|
|
Subscribe / Log in / New account

LWN.net Weekly Edition for March 13, 2008

Emacs chooses Bazaar

By Jake Edge
March 12, 2008

The Emacs development process is undergoing some changes; Richard Stallman has handed off project maintenance duties, while a change in the version control system (VCS) seems to be in the offing. Some of the modernization suggestions made by Eric Raymond last December are taking root. Stallman has not completely stepped away from Emacs development—it's doubtful anyone expected him to—but his approach on how to choose a VCS for Emacs is raising a few eyebrows.

Currently, Emacs is tracked with CVS, but a distributed VCS (DVCS) is definitely planned down the road—how far is unclear at this point. In earlier discussions, Stallman was particularly interested in the offline capabilities of DVCS; being able to do commits, diffs, and see revision history while unconnected to the internet is a useful feature for him. Many other Emacs developers see a DVCS as a major upgrade to the development process, the question then becomes which DVCS to use.

The main contenders are git, Mercurial (aka hg), or Bazaar (aka bzr); there are other options, of course, but they were quickly eliminated due to speed or feature set issues. There was some hope that a comparative VCS study that Raymond was working on would help lead the project to the proper choice, but the study has been delayed—a major release of Wesnoth is underway which has taken Raymond from that task.

There were some discussions of the merits of the various systems but, in the meantime, Bazaar joined the GNU project which changed the equation somewhat. Stallman announced:

We should use Bzr because that is becoming a GNU package. GNU packages should show loyalty to each other when possible, and in this case it is possible.

As might be expected, short-circuiting a technical discussion for a political expedient is not met with universal approval. Juanma Barranquero sums up his (and others') objections:

What I'm trying to say is: I won't discuss which dVCS we choose (unless it makes Windows development a PITA). But I agree with Jeremy Maitin-Shepard that the cause of free software is strengthened by us selecting among the free alternatives the one that best serves our technical, not political, needs.

There is a certain irony in noting that one of the perceived weaknesses of git was its poor support for Windows development. It is certainly understandable, but the idea that one of the flagship GNU projects would make a decision based on tool availability for a proprietary operating system gives one pause. That isn't one of Stallman's requirements of course, he sees the decision as essentially a choice amongst equals:

We already know the most important thing about what we will find from a careful study of git, mercurial and Bzr. We will find that each has its advantages and disadvantages -- but none of them conclusive. Each will be preferred by some people, but any one of them would work out well enough.

As Thomas Lord (author of another GNU VCS, arch), points out, there is a cost to agonizing over a choice like this:

Probably so but any group of smart people could easily spend a year arguing about it. Not even a year arguing about which system is best but a year arguing just about what "best" means in this context.

Over-optimizing a choice like that can be a *huge* resource suck and projects and groups fail all the time because of falling into such traps.

No technical barriers to using Bazaar have been raised, it is, as Stallman asserts, a fairly arbitrary choice. Unsurprisingly, Stallman chooses the one that serves his agenda. The new maintainers, Stefan Monnier and Chong Yidong, presumably agree with that agenda, in any case they have not indicated any resistance to the choice.

So it seems that Emacs will be moving to Bazaar. Jason Earl has been pulling the CVS history into a Bazaar repository that should be available soon. The import process seems to be taking a fair amount of time—something on the order of a week—which is hopefully not indicative of the operational speed of Bazaar. Assuming the conversion works and developers can get their work done using it, this would be a pretty high-profile project to use it. Other GNU software may follow suit, which could be a big boost to the visibility of Bazaar; precisely what Stallman was aiming for.

Comments (45 posted)

Some topics related to MP3 players

By Jonathan Corbet
March 12, 2008
In many parts of the world, the U.S. is looked upon as a place with particularly poor taste in "intellectual property" legislation; the DMCA and software patents are often held up as examples. DMCA-like laws have since spread to other parts of the planet, which, for some reason, has not made people living there any more appreciative of the American legal regime. But it is often pointed out that software patents remain an almost entirely American problem; people in other parts of the world (Europe, say) need not worry about them.

If only it were so. On March 5, German police raided a booth at the CeBit conference in Hannover. That booth, run by Meizu, contained an iPhone-clone product, but nobody cared about that. Instead, the contraband which absolutely had to be suppressed was a music player for which Sisvel (an Italian company which has done this kind of thing before) had not been paid royalties on its MP3 patents. The player, as it happens, did not even have MP3 playback capability, but that didn't seem to matter. The police duly cleared the booth of all mention of the offending device and saved another day for free enterprise.

This is a pure software patent action, and the U.S. has no part in it. Software patents are truly a global problem. (Police raids raise the stakes in interesting way, though; even in the U.S., things usually start with a polite letter from a lawyer first). Anybody who wonders why companies like Red Hat exercise great care around software patents (and MP3 patents in particular) need only look at episodes like this. The selling of enterprise Linux products is likely to be distinctly harder if your prospective customers see your conference booth being forcibly shut down by the authorities.

Meanwhile, it occurred to your editor, while thinking about music players, that little has been said about the Rockbox project on LWN in recent times. Rockbox, remember, is a GPL-licensed firmware which runs on a wide variety of music players. It offers a wider range of features, has more codecs, is more customizable, and has better accessibility support than the stock firmware on any of these devices. And it's free software.

Since LWN last looked at this project, the Rockbox developers have added a number of new features and new platforms. The abandoned 3.0 release has never happened; the Rockbox developers appear to have given up on the idea of formal releases for now. The daily snapshots generally work quite well, though, and there are lots of satisfied Rockbox users out there.

Despite the fact that Rockbox supports a lot of players, absolutely none of the supported platforms are currently in production. So anybody looking to buy a player which can run Rockbox must go digging around on auction sites. The only problem is: it's not clear how many more such users may arrive in the future. Despite the fact that Rockbox supports a lot of players, absolutely none of the supported platforms are currently in production. So anybody looking to buy a player which can run Rockbox must go digging around on auction sites. Many Rockbox users do exactly that, but many more potential users would rather not get their devices that way.

Rockbox ports to current devices are underway, but the developers are fighting an uphill battle. Manufacturers tend to be uncooperative when it comes to releasing hardware information, so a certain amount of reverse engineering is required. And, by the time that work is done, the manufacturers have moved on to a new product. Music players are consumer electronics devices, and, like most such devices, their product lifetime tends to be quite short. So developers on a project like Rockbox will forever be trying to catch up.

Your editor, meanwhile, still lugs around his ancient iRiver H340. People look at it strangely, as if they expect there to be a hatch on the back so that the user can occasionally add another shovel full of coal. But it works beautifully with Rockbox, and a replacement looks hard to find. Your editor wishes that at least one manufacturer would realize that it could provide better functionality at a lower cost by designing its players to run Rockbox from the beginning. Perhaps the project needs better advocacy within the player industry.

There is another approach which could be considered here. The OpenMoko project is trying to rearrange the mobile telephone market by offering a completely open product. Surely a music player, being a much simpler device, would be amenable to the same treatment? As it turns out, there are a couple groups of people trying to jump start just this kind of effort. They have a prototype design, and a competing design as well. Both look like they could produce a respectable player at a reasonable cost - a player designed to run free software from the outset.

Designing a device which can run Rockbox and produce decent audio (and video) output is not that hard, given the components which are available. Turning it into a product which is small and sleek enough that people want to buy it seems likely to be harder. Getting a full device manufactured at a reasonable cost may be the hardest of all; that requires significant up-front money and a distribution channel which can sell enough units to make the whole thing cost-effective. There's also the little issue of those MP3 patents to take care of.

There is no real sign that the Rockbox player developers are thinking on this level at this time. One of the prototype designs carries a Creative Commons noncommercial license in an attempt to prevent others from thinking that way. So the resulting hardware may end up being little more than a kit for especially dedicated hobbyists. Unless somebody picks up the ball and tries to commercialize a product like this, Rockbox may be stuck in its role as the software of choice for last year's players. The good news in all this is that Linux-based tablet devices seem likely to become cheaper, more abundant, and more compact. Since these devices can make fine media players, we may eventually get our completely open gadget via that path. Modulo patent problems, of course.

Comments (23 posted)

Still waiting for Flash

By Jonathan Corbet
March 11, 2008
Those of us who were using Linux full-time around the turn of the century will remember that the state of web browsing on Linux was a little scary then. The only real option available was the binary-only Netscape 4 client; it was buggy and old. It really seemed like the web was going to move forward without Linux, and that there was not a whole lot we could do about it.

Things have improved somewhat on that front; we now have a few top-quality web browsers to choose between. At the same time, though, one might be forgiven for thinking that we are heading back into a similar situation, but involving Flash this time around. For all practical purposes, there is only one viable option for Flash on Linux: the binary-only plugin provided by Adobe. But that plugin is not just proprietary software; it also is somewhat old and buggy, and there is nothing we can do to fix it. For an increasing part of the web experience, we still have a second-rate, proprietary platform.

When one thinks of Flash, naturally, one thinks of video sites like YouTube. But there is more to the Flash experience than silly videos and obnoxious advertising. Some parts of Google are heavily into flash, as can be seen from that company's finance sites or analytics offerings. Your editor's children will attest that there's no end of game sites which require Flash, and for which the Linux plugin fails to work properly. Looking for any way to reduce the total amount of time spent in airplane seats, your editor recently investigated "around the world" tickets; that search ended up at this travel planning site which, of course, requires Flash. And so on. Like it or not, Flash is the language in which an increasing number of interactive sites are being coded, and Linux does not have proper support for it.

With this in mind, your editor decided to give the recently-announced Gnash 0.8.2 release a try. This release was billed as the first beta version of Gnash, so there was reason to hope that it would be something close to a true solution to the Flash problem. In reality, Gnash is a step in the right direction, but the Flash issue will be with us for some time yet.

For now, the acid test for a Flash player would appear to be YouTube, so that is the first place your editor went. The experience there was mixed. It is, in fact, possible to watch YouTube videos using the Gnash Firefox plugin. Hearing them is another matter, though; they all played silently. It would not be surprising to learn that getting audio is a matter of filling in a missing codec - but would sure be nice if the software were to say something to that effect. Pausing and playing the video worked, but skipping around in it did not. Playing videos from other sites was uniformly unsuccessful.

The "around the world" calculator appeared to load properly, but then took off as if somebody were punching all of its buttons at once. Charts on Google sites are uniformly blank. Some flash games mostly worked, others showed more input-related confusion. Few of them were truly playable. On the other hand, Flash "intros" and advertisements mostly work as intended - just what your editor wanted.

So Gnash is not really there yet. In truth, this software is not in a condition where the use of the term "beta" makes sense; there is a lot of work yet to be done. There are few of us clamoring for support for more obnoxious advertising - especially among the LWN readership, as your plentiful emails over the last couple of months have made clear. What we want is working support for the useful Flash applications out there - and there are a few of those at this point. Gnash does not, currently, provide that support. (Your editor also tried out Swfdec 0.6.0, with generally worse results).

That said, it is clear that a lot of work has been done to get Gnash to this point. Your editor has no real way to judge how much more is required to get full support for even Flash version 7; chances are it is not a small job. Needless to say, support for newer versions of Flash will require even more work. But there now appears to be a solid platform upon which that work can be done, and that is an important start. Gnash has the look of a project which has overcome some of the biggest initial hurdles and is now setting a pace to finish the job. With luck, it will have reached the point where the fact that it almost works will inspire new developers to come in and fill in the remaining pieces.

Adobe has the ability to make this job a lot easier. Your editor has heard, informally, that the company has taken a less hostile position toward the Gnash developers than it had in the past, but it certainly is still not helping them. The Flash specifications are not available to anybody trying to create a Flash player, and, unsurprisingly, the Flash EULA forbids any sort of reverse engineering. That EULA, incidentally, also forbids running Adobe's player on any "non-PC device," including tablets and phones. That restriction suggests that Adobe sees business opportunities in the lack of a free Flash player for such systems and intends to ensure that this scarcity continues. So, despite the occasionally friendly noises Adobe has been making toward the Linux community, we should not expect a great deal of help from that direction.

Someday, people will figure out that closed standards (like Flash) are best avoided. Meanwhile, Flash is a fact of life that we will need to deal with. It appears that we are getting closer to being able to deal with it - but we are not there yet.

Comments (49 posted)

Page editor: Jonathan Corbet

Security

Extended Validation certificates and cross-site scripting

By Jake Edge
March 12, 2008

Cross-site scripting (XSS) is a frequent topic on security forums because it is a common web application flaw that can lead to variety of unpleasant surprises. One of the more frequently seen abuses of an XSS flaw is in the aid of a phishing attack. With the advent of Extended Validation (EV) certificates coupled with the accompanying browser UI changes, some XSS attacks will become much more powerful.

By now, most users are familiar with SSL certificates, which are used to authenticate one or both sides of an HTTPS connection to the other. EV certificates are a step up from a more pedestrian SSL certificate as the recipient must undergo more scrutiny from the certificate authority (CA) before being granted one. We covered EV certificates in more detail in November 2006, but they are just now starting to be installed more widely.

Netcraft reported the problem a few weeks ago with regard to sourceforge.net. Sourceforge is one of the 4,000 or so sites with an EV certificate, but it also has an XSS problem. So anyone using the site for XSS purposes now gets the benefit of the higher trust that is supposed to be embodied in an EV certificate.

Browser vendors are being encouraged to highlight the EV certificates in their UI so as to give users more confidence in those sites. The most recent Firefox 3 betas as well as IE7 are highlighting the site name in green in the address bar to denote this higher trust. Unfortunately, the extra validation does not extend to testing the site for XSS flaws, which could leave users easily fooled.

A phishing attack could use an XSS flaw in a search box or error message, for example, to add content to the appearance of a site. That content is really coming from the XSS attack but it would appear under the "green means go" address bar for the EV certificate-protected site. That content could include a login screen that sent the credentials elsewhere or a cookie stealing attack for session hijacking. For any site with sensitive information, XSS attacks are already a problem, EV certificates just add another mechanism for exploiting the user's trust.

Much like the padlock icon that appeared many years ago to denote a "secure" (really, just encrypted) connection, this new green address bar indicator is somewhat difficult to explain. Based on the vetting process for EV certificates, there should be a real entity behind an EV certificate—or at least there was one at the time of issuance—but it is by no means an endorsement of the security of everything on a web page that has one. It is, like the original padlock, more nuanced than that.

Unfortunately, users are not good at security nuances. They want yes or no answers to "Is this site safe?"; that answer is nearly always "maybe" or perhaps "probably". At one time, the padlock icon was seen as a "yes" answer; now the green address bar may take its place. Somehow users need to be taught to look beyond simple answers and websites need to clean up their act so that their users are not scammed.

The number of sites with XSS problems is staggering (a look at xssed.com is instructive) and new ones crop up all the time. In many ways, XSS is an attack against users rather than directly against a site. This may make it less of a priority to fix than a direct attack, like a SQL injection, might be. That is very unfortunate for their users, especially if they have a shiny new EV certificate.

Comments (10 posted)

Removing the updated vulnerability listings

The LWN Security page has lots of useful information, but sometimes it seems to stretch on for a long ways. A lot of that length is contained in the "Updated vulnerabilities" section and we are starting to wonder if that really adds that much to the page. It is collected automatically from our daily security updates, so removing it won't help us kick out the weekly edition any faster, but it might make reading the page, especially in the "one big page" format, somewhat easier. If we removed that section, the information will still appear in the daily summaries, of course, and be available by searching our database. Before we do that, though, we'd like to hear from our readers regarding their thoughts on the matter. Please comment if you have thoughts one way or the other.

Comments (46 posted)

New vulnerabilities

java: multiple vulnerabilities

Package(s):java-1.5.0-sun CVE #(s):CVE-2008-1185 CVE-2008-1186 CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1191 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196
Created:March 7, 2008 Updated:July 16, 2008
Description: From the Red Hat advisory:

Flaws in the JRE allowed an untrusted application or applet to elevate its privileges. This could be exploited by a remote attacker to access local files or execute local applications accessible to the user running the JRE (CVE-2008-1185, CVE-2008-1186)

A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187)

Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196)

A flaw was found in the Java Plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192)

A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possible execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193)

A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194)

The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to acesss local network services. (CVE-2008-1195)

Alerts:
Red Hat RHSA-2008:0555-01 java-1.4.2-ibm 2008-07-14
Red Hat RHSA-2008:0267-01 java-1.6.0-ibm 2008-05-19
Red Hat RHSA-2008:0244-01 java-1.5.0-bea 2008-04-28
Red Hat RHSA-2008:0243-01 java-1.4.2-bea 2008-04-28
rPath rPSA-2008-0128-2 firefox 2008-03-27
Red Hat RHSA-2008:0245-01 java-1.6.0-bea 2008-04-28
SuSE SUSE-SA:2008:025 IBMJava2,IBMJava5,java-1_4_2-ibm,java-1_5_0-ibm 2008-04-25
Gentoo 200804-20 sun-jre, sun-jdk 2008-04-17
SuSE SUSE-SA:2008:019 MozillaFirefox 2008-04-04
Red Hat RHSA-2008:0210-01 java-1.5.0-ibm 2008-04-03
SuSE SUSE-SA:2008:018 Sun Java 2008-04-02
Mandriva MDVSA-2008:080 mozilla-firefox 2007-03-28
rPath rPSA-2008-0128-1 firefox 2008-03-27
Ubuntu USN-592-1 firefox 2008-03-26
Red Hat RHSA-2008:0186-01 java-1.5.0-sun 2008-03-06

Comments (none posted)

joomla: multiple vulnerabilities

Package(s):joomla CVE #(s):CVE-2007-6642 CVE-2007-6643 CVE-2007-6644 CVE-2007-6645
Created:March 6, 2008 Updated:March 12, 2008
Description: The Joomla PHP-based content management system has the following vulnerabilities: There are multiple cross-site request forgery vulnerabilities. There is one cross-site scripting vulnerability. There is a vulnerability where remote authenticated administrators can promote arbitrary users to the administrator group, violating the intended security model. There is a registered user privilege escalation vulnerability.
Alerts:
Mandriva MDVSA-2008:060 joomla 2007-03-05

Comments (none posted)

kronolith: privilege escalation and more?

Package(s):kronolith CVE #(s):
Created:March 10, 2008 Updated:March 12, 2008
Description:

The Fedora advisory is light on details:

Fix privilege escalation in Horde API. Fix missing ownership validation on share changes.

Alerts:
Fedora FEDORA-2008-2221 kronolith 2008-03-07
Fedora FEDORA-2008-2212 kronolith 2008-03-06

Comments (none posted)

libnet-dns-perl: denial of service

Package(s):libnet-dns-perl CVE #(s):CVE-2007-6341 CVE-2007-3409
Created:March 12, 2008 Updated:March 27, 2008
Description: The libnet-dns-perl package can crash when decoding malformed A records, creating a denial of service vulnerability. Also, the domain name expander can be sent into an infinite loop, also a denial of service problem.
Alerts:
Ubuntu USN-594-1 libnet-dns-perl 2008-03-26
Mandriva MDVSA-2008:073 perl-Net-DNS 2007-03-20
Debian DSA-1515-1 libnet-dns-perl 2008-03-11

Comments (none posted)

lighttpd: cgi source disclosure

Package(s):lighttpd CVE #(s):CVE-2008-1111
Created:March 7, 2008 Updated:April 4, 2008
Description: lighttpd before 1.4.18 is vulnerable to cgi source disclosure.
Alerts:
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04
Fedora FEDORA-2008-2262 lighttpd 2008-03-06
rPath rPSA-2008-0106-1 lighttpd 2008-03-12
Debian DSA-1513-1 lighttpd 2008-03-06
Fedora FEDORA-2008-2278 lighttpd 2008-03-06

Comments (none posted)

MediaWiki: cross-site scripting

Package(s):mediawiki CVE #(s):CVE-2008-0460
Created:March 7, 2008 Updated:December 24, 2008
Description: From the CVE entry: Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Alerts:
Fedora FEDORA-2008-11688 mediawiki 2008-12-24
Fedora FEDORA-2008-2288 mediawiki 2008-03-06
Fedora FEDORA-2008-2245 mediawiki 2008-03-06

Comments (none posted)

moin: multiple vulnerabilities

Package(s):moin CVE #(s):CVE-2007-2637 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099
Created:March 10, 2008 Updated:January 30, 2009
Description:

From the Debian advisory:

CVE-2007-2637: Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure.

CVE-2008-0782: A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files.

CVE-2008-1098: Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages.

CVE-2008-1099: The macro code validates access control lists insufficiently, which could lead to information disclosure.

Alerts:
Ubuntu USN-716-1 moin 2009-01-30
Fedora FEDORA-2008-3328 moin 2008-04-29
Fedora FEDORA-2008-3301 moin 2008-04-29
Gentoo 200803-27 moinmoin 2008-03-18
Debian DSA-1514-1 moin 2008-03-09

Comments (none posted)

nx: multiple vulnerabilites

Package(s):nx CVE #(s):
Created:March 7, 2008 Updated:March 12, 2008
Description: There are multiple vulnerabilities in nx before 3.1.0.
Alerts:
Fedora FEDORA-2008-2258 nx 2008-03-06

Comments (none posted)

pdflib: multiple buffer overflows

Package(s):pdflib CVE #(s):CVE-2007-6561
Created:March 11, 2008 Updated:March 12, 2008
Description: From the CVE entry: Multiple stack-based buffer overflows in PDFLib allow user-assisted remote attackers to execute arbitrary code via a long filename argument to the PDF_load_image function that results in an overflow in the pdc_fsearch_fopen function, and possibly other vectors.
Alerts:
Gentoo 200803-17 pdflib 2008-03-10

Comments (none posted)

phpmyadmin: sql injection

Package(s):phpmyadmin CVE #(s):CVE-2008-1149
Created:March 10, 2008 Updated:February 2, 2009
Description:

From the Gentoo advisory:

Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable of $_GET and $_POST as a source for its parameters.

An attacker could entice a user to visit a malicious web application that sets an "sql_query" cookie and is hosted on the same domain as phpMyAdmin, and thereby conduct SQL injection attacks with the privileges of the user authenticating in phpMyAdmin afterwards.

Alerts:
SuSE SUSE-SR:2008:026 libxml2, phpMyAdmin, lighttpd, OpenOffice_org, imp, clamav, acroread, htop, cups 2008-11-24
SuSE SUSE-SR:2009:003 boinc-client, xrdp, phpMyAdmin, libnasl, moodle, net-snmp, audiofile, xterm, amarok, libpng, sudo, avahi 2009-02-02
Mandriva MDVSA-2008:131 phpMyAdmin 2008-07-04
Debian DSA-1557-1 phpmyadmin 2008-04-24
Gentoo 200803-15 phpmyadmin 2008-03-09

Comments (none posted)

SynCE: several vulnerabilities

Package(s):synce-sync-engine CVE #(s):CVE-2007-6703 CVE-2008-1136
Created:March 7, 2008 Updated:March 12, 2008
Description: Red Hat bug #436023: "Unspecified vulnerability in vdccm before 0.10.1 in SynCE (SynCE-dccm) might allow attackers to cause a denial of service via unspecified vectors."

Red Hat bug #436024: "The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands via shell metacharacters in a certain string to TCP port 5679."

Alerts:
Fedora FEDORA-2008-0680 pywbxml 2008-03-06
Fedora FEDORA-2008-0680 vdccm 2008-03-06
Fedora FEDORA-2008-0680 librapi 2008-03-06
Fedora FEDORA-2008-0680 libsynce 2008-03-06
Fedora FEDORA-2008-0680 synce-gnome 2008-03-06
Fedora FEDORA-2008-0680 synce-gnomevfs 2008-03-06
Fedora FEDORA-2008-0680 odccm 2008-03-06
Fedora FEDORA-2008-0680 librra 2008-03-06
Fedora FEDORA-2008-0680 synce-serial 2008-03-06
Fedora FEDORA-2008-0680 wbxml2 2008-03-06
Fedora FEDORA-2008-0680 synce-kpm 2008-03-06
Fedora FEDORA-2008-0680 synce-sync-engine 2008-03-06

Comments (none posted)

vlc: multiple vulnerabilities

Package(s):vlc CVE #(s):CVE-2007-6681 CVE-2007-6682 CVE-2007-6683 CVE-2007-6684 CVE-2008-0295 CVE-2008-0296 CVE-2008-0984
Created:March 10, 2008 Updated:April 23, 2008
Description:

From the Gentoo advisory:

* Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(), ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681).

* The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682).

* The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683).

* The RSTP module triggers a NULL pointer dereference when processing a request without a "Transport" parameter (CVE-2007-6684).

* Luigi Auriemma and Remi Denis-Courmont found a boundary error in the modules/access/rtsp/real_sdpplin.c file when processing SDP data for RTSP sessions (CVE-2008-0295) and a vulnerability in the libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a heap-based buffer overflow.

* Felipe Manzano and Anibal Sacco (Core Security Technologies) discovered an arbitrary memory overwrite vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984).

Alerts:
Debian DSA-1543-1 vlc 2008-04-09
Gentoo 200803-13 vlc 2008-03-07

Comments (none posted)

vobcopy: insecure temp file

Package(s):vobcopy CVE #(s):CVE-2007-5718
Created:March 6, 2008 Updated:March 12, 2008
Description: From the Gentoo alert: Joey Hess reported that vobcopy appends data to the file "/tmp/vobcopy.bla" in an insecure manner. A local attacker could exploit this vulnerability to conduct symlink attacks and append data to arbitrary files with the privileges of the user running Vobcopy.
Alerts:
Gentoo 200803-11 vobcopy 2008-03-05

Comments (none posted)

Page editor: Jake Edge

Kernel development

Brief items

Kernel release status

The current 2.6 development kernel is 2.6.25-rc5, released on March 9. Linus says: "So the size of the -rc patches is finally starting to shrink, but we still have way too many outstanding regression reports." See the announcement for the short-form changelog, or the long-form changelog for all the details.

The flow of patches into the mainline git repository continues; they are mostly fixes, but, since the 2.6.25-rc5 release, Linus has also merged drivers for JMicron jmb38x MemoryStick host controllers, Varitronix VL-PS-COG-T350MCQB-01 displays, and RouterBoard 500 PATA Compact Flash controllers and removed the x86 quicklist feature.

The current -mm tree is 2.6.25-rc5-mm1. Recent changes to -mm include a number of memory policy changes, a rework of the signal delivery code, the simple tracing infrastructure, and a lot of cleanup patches.

There have been no stable kernel releases over the last week.

Comments (none posted)

Kernel development news

Quotes of the week

Things are going much much more smoothly now than they were in 2.6.24-rcX and 2.6.23-rcX. Tree integration problems are negligible and build errors are far fewer and runtime problems seem to be less too. Fingers crossed.
-- Andrew Morton

That is not particularly important, because Linux isn't a GNU package. If it were a GNU package, I would write to its maintainers to suggest using Bzr.
-- Richard Stallman

Comments (16 posted)

A better DMA memory allocator

By Jonathan Corbet
March 10, 2008
As any device driver author knows, hardware can be a pain sometimes. In the early days of Linux, peripherals attached to the ISA bus inflicted their particular variety of pain by being unable to use more than 24 bits to access memory. What that meant, in practical terms, was that ISA devices could not perform DMA operations on memory above 16MB. The PCI bus lifted that restriction, but, for some time, there were quite a few "PCI" devices that were minimally modified ISA peripherals; many of those retained the 16MB limit.

To handle the needs of these devices, Linux has long maintained the DMA memory zone. Drivers which need to allocate memory from that zone would specify GFP_DMA in their allocation requests. The memory management code takes special care to keep memory in that zone available so that DMA requests can be satisfied. In this way, the system can provide reasonable assurance that memory will be available to perform DMA in ways which meet the special needs of this particularly challenged hardware.

The only problem is that there aren't a whole lot of devices out there which still have the old 24-bit addressing limitation. So the DMA zone tends to sit idle. Meanwhile, there are devices with other sorts of limitations. Many peripherals only handle 32-bit addresses, so their DMA buffers must be allocated in the bottom 4GB of memory. There is a subset, however, with stranger limitations - 30 or 31-bit addresses, for example. The kernel's DMA library provides a way for drivers to disclose that sort of embarrassing limitation, but the memory management code does not really help the DMA layer make allocations which satisfy those constraints. So drivers for such devices must use the DMA zone (which may not be present on all architectures), or hope that normal zone memory fits the bill.

Andi Kleen has set out to clean up this situation with a new DMA memory allocator. His solution is to take a chunk of memory out of the kernel's buddy allocator entirely and manage it in an entirely different way, forming a reserve pool for DMA allocations. The result is a bit of a departure from normal Linux memory management algorithms, but it may well be better suited to the task at hand.

The new "mask" allocator grabs a configurable chunk of low memory at boot time. Allocations from this region are made with a separate set of calls, with the core API being: 

    struct page *alloc_pages_mask(gfp_t gfp, unsigned size, u64 mask);
    void __free_pages_mask(struct page *page, unsigned size);

    void *get_pages_mask(gfp_t gfp, unsigned size, u64 mask);
    void free_pages_mask(void *mem, unsigned size);

alloc_pages_mask() looks a lot like the longstanding alloc_pages() function, but there's some important differences. The size parameter is the desired size of the allocation, rather than the "order" value used by alloc_pages(), and mask describes the range of usable addresses for this allocation. Though mask looks like a bitmask, it is really better understood as the address value that the allocated memory should have; "holes" in the mask would make no sense.

A call to alloc_pages_mask() will first attempt to allocate the requested memory using the normal Linux memory allocator, on the assumption that the reserved DMA memory is an especially limited resource. If the allocation fails, perhaps because there's no physically-contiguous chunk of sufficient size available, then the allocator will dip into the reserved DMA pool. If the normal allocation succeeds, though, the allocated memory must still be tested against the maximum allowable address: the normal memory allocator, remember, has no support for allocating below an arbitrary address. So if the returned memory is out of bounds, it must be immediately freed and the reserved pool will be used instead.

That reserved pool is not managed like the rest of memory. Rather than the buddy lists maintained by the slab allocator, the DMA allocator has a simple bitmap describing which pages are available. It will normally cycle through the entire memory region, allocating the next available chunk of sufficient size. If that chunk is above the memory limit, though, the allocator will move back to the lower end of the reserved pool and allocate from there instead. Since DMA allocations tend to be short-lived, one would expect that a suitable block of memory would either be available or become available in the near future.

One other difference of note is that, unlike the slab allocator, the DMA allocator does not round memory allocation sizes up to the next power of two. DMA allocations can be relatively large, so that rounding can result in significant internal fragmentation and memory waste.

At the next level up, Andi has added a new form of mempool which uses the DMA allocator: 

    mempool_t *mempool_create_pool_pmask(int min_nr, int size, u64 mask);

This pool will behave like normal mempools, with the exception that all allocations will be below the limit passed in as mask. These pools are used in the block layer, where memory allocations for DMA must succeed.

One might object that reserving a big chunk of low memory for this purpose reduces the total amount of memory available to the system - especially if the DMA allocator is cherry-picking normal memory whenever it can anyway. But the cost is not as bad as one might think. These patches do away with the old DMA zone, which, for all practical purposes, was already managed as a reserved (and often unused) memory area. Some 64-bit architectures also set aside a significant chunk (around 64MB) of low memory for the swiotlb - essentially a set of bounce buffers used for impedance matching between high memory (>4GB) buffers and devices which cannot handle more than 32-bit addresses. With Andi's patch set, the swiotlb, too, makes allocations from the DMA area and no longer has its own dedicated memory pool. So the total amount of memory set aside for I/O will not change very much; it could, in fact, get smaller.

For most driver authors, there will be little in the way of required changes if this patch set gets merged. The DMA layer already allows drivers to specify an address mask with dma_set_mask(); with the DMA allocator in place, that mask will be better observed. The one change which might affect a few drivers is further down the line: eventually the GFP_DMA memory allocation flag will go away. Any driver which still uses this flag should set a proper mask instead.

So far, there has been little discussion resulting from the posting of these patches. Silence does not mean assent, of course, but it would appear that there is little opposition to this set of changes.

Comments (2 posted)

How to use a terabyte of RAM

By Jonathan Corbet
March 12, 2008
We have not yet reached a point where systems - even high-end boxes - come with a terabyte of installed memory. But products like those from Violin Memory make it clear that the day is coming; one can buy a Violin box with 500GB in it now. So it seems worth asking the question: once one has spent the not inconsiderable sum to buy a box like that, what does one do with all that memory - especially now that the Firefox developers have gotten serious about fixing memory leaks?

Perhaps it's time for some wild ideas. And there is no better source for such ideas than Daniel Phillips, whose Ramback patch has stirred up a bit of discussion this week. The core idea behind Ramback is that all of that memory is turned into a ramdisk, but with a persistent device attached to it. In normal conditions, all application I/O involves only the ramdisk, and is, thus, quite fast ("Every little factor of 25 performance increase really helps."). In the background, the kernel worries about synchronizing data from the ramdisk onto permanent storage. But the synchronization process is mostly concerned with I/O performance, rather than providing guarantees about just when any given block will make it onto the disk platters.

Ramback thus differs from the normal block I/O caching done by the kernel in a number of ways. It keeps the entire device in memory, so that, in steady-state operation, applications need never encounter a disk I/O delay. Should an application call fsync(), the expected result (blocking until the data is written to physical media) will not happen. Filesystems take great care to order operations in a way that minimizes the risk of data loss in a crash; Ramback ignores all of that and writes data to physical media in whatever order it decides is best. As Daniel put it, the "most basic principle" of Ramback's design is:

[T]he backing store is not expected to represent a consistent filesystem state during normal operation. Only the ramdisk needs to maintain a consistent state, which I have taken care to ensure. You just need to believe in your battery, Linux and the hardware it runs on. Which of these do you mistrust?

Ramback does include an emergency mode which will endeavor to bring the disk up to date in a hurry should the UPS indicate that power has been lost. But that does not seem to be enough for everybody. In the resulting discussion, nobody complained about the sort of performance benefits that a tool like Ramback could provide. But there was a lot of concern about data integrity; it seems that many people distrust their battery, their hardware, and Linux. And that has led to a sort of impasse, with several developers claiming that Ramback would be too risky to use and Daniel dismissing their concerns as FUD.

FUD or not, those concerns are likely to be a difficult barrier for Ramback to overcome. Meanwhile, Daniel is looking for people to help test out the code, but that presents challenges of its own:

This driver is ready to try for a sufficiently brave developer. It will deadlock and livelock in various ways and you will have to reboot to remove it. But it can already be coaxed into running well enough for benchmarks, and when it solidifies it will be pretty darn amazing.

So far, reports from suitably courageous testers have been, well, scarce. Your editor fears that this work could suffer the same fate as many of Daniel's other patches: they can contain brilliant ideas and great coding but just don't quite survive the encounter with the real, messy world. But we need people thinking about how our systems will work in the coming years; one hopes that Daniel won't stop.

Comments (33 posted)

GCC 4.3.0 exposes a kernel bug

By Jake Edge
March 7, 2008

A change to GCC for a recent release coupled with a kernel bug has created a messy situation, with possible security implications. GCC changed some assumptions about x86 processor flags, in accordance with the ABI standard, that can lead to memory corruption for programs built with GCC 4.3.0. No one has come up with a way to exploit the flaw, at least yet, but it clearly is a problem that needs to be addressed.

The problem revolves around the x86 direction flag (DF), which governs whether block memory operations operate forward through memory or backwards. The main use for the flag is to support overlapping memory copies, where working backwards through memory may be required so that the data being copied does not get overwritten as the copy progresses. Debian hacker Aurélien Jarno reported the problem to linux-kernel on March 5th, which was found when building Steel Bank Common Lisp (SBCL) using the new compiler.

GCC's most recent release, 4.3.0, assumes that the direction flag has been cleared (i.e. memory operations go in a forward direction) at the entry of each function, as is specified by the ABI (which is, somewhat amusingly, found at sco.com [PDF]). Unfortunately, this clashes with Linux signal handlers, which get called, incorrectly, with the flag in whatever state it was in when the signal occurred. This has the effect of leaking one bit of state from the user space process that was running when the signal occurred to the signal handler, which could be in another process.

That, in itself, is a bug, seemingly with fairly minimal impact. Prior to 4.3, GCC would emit a cld (clear direction flag) opcode before doing inline string or memory operations, so those operations would start from a known state. In 4.3, GCC relies on the ABI mandate that the direction flag is cleared before entry to a function, which means that the kernel needs to arrange that before calling a signal handler. It currently doesn't, but a small patch fixes that.

The window of vulnerability is small, but was observed in SBCL. The sequence of events that would lead to memory corruption are as follows:

  • a user space program does an operation (memmove() for example) that sets DF
  • a signal occurs for some process
  • the kernel calls the signal handler
  • the signal handler does a memmove() in what it thinks is a forward direction
  • the memory is copied in the reverse direction, leading to corruption
It is hard to see how that could be turned into a security breach, but it would be a mistake to assume that it can't. Other kernel bugs, like the one that allowed the recent vmsplice() exploit, have looked liked memory corruption, but were found to be more than that. The DF issue may turn out to be harmless from a security standpoint, but it should not be assumed.

So, now the question is: what to do about it. It is clear that the kernel should not leak the DF state to signal handlers, regardless of what GCC does. It is interesting to note that this behavior is the same (DF is not cleared on entry to a signal handler) on BSD kernels, leading some to claim that it is the ABI that is incorrect and that GCC should revert to its old behavior. Solaris kernels do clear the DF before calling signal handlers. This problem has existed for 15 years; GCC has always emitted code that worked correctly on kernels that did not follow the ABI, until now.

Part of the problem is that there are an enormous number of installed kernels that are vulnerable to this problem, but only if GCC 4.3 is installed. That version of GCC is not, yet, in widespread use, so the thinking is that GCC should revert its behavior now, before it gets into distributions. As kernels with the fix become more widespread, the "proper" behavior could be restored. The GCC folks don't necessarily see it that way, so it is unclear what will happen.

While it is true that distributors can control what kernel version and GCC version they ship, those aren't the only ways that either GCC or GCC-compiled binaries get installed. It is a bit of ticking time bomb for random memory corruption at a minimum. Handling those bug reports will be very difficult and time consuming. While the new behavior of GCC is correct, and the kernel is broken, it would be very helpful to back out this change, perhaps providing the new behavior via a command-line argument for those who are sure their binaries will be running on patched kernels. Some discussion on the gcc-devel list would indicate that a GCC 4.3.0.1 or 4.3.1 may be forthcoming.

Comments (53 posted)

Patches and updates

Kernel trees

Linus Torvalds Linux 2.6.25-rc5 ?
Andrew Morton 2.6.25-rc5-mm1 ?

Architecture-specific

Suresh Siddha x86, fpu: split FPU state from task struct - v5 ?

Core kernel code

Huang, Ying kexec jump -v9 ?
Peter Zijlstra Current sched patch stack ?

Development tools

Pekka Paalanen mmiotrace full patch, preview 2 ?
Rik van Riel sysrq show-all-cpus ?
Jens Axboe IO CPU affinity testing series ?
Andy Whitcroft update checkpatch.pl to version 0.16 ?

Device drivers

Andi Kleen [0/13] General DMA zone rework ?
Rodolfo Giometti LinuxPPS (RESUBMIT 2): the PPS Linux implementation. ?
Florian Fainelli Add support the Korina (IDT RC32434) Ethernet MAC ?
Ben Nizette UIO: Implement a UIO interface for the SMX Cryptengine ?
Ben Hutchings New driver "sfc" for Solarstorm SFC4000 controller (try #8) ?

Documentation

Michael Kerrisk man-pages-2.79 is released ?
Pavel Emelyanov Add a document describing the resource counter abstraction ?

Filesystems and block I/O

Theodore Ts'o 2.6.25-rc4-ext4-1 released ?
Jan Kara JBD ordered mode rewrite ?
Takashi Sato freeze feature ver 1.0 ?
Daniel Phillips Ramback: faster than a speeding bullet ?
Daniel Phillips Stacking bio support ?
Joel Becker ocfs2: Cluster stack glue layer ?
Joel Becker ocfs2: Userspace cluster stack support ?
Duane Griffin ext3: do not modify data on-disk when mounting read-only filesystem ?
Andrew Perepechko quota: 64-bit limits with vfs ?
Peter Staubach enhanced ESTALE error handling (v3) ?
Miklos Szeredi mountinfo: show only reachable mounts ?
Zach Brown CRFS source and project resources are now available ?

Memory management

Andi Kleen [0/13] General DMA zone rework ?
David Rientjes [patch -mm v2] mempolicy: disallow static or relative flags for local preferred mode ?
Christoph Lameter Notifier for Externally Mapped Memory (EMM) V1 ?
Mathieu Desnoyers Implement slub fastpath with sequence number ?

Networking

Daniel Lezcano make addrconf and icmp per namespace ?

Security-related

Jari Ruusu Announce loop-AES-v3.2c file/swap crypto package ?
Ahmed S. Darwish Security: Introduce security= boot parameter ?

Virtualization and containers

Martin Schwidefsky Guest page hinting version 6. ?

Miscellaneous

Bharata B Rao Union mount readdir support in glibc ?

Page editor: Jonathan Corbet

Distributions

News and Editorials

News from the Debian security team

By Jake Edge
March 12, 2008

A note from the Debian security team shows a number of new initiatives and plans. The team recently expanded by two while looking for up to two more folks to round it out. That, coupled with a number of new initiatives makes for some interesting news from the Debian security world.

Adding people to the team adds more eyes to find bugs, but, perhaps more importantly, adds more hands to actually patch the code when bugs are found. In many cases, the upstream project will fix the vulnerability in its latest release, leaving the distribution security team to backport the fix into whatever version they are shipping. This takes knowledge; one must understand the code and how to build it for Debian. They have not set the bar low for the kind of folks they are looking for:

You need to be familiar with how the wide variety Debian packages are maintained, patched and built. If you're not scared by packages generating their patch series by applying sed statements from cdbs include files before passing the patches through an awk filter to quilt until they're finally built with yada, you might be the right person.

The team is now using Request Tracker to track security bugs and updates. Two separate categories have been established, one for upstream bugs that are not yet public, the other for publicly known bugs. This allows the team to track all the bugs, but not prematurely release information about security vulnerabilities that are not yet public.

Two other changes will help with the quality of security patches. The first is a public patch review mailing list that is being formed to allow interested parties to see what patches are being proposed. Presumably this would only apply to public vulnerabilities or the list membership will need to be tightly controlled.

The other quality boosting change is to use the time between when a patch is completed and when it is has been ported and built for all of the architectures to further test the patch. The team is looking for large installations that normally install security updates in their own test environment before rolling them out to their live systems. Leveraging those test environments to further exercise the patched code can only lead to better code in the long run.

Security is an important part of any distribution, so it is nice to see these kinds of initiatives. More team members, testing, and tracking are all likely to bring about a faster and better response to security problems in the future.

Comments (none posted)

New Releases

64 Studio 2.1rc1 is out

The first release candidate of 64 Studio 2.1 has been announced. Click below for a list of known bugs and other information.

Full Story (comments: none)

Ubuntu Hardy Alpha 6 released

The sixth Alpha release of the Hardy Heron is available for testing. It can be downloaded for Ubuntu, Kubuntu, Kubuntu-KDE4, Edubuntu, Ubuntu JeOS, Xubuntu, Gobuntu and UbuntuStudio; depending on your flavor preference.

Full Story (comments: none)

Distribution News

Debian GNU/Linux

Nominations complete for Debian Project Leader Election

Three candidates for the Debian Project Leader (DPL) position have been identified. Marc 'HE' Brockschmidt, Raphaël Hertzog, and Steve McIntyre will be starting to campaign for the position. Voting begins March 30th. Click below for more information.

Full Story (comments: none)

Bits from the armel porters

Debian now support the armel architecture. "Armel supports many modern ARM instruction sets that were not possible with the old port, such as thumb, VFP and NEON. And very important for the port in general, armel is well supported upstream, while the old abi risks bitrotting."

Full Story (comments: none)

Fedora

Announcing the relaunch of the Fedora BugZappers!

The official re-launch of the Fedora Bug Triage Process has been announced. "Are you looking for a meaningful way to contribute to Fedora that does not require you to be a developer or package maintainer? Do you have a genuine desire to help people? Do you want to learn more about a particular component within Fedora? If so, then the triage team is for you!"

Full Story (comments: none)

An easy way to watch new Fedora bugs

You can now watch for Fedora bugs in your RSS reader. Locate the newest bugs for triaging by adding a feed for Fedora 7, Fedora 8 or rawhide.

Full Story (comments: none)

Fedora Bangladesh mailing list

A new Fedora Bangladesh mailing list has been created for Fedora and Red Hat Bangladeshi Users.

Full Story (comments: none)

Fedora Project Brazil Releases Online Magazine

The Brazilian branch of the Fedora Project has announced the release of the first issue of Revista Fedora Brasil (Fedora Brazil Magazine), an online magazine about Fedora made by Brazilian Ambassadors and Linux community members for those who speak Portuguese. The first edition features Fedora 8 and contains much more.

Full Story (comments: 1)

Red Hat Enterprise Linux

Red Hat's war on RHEL

This is about a month old, better late than never...Red Hat Magazine has put up a "tips and tricks article" on a question which must be on the top of everybody's list: How does one properly refer to Red Hat Enterprise Linux? They provide a couple dozen verbose alternatives, then assert: "It is never correct to abbreviate 'Red Hat Enterprise Linux' as 'RHEL'" A search for "RHEL" on redhat.com suggests that a few in-house people haven't gotten this memo yet. (Seen on 451 CAOS Theory).

Comments (23 posted)

SUSE Linux and openSUSE

Announcing the Official openSUSE Forums

The openSUSE project has announced the merger of the three largest English speaking dedicated SUSE forums, into the new official openSUSE Forums at forums.opensuse.org.

Full Story (comments: none)

Distribution Newsletters

Ubuntu Weekly Newsletter #81

The Ubuntu Weekly Newsletter for March 8, 2008 covers the release of Hardy Alpha 6, interesting Brainstorm stats, interview with Server developer Mathias Gug, and much more.

Full Story (comments: none)

PCLinuxOS Magazine Issue 19

The March 2008 edition of PCLinuxOS Magazine is out. Articles include "Dansguardian Howto", "Miro, Miro, on the wall", "KDE User Guide Chapter 1", and much more.

Comments (none posted)

OpenSUSE Weekly News/13

This week the OpenSUSE Weekly News covers the announcement of the Official openSUSE Forums, Preparing for Board elections, openSUSE User-base growing nicely, Firefox 3.0 Beta 4 Packages, New YaST/ZYpp repository layout, In Tips and Tricks: Creating a DVD from YouTube videos, and more.

Comments (none posted)

Fedora Weekly News Issue 123

The Fedora Weekly News for March 3, 2008 is out. This edition looks at Planet Fedora articles "Bonnie in Laurinburg", "RSS feeds of bugs!", "Howto: Test the WebKit engine in Fedora" and "Hints for making Evolution faster"; Fedora Marketing articles "Interview with Max Spevack and Paul Frields", "Linux Powers The Spiderwick Chronicles", "Name for Fedora Compute Grid Project", "ext4 Implementation Interview"; and several other topics.

Full Story (comments: none)

DistroWatch Weekly, Issue 243

The DistroWatch Weekly for March 10, 2008 is out. "This week belongs to the fans of GNOME. The brand new version 2.22 of the popular desktop environment is scheduled for release on Wednesday and everything suggests that we can expect another great set of improvements that will grace the upcoming releases of all major distributions. In the news section, we'll take a quick look at the new features and applications in Mandriva Linux 2008.1, follow the development of the Xfce spin of Fedora 9, pass on a request from Theo de Raadt to test the upcoming OpenBSD 4.3, and link to the freely downloadable DVD images of Yellow Dog Linux 6.0. Finally, while we all await impatiently the first beta release of Gentoo Linux 2008.0, we take a look at some of the exciting new features in the upcoming release of the Gentoo-based Sabayon Linux 3.5."

Comments (none posted)

Interviews

Developer interview: Eric Sandeen on ext4 implementation

Rodrigo Menezes talks with Eric Sandeen about the ext4 implementation in Fedora 9. "How much upstream development does Fedora drive on Ext4? Eric Sandeen: ext4 development has been a joint effort by several entities. A quick look at the linux-ext4 mailing list will show contributions from several companies and individuals, all interested in helping to develop ext4. One of my responsibilities at Red Hat is to do filesystem work for Fedora and RHEL, so I've also been doing what I can to move things along by submitting patches, testing, fixing, etc."

Comments (29 posted)

People of openSUSE: Detlef Reichelt

People of openSUSE introduce Detlef Reichelt. "When did you join the openSUSE community and what made you do that? In the year 2004 I joined the PackMan-Team. At this time I was looking for x86_64 RPMs. When I realized that there was nothing available, I rebuilt the PackMan-RPMs for x86_64."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Monitor disks with the S.M.A.R.T. monitoring tools

By Forrest Cook
March 11, 2008

The S.M.A.R.T. Monitoring Tools (Smartmontools) is a cross-platform set of utilities that are able to monitor operating data from hard drives:

The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI hard disks. In many cases, these utilities will provide advanced warning of disk degradation and failure. It should run on any modern Darwin (Mac OSX), Linux, FreeBSD, NetBSD, OpenBSD, Solaris, OS/2, eComStation, QNX, or Windows system.

Wikipedia defines SMART as the Self-Monitoring, Analysis, and Reporting Technology: "Mechanical failures, which are usually predictable failures, account for 60 percent of drive failure. The purpose of S.M.A.R.T. is to warn a user or system administrator of impending drive failure while time remains to take preventative action — such as copying the data to a replacement device. Approximately 30% of failures can be predicted by S.M.A.R.T."

Version 5.38 of Smartmontools was recently announced. Improvements include:

  • Several Libata/Marvell driver improvements.
  • New additions to the drive database.
  • ATA-8 updates.
  • New Dragonfly support.
  • Support for the QNX operating system.
  • A new no-fork option for smartd.
  • Better support for systems with large numbers of disks.
  • Improvements to the descriptions of the SMART Attribute list.
  • A workaround for a Samsung firmware bug.
  • Improvements to the CCISS support system.
  • New selective self-test command line options.
  • Build system portability improvements.
  • Numerous bug fixes.

Building Smartmontools was straightforward. The code was downloaded and unpacked. The usual configure, make and make install steps were performed on an Ubuntu 7.04 system with no troubles. The operation instructions from the README file were followed and the software was able to discover data from the one hard drive on the test system. This example output shows the wide variety of drive information that Smartmontools can display. The drive appears to be healthy.

If you are a systems administrator who needs to keep track of hard drive reliability data, Smartmontools be able to provide some useful drive information. With the addition of a small amount of glue-logic scripting, it should not be too difficult to set up an automated drive monitoring system.

Comments (10 posted)

System Applications

Database Software

Firebird 2.1 Release Candidate 2 announced

Release Candidate 2 of the Firebird DBMS has been announced. "The Firebird Project team is happy to announce that download kits for the second (and hopefully, last) V.2.1 release candidate are now available for Windows and Linux 32-bit and 64-bit platforms. MacOSX Intel 32-bit are there, x64 still in QA, coming soon. You are invited to test it with as much rigour and vigor as you like and report your experiences (good or bad) back to the firebird-devel or the firebird-test list."

Comments (none posted)

MySQL 6.0.4 alpha has been released

Version 6.0.4 alpha of the MySQL DBMS has been announced. "MySQL 6.0.4-alpha, a new version of the MySQL database system including the Falcon transactional storage engine (now at beta stage), has been released."

Full Story (comments: none)

SE-PostgreSQL 8.3 is available

Version 8.3 of Security-Enhanced PostgreSQL (SE-PostgreSQL), a DBMS that is built on the SELinux architecture, has been announced. "The base version was upgraded to PostgreSQL 8.3.0 It enabled to share external libraries (like -contrib package) with original PostgreSQL. Cumulative bugfixes."

Full Story (comments: none)

Postgres Weekly News

The March 9, 2008 edition of the Postgres Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Interoperability

Samba 3.0.28a available for download

Version 3.0.28a of Samba has been announced. "This is a bug fix release of the Samba 3.0.28 code base and is the version that servers should be run for for all current Samba 3.0 bug fixes."

Full Story (comments: none)

Networking Tools

d3vscan: Alpha 7 Release (SourceForge)

The Alpha 7 release of d3vscan has been announced. "d3vscan is a simple yet powerful[] network and bluetooth scanner which is based on PyGTK. d3vscan is a network manager which is able to uniquely identify and graphically plot network & Bluetooth devices to provide a higher degree of understanding of a particular network.d3vscan is also simple enough to be used by an average end user for free. Alpha 7 release features Map View for Bluetooth and Network modes."

Comments (none posted)

Security

conntrack-tools 0.9.6 released

Version 0.9.6 of conntrack-tools has been announced. "The netfilter project proudly presents another development release of the conntrack-tools. This release includes important improvements, new features and bugfixes".

Full Story (comments: none)

libnetfilter_conntrack 0.0.89 released

Version 0.0.89 of libnetfilter_conntrack has been announced. "libnetfilter_conntrack is a userspace library providing a programming interface (API) to the in-kernel connection tracking state table. This release includes new features and minor fixes."

Full Story (comments: none)

libnfnetlink release 0.0.33

Version 0.0.33 of libnfnetlink has been announced. "The netfilter project proudly presents libnfnetlink 0.0.33. This release includes minor bugfixes and updates. Changelog attached. libnfnetlink is the low-level library for netfilter related kernel/userspace communication."

Full Story (comments: none)

Web Site Development

lighttpd 1.4.19 announced

Version 1.4.19 of lighttpd, a light-weight web server, has been announced. "It has been almost half a year since 1.4.18. 6months. Jan has been working on many interesting features for 1.5. [1] Currently he ports it to glib2. But back to 1.4.19. Yes again the release date was nailed down by a few security bugs. *cough* Nevertheless we got a ton of other nice bugfixes. All praise our new lighttpd hero Stefan Bühler. Big thank you from my side."

Comments (none posted)

Desktop Applications

Animation Software

Synfig 0.61.08 released

Version 0.61.08 of Synfig, a vector-based 2D animation package, has been released. "Synfig version 0.61.08 was released on March 3rd 2008. It is the result of several months of contributions by the free software community. It has security fixes, far fewer bugs, several usability enhancements, a few new features and other improvements."

Full Story (comments: none)

Synfig irregular news

The March 10, 2008 edition of the Synfig Irregular News covers the latest news from the Synfig 2D vector animation studio project.

Full Story (comments: none)

Audio Applications

Snd-ls 0.9.8.5 and San Dysth 0.1.1 announced

Version 0.9.8.5 of the Snd-ls audio editor and version 0.1.1 of San Dysth, a software synthesizer, are out.

Full Story (comments: none)

Desktop Environments

GNOME 2.22 released

GNOME 2.22 is out, right on schedule. There's a lot of new stuff in this release, including the "cheese" photo application, more 3D effects, a new virtual filesystem layer, Flash playback with swfdec, a remote desktop viewer, and much more; see the release notes for details and screenshots.

Full Story (comments: 17)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (2 posted)

KDE 4.0.2 Brings New Plasma Features (KDE.News)

KDE.News takes a look at KDE 4.0.2. "KDE 4.0.2 has, along with the bugfixes some new features in Plasma. The panel can now be configured to sit somewhere else than at the bottom and UI options for changing its size have been added. Do not let yourself be distracted by those new things, there are also plenty of bugfixes, performance improvements and translation updates in there, among which support for two new languages: Persian and Icelandic. KDE 4.0.2 is thus available in 49 whopping languages, and more are soon to come."

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Xorg Software Announcements

The following new Xorg software has been announced this week: More information can be found on the X.Org Foundation wiki.

Comments (none posted)

Educational Software

FET: 5.5.0 released (SourceForge)

Version 5.5.0 of FET has been announced. "FET is free timetabling software for schools, high-schools and universities. Scheduling is done automatically."

Comments (none posted)

Electronics

XCircuit 3.4.28 released

Stable version 3.4.28 of XCircuit, an electronic schematic capture application, is out with numerous enhancements.

Comments (none posted)

GUI Packages

FLTK 1.1.8rc2 released

Version 1.1.8rc2 of FLTK has been announced. Changes include: "documentation fixes, updated included image and compression libraries to their current releases fixed fl_read_image issue on X11."

Comments (none posted)

Interoperability

Wine 0.9.57 released

Version 0.9.57 of Wine has been announced. Changes include: Support for multiple OpenGL pixel formats. Improved support for color profiles. Many window management fixes. Better fullscreen support. Lots of bug fixes.

Comments (none posted)

Multimedia

Elisa 0.3.5 released

Version 3.5 of Elisa has been announced. "Elisa is a project to create an open source cross platform media center solution. While our primary development and deployment platform is GNU/Linux and Unix operating systems we also currently support MacOSX and also hope to support Microsoft Windows in the future. In addition to personal video recorder functionality (PVR) and Music Jukebox support, Elisa will also interoperate with devices following the DLNA standard like Intel's ViiV systems. Elisa uses Twisted and GStreamer."

Full Story (comments: none)

Office Suites

OpenOffice.org moving to LGPLv3

The OpenOffice.org project has announced that, as of the first OpenOffice.org 3.0 beta release, that software will be licensed under version 3 of the GNU LGPL. "This move forward is the natural evolutionary step to take for a codebase using a license from the FSF license family. The drafting process for the license involved substantial FOSS community input and we will benefit from this work. In particular, the new license includes additional protections for the community against software patents." The contributor agreement for OOo is also changing.

Full Story (comments: 9)

Video Applications

Dirac video codec 1.0 released

The Schrödinger project has announced the availability of the 1.0 version of the Dirac video codec. "Schrödinger core is implemented in ANSI C with further assembly level optimisations provided through the liboil optimisation library. The Schrödinger decoding and encoding components offer a stable ABI for developers which will enable easy integration of Dirac support for application and media framework developers. The Schrödinger project also includes a set of GStreamer plugins as an example of how to use the Schrödinger library in a modern multimedia framework." (thanks to Timo Jyrinki)

Comments (18 posted)

The first Gnash beta is out

Gnash 0.8.2 - deemed the first beta release - is available. "Gnash is a GPL'd SWF movie player and browser plugin for Firefox, Mozilla, and Konqueror. Gnash supports many SWF v7 features and ActionScript 2 classes. with growing support for SWF v8 and v9." There is a long list of improvements made since the alpha release; click below for details.

Full Story (comments: 21)

Web Browsers

A look at memory usage in Firefox 3

"Pavlov" has posted a detailed look at what was done to reduce memory usage in Firefox 3. "Another fantastic change from Alfred Kayser changed the way we store animated GIFs so that they take up a lot less memory. We now store the animated frames as 8bit data along with a palette rather than storing them as 32 bits per pixel. This savings can be huge for large animations. One extreme example from the bug showed us drop from using 368MB down to 108MB — savings of 260MB!"

Comments (17 posted)

Mozilla Firefox 3 Beta 4 released (MozillaZine)

MozillaZine has announced the availability of the Beta 4 release of Mozilla Firefox 3. "Mozilla Firefox 3 Beta 4 has been released for testing. The fourth beta of the next major Firefox version offers over 900 bug fixes over Beta 3, including improvements in download manager, full page zoom, better integration with Vista, Mac OS X and Linux, and significant improvements in speed and memory usage."

Comments (none posted)

Languages and Tools

C

GCC 4.3.0 Released

Version 4.3.0 of the Gnu Compiler Collection (GCC) is out. "GCC 4.3.0 is a major release, containing substantial new functionality not available in GCC 4.2.x or previous GCC releases." See the article GCC 4.3.0 exposes a kernel bug for a discussion of an issue raised by the x86 direction flag (DF).

Full Story (comments: none)

C#

MonoDevelop 1.0 released

Novell has sent out a press release on the availability of MonoDevelop 1.0 and the Mono 2.0 beta release. "MonoDevelop enables developers to quickly write desktop and ASP.NET Web applications on Linux and Mac OS X. MonoDevelop will make it easier for developers to port .NET applications created with Visual Studio to Linux and Mac OS X and to maintain a single code base for all three platforms."

Comments (3 posted)

Caml

Caml Weekly News

The March 11, 2008 edition of the Caml Weekly News is out with new articles about the Caml language.

Full Story (comments: none)

Haskell

Haskell Weekly News

The March 09, 2008 edition of the Haskell Weekly News is online. Nearly 100 new and updated libraries and tools have been released, along with new jobs, and Haskell.org's participation in the Google Summer of Code project.

Comments (none posted)

HTML

CSSBox: 1.0 released (SourceForge)

Version 1.0 of CSSBox has been announced. The software description states: "An (X)HTML/CSS rendering engine written in pure Java. Its primary purpose is to provide a complete information about the rendered page suitable for further processing. However, it also allows displaying the rendered document. The 1.0 version of the CSSBox rendering engine has been released. It contains a new block width computation algorithm, many improvements and bugfixes."

Comments (none posted)

Java

Avian 0.0.1 announced

Version 0.0.1 of Avian has been announced, it includes major bug fixes. "Avian is a lightweight virtual machine and class library, both written from scratch to provide a useful subset of Java's features. It's well-suited to cross-platform applications which need a typesafe language but must remain small and self-contained." (Thanks to Joel Dice).

Comments (none posted)

GNU Classpath 0.97.1 released

Version 0.97.1 of GNU Classpath has been announced. "We are proud to announce the release of GNU Classpath 0.97.1, the first bugfix release for GNU Classpath 0.97. GNU Classpath, essential libraries for java, is a project to create free core class libraries for use with runtimes, compilers and tools for the java programming language."

Full Story (comments: none)

Perl

This Week on perl5-porters (use Perl)

The February 24-29, 2008 edition of This Week on perl5-porters is out with the latest Perl 5 news.

Comments (none posted)

Python

CodeInvestigator 0.7.5 announced

Version 0.7.5 of CodeInvestigator, a tracing tool for Python programs, has been announced. Changes include new Firefox support and a bug fix.

Full Story (comments: none)

Python-URL! - weekly Python news and links

The March 10, 2008 edition of the Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Tcl-URL! - weekly Tcl news and links

The March 5, 2008 edition of the Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

Cross Compilers

SDCC 2.8.0 RC1 released

Version 2.8.0 RC1 of SDCC, the Small Device C Compiler, has been announced. This version adds many new capabilities and some bug fixes. "SDCC is a retargettable, optimizing ANSI - C compiler that targets the Intel 8051, Maxim 80DS390, Zilog Z80 and the Motorola 68HC08 based MCUs. Work is in progress on supporting the Microchip PIC16 and PIC18 series. SDCC is Free Open Source Software, distributed under GNU General Public License (GPL)."

Comments (none posted)

Editors

Komodo Edit released as free software

ActiveState has announced that its "Komodo Edit" utility is now available under any of the MPL, GPL, or LGPL. "Komodo Edit, based on the award-winning Komodo IDE, offers sophisticated support for all major scripting languages, including in-depth autocomplete and calltips, multi-language file support, syntax coloring and syntax checking, Vi emulation, and Emacs key bindings."

Comments (8 posted)

Libraries

UnitsC++: First release (SourceForge)

The first release of UnitsC++ has been announced. "UnitsC++ is a lightweight C++ library that lets you use unit objects for performing type-safe numerical calculations involving physical units. It 1) is easy to use, 2) results in very readable code, 3) is easy to change to fit your needs. UnitsC++ targets scientists and engineers writing code in C++ that performs numerical calculations."

Comments (none posted)

Version Control

GIT 1.5.4.4 released

Version 1.5.4.4 of the GIT distributed version control system is out with numerous enhancements and bug fixes.

Full Story (comments: none)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Top 10 Linux Desktop Hurdles (Intranet Journal)

Intranet Journal covers 10 hurdles for Linux on the desktop. "In the past, many desktop Linux users have opted to simply point to the hardware industry or Microsoft as the root cause of a lack of mainstream adoption. In reality, there are actually core issues extending beyond hardware -- and competition from the proprietary markets -- that simply must be dealt with head on. With that said, hardware compatibility and competition from closed-source vendors are valid issues, just not solid core excuses for the lack of mainstream interest. Here are the real hurdles..."

Comments (6 posted)

GNU/Linux World Domination for the Wrong Reasons (Datamation)

Over at Datamation, Bruce Byfield has a thoughtful piece about Linux and world domination. "At its most basic, free software is about helping users gain control of their computers so that they can participate unhindered in the digital conversations of the networks and the Internet. It's about installing software freely, rather than being dictated to by the manufacturer. It's about using your computer the way that you want, instead of ceding control to lock-down devices installed by software vendors without permission on your machine."

Comments (38 posted)

Trade Shows and Conferences

KDE at CeBIT 2008 (KDE.News)

KDE was present at CeBIT 2008 in Hannover. "Thanks to our great community the KDE booth was always very well staffed, both by experienced KDE contributors and our friends in the Fedora community, but also by users who volunteered and so made their first-time contributions to the KDE world. It's nice to see such enthusiastic new contributors coming to KDE!"

Comments (none posted)

MIX - Novell's de Icaza criticizes Microsoft patent deal (LinuxWorld)

Miguel de Icaza spoke out against Microsoft at the MIX 08 conference. "Open-source pioneer and Novell Vice President Miguel de Icaza Thursday for the first time publicly slammed his company's cross-patent licensing agreement with Microsoft as he defended himself against lack of patent protection for third parties that distribute his company's Moonlight project, which ports Microsoft's Silverlight technology to Linux."

Comments (76 posted)

Companies

Nero Linux moves ahead with HD DVD, Blu-ray support (BetaNews)

BetaNews covers the planned launch of Nero Linux 3.5 "During the CeBIT computer show in Hannover, Germany, Nero announced plans to launch Nero Linux 3.5, which now promises to run on Linux subnotebooks with smaller screen resolutions. Although there are several different options for Linux users wanting to create CDs or DVDs, Nero Linux is different because it offers users the ability to back up Blu-ray and HD DVD content easily. Further, the GUI in the Linux version is very similar to the one used in Windows."

Comments (none posted)

Red Hat adds top intellectual property lawyers (Linux-Watch)

Linux-Watch covers Red Hat's hiring of two intellectual property lawyers. "It's a sign of the times when a major open-source company makes a big deal of hiring not top developers, but top lawyers. On March 5, Red Hat announced that it is hiring top intellectual property attorneys Robert Tiller, as vice president and assistant general counsel, and Richard Fontana, as open-source licensing and patent counsel."

Comments (1 posted)

Wal-Mart Ends Test of Linux in Stores (Associated Press)

This press release has some mixed messages. On the one hand: "Computers that run the Linux operating system instead of Microsoft Corp.'s Windows didn't attract enough attention from Wal-Mart customers, and the chain has stopped selling them in stores, a spokeswoman said Monday." But this report goes on to say that "Walmart.com now carries an updated version, the gPC2, also for $199, without a monitor. The site also sells a tiny Linux-driven laptop, the Everex CloudBook, for $399."

Comments (26 posted)

Linux Adoption

Linux well suited to SMB market (itbusiness.ca)

IT Business Canada looks at Linux in the small-medium business (SMB) market. It is a huge market that is being targeted by many proprietary and free software vendors with Linux making some headway. "Rupani adds that other cost savings associated with open source include using Linux servers in a variety of roles such as file server and Web server. In addition, Linux servers can service a large number of users at no extra cost apart from the additional hardware."

Comments (none posted)

Linux at Work

Linux tool speeds up police computer forensics (ZDNet)

ZDNet reports on a Linux-based live CD that can analyze computers used in criminal activities. "Called Simple (Simple Image Preview Live Environment), the software allows investigators to view and acquire forensic data at the scene of the crime without compromising the integrity of data as it is collected. "It's a Linux Live CD that we have built from the ground up. We customised the kernel and the underlying operating system so that, when it runs, it's incapable of writing to the hard disk or any other storage," Peter Hannay, the software developer behind the forensic acquisition tool, told ZDNet.com.au."

Comments (14 posted)

Resources

Secure temporary files in Linux (ZDNet India)

ZDNet India has some tips on securing /tmp and friends on Linux. "One problem with directories meant to store temporary files is that they can often be targeted as places to store bots and rootkits that compromise the system. This is because in most cases, anyone (or any process) can write to these directories."

Comments (22 posted)

Miscellaneous

Negroponte Not Seeking Replacement, OLPC XO to Run Windows in 60 Days or Less (Laptop Magazine)

Laptop Magazine is reporting two interesting things about the OLPC. The first is that contrary to other reports, Nicholas Negroponte is not looking to "replace" himself, but is looking for a CEO for the company. The second is that Windows XP will be available for the XO soon. "'Microsoft and OLPC are in discussion on how to release it, as well as how to announce,' he said. Negroponte added that the Windows operating system should be available on the XO in less than 60 days." (seen on OLPC News)

Comments (8 posted)

Samba 4 hits alpha status, but 2008 release unlikely (SearchEnterpriseLinux.com)

SearchEnterpriseLinux.com looks at the Samba 4 release schedule. "Are you curious about Samba 4, the ambitious new version of the open source program that provides an interface between Linux and Unix print and file servers and Microsoft Windows clients? As of last month, version 4.0.0alpha2 is available for download, and Samba team authentication developer Andrew Bartlett is encouraging others to play around with the release and report the findings."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

BusyBox settles another lawsuit

The Software Freedom Law Center has sent out a press release on the settlement of another BusyBox GPL-infringement lawsuit. "As a result of the plaintiffs agreeing to dismiss the lawsuit and reinstate High-Gain Antennas' rights to distribute BusyBox under the GPL, High-Gain Antennas has agreed to appoint an Open Source Compliance Officer within its organization to monitor and ensure GPL compliance, to publish the source code for the version of BusyBox it previously distributed on its Web site, and to undertake substantial efforts to notify previous recipients of BusyBox from High-Gain Antennas of their rights to the software under the GPL. The settlement also includes an undisclosed amount of financial consideration paid by High-Gain Antennas to the plaintiffs."

Comments (45 posted)

GNOME Foundation Annual Report for 2007

The GNOME Foundation has released an annual report as a rather slickly-produced PDF file. "We have completed our original goal. Ten years ago, GNU/Linux distributions did not include a free and usable web browser. Ten years ago, using only free software, you could not do graphic design and illustration, you could not balance your checkbook, you could not download pictures from your camera to the computer, you could not do phone calls over the Internet, you could not create a spreadsheet with pie charts, and you could not plug a USB drive into your computer and expect it to 'just work'. Okay, USB sticks didn't exist ten years ago, but you get the idea."

Full Story (comments: 23)

Google Summer of Code 2008 (MozillaZine)

MozillaZine has announced the participation of the Mozilla project in the Google Summer of Code 2008. "Gervase Markham wrote in to inform us that Mozilla intends to participate in Google Summer of Code 2008 as a mentoring organization. Gerv's weblog post calls on interested people to submit proposals at the Brainstorming page at mozilla wiki."

Comments (none posted)

New OpenOffice.org license and contributor agreement

The OpenOffice.org office suite project has announced license change and a new contributor agreement. "The license for code is changing from the early LGPL v 2.1 to 3.0 effective the Beta of OpenOffice.org 3.0. (The actual date of this beta has not been finalized.) The Joint Copyright Assignment form (JCA) is being replaced by the Sun Microsystems Inc. Contributor Agreement (SCA). This change is effective immediately with this announcement."

Full Story (comments: none)

Petition calls for Open Standards in the European Parliament

The Free Software Foundation Europe has announced a petition that calls for open standards in the European Parliament. "At a time when the EU Commission investigates the anti-competitive behaviour of a market-dominant player, the European Parliament (EP) still imposes that same specific software choice on both the European Union's citizens and its own MEPs. OpenForum Europe, The European Software Market Association, and the Free Software Foundation Europe today launched a petition to call on the EP to use Open Standards so that all citizens can participate in the democratic process."

Full Story (comments: none)

SFLC: Do not rely on Microsoft's Open Specification Promise

The Software Freedom Law Center has posted a position paper on Microsoft's recently-announced "Open Specification Promise" and how it relates to free software. "In response to these requests for clarification, we publicly conclude that the OSP provides no assurance to GPL developers and that it is unsafe to rely upon the OSP for any free software implementation, whether under the GPL or another free software license."

Comments (6 posted)

Commercial announcements

Funambol launches new Code Sniper projects

Funambol has announced new Code Sniper projects. "Code Sniper is Funambol's community program that rewards developers with monetary bounties to work on open source projects that benefit mobile users around the globe. This new slate of Code Sniper projects ranges from syncing pictures of friends on social networks to the address book on a mobile phone, to making it easy to invite your mobile contacts to join your favorite social network. All of the apps developed as part of Code Sniper are made freely available under standard open source licensing."

Comments (none posted)

Komodo IDE 4.3 features find and replace system

ActiveState has announced Komodo IDE 4.3. "After an award-winning major release a year ago, ActiveState's Komodo IDE continues its evolution with major new features and improvements in Komodo IDE 4.3, released today. The integrated development environment (IDE) for dynamic languages added powerful Find in Project and Replace in Files features, new Unit Testing integration, improved Source Code Control, and an Abbreviation feature in addition to performance improvements."

Full Story (comments: none)

Microsoft Launches Document Interoperability Initiative

Microsoft Corp. has announced their Document Interoperability Initiative. "Microsoft Corp. today announced the launch of its Document Interoperability Initiative, which is aimed at promoting user choice among document formats and expanded opportunity for developers, partners and competitors. The launch of this initiative is an important step in Microsoft's commitment to implement a set of strategic changes in its technology and business practices to expand interoperability through the implementation of its interoperability principles. The Document Interoperability Initiative focuses on bringing vendors together to promote interoperability between document format implementations through testing and refining those implementations, creation of format implementation test suites, and the creation of templates designed for optimal interoperability between different formats."

Comments (3 posted)

New Books

ScreenOS Cookbook--New from O'Reilly

O'Reilly has published the book ScreenOS Cookbook by Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly and Sunil Wadhwa.

Full Story (comments: none)

The Ultimate CSS Reference--New from SitePoint

SitePoint has published the book The Ultimate CSS Reference by Tommy Olssen and Paul O'Brien.

Full Story (comments: none)

Resources

Clean Room Design Practice (OpenCollector)

OpenCollector.org has announced a paper [pdf] on the clean room design practice for reverse engineering hardware. "Wade D. Peterson of Silicore (the people who created the free Wishbone SOC architecture) has written a major new paper on clean room design practice, full of detail on the legal aspects of reverse engineering and practical methods for separating copyright and patent governed aspects of a design, essential for creating open and interoperable designs."

Comments (none posted)

Contests and Awards

Stroustrup presented with Dr. Dobb's Excellence in Programming award

Bjarne Stroustrup has received a Dr. Dobb's Excellence in Programming Award. "2008-Best-selling author Bjarne Stroustrup, inventor of C++ and author of the Addison-Wesley title The C++ Programming Language, was presented with the Dr. Dobb's Journal Excellence in Programming Award at the SD West conference on Wednesday. The award acknowledges significant achievements in object-oriented programming, software architecture, and modeling."

Full Story (comments: none)

Meeting Minutes

Minutes of GNOME Summer of Code meeting

The minutes are available from the March 6, 2008 GNOME Summer of Code meeting. "Present: Adam Schreiber Buddhika Laknath Semage Christian Kellner Gabriel Burt Johannes Schmid Lucas Rocha Marco Barisione Rob Taylor Sandy Armstrong Vincent Untz".

Full Story (comments: none)

Calls for Presentations

Call for Presentations -- Flash Memory Summit 2008

A call for presentations has gone out for the Flash Memory Summit 2008. The event takes place in Santa Clara, CA on August 12-14, 2008. The submission deadline is April 25.

Comments (none posted)

LinuxWorld 2008 is looking for BOF topics and .org Exhibitors

The LinuxWorld conference is looking for Birds of a Feather (BOF) session proposals as well as free software projects to exhibit in the .org pavilion. The conference is being held August 4-7 at the Moscone Center in San Francisco. The deadline for .org pavilion applications is April 11, while BOF proposals need to be in by May 5. Click below for more information.

Full Story (comments: 1)

Upcoming Events

Global Open Source Conference announced

SDForum has announced the Global Open Source Conference, which takes place on March 24, 2008 in San Francisco, CA. "Speakers at the event will discuss the opportunities for open source software companies and developersthanks to government initiatives using open source, as well as sharinglearning lessons and successes from around the world. "Open source has quickly changed the global software industry," said Don Brown of Atlassian Software Systems, a speaker at the event. "A huge demand has arisen for open source companies worldwide as more governments enforce policies mandating open source and international markets continue to open.""

Comments (none posted)

GoOOoCon2008 / Prague

GoOOoCon 2008 will take place in Prague, Czech Republic on April 10-13, 2008. "The Novell team thought that, what with the next OOoCon being in Beijing and the cost of travel there (etc.) and of course the broad focus of that conference; that it would be good to have a very hacker-focused event in Europe. So, we're inviting all hyper-technical people (with or without long hair) to join the Novell go-oo team for part of their annual team face-to-face in Prague."

Full Story (comments: none)

KVM developer forum 2008

The KVM developer forum 2008 has been announced. "The KVM Forum 2008 will also give developers an opportunity to update the community on the work that they are doing and coordinate efforts for the betterment of KVM and Linux virtualization. Please reserve these dates, the event will take on June 11th - 13th, at Marriot Napa Valley, California, USA. For those of you who want to get there earlier, we will be holding a reception cocktail on June 10th evening time. The registration web site will be up shortly as will the call for papers".

Full Story (comments: none)

The Linux Foundation Reveals Speaker Line-up for 2nd Annual Collaboration Summit

The Linux Foundation has announced the speakers for its 2nd Annual Linux Foundation Collaboration Summit."The Collaboration Summit is designed to accelerate collaboration and problem solving in the Linux community by bringing key stakeholders together in a neutral setting. While there are a variety of industry and developer conferences, the LF Collaboration Summit is the only one to combine participation from developers, users, vendors, ISVs, attorneys and C-level executives to tackle the most pressing issues facing Linux." The summit takes place April 8 - 10, 2008 at the UT Super Computing Center in Austin, TX.

Full Story (comments: none)

PTPW 2008 :: Registrations open (usePerl)

Registration is open for PTPW 2008. "Registration and payment for the Portuguese Perl Workshop is finally open. Seats for the workshop and for the training classes are limited, so grab yours soon. Workshop seats: 100."

Comments (none posted)

PyCon 2008 begins on March 13 in Chicago

PyCon 2008 begins on March 13. "PyCon 2008 kicks off Thursday, March 13 at the Crowne Plaza Chicago O'Hare Hotel featuring talks and tutorials from Caltech, Google, Lockheed Martin, Microsoft, One Laptop per Child, Red Hat, and the University of California, Berkeley. Organized by the Python Software Foundation, and staffed entirely by volunteers, this annual community conference boasts more than double the number of tutorials compared to 2007."

Full Story (comments: none)

Mailing Lists

OLPC-Health mailing list announced

A new OLPC-Health mailing list has been created.

Full Story (comments: none)

Web sites

MacForge.net launched

MacForge.net has been launched. "MacTech(r) Magazine announced today that its MacForge(tm) Mac open source project index now has over 50,000 projects. In 2005, MacForge.net was created for not only the experienced open source user, but to introduce the Mac technical community to the wonderful array of projects available."

Full Story (comments: none)

Audio and Video programs

LCA Gaming Miniconf proceedings videos are available

Videos from the Linux.conf.au 2008 Gaming Miniconf are available. "There where loads of interesting talks, so if you where silly enough to not be there, you can now get in on the fun. Find out about a program which makes games from children's crayon drawings. Listen to how FOSS is being used to teach the next generation of game developers and find out how FOSS is being used in Australian commercial game companies. Don't forget to view the pyglet pinata session for the coolest live coding session you have ever seen (Space Invaders in under 40 minutes). Even Rusty Russell, our favourite kernel hacker turned game developer, makes an appearance with Pong Hero!"

Full Story (comments: none)

Page editor: Forrest Cook


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds