As fond as I am of shell scripts (and I get a lot of crap from my perl loving friends for using bash too much!) the useful frameworks for making distros already exist. Linux/OSS/whatever doesn't need more ways of pushing software at people, we already have all of the best ones anyway! Money and resources could be far far better used in my opinion.
I personally do not expect a free lunch and in the decade I've been using Linux I have given back. Certainly not as much as some, but more than others. I am not a FSF stalwart though and I have no quarrel with anyone who wants to put a price tag on their software, just be up front about it and call it shareware, not Free Software.
My big bugbear here is the notion that in some way it is behoven upon users of Open/Free software to contribute back. All we can do is ask people to contribute, if they do not want to that is entirely their choice, if we wanted otherwise we should write it in our licenses. You can't call it Free software and then cough at people until they tip you!
I'm not going to argue that he shouldn't be paid, I'd be very happy to see a philanthropist fund Gentoo, they may well turn up interesting solutions to share with others. The market for distros is marked by them being pretty much all free, or having commercial aspects they use as leverage to charge for. Gentoo is an open source distro, architecture aside it isn't really that different to Fedora or Ubuntu, so why expect money for it? Robbins could have turned his doubtless talent to a field not already crammed to overflowing for his revenue source, surely? I see very active gentoo mailing lists and forums - that suggests to me that people are contributing back, and in a way that is far more useful to an open source project than money: effort.
My work is not relevant here, the code I produce is not open source thus I am not contributing anything, thus I require that I must be rewarded financially. Code I write on my time is Open Source and I hope it always will be, it's just not very exciting yet;) I will say though that I have encouraged the company to give back where possible because of the massive advantage open source has given us by integrating it throughout the company from a very early point in our growth. We try to purchase software from the people supporting key projects we rely on (including PHP, I've dumped a bunch of money at Zend for Studio because it rocks so much, as my weblog ought to suggest). If Mr Robbins had been offering a service of use to us I would have seriously looked at buying it.
I don't understand. You claim to have the skills, but can't get a job that pays you what you "deserve" for them. Why should anyone care about your FOSS contributions? If they don't know and understand what that means and how they can check up on it, it doesn't help them at all. If *you* want the job market to give *you* a job then *you* have to sort yourself out so *you* can get one.
Take a junior programming job that requires little/no experience, prove your mettle and advance quickly. That's the only way it's going to happen, you're not going to just get given a flashy job just because Linus and co managed it back when .coms had fucktons of cash and you are on sourceforge.
Or, you could keep thinking that you are owed more, keep whinging and most depressingly, keep installing security systems. Your *choice*.
People shouldn't just be given jobs because they work on something vaguely OSS related and need a job. That's nuts!
If he had something useful to contribute to RH or Novell I'm sure they would have hired him. Perhaps he didn't talk to them or maybe he didn't want to work for them at all.
It was Daniel that failed to make it work, the community is under no obligation to provide any finances - if he wanted to put such an obligation on them choosing open source was a bit of a mistake;)
I have to say that from what I've seen of ebuilds and the like, it's a seriously cheesy bunch of hacks that really have no place in anything that intends to use words like "money" or "professional";)
Why would a government fund something like Gentoo? There are distros out there that actually have paying customers, they are in a far better position to service any government needs than a bunch of whinging 15 year olds on a forum;)
You can't be bitter about this stuff though - everyone walks into Open Source development with their eyes open, if you then choose to feel that people owe you, or you deserved better; that's your problem. Your code is the contribution and the reward, anything else is a bonus imho.
Sorry to hear that namesys is having problems, I hope they get resolved soon.
Porn is already blocked en masse by corporate nonsense, but badly and in such a way that it blocks legitimate stuff. I know of some huge company firewalls/proxies that won't even let you get to hotornot, that's how much they filter.
The phrase "viral license" is dumb. Viruses are alive and they reproduce by destroying the host. GPL is a license you can choose to put on your work.
Nobody is forcing you to use GPL code, nobody is forcing you to modify GPL code, nobody is forcing you to write GPL code. If you choose to modify *AND DISTRIBUTE* a GPL program then you should be happy to put your modifications out too. If you're not happy with that, go with some code that's under a different license and modify/distribute that instead.
Porn sites don't like to be filtered? An awful lot of them ask people to confirm they are >18 and provide links to net filtering software for concerned parents. What porn sites don't want is lots of parents screaming about their kids seeing porn everywhere and demanding politicians do something that will hurt the porn industry.
As for your comments about their level of organisation, you should look into the link/banner exchange programs that run between all the partnerships and organisational groups, not to mention that many of the sites are the same companies. There are also a number of industry groups, many online communities for adult webmasters, etc. The internet is unmatched for helping diverse groups organise and they are a leading internet industry.... it's not rocket science;)
Here in the UK we have .me.uk which is for personal domains, but personally I think such TLDs are ugly and have a .net :)
If you can't make the thing work in WINE or similar, a very easy way (although probably not cheap) to do it that places very minimal load on the client would be to get a Windows server running Terminal Services, then you can have people connect to it with rdesktop (faster and less intensive than vnc, as well as allowing lots of sessions off a single machine). Slap a little profile on people and they'll just get the custom app when they run it, not a windows desktop, which would be confusing and lead to people doing work in the wrong place I suspect;)
I've been saying for ages that there should be a .xxx TLD, for the simple reason that you can block it really easily, so kids can be kept safer. The porn industry is quite organised from what I can see, they could probably be persuaded to move to .xxx en masse and then all the stupid logic based filtering systems can be slashed back to bare bones;)
My wireless Logitech Trackman Marble only needs cleaning quite rarely, it accumulates only a small amount of what I assume is dead skin type detritus around the beads that support the main ball. Since removing the ball just means grabbing it and pulling and cleaning the beads just means pulling your finger across them, I find it is typically easier than cleaning a mouse. Even my ball-less mouse still needs cleaning, the pads and cable collect dust from the table over time and get a bit crufty.
This is the point, unless they include every patch then it is unreasonable to bump the version number. It is also unreasonable to do so because it would violate Ubuntu policy regarding stable releases.
Ubuntu only release updates to a stable version if it is a security fix or an important bug fix and this would usually be by backporting a fix. I don't doubt that between 1.0.2 and 1.0.4 that has been all that has gone into firefox and in this specific case you could argue bumping the version would be ok, but I am talking about a more generic situation. Say that 1.0.5 changes a layout feature slightly to make it more correct, Ubuntu are probably not going to backport that, but will take the security bugs fixed by 1.0.5, so it would be unreasonable to rename their release 1.0.5.
This is a very tricky situation to resolve because there are many vendors here all trying to release off mozilla's work and stay in sync. It just seems a tad unthoughtful of their web admins not to recognise that older versions can be secure too.
I'm not at all convinced that it would be sane for Ubuntu to hack their firefox packages (which are 1.0.2 with security bugfixes) to say 1.0.4 when it very plainly is not 1.0.4.
Something that has irked me is that I can no longer use the official firefox extension type pages. I'm running ubuntu with firefox 1.0.2 and the later security patches are applied, but their pages still tell me I should be running 1.0.4. Pretty stupid imo.
Remote root vulnerabilities are rare because most things aren't running as root, but you probably have quite a wide footprint of daemon software running as a normal user, so there's a good chance there are vulnerabilities to be had there. Combine that with one of the regularly discovered local root exploits and you can do whatever you like.
I'm not saying this isn't a hole and that it shouldn't be fixed, but I am saying that you would need to be really very paranoid about your security to be taking notice of the potential for stealing your RSA keys through complex cache mathematics:)
Typical users do not need to fear this attack vector either. The steps involved are so convoluted and specific that you would never bother to use them. People will get in through a simple sploit as always and then use a local root sploit as always. Getting there is easier than this attack and once you are there you can just read the rsa key file, or read it from another process instead of trying to guess what it is from cache behaviours.
A good post. It reminded me of the fact that you can actually listen to the sounds the CPU is making (with suitably delicate equipment), or measure its magnetic field, etc. all of which will be leaking data about the operations going on inside it, so if you are going to be worried by HT you face a raft of issues and should buy a faraday cage and unhook from the internet;)
Have you investigated modifying Hylafax to do this? I am not familiar with the source, but I wouldn't imagine it would involve digging too deep if you know C++.
Is it a work thing? If so someone like ifax.com might well write you a patch for some dorrah.
I also meant to say that HylaFax presents a fair amount of API via a modified version of the FTP protocol, so it should be pretty easy to subclass a generic FTP class in C# and do quite a lot that way.
Get yourself a PRI card (PRI being a bunch of ISDN lines in a single cable) such as an Eicon Diva and run HylaFax. It is an extremely capable fax server and there are a bunch of clients for it for Windows. I run a HylaFax server at work, it's a 2GHz 1GB machine with a 30 channel diva card. Our peak load so far is a little under 3000 faxes sent and slightly more than 3000 received per week, which was handled with only 8 of the phone lines active. The various conversions between postscript and tiff are pretty quick, so the system load stayed pretty low. The machine was also doing database, email, intranet and dns duties at the peak point.
We don't actually use any of the client software, so I can't speak directly on those in any depth, but I believe they are quite numerous and vary in quality/price; instead we have a samba printer which is actually a shell script that converts the postscript received from windows into a tiff and feeds it to hylafax, extracting the destination fax number from a specially formatted string in the document (this is fantastically useful for batch sending reports and you can hide the ugly special string by colouring the font white;) At both the point of receiving a fax and that of sending a fax, control of all behaviour is handled with shell scripts and some awking. This means the server is pretty much infinitely flexible. You can get a service from the telecom provider (it may be included) that identifies the caller's number (if available) and the number they called (because you will probably have several aliased to the line). All of this information is available in the script, so you can get a bunch of cheap DID numbers on the line and give each dept or even each person a fax line, which will be identified by the script and any faxes sent to them will be emailed to them as pdfs, or printed to their printer, or (as we do) placed in a directory visible to a webserver and indexed in a database, so people can view their faxes online. That obviously required some external work, but it's a very simple sort of script to write, as are most of the things people want to do:) HylaFax also has an outstanding mailing list, with several very active and very helpful people. If that fails, you can throw a couple of hundred bucks at ifax.com for some of their time to fix it for you.
You do get the odd persistent offender of a crappy old fax machine that it just won't talk to, but there is a lot of tweaking you can do if you want, to try and work around this. We have a single manual fax line and machine for the situations when things simply will not talk to our card/hylafax, but I think it's less than 0.1% of our customers and I have done zero tweaking to work around it so far.
Originally we used a machine with 8 analogue modems hanging off it and it still coped very well, but the modems were easily confused and hung a lot, which is what pushed us to spend the money on a PRI card, but it was well worth it because the DSP modems on it never hang (or "wedge" in hylafax terms) so it requires almost no intervention from me for extended periods, which is ultimately the reason I like it so much. When you finish setting it up right, it Just Works[tm]
I think CUPS can broadcast its printers on a network, so that is easy. SMB stuff can be autodiscovered; I expect newer network printers are probably broadcasting UPnP too. USB can be autodetected. HP has a network scanner for installing their network printers, so that could be figured out if it hasn't been already. That only really leaves parallel printers, which are becoming less and less common; and that's most printers covered imho. Hell you could even scan bluetooth for printers:)
Hi
Interesting viewpoint, but a bit backwards.
It's not rocket science. Now stop with the FUD.
If that was in any way true, how is it that so much innovation comes from students at university who don't even have a fucking job?
Get real Larry, you're wrong.
http://forum.tobiasjung.net/showthread.php?fid=25&tid=93&old_block=0
I don't know about "breaking out" of a chroot, but 2.4.29 has local root vulnerabilities in it, e.g.: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1263 :)
You'll have a wastebasket full of marketing waste ;)
Asking a bunch of people who know about it is far better than asking a bunch of companies who want to sell it to you
The question is finding those people though. This guy chose to ask slashdot, so he might be screwed
I believe HylaFax is mostly C++ and I also believe that shouldn't be a problem ;)
I don't think that is necessarily all that hard.
I wouldn't wait, it's a great film :)