Slashdot Mirror

they were the one major player unable to handle a necessary security task.

I don't know "unable" means in your world, but it my world, it means "not able to be done." Were they slower than others? Yes. Were they the last one? No. Depending on who you consider "a major player", they weren't the last. If you deal with servers, Redhat and Ubuntu also patched the same day. MS only patched 3 days before Apple.

• Ubuntu: September 9, 2011
• Apple OS X: September 9, 2011
• Redhat: September 9, 2011
• FreeBSD: September 6, 2011
• MS: September 6, 2011
• Google Chrome: September 5, 2011
• OpenBSD: August 31, 2011
• Mozilla: August 31, 2011
• Debian: August 31, 2011
• Android: no date
• iOS: no date
• WP7: no date
• BBM: no date

This is going to be a feature in Fedora 16 (it already works in earlier versions of Fedora, we're just polishing it). More screenshots.

You can also mount and modify virtual machines securely (including Windows VMs and VHDs), using libguestfs and guestmount.

Rich.

If only M$ didn't make it so difficult to change the RDP port...

Oh wait, it used to be difficult, but now its stupid easy: http://support.microsoft.com/kb/306759
Now they even have a program that does it for idiots -- what amazing customer service!
This is why I now respect Microsoft's operating systems - someone finds an exploit and they get vilified, so they have to work extra hard and put a lot of money into meeting a higher standard of criticism to keep a huge base of customers satisfied and using their OS.
They make "QA mistake" releases like Vista, and they turn around and outdo everyone win Win7 and 2008R2..... ....unlike the academic operating systems where often kernels and filesystems and distributions are released with statements given such as "ext4 is now a fully supported file system" http://centos.org/ with severe but not mentioned issues like https://bugzilla.redhat.com/show_bug.cgi?id=696545 but they are silently given a pass because technically its a WIP.
With hokey pokey dodgy insecure applications like the authentication-less/unencrypted NFS protocol or the openldap that sends passwords clear text over the wire still by default configuration, or I could go on and on... but I know this criticism (like the criticism mentioned above) will be ignored and treated like flame-bait...

VMware vSphere 5 supports virtual machines (VMs) that are up to four times more powerful than previous versions -- VMs can now be configured with up to 1 terabyte of memory and 32 virtual CPUs.

In Red Hat Enterprise Virtualization Beta 3 (yes, it's a beta, still...), based in KVM: supporting up to 128 logical CPUs and 2TB memory for hosts, and up to 64 vCPUs and 2TB memory for guests

http://listserv.fnal.gov/scripts/wa.exe?A2=ind1108&L=scientific-linux-users&T=0&P=30820

Hi,
I have loved all the years that I have been a developer and architect for Scientific Linux, but it is time for me to move on. I have accepted a job offer from Red Hat to work on their new openshift project. ( https://www.redhat.com/openshift/ )
My last day working for Fermilab, and on the Scientific Linux project will be September 2, 2011.

Thank you to everyone who has encouraged, thanked, and helped me over the past 8 years that I have worked on Scientific Linux. I have said it before, and I'll say it now, The Scientific Linux community is one of the best communities there is.

Troy

Duh; there is no box. But Fedora is up front about telling you that it is essentially the testing sandbox for Red Hat Enterprise linux. If you don't like bleeding edge, and you don't want to pay for RHEL, just use one of the clones; PUIAS, Scientific Linux, or CentOS. They are absolutely free and absolutely stable, with a long supported life, and are supported with security updates and bug fixes.

Sorry, that was meant to be zlib. And here is a bug report about rsync using an internal bundled version of zlib.

• XHTML, generated by some code I wrote, with hyperlinks and cross references and semantic markup in the code listings generated by clang for [Objective-]C[C++].

In the process of compiling this on Fedora 15, I raised bug 728744, and worked around those problems. The compilation of ETClassMirror.m failed with "incomplete implementation of class ‘ETClassMirror’ [-Werror]". I'm tempted to leave this for now, as this doesn't seem sufficient reason to learn Objective C, and I have other things to do.

What you're looking for i 'strlcpy()' (or on windows maybe 'strncpy_s()'). BSD has strlcpy(), I don't know why glibc (Linux) doesn't have it by default. Actually, I do sort of know: The glibc project leader doesn't like it: http://sources.redhat.com/ml/libc-alpha/2002-01/msg00002.html

Ulrich left it out because he either doesn't like the (BSD) people who came up with strlcpy() (http://www.gratisoft.us/todd/papers/strlcpy.html), or it is what he implies, that he is convinced it encourages lazy programming and causes unexpected failure modes if the programmer forgets that strlcpy() can truncate a string (well he literally says something else, but if he literally means what he says then he just plainly doesn't understand where source strings can come from in the real world).

Besides the fact that strlcpy() has a return value that indicates truncation, he (incorrectly) assumes that ignored truncation can only be bad. I say incorrectly, because there are plenty of cases where a string truncation by strlcpy() is no problem. One important one of them is when the source string is only too long for the buffer if it is either erroneous (and a truncated version of the string is not more problematic later on), or it is specially crafted to try to cause a buffer overflow.... Honestly, I think the missing strlcpy() in glibc is more about personalities than anything else. Oh well...

The irony is that, as a result, some (many?) programmers are now using strncpy() and assuming it does the same thing as strlcpy(), causing more problems than strlcpy() even could have caused in Ulrich's imagination.

The (in case of overflow) not NUL-terminating of strncpy() means the destination is not guaranteed a string. It clearly was not meant to have a string as destination, but just a buffer (that's what the man page says too btw). It's padding with zeros to prevent 'leakage' of previous data in the destination, in case later the destination buffer is forwarded/stored as a whole (not as a string).

I think the main problem with that funtion is its name, it does not do what the name implies. A better name would be memstrcpy(dst,src,count), because it really is a memcopy where the source is a string and the destination is a buffer (it will never read past the end of the source string but always write the entire destination buffer).

I wonder how many people don't have a clue about this. For example, even "{char buf[10]; strncpy(buf,something,9);}" is still not safe, because buf[9] is uninitialized and therefore not guaranteed to be NUL... If you want to use strncpy() and the destination buffer is later treated as a string, you really have to make sure yourself that the last char in your buffer is NUL. When you do use strncpy(), you can check afterwards if the string did fit (it's going to be NUL if it did, not NUL if it didn't), and take appropriate action... But that's a lot of code if you just want a string copy with length truncation, aka strlcpy()...

So what you are saying is Red Hat needs some sort of team that responds to security issues, something like a Red Hat Security Response Team that "makes sure that security issues found in Red Hat products and services are addressed." using a tool like KSplice.

The problem was that Flash was using overlapping memory areas on memcpy. This was a hidden problem in Flash but it was exposed by a glibc change on certain architectures (as noted at length in the bug you linked to). The glibc change was not wrong as far as the spec goes but it was definitely unhelpful to end users. In the end, the glibc devs made a change that means the different memcpy only kicks in for programs linked against newer versions glibc which seems a defensible stance.

Nice, it seems to have fixed this problem. Even though the main problem was actually in glibc.

This is pretty generally know if you've been following Java, but since you ask:

The Java Runtime license states:

"Software embedded in or bundled with industrial control systems, wireless mobile telephones, wireless handheld devices, kiosks, TV/STB, Blu-ray Disc devices, telematics and network control switching equipment, printers and storage management systems, and other related systems are excluded from this definition and not licensed under this Agreement."

As for the open source release, that's covered under the Java Language Spec patent grant.

That only covers fully-conforming versions, not sub or supersets.

http://en.swpat.org/wiki/Java_and_patents

It was Sun's intention to give Java away on the desktop, and charge for embedded use.

How about filing regular patents and refrain from enforcing them against others in the F/OSS community, just like Red Hat does?

Unfortunately that does require plenty of cash for litigation if a big corporation decides to challenge the patents anyway.

RHEL 6, ext4 only, enabled by mount option:

mount -t ext4 -o discard <device> <mountpoint>

linky

BTW, I've seen a couple of people insist that old browsers get backported security fixes. You might want to read RedHat's official policy on this:

For most products our default policy is to backport security fixes, but we do sometimes provide version updates for some packages after careful testing and analysis. These are likely to be packages that have no interaction with others, or those used by an end-user, such as web browsers and instant messaging clients.

It would be insanely difficult and dangerous to backport security fixes after the Firefox 3.5 and 3.6 codebases diverge significantly.

A little bit later than the video, but I tried RedHat (5.1 or 5.2? I can't remember) in the summer of 1997.

No, you didn't. Either your timing or your version numbering is a bit off. Timeline

Redhat doesn't charge for the software. They charge for the services and hardware they provide surrounding the software.

Not exactly true. They charge for commercial Cygwin usage: http://www.redhat.com/services/custom/cygwin/

January 6 through April 14. CentOS patches for version 5 were nonexistent.

Take a look at the RHEL watch list for the same period and compare.

https://www.redhat.com/archives/enterprise-watch-list/

There has been some strong criticism of the CentOS team recently and frankly, some of it is deserved.

Me, moderately annoyed by CentOS 6 not being out yet? Eh, not really.

The 5.6 boxes are running fine and will be for a few more years. RHEL5 doesn't exit the normal life cycle until March 31, 2014, and the extended life cycle runs until March 31, 2017. So we have until 2014 for regular patches and 2017 for critical security patches.

Which means that CentOS will still be shipping critical security patches until 2017 as well.

Oh... so you mean it's something like this and this.

Nope. Nothing like that at all. I believe you misunderstand what automation is about. It is not about controlling an application user interface. That is brittle and error prone. Rather, automation is about accessing and controlling the model of the application and performing the actions directly.

You can script objects of applications which were never designed with CLI scripting in mind.

Oh... so you mean it's something like this and this. And to think, I was all ready to be impressed.

libvirt maybe ? It is a library and tooling for handling all kinds of VM.

http://libvirt.org/
http://virt-manager.et.redhat.com/

Here is a list of applications:

http://libvirt.org/apps.html

Or maybe this ?:

http://community.abiquo.com/display/ABI17/Abiquo+Documentation+Home

RedHat Enterprise Linux 1, 2, 3 & 4 - all gone

Except that RHEL3 is still supported in its extended life cycle phase until October 31, 2013, and RHEL4 doesn't reach the end of its regular life cycle until February 29, 2012 - and then is in extended life cycle phase until February 28, 2015

Red Hat Enterprise Linux Life Cycle

Every major release of Red Hat Enterprise Linux is maintained and supported independently during the 10 year Life Cycle

But yeah - RHEL 2.1 reached EOL in mid-2009, so you're right about that - gone. There was no such thing as Red Hat Enterprise Linux 1, though.

RHEL is for production boxes not desktops

O rly?

Desktop
Self-support Subscription (1 year)$49

Maybe you should actually research these things before speaking? So as I said, I have to pay $49/year for RHEL desktop to get something even approaching what Microsoft gives for free so that it can be supported for around 7-8 years. Once you pass that threshold support costs go up even more. So for the same length of time I've run XP using RHEL desktop would have cost me 5x as much and I'd have to live with ancient versions of programs.

Find me a Linux distro that supports 10 year old versions, on the desktop.

These cowboys might I guess....

I love that the link goes to a 404 page... the fact is that MS is discontinuing support for a 10 year old version of an OS. No one else to my knowledge supports an OS as old as XP at the level Microsoft has since Vista and 7 were released. Don't get me wrong, I'll use RHEL or Ubuntu any day over XP or 7 for that matter... but credit is due when credit is due.

Missing trailing slash in the link, my mistake, this should work unless something is actively stripping them.

In relation to Microsoft, I wasn't making any comment about them at all - indeed they do deserve credit for the length of support of XP, I didn't say they weren't - the sole point of the reply to the OP was to respond to the directive "Find me a Linux distro that supports 10 year old versions" - which I attempted to do, however poorly.

If the link does not work again - here is a snippet which may be relevant.

"Every major release of Red Hat Enterprise Linux is maintained and supported independently during the 10 year Life Cycle."

Find me a Linux distro that supports 10 year old versions, on the desktop.

These cowboys might I guess....

I love that the link goes to a 404 page... the fact is that MS is discontinuing support for a 10 year old version of an OS. No one else to my knowledge supports an OS as old as XP at the level Microsoft has since Vista and 7 were released. Don't get me wrong, I'll use RHEL or Ubuntu any day over XP or 7 for that matter... but credit is due when credit is due.

Missing trailing slash in the link, my mistake, this should work unless something is actively stripping them.

In relation to Microsoft, I wasn't making any comment about them at all - indeed they do deserve credit for the length of support of XP, I didn't say they weren't - the sole point of the reply to the OP was to respond to the directive "Find me a Linux distro that supports 10 year old versions" - which I attempted to do, however poorly.

If the link does not work again - here is a snippet which may be relevant.

"Every major release of Red Hat Enterprise Linux is maintained and supported independently during the 10 year Life Cycle."

You'd be a fool to choose to depend on MS, just like you'd be a fool to rely on any single supplier... It's only good business sense to have backup options for anything thats remotely important.

RedHat release patches for 10 years (at least for paying customers): https://access.redhat.com/support/policy/updates/errata/

There are many differences however...

A linux distro contains far more software than windows does.
There are less reasons not to upgrade a linux system, new versions are free and your existing hardware is usually capable of running them with adequate performance.

On the other hand, there are plenty of linux based embedded devices running positively ancient versions of code, which are still being actively supported by the device vendors.

"True, but with free software, you choose on whom to depend."

Just like you can choose to depend on MS. BTW, which linux distro releases patches for 10 year old releases, I'm curious..

Answer: Red Hat Enterprise Linux
https://access.redhat.com/support/policy/updates/errata/

Let's look at Red Hat then. The closest I could find to XP (late 2001) time-wise, is Red Hat 6.2 (early 2000). Granted, this is a 2 minute googling job here, but a year give or take doesn't really matter as it turns out.

The latest patch I can find for that is from 2002. How much would Red Hat charge you to keep supporting a 13 year old distribution? Probably a helluva lot more than the XP license cost. Actually, it seems they don't maintain beyond 10 years, regardless of how much cash you might be willing to throw at them. And after 4 years the level of support starts diminishing. Not saying there's anything wrong with that, I find it perfectly reasonable.

Of course, one can argue that you can always hire a developer, if source code is available. Sure. But a decent developer would've charged you more than a new Windows license virtually before turning on their monitors.

The parent isn't spouting FUD, they're stating reality. Unless you created the piece of software yourself, you're always depending on the creator to maintain it. Even if the source code is available, the cost of picking up maintenance on it will usually be prohibitively high. Unless you think your time is worth nothing, this is still true even if you do it yourself.

Let's look at Red Hat then. The closest I could find to XP (late 2001) time-wise, is Red Hat 6.2 (early 2000). Granted, this is a 2 minute googling job here, but a year give or take doesn't really matter as it turns out.

The latest patch I can find for that is from 2002. How much would Red Hat charge you to keep supporting a 13 year old distribution? Probably a helluva lot more than the XP license cost. Actually, it seems they don't maintain beyond 10 years, regardless of how much cash you might be willing to throw at them. And after 4 years the level of support starts diminishing. Not saying there's anything wrong with that, I find it perfectly reasonable.

Of course, one can argue that you can always hire a developer, if source code is available. Sure. But a decent developer would've charged you more than a new Windows license virtually before turning on their monitors.

The parent isn't spouting FUD, they're stating reality. Unless you created the piece of software yourself, you're always depending on the creator to maintain it. Even if the source code is available, the cost of picking up maintenance on it will usually be prohibitively high. Unless you think your time is worth nothing, this is still true even if you do it yourself.

Find me a Linux distro that supports 10 year old versions, on the desktop.

These cowboys might I guess....

I love that the link goes to a 404 page... the fact is that MS is discontinuing support for a 10 year old version of an OS. No one else to my knowledge supports an OS as old as XP at the level Microsoft has since Vista and 7 were released. Don't get me wrong, I'll use RHEL or Ubuntu any day over XP or 7 for that matter... but credit is due when credit is due.

Find me a Linux distro that supports 10 year old versions, on the desktop.

These cowboys might I guess....

http://press.redhat.com/about/news/blog/commitment-to-open/ for the information right from the hacker's mouth.

Using gconf to set a default size in certain versions of GNOME Terminal is broken

I'd say "using gconf to set a default size in certain versions of GNOME Terminal would be a crock even if it weren't broken"; the moral equivalent in Mac OS X would be requiring that you use the defaults command, or the plist editor if you want a GUI, to set the default terminal size in Terminal.app.

but looking at the gnome-terminal 2.33.90 shows a "Use custom default terminal size" (yeah I know that page talks about Ubuntu but the option was there in a Fedora 15 Alpha live CD too). gnome-terminal 2.30 and peering at gnome-terminal's git suggests the option would have gone in around 2.31.

It looks as if they broke it while fixing another bug, and finally got around to putting it back. I don't remember the ability to set it ever being broken in Terminal.app (the UI for it changed when they did a rewrite). Unfortunately, I haven't yet freed up enough disk space to add an Ubuntu 10 VM on my Mac to my other N VMs.

But hey - Slashdot ain't a bug tracker so here might not have been the best place to ask (even if you did work at NetApp)... :)

I was really just snarking about the CLI-in-the-GUI on a non-OS X desktop environment.

Speaking of gnome-terminal, how the fuck do you set the default window size? In Terminal.app, you just resize and Shell -> Use Settings As Default.

Using gconf to set a default size in certain versions of GNOME Terminal is broken but looking at the gnome-terminal 2.33.90 shows a "Use custom default terminal size" (yeah I know that page talks about Ubuntu but the option was there in a Fedora 15 Alpha live CD too). gnome-terminal 2.30 and peering at gnome-terminal's git suggests the option would have gone in around 2.31.

But hey - Slashdot ain't a bug tracker so here might not have been the best place to ask (even if you did work at NetApp)... :)

If you round off their 2010 income numbers, subscription income totals to $639 million (85.3%), and training service income totals to $110 million (14.6%). That is all on page 40 of their 2010 Annual SEC (10-K) filing. The subscriptions had a 93% profit margin, and the training had a 36% profit margin this year. Which makes sense, I imagine training services cost quite a bit, you would probably have equipment and training material costs, as well as trainer's salaries. Then, at least some of the time, there would be travel and hotel costs incurred for the trainers themselves, anytime they are training groups.

According to page 48 of the same report, they spent $272 on sales and marketing, which the fancy training mailer pamphlets would fall under. However, that would also include expenses from sponsoring Open Source conferences under the same line item (its not all wasted on those fancy pamphlets).

Research and Development I imagine covers salaries for Kernel and subsystem developers. R&D costs total $148 million. Administrative costs were $104 million. According to the 10-K report, they have 3,000 employees globally.

Total operating expense for 2010 was $534 million, once you have tacked on taxes the Net income comes to $87 million.

There is a lot of boring stuff in SEC filings, most always something interesting to learn from them though. If you really want to find out what a company is all about, there are some interesting details, a lot of it is in there. It explains in brief detail what each line item in the Balance Sheets and Income Statements actually mean in mostly plain English. Plus, the executive summary gives you some insight into their management's frame of mind, business model, and strategies.

The legal analysis is here. The argument is basically that Bionic copied directly from the kernel, like this clever implementation of a byteswap. It's the cleverness that makes it copyrightable, whereas headers that only include defines used for interopt are not copyrightable. The glibc version of the same file is original; it doesn't come from the Linux kernel (at least I can't find it). So the problem is there may be original ideas that come from the linux code that got put into bionic. At the same time, it would be hard to argue that a program linking to a standard C library is a derivative work of that particular implementation. I believe such an argument would get laughed out of court.

Now, this guy is a lawyer, and he understands copyright law more than me, but his understanding of this particular issue is weak. The example given earlier, of the bytewaps, does not apply at all to any developers on ARM because that was x86 specific code.

His second argument is extremely weak. He says the API is also copyrightable (which is sometimes true), and that if it were not, someone could use it to re-implement a closed source version of Linux. Which is true, but it's a rather braindead thing to worry about: getting the API is not the hardest part of that (and indeed, BSD has a linux compatibility layer that responds correctly to the Linux APIs).

Does Red Hat own any software patents itself?

Yes. They even have a whole page about patents:

One defense against such misuse is to develop a corresponding portfolio of software patents for defensive purposes. Many software companies, both open source and proprietary, pursue this strategy. In the interests of our company and in an attempt to protect and promote the open source community, Red Hat has elected to adopt this same stance. We do so reluctantly because of the perceived inconsistency with our stance against software patents; however, prudence dictates this position.

At the same time, Red Hat will continue to maintain its position as an open source leader and dedicated participant in open source collaboration by extending the promise set forth below.

Redhat is ranked #1 in terms of code contribution to gnome http://www.redhat.com/about/news/prarchive/2010/gnome-desktop-project.html. Canonical - almost nothing. Those code contributions were made by paid devs. That's a lot more money than the amazon referral code will generate.

If have one of these problems also.

I'm not sure if this is your distro's bug, but one of mine involves Ubuntu's network-manager over WPAand I can barely remain connected since maverick; prior to that, there were serious problems in just handshaking.

At the time you posted, I was halfway through test-driving the recent KDE 4.6 after dumping Fedora back in 2009 or so. I still had to use my WPA-free network. Back in 2005 the problem was that distros didn't support your wireless card; laptops were fairly new at luring devs to support 'em out of the box. It seems wifi support on Linux is in a perpetual beta, akin to sounds issues that still sometimes resurface after 15 years of being an issue. Intel is working to release microcode to resolve some of the AGN problems.

There are no profitable desktop Linux desktop publishers.

So RedHat Enterprise Linux Desktop doesn't exist?

RedHat makes more profit than Ubuntu generates in revenue. All while contributing more than an order of magnitude more code to the development of linux than Ubuntu does.

According to RHEL CVE database RH distros are not vulnerable. "This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6."

It still pisses me off that Fedora Linux does not recognise "Edinburgh" as a capital when selecting the TZ during installation but it does recognise USA state capitals.

Have you raised a bug about it? Thought about submitting a patch? Or are you just going to stay getting angry about it?

I wish using ulimits was taken more seriously. For example I have to remove memory ulimits every time I start an sbcl or a java program: https://bugzilla.redhat.com/show_bug.cgi?id=568753 https://bugzilla.redhat.com/show_bug.cgi?id=510344

I wish using ulimits was taken more seriously. For example I have to remove memory ulimits every time I start an sbcl or a java program: https://bugzilla.redhat.com/show_bug.cgi?id=568753 https://bugzilla.redhat.com/show_bug.cgi?id=510344

I thought Red Hat and Canonical weren't paying this $0.02 for Fedora and Ubuntu because it went against their licensing policy. When did this change?

Ubuntu Advantage already includes patent licensing and indemnification from Canonical. They distribute MP3, H.264, and other patented technoliges from their repositories.

Red Hat also has a framework for the inclusion of patented technologies in RHEL..

I'm not saying Canonical and Red Hat include H.264 by default today with their distributions, but they easily can in the future for paying cusotmers. They currently skirt the issue by distributing codecs and other clearly patented stuff from restricted repositories and requiring manual steps to install, but that can change. We're talking a very minor percentage of the video eyeballs using one of these OS in any case.

I have been following this issue for awhile now which also affects CentOS 4 and CentOS 5. For setting up Linux firewall systems it can be a big security risk for interfaces to come up differently on a reboot. There are workarounds but an out of the box solution would surely make setting up firewalls easier on Linux.

The details are in the redhat bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=491432

I use the fix where you tell udev to ignore ethernet cards and let the normal modprobe.conf load the modules.

/etc/udev/rules.d/10-local.rules add the following:

SUBSYSTEM=="pci", SYSFS{class}=="0x020000", OPTIONS="ignore_device"

I think last year it was CentOS that got hit, not Fedora. Also, the nature of the attack was different and I believe some packages were compromised, or at least the repo signing keys.

It was Red Hat, wasn't it?

http://www.redhat.com/security/data/openssh-blacklist.html

http://www.redhat.com/virtualization/rhev/desktop/spice/
http://www.spicespace.org/

it's pretty aggressive. just found out about it a couple months ago. QEMU based. they're doing some cool stuff with virtual devices; qxl is their accelerated graphics driver for Linux & Windows, and is probably gonna end up taking over for NX client now that they're closed source. and yes, i am aware there is a difference between a remote desktop and vm.

interested to see how RHEL manufacture disk images for the individual clients; needing a dedicated disk image for each OS is pretty bogus, but fairly common practice.