IMHO, not the way Ubuntu sets it up by default. Blanket sudo is almost as much of a risk as running shells as root.
sudo should be used to give access to commands you trust yourself with. I don't see that Ubuntu has actually supported this idea at all, on Mandriva, rurpmi is available as a restricted version of urpmi, where no dangerous options are allowed (you can't accept unsigned packages, install local packages, force package installation without dependency checking etc.), specifically so it can be used relatively safely via sudo.
The other method Mandriva uses for providing access as root (natively, as evidenced by the password prompts when running Mandriva Control Center) is console_helper (which is what Fedora/Red Hat have traditionally used).
Apparently, nobody understands the big difference between temporarily elevating own privileges versus becoming another user (with everything that comes with that).
I am sure somewhere in Linux world the same technique exists, but I am not aware of it. Nor does my Ubuntu use it as far as I can see. As soon as I sudo, I become root. I don't want to become root, I just want to have root's power for a while.
It's called PolicyKit, and is the replacement for console_helper. It is shipped in Ubuntu, Fedora, OpenSUSE, Mandriva, but not necessarily well integrated into all the applications (yet).
During installation, you can add network media, and you could add the 'task-xfce' package to your installation list. Or, you could install (which will give you IceWM), and after installation, add network repos, and then install the 'task-xfce' package (e.g. 'urpmi task-xfce').
However, the Mandriva XFCE community team usually ships an XFCE live CD a few weeks after the release though... see devel/iso/contrib/2009.0 on any mirror (like http://mirrors.telkomsa.net/pub/linux/mandriva/devel/iso/contrib/2009.0/ ).
It's not just about "locking down" the desktop; this is quite easy in just about any OS, the real issue here is top-to-bottom manageability.
So yes, specific security requirements are part of that. Now say for example you want to push out the new OpenOffice to all of accounts department only...and assuming no deployment problems, sales, and R&D too.
For Red Hat, RHN will do this for you, though you probably want Satellite. For other distributions, other tools (e.g. Pulse for Mandriva).
Next, patching. Show me all machines that haven't patched $NameOfPatchHere you deployed to the company a few weeks after it was made available to the world (giving enough testing time to be sure there's no reports of anything breaking online first).
For Red Hat, RHN.
Next, branding. The company changes name; merges with another. You want all reference of $COMPANY_X changed to $COMPANY_Y; screensavers, wallpapers, etc, etc. Rebuilding each machine image isn't an option.
You could push a package out to do this, if you aren't using something like kiosktool (specific to KDE).
Next; security. You want to open an incoming port on every local firewall for a new teleconferencing system...but only for R&D.
RHN.
By default all non MS-AD ports are sealed off.
Windows AD does all of this in about 2 clicks per above need. Doesn't matter if you have 5 clients or 5000.
For the desktop cases not covered by RHN and/or packages etc., there is also support for storing KDE settings in LDAP... which, since KDE configuration is generic enough, can also be used to lock down settings. This feature is covered in this bug report, but Mandriva's KDE 3.5 packages had this feature included. The feature was slated for upstream inclusion for KDE4.2, but I'm not sure if it made it.
Mandriva has also been considering allowing msec configuration in LDAP, which would address firewall policies, permissions, and various other security-related non-desktop settings.
Sometime ask for permission to edit a config file for, say, a webserver to save the admin time. In fact, ask for vi permission because that's your favourite editor:
sudo vi /etc/httpd/httpd.conf
Password:
:sh
sh#
But, if you asked in my environment, I would give you access to edit your configuration file via sudoedit, which runs the editor as *your* user, not the privileged user:
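An audit check for the point made in the two comments above, as an added example that is not part of the original thread: it flags sudoers rules that run an interactive editor or pager as the target user (where an escape such as `:sh` yields a shell) and passes `sudoedit` rules. The user and group names, the sample policy and the short program list are constructed assumptions; only simple rules without aliases, line continuations or comma-separated runas lists are handled.

```sh
#!/bin/sh
# Constructed sample policy (hypothetical users and group, not from the thread).
SAMPLE_SUDOERS='
# constructed sample policy
alice    ALL = (root) /usr/bin/vi /etc/httpd/httpd.conf
bob      ALL = (root) sudoedit /etc/httpd/httpd.conf
%webteam ALL = (root) /usr/bin/less /var/log/httpd/error_log
carol    ALL = (root) /usr/sbin/apachectl configtest
dave     ALL = (root) NOPASSWD: /usr/bin/systemctl reload httpd, /usr/bin/vim /etc/hosts
'

# audit_sudoers: read sudoers-style rules on stdin and print one line per
# command that starts a program with a built-in shell escape.
audit_sudoers() {
    while IFS= read -r line; do
        # Skip blanks, comments, Defaults and alias definitions.
        case $line in
            ''|'#'*|Defaults*|*_Alias*) continue ;;
        esac
        who=${line%%[[:space:]]*}      # first field: user or %group
        spec=${line#*=}                # everything after "hosts ="
        # A rule may list several commands separated by commas.
        printf '%s\n' "$spec" | tr ',' '\n' | while IFS= read -r cmd; do
            # Drop leading blanks, a "(runas)" prefix and tags such as NOPASSWD:
            cmd=$(printf '%s' "$cmd" |
                sed -E 's/^[[:space:]]*(\([^)]*\)[[:space:]]*)?([A-Z_]+:[[:space:]]*)*//')
            prog=${cmd%%[[:space:]]*}  # command path without its arguments
            # Illustrative, non-exhaustive list of programs that can spawn a shell.
            case ${prog##*/} in
                vi|vim|view|ex|ed|nano|emacs|less|more|man)
                    printf 'shell-escape-risk %s %s\n' "$who" "$prog" ;;
            esac
        done
    done
}

# Stand-alone run: report findings for the constructed policy.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

The `sudoedit` rule for bob is not flagged because the editor then runs as the invoking user on a temporary copy of the file.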
No, it does not. If you mean that there isn't an "Active Directory Wizard", that would depend what distribution you use, and you will need to do some tasks to populate the initial DIT (but there are scripts to do this, such as smbldap-initialize from smbldap-tools).
You will have to manage most maintenance tasks by hand, using tools like some Java LDAP UIs, which expose raw LDAP information to you.
Well, there is no standard tool that does everything everyone wants (not all people have the same needs in a directory server...), but smbldap-tools are decent command-line utilities, and a number of good web front-ends are available (lam etc.). If you set samba up correctly, you can use the Windows NT4 admin tools (User Manager for Domains, available for XP) to manage users.
You will not have an easy interface to 'create users'.
smbldap-useradd joe works just fine, or any of the tools mentioned above.
It does not take care of DNS. It does not do Kerberos.
It is quite easy to set bind up to use LDAP for reading DNS records, and Heimdal (and MIT since 1.6 I think) can use LDAP for retrieving Kerberos principals (from the same entries Samba etc. use).
If Windows is the only consideration, sure, a Windows server makes sense. However, you really seem to be stuck in 2001 with your descriptions of the options for people who need to consider other desktop operating systems.
The btrfs wiki has a link to some benchmarks which included ext3 and ext4 (and btrfs, but it's got a way to go still...), which show that ext4 is substantially faster than ext3 in a number of the workloads.
For this use case, this is probably about the most representative benchmark (but also one of those in which ext4 really shines), in which ext4 is about 75% faster than ext3.
If this was KDE4 with compositing... you should have used the beta Nvidia driver (as their previous ones have a bug with a specific operation KDE4 uses with compositing enabled). Some distributions (e.g. Mandriva) shipped the beta driver by default, to avoid this problem.
So, yes, this one is Nvidia's fault (no issue on Intel or ATI...).
That's not terribly "seamless", and breaks on a lot of hardware even to this day. With the last version of Xorg I tried, it'd hang if I tried to move to another X session.
This only ever happens on ATI cards with fglrx. Doesn't happen on Intel. Doesn't happen on Nvidia, with any of the available drivers. Doesn't happen on ATI cards supported by free drivers with the free driver.
Every machine I've ever seen this on, or seen it reported on, was an ATI card running fglrx. Nothing anyone but ATI can do about that, so place the blame elsewhere.
Ever work in a large environment? It's much easier to have one point of authentication and configuration. Do you want to deal with managing users (change passwords, disabled accounts, etc) on 8 different systems? I sure don't. Things will get forgotten, and accounts that should be disabled will not be.
Sure, but AD isn't the only solution to that, and Kerberos+LDAP+Samba (as the parent poster is using) is an adequate solution (and may be a superior one if you have more Unix to worry about than Windows).
Authorization - Nope, not there, unless you're going to run Kerberos as well.
Actually, LDAP *should* be used for authorization, and can be quite easily, with or without Kerberos...
Then you run into compatibility issues and integration nightmares.
Actually, my Heimdal KDCs integrate with my OpenLDAP server quite nicely, storing all their information in the directory server (in the same entries used for LDAP authorization and by samba). Also, my OpenLDAP servers will authenticate me against Kerberos (if I have a ticket). So, full circle integration...
Plus, you don't get any of the nice features of AD.
The question is whether you need them...
Group policy is great for managing lots of computers and rolling out settings.
Well, if you have Windows desktops to manage, then you would be using Samba (backed on your directory server) anyway, and you could use Group policy files (but, not GPOs). However, this isn't a deficiency in LDAP (the protocol) or any non-AD directory servers, but rather in Samba (which should be addressed in Samba4 which is in alpha now, but apparently quite usable), which is required to tie in all the non-LDAP or vendor-specific extensions MS has tied into their OS to make AD work for this.
For non-windows desktops, software management doesn't require GPOs really, and there are other systems for taking care of configuration (cfengine, puppet etc.).
Even after using KDE and their Kiosk tool, which can help you lock things down, I haven't found any out there that you can use that makes things easy.
Mandriva has some extensions to KDE to store KDE configuration in LDAP, and a GUI to manage the settings. AFAIK integrating it in upstream KDE is on the roadmap for KDE4 (4.2?).
Plus LDAP can be quite unwieldy. Have you ever built a forest across multiple geographic locations with LDAP?
I don't know what you mean by unwieldy, but I have no problems wielding my LDAP servers for a variety of different uses...
I don't know what the equivalent is to the AD forest terminology, but yes I have got geographically dispersed environments with one consistent LDAP directory.
What about multi-master replication?
As far as I know, AD doesn't have true multi-master replication, AFAIK usually one of the DCs for a domain is elected as the master by the other DCs (one for each purpose, so there is e.g. a Schema master as well).
Anyway, Netscape Directory server (now Sun Directory server, or Red Hat/Fedora Directory Server) has had multi-master replication for quite a long time.
OpenLDAP 2.4 has true N-way multi-master replication. I am running it (multi-master) on my personal machines (workstation at work, laptop, desktop at home) to allow me to have a working dispersed samba domain. However, our production LDAP infrastructure is way too important to have any of the risks inherent in any multi-master implementation, we use HA clusters for masters instead.
When last did you install Netbackup, Symantec Critical Server Protect, Veritas, Sun JES (and all its pieces) on Ubuntu? You haven't? Yes, this means that you aren't the target customer for the people who need problems solved.
Dolphin file manager looks drab and strangely cluttered
Most likely this is the only application-related one.
shallow implied 3D for tabs and other delimiters yet the OS X style scroll bars bulge out
Default theme.
The panel at the bottom caves in with greater depth than the background image
If I understand what you mean, this is a theme issue.
The simulated lighting model they're using to shade elements come from all over the place. I can count about 3 contradicting implied directional lights, from the panel to the icons to the widgets themselves.
Theme.
What is that Logitech logo doing in the top-right corner?
Easy access to adding plasmoids etc. It is part of plasma, and as such not visible over windows.
Those tiny minimise/maximise buttons look like they're from another universe entirely: not echoed in any other element on the desktop, least of all the stripey title bar.
kwin theme.
Right, so maybe if you actually tried it, you would be able to use something else than the default themes, and you wouldn't think it's a mish-mash...
The DNS server might be one of ten, fifty, hundreds, maybe more different servers that an admin has to care about.
We have over 200 servers. We patched the servers that have a running 'named' first.
The person deploying a machine might not have ANY clue whatsoever about the exact package configuration on a given machine.
They should not be doing a priority patch deployment on that machine then.
It might have even BEEN a caching DNS server previously!
Then the caching-nameserver package should have been removed.
The whole idea of a package that merely overwrites another package's primary configuration file is absolutely flawed.
It doesn't:
$ rpm -qf /etc/named.conf
file /etc/named.conf is not owned by any package
$ rpm -q bind
bind-9.2.4-28.0.1.el4
The two packages should be mutually exclusive.
That would require shipping the same binaries twice.
When a configuration file gets overwritten it's "you should have tested it outside of production first".
We applied the patches on production authoritative DNS servers first, but using up2date (not from RHN). All other servers were patched later using normal procedures. If we had had caching-nameserver installed anywhere, we would have seen the warning from rpm.
Now, I agree that sometimes RedHat should mark some files as %config(noreplace) instead of %config (/etc/issue is one that we have to deal with with a custom rpm that has a trigger on redhat-release just to put our security-policy-mandated banner back), but anyone who was caught by this really needs to review the process they use to deploy priority updates (for all platforms).
Most distributions adopted the Liberation fonts more than a year ago. At least Fedora and Mandriva did.
This really shouldn't be news, as the Debian license-police usually delay introduction of anything new with unnecessary (see links in article) license haggling.
As far as I can see, the exception on the liberation fonts makes the "software" more free, whereas the Tex csplain additional restriction makes the software less free (one of the freedoms is lost).
The GPL incompatibility is also moot, since no other software will be derived works (taking into account the first exception, stating that embedding of the fonts in a document does not constitute a derived work).
So, no, other distributions need not follow, Debian is playing catch-up.
At the moment the only significant consumer movement towards Linux is by people who want to save money and/or use low-end hardware.
I don't quite agree. For example, we sometimes get the opportunity to play games at the office. Most of the people in our office are running workstations with 2 dual-core opterons, and 4GB memory. No one (not even the network engineer) runs windows on their workstation. Even if someone did, it would be inconvenient to reboot (too many virtual machines running that need to be up etc.). So, when we can, we FPS on Linux.
Do we play commercial games? No. Why not? Because they are more difficult to get working than the open-source ones (e.g. getting counterstrike to run well under wine took about 8 hours of effort), and there's not much difference in game play. So, we play Americas Army (half an hour to get running), Assault Cube (10 minutes to get running), Open Arena (15 minutes) etc. Plus, they are available for more platforms than most commercial games (Mac OS X for the one person on a Mac Book Pro).
In the end, I don't believe Linux users will not play games, and most who would play games would probably be prepared to pay for a proprietary one, but the cost/benefit ratio has to be lower than open-source games to be viable. Now if game companies would release Linux binaries (whether they are well supported or not) for free, they might see more sales of their games (assuming the Linux binaries required the usual version of the game), without having to dedicate any real testing resources.
Anyone here want to dl LIBC? Because that'll be necessary to alleviate any legal ambiguity regarding libc's usage even if the Linux people /say/ it's fine.
There are no ambiguities. Otherwise Oracle, IBM, BEA, CA, Veritas, EMC, Sun and many other vendors would not take chances shipping binaries linked to glibc (and usually, libstdc++ too).
At the office we play Americas Army from time to time. Some people play on RHEL5. Some on Fedora 7. Some on Mandriva 2008.0. Some on Ubuntu 7.10. Most of these distributions weren't tested with AA, or even around when the last binaries for Linux were shipped, yet they all work well. Even though some people in our office have strong opinions about distros, no-one pooh-poohed the idea of playing AA.
Secondly, there aren't necessarily any legal issues, most game frameworks are LGPL, which is liberal enough, and in most cases a commercial game would probably use a game engine they've licensed already (and the libraries they link to are liberal enough, which is why proprietary software can exist for Linux).
Too late. If one spam gets out, their SMTP servers may be blacklisted, meaning your (and many others') mail going through that server will be rejected.
Don't block and filter my computer because Joe Idiot has malware.
It depends how they are doing it (details available are too sketchy), but if an ISP spam filters outbound mail to ensure that my legit mail gets through, I'm all for it.
Cut him off and make it his responsibility to clean his property.
This typically costs too much, and would only be done if someone successfully gets SPAM through filters (e.g. if the user resulted in a blacklisting or blacklisting warning).
If I had a spiking phone that was causing disruption to the telephone network they'd disconnect my phone not start filtering your phone conversations.
But, they might put surge protection on everyone's line, to prevent disruption (which in itself is too costly to other users to tolerate).
If my car was a defect I wouldn't be allowed to drive.
So, while it is, you should be allowed to violate traffic rules?
But both urpmi and yum fail at handling source code package. You have to download them and compile with rpm --rebuild.
If you have the source repos enabled, you can use urpmi --install-src to download and install the srpm for you, and urpmi -s to install the build requires.
The thing is, if you're going to download an srpm, chances are you want to make some change to it. If not, why don't you install the available binary, or request a backport to be shipped?
For package maintainers, there's no benefit to being able to install from source... as in the end the package maintainer has to support the binaries, not just the source, and the existing package maintenance tools (repsys, mdvsys etc.) which allow easy use of the svn repo, submitting packages to the build cluster etc. allow for convenient package maintenance without ever seeing a SRPM.
While a "install the latest from cooker on my ancient install by recursively rebuilding the build requires" feature has been discussed in the past, it was instead decided to put more emphasis on backports, which (assuming popular packages are made available for at least the current stable release, in some cases a few releases back) satisfies what probably >90% of users wanted anyway.
Well, I believe many of the users who claim "Distro xxx taught me nothing, then I tried Gentoo" just didn't bother learning anything on distro xxx. It's not as if there is one Linux distro available where you are prevented from learning something. And while Gentoo users claim they learnt so much... most only know how to set USE flags, use emerge, and install a new kernel from source. Simply going through something like "Securing and Optimizing Linux" will teach you more on any distribution (not that I agree entirely with the contents myself).
Since I haven't used Gentoo myself (just helped many Gentoo users get it installed, or fixing some problem preventing them from using Gentoo, or setting up some specific feature), I may be biased, but I personally feel Gentoo is a waste of time.
Actually both of them suck, but sudo sucks less.
That's a bit of a rash statement.
I would consider getting the mini dual-arch CD.
Policies for running programs can be controlled via the sudoers file, using groups.
sudo can use policies stored in LDAP directly ...
2.4 does.
Maybe you need to assign a different ring-tone to your work numbers?
While Zimbra may not have actual document editors, document sharing and collaborative editing features are available.
Except you should be doing it against Kerberos ...
But, did you note the mention of "ISV"?
I'm using KDE 4.1, I don't see such ugly fonts.
So, I fail to see how this is a DE thing, as opposed to a distro thing ...
Thus, all your points are moot.
Well, if the IP was listed in a URLBL, rejecting the mail on that grounds would be valid. Without the IP, it's not possible to check this possibility.