Is it at all possible their attack involves tricking the application into allocating lots of data (by issuing lots of requests, a bit like a carefully planned denial of service) and then relying on the memory allocator to *reallocate* an area of memory previous used for executable code to which a dangling pointer refers?
I don't know whether the general malloc/platform allocators would do this but an application that gets a big ol chunk of RAM using weak memory protection and implements it's own tuned allocator might do so.
Re:Does GPL v3 GCC imply compiling issues?
on
GCC 4.2.1 Released
·
· Score: 1
My understanding is there has always been a clause in the licensing of GCC so that the small amount of GPL'd setup code compiled into C/C++ programs by the compiler doesn't 'infect' your application with the requirement to be released under the GPL. Of course it's a grey area, when turning C/C++ into assembly language there are going to assembly templates in GCC that are copied verbatim into your program.
The general consensus however is this doesn't effect your average user of GCC, only those developing proprietary extensions to it.
Torvald's is a pragmatist, if this is the same user space I/O framework I read about a while ago then there was a good case made for it when some guy ported a driver to it and significantly reduced the complexity and lines of code (and as I recall the number of ioctl's)
Window's has a userspace driver framework as well as a FUSE equivalent (I think) so really Linux isn't going any more toward being a micro kernel than Window's is.
I tried for days to get WPA and WEP working with the native bcm43xx driver and failed. The thing would receive wireless traffic (I could stick the card into monitor mode and capture packets from the air) but refused to connect to anything but unencrypted networks.
This may have been because the native Broadcom driver doesn't support the latest firmware (v4). I gingerly installed ndiswrapper and it just started working, and as an added bonus I can use the whizz cool Network Manager.
So the native Broadcom driver is still immature, i'm keeping an eye on it...
KQEMU (and indeed QEMU) releases are relatively infrequent, the latest pair of releases was in February.
QEMU has so far been a solid foundation for a handful of other FOSS virtualisation solutions, KVM use a modified Qemu (Does anyone know if KVM support is going upstream into the next QEMU release?) and Virtualbox incorporated QEMU to establish full system emulation on top of their own hypervisor. If anything I'd like to see the Virtualbox OSE kernel module merged, which imo is far superior to raw QEMU+KQEMU at the moment.
QEMU is far from dead though, there seems to be quite a bit of activity regarding patches on the qemu-devel mailing list.
Laws against child porn exist because the morality of such things is so fuzzy to so many different people and cultures in so many different ways.
A self-taken nude frontal shot in a mirror (think 'cam whore') of a 16 or 17 year old girl is illegal. I don't agree with that, I have no moral objection to it, but it is. On the other hand a video of a 16 year old couple (i.e. both participants being 16 years old) having intercourse I regard as morally questionable (But now I'm almost 22, I probably wouldn't have found it objectionable if I was still 16 myself)
The reason why the 'artificial' 18 year old requirement for pornography exists, despite a 16 year old age of legal sexual consent (here in the UK anyway), is because 18 is the age at which people need to start to earn money to make a living for themselves and they have the right to do that through modeling or doing porn if they want.
Thats not really true, Gentoo ebuilds are scripts which run at root to install the software via various arbitrary methods (everything from your standard configure, make, make install to nvidia's proprietary driver installer) into a "work" directory. It does have provisions for establishing a 'sandbox' but I believe it's done via library trickery (wrapping file system calls by messing with the LD PATH maybe?) rather than something like a chroot operation. I would argue that deb's and rpm's are inherently more secure because you can list the files within them *before* running the install process to see what is going to be installed and where (Of course this is just the nature of a source based distribution, not a flaw)
That said this discussion is irrelevant anyway because the whole point of community package repositories and package managers is to vet software for quality and to make sure packages installed and uninstalled correctly. Gentoo's portage, for example, automatically fixes up permissions on things going into/bin,/lib,/usr/bin,/usr/share when copying the "work" compilation into the active filesystem.
What this Samsung news proves is that the *nix way of using package repositories and managers and doing things through a common (un)install process catches outrages like this, whereas with Window's you're essentially at the mercy of some sloppy installer developer somewhere, i.e. one small group of people. Good stuff. On the other hand it also demonstrates how the rise in popularity of open source platforms is going to put increased pressure on open source communities to catch things like this and it will be hard for many developers to not give in to the Window's ways of doing things.
Astyle isn't bad. Neither is bcpp. For me though the problem with all these C++ beautifiers is the formatting of the output still depends too much on the formatting of the input. They don't strip all the formatting before rebuilding the source so the results can sometimes be unpredictable. For example, a new line ('\n') after function names and before the parameter parenthesis ( is kept as-is which is a bit of a pain for me as one of my preferred coding habits is to do this:
int/* I usually new line here only in C++ code, since in pure ANSI C all primitive types are short and readable, and I rarely deal with non #define'd or typedef'd C POD's (struct's) in C. */ main (/* In most code I see, people don't put a new line here, I prefer it and no beautifier I've tried will support it */
int argc,
char** argv ) {
The Internet Explorer 6 user interface is still available on IE7 installations... at least on XP. I can't be bothered to trawl my Windows partition for the location of the executable you can run to get it though (I'm booted into Linux atm).
Both the 'old' firewire and the 'old' wireless frameworks and their corresponding drivers are still in the tree. If you don't want to use these new and relatively untested stacks then simply don't use them in your 2.6.22 config.
1. To me this suggests an issue with Flash not Firefox. Does it happen in Opera? Try it, it'll tell you if it's Flash or Firefox (although I think Opera runs all plugin's in separate processes, so maybe not). 2. VLC has always been a mess for me too (GUI hangs up while the video keeps playing), why not try gxine (Or another Xine frontend) or mplayer? They will both play the same number of formats as VLC, if not more. 3. Perhaps an updated driver will fix this soon? 4. Not that it helps, Window's won't play DVD's out of the box either. I'm sure you can get it working trivially if you follow a guide likely to be found on the Ubuntu forums.
My guess is exhaustion of rights only applies as long as further sales aren't in direct competition with the IP owner's own sales. For example, 2nd hand sales on ebay never really compete with sales of brand new stuff on the high street, in fact the latter fuels to the former. Likewise it's not really practical to casually mosey on over to Japan and buy something cheaper.
It's common sense hammered out in law: if you can't control it, allow it, if it costs you money come down on it like a furacious wolf.
Windows XP may have had 6 years of testing and pawing over by people with various shades of monochrome hats but there is still an appreciable stream of security related bug fixes coming out of Redmond on the 2nd Tuesday of every month.
You're right that security isn't a product, it's a process, but over the last 6 years we would hope MS would have learnt enough about the issues they faced with XP to incorporate solutions into Vista.. What you have to remember is a product can be the end of a very long process, and thats certainly true of Vista.
So if I had to put my money on something, it'd be on the 800lb gorilla.
Been using Gentoo for 14 months and I do updates every 14 days, I think i've broken something serious once. But hey, it's not for everyone, if you find updating difficult try another distro, there are plenty to choose from.
It works both ways. When you buy a CD you may own that *copy* of it, but this artificial construct restricting the 'rights' of others to have a copy of that CD is in some ways no different to the way local laws *protect* the rights of others by say... making home owners file for planning permission.
The "Hey, wait a minute, I own my house and I'll do whatever I frickin' want with it" argument just doesn't hold water. There really isn't anything wrong with the *concept* of copyright and claiming that we are entitled to listen to music because it is part of our 'common culture once it's revealed' is just wrong.
That said, the real injustice here is that CD-WOW are, in fact, doing nothing illegal and now the record companies are trying to extend copyright law to pinch off perfectly legitimate trade within the confines of export and import law, tax law (and any other law) because it happens to create a loophole in getting an extraordinary amount of cash into their wallets.
I for one will advocating buying music from CD-WOW, if only to support them.
Isn't the point of FastCGI (fcgi) to enable communication between a web server and an arbitrary *persistent* daemon process (the CGI) to avoid the overhead* you commonly get with standard CGI?
I've read your little SCGI protocol.txt file and it doesn't explain any of this, in fact it looks like it advocates just passing the request (HTTP headers) through another TCP (well, a "reliable stream protocol") connection to the CGI process much like regular CGI (but without the use of environment variables as a transport). It doesn't seem to even try to deal with the **management** of these CGI processes, their *lifetime* of the process, or how they should inform the web server of whats going on. Doesn't that leave it up to implementation designers to invent their own management interface?
What i'm trying to say is, SCGI may be ridiculously simple but, unless I'm missing a massive chunk of specification I don't see how it solves any problems with FastCGI. In fact the only advantage it seems to have over *standard* CGI is the fact it uses a stream connection and can therefore be located on remote machine (like FastCGI can). If I'm missing something, please explain.
* Process startup and/or fork()'ing, script interpretation, server side resources such as database connections being obtained etc.
So now as a car owner I have to worry about keeping my car fed with a cocktail of enzymes? How are these enzymes produced? Are they produced in a eco-friendly manner? Are they expensive? Are they themselves perishable?
> It is only Linux that considers NDAs acceptable for open source.
Thats not really true of "Linux". It all comes down to the developer (or number of developers) who want(s) to write a driver... signing an NDA is a personal decision, theres no policy. *In general* the Linux developer community tends to be very pragmatic, they don't care about OS purity so much, and want working, well written, drivers and *code* under the GPL.
> A NDA would be acceptable if it allows you to release fully commented code.
If you just replicate all the specs and documentation you got from company X in code comments you've made the NDA totally pointless from that companies point of view. So unless you can convince them that NDA's are in fact point they are never going to allow this to happen.
Slashdot Mirror
Is it at all possible their attack involves tricking the application into allocating lots of data (by issuing lots of requests, a bit like a carefully planned denial of service) and then relying on the memory allocator to *reallocate* an area of memory previous used for executable code to which a dangling pointer refers?
I don't know whether the general malloc/platform allocators would do this but an application that gets a big ol chunk of RAM using weak memory protection and implements it's own tuned allocator might do so.
My understanding is there has always been a clause in the licensing of GCC so that the small amount of GPL'd setup code compiled into C/C++ programs by the compiler doesn't 'infect' your application with the requirement to be released under the GPL. Of course it's a grey area, when turning C/C++ into assembly language there are going to assembly templates in GCC that are copied verbatim into your program.
The general consensus however is this doesn't effect your average user of GCC, only those developing proprietary extensions to it.
Torvald's is a pragmatist, if this is the same user space I/O framework I read about a while ago then there was a good case made for it when some guy ported a driver to it and significantly reduced the complexity and lines of code (and as I recall the number of ioctl's)
Window's has a userspace driver framework as well as a FUSE equivalent (I think) so really Linux isn't going any more toward being a micro kernel than Window's is.
I tried for days to get WPA and WEP working with the native bcm43xx driver and failed. The thing would receive wireless traffic (I could stick the card into monitor mode and capture packets from the air) but refused to connect to anything but unencrypted networks.
This may have been because the native Broadcom driver doesn't support the latest firmware (v4). I gingerly installed ndiswrapper and it just started working, and as an added bonus I can use the whizz cool Network Manager.
So the native Broadcom driver is still immature, i'm keeping an eye on it...
KQEMU (and indeed QEMU) releases are relatively infrequent, the latest pair of releases was in February.
QEMU has so far been a solid foundation for a handful of other FOSS virtualisation solutions, KVM use a modified Qemu (Does anyone know if KVM support is going upstream into the next QEMU release?) and Virtualbox incorporated QEMU to establish full system emulation on top of their own hypervisor. If anything I'd like to see the Virtualbox OSE kernel module merged, which imo is far superior to raw QEMU+KQEMU at the moment.
QEMU is far from dead though, there seems to be quite a bit of activity regarding patches on the qemu-devel mailing list.
Parallel's patches to Wine have already been released, apparently they weren't very exciting...
For those wondering the best (IMHO) FOSS solution for those wanting to run Windows on Linux without a VT-capable processor is Virtualbox
Laws against child porn exist because the morality of such things is so fuzzy to so many different people and cultures in so many different ways.
A self-taken nude frontal shot in a mirror (think 'cam whore') of a 16 or 17 year old girl is illegal. I don't agree with that, I have no moral objection to it, but it is. On the other hand a video of a 16 year old couple (i.e. both participants being 16 years old) having intercourse I regard as morally questionable (But now I'm almost 22, I probably wouldn't have found it objectionable if I was still 16 myself)
The reason why the 'artificial' 18 year old requirement for pornography exists, despite a 16 year old age of legal sexual consent (here in the UK anyway), is because 18 is the age at which people need to start to earn money to make a living for themselves and they have the right to do that through modeling or doing porn if they want.
Thats not really true, Gentoo ebuilds are scripts which run at root to install the software via various arbitrary methods (everything from your standard configure, make, make install to nvidia's proprietary driver installer) into a "work" directory. It does have provisions for establishing a 'sandbox' but I believe it's done via library trickery (wrapping file system calls by messing with the LD PATH maybe?) rather than something like a chroot operation. I would argue that deb's and rpm's are inherently more secure because you can list the files within them *before* running the install process to see what is going to be installed and where (Of course this is just the nature of a source based distribution, not a flaw)
/bin, /lib, /usr/bin, /usr/share when copying the "work" compilation into the active filesystem.
That said this discussion is irrelevant anyway because the whole point of community package repositories and package managers is to vet software for quality and to make sure packages installed and uninstalled correctly. Gentoo's portage, for example, automatically fixes up permissions on things going into
What this Samsung news proves is that the *nix way of using package repositories and managers and doing things through a common (un)install process catches outrages like this, whereas with Window's you're essentially at the mercy of some sloppy installer developer somewhere, i.e. one small group of people. Good stuff. On the other hand it also demonstrates how the rise in popularity of open source platforms is going to put increased pressure on open source communities to catch things like this and it will be hard for many developers to not give in to the Window's ways of doing things.
Astyle isn't bad. Neither is bcpp. For me though the problem with all these C++ beautifiers is the formatting of the output still depends too much on the formatting of the input. They don't strip all the formatting before rebuilding the source so the results can sometimes be unpredictable. For example, a new line ('\n') after function names and before the parameter parenthesis ( is kept as-is which is a bit of a pain for me as one of my preferred coding habits is to do this:
/* I usually new line here only in C++ code, since in pure ANSI C all primitive types are short and readable, and I rarely deal with non #define'd or typedef'd C POD's (struct's) in C. */ /* In most code I see, people don't put a new line here, I prefer it and no beautifier I've tried will support it */
int
main
(
int argc,
char** argv
)
{
}
...and puts() would be a better choice than printf()
The Internet Explorer 6 user interface is still available on IE7 installations... at least on XP. I can't be bothered to trawl my Windows partition for the location of the executable you can run to get it though (I'm booted into Linux atm).
Both the 'old' firewire and the 'old' wireless frameworks and their corresponding drivers are still in the tree. If you don't want to use these new and relatively untested stacks then simply don't use them in your 2.6.22 config.
Yeah I wonder what we'll do when this happens with desktop PC's...
*Looks at GentooX and XBMC running on his Xbox*
Invisible Pink Unicorn farts.
Comments on your problems:
1. To me this suggests an issue with Flash not Firefox. Does it happen in Opera? Try it, it'll tell you if it's Flash or Firefox (although I think Opera runs all plugin's in separate processes, so maybe not).
2. VLC has always been a mess for me too (GUI hangs up while the video keeps playing), why not try gxine (Or another Xine frontend) or mplayer? They will both play the same number of formats as VLC, if not more.
3. Perhaps an updated driver will fix this soon?
4. Not that it helps, Window's won't play DVD's out of the box either. I'm sure you can get it working trivially if you follow a guide likely to be found on the Ubuntu forums.
My guess is exhaustion of rights only applies as long as further sales aren't in direct competition with the IP owner's own sales. For example, 2nd hand sales on ebay never really compete with sales of brand new stuff on the high street, in fact the latter fuels to the former. Likewise it's not really practical to casually mosey on over to Japan and buy something cheaper.
It's common sense hammered out in law: if you can't control it, allow it, if it costs you money come down on it like a furacious wolf.
Are you saying that after almost 2 years the 360's code signing hasn't been cracked?
Windows XP may have had 6 years of testing and pawing over by people with various shades of monochrome hats but there is still an appreciable stream of security related bug fixes coming out of Redmond on the 2nd Tuesday of every month.
You're right that security isn't a product, it's a process, but over the last 6 years we would hope MS would have learnt enough about the issues they faced with XP to incorporate solutions into Vista.. What you have to remember is a product can be the end of a very long process, and thats certainly true of Vista.
So if I had to put my money on something, it'd be on the 800lb gorilla.
Been using Gentoo for 14 months and I do updates every 14 days, I think i've broken something serious once. But hey, it's not for everyone, if you find updating difficult try another distro, there are plenty to choose from.
It works both ways. When you buy a CD you may own that *copy* of it, but this artificial construct restricting the 'rights' of others to have a copy of that CD is in some ways no different to the way local laws *protect* the rights of others by say... making home owners file for planning permission.
The "Hey, wait a minute, I own my house and I'll do whatever I frickin' want with it" argument just doesn't hold water. There really isn't anything wrong with the *concept* of copyright and claiming that we are entitled to listen to music because it is part of our 'common culture once it's revealed' is just wrong.
That said, the real injustice here is that CD-WOW are, in fact, doing nothing illegal and now the record companies are trying to extend copyright law to pinch off perfectly legitimate trade within the confines of export and import law, tax law (and any other law) because it happens to create a loophole in getting an extraordinary amount of cash into their wallets.
I for one will advocating buying music from CD-WOW, if only to support them.
I don't get it.
Isn't the point of FastCGI (fcgi) to enable communication between a web server and an arbitrary *persistent* daemon process (the CGI) to avoid the overhead* you commonly get with standard CGI?
I've read your little SCGI protocol.txt file and it doesn't explain any of this, in fact it looks like it advocates just passing the request (HTTP headers) through another TCP (well, a "reliable stream protocol") connection to the CGI process much like regular CGI (but without the use of environment variables as a transport). It doesn't seem to even try to deal with the **management** of these CGI processes, their *lifetime* of the process, or how they should inform the web server of whats going on. Doesn't that leave it up to implementation designers to invent their own management interface?
What i'm trying to say is, SCGI may be ridiculously simple but, unless I'm missing a massive chunk of specification I don't see how it solves any problems with FastCGI. In fact the only advantage it seems to have over *standard* CGI is the fact it uses a stream connection and can therefore be located on remote machine (like FastCGI can). If I'm missing something, please explain.
* Process startup and/or fork()'ing, script interpretation, server side resources such as database connections being obtained etc.
Besides, everyone knows that potato enzymes can be a little over enthusiastic
> It is only Linux that considers NDAs acceptable for open source.
Thats not really true of "Linux". It all comes down to the developer (or number of developers) who want(s) to write a driver... signing an NDA is a personal decision, theres no policy. *In general* the Linux developer community tends to be very pragmatic, they don't care about OS purity so much, and want working, well written, drivers and *code* under the GPL.
> A NDA would be acceptable if it allows you to release fully commented code.
If you just replicate all the specs and documentation you got from company X in code comments you've made the NDA totally pointless from that companies point of view. So unless you can convince them that NDA's are in fact point they are never going to allow this to happen.