My experience has been the same. I donated $50 to Cyanogenmod a couple of years ago (FFS, they saved my buying a new phone!) and got a delighted email from Steve Kondik.
I used to assume the FOSS world would be supported like the Linux kernel is, but now I realize that many cool projects need a user-funded model. I choose a project to donate to weekly, as well as supporting gittip.com. It's not much (and I hope to increase it markedly one day), but I want to live in a world where Free hackers can just hack, and not stress about money.
Cheers, Rusty. BTW I've never used GNU LilyPond, but I'm delighted such a thing thrives. Do you take BTC?
Or, why don't writers/directors get all the attention? Even Sci Fi conventions seems to headline actors who played a part, rather than writers who created the part.
Is a great story so compelling that the line blurs and people fall in love with the puppets and ignore the puppet master?
Nope, this is a standard media beat up of the current govt. Not based in reality, uses vauge statistics in deliberately misleading manner.
Um, no, the 250,000 requests per year are government warrantless data requests; these include call data (who called whom, not contents), location data, and request header data (eg http, email: interestingly, I've not been able to find out which headers are included: links anyone?)
Obviously with this number of requests going on, the process isn't being vetted very well if at all. Certainly there aren't that many people in Australia under reasonable suspicion of criminal behaviour, so it's deeply concerning:(
One of my favourite geek charities is the Ada Initiative which provides resources and training for women in open source and open culture.
Needless to say, you should speak directly to any charity you're seriously considering; they'll often have good suggestions for how they money could be used.
No, assuming they did the same this release as last.
1) This information is on the website, not on the update itself. The update just tells you how to abort it. 2) When you buy a new game, the update is compulsory or you can't play the game you bought.
Nintendo screwed me with this (deleting my whole TP savefile because one slot was the TP hack) and I was livid. 40 hours of my gf's gameplay gone.
> Stop trying to replace C++ with a language that does not fulfill every aspect C++ covers.
Err, no (how did this get +5?) C++'s entire problem stems from the attempt to Be All Things. A far better approach is to design something that does one part of things well, and interoperates with C like everything else so you can glue stuff together.
They've subtracted, not added. This is the Right Thing to have done.
From reading the comments it seems most of the/. crowd are not the intended audience. This is not user documentation (that's in Documentation/lguest) but programmer documentation for those delving into the source, and it assumes some degree of famliarity with the Linux kernel too.
Sorry, the Age in this case is correct. The problem is that this exception does not say "if you're circumventing for non-infringment purposes you're OK", but "if a TPM has no copyright-protecting purpose you're OK". The TPM is always claimed to be "protecting a copyright", in which case you lose. The narrow case of modifying today's DVD players might be OK (assuming the court doesn't buy the "we need region code to protect copyright" which was claimed by copyright holders in the recent House of Reps Legal and Constitutional Affairs TPM hearings), but PS/2 modchipping is in trouble, as are just about any future technology. As long as it's under the same technological umbrella as something that "inhibits copyright infringement", copyright holders can place restrictions as they want.
Despite lobbying against such a legislative model for two years, we've ended up with this muddled law which is going to be decided by the High Court in around 7 years time.
> Without a DRM in place, we are capable of making as many copies of a piece of content as we want and > seeding it onto the net. How do you create a market for a product, and make money of a product that > has a huge initial creative investment, but then no manufacturing cost, and is in infinite supply?
You're making a gross assumption that noone will obey the law without draconian enforcement in place. There's little effective DRM in place today, and yet copyright-holding companies are making significant amounts of money, and have been for years. Broad casual copying != no profits.
It is possible that your assumption will become true in future. Copyright law gives significant legal protection in return for making your work available to the public. DRM attempts to override this bargain, by unilaterally adding restrictions on use. Perhaps the bargain will break down, as more and more people will feel they are not bound by it. The more copyright holders attempt to confiscate your property (movies, books and music you paid for), the less you are likely to respect their claims of property.
Companies continue to refuse to supply what customers want (convenient open format online purchases), instead relying on DRM to "solve" the problem of unlicenced competition. Yet this makes the unlicenced competition even more useful. It is not clear that increasing the legal barriers can cancel out the market effects of giving your customers what they don't want, but when you've had protectionism for long enough, you become addicted and convinced of entitlement.
What is clear is that there is significant erosion in respect for the law, and governments which are complicit in this cycle. This could well have effects far worse than kids swapping CDs.
But, as many people have pointed out, there's not much freeing in the agreement, in the sense of eliminating barriers to trade. Don't be fooled by the name.
What it does do, especially in areas like Chapter 17, is offer US companies the same protections here as it does in the US.
Linux Australia have been vigorously opposing, see my senate committee testimony for a good introduction:
http://linux.org.au/fta/testimony. Show your friends.
> If the government were to change their ideas of > what Australian business is and what our exposts > should be we could become a net exporter of IP.
No, that's crazy. The EU, US and Japan between them have about 50 times the population of Australia: we will always be a net importer of IP. Of course, this is ignoring the rest of the world, so it's an under-estimate.
I like Free Trade, but Chapter 17 of the FTA isn't it.
> Maybe now we'll actually get one of the few US copyright laws that are actually good...
No, we don't get any additional "home copying" or fair use rights. Mind you nothing in the treaty blocks us adding those, either (modulo normal DMCA concerns)
> Too bad he's such a dick about supporting the libiptc API.
I haven't touched that API in ages, but it's pretty horrible. This came up at the last netfilter summit, and it's becoming a big problem. Harald did some excellent work on his rework, but it's fundamentally trying to do two different things: support extensions which are in the kernel, and support the command language extensions required for iptables itself. This shows up clearly when you want to use it for something other than iptables.
> It's pretty confusing to use, and his asshole wit shows up in what little documentation there is.
*shrug* There's only so much you can do with documentation. What's needed is a rewrite: fortunately, Harald's plkttables looks promising, unfortunately, it's a long way off 8(. The documentation which is there is about writing extensions, not using the library directly.
As for the wit, I agree: it's not for everyone, and can make bad documentation worse.
As one of the current FHS editors, I guess I'd better make some response.
1) Replacing a handful of/bin directories with a massive path doesn't help, since the binary names can't clash anyway. And I have 1211 entries in/bin, but I have 561 packages installed (Debian unstable).
2) The GNU project has been pushing for a libexec/ dir for years: this would be where non-PATH binaries live (ie. obscure things only invoked by full path name, usually by other programs).
3) Al Viro once suggested altering shell semantics so that a filename with a / in it would still search the path, effectively giving another namespace, eg "gnome/hello --version" would not just search in "./gnome/" as it does now. For those with a passion about these things, this might be an interesting avenue to try.
Note: the FHS http://www.pathname.com/fhs is entering 2.3 discussions, and I imagine that libexec will be proposed again. This is your chance to make your voice heard (but read the latest draft first, especially the Purpose section).
Finally: remember that ALL standards stifle innovation, and that something radically different won't be compliant. That's FINE: there are no FHS police 8)
> um... wasn't the potential danger here obvious? I'm not trying to be insulting or
> anything, but this was hardly a subtle or complicated hole. "we want to introduce a
> way for the firewall to open and close ports on-the-fly, and in response to client
> actions, and requiring coordination between the firewall and various apps and
> daemons... hmmm what could go wrong with this?" And, what could go wrong is, the
> client might lie. omigod! who coulda thought of that!...
Here's what you missed: the client can already connect to machines behind the firewall, because it, too, is behind the firewall.
So, it can enable outside machines to connect directly. There's little added danger in that. But it's this "behind the firewall" thinking that lead to the error in the first place.
> so, my point is, if this one snuck through, do we have any sense that more subtle errors
> have not been made?
I guarantee there are other errors (20,000 lines of kernel code; you don't need to be a genius to figure out that there are bugs). A small subset of these will be exploitable in some way. A subset of these will expose *you* to something you didn't want.
Summary: if you have multiple networks behind your iptables packet filter (eg. a DMZ) and you use the ip_conntrack_ftp module (or you compiled it into your kernel) you should apply the simple patch, otherwise a breakin on one protected network can be used to allow probes on the other protected network.
OK, so what happened? The connection tracking code in 2.4 (ip_conntrack) can be extended to understand complex protocols, like FTP (ip_conntrack_ftp). When it sees an FTP server or client say "for the data, connect to 1.2.3.4 port 56" it remembers it, and when that connection comes in, it classifies the packet as "RELATED", not "NEW" (as packets creating new connections are normally marked). Most packet filter setups simply allow all RELATED packets.
Of course, my original code only set up this "expectation" if the ftp server gave its own IP address in that "connect here" message. However, one early user, Enrico Scholtz, had a setup where the FTP server REALLY DID use a different IP address for the data connection. After some thought, I allowed it: you can allow arbitrary connections to be marked RELATED, but only from inside a network already.
The problem is that if you are using a single box to connect your DMZ, your internal network, and the outside world, and someone breaks into the DMZ, they can use a machine there (if you allow any FTP to or from those machines) to tell the firewall to expect a connection from the outside to the internal network, giving you access to probe your internal network.
The patch provided (by James Morris) in the posting simply stops returns to ignoring an FTP server or client which says to connect on a different IP from the one it is on. In some form, it will be in 2.4.4.
FYI, I was travelling while this broke, and the Netfilter Core Team handled the issue with great aplomb. Kudos to them!
> Does the length of the line/spiral represent the length of the function ?
Hi!
Well, look at analyze_function.lex, which does this breakdown; it's basically a line of length 1 per "statement" (the output of this is sent to data2ps, which randomly jitters the angle).
1) This does not generate a call graph. It is a static rendering of all the functions in the.c files of the kernel.
2) Yes, the images correspond to the code: forks represent if and switch() statements, circles cover the code within them. Also, code with asm statements, inline, etc are `hairier' (look in the architectures). So, a big star is either a big switch or an if...else if...else if..... If it's inside a circle, there's a loop around it. Two circles inside each other: nested loops. etc.
3) Why PostScript? For the 2.3.18 one I wanted to learn about PNG, so I did it in PNG. But I wanted people to be able to print out copies at home on small printers, so I wanted something scalable: 1GB PNG was not the answer. So I learnt PostScript and changed over to that; the `posterize' shell script lets you make an NxN poster for printing (I recommend >= 6x6).
4) cannot find -lfl
You need flex installed (or use lex and change the Makefile).
5) shopt: command not found
Run bash2, or remove the line:
shopt -s nullglob; for f in $(KERNEL_DIR)/$$d/*.c; do \
And replace it with these two (don't miss the trailing \'s!):
for f in $(KERNEL_DIR)/$$d/*.c; do \
if [ "$f" = "$(KERNEL_DIR)/$$d/*.c" ]; then continue; fi \
6) tempfile: command not found
Change the two occurrances of this (classify_nonstatics.sh and conglomerate_functions.sh) to:
TMPFILE=`mktemp ${TMPDIR:-/tmp}/$$.XXXXXX`
Please give feedback for these, and any other bug reports to rusty at my linuxcare.com.au address, and I'll release 2.4.0a soon...
Slashdot Mirror
My experience has been the same. I donated $50 to Cyanogenmod a couple of years ago (FFS, they saved my buying a new phone!) and got a delighted email from Steve Kondik.
I used to assume the FOSS world would be supported like the Linux kernel is, but now I realize that many cool projects need a user-funded model. I choose a project to donate to weekly, as well as supporting gittip.com. It's not much (and I hope to increase it markedly one day), but I want to live in a world where Free hackers can just hack, and not stress about money.
Cheers,
Rusty.
BTW I've never used GNU LilyPond, but I'm delighted such a thing thrives. Do you take BTC?
The article is well worth a read: hell, I've implemented RCU myself, and I learned by reading it.
Hope that helps!
Rusty.
Is a great story so compelling that the line blurs and people fall in love with the puppets and ignore the puppet master?
Confused,
Rusty.
Nope, this is a standard media beat up of the current govt. Not based in reality, uses vauge statistics in deliberately misleading manner.
Um, no, the 250,000 requests per year are government warrantless data requests; these include call data (who called whom, not contents), location data, and request header data (eg http, email: interestingly, I've not been able to find out which headers are included: links anyone?)
Obviously with this number of requests going on, the process isn't being vetted very well if at all. Certainly there aren't that many people in Australia under reasonable suspicion of criminal behaviour, so it's deeply concerning :(
Cheers,
Rusty.
One of my favourite geek charities is the Ada Initiative which provides resources and training for women in open source and open culture.
Needless to say, you should speak directly to any charity you're seriously considering; they'll often have good suggestions for how they money could be used.
Good luck!
Rusty.
Ballarat: http://lcaunderthestars.org.au/
Looking forward to it!
Rusty.
No, assuming they did the same this release as last.
1) This information is on the website, not on the update itself. The update just tells you how to abort it.
2) When you buy a new game, the update is compulsory or you can't play the game you bought.
Nintendo screwed me with this (deleting my whole TP savefile because one slot was the TP hack) and I was livid. 40 hours of my gf's gameplay gone.
Rusty.
> Stop trying to replace C++ with a language that does not fulfill every aspect C++ covers.
Err, no (how did this get +5?) C++'s entire problem stems from the attempt to Be All Things. A far better approach is to design something that does one part of things well, and interoperates with C like everything else so you can glue stuff together.
They've subtracted, not added. This is the Right Thing to have done.
Rusty.
Hey, I'm glad you liked it.
/. crowd are not the intended audience. This is not user documentation (that's in Documentation/lguest) but programmer documentation for those delving into the source, and it assumes some degree of famliarity with the Linux kernel too.
From reading the comments it seems most of the
Feedback welcome!
Rusty.
Sorry, the Age in this case is correct. The problem is that this exception does not say "if you're circumventing for non-infringment purposes you're OK", but "if a TPM has no copyright-protecting purpose you're OK". The TPM is always claimed to be "protecting a copyright", in which case you lose. The narrow case of modifying today's DVD players might be OK (assuming the court doesn't buy the "we need region code to protect copyright" which was claimed by copyright holders in the recent House of Reps Legal and Constitutional Affairs TPM hearings), but PS/2 modchipping is in trouble, as are just about any future technology. As long as it's under the same technological umbrella as something that "inhibits copyright infringement", copyright holders can place restrictions as they want.
Despite lobbying against such a legislative model for two years, we've ended up with this muddled law which is going to be decided by the High Court in around 7 years time.
Rusty.
> Without a DRM in place, we are capable of making as many copies of a piece of content as we want and
> seeding it onto the net. How do you create a market for a product, and make money of a product that
> has a huge initial creative investment, but then no manufacturing cost, and is in infinite supply?
You're making a gross assumption that noone will obey the law without draconian enforcement in place. There's little effective DRM in place today, and yet copyright-holding companies are making significant amounts of money, and have been for years. Broad casual copying != no profits.
It is possible that your assumption will become true in future. Copyright law gives significant legal protection in return for making your work available to the public. DRM attempts to override this bargain, by unilaterally adding restrictions on use. Perhaps the bargain will break down, as more and more people will feel they are not bound by it. The more copyright holders attempt to confiscate your property (movies, books and music you paid for), the less you are likely to respect their claims of property.
Companies continue to refuse to supply what customers want (convenient open format online purchases), instead relying on DRM to "solve" the problem of unlicenced competition. Yet this makes the unlicenced competition even more useful. It is not clear that increasing the legal barriers can cancel out the market effects of giving your customers what they don't want, but when you've had protectionism for long enough, you become addicted and convinced of entitlement.
What is clear is that there is significant erosion in respect for the law, and governments which are complicit in this cycle. This could well have effects far worse than kids swapping CDs.
Rusty.
Yes, free trade is great.
But, as many people have pointed out, there's not much freeing in the agreement, in the sense of eliminating barriers to trade. Don't be fooled by the name.
What it does do, especially in areas like Chapter 17, is offer US companies the same protections here as it does in the US.
Hope that clarifies,
Rusty.
Also, send letters and sign the petition.
Please help.
Rusty.
> If the government were to change their ideas of
> what Australian business is and what our exposts
> should be we could become a net exporter of IP.
No, that's crazy. The EU, US and Japan between them have about 50 times the population of Australia: we will always be a net importer of IP. Of course, this is ignoring the rest of the world, so it's an under-estimate.
I like Free Trade, but Chapter 17 of the FTA isn't it.
> Maybe now we'll actually get one of the few US copyright laws that are actually good...
No, we don't get any additional "home copying" or fair use rights. Mind you nothing in the treaty blocks us adding those, either (modulo normal DMCA concerns)
Sorry.,.
Rusty.
> Too bad he's such a dick about supporting the libiptc API.
I haven't touched that API in ages, but it's pretty horrible. This came up at the last netfilter summit, and it's becoming a big problem. Harald did some excellent work on his rework, but it's fundamentally trying to do two different things: support extensions which are in the kernel, and support the command language extensions required for iptables itself. This shows up clearly when you want to use it for something other than iptables.
> It's pretty confusing to use, and his asshole wit shows up in what little documentation there is.
*shrug* There's only so much you can do with documentation. What's needed is a rewrite: fortunately, Harald's plkttables looks promising, unfortunately, it's a long way off 8(. The documentation which is there is about writing extensions, not using the library directly.
As for the wit, I agree: it's not for everyone, and can make bad documentation worse.
Cheers,
Rusty.
We didn't invite an O/S KDE people. And, of course, we have a list of all the people who didn't show up at the conference.
You are lying.
Rusty,
Heh...
HEY! Wait a minute!
I *knew* I'd never live down that linux.conf.au talk 8(
As one of the current FHS editors, I guess I'd better make some response.
/bin directories with a massive path doesn't help, since the binary names can't clash anyway. And I have 1211 entries in /bin, but I have 561 packages installed (Debian unstable).
1) Replacing a handful of
2) The GNU project has been pushing for a libexec/ dir for years: this would be where non-PATH binaries live (ie. obscure things only invoked by full path name, usually by other programs).
3) Al Viro once suggested altering shell semantics so that a filename with a / in it would still search the path, effectively giving another namespace, eg "gnome/hello --version" would not just search in "./gnome/" as it does now. For those with a passion about these things, this might be an interesting avenue to try.
Note: the FHS http://www.pathname.com/fhs is entering 2.3 discussions, and I imagine that libexec will be proposed again. This is your chance to make your voice heard (but read the latest draft first, especially the Purpose section).
Finally: remember that ALL standards stifle innovation, and that something radically different won't be compliant. That's FINE: there are no FHS police 8)
Cheers!
Rusty.
I'm not sure if there's an official WIP slot: you could certainly do a BoF, or go the whole hog and submit a talk...
Rusty.
> um... wasn't the potential danger here obvious? I'm not trying to be insulting or
> anything, but this was hardly a subtle or complicated hole. "we want to introduce a
> way for the firewall to open and close ports on-the-fly, and in response to client
> actions, and requiring coordination between the firewall and various apps and
> daemons... hmmm what could go wrong with this?" And, what could go wrong is, the
> client might lie. omigod! who coulda thought of that!...
Here's what you missed: the client can already connect to machines behind the firewall, because it, too, is behind the firewall.
So, it can enable outside machines to connect directly. There's little added danger in that. But it's this "behind the firewall" thinking that lead to the error in the first place.
> so, my point is, if this one snuck through, do we have any sense that more subtle errors
> have not been made?
I guarantee there are other errors (20,000 lines of kernel code; you don't need to be a genius to figure out that there are bugs). A small subset of these will be exploitable in some way. A subset of these will expose *you* to something you didn't want.
Rusty.
Hi all,
Summary: if you have multiple networks behind your iptables packet filter (eg. a DMZ) and you use the ip_conntrack_ftp module (or you compiled it into your kernel) you should apply the simple patch, otherwise a breakin on one protected network can be used to allow probes on the other protected network.
OK, so what happened? The connection tracking code in 2.4 (ip_conntrack) can be extended to understand complex protocols, like FTP (ip_conntrack_ftp). When it sees an FTP server or client say "for the data, connect to 1.2.3.4 port 56" it remembers it, and when that connection comes in, it classifies the packet as "RELATED", not "NEW" (as packets creating new connections are normally marked). Most packet filter setups simply allow all RELATED packets.
Of course, my original code only set up this "expectation" if the ftp server gave its own IP address in that "connect here" message. However, one early user, Enrico Scholtz, had a setup where the FTP server REALLY DID use a different IP address for the data connection. After some thought, I allowed it: you can allow arbitrary connections to be marked RELATED, but only from inside a network already.
The problem is that if you are using a single box to connect your DMZ, your internal network, and the outside world, and someone breaks into the DMZ, they can use a machine there (if you allow any FTP to or from those machines) to tell the firewall to expect a connection from the outside to the internal network, giving you access to probe your internal network.
The patch provided (by James Morris) in the posting simply stops returns to ignoring an FTP server or client which says to connect on a different IP from the one it is on. In some form, it will be in 2.4.4.
FYI, I was travelling while this broke, and the Netfilter Core Team handled the issue with great aplomb. Kudos to them!
Hope that clarifies,
Rusty.
> Does the length of the line/spiral represent the length of the function ?
Hi!
Well, look at analyze_function.lex, which does this breakdown; it's basically a line of length 1 per "statement" (the output of this is sent to data2ps, which randomly jitters the angle).
Hope that helps,
Rusty.
> Can we please have an assembly version so it takes 1/2 hour and not 1/2 day? :(
That would be wrong. It could be done in a 1/2 hour by using a much less naive system, and allowing it to be parallelized better.
I was optimizing for *my* time, not yours 8)
Rusty.
Hi all,
.c files of the kernel.
1) This does not generate a call graph. It is a static rendering of all the functions in the
2) Yes, the images correspond to the code: forks represent if and switch() statements, circles cover the code within them. Also, code with asm statements, inline, etc are `hairier' (look in the architectures). So, a big star is either a big switch or an if...else if...else if..... If it's inside a circle, there's a loop around it. Two circles inside each other: nested loops. etc.
3) Why PostScript? For the 2.3.18 one I wanted to learn about PNG, so I did it in PNG. But I wanted people to be able to print out copies at home on small printers, so I wanted something scalable: 1GB PNG was not the answer. So I learnt PostScript and changed over to that; the `posterize' shell script lets you make an NxN poster for printing (I recommend >= 6x6).
4) cannot find -lfl
You need flex installed (or use lex and change the Makefile).
5) shopt: command not found
Run bash2, or remove the line:
shopt -s nullglob; for f in $(KERNEL_DIR)/$$d/*.c; do \
And replace it with these two (don't miss the trailing \'s!):
for f in $(KERNEL_DIR)/$$d/*.c; do \
if [ "$f" = "$(KERNEL_DIR)/$$d/*.c" ]; then continue; fi \
6) tempfile: command not found
Change the two occurrances of this (classify_nonstatics.sh and conglomerate_functions.sh) to:
TMPFILE=`mktemp ${TMPDIR:-/tmp}/$$.XXXXXX`
Please give feedback for these, and any other bug reports to rusty at my linuxcare.com.au address, and I'll release 2.4.0a soon...
Thanks!
Rusty.