•   Distro Watch
•   Linux Today News Service
•   News for nerds, stuff that matters
•   News, reviews and commentary on all aspects of Linux and open-source software, including application servers, communications and database servers.
•   The O'Reilly Network ONLamp Articles and Weblogs

Source: LinuxTracker.org

Category: FreeNAS Size: 41.70 MB Status: 3 seeders and no leecher Added: 2007-07-17 04:39:45

Source: ipcop

IPCop Firewall, a distribution for protecting the network it is installed on, has been updated to version 1.4.16: "This release fixes some bugs, update glibc, Net::DNS and capi for security reasons. Upgraded packages are squid, snort, e100, r1000 As usual, this version can be installed as an update .

Source: damnsmall

Robert Shingledecker has announced Damn Small Linux 4.0 Alpha1: "This is a very different version of DSL. It is based on the following wish list as expressed in the forums: New 2.4.34 kernel; Easier to use user interface; A real desktop framework; Drag-N-Drop capability; Better and more flexible .

Source: Linux Today

ThemBid: "Currently, there are a bunch of website monitors available, some are free, but I couldn't find any that was really simple and satisfy our requirements "

Source: Linux Today

HowtoForge: "'MemCached' is a high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load "

Source: Linux Today

Ubuntu Geek: "Maxemum TV-Guide is a KDE TV-guide. It is developed in C++, based on QT/KDE and uses XMLTV as its back end to grab listings.

Source: Linux Today

TechBizMedia: "The software as a service is at very early stages and it is too early to determine how it will play out in the future "

Source: Linux Today

Seopher: "It can't be easy being Fedora; the once cream of the crop release being entirely overshadowed by the young upstart that is Ubuntu "

Source: Linux Today

InformationWeek: A few readers complained I had not provided a complete picture of Torvald's feelings. They were right. He also thinks FSF leaders are 'controlling,' 'condescending,' and full of 'hot air '"

Source: Linux Today

InformationWeek: "Microsoft says software that's licensed under a new version of a popular open source license isn't covered by the patent protection deal it recently signed with desktop Linux distributor Linspire "

Source: Linux Today

LoopFuse Blog: "The main benefits, in my view, of adopting an OSS business model are: a/ disruption and b/ commoditization "

Source: Linux Today

Heise Open: "Just like the UK National Archives fell for the myth of better archival through MS-OOXML, which has been analysed in more depth in a recent followup article in the BBC Technology news, influential groups like Gartner have swallowed the converter claim hook, line and sinker "

Source: Linux Today

Linux-Watch: "Ah! Notice the start of the last phrase, 'none of our recent conversations.' So, they are still talking "

Source: Linux Today

Interop News: "After my post two weeks ago about Xen, I got a call from the XenSource people. I had a long chat with their CTO Simon Crosby, who had some very interesting things to say "

Source: Linux Today

SearchOpenSource: "This is one case study, out of a three-part series, where OpenOffice expert and instructor Solveig Haugland examines the successes and failures of a school, city government and corporate migration from proprietary office suites like Microsoft Office to OpenOffice "

Source: Linux Today

Gizmodo: " [T]his video of a Linux-based MPX multi-touch table shows that things are moving full speed ahead in the land of the free penguins "

Source: Linux Today

internetnews.com: "So far the site lists Ubuntu's Mobile and Embedded Edition and Red Flag's MIDINUX Linux distributions as participants. This leaves out what is arguably the world's most deployed embedded Linux distribution: MontaVista Linux "

Source: Linux Today

SearchDataCenter: "Microsoft Windows is emerging as an acceptable operating system for high-performance computing (HPC) clusters in place of Linux, lowering the bar for entry into that space, according to some analysts and major vendors "

Source: Linux Today

Sabayon: "You love Sabayon Linux and want to use it for working purpose but you're not interested at all in games or desktop acceleration ?"

Source: Linux Today

internetnews.com: "Oracle's Linux offerings are gaining new support today "

Source: Linux Today

Palo Alto Daily News: "What is silent, the size of a hearty sandwich, connects to the Internet and saves its user an average of one ton of carbon dioxide emissions each year ?"

Source: Linux Today

internetnews.com: "The new Carrier Grade Rack Mount Server TIGW1U is the first Intel carrier grade server shipping today that supports both Linux and Solaris "

Source: Linux Today

Enterprise Linux Log: "Today HP execs wrote to tell us that their company has been awarded a top international Linux security certification "

Source: Linux Today

LinuxWorld: "Australian schools are subscribing to proprietary software--but the choice between proprietary and open source may have not been made on entirely equal ground "

Source: Linux Today

Linux Update: "This is a quick overview of the proposed features. As these are proposed features and it is still about 4 months from release some of these will change "

Source: Linux Today

CNET News: "The iPhone doesn't run Linux, but Intel has begun work to help improve the operating system for future devices of its ilk "

Source: Linux Today

TechIQ: "While prepping for the event, he spotted four key developments in the Linux market--including a possible surprise announcement from Hewlett-Packard Co "

Source: Linux Today

Oneopensource: "We can't start without a question: does Linux infinge Microsoft patents ?"

Source: Linux Today

CNET News: "The end is in sight for the 7-year-old but still popular version 4 of PHP, open-source software that lets servers create customized Web pages such as online catalog pages or a list of search results "

Source: Linux Today

eWeek: "Microsoft and Red Hat are no closer to a deal involving intellectual property cooperation, Microsoft has confirmed "

Source: Linux Today

Linux.com: "A group of developers from free software digital video recorder (DVR) related projects announced the first step towards a solution for obtaining free television listing information this week "

Source: Linux Today

KernelTrap: "H. Peter Anvin submitted a series of patches rewriting the x86 setup code "

Source: Linux Today

LinuxDevices: "Nokia's Navigation Kit for the N800 Internet Tablet works great when used in a car in metropolitan outskirts "

Source: Linux Today

Linux.com: "Katapult is an application launcher that does everything the Alt-F2 run dialog does, and much more "

Source: Linux Today

KernelTrap: "Ingo Molnar announced that the real time patchset that he and Thomas Gleixner maintain is now available as a series of 374 broken out patches "

Source: Linux Today

Phoronix: "It was just a month ago that the open-source Avivo driver for the ATI Radeon X1000 (R500) series was introduced to the public, but in this time we've seen some great progress made "

Source: Linux Today

Help Net Security: "Let us face it, modern e-mail communication relying on SMTP is fundamentally broken--there is no sender authentication "

Source: Slashdot: Linux

jd writes "Despite having one of the largest user-bases of any clustering system for Linux, openMosix is to be shut down. Top developers have left and they lack the means or motivation to continue. Their official claim of multicore CPUs making clustering redundant is somewhere between highly improbable and totally absurd, as has been pointed out elsewhere. Why is this shutdown so important? Well, from a technical standpoint, the open-source bproc (the Beowulf process migration module) is ancient, MOSIX is very hard to obtain unless you're a student, and kerrighd is (as yet) immature. From a user standpoint, openMosix is the mainstay of the Open Source clustering world and has by far the best management tools of any. The ability of this project to continue will likely have a major impact on the future of Open Source in the high-end markets — if the best of the best couldn't survive, people will be more careful about anything less."Read more of this story at Slashdot.

Source: Slashdot: Linux

(Score.5, Interestin writes "The NZ Automobile Association has just announced that it is dropping Open Office and switching back to MS Office. According to their CIO, 'Microsoft Office is not any cheaper, but it was almost impossible to work out what open-source was actually costing because of issues such as incompatibility and training.' In addition, 'you have no idea where open-source products are going, whereas vendors like Microsoft provide a roadmap for the future.'" About 500 seats are involved. MS conceded to letting Office users run the software at home as well.Read more of this story at Slashdot.

Source: Slashdot: Linux

Macthorpe writes "BetaNews is reporting that Microsoft has announced in a letter that they will support ODF as a format option, if it doesn't 'restrict choice among formats'. Citing their lack of opposition to the ratification of ODF as a standard, they go on to say: 'ODF's design may make it attractive to those users that are interested in a particular level of functionality in their productivity suite or developers who want to work that format. Open XML may be more attractive to those who want richer functionality [ ] This is not to say that one is better than the other — just that they meet different needs in the marketplace.'"Read more of this story at Slashdot.

Source: Slashdot: Linux

An anonymous reader writes "Intel has unveiled an ambitious project aimed at developing open source software for mobile devices. The Moblin project comprises a Linux kernel, UI framework, browser, multimedia framework, and embedded Linux image creation tools, along with developer resources such as documentation, mailing lists, and an IRC channel. Intel says it hopes Moblin will serve as a 'point of integration' for multiple sub-projects, and appears eager to see devices such as its Mobile Internet Device design, and chipsets such as its Ultra Mobile Platform 2007 platform, be thoroughly supported by Linux. Although all of the projects currently focus on the Intel architecture, Moblin says it is open to hosting support for other processor architectures."Read more of this story at Slashdot.

Source: eWEEK Linux

Oracle and Symantec announced on July 17 that Veritas data center software has been certified for use with Oracle Enterprise Linux.

Source: ONLamp.com

It’s been some time since I don’t follow closely Lua development. But I try to keep updated with what’s going on. The announcement of LuaPOD 0.1 caught my attention (due to the gathering of three technologies I find quite interesting).
Lua is a nice scripting language, especially designed for embedding in larger applications. Lua has one of its niches in the development of games, and World of Warcraft is among the most famous pieces where Lua is used as a scripting language. But, of course, there is more about Lua (for example, take a look at lua-users.org or LuaForge).
Some days ago, it was announced in the lua-l mailing list a new library LuaPOD, which renders the markup language POD as HTML or TeX. The intention of the library itself is to provide support for POD as markup language for the wiki at the Sputnik project.
POD is the Plain Old Documentation format well known to the users of the Perl programming language. Most of Perl’s related documentation (including the core libraries and CPAN modules) is written using POD. A variant of POD (known as PseudoPOD) is used at O’Reilly for producing books themselves.
In turn, the implementation takes advantage of the brand new LPeg library, a new pattern-matching library for Lua that is based on Parsing Expression Grammars (PEGs). LPeg brings to Lua an improved pattern matching library compared
to the basic support that was provided by the string library which is part of the standard Lua language. Among LPeg features, it allows for an efficient and simple implementation with
full-featured pattern-matching capabilities.
I found this a very intriguing project built on a set of open-source technologies which I hope to find the time to investigate further in the future.

Source: ONLamp.com

XSRF (Cross Site Request Forgery) is a huge security problem affecting most web applications. There have been a lot of articles written about XSRF, including the useful XSRF FAQ I linked to earlier.
There are quite a few free and commercial web application security assessment tools and static code analysis tools in the market today. A few commercial security assessment tool vendors have published white-papers about the importance of discovering XSRF vulnerabilities, yet their own products do not have the ability to assess for XSRF. I think there are multiple reasons for this, and here are my preliminary thoughts:
1. Lack of business awareness and demand.
SQL injection vulnerabilities are visually impactful. It is clear why SQL injection is bad, and why they can threaten the survival of an organization. On the other hand, the business impact of XSS (Cross Site Scripting) can be harder to demonstrate or explain. Thanks to some of the recent media coverage on XSS, most people who care about security in a business organization know that finding and remediating XSS vulnerabilities is important (I do not agree that organizations are making reasonable progress in understanding what XSS is, I just feel that a lot of people have heard of ‘Cross Site Scripting’ and know it is bad, and the awareness stops there. Other security professionals are more optimistic than me, but I’ll leave this topic to future discussion). Compared to XSS, the awareness of XSRF is just beginning to brew, and businesses are slowly realizing the impact. Most applications, by design, are vulnerable to XSRF - yet we don’t see the media jumping up and down about XSRF (as much as they do for XSS) just yet. This is slowly improving.
2. Even (some) security professionals do not understand XSRF.
I’ve interviewed sales and engineering folks from companies that sell security assessment tools, and I’ve come across many people who don’t know what XSRF is or think they know what it is (they confuse it with XSS).
3. It is hard to write a zero knowledge signature for XSRF that is *accurate*.
This point is specific to web application security assessment tools. These tools, for the most part, rely on input and output. To find SQL injection issues for example, the tools fuzz parameters with SQL code to see if the resultant output differs. To find XSS, these tools insert certain HTML characters into the parameters and look to see if the same characters are output without being escaped. Going by this general principle, finding XSRF and guaranteeing a low false positive rate is hard. Assume the following actions:
a. http://www.example.com/servlet/blah?action=hello
b. http://www.example.com/servlet/blah?action=delete_user
It is clear that even though action a. may be XSRF-able, it is the XSRF vulnerability in action b. that would need to be called out as a high risk vulnerability. But how can a scanner differentiate between the two? One possibility would be to rely on a list of English words that when found in a GET or POST request imply that the action is important, but this has the potential of giving rise to high false positives. It also has the potential of missing important actions that may be labeled differently.
Perhaps a better way to approach the issue is for the assessment tool to require the analyst to point out critical actions before the scan is launched. This may take away from the ‘point and click’ promise marketing departments at security companies like to make.
4. It is hard to *accurately* find XSRF issues using static code analysis.
There are many ways to mitigate XSRF so it can become difficult to tell if a XSRF vulnerability exists in a given piece of source code just by performing static analysis. As with 3., one approach may be for the static code analyzer to require the analyst to pick a method that is responsible for mitigating the issue, causing the analyzer to point out code that doesn’t invoke the given method. Yet again, this requires effort on part of the analyst and commercial security vendors prefer to advertise a no-brainer solution.
[NOTE: My thoughts on 3. and 4. are limited to initial brain-storming. If you have any thoughts on elegant solutions on how to find XSRF using automated tools, or know of a tool that already does this well, feel free to comment].
In summary, I feel XSRF hasn’t obtained the impact awareness it deserves - yet. Businesses are slowly becoming aware of the risk posed by XSRF, and I sincerely hope the security assessment products catch up soon.

Source: ONLamp.com

People who read my blog regularly know I’ve been researching what happens on mailing lists and in other forms of free online documentation. I now have a sort of portal or home page for the resulting articles. I’ve just published the most recent one, How to Help Mailing Lists Help Readers (Results of Recent Data Analysis). I hope to put up some other interesting experiments besides articles in the next stage of my work. I’ll be speaking about this research at O’Reilly’s Open Source convention on Wednesday, July 24.

Source: ONLamp.com

I program in C very reluctantly. I don’t hate the language, but it occupies a curious niche between assembly language (where you can do absolutely anything, if you’re willing to write it yourself, and eval is trivial) and a true high level language (where you can do absolutely anything, you don’t have to write it yourself, and eval is available for everything else). Yet it’s ubiquitous, it has a lot of libraries, and it’s probably the best way to write reasonably efficient code that has to run on plenty of platforms.

Because I’m writing a lot more C code lately (and of that, finding and fixing a lot of bugs), I’ve spent a lot of time using the GNU debugger GDB.

As a reluctant programmer in general, I spent many years happily debugging with print statements, and then plenty of years debugging with comprehensive test cases. When you’re writing a virtual machine and your test cases are all in a high level language, you don’t always have that luxury, especially when you have segfaults.

I already knew the value of backtraces, breakpoints, and printing the value of local variables. Then I forced myself to learn a few more tricks to make the most of the debugger. For example, breakpoints can take conditions. That is, you can write break src/exceptions.c:59 if exception-type == exception_class_NULLACCESS. Learning that alone paid off several times over.

The other feature I forget after a couple of months away from marathon debugging sessions is that p can dereference a pointer to a struct. That is, if you have a Coord pointer in the variable coords, use p *coords to see a serialized version of the struct and its contents. Handy!

I could talk more about using up and down to walk up and down the call stack after a breakpoint, but even learning only three or four useful commands has already cut out hours of debugging time in the past month. (I even found myself wishing for a better debugger in one of the HLLs I was working on.)

Thanks to all of the contributors to GNU GDB and its ecosystem; you’ve made it easier for me to write further free software.