider the publication of such a bug -- particularly if accompanied by exploit code -- to be a technology that allows one to break digital copy protection. And guess what? That would be illegal under the Digital Millennium Copyright Act. So under the right circumstances, where you have the right government people hooked up with the right lawyers, sharing particular information about the security hole could be considered a crime."

US DoJ Identifies 47 'Major' Comments (dot.KDE.org). dot.KDE.org reports on the US DoJ proceedings against Microsoft. "After a brief review, other comments making significant references to Open Source include John A. Carroll, Steven Waldman, Ralph Nader and James Love, The American Antitrust Institute and the U.S. Senate (mainly Red Hat's testimony)..."

O, brave new OS of the future (CNN). CNN looks at Microsoft's Farsite project and compares it to the Odyssey project at Carnegie Mellon University, which uses Linux. "Farsite is a serverless, distributed system that doesn't assume mutual trust among its client computers. Although there's no central server machine, the system as a whole looks to users like a single file server. High reliability and security are ensured because each file has one or more encrypted and digitally signed replicas elsewhere in the cluster."

KDE Linux desktop nearing release (News.com). News.com covers the release of KDE 3.0 beta. "The final version is scheduled for release in the second quarter, but in the meantime KDE is seeking large numbers of developers to test the software."

BSD '3 times as popular as desktop Linux' - Apple (Register). The Register reports on the annual USENIX BSD Conference, where Apple's Ernest Prabhakar stated that BSD is three times more popular than Linux on the desktop, thanks to Mac OS X. The article also includes this tidbit: "he reminded attendees that Microsoft now has Office running on a Berkeley UNIX."

Companies

Corel shutting down open-source site (ZDNet). Corel continues to back away from open source software. A note at opensource.corel.com says, "This site will no longer be available on March 1st 2002". ZDNet covers the closure. A more detailed article is also available in French thanks to Bertrand Fremont.

HP releases new Linux workstation (News.com). News.com takes a quick look at HP's new Linux workstations. "Hewlett-Packard has begun selling new Intel-based workstations with Linux, the company said."

IBM introduces new low-end mainframe, 'Raptor' (News.com). Today IBM is announcing the introduction of its Raptor mainframe, which will go on sale worldwide on March 29th. An unrelated but interesting quote from this article: "Running Linux [...] has helped recharge IBM's mainframe business [...] Because of the new software, 2001 was the first time in 13 years that mainframe revenues grew at all."

IBM unmuzzles low-end 'Raptor' mainframe (News.com). According to this News.com article, IBM will debut its new low-end z-800 Raptor mainframe. "IBM has been heavily pushing the ability to run the Linux operating system on its mainframe line. It chose to first discuss the z800 as a Linux-only model. But Linux was more of an afterthought in the z800 design, Lechner said."

Quite Big Iron - new baby IBM mainframe (Register). Here is an article in the Register about IBM's 'Raptor'. "The new system will be available in eight models, as well as a Linux-only mainframe version. They will come in one-way to four-way processor configurations and with 8GB of central memory at standard, which can be increased up to 32GB."

IBM servers to run Linux, Windows (News.com). IBM will use VMware to allow IBM x360 eServer models to run the Windows and Linux operating systems in various combinations.

Lindows CEO delivers broadside in MS trademark dispute (Register). The Register interviews Lindows.com CEO Michael Robertson on the ongoing legal battle with Microsoft. "Another critical fact that clearly illuminates Microsoft's true motivations is that over the last 10 years Microsoft has never filed a lawsuit similar to the one they filed against Lindows.com in spite of the fact that there are hundreds of products which use the term 'windows'."

Lindows moves to head off Microsoft (ZDNet). Here's ZDNet's take on the Microsoft vs. Lindows.com lawsuit: "And the suit has given Lindows new ambitions. 'There's a strong chance that Microsoft may lose its trademark on Windows,' said Vice President of Marketing John Bromhead. He also said the company has some backup names prepared in case it loses."

Business

Just Add Linux: The Union of Commercial and Open-Source Software in Existing Business Models (Linux Journal). Linux Journal discusses the growth of Linux in business. "Open-source software combined with commercially licensed software has become a market reality, as open-source technologies like Linux and Apache, already tremendous market successes, are combined into business models by vendors who want to win in the marketplace. It's happening today and will continue to flourish, and here's why: Linux Market Penetration."

'Open-Source Software' Offers Lessons in Working toward Common Goals (Boston Globe). This Boston Globe column looks at the open source model in modern business practices. "Such open-source-like ideas can already be found in unexpected places. For example, Wolf and Lakhani say, Harley-Davidson, the venerable motorcycle manufacturer, encourages customers to extensively modify their models by working with other companies that produce various accessories for the bikes. In effect, the company willingly cedes some control to the owners and outside firms."

Open-source projects grab dot-com dropouts (News.com). What's bad for dot-comers may be good for open source software according to this News.com article. "The down economy has breathed new life into open-source software projects as unemployed software engineers pitch in."

Reviews

InsightConnector Disconnects Microsoft Exchange (ConsultingTimes). The ConsultingTimes looks at Bynari, Inc.'s InsightConnector. "In short, for the vast majority of shops deploying Microsoft desktops, Exchange servers are no longer the only game in town. With InsightConnector installed on a Windows machine, Outlook can talk to Bynari's own Insight server, as well as to Caldera's Volution, CommuniGate Pro, Courier-IMAP, the open source Cyrus IMAP, IMail Server, iPlanet, and the SuSE Linux eMail Server III."

A sneak preview of Infomart's 'Kaii' Linux PDA. LinuxDevices examines yet another Linux PDA. "Infomart decided to use a platform similar to that of Sharp's Linux-based Zaurus, in order to leverage the abilities and commitment of companies like Lineo, Trolltech, Insignia, and Sharp -- and the associated developer community. The hope is to help create a standard for Linux-based PDAs which will make it easier for software and add-on peripheral developers to support the devices, and which will give users a wider choice of software and hardware options..."

Resources

Advanced filesystem implementor's guide, Part 9 (developerWorks). IBM's developerWorks continues its survey of advanced Linux filesystems. "In this article, we'll take a look at XFS, SGI's free, 64-bit high-performance filesystem for Linux. First, I'll explain how XFS compares to ext3 and ReiserFS, and describe many of the technologies that XFS uses internally."

SNMP threatens networks (ZDNet). ZDNet covers the SNMP bug. "To protect yourself, you need to do a few simple things. First, if you really want to be safe, turn off SNMP throughout your network until you've been able to install patches provided by the manufacturer of your infrastructure equipment or software. You may need to check every router, switch, hub and server on your network, as well as the software that runs on them."

Interviews

Alan Cox, Kernel Hacker, Linux (ITWales). ITWales interviews Alan Cox. "Alan Cox is one of the most influential IT innovators in the world. A graduate of the University of Wales, Swansea, he has been a key developer of the Linux kernel for nearly a decade. Currently working for Red Hat writing kernel and application code, Cox was previously responsible for the original Linux multiprocessing support, and for much of the early work on networking. Here we ask him about his changing role at Red Hat, and learn about the benefits Linux brings to business."

Interview: Steve Holden. New Riders interviews Steve Holden, author of "Python Web Programming". "Every Python author says good things about the newsgroup, comp.lang.python, so I subscribed. Sure enough, I found it's an incredible resource, and it helped me to get up to speed with Python quite quickly. Plus there's quite a lot of humor on that group, which suits my personality."

Jim Fulton Interview (Zopera). The Zopera site interviews Zope creator Jim Fulton. "I'm an object zealot, and Zope has always been about employing the power of object technology and Python to make building web solutions to complex problems as easy as possible. We do, of course, follow industry standards. We put a lot more emphasis on the standards that our customers need or that make our lives easier. The same is true, of course, for the Zope community." The interview is also available in French.

GNU-Friends interviews David MacKenzie. Gnu-Friends has interviewed longtime GNU developer David MacKenzie. "It's fun to realize that I've helped millions of people on every continent have better computer systems, and probably inspired some to make contributions to free software themselves. I don't regret anything about it." (Thanks to Jonas Oberg.)

UnderLinux interviews Harald Welte. Brazilian site UnderLinux interviews Harald Welte. "My favourite subject within computing has always been firewalling. Considering this, it's not too surprising that I tried the 'new' netfilter/iptables code in its early development state during 2.3.x linux kernels. There were some features missing, and I started to implement some of them. I got more and more involved with the project, resulting in me becoming the fourth member of the netfilter/iptables core team in October 2000."

Miscellaneous

Managing processes and threads (developerWorks). This developerWorks article looks at process and thread creation under both Linux and Windows; it is interesting to compare the two. "The graphs show that Linux is considerably faster than either Windows 2000 or Windows XP at creating threads and processes."

Section Editor: Forrest Cook


February 21, 2002

   


See also: last week's Announcements page.

Announcements


Resources

The Linux Gamers' FAQ. A new Linux Gamers' FAQ is available; contributions are welcome. The site also features The Linux Game List, which lists a ton of Linux games. (Thanks to Zakk.)

Adaptec ATA Raid 2400A Review (LinuxLookup). LinuxLookup reviews the Adaptec ATA Raid 2400A PCI disk controller card.

Events

Call for submissions: Lightning talks at YAPC 2002 (use Perl). Use Perl has announced a call for submissions for Lightning talks at the upcoming YAPC 2002 conference. "In lightning talks, participants speak for no more than five minutes. Any topic is allowed. Lightning talks are an excellent forum for first-time speakers."

YAPC::NA 2002 Registration is Open. Registration is open for the YAPC::NA 2002 Perl conference in St. Louis, MO, on June 26-28, 2002.

YAS Hosts Mozilla Developer Days (use Perl). The Yet Another Society is hosting the Mozilla Developer Days on March 1-2, 2002 at Carnegie Mellon University.

Papers due by March 1 for OLS 2002. The Ottawa Linux Symposium has issued a reminder that papers must be in by the March 1 deadline. (Thanks to William Stearns.)

Guido van Rossum awarded FSF Award. For inventing and implementing as Free Software the Python programming language, Guido van Rossum has been awarded the Free Software Foundation Award for the Advancement of Free Software.

Events: February 21 - April 18, 2002.
Date | Event | Location
February 21, 2002 | OMG Information Days Europe 2002 | Vienna
February 22, 2002 | OMG Information Days Europe 2002 | Budapest
February 25, 2002 | OMG Information Days Europe 2002 | Prague
February 25 - March 1, 2002 | Secure Trusted OS Consortium - Quarterly Meeting (STOS) (Hyperdigm Research) | Chantilly, VA, USA
March 1 - 2, 2002 | Mozilla Developer Day (Carnegie Mellon University) | Pittsburgh, PA
March 2, 2002 | LinuxForum 2002 | Copenhagen, Denmark
March 4 - 6, 2002 | International Symposium on Advanced Radio Technologies (ISART 2002) (Dept. of Commerce, 325 Broadway) | Boulder, CO
March 5, 2002 | OMG Information Days Europe 2002 | Helsinki
March 6, 2002 | OMG Information Days Europe 2002 | Stockholm
March 7, 2002 | OMG Information Days Europe 2002 | Oslo
March 8, 2002 | OMG Information Days Europe 2002 | Copenhagen
March 12 - 16, 2002 | Embedded Systems Conference (Moscone Center) | San Francisco, California
March 21 - 22, 2002 | Annual Conference of Open Source Content Management Systems (OSCMSC) (Swiss Federal Institute of Technology (ETH)) | Zurich, Switzerland
March 22 - 24, 2002 | Linux Event 2002, Italy (Terminal Crociere di Livorno) | Livorno, Italy
April 3 - 6, 2002 | The Association of C & C++ Users Spring Conference (ACCU) (Heritage Motor Centre) | Warwick, England
April 11 - 12, 2002 | Zope BBQ 2002, Europe | Berlin, Germany

Additional events can be found in the LWN Event Calendar. Event submissions should be sent to lwn@lwn.net in a plain text format.

Web sites

Announcing the Linux StepByStep job board. A new job board has been announced by the Linux StepByStep folks. The job board already has over 1100 jobs listed.

Section Editor: Forrest Cook.


February 21, 2002

   

 

Software Announcements


Here are this week's Freshmeat software announcements. Freshmeat now offers the announcements sorted in two different ways:

The Alphabetical List and Sorted by license

 

Our software announcements are provided courtesy of FreshMeat

   


See also: last week's Letters page.

Letters to the editor


Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.

February 21, 2002

   
From:	 Jörn Nettingsmeier <nettings@folkwang-hochschule.de>
To:	 letters@lwn.net
Subject: ALSA kernel integration
Date:	 Thu, 14 Feb 2002 11:30:29 +0100

hello lwn folks !


in this week's kernel section, you mention the integration of ALSA
into the kernel. you say

> ALSA will not immediately amaze Linux users with lots of new capabilities.

this is true if you only care for mail notification beeps and the
occasional splatch sounds while playing q3. otherwise, you will find
your audio subsystem has improved significantly:

* ALSA supports many cards that cannot be used with the current
  kernel drivers.

* ALSA provides far lower latencies than OSS possibly could.

* ALSA has a versatile sequencer with easily patchable MIDI
  connections.

* ALSA includes key features needed for professional audio
  applications, such as decent multi-channel support.


later, you mention

> [...] but quite a few applications also support the ALSA native API. 
> [linked to http://www.alsa-project.org/applications.php3] 

not your fault, but this page is woefully out-of-date. it still
mentions the deprecated pre-0.9.0 API and shows only a fraction of
the whole picture.

for professional audio applications using the ALSA library, check
out the following examples, among many others:

* the GLAME audio editor (http://glame.sourceforge.net).
  its filternetwork nicely shows latency behaviour, and since it
  supports both ALSA and OSS, you can compare. 

* the MusE sequencer (http://muse.seh.de)
  makes heavy use of the ALSA sequencer library.

* the ardour hd-recorder/daw (http://ardour.sourceforge.net).
  while not yet ready for the faint of heart, it stretches the ALSA
  API to the limit in terms of low-latency multichannel full-duplex
  operation.

most linux-based audio development nowadays concentrates on ALSA.
all the most widely used applications now provide native backends. 
and if you want to use multichannel hardware, there is no real 
way around ALSA anyway.


best wishes,

jörn


btw, if you're interested in using linux for audio, i'd like to
invite you to the linux-audio-user list at
http://www.linuxdj.com/audio/lad/user.php3. 
developers may want to check out linux-audio-dev at 
http://www.linuxdj.com/audio/lad/.

btw2, i'm not intending to bash OSS. it has served its purpose well, 
and without it, linux audio would still be stuck in the stone age.
   
From:	 Myrddin Ambrosius <imipak@yahoo.com>
To:	 letters@lwn.net
Subject: Assumptions in the Linux/Unix world
Date:	 Thu, 14 Feb 2002 06:34:43 -0800 (PST)

Dear editors,

  I am always amazed at the number of assumptions that
people make, in computing in general, but have
hitherto felt that Linux users generally knew more,
because they had the option of doing so.
  The Sync "scandal" is one case where I'm not so
sure. Sync has never flushed straight to disk. That's
one reason you generally called sync three times in
succession, when you needed to be absolutely sure.
This must be burned into the retinas and brains of
goodness-knows how many system admins, and yet it's
only now being discovered that, because of the way
hardware works, it's actually necessary for sync to
not "really" sync? Oh, goodness!
   Then, there's this thing about auditing from a
clean boot. Oh, wow. You mean, the machine has to be
in a known state, in order to reliably determine the
state of the system as a whole? I'd never have
guessed! That's like saying an observer is part of the
process of observing. Something the hard-science types
have been saying for a long time.
   Last, but by no means least, Sun's announcement
indicates they have discovered their own flawed
assumptions. Sun has fluctuated a lot, on Linux. At
one point, it was a way for them to keep users on old,
otherwise defunct Sun hardware, which at least kept
the hardware maintenance contracts going for a little.
Now, Sun are starting to edge towards the path IBM
have taken - seeing Linux as a serious server OS, with
a significant potential customer base. Enough so, that
it's worth their while to put money into it.
   I think it's time that manufacturers and coders
alike faced reality - assumptions are buggy logic. If
they work, it's by chance. Since you can't yet check
minds into CVS, the bugs are slightly harder to find,
but they're still bugs, and bugs need fixing.

Jonathan Day

   
From:	 Dan Stromberg <strombrg@nis.acs.uci.edu>
To:	 letters@lwn.net
Subject: sync
Date:	 Thu, 14 Feb 2002 12:30:38 -0800

What I heard was that sync was guaranteed to do two things:

1) Schedule all dirty buffers for being written to disk
2) Write all previously scheduled buffers to disk before returning

This means that just one sync isn't enough to get things written to
disk, but running it twice means the stuff written to the buffer cache
at the time of the first sync is committed to disk.

This seems to be partially responsible for the superstition that you
should always run sync three times: twice is necessary for portability;
thrice is one extra.

-- 
Dan Stromberg                                               UCI/NACS/DCS

   
From:	 "Jay R. Ashworth" <jra@baylink.com>
To:	 doc@searls.com
Subject: Real Networks
Date:	 Thu, 14 Feb 2002 10:55:46 -0500
Cc:	 letters@lwn.net

LWN linked your Linux Journal piece concerning RealNetworks, and
whether the train has left the station (*finally* picked up a copy of
the manifesto this week, BTW; better late than never, I guess :-).

There's one item that I'm sure wasn't missing from your analysis, but
which you didn't seem to touch on in the article, and that's the Money.

As in "Follow The"?

One of the major things that has always annoyed *me* about RealPlayer,
and to which you allude, is that even on non-live streams, RP has
traditionally made it difficult, if not impossible, to *save* the
output of the stream -- and their .ram pointer file thing is another
level of indirection aimed at the same end.

But of course, these things aren't accidents.

Real's major selling point to *its customers* -- who are content
providers -- is "see?  We're doing our best to make it difficult for
your listeners to steal your stuff."

Forgetting who the *real* customer is is a common failing in this sort
of analysis -- the quintessential example, of course, being commercial
television.  People tend not to realize that TV networks are in the
business of selling *eyeballs* to *advertisers*, rather than programs
to viewers.  Better really is the enemy of good enough, at least in
that context.

This is why the RP Linux developer reached his pain threshold, and
it's not at all uncommon -- it's my primary explanation to clients why I
install Netscape 6.2 on their machines rather than IE: Microsoft isn't
*in* this for you.

Now, admittedly, Netscape isn't either, but not being the monopoly
player (I figure, if the "yell it loudly enough and people will believe
it" approach works for them... >:-), they have to cater to their target
audience just a bit harder.  And, FWIW, Netscape 6.2 is ready for prime
time, a point I guess I should make, given the scathing review I wrote
of 6.0, which LWN was kind enough to publish.

In any event, it's a sea change for the content industry, and their
support of DMCA and SSSCA should make it perfectly clear that they're
going to take quite some time to get on the cluetrain, if indeed their
tickets are still valid.

Our Plans For World Domination...

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra@baylink.com
Member of the Technical Staff     Baylink                             RFC 2100
The Suncoast Freenet         The Things I Think
Tampa Bay, Florida        http://baylink.pitas.com             +1 727 647 1274

   "If you don't have a dream; how're you gonna have a dream come true?"
     -- Captain Sensible, The Damned (from South Pacific's "Happy Talk")
   
From:	 "Mamading Ceesay" <mceesay@evangineer.force9.no.spam.co.uk>
To:	 <dps@io.stargate.co.uk>
Subject: EUCD - was Region coding---the truth vs. what is said
Date:	 Wed, 20 Feb 2002 20:26:43 -0000
Cc:	 <letters@lwn.net>

As you correctly noted in your email published in 
LWN <http://lwn.net/2002/0214/letters.php3> the 
DMCA does not apply in Europe. However the EUCD 
<http://uk.eurorights.org/issues/eucd/> is the 
european equivalent of the DMCA.  It will erode 
fair use rights in a similar manner, so EU citizens
have a cause for concern.

Regards,
Mamading Ceesay

"Don't worry about what anybody else is going to do. 
The best way to predict the future is to invent it."

-- Alan Kay

   
From:	 Mark Richards <m.richards@utoronto.ca>
To:	 letters@lwn.net
Subject: Re: Security Prespective
Date:	 Sun, 17 Feb 2002 12:38:16 -0500

I would just like to comment on Phil Cameron's letter to the editor in Feb 
14th's lwn.net.

Phil discusses several security updates that have no known exploits or have 
only theoretical exploits.  I think it is worth pointing out that just 
because a patch is issued, does not mean that all systems will be patched.  
Thus, even if a security hole has no known exploit, or such exploits are 
purely theoretical, if nobody applies the patch then the systems remain 
vulnerable, just waiting for someone to turn a theoretical exploit into a 
real one.

After all, wasn't there a linux worm recently that exploited a really old NFS 
and LPR vulnerability?  And wasn't there a patch available to fix the 
vulnerability exploited by Code Red?  Yet these worms still caused real 
damage.

I think we must assume that any vulnerability is as dangerous as it could be 
in the most devastating attack possible, since given enough time someone can 
produce that attack.

Mark Richards
   
Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds