Slashdot Mirror

gergnz writes "Just popped into my inbox, GCC 3.1 released. There are many bug fixes over 3.0. "we focused more on quality than new features" Mark Michell. Here are the changes, and you can see a list of ftp servers here. This is the release I have been waiting for. I will now upgrade :-) Well Done to all involved!"

gergnz writes "Just popped into my inbox, GCC 3.1 released. There are many bug fixes over 3.0. "we focused more on quality than new features" Mark Michell. Here are the changes, and you can see a list of ftp servers here. This is the release I have been waiting for. I will now upgrade :-) Well Done to all involved!"

ICC-Rocks writes "In light of the imminent release of the first 'stable' version of GCC version 3, OSNews features an interview with Mark Mitchel, GCC's Release Engineer. They are talking about GCC 3.x, the future and the competition."

peddrenth asks: "Software licenses are, we keep saying, difficult to read. The public clicks OK without reading, either implicitly trusting or mistrusting us the software authors. There have been calls recently for companies to clean-up the license, to bullet, section, and colour their licenses, to remove THE UPPERCASE and to draw charts and graphs to explain the license. Anyone who's had to read a 3-page document in a 3"x1" textbox knows how useful this would be. The GPL is one of the most important licenses in the world, and appears on thousands of products. Everything from windows programs to operating systems to people's artwork requires understanding and acceptance of the GNU GPL. Should we, the free software community, take the first step in this effort, and show the world what an easy-to-read license looks like? Would it be useful if long textual software licenses stood out like a sore thumb amongst the cool, pretty, and clear free licenses?" Many may think the GPL Preamble to be clear enough, and this may be true. However there are a lot of people out there that would like to read the entire license so that they know exactly what they may be getting into, before they agree to it. This usually implies being able reading the actual license, and not just the preamble.

"Should we use such a comparison to show the public how they're being manipulated by terms in a EULA they don't read or understand, and encourage other license-writers to include the graphs and tables themselves, showing the public what a license really means?

What would be your ideal license, what poster would you draw to explain the GPL to a child, a PHB, or an artist? Would you stick with the text, or can you think of anything better?"

jamie interjects: The root of the problem is that "intellectual property" is a kludge of a natural human understanding of property rights. Useful, but a kludge. You have to invent many oddball concepts to keep up the pretense that ideas are property. The GPL is a kludge (strict and precise licensing terms) implemented on top of a kludge (copyright law) and, in English or in code, there is no short and simple way to describe complex things.

F2F writes "Plan 9 from Bell Labs Fourth Release was announced yesterday marking a major overhaul of the entire operating system. VMware images are now supported, together with hoards of new hardware. The operating system now sports a new security model (on top of the old one, which was already quite secure), new network-resident secure storage system and improvements in the thread library, among others. See the release notes here: release4 notes or simply go to the download page at: plan9 download." T. adds: erikdalen sent in these links to critiques of the Plan 9 license from Richard Stallman and Nathan Myers.

Yokaze writes: "Intels C++ and Fortran compilers are now available for Windows and Linux. The compiler for Linux provides higher compatibility with the GNU C-compiler including compability to the upcoming GCC-3.1 C++-ABI (binary compability) and support for several GNUisms in the syntax (PDF). To quote Intel: 'The 6.0 release of the Intel C++ compiler has improved support for the GNU C language extensions and is now able to build the Linux kernel with minor work arounds for both the IA-32 and Itanium architectures.' Little reminder: Running such a kernel is, of course, not supported by the kernel developers. Evaluation copies are available for download, but requires previous registration."

bbh writes: "NewsForge has an article about the Free Software Foundation asking the makers of LindowsOS a simple question, 'Where's the Source?' Lindows CEO Michael Robertson has an interesting take on what the GPL means."

Max Hyre writes "Apropos (!= man -k :-) RIAA, web radio, and other such data-dispersal disagreements, here's a new way to do it your way: a fully software-driven radio receiver; just strap some off-the-shelf DAC hardware into a generic computer, and let the software do the rest. While I can just barely spell `sideband', this looks like it could be more fun than any set you ever had before, especially after those in the know build up some kewl apps for the great unwashed like me. They're also dreaming of GPS, cellular phones, &c.. My only gripe is that the web pages proper don't seem to have any cookbook recipes for the hardware; maybe that's in the docs with the source, or maybe this is strictly for the experienced, for now."

Max Hyre writes "Apropos (!= man -k :-) RIAA, web radio, and other such data-dispersal disagreements, here's a new way to do it your way: a fully software-driven radio receiver; just strap some off-the-shelf DAC hardware into a generic computer, and let the software do the rest. While I can just barely spell `sideband', this looks like it could be more fun than any set you ever had before, especially after those in the know build up some kewl apps for the great unwashed like me. They're also dreaming of GPS, cellular phones, &c.. My only gripe is that the web pages proper don't seem to have any cookbook recipes for the hardware; maybe that's in the docs with the source, or maybe this is strictly for the experienced, for now."

Jonas Öberg writes "GNU-Friends is doing a series of interviews with long-time free software hackers that I think people would be interested in. Check out interviews with Arnold Robbins, Karl Berry, Andrew L. Moore, Guido van Rossum, David MacKenzie and Chet Ramey. More to come, but that should keep people occupied for a few minutes." The GNU-Friends should have a show right after Superfriends.

A little fairy whispered in our ear: "MySQL AB is seeking a temporary injunction against NuSphere, even though they've finally released the source code for Gemini and MySQL Advantage. According to the GPL, NuSphere lost the right to redistribute when they violated #3 by not providing the source code originally. The FSF will testify tomorrow in court, according to this Newsforge article." Newsforge and Slashdot are both part of OSDN. We've done a couple of previous stories about the MySQL AB vs. Nusphere conflict: the original story, a follow-up, and a note about a countersuit. Update: 02/26 21:15 GMT by T : bkuhn (Bradley Kuhn of the Free Software Foundation) writes: "The FSF has a press release on the matter and affidavit that we filed is also available."

Isle writes: "GCC 3.0.4 has finally been released. As those who has tried the prereleases will know this version finally compiles a working version of aRts and thus compiles the entire KDE-suite. With the Linux kernel compiling already with the 3.0.3 version, gcc 3.0 now compiles all major projects I know of. Is it finally time to dump that good old 2.95?"

Dare Obasanjo contributed this followup to an article entitled The Myth of Open Source Security Revisited that appeared on the website kuro5hin. He writes: "The original article tackled the common misconception amongst users of Open Source Software(OSS) that OSS is a panacea when it comes to creating secure software. The article presented anecdotal evidence taken from an article written by John Viega, the original author of GNU Mailman, to illustrate its point. This article follows up the anecdotal evidence presented in the original paper by providing an analysis of similar software applications, their development methodology and the frequency of the discovery of security vulnerabilities." Read on below for his detailed analysis, especially relevant with the currency of security initiatives in the worlds of both open- and closed-source software.

The Myth of Open Source Security Revisited v2.0 The purpose of this article is to expose the fallacy of the belief in the "inherent security" of Open Source software and instead point to a truer means of ensuring the quality of the security of a piece software is high.

Apples, Oranges, Penguins and Daemons

When performing experiments to confirm a hypothesis on the effect of a particular variable on an event or observable occurence, it is common practice to utilize control groups. In an attempt to establish cause and effect in such experiments, one tries to hold all variables that may affect the outcome constant except for the variable that the experiment is interested in. Comparisons of the security of software created by Open Source processes and software produced in a proprietary manner have typically involved several variables besides development methodology.

A number of articles have been written that compare the security of Open Source development to proprietary development by comparing security vulnerabilities in Microsoft products to those in Open Source products. Noted Open Source pundit, Eric Raymond wrote an article on NewsForge where he compares Microsoft Windows and IIS to Linux, BSD and Apache. In the article, Eric Raymond states that Open Source development implies that "security holes will be infrequent, the compromises they cause will be relatively minor, and fixes will be rapidly developed and deployed." However, upon investigation it is disputable that Linux distributions have less frequent or more minor security vulnerabilities when compared to recent versions of Windows. In fact the belief in the inherent security of Open Source software over proprietary software seems to be the product of a single comparison, Apache versus Microsoft IIS.

There are a number of variables involved when one compares the security of software such as Microsoft Windows operating systems to Open Source UNIX-like operating systems including the disparity in their market share, the requirements and dispensations of their user base, and the differences in system design. To better compare the impact of source code licensing on the security of the software, it is wise to reduce the number of variables that will skew the conclusion. To this effect it is best to compare software with similar system design and user base than comparing software applications that are significantly distinct. The following section analyzes the frequency of the discovery of security vulnerabilities in UNIX-like operating systems including HP-UX, FreeBSD, RedHat Linux, OpenBSD, Solaris, Mandrake Linux, AIX and Debian GNU/Linux.

Security Vulnerability Face-Off

Below is a listing of UNIX and UNIX-like operating systems with the number of security vulnerabilities that were discovered in them in 2001 according to the Security Focus Vulnerability Archive. AIX 10 vulnerabilities[6 remote, 3 local, 1 both] Debian GNU/Linux 13 vulnerabilities[1 remote, 12 local] + 1 Linux kernel vulnerability[1 local] FreeBSD 24 vulnerabilities[12 remote, 9 local, 3 both] HP-UX 25 vulnerabilities[12 remote, 12 local, 1 both] Mandrake Linux 17 vulnerabilities[5 remote, 12 local] + 12 Linux kernel vulnerabilities[5 remote, 7 local] OpenBSD 13 vulnerabilities[7 remote, 5 local, 1 both] Red Hat Linux 28 vulnerabilities[5 remote, 22 local, 1 unknown] + 12 Linux kernel vulnerabilities[6 remote, 6 local] Solaris 38 vulnerabilities[14 remote, 22 local, 2 both] From the above listing one can infer that source licensing is not a primary factor in determining how prone to security flaws a software application will be. Specifically proprietary and Open Source UNIX family operating systems are represented on both the high and low ends of the frequency distribution.

Factors that have been known to influence the security and quality of a software application are practices such as code auditing (peer review), security-minded architecture design, strict software development practices that restrict certain dangerous programming constructs (e.g. using the str* or scanf* family of functions in C) and validation & verification of the design and implementation of the software. Also reducing the focus on deadlines and only shipping when the system the system is in a satisfactory state is important.

Both the Debian and OpenBSD projects exhibit many of the aforementioned characteristics which help explain why they are the Open Source UNIX operating systems with the best security record. Debian's track record is particularly impressive when one realizes that the Debian Potato consists of over 55 million lines of code (compared to RedHat's 30,000,000 lines of code).

The Road To Secure Software

Exploitable security vulnerabilities in a software application are typically evidence of bugs in the design or implementation of the application. Thus the process of writing secure software is an extension of the process behind writing robust, high quality software. Over the years a number of methodolgies have been developed to tackle the problem of producing high quality software in a repeatable manner within time and budgetary constraints. The most successful methodologies have typically involved using the following software quality assurance, validation and verification techniques; formal methods, code audits, design reviews, extensive testing and codified best practices.

1. Formal Methods: One can use formal proofs based on mathematical methods and rigor to verify the correctness of software algorithms. Tools for specifying software using formal techniques exist such as VDM and Z. Z (pronounced 'zed') is a formal specification notation based on set theory and first order predicate logic. VDM stands for "The Vienna Development Method" which consists of a specification language called VDM-SL, rules for data and operation refinement which allow one to establish links between abstract requirements specifications and detailed design specifications down to the level of code, and a proof theory in which rigorous arguments can be conducted about the properties of specified systems and the correctness of design decisions.The previous descriptions were taken from the Z FAQ and the VDM FAQ respectively. A comparison of both specification languages is available in the paper, Understanding the differences between VDM and Z by I.J. Hayes et al.
   
   
2. Code Audits: Reviews of source code by developers other than the author of the code are good ways to catch errors that may have been overlooked by the original developer. Source code audits can vary from informal reviews with little structure to formal code inspections or walkthroughs. Informal reviews typically involve the developer sending the reviewers source code or descriptions of the software for feedback on any bugs or design issues. A walkthrough involves the detailed examination of the source code of the software in question by one or more reviewers. An inspection is a formal process where a detailed examination of the source code is directed by reviewers who act in certain roles. A code inspection is directed by a "moderator", the source code is read by a "reader" and issues are documented by a "scribe".
   
   
3. Testing: The purpose of testing is to find failures. Unfortunately, no known software testing method can discover all possible failures that may occur in a faulty application and metrics to establish such details have not been forthcoming. Thus a correlation between the quality of a software application and the amount of testing it has endured is practically non-existent.
   
   There are various categories of tests including unit, component, system, integration, regression, black-box, and white-box tests. There is some overlap in the aforementioned mentioned testing categories.
   
   Unit testing involves testing small pieces of functionality of the application such as methods, functions or subroutines. In unit testing it is usual for other components that the software unit interacts with to be replaced with stubs or dummy methods. Component tests are similar to unit tests with the exception that dummmy and stub methods are replaced with the actual working versions. Integration testing involves testing related components that communicate with each other while system tests involve testing the entire system after it has been built. System testing is necessary even if extensive unit or component testing has occured because it is possible for seperate subroutines to work individually but fail when invoked sequentialy due to side effects or some error in programmer logic. Regression testing involves the process of ensuring that modifications to a software module, component or system have not introduced errors into the software. A lack of sufficient regression testing is one of the reasons why certain software patches break components that worked prior to installation of the patch.
   
   Black-box testing also called functional testing or specification testing test the behavior of the component or system without requiring knowledge of the internal structure of the software. Black-box testing is typically used to test that software meets its functional requirements. White-box testing also called structural or clear-box testing involves tests that utilize knowledge of the internal structure of the software. White-box testing is useful in ensuring that certain statements in the program are excercised and errors discovered. The existence of code coverage tools aid in discovering what percentages of a system are being excercised by the tests.
   
   More information on testing can be found at the comp.software.testing FAQ .
   
   
4. Design Reviews: The architecture of a software application can be reviewed in a formal process called a design review. In design reviews the developers, domain experts and users examine that the design of the system meets the requirements and that it contains no significant flaws of omission or commission before implementation occurs.
   
   
5. Codified Best Practices: Some programming languages have libraries or language features that are prone to abuse and are thus prohibited in certain disciplined software projects. Functions like strcpy, gets, and scanf in C are examples of library functions that are poorly designed and allow malicious individuals to use buffer overflows or format string attacks to exploit the security vulnerabilities exposed by using these functions. A number of platforms explicitly disallow gets especially since alternatives exist. Programming guidelines for such as those written by Peter Galvin in a Unix Insider article on designing secure software are used by development teams to reduce the likelihood of security vulnerabilities in software applications.

Projects such as the OpenBSD project that utilize most of the aforementioned techniques in developing software typically have a low incidence of security vulnerabilities.

Issues Preventing Development of Secure Open Source Software

One of the assumptions that is typically made about Open Source software is that the availability of source code translates to "peer review" of the software application. However, the anecdotal experience of a number of Open Source developers including John Viega belies this assumption.

The term "peer review" implies an extensive review of the source code of an application by competent parties. Many Open Source projects do not get peer reviewed for a number of reasons including

• complexity of code in addition to a lack of documentation makes it difficult for casual users to understand the code enough to give a proper review
  
  
• developers making improvements to the application typically focus only on the parts of the application that will affect the feature to be added instead of the whole system.
  
  
• ignorance of developers to security concerns.
  
  
• complacency in the belief that since the source is available that it is being reviewed by others.
  
  

Also the lack of interest in unglamorous tasks like documentation and testing amongst Open Source contributors adversely affects quality of the software. However, all of these issues can and are solved in projects with a disciplined software development process, clearly defined roles for the contributers and a semi-structured leadership hierarchy.

Benefits of Open Source to Security-Conscious Users

Despite the fact that source licensing and source code availability are not indicators of the security of a software application, there is still a significant benefit of Open Source to some users concerned about security. Open Source allows experts to audit their software options before making a choice and also in some cases to make improvements without waiting for fixes from the vendor or source code maintainer.

One should note that there are constraints on the feasibility of users auditing the software based on the complexity and size of the code base. For instance, it is unlikely that a user who wants to make a choice of using Linux as a web server for a personal homepage will scrutinize the TCP/IP stack code.

References

1. Frankl, Phylis et al. Choosing a Testing Method to Deliver Reliability. Proceedings of the 19th International Conference on Software Engineering, pp. 68--78, ACM Press, May 1997. < http://citeseer.nj.nec.com/frankl97choosing.html >
   
   
2. Hamlet, Dick. Software Quality, Software Process, and Software Testing. 1994. < http://citeseer.nj.nec.com/hamlet94software.html >
   
   
3. Hayes, I.J., C.B. Jones and J.E. Nicholls. Understanding the differences between VDM and Z. Technical Report UMCS-93-8-1, University of Manchester, Computer Science Dept., 1993. < http://citeseer.nj.nec.com/hayes93understanding.ht ml >
   
   
4. Miller, Todd C. and Theo De Raadt. strlcpy and strlcat - consistent, safe, string copy and concatenation. Proceedings of the 1999 USENIX Annual Technical Conference, FREENIX Track, June 1999. < http://www.usenix.org/events/usenix99/full_papers/ millert/millert_html/ >
   
   
5. Viega, John. The Myth of Open Source Security. Earthweb.com. < http://www.earthweb.com/article/0,,10455_626641,00 .html >
   
   
6. Gonzalez-Barona, Jesus M. et al. Counting Potatoes: The Size of Debian 2.2. < http://people.debian.org/~jgb/debian-counting/coun ting-potatoes/ >
   
   
7. Wheeler, David A. More Than A Gigabuck: Estimating GNU/Linux's Size. < http://www.counterpane.com/crypto-gram-0003.html >
   
   

Acknowledgements

The following people helped in proofreading this article and/or offering suggestions about content: Jon Beckham, Graham Keith Coleman, Chris Bradfield, and David Dagon. © 2002 Dare Obasanjo

An Anonymous Reader writes: "Jonas Oberg announced the launch of GNU-Friends, a news site for friends of the GNU Project based on the Kuro5hin Scoop-backend. GNU-Friends is intended to provide news from and by the Free Software community, especially such news that does not generally make it to onto other news channels. Also started with GNU-Friends is the Free Software Development Network. More info on how to join it can be found here."

An Anonymous Reader writes: "Jonas Oberg announced the launch of GNU-Friends, a news site for friends of the GNU Project based on the Kuro5hin Scoop-backend. GNU-Friends is intended to provide news from and by the Free Software community, especially such news that does not generally make it to onto other news channels. Also started with GNU-Friends is the Free Software Development Network. More info on how to join it can be found here."

bkuhn writes: "The FSF has released a draft version 1.2 of the the GNU Free Documentation License for comment by the Free Software community. Comments should be directed to <fdl-comments@fsf.org>."

bkuhn writes: "The FSF has released a draft version 1.2 of the the GNU Free Documentation License for comment by the Free Software community. Comments should be directed to <fdl-comments@fsf.org>."

GNU lover writes "National Advisory Council on Innovation in South Africa has issued a release concering the use of Open Source and the digital divide." The use of open source in the 3rd/2nd world is one way to get around licensing costs - at least more honest then pirating.

Linux World continues, and reports from the floor continue to roll in; below are some more tidbits on what was on the floor or announced at today's show. Notably absent this year (besides a whole raft of companies, like formerly large exhibitors like Penguin Computing, Oracle, VA Software and subsidiaries like OSDN) were the sort of toys that crystallized dot-com risk-taking. On the other hand, companies like IBM, HP and Compaq seem as gung-ho as ever, with all sorts of info on how large customers will save (favorite trade-show words) Real Money with free software, and the dot-org booths where a lot of the show's spirit lives are happily sharing their projects' visions and toys.

wo1verin3 writes: "Trivia for geeks... and nerds. Or rather geeks vs nerds. Read about the contest of the people with oddly and randomly shaped heads here." This site also links to MoC chrisd's page of questions and answers.

abel wisman submitted news that GNU Bayonne and PreViking have merged into a single project, which will keep the name GNU Bayonne. Not familiar with either? Bayonne is a telephony application server, and PreViking is a telephony-switching daemon, both of which are open source. David Sugar of the Bayonne project also demonstrated an automated web-based callback system used to provide callbacks to form-based online queries. The newly combined Bayonne / PreViking teams will also be working on www.phonestreamer.com, built on top of GStreamer. The Bayonne booth at LinuxWorld offered booth visitors today free calls to anywhere in the world using these technologies.

red_gnom writes: "Linux is in the running to power the world's biggest computer, we learned this week at LinuxWorld Expo. A bid is being prepared to provide the computing power behind the US government sponsored Project Purple, which will pool a vast server farm to the three leading U.S. research labs, which is scheduled to come on stream by the end of 2004."

terrywin writes: "Apparently, the company that licensed Corel's Linux has indicated that the beta is now available. http://www.xandros.com/news.html, their home page has a link to the beta form. The last report I saw on this was back in September."

Finally, cnmill points to this story on CNET about today's announcement of version 1.1 of the Linux Standard Base. Congratulations!

jfonseca writes: "An article from Open Magazine claims the new Intel C/C++ compiler's geometric mean performance on multiple kernels compiled through it reached 47% improvement over GCC. They also predict the end to the ubiquitous GNU compiler due to low performance. Many other compiler/platform combinations also compared. A bit pretentious, yet an interesting read."

Fans of Vernor Vinge know that he's a computer scientist, now retired, and science fiction writer. An interview we linked to a few months ago does a good job of discussing some of his ideas about the Singularity, the point in time when humans create a machine intelligence that is smarter than we are. Vinge's novella True Names was written in 1981, and forecast many aspects of the internet of today. True Names and The Opening of the Cyberspace Frontier is an anthology of the True Names novella and several shorter articles by other technically-inclined folk. If you haven't read the original True Names, this book is worth it for that story alone. True Names and The Opening of the Cyberspace Frontier author Vernor Vinge; ed. by James Frenkel pages 352 publisher Tor rating 8/10 reviewer michael ISBN 0-312-86207-5 summary collection of articles by computer scientists predicting the future of the network

The history of this book is a little odd. It was supposed to be published several years ago, and was delayed for some reason, unknown to me. As a result, only the introduction to the book has been written recently - even the pieces that were intended to be extremely current are now rather painfully dated.

There's an old interview with Vinge where the interviewer draws out a number of Vinge's ideas about the modern internet and the Singularity. Vinge seems to have had it in hand when writing his introduction to True Names, and you can probably got a good idea of what he tried to convey in the anthology by reading the interview. If it sounds at all interesting, read on.

Vinge's central point is that cyberspace is extremely controllable, if and only if everyone's true names are known. That's the point brought out in the essay True Names, and it's a point that the other writers featured in the anthology agree upon. It's an incredibly insightful idea, one well worth spending some time pondering.

Let's look at some of the larger pieces included in the book. Timothy May, who is perhaps best known for his ranting posts about crypto anarchy, has a lengthy and astonishingly well-written essay titled "True Nyms and Crypto Anarchy". The essay reads as if an editor with a firm hand extracted most of May's characteristic wild-eyed prose and yet kept the insightful ideas behind it - if only all of his writing was like this essay. It's a great introduction to what May means by "crypto anarchy". May is one of the most optimistic writers in the book, and he, as well as the other writers, believe that we are at a fork: either we'll move toward a surveillance state, or toward what May calls an anarcho-capitalist state, but the middle ground is unstable - we'll end up at one extreme or the other. May believes we're already firmly on the road toward anarcho-crypto-utopia.

John M. Ford, who you may recognize as a science fiction writer, has a short story wondering what the machines will think of us.

Alex Wexelblat, computer scientist, has a powerful essay looking at the internet as a tool for surveillance and control. Written only a few years ago, many of his predictions are now fact.

Richard Stallman has his essay The Right to Read. Hopefully it will reach a larger audience on dead trees than in electronic form.

Leonard Foner has an essay covering the basics of the cryptography debate. It's geared to get newcomers up to speed and should do that adequately.

Chip Morningstar and F. Randall Farmer have a couple of essays about Habitat, a very early MUD sponsored by Lucasfilm. The essays have been published online; here's one of them and there's been plenty written about Habitat if you look. Excellent reading, brings out the challenges faced by any online community and simultaneously reminds you of the "good" old days (who here is paying by the hour for internet access today?).

And finally we come to True Names itself. Should be required reading in high school, IMHO. I won't discuss it much, either you've read it or you haven't, and if you haven't I'd rather you learn about it by reading it. If you don't want to buy the book, there are unauthorized electronic versions of the text floating around, but one way or another, read it, it's worth your time.

I'm going to go back now to Vinge's introduction. It bears quoting:

"It seems to me that it's still an open question whether computers and networks will help or hurt freedom--but this is one place where the most extreme scenarios are also the most plausible. I think we could easily go in the direction Tim May indicates, perhaps ending up with a world very like the one in Neal Stephenson's Diamond Age. On the other hand, there are the "Four Horsemen" that Tim, Alan, and Lenny remark upon. All four Horsemen are good excuses for the incremental tightening of regulation and enforcement (some being more effective with one constituency than another), but I think the "Terrorist Horseman" is the one that could shift our whole society toward strict controls. Just a few really ghastly terrorist incidents would be enough to cause a sea change in public opinion. It's not hard to imagine the entire country run the way airports were run in the late twentieth century. But there are worse nightmares: Imagine a government that mandated control of some part of each communicating microchip. In that case, the computing power of the Internet could be used for much tighter control than George Orwell described." -- Vernor Vinge, August 1999

Today the "Terrorist Horseman" is in full charge, whipping us toward ever-tighter controls. And Vinge's prediction is embodied in the countless initiatives to install Digital Rights Management and government surveillance in every computing device. And that is why, in the end, I gave the anthology less than a 10/10 rating. Although I know it was written before the most recent events which proved it so accurate, it feels dated, as if we've already run at top speed down the road to a Net filled with surveillance, where the government and the MPAA know everyone's True Name, and yet Vinge is behind the times in predicting it now.

You can purchase True Names at Fatbrain. Want to see your own review here? Read the review guidelines first, then use Slashdot's webform.

Pnet Guy writes: "Portable .NET is a component of the dotGNU meta project to provide a CLI (ECMA standard) platform for free software. The project true to its name runs on a variety of platform including Linux,Hurd and Cygwin GNU systems. To avoid any legal problems Pnet has decided to go the hard way and bootstrap our compiler off gcc. Unlike Mono which uses microsoft's runtime to run their compiler. Our premier developer Rhys Weatherly has contributed 254,423 lines written since Jan 1, 2001. Which amounts to about 5000 lines per week which is phenomenal for any programmer. He is dotGNU's one-man army. So join him in celebrating his quarter billion lines of his code." Update: 12/27 02:41 GMT by T : Note that as many readers have pointed out, that's just like the headline says -- a quarter million lines, rather than billion. Some related links to check out include the dotGNU home page, the Southern Storm Software (Rhys Weatherley's shop, with Portable .NET information), Mono's page and Pnet's CVS repository.

Guylhem writes "After the problems the LDP had with Debian rules, it seems clear we need an organization which would for example sort documentation between free (as "libre" or "freedom") and non free. After some discussions with people from the GNU project and the FSF, we came to the conclusion no such project already existed. I am please to announce that I am now starting the GNU Writing Movement with help from the GNU project. We will provide links to existing free documents, with a possibility to rate the documentation quality. The project is not competing with existing documentation project such as the LDP or GDP. It will complement them, both by serving somewhat as a meta-project for free software documentation, to provide help to authors willing to replace their FAQ or HOWTO will a full Guide on a specific topic, and to develop brand-new book-length material on many topics. " If you can't find a home for your documentation at an existing documentation project, and you agree with the philosophy of the GNU project, we can help you. Volunteers are welcome for the first phase of the project - cataloging existing free software documentation, rating it, and determining TODO lists for what needs to be documented.

Guylhem writes "After the problems the LDP had with Debian rules, it seems clear we need an organization which would for example sort documentation between free (as "libre" or "freedom") and non free. After some discussions with people from the GNU project and the FSF, we came to the conclusion no such project already existed. I am please to announce that I am now starting the GNU Writing Movement with help from the GNU project. We will provide links to existing free documents, with a possibility to rate the documentation quality. The project is not competing with existing documentation project such as the LDP or GDP. It will complement them, both by serving somewhat as a meta-project for free software documentation, to provide help to authors willing to replace their FAQ or HOWTO will a full Guide on a specific topic, and to develop brand-new book-length material on many topics. " If you can't find a home for your documentation at an existing documentation project, and you agree with the philosophy of the GNU project, we can help you. Volunteers are welcome for the first phase of the project - cataloging existing free software documentation, rating it, and determining TODO lists for what needs to be documented.

Josh Coalson asks: "I am the author of FLAC, an open-source lossless audio codec. The core of the project is a reference encoder/decoder library currently licensed under the LGPL. As the format grows more popular I am being been approached by third parties about implementation in proprietary hardware systems. This is natural and I don't have anything against it, but several people are voicing concerns that the LGPL is too strict for use in embedded systems. I want the codec to remain Free, but then again, wide adoption of a format makes it more useful to all users."

"More specifically, the nature of many embedded systems force them to be bound by the stringent requirements of Section 6 the LGPL. In some cases, dynamic linkage is not possible, ruling out 6(b), or causing the terms of the FLAC library to come into conflict with other proprietary libraries. In other cases, it simply is not possible to provide an environment, according to 6(a), where the user can re-link with a different copy of the library.

What are my options? I could stick to my guns, which might limit the adoption of the format, or change the license. I know Vorbis uses the BSD license, but I feel strongly about modifications that are useful for others going back into the free code base. Perhaps there is another middle-ground license that could preserve the Freedom of the code in these cases? Or maybe I am not interpreting the verbiage of the LGPL correctly? Can't I have my cake and eat it too?"

Warhammer writes: "In his web log today Tim O'Reilly responded to Stallman and Kuhn's essay, Freedom or Power (previous Slashdot article). I think he has some great points about not getting caught up in who has more of a right to freedom. Instead he says we should concentrate on a compromise that benefits everyone, developer and user alike."

Ed. note - a brief response to Tim. A) my name isn't Timothy. (I know, I know, we all look alike. :) And B) I was trying to say pretty much what O'Reilly is saying - that all licensing, including the GPL, is an expression of power over what other people can do with the software. Hence the term "all licensing". If there were no copyright whatsoever on computer code, no intellectual property considerations at all, perhaps we could approach the state of true freedom. In the meantime, the GPL is a good way to place code firmly into a state where it is mostly free - you are free to do anything with GPL code except take it out of its free state. As far as restrictions go, this one is infinitely more palatable than most of the powers that software licensing seeks to exercise over software users.

As a more general point, I take issue with O'Reilly's description of copyright law as a compromise between creators and users. There's absolutely no evidence that the rights of users are considered when copyright laws are made. All copyright law changes made in my lifetime, nearly all copyright law changes ever, have been expansions of copyright law - if it's a compromise, it's an extraordinarily one-sided one. (I suppose you could a describe a mugging as a compromise between the mugger and the little old lady over rights to her purse.) Copyright law is more accurately described as a compromise between copyright holders and copyright holders. Other descriptions are both inaccurate and do a disservice to efforts to reform the laws.

mpawlo writes: "As reported by Gnuheter, a new essay published by Bradley M. Kuhn and Richard M. Stallman carries the title "Freedom or Power?". The authors state something that we might have suspected from essays from Kuhn and Stallman before, but now is a little more clear, if still ambiguous: "However, one so-called freedom that we do not advocate is the "freedom to choose any license you want for software you write". We reject this because it is really a form of power, not a freedom." The essay is interesting in the light of an earlier essay published by Eric S Raymond. ... Tim O'Reilly started the debate with his weblog of July 28, 2001: My definition of freedom zero." Ed. note - FWIW, Stallman and Kuhn are right. Not necessarily in their advocacy of the GPL, but certainly in their description of whether licensing is freedom for the developer or power over others. All licensing stems from copyright law, a completely man-made creation whose sole purpose is to give the writer of creative works artificial power over what others do with those works. If you take the canonical description of freedom ("Your right to swing your fist ends where my nose begins") and apply it to software, it's pretty clear that true freedom would not let one person control what another does with software.

An Anonymous Coward writes: "One of the GNU/Hurd developers, Neal Walfield, was recently interviewed by KernelTrap. Nice read."

musicmaster writes "A couple of organisations that worry about too much copyright protection have organised an essay contest about intellectual property. This contest is meant as an alternative to a similar WIPO contest. The contest can be found at Wipout Among the participating organisations are Center for the public domain, the Register, the EFF and the GNU foundation."

Bryce Harrington writes "The GNU Bayonne project and the Open Source Development Lab... announced the availability of large-scale development and testing for GNU Bayonne through OSDL.

The facilities will be used to extend GNU Bayonne's digital telephony capabilities to support large-scale commercial enterprises and carrier-class telco applications. OSDL will initially provide four dedicated high-end servers equipped with a variety of digital telephony hardware.

Initial development at this facility will not only focus on extending GNU Bayonne to support large API applications, but also to test and demonstrate the project's clustering and distributed network call model. The Bayonne software will extend the use of Linux in high-end commercial voice telephony and provide GNU Bayonne services for the next-generation IP based telephony network."

WhyPanic writes "XOSL, the Extended Operating System Loader, is a free (as in beer and as in GPL), full featured, graphical boot loader that can work in conjunction with Lilo or separately to boot all varieties of Windows, Linux, and many other OS's." Nifty looking.

anotherworld writes: "GCC 3.0.2 is out. That's good news for me, since I am having trouble compiling the 2.4.13 kernel with 3.0.1 (internal error) AND 2.96 (under investigation)... so I can try a new one :) But where is that good old 2.95.x? I just can't find it at the moment! Really, well done guys!" The site says this is mostly a bugfix release, but if you need those particular bugfixes, please use one of the mirrors. And remember, they do take appreciation is cold, hard cash, too :)

anotherworld writes: "GCC 3.0.2 is out. That's good news for me, since I am having trouble compiling the 2.4.13 kernel with 3.0.1 (internal error) AND 2.96 (under investigation)... so I can try a new one :) But where is that good old 2.95.x? I just can't find it at the moment! Really, well done guys!" The site says this is mostly a bugfix release, but if you need those particular bugfixes, please use one of the mirrors. And remember, they do take appreciation is cold, hard cash, too :)

anotherworld writes: "GCC 3.0.2 is out. That's good news for me, since I am having trouble compiling the 2.4.13 kernel with 3.0.1 (internal error) AND 2.96 (under investigation)... so I can try a new one :) But where is that good old 2.95.x? I just can't find it at the moment! Really, well done guys!" The site says this is mostly a bugfix release, but if you need those particular bugfixes, please use one of the mirrors. And remember, they do take appreciation is cold, hard cash, too :)

Alex writes: "After a wait worthy of the Mozilla project, GNU Emacs 21 is finally released! Image support, colour syntax highlighting on terminals, nice scrollbars and tooltips, it's all there folks. Also, for the first time in it's long illustrious history (and a step forward for GNU Project development in general) it's now available via anonymous CVS on savannah. No more waiting a year for the latest features... Now all we need is a port to GTK/GNOME...." Other submitters point out that the changelog is available through CVS (this is a serious changelog!), and you might try the mirrors, or maybe some light reading while you download.

Alex writes: "After a wait worthy of the Mozilla project, GNU Emacs 21 is finally released! Image support, colour syntax highlighting on terminals, nice scrollbars and tooltips, it's all there folks. Also, for the first time in it's long illustrious history (and a step forward for GNU Project development in general) it's now available via anonymous CVS on savannah. No more waiting a year for the latest features... Now all we need is a port to GTK/GNOME...." Other submitters point out that the changelog is available through CVS (this is a serious changelog!), and you might try the mirrors, or maybe some light reading while you download.

Alex writes: "After a wait worthy of the Mozilla project, GNU Emacs 21 is finally released! Image support, colour syntax highlighting on terminals, nice scrollbars and tooltips, it's all there folks. Also, for the first time in it's long illustrious history (and a step forward for GNU Project development in general) it's now available via anonymous CVS on savannah. No more waiting a year for the latest features... Now all we need is a port to GTK/GNOME...." Other submitters point out that the changelog is available through CVS (this is a serious changelog!), and you might try the mirrors, or maybe some light reading while you download.

Alex writes: "After a wait worthy of the Mozilla project, GNU Emacs 21 is finally released! Image support, colour syntax highlighting on terminals, nice scrollbars and tooltips, it's all there folks. Also, for the first time in it's long illustrious history (and a step forward for GNU Project development in general) it's now available via anonymous CVS on savannah. No more waiting a year for the latest features... Now all we need is a port to GTK/GNOME...." Other submitters point out that the changelog is available through CVS (this is a serious changelog!), and you might try the mirrors, or maybe some light reading while you download.

Alex writes: "After a wait worthy of the Mozilla project, GNU Emacs 21 is finally released! Image support, colour syntax highlighting on terminals, nice scrollbars and tooltips, it's all there folks. Also, for the first time in it's long illustrious history (and a step forward for GNU Project development in general) it's now available via anonymous CVS on savannah. No more waiting a year for the latest features... Now all we need is a port to GTK/GNOME...." Other submitters point out that the changelog is available through CVS (this is a serious changelog!), and you might try the mirrors, or maybe some light reading while you download.

Alex writes: "After a wait worthy of the Mozilla project, GNU Emacs 21 is finally released! Image support, colour syntax highlighting on terminals, nice scrollbars and tooltips, it's all there folks. Also, for the first time in it's long illustrious history (and a step forward for GNU Project development in general) it's now available via anonymous CVS on savannah. No more waiting a year for the latest features... Now all we need is a port to GTK/GNOME...." Other submitters point out that the changelog is available through CVS (this is a serious changelog!), and you might try the mirrors, or maybe some light reading while you download.

Slashback brings you updates tonight on book reviews past, intentionally defective CDs, failing disk drives, and joining the HURD. Enjoy!

Spin control for some IBM drives? If you are one ofthe people who have the same results with IBM 75GXP hard drives that Sean Kelly did when he posed a recent Ask Slashdot, you may be interested in this report from legLess, who writes: "Pair Networks is swapping out every IBM 75GXP hard drive they have "[b]ased on an amazingly high failure rate." Pair is a big host: 114,000 sites all running on FreeBSD 4.1.1, including cdrom.com and Tom's Hardware. "We currently use and recommend Maxtor drives" they say. Big black eye for IBM."

GNU isn't Linux, either. Amid the stream of recent and upcoming software releases (Suse 7.3, Red Hat 7.2, Qt 3.0), it's sometimes easy for projects with smaller followings or more esoteric goals to get lost. BorrisYeltsin writes: "The Debian HURD iso images are now available from your local ftp.gnu.org mirror. There are 3 iso's available, so get downloading now!" (And read through the recent months' on the HURD Kernel Cousin too.)

Update: 10/16 14:20 GMT by T : Please note that the GNU Project maintains a list of ftp mirrors -- look for one local to you for best results all around :)

Placing warning signs along the road to consumerism brigc writes: "Good interview in the Chronicle of Higher Education with Jessica Litman about changes in the copyright arena since the publication of her book.

For those who were asleep, Litman's book 'Digital Copyright' does a good job of discussing why the copyright process got handed over to the industry and Congress has failed to protect the rights of the public."

Litman's book got a rave review from Michael a few months back; I suggest you check it out, and better yet ask you local library to put it up on display. Libraries have a strong vested interest in not ceding all control to copyright holders forever and ever amen.

It might pay to have a big fat mouth and ask for a refund on defective merchandise, too. anonicon writes: "Here's a heads up to the web site I'm running at http://www.fatchucks.com. I've started both a Corrupt CDs list for people who wish to report 'copy-protected' CDs or find out which ones they are, and an Indie Rec for people who want to recommend independent artists to the public. Thank you."

Slashback brings you updates tonight on book reviews past, intentionally defective CDs, failing disk drives, and joining the HURD. Enjoy!

Spin control for some IBM drives? If you are one ofthe people who have the same results with IBM 75GXP hard drives that Sean Kelly did when he posed a recent Ask Slashdot, you may be interested in this report from legLess, who writes: "Pair Networks is swapping out every IBM 75GXP hard drive they have "[b]ased on an amazingly high failure rate." Pair is a big host: 114,000 sites all running on FreeBSD 4.1.1, including cdrom.com and Tom's Hardware. "We currently use and recommend Maxtor drives" they say. Big black eye for IBM."

GNU isn't Linux, either. Amid the stream of recent and upcoming software releases (Suse 7.3, Red Hat 7.2, Qt 3.0), it's sometimes easy for projects with smaller followings or more esoteric goals to get lost. BorrisYeltsin writes: "The Debian HURD iso images are now available from your local ftp.gnu.org mirror. There are 3 iso's available, so get downloading now!" (And read through the recent months' on the HURD Kernel Cousin too.)

Update: 10/16 14:20 GMT by T : Please note that the GNU Project maintains a list of ftp mirrors -- look for one local to you for best results all around :)

Placing warning signs along the road to consumerism brigc writes: "Good interview in the Chronicle of Higher Education with Jessica Litman about changes in the copyright arena since the publication of her book.

For those who were asleep, Litman's book 'Digital Copyright' does a good job of discussing why the copyright process got handed over to the industry and Congress has failed to protect the rights of the public."

Litman's book got a rave review from Michael a few months back; I suggest you check it out, and better yet ask you local library to put it up on display. Libraries have a strong vested interest in not ceding all control to copyright holders forever and ever amen.

It might pay to have a big fat mouth and ask for a refund on defective merchandise, too. anonicon writes: "Here's a heads up to the web site I'm running at http://www.fatchucks.com. I've started both a Corrupt CDs list for people who wish to report 'copy-protected' CDs or find out which ones they are, and an Indie Rec for people who want to recommend independent artists to the public. Thank you."

jdavidb writes: "The GNU Project has a new essay today by Eben Moglen, general legal counsel for GNU, about enforcing the GPL. People ranting about the GPL not holding up in court should read this. Very interesting, but I felt that this paragraph looked bad: 'In such situations we work with organizations to establish GPL-compliance programs within their enterprises, led by senior managers who report to us, and directly to their enterprises' managing boards, regularly.' I'm all for the GPL, but this sounds suspiciously like an Software Publishers' Association audit. On the other hand, circumstances of something like this would be completely different, i.e., illegally taking copyright privileges over software you didn't write, as opposed to illegally copying software." Actually, I also think they sound alike in certain ways, but that it makes sense -- since both are about unauthorized reproduction of software. I like the FSF's terms a lot more. Update: 09/18 19:53 PM GMT by T : As Dr. Nonsense points out, davidb "probably meant the dreaded audits by the Business Software Alliance," rather than the SPA.

jdavidb writes: "The GNU Project has a new essay today by Eben Moglen, general legal counsel for GNU, about enforcing the GPL. People ranting about the GPL not holding up in court should read this. Very interesting, but I felt that this paragraph looked bad: 'In such situations we work with organizations to establish GPL-compliance programs within their enterprises, led by senior managers who report to us, and directly to their enterprises' managing boards, regularly.' I'm all for the GPL, but this sounds suspiciously like an Software Publishers' Association audit. On the other hand, circumstances of something like this would be completely different, i.e., illegally taking copyright privileges over software you didn't write, as opposed to illegally copying software." Actually, I also think they sound alike in certain ways, but that it makes sense -- since both are about unauthorized reproduction of software. I like the FSF's terms a lot more. Update: 09/18 19:53 PM GMT by T : As Dr. Nonsense points out, davidb "probably meant the dreaded audits by the Business Software Alliance," rather than the SPA.

Hobart noted that Richard Stallman has written a very well said piece on the civil liberties that we will no doubt be deprived of following the recent terrorist attacks on the US. I know RMS takes a lot of heat for being out there sometimes, but this is a really well said bit and worth a read. Thousands dead, millions deprived of civil liberties? By Richard Stallman

The worst damage from many nerve injuries is secondary -- it happens in the hours after the initial trauma, as the body's reaction to the damage kills more nerve cells. Researchers are beginning to discover ways to prevent this secondary damage and reduce the eventual harm.

If we are not careful, the deadly attacks on New York and Washington will lead to far worse secondary damage, if the U.S. Congress adopts "preventive measures" that take away the freedom that America stands for.

I'm not talking about searches at airports here. Searches of people or baggage for weapons, as long as they check only for weapons and keep no records about you if you have no weapons, are just an inconvenience; they do not endanger civil liberties. What I am worried about is massive surveillance of all aspects of life: of our phone calls, of our email, and of our physical movements.

These measures are likely to be recommended regardless of whether they would be effective for their stated purpose. An executive of a company developing face recognition software is said to be telling reporters that widespread deployment of face-recognizing computerized cameras would have prevented the attacks. The September 15 New York Times cites a congressman who is advocating this "solution." Given that the human face recognition performed by the check-in agents did not keep the hijackers out, there is no reason to think that computer face recognition would help. But that won't stop the agencies that have always wanted to do more surveillance from pushing this plan now, and many other plans like it. To stop them will require public opposition.

Even more ominously, a proposal to require government back doors in encryption software has already appeared.

Meanwhile, Congress hurried to pass a resolution giving Bush unlimited power to use military force in retaliation for the attacks. Retaliation may be justified, if the perpetrators can be identified and carefully targeted, but Congress has a duty to scrutinize specific measures as they are proposed. Handing the president carte blanche in a moment of anger is exactly the mistake that led the United States into the Vietnam War.

Please let your elected representatives, and your unelected president, know that you don't want your civil liberties to become the terrorists' next victim. Don't wait -- the bills are already being written.

Copyright 2001 Richard Stallman

Verbatim copying and distribution of this entire article are permitted in any medium provided the copyright notice and this notice are preserved.

bkuhn writes "The FSF has issued an official statement on the GPL violation by RTLinux." nothign surprising here, basically they say that RTLinux is violating the GPL by not releasing the source to their Linux kernel mods, but since the FSF isn't the copyright holder, they can't do much about it. Now it's up to RTLinux to decide if they are gonna do the right thing or not.Update: 09/16 00:48 AM GMT by H : Please check out these comments for more information - it's not a source code violation, but a patent issue.

bkuhn writes "The FSF has issued an official statement on the GPL violation by RTLinux." nothign surprising here, basically they say that RTLinux is violating the GPL by not releasing the source to their Linux kernel mods, but since the FSF isn't the copyright holder, they can't do much about it. Now it's up to RTLinux to decide if they are gonna do the right thing or not.Update: 09/16 00:48 AM GMT by H : Please check out these comments for more information - it's not a source code violation, but a patent issue.

Remote writes: "Borland has a paper [.pdf] by William Roetzheim comparing development and maintenance costs of software development using Kylix and gcc. Bottom line is that applications written with gcc are twice as expensive (timewise) both to write and to maintain, and about 50% more expensive to document. The comparison was done using parametric modeling techniques but the author claims that his tool has 7% accuracy. While I don't do Pascal myself, I wonder if the same would apply after they port C++ Builder to Linux and compare it to something like KDevelop + gcc."

Borland sponsored and is distributing this study -- take it for what you will. Interested parties can still produce useful studies, and may even be in the best position for collecting this sort of data. But whether Kylix matches your development environment or licensing philosophy is up to you.

Proud to be unAustralian writes: "Australian IT reports that a landmark court ruling puts Internet publishers around the world on notice that they can be sued under Australia's strict defamation laws -- and effectively in any of the 190 nations where defamation proceedings can be brought." entrippy contributes a link to another article on the case running at The Age.

Reader Diabolus notes that "it is unlikely that this same success would have occurred under American law. This occurred despite the site being hosted in America. It seems that RMS' nightmare 'Harm from the Hague' has come to pass even before that treaty is signed."

Tonight's slashback with news of how you can help rebuild the foundations of the Internet (at least a small corner), more on slimming down the old Cathode Ray Tube, a new compiler which costs a bit more than GCC, and more.

Why not put 'em on Freenet while you're at it ... Imran Ghory writes: "Google has put out an appeal to get NetNews CDs (produced by Sterling Software and CD Publishing Corporation) which archived usenet between 1992 to 1995. Looks like Google is reviving Deja's idea of a total usenet archive."

This sounds like a worthy objective, worth rooting around for -- maybe they'll even give you a credit somewhere.

They know that of which they speak. Hot on the heels of the inexorable GCC project's 3.0.1 release, zealot (and a number of other people) wrote with the news that "Intel will release its latest compilers (the ones that optimize for P4 and can do some auto-vectorization of code) for Linux this Thursday. I'd love to see some performance numbers for compiled code on a P4 if anyone gets their hands on this ... maybe the autovectorization could help some gimp plugins speed up."

You cannot stop the chess updates Álvaro Begué writes: "Junior is the new World Micro Computer Chess Champion, Shredder won in the single processor category (five years in a row) and Goliath won the blitz tournament. Congratulations to all of them. Check out the official website."

Maybe the durned things will stick around forever. In addition to the IBM research on making ultra-slim CRT monitors, an Anonymous Coward points to another article on the future of CRTs: "This is a new technology that can integrate into existing production lines and can halve the depth of a CRT type tube. A TV normally 22 inches deep would be only 11 inches."