Here are a few (which apply to *BSD as well as Linux) -
/dev/random
tar with a z switch
a compiler included for no added cost
ssh included in the core distribution
Sure, these can be added on (unsupported) after installing a proprietary unix, but the fact that you need to install any of these is indicative of the situation.
Btw, there's an interesting article about her speech on the BBC's website. I noticed it over on LWN.Net earlier today. It was one of the few I've seen from the Consumer Electronics show that went much beyond "I saw shiny things. I drooled."
It's set up like bind4 was, but you've got the bind9 named.conf file instead of named.boot
One odd thing I noticed, though, was that on my nameservers, I needed to set the debug level to 3 or higher for answer requests (and submitted a bug report about it, etc)
Debian Planet has a news article pointing to an in-progress OSNews series of reviews:
http://debianplanet.org/node.php?id=1025 It focuses on the different Debian-based distributions.
I had the same problems with the 2-year release cycle. I'm convinced this is due to the core OS being held back from release while every random application with a critical bug is stabilized (the tail wagging the dog), and the apps should be decoupled a bit. That is, something like how FreeBSD does it with a solid core, and the add-ons in ports which is a separate tree.
From the review linked above, Libranet looks like it would be the best option for my purposes (from a technical standpoint, anyway - it even has XFree86 4.3!). It's $64 for the "Home/Small Office" version. It looks like there are some non-free components included, though.
The OpenBSD project isn't just working on amd64, they even wrote a song about it. :-)
Like other Barbarians before him, Puff has had to face some pretty crazy challenges.
This song is an allegory of the recent difficulties we went through dealing with Sun, who refused our request for documentation about their UltraSPARC III processors. We want documentation, because these are the fastest processors with a per-page eXecute bit in the MMU, needed to fully support our new W^X security feature.
In the meantime, the AMD Hammer has come onto the scene, and this processor supports an eXecute bit in 64-bit mode. And it is going to be faster...
My guess is the errata for this release were mostly due to closing off the community a bit. Last time I recall getting a release, MandrakeForum was still open to the public for discussion (now consolidated into members-only MandrakeClub), and had announcements, download links and discussions of bugs in the release candidate ISOs.
Mandrake also seems to have a strong "get it out the door" drive. For what it's worth, I'd rather have it ship with a few bugs (I didn't even notice any of the scary bugs on the original 9.2 CD) as long as they release in a timely fashion, then fix it within 2 weeks (as seems to be standard practice with Mandrake). Perhaps it would be better to have a release strategy to reflect this, though, so as to only release the fixed version for the packaged CDs (like the fixed release to deal with LG drives this time around).
Customisations within certain limits are OK. Like, installing more software through RPM, recompiling the kernel, editing services, setting up configuration and user accounts, but if, say, the user support guy depends on kudzu to tell your hardware, and you just uninstalled it, most probably you will be politely asked to reinstall it, no matter how much you hate it and don't want it in your system.
I don't know about Progeny support, but Red Hat support explained the scope of their Advanced Server support to me quite clearly: They will only support software shipped on their CD insofar as the problem was triggered by software shipped on their CD.
For instance, recompiling their Apache 1.3.x rpm, to set -DHARD_SERVER_LIMIT higher than their absurdly low compiled-in value of 256 to a higher value does not gain you support with the 2.4.9 kernel bug triggered by high values of MaxClients.
To provide any broader scope of support doesn't scale is what the rep told me.
My developers tend to want to run their web servers on port 80. I won't let them.
Why not? Because then they have to have root privs to start/stop the app.
No dice.
What's my solution?
Run the webserver on a high port (I tend to use 8000, but that's arbitrary)
That works great until someone hits a directory without a trailing slash, and Apache issues the redirect with port 8000 embedded, because that's the port its config file says it's running on.
A more elegant solution is to configure sudo to allow the non-sysadmin users who need to restart the webserver to be able to run sudo /usr/local/apache/bin/apachectl graceful (and/or restart/stop/start/startssl, etc)
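An added sketch of the sudo approach described in the comment above (not part of the original comment): a sudoers fragment that pins each permitted apachectl subcommand. The group name webdev and the file name are assumptions; the path and subcommands are the ones the comment names.

```sudoers
# /etc/sudoers.d/apachectl  (hypothetical file name; edit with: visudo -f <file>)
#
# Each entry lists the full path AND the exact argument, so sudo only
# matches these five invocations. A bare path with no arguments would
# allow any argument to be passed to apachectl.
Cmnd_Alias APACHECTL = /usr/local/apache/bin/apachectl graceful, \
                       /usr/local/apache/bin/apachectl restart,  \
                       /usr/local/apache/bin/apachectl stop,     \
                       /usr/local/apache/bin/apachectl start,    \
                       /usr/local/apache/bin/apachectl startssl

# "webdev" is an assumed Unix group holding the developers who need
# to bounce the server. They may run the alias as root and nothing else.
%webdev ALL = (root) APACHECTL

# Caveat: apachectl, the httpd binary, and every config file and module
# path httpd reads at startup must be owned by root and not writable by
# members of webdev. If they can edit what root executes or loads, this
# rule is equivalent to handing out full root.
```

Running visudo -c after installing the file checks the syntax, and sudo -l as a member of the group lists exactly what the rule grants.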
This sounds like another dot-com boom style situation in the making. It's easy to picture 10,000 half-baked but "looks good on paper" plans for the purpose of property speculation. eg., "We own mineral rights to this asteroid! But we'll gladly share them with Company B for half the take!"
In concise terms "less vendor lock-in". It's much easier to migrate from Linux to BSD than from Windows to anything. That means that if any of the other reasons cease to be true, there aren't loads of proprietary interfaces and data formats to migrate away from just to change operating systems.
Make the communication two-way. If the reception dish loses its lock on the power beam or if the transmitter loses its lock on the communication beam, the whole apparatus shuts off until it can be inspected.
That's a decent idea for a safeguard, but depending only on a system such as that comes off as a bit naive. The first time the controlling code (which of course was thoroughly tested, certified by a panel of experts, etc) hits an = instead of an ==, for instance, the off switch could be rendered completely useless. Then there are also the possibilities of that component melting and shorting or a third party making their own "ALL CLEAR" transmission to override the official mechanisms.
A fairly high-profile example of this was when (now defunct) ORBS announced that all of above.net was an open relay a few years ago (in response to above.net blocking network scans from ORBS). A mention of how it blocked the PHP mailing list is here.
6 months later, its proponents were telling people the same thing - "every entry was verified an open relay" (here)
Of course, these lists can be workable when combined with a system such as spamassassin, which uses them to weight whether or not a message might be spam, thus taking into account the too often power tripping and overreacting operators.
It must be frustrating playing whack-a-mole with spammers, but, slandering entire network service providers is wrong, too.
Remember the old adage: "be careful when you fight monsters lest you become one yourself"?
Or, how about "100 guilty men go free than for one innocent man to be put to death"? Just like with censorware, when people see legitimate sites and users suffering at the hands of the "protectors", it leads to wariness of placing much trust in these "protectors".
The qualifications of these "geeks" seem questionable. It sounds more like they had typical executives from technology companies (an IT executive at Time Inc., a former CTO, and an audio store owner) calling shots in their standard fashion:
1. Buy expensive things based on the brochures,
2. Yell when the standard lack of any due diligence or research left them in a jam,
3. Demand a bonus for staying on the sinking ship! / Get the geeks to come up with a workable interim kludge. -- omitted
However, in this case, they didn't have actual geeks to pick up any slack. And, they also were forced to omit their core competency of writing memos "We are excited to announce the strategic alliance with $VENDOR! We will be rolling out $BROKEN_PRODUCT beginning next month!"
I would like to know what warrants a RC release story on the front of Slashdot.
I'd say the rationale of announcing a first RC is along the lines of letting people who use Mandrake know they should start going out to test it, because the next release is almost ready.
The more -RC testers, the more system configurations it gets tested on, the more bugs reported (and hopefully fixed!) prior to release. I think Slashdot is doing its job nicely by reporting this.
Using Mandrake myself, I'll be happy just to get incremental upgrades on all the distro-bundled software I use (galeon, mozilla, OpenOffice, etc), regardless of whiz-bang new things.
Choosing something like Linux or BSD is a good thing, and choosing Sol for say 64bit machines is also good unless they intend on staying in a 32 bit world forever.
AMD has been selling their (32 and) 64-bit Opteron for a while now. Linux and BSD are both geared up to support this. Eg., NetBSD already has their amd64 port fully functional, and slated to ship in the next NetBSD release, FreeBSD has it running and supports it as a Tier 2 platform. Some Linux vendors have also promised support. There is even (shipping) support for Intel's 64-bit attempt. Granted, neither really qualifies as prime time today, but I'd bet on it happening quite sooner than when 'forever' rolls around. ;) Especially given the long history of supporting other 64-bit architectures such as Alpha.
Sun makes sense in certain applications (eg., the kind which need to be massively vertically scaled), but that's true regardless of whether the desktops and infrastructure are running free or proprietary software.
OpenBSD comes with a program called spamd, which, when a spammer is sent there, will respond to the effect of "temporary failure, keep that in your queue" -- after several minutes of displaying the message very slowly, character-by-character. The idea is that the spammer wastes several minutes per occurrence, and if a relay is used, it gets bogged down retrying "temporary failures".
Daniel Hartmeier (the guy who started OpenBSD's pf firewall) has an explanation of how this can be used in conjunction with filters such as spamassassin. Using this method, each time you get a spam, the spammer gets blacklisted to be directed to spamd the next time. It's documented at http://www.benzedrine.cx/relaydb.html -
Until, after several attempts, wasting both his queue space and socket handles for several days, he gives up. The resources I have to waste to do this are minimal.
If the sender is badly configured, an uncooperative recipient might actually delay his entire queue handling for several minutes each time he connects to the tarpit. And many spammers use badly configured open relays.
"I did think about them forking," Fleury said. "If they fork JBoss, that's another problem. If there's a new JBoss, if they fork it and call it JBoss I would sue them. There is only one version that we control."
So, a suit was only threatened in the case the forked version used the same name as the original (presumably on trademark grounds).
According to Pine's history page, pine was conceived in 1989. The GPL first got its name in 1988 as documented here, and the GNU Project was first announced in 1983.
Btw, as a Pine user, I can assure you that the license doesn't allow all the freedom I want. The primary system on which I use Pine runs Debian. Due to pine's non-free license (and, likely, the advent of mutt), Pine fell out of active maintenance by Debian. So, I have to fetch and build the source myself outside the package system instead of being able to apt-get security updates. Even prior to that, Debian switched to only distributing pine as a source package - apparently due to the Pine license change "clarifying" that distributing modified versions is forbidden.
I wouldn't go so far as to call the pine license Evil, but I think it is unfortunate. If there were a clone with the same interface, so as to not disrupt the long-time pine users on the system (including myself), I'd switch to it. As it stands, pine has about 7 years of finger memory going for it.
Nagios, which is the continuation of netsaint, requires you to specify in the host definition the time periods for which you want notification. Eg., you can have a period called 24x7, which is always, or officehours, which is only 8-5 Monday-Friday, etc.
No artificial intelligence or learning is involved in the system, but just specifying it does get the job done (and probably in a more straightforward and predictable way than a neural network or somesuch).
You're required to specify hours for contacts, as well. Eg., the on-call pager only gets messages outside of office hours, individual sysadmin pagers only get messages during office hours, etc. The contact settings are broken down by host and service, too, so, for instance, you can have it so the Oracle DBA won't get a page when a host goes down, but the unix admin will.
I've only been using nagios for a few weeks, but I've been really impressed with it. All the shortcomings I saw with other monitoring systems are fixed. The dependencies keep me from getting 20 pages when a router goes down. check_by_ssh allows me to have an individual key for each thing I want to check on a host (such as load), without running any additional daemons - and without giving the monitoring system a shell on the system. Events allow me to get information from the time of the alert - such as by running top on a host with high load, or traceroute for an abnormally high ping response time. Scheduled maintenance windows allow me to simply visit a web page, and set a maintenance time for something, and all the alarms don't go off during maintenance.
Inheritance in the template-based configuration files allows you to specify all the basics for a host or service in a single place, too, so you only need a few lines to specify the actual host or service to be checked. Since the host names can be separated by commas in the definition, it doesn't take lots of repetition for a number of similar machines.
In other words, I wouldn't call it low-end any more. :)
I just looked into the 22 code red hits one of my hosts has gotten from midnight to 9am today.
The results are:
5 down
14 reported as a Windows variant by nmap
2 unknown
1 Linux
I looked into the 2 unknown results a bit more. Both respond on port 80 with an IIS banner and ASPSESSIONID cookies. One of them has a Serv-U banner for ftp as well.
Interestingly, one of them (the one w/o Serv-U) is a .gov.cn site.
The Linux result answers on port 443 as a vulnerable version of Apache on someone's firewall in Italy. This is likely being used as a launchpad for attacks.
So, from what I gather, the bulk of the ongoing Code Red attacks are from Windows machines with extremely negligent administrators.
I suspect in a large part, this is a housecleaning measure. Corporate environments tend to foster byzantine empires driven more by politics than by productivity. Each department manager fighting to get his budget as high as possible, each manager having his own team of sycophants operating at 5% efficiency while using politics to put a stranglehold on other teams.
The contracting houses aren't enmeshed in the corporate political structure, and offer project-based propositions rather than the typical corporate song and dance. Of course, an economic downturn is the perfect time to do this. When things are going well, "if it ain't broke, don't fix it". So, I'd consider this essentially as a corporate maintenance window. Soon, the limitations of outsourcing will rear their ugly heads eg., "oh, you want additional services beyond the contract? 5x the original cost!" which will spur the cycle onward.
Regarding technology-specific firms, I think that's another topic entirely. In point of the construction analogy, I think the analogue would be software libraries. But the creators of those need skilled people to keep those in order (think movie & image format display stuff)
If you mean in the fabless CPU company sense where a company gives a spec to an engineering company, I think that may end up as a net gain. That way, you get software design expertise concentrated with companies who know how to do that. Think: less hopelessly clueless managers calling shots on software projects, making every mistake in the book and dooming everything to failure through gross incompetence.
Of course, the same companies which would be doing the "design" would need to know a good deal about software to begin with, which brings us full circle to how things were previously: software companies writing commodity software and vertical applications. Internal teams doing specialized work because open-ended/emerging technology is typically not handled well by contracting.
I've never personally seen an IT outsourcing scenario that ended up well for the company doing the outsourcing. Typically this is because of changing business needs conflicting with the locked in contract with the services vendor.
Not surprisingly, Jack Valenti has apparently started a road tour to promote this legislation. Today, there's a column by him in the Wall Street Journal, where he pleads:
"Families deserve to have options to watch movies on the Net, legally, at their command."
Touching, isn't it?
Quite! Especially after having seen Cecil B. DeMented. "Family is just a dirty word for censorship!"
I had this happen on a couple occasions with a CGI navigation script on a real estate site.
Apparently some other sites' webmasters saw it, and decided to use it on their own sites. A few lines of code later, and anyone who used that feature on one of those sites was sent off to a porn site.
Both times the off-site referrer hits stopped coming in shortly after.
I can see it now: telecommuting receptionists.
Now you can have camgirls welcoming you to Megacorp, Inc:
"Have a seat in the vidconference room down the hall to the left. It's the Brady Bunch room. Feel free to get acquainted with the person on each monitor before the meeting starts.
"Oh, and if you liked your reception, how about buying something from my Wishlist? I take PayPal, too!"
And, then there's outsourcing... "The leadership team has decided it's in our strategic interest to outsource our camgirl receptionists. We've just signed a contract with Camwhores.com, the best-of-breed provider of camgirl services."
This is a sad day for me. I've been reading LWN since it started, and they have always had excellent reporting and editorial content.
Their long memories, digging deep enough to get at the meat of the stories and excellent security coverage for Linux & *BSD will be sorely missed.