Why don't you stop expecting Sun to release it and write a replacement for your_favourite_free_os? Free software doesn't exist because of scraps from the corporate table, but because people get off their arses and write good software.
Please tell me there is no patent on fractional distillation, this process is primary-school chemistry. Cryogenic extraction processes may be encumbered, but aren't those only used for natural gas?
SMP isn't just a bit of software that you can port from one OS to another. It touches just about every kernel internal and changes many assumptions on the way. That being said, the approach to implement SMP in OpenBSD (and some code) is being derived from NetBSD.
I respect Miguel, but I think he seriously underestimates the risk posed by MSFT's patents in this area. Quoth the article:
Microsoft has granted a license to use this technology under so-called "reasonable and non-discriminatory" terms.
"Reasonable and non-discriminatory" (RAND) does not imply "free". RAND was the proposed licensing requirement for W3C patents that was howled down by the community.
Given that MSFT is willing to finance SCO to use arguably illegal tactics to destabilise and discredit free software, who would expect that they are above enforcing a small fee for every patent needed to implement Mono? They needn't do this immediately, in fact it is in their interest to wait until the technology is widely adopted, so they can slug everyone at the same time. Note that the usual legal defences against "submarine patents" won't work either if the terms have been disclosed to be RAND all along.
I don't think that attendance at a voting station ever couple of years is too much to ask of citizens in return for all of the benefits of a healthy western democracy. Note that in Australia, only attendance is compolsory - it is legal to return an blank vote once you are there.
As to your fears of compolsory voting inducing politics to reach the "lowest common demoninator", I'd have to say that the US is far closer to that than Australia. We don't have the cruel and bitter personal attacks in mass-media political advertising, mudslinging and insinuation that seem characterise US politics. We certainly wouldn't get hung up about any political candidate's "war record" or lack thereof. (OTOH our capacity for cheap political stunts is up there with the best...)
Perhaps you should consider the converse: that the requirement of people to remain engaged with the democratic process causes them to care a little more about the outcome. It is not an option to merely opt-out and cynically consider politics a distant game, over which citizens can have no effect.
It is possible to build a useful and generic authentication system without dynamic loading.
OpenBSD and BSD/OS have one (bsd_auth) that exec()s small helper programs which implement the actual auth methods. These helpers speak a little protocol to the library via stdio.
The use of dynamic linking here is just lazyness on the part of people who would rather throw hidden complexity at problems rather than solving them through careful design.
Yes, PAM creates more problems through its complexity, poor specification and an absolutely shocking API than it solves. I wouldn't be at all surprised if this bug was in the PAM library or a module.
Don't believe me? Try writing a program that doesn't block during authentication. Try writing something cross-platform (there are at least three subtly different PAM implementations). Still not convinced? Have a look at the hoops that OpenSSH has jump through to work around this and other issues. Don't get me started on the busted config file that doesn't separate mechanism from policy or the stupid idea of dynamically loading modules in a security context....
I'm surprised that the major distributions haven't moved on to something more sane. It's good that that Slackware, at least, has demonstrated some critical thinking and has not just mindlessly followed the flock.
(disclaimer: I am an OpenSSH developer, very jaded for working with PAM for too long. OTOH, I'm not the only one)
No, often you just need numbers that meet statistical criteria of randomness (e.g. bias, spectral characteristics, etc). They don't even necessarily need to be unpredictable.
Cryptographic random numbers set the bar somewhat higher, in that they need to unpredictable too. It would be fatal for many applications if an attacker could guess the next few pseudorandom number given a little history.
E.g. a LCG is very predictable, but may be statistically random-looking enough for many applications.
To use *really* random numbers would condemn you to store quantities of real, physically-derived randomness large enough for whatever application you wanted. Alternately you could forego the repeatability that a pseudo-random number generator gives you.
These problems are pretty much solved for practical applications - there are incredibly fast non-cryptographic PRNGs and quite strong cryptographic PRNGs.
There is one that appears to be left out (from the summary, perhaps not from the book - I haven't read it): fix it everywhere.
Once you have found a bug, search the rest of your tree for similar bugs. Chances are that you will find and fix several. This is especially true of bugs caused by bad assumptions.
FYI: This is one of the central audit methodologies of the OpenBSD project. It works much better for the BSDs as they keep the entire system in one CVS tree, rather than scattering it around FTP servers in the forms of tarballs. The whole system is readily available to search for entire classes of bugs.
That is because Darren Reed was trolling - he changed his ipfilter license in a way that made it unacceptable to OpenBSD, so some OpenBSD developers wrote a better replacement.
Why else would he interpose himself into such a highly emotive debate and then go on to make stupid insinuations (read the thread). The people calling him "troll" are well aware of this history.
I don't think anyone praised ESR as a "father" of OSS. He'd like to pretend that he is, and goes to great effort to approrpriate credit is opportunistic ways (e.g. releasing the useless "comparator" tool that doesn't even detect simple search+replace). CatB was a reasonable essay, though and his documentation efforts are to be rightly lauded.
But, witness his unsubtle and ongoing recrafting of the Jargon File to suit his strange political proclivities. He would probably describe this as an attempt to "hack a social network", others would refer to it as cheap manipulation and abuse of one's position.
I chose free software leaders by what they *do*, not what they *say*.
A while back I Googled my credit card number for a laugh
You therefore send your credit card number, unencrypted, over the Internet. Along the way it would have probably been logged at a proxy cache and would have certainly been logged at Google. You sure are a trusting fellow.
"Strontium-90 was widely dispersed in the 1950s and 1960s in fall out from atmospheric testing of nuclear weapons."
and wonder why we aren't all dead or dying.
"widely dispersed" is not a quantitive term - so you can't go basing judgements off it. But consider the volume of the atmosphere (vast), the amount of fissile materials in the nuclear tests (way less than 1000 kilograms per test), the conversion rate of u-235/pu-240 into sr-90, the locations of the tests (remote, or over water) and the likely dispersal pattern.
BTW I suggest that you stop your poorly-informed ranting about the safety of nuclear power (which I personally *prefer* nuclear to burning fossil fuels). You aren't going to have any credibility to argue your position if you make factually incorrect statements, just because they sound nice.
Slashdot Mirror
Why don't you stop expecting Sun to release it and write a replacement for your_favourite_free_os? Free software doesn't exist because of scraps from the corporate table, but because people get off their arses and write good software.
...equipped with obvious and conveniently located self-destruct button.
He must have allowed Meryl to die if he got the invisibility cloak...
Please tell me there is no patent on fractional distillation, this process is primary-school chemistry. Cryogenic extraction processes may be encumbered, but aren't those only used for natural gas?
I bet that if you wait two months, there will be no such announcement.
Rubbish - please name a "serious vulnerability" for Bind 9?
SMP isn't just a bit of software that you can port from one OS to another. It touches just about every kernel internal and changes many assumptions on the way. That being said, the approach to implement SMP in OpenBSD (and some code) is being derived from NetBSD.
anonymous rant making accusations without references or evidence == troll
I respect Miguel, but I think he seriously underestimates the risk posed by MSFT's patents in this area. Quoth the article:
Microsoft has granted a license to use this technology under so-called "reasonable and non-discriminatory" terms.
"Reasonable and non-discriminatory" (RAND) does not imply "free". RAND was the proposed licensing requirement for W3C patents that was howled down by the community.
Given that MSFT is willing to finance SCO to use arguably illegal tactics to destabilise and discredit free software, who would expect that they are above enforcing a small fee for every patent needed to implement Mono? They needn't do this immediately, in fact it is in their interest to wait until the technology is widely adopted, so they can slug everyone at the same time. Note that the usual legal defences against "submarine patents" won't work either if the terms have been disclosed to be RAND all along.
I don't think that attendance at a voting station ever couple of years is too much to ask of citizens in return for all of the benefits of a healthy western democracy. Note that in Australia, only attendance is compolsory - it is legal to return an blank vote once you are there.
As to your fears of compolsory voting inducing politics to reach the "lowest common demoninator", I'd have to say that the US is far closer to that than Australia. We don't have the cruel and bitter personal attacks in mass-media political advertising, mudslinging and insinuation that seem characterise US politics. We certainly wouldn't get hung up about any political candidate's "war record" or lack thereof. (OTOH our capacity for cheap political stunts is up there with the best...)
Perhaps you should consider the converse: that the requirement of people to remain engaged with the democratic process causes them to care a little more about the outcome. It is not an option to merely opt-out and cynically consider politics a distant game, over which citizens can have no effect.
It is possible to build a useful and generic authentication system without dynamic loading.
OpenBSD and BSD/OS have one (bsd_auth) that exec()s small helper programs which implement the actual auth methods. These helpers speak a little protocol to the library via stdio.
The use of dynamic linking here is just lazyness on the part of people who would rather throw hidden complexity at problems rather than solving them through careful design.
Yes, PAM creates more problems through its complexity, poor specification and an absolutely shocking API than it solves. I wouldn't be at all surprised if this bug was in the PAM library or a module.
Don't believe me? Try writing a program that doesn't block during authentication. Try writing something cross-platform (there are at least three subtly different PAM implementations). Still not convinced? Have a look at the hoops that OpenSSH has jump through to work around this and other issues. Don't get me started on the busted config file that doesn't separate mechanism from policy or the stupid idea of dynamically loading modules in a security context....
I'm surprised that the major distributions haven't moved on to something more sane. It's good that that Slackware, at least, has demonstrated some critical thinking and has not just mindlessly followed the flock.
(disclaimer: I am an OpenSSH developer, very jaded for working with PAM for too long. OTOH, I'm not the only one)
Just give it to a graphic designer.
The ones listed in the story were appalling.
No, often you just need numbers that meet statistical criteria of randomness (e.g. bias, spectral characteristics, etc). They don't even necessarily need to be unpredictable.
Cryptographic random numbers set the bar somewhat higher, in that they need to unpredictable too. It would be fatal for many applications if an attacker could guess the next few pseudorandom number given a little history.
E.g. a LCG is very predictable, but may be statistically random-looking enough for many applications.
To use *really* random numbers would condemn you to store quantities of real, physically-derived randomness large enough for whatever application you wanted. Alternately you could forego the repeatability that a pseudo-random number generator gives you.
These problems are pretty much solved for practical applications - there are incredibly fast non-cryptographic PRNGs and quite strong cryptographic PRNGs.
There is one that appears to be left out (from the summary, perhaps not from the book - I haven't read it): fix it everywhere.
Once you have found a bug, search the rest of your tree for similar bugs. Chances are that you will find and fix several. This is especially true of bugs caused by bad assumptions.
FYI: This is one of the central audit methodologies of the OpenBSD project. It works much better for the BSDs as they keep the entire system in one CVS tree, rather than scattering it around FTP servers in the forms of tarballs. The whole system is readily available to search for entire classes of bugs.
You forgot PyGame - a wonderful game programming API based around SDL.
That is because Darren Reed was trolling - he changed his ipfilter license in a way that made it unacceptable to OpenBSD, so some OpenBSD developers wrote a better replacement.
Why else would he interpose himself into such a highly emotive debate and then go on to make stupid insinuations (read the thread). The people calling him "troll" are well aware of this history.
I don't think anyone praised ESR as a "father" of OSS. He'd like to pretend that he is, and goes to great effort to approrpriate credit is opportunistic ways (e.g. releasing the useless "comparator" tool that doesn't even detect simple search+replace). CatB was a reasonable essay, though and his documentation efforts are to be rightly lauded.
But, witness his unsubtle and ongoing recrafting of the Jargon File to suit his strange political proclivities. He would probably describe this as an attempt to "hack a social network", others would refer to it as cheap manipulation and abuse of one's position.
I chose free software leaders by what they *do*, not what they *say*.
So you are happy to acquiesce and let a few idiots ruin an excellent software project...
Fortunately 4.4RC2 is still under the original license, so forks may be based off it.
OpenBSD has imported the XFree4.4 Release Candidate immediately before this stupid licensing change and will be basing further work off that.
I don't think that it will be long before these efforts link up and produce a viable fork.
A while back I Googled my credit card number for a laugh
You therefore send your credit card number, unencrypted, over the Internet. Along the way it would have probably been logged at a proxy cache and would have certainly been logged at Google. You sure are a trusting fellow.
OpenSSH will listen on an IPv6 socket by default. Of course you must have configured IPv6, set up routing, etc for the attack to be useful.
Where was I factually incorrect?
Ranting about how sr-90 is not a problem based only on its half-life and emissions.
You quote:
"Strontium-90 was widely dispersed in the 1950s and 1960s in fall out from atmospheric testing of nuclear weapons."
and wonder why we aren't all dead or dying.
"widely dispersed" is not a quantitive term - so you can't go basing judgements off it. But consider the volume of the atmosphere (vast), the amount of fissile materials in the nuclear tests (way less than 1000 kilograms per test), the conversion rate of u-235/pu-240 into sr-90, the locations of the tests (remote, or over water) and the likely dispersal pattern.
BTW I suggest that you stop your poorly-informed ranting about the safety of nuclear power (which I personally *prefer* nuclear to burning fossil fuels). You aren't going to have any credibility to argue your position if you make factually incorrect statements, just because they sound nice.