July 2006 (#128):

• The Front Page, by Heather Stern
• The Linux Gazette Mailbag
• The LG Talkbacks
• NewsBytes, by Howard Dyckoff
• LG Tips
• How Fonts Interact with the X Server and X Clients, by Thomas Adam
• Creating a Rudimentary Kiosk System using FVWM, by Thomas Adam
• A Brief Introduction to VMware Player, by Edgar Howell
• Subversion: Installation, Configuration — Tips and Tricks, by Muthaiah Ramanathan
• Coding a Simple Packet Sniffer, by Amit Saha
• The Foolish Things We Do With Our Computers, by Ben Okopnik

The Front Page

By Heather Stern

Ride the X11 Bus

This one's inspired by Tavis Ormandy of #fvwm on freenode, realising that one of his nearby bus lines to Uni really is the X11 bus. He took a pic to share - I asked him what he thought of my silly idea - the rest, as they say, is history.

You can't really see who's the driver, but hey, most people don't care what the Window Manager is anyway, as long as the keyboard works.

Xteddy - a Gund "Tender Teddy" - was born in 1983, fell in love with Stegu's monitor in the 90's sometime, and since 1998 or so has been faithfully using Unix, though he has been seen on a Windows system now and then and even with a Macintosh once in a while. Lately he has been hanging out a lot in #fvwm on freenode, baking cookies, memorizing people's screenshots so as to be helpful, and indulging in a mocha now and then. The regulars there call him a little hug daemon - a ready source of hugs for all processes. Our Weekend Mechanic is one of his biggest fans. Our regular readers may recall that Xteddy featured in our second cover art picture over a year ago (back in issue 111). His good pal bear has also stood in for him on occasion.

Wilbur has been the GIMP's mascot since whenever it was that he won that logo contest. Best thing he ever did. Now his work gets seen at speaking engagements in just about every major Linux technical conference. He's been working on outreach programs to benighted Windows users, as well.

Konqi has been with the K desktop crowd for some time now. He enjoys fleshing out bug reports, and when he really gets into gear, polishing his shiny white taskbar. He and his girlfriend plan to visit Kiagara Falls sometime later this year, and enjoy the purple mists. For the uninitiated, "Kiagara Falls" is one of the finer wallpapers in the KDE collection. Consider taking a look at kde-look.org.

Talkback: Discuss this article with The Answer Gang

Heather got started in computing before she quite got started learning English. By 8 she was a happy programmer, by 15 the system administrator for the home... Dad had finally broken down and gotten one of those personal computers, only to find it needed regular care and feeding like any other pet. Except it wasn't a Pet: it was one of those brands we find most everywhere today...

Heather is a hardware agnostic, but has spent more hours as a tech in Windows related tech support than most people have spent with their computers. (Got the pin, got the Jacket, got about a zillion T-shirts.) When she discovered Linux in 1993, it wasn't long before the home systems ran Linux regardless of what was in use at work.

By 1995 she was training others in using Linux - and in charge of all the "strange systems" at a (then) 90 million dollar company. Moving onwards, it's safe to say, Linux has been an excellent companion and breadwinner... She took over the HTML editing for "The Answer Guy" in issue 28.

Here's an autobiographical filksong she wrote called The Programmer's Daughter.

The Linux Gazette Mailbag

insmod soundcore
  insmod soundlow
  insmod sound
  insmod v_midi (Do I need this one? Is it causing problems?)
  insmod uart401
  (Sometimes also insmod mpu401, makes no difference)
  insmod sb io=0x220 mpu_io=0x330 irq=5 dma=1 dma16=5
  insmod awe_wave (for AWE sound only)
  sfxload /usr/lib/sfbank/synthgm.sbk (the sound bank)
  insmod opl3 io=0x388 (for FM synthesis only)

  insmod soundcore
  insmod sb_lib
  insmod sb.....

[ cc'd to The Answer Gang for comments and further suggestions ]
On Wed, Apr 19, 2006 at 05:49:17PM -0700, Pablo Jadzinsky wrote: 
  > Dear editor, 
  >  
  > I am somewhat newbie to linux and I find your magazine the best  
  > resource I found so far. Even though I have great pleasure reading it  
  > and I find it extremely useful I have a suggestion. 
  > I think it would be great to have a 'homework' forum where every  
  > month a script or task can be suggested and then we (the readers)  
  > work on in during say 2 weeks. Some of us can send solutions to you  
  > and then someone on your team can post some of the different  
  > solutions with perhaps some comments on the different approaches. My  
  > experience says that the only way of really learning linux is through  
  > practice but at the beginning is difficult to use the system altogether. 
  >  
  > Any way, I hope you find my comment appropriate and useful. 
  >  
  > Thanks a lot 
  > Pablo Jadzinsky 

  I find "Newbie" to be a grating, overly-cutsie buzzword 
  (read: obsequious neologism) used by people who are either
  trying to be overly-cutsie or else who don't know that 
  "neophyte", "beginner" or "I'm new to" work just fine. 
  It sounds like something you'd be likely to find 
  in that offensively entitled line of books called 
  "XXX for Dummies".

"Gee, Brain - what are we going to do tonight?"
  "The same thing we do every night, Pinky - try to take over the world."

  rm *[!.c]

 rm -rf *[!.c]

   > The simple command (bash)
   > rm *[!.c]
   > would work for deleting all files except the right?

   > For all directories also, one can use:
   > rm -rf *[!.c]

  neil ~ 07:51:14 529 > mkdir /tmp/test
  neil ~ 07:51:26 530 > cd !$
  cd /tmp/test
  neil test 07:51:31 531 > mkdir src
  neil test 07:51:38 532 > mkdir module1
  neil test 07:51:45 533 > echo -n > readme.txt
  neil test 07:51:52 534 > echo -n > example.pc
  neil test 07:51:58 535 > cp readme.txt example.pc src/
  neil test 07:52:06 536 > cp readme.txt example.pc module1/
  neil test 07:52:09 537 > ls -lR
  .:
  total 8
  -rw-r--r-- 1 neil users 0 May 26 07:51 example.pc
  drwxr-xr-x 2 neil users 4096 May 26 07:52 module1
  -rw-r--r-- 1 neil users 0 May 26 07:51 readme.txt
  drwxr-xr-x 2 neil users 4096 May 26 07:52 src

  ./module1:
  total 0
  -rw-r--r-- 1 neil users 0 May 26 07:52 example.pc
  -rw-r--r-- 1 neil users 0 May 26 07:52 readme.txt
  
  ./src:
  total 0
  -rw-r--r-- 1 neil users 0 May 26 07:52 example.pc
  -rw-r--r-- 1 neil users 0 May 26 07:52 readme.txt
  neil test 07:52:16 538 > rm -rf *[!.c]
  neil test 07:52:27 539 > ls -lR
  .:
  total 4
  -rw-r--r-- 1 neil users 0 May 26 07:51 example.pc
  drwxr-xr-x 2 neil users 4096 May 26 07:52 src
  
  ./src: 
  total 0
  -rw-r--r-- 1 neil users 0 May 26 07:52 example.pc
  -rw-r--r-- 1 neil users 0 May 26 07:52 readme.txt
  neil test 07:52:30 540 > 

Unresolved symbol: generic_file_llseek
  generic_commit_write 
  unlock_new_inode 
  generic_read_dir 
  block_read_full_page 
  __out_of_line_bug 
  block_sync_page 
  cont_prepare_write 
  event 
  mark_buffer_dirty 
  block_write_full_page 
  iget4_locked 
  generic_block_bmap

  > My friend was born in Hereford England on the third of April 1940,attended
  > Lord Scudamores boys school has three sisters.

  > This may be a shot in the dark,but I would like to see the old fellow again
  > before I pop my clogs.

Talkback: Discuss this article with The Answer Gang

The LG Talkbacks

   >The Blackfin processor does not have an MMU, and does not provide any 
   >memory protection for programs. This can be demonstrated with a simple program:

   int main ()
   {
            int *i;
            i=0;
            *i=0xDEAD;
            printf("%i : %x\n", i, *i);
   }

   root:~> uname -a
   Linux blackfin 2.6.16.11.ADI-2006R1blackfin #4 Sat May 6 11:38:53 EDT 2006 
   blackfin unknown
   root:~> ./test
   SIGSEGV

   rgetz at test:~/test> uname -a
   Linux test 2.6.8-24.18-smp #1 SMP Fri Aug 19 11:56:28 UTC 2005 i686 i686 
   i386 GNU/Linux
   rgetz at test:~/test> ./test
   Segmentation fault

  *  Check if your CPU load is high and you a have large number of HTTP 
     process running

  MaxClients 30 

  ps -aux|grep -i HTTP|wc -l   

  ps aux | grep -ic '[h]ttp'

  *  Determine the attacking network 

  netstat -lpn|grep :80|awk '{print $5}'|sort 

  netstat -lpn | awk '/:80/ {print $5}' | sort 

  for f in /proc/sys/net/ipv4/conf/*/rp_filter  
  do 
          echo 1 > done  
          echo 1 > /proc/sys/net/ipv4/tcp_syncookies  

  for f in /proc/sys/net/ipv4/conf/*/rp_filter  
  do 
          echo 1 > "$f" 
  done

  echo 1 > /proc/sys/net/ipv4/tcp_syncookies 

   -----------------------------------------------------
   for f in /proc/sys/net/ipv4/conf/*/rp_filter 
   do
   	echo 1 > done 
   	echo 1 > /proc/sys/net/ipv4/tcp_syncookies 
   -----------------------------------------------------

   -----------------------------------------------------
   for f in /proc/sys/net/ipv4/conf/*/rp_filter
   do
        echo 1 > $f
   done
   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
   -----------------------------------------------------

   net.ipv4.tcp_syncookies = 1

Talkback: Discuss this article with The Answer Gang

NewsBytes

By Howard Dyckoff

Contents: News in General Conferences and Events Security News Distro News Software and Product News Magical Realism....

Please submit your News Bytes items in plain text; other formats may be rejected without reading. [You have been warned!] A one- or two-paragraph summary plus a URL has a much higher chance of being published than an entire press release. Submit items to bytes@linuxgazette.net.

News in General

Eclipse Callisto shines in FOSSw world

"Callisto" is a coordinated, simultaneous release of some 10 new or upgraded releases of major projects. This includes version 3.2 of the Eclipse Platform and these other new releases:

* Business Intelligence and Reporting Tools (BIRT) Project
* C/C++ IDE
* Data Tools Platform
* GEF - Graphical Editor Framework
* Eclipse Project [v. 3.2]
* Eclipse Test and Performance Tools Platform Project
* Eclipse Web Tools Platform Project
* VE - Visual Editor and
* Eclipse Modeling and Graphical Frameworks

Callisto was a major undertaking for the Eclipse community, involving 10 different project teams, 260 committers and over 7 million lines of code. Demonstrating the multi-vendor and global nature of the Eclipse community, 15 different ISVs contributed open source developers to work on the projects included in Callisto.

The coordination took the better part of a year and involved Bjorn Freeman-Benson, technical director of infrastructure at the Eclipse Foundation, and Ward Cunningham, Director, Committer Community Development, who left Microsoft in 2005 to work with Eclipse. [Cunningham has been described as the father of the wiki.] Eclipse presenters from IBM at JavaOne had described the level of maturity and coordination built into the Eclipse process during a morning keynote and also at a JavaOne BOF. This is based in part on advanced collaboration tools shared by all Eclipse project leads [IBM suggested that it may productize some of the process tools]. It also involved coordinating bug fixes with Bugzilla.

http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=189601018&pgno=2&queryText=
http://www.eweek.com/article2/0,1895,1981651,00.asp
http://www.eclipse.org/projects/callisto.php

Also see free archived webinars on how you can use the different Eclipse projects. These use Adobe's Macromedia Breeze meeting service to host the webinars: http://www.eclipse.org/callisto/webinars.php

RSA folds into EMC

EMC had an expensive lunch at the end of June. For a whopping $2.1 billion, it acquired security and identity company RSA, orignially founded by the 3 cryptologists whose initials make up its name.

Although financial analysts were skeptical about the potential integration issues and the high cost, EMC's CEO Joe Tucci called the purchase "critical technology" for adding security to storage solutions. One area of possible synergy is regulatory compliance, where data security is of increasing importance. However, RSA has not been primarily a sales organization, as EMC is, and the corporate cultures may clash.

RSA put itself up for auction several months ago, according to NY Times reports.

Red Hat Enterprise Linux 5 beta starting in July

Beta 1 of the next RHEL server may to be available in late July. The now-available Fedora Core 5 is viewed as alpha code for RHEL5. Red Hat hopes to incorporate the next Fedora Core 6 build into its Beta 2, planned for release in mid September.

RHEL 5 will include the Xen open source virtualization hypervisor -- a key element of the release and a necessary addition due to Novell's inclusion of Xen in Suse 10 -- as well as integration with the Red Hat's directory and certificate servers. It will also offer support for Intel and AMD virtualization extensions, stateless Linux clients, and single sign-on.

JBoss Unveils OSSw Enterprise Management Strategy with implementation of agent technology

JBoss, now a division of Red Hat, is open sourcing the core systems management agent in JBoss Operations Network (ON) to create and drive broadened adoption and collaboration around its open management platform. This announcement, backed by the JBoss developer and ISV community, provides software vendors and customers a foundation for building their own management agents, which will enable interoperability across heterogeneous IT environments.

This strategy is an important step in putting customers in charge of their IT infrastructures. As a subscription-based offering, JBoss ON delivers dramatic savings in total cost of ownership (TCO) and provides a holistic environment for inventory management, administration and configuration, monitoring, software updates and provisioning of applications based on JBoss Enterprise Middleware Suite (JEMS). Red Hat is working with other network and systems management vendors to ensure that management data can be shared with existing customer management installations. JBoss ON subscribers will also be able to leverage existing open source agents from projects such as Nagios.

By bringing its JBoss management agent to the open source community, Red Hat will enable systems to expose its manageability functions in an extendable and pluggable way - underscoring the company's commitment to support heterogeneous customer environments. For example, other vendors can extend the agent to manage their products. As part of its strategy, JBoss will create blueprints, certification toolkits and methodologies that vendors can use to validate their extensions and plug into the management process used for JEMS today.

JBoss Releases JBoss Seam 1.0, a Web 2.0 framework for SOA technologies

JBoss also announced the general availability of JBoss Seam 1.0, a new application framework for Web 2.0 applications that unifies popular service-oriented architecture (SOA) technologies such as Asynchronous JavaScript and XML (AJAX), JavaServer Faces (JSF), Enterprise JavaBeans (EJB) 3.0, Java portlets, business process management (BPM) and workflow. Since its initial developer release, JBoss Seam has seen strong community interest and has played a driving role for a new standards initiative for Web Beans through the Java Community Process (JCP).

Designed to eliminate complexity at the architecture and application programming interface (API) level, JBoss Seam enables developers to assemble complex web applications with simple annotated POJOs (plain old Java objects), componentized UI widgets and simple XML. To accomplish this, JBoss Seam extends the annotation-driven and configuration-by-exception programming model of EJB 3.0 into the entire web application stack. It bridges the artificial gap between EJB 3.0 and JSF in the Java Platform Enterprise Edition 5.0 (Java EE 5.0) architecture. The result is a unifying, tightly integrated application model that enables stateless, stateful, transactional and process-driven applications such as workflow and page flow.

Gavin King, founder and project lead of JBoss Seam and founder of Hibernate, commented: "Enabling the next generation of web development requires a major reconsideration of the underlying web application architecture. Until EJB 3.0, that had not been possible. As the first unifying ... framework for SOA technologies, JBoss Seam offers developers a rapid development environment and programming model that extends from the simple to the most complex web applications."

Key features of JBoss Seam 1.0 include:

-- EJB-based development. EJB 3.0 has changed the notion of EJBs as coarse-grained, heavy-weight objects to EJBs as lightweight POJOs with fine-grained annotations. In JBoss Seam, everything is an EJB. JBoss Seam embraces the Web 2.0 concept that the web is the platform, and as such, JBoss Seam eliminates the distinction between presentation tier components and business logic components. Even session beans, for example, can be used as JSF action listeners.
-- AJAX-based remoting layer. JBoss Seam Remoting allows EJB 3.0 session beans to be called directly from the web browser client via AJAX. The session beans appear as simple JavaScript objects to the JavaScript developer, hiding the complexity of XML-based serialization and the XMLHttpRequest API. Web clients may even subscribe to JMS topics and receive messages published to the topic as asynchronous notifications.
-- Declarative state management for application state. Currently, Java EE applications implement state management manually, an approach that results in bugs and memory leaks when applications fail to clean up session attributes. JBoss Seam eliminates almost entirely this class of bugs. Declarative state management is possible because of the rich context model defined by JBoss Seam.
-- Support for new types of stateful applications. Before Seam, HTTP session was the only way to manage web application states. JBoss Seam provides multiple stateful contexts of different granularity. For example, developers can write web applications with multiple workspaces that behave like a multi-window rich client.
-- Support for process-driven applications. JBoss Seam integrates transparent business process management via JBoss jBPM, making it easier than ever to implement complex workflow and page flow applications. Future versions of JBoss Seam will allow for the definition of presentation-tier conversation flows by the same means.
-- Portal integration. JBoss Seam supports JSR-168 compliant portals such as JBoss Portal.

JBoss Seam 1.0 is free to download and use under the GNU Lesser General Public License (LGPL). JBoss Seam 1.0 works with any application server that supports EJB 3.0, including JBoss. For download and additional information, visit www.jboss.com/products/seam

Webinar Series on Clustering JVM, Tomcat Sessions

Terracotta, Inc., announced a free Webinar series for Java professionals about the technology and benefits of the company's clustered JVM (Java Virtual Machine) solutions The series is a response to the market's growing interest in clustering at the JVM level, instead of at the application level.

Designed for Java developers, architects, and anyone needing fault tolerance and linear scalability, the webinars will cover all aspects of clustering the JVM. Highlights will include benefits, new features, installation, usage, management, demos, and technical Q&As. Webinars will be archived for those who cannot attend.

The first webinar, on June 28, addressed clustering the JVM with Apache Tomcat, which Terracotta currently supports. The Panelists included Jim Jagielski, CTO, Covalent Technologies; Gary Nakamura, vice president, Terracotta; and Sreeni Iyer, senior manager/field engineer, Terracotta

Terracotta Sessions clusters the JVM, instead of the application, so no coding or tuning during development is needed while achieving high availability and linear scalability. Developers can easily replicate sessions to other servers for high availability, without sacrificing performance. The product is fee for developers.

Future Webinars will focus on the Spring Framework from Interface21, which Terracotta will support in Q3, and additional open source projects that Terracotta will support. Register at : http://www.terracottatech.com/

Improving Make with Mr. Make

If you want to expand your software build repertoire, check out a 4-part series of practical techniques for enhancing your GNU Make Makefiles. John Graham-Cumming presents "recipes" for improving your Make-based builds. For example, Recipe 4 shows how to determine the version of GNU Make in a Makefile, or if a specific GNU Make feature is available. Recipe 5 performs a recursive $(wildcard), and Recipe 6 demonstrates tricks for tracing rule execution.

Interested? See: http://cmc.unisfair.com/log_thru.jsp?eid=72 and http://cmc.unisfair.com/index.jsp?id= 755&code= mrmake [for part 1, use id=844 for part 2 and id=993 for part 3]. The last part will occur in August.

Opera 9 is out [and eWeek likes it]

New Opera widgets make for small, light-weight applications that execute locally in the browser. These include calendar and game widgets, currency converters, etc.

Opera's expanded functionality makes it possible to selectively block content within a Web site. This can be done with right-clicking on the site page, then holding down the Shift key and clicking on specific images, ads and other componentsto be blocked on the next visit.

Quoting from the eWeek review: "A new site-settings feature made it possible to define controls and settings on a site-by-site basis. So, for example, we could define how we wanted to deal with pop-ups or cookies on a site.

"Now integrated directly within the Opera browser is a BitTorrent client, useful for downloading very large files (legal and non-legal). This client worked very well in our tests, and during downloads of Linux ISO files it provided good feedback and was very lightweight. However, BitTorrent users should keep in mind that if you close the browser, the download stops. Many BitTorrent clients, in contrast, just switch to a minimized mode. "

Here's a full list of new features: http://www.opera.com/products/desktop/

Conferences and Events

http://use.perl.org

Dr. Dobb's Architecture & Design World 2006

July 17-20, Hyatt Regency McCormick Place Conference Center, Chicago, IL

O'Reilly Open Source Convention 2006

July 24-28, Portland, OR

YAPC::EU

August 30-- 01 September, Birmingham, U.K

SIGGRAPH 2006

7/30 - 8/03, Moscone Center, Boston, MA

Entertainment Media Expo 2006

8/07 - 8/09, Universal City, CA

LinuxWorld Conference & Expo -- SF

August 14-17, 2006 -- in foggy San Francisco, dress warmly!!

SD Best Practices 2006

September 11-14, Hynes Convention Center, Boston, MA

GridWorld 2006

September 11-14, Convention Center, Washington, DC.

Digital ID World Conference

September 11-13, 2006, Santa Clara Marriott, Santa Clara, CA.

[The Dig-ID Conference sessions are on areas such as: enterprise identity management, provisioning, strong authentication, federated identity, virtual directories, smart cards, web services security, identity-based network access control, enterprise rights management, and trusted computing. I found the 2005 conference to be most excellent. Further information on Digital ID World 2006, is here: http://conference.digitalidworld.com/2006/]

Distro news

The latest stable version of the Linux kernel is: 2.6.17.3 [ http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.17.3.bz2 ]

Xandros Desktop 4 released

Xandros Corporation has announced immediate availability of Xandros Desktop 4, a novice-friendly desktop Linux distribution based on Debian GNU/Linux: "Xandros, the leading provider of easy-to-use Linux alternatives to Windows desktop and server products, today announced a new line of consumer desktop products targeting home and multimedia users: Xandros Desktop Home Edition and Xandros Desktop Home Edition - Premium."

Xandros Desktop Home Editions provide enhanced Windows compatibility, including enhanced Windows-to-Linux migration support. This is the first distribution to enable writing to NTFS partitions (the native file system on Windows computers) from Linux, which allows users to work with the same files from Linux and Windows.

Announcing Fedora Core 6 Test 1 (5.90)

The Fedora Project announced the first release of the Fedora Core 6 development cycle, available for the i386, x86_64, and ppc/ppc64 architectures, including Intel based Macintosh computers. Beware that Test releases are recommended only for Linux experts/enthusiasts or for the technology evaluation, as many parts are likely to be broken adn the rate of change is rapid. Test 2 is scheduled for release July 19, marking the developmental freeze of the Fedora Core 6 release. No new features after this point. It is important that we get your help in testing, reporting and suggesting fixes for bugs, and directing the technological improvements we attempt with this release of Fedora Core.

See info at : http://fedoraproject.org/wiki/Core/Schedule

SimplyMEPIS 6.0 Release Candidate 2 adds Security

The MEPIS team released the second release candidate of SimplyMEPIS 6.0, on June 21. RC2 adds bug fixes, security updates, and screen resolution detection, founder and lead developer Warren Woodford said. The distribution now also includes monitor resolution autodetection.

[Monitor resolution autodetection] is a feature that has been requested for a long time," according to Woodford. "If the user does not specify their desired display resolution when booting the CD, we attempt to obtain it from the EDID data returned by the display card, and then the optimum screen resolution is chosen automatically. Unfortunately there are a lot of monitor-display card combinations that do not return this data, so this feature will work only for some users."

A bug was found in RC1 that broke the "install on entire disk" option, Woodford said, and it has been fixed for RC2. By popular demand, the apt-notify applet was improved to support transparency in the panel. Firefox now runs much faster out-of-the-box, due to some configuration improvements suggested by the community, he added.

RC2 incorporates more security updates from the Ubuntu Dapper pool, including a security-patched version of the 2.6.15 kernel

SUSE Linux Enterprise Release Candidate 3

Novell has announced the availability of SUSE Linux Enterprise 10 RC3, both Desktop (SLED) and Server (SLES) editions, for public testing: "Be among the first to install, test and enjoy SUSE Linux Enterprise 10. The pre-release contains all the functionality of the regular release, but is not the final product. SUSE Linux Enterprise 10 is an open, flexible and secure platform that is ready to host the applications and databases critical to your business -- from the desktop to the data center, across a wide variety of workloads."

See: http://www.novell.com/linux/preview.html

OpenOffice Security Bulletin [06-29]

OpenOffice.org 2.0.3 fixes three security vulnerabilites that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly. [note: the Macro execution flaw allows an attacker to get a macro executed even if the user has disabled document macros.]

The three vulnerabilities involve:
* Java Applets, CVE-2006-2199
* Macro, CVE-2006-2198; and
* File Format, CVE-2006-3117

Security News

"Blue Pill = Security Nightmare"

From Joanna Rutkowska on the 'theinvisiblethings' blog:

"Over the past few months I have been working on a technology code-named Blue Pill, which is just about that - creating 100% undetectable malware, which is not based on an obscure concept.

"The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside virtual machine. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica."

See the full entry at http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

Selected Security NEWS from SANS Institute

--Buffer Overflow Flaw in Opera Browser (23 June 2006)

A buffer overflow flaw that occurs when the Opera web browser processes JPEG mages could allow remote code execution. The problem is known to exist in Opera v.8.54 and possibly in earlier versions as well. Users are urged to upgrade to the new Opera v.9. http://www.vnunet.com/vnunet/news/2158971/jpeg-flaw-uncovered-opera

--DATA THEFT & LOSS --Lost Memory Stick Holds Phishing Investigation Dossier (26 June 2006)

A police officer with the Australian High Tech Crime Centre (AHTCC) lost a memory stick that contains sensitive financial data belonging to thousands of Australians. The lost memory stick holds a dossier on Russian phishing scams. The data on the stick were being used in an investigation; several arrests were made with the help of the data, but since the loss of the stick, no arrests have been made. While officials searched fruitlessly for the memory stick, the people whose data were compromised were not informed of the loss. The officer who lost the device violated AHTCC rules regarding data transport. http://australianit.news.com.au/common/print/0,7208,19588463%5E15306%5E%5Enbv%5E,00.html

--Attackers Use SMS Messages to Lure People to Malicious Site (23 June 2006)

A recently detected attack sends intended victims SMS text messages thanking them for subscribing to an online dating service and telling them they will be charged US$2 a day until they unsubscribe. When people visit the site where they are purportedly unsubscribing from the fictitious service, "they are prompted to download a Trojan horse program." Infected computers then become part of a botnet. http://www.zdnet.co.uk/print/?TYPE=story&AT=39277240-39020375t-10000025c

--Survey Finds Americans Want Strong Data Security Legislation

A survey from the Cyber Security Industry Alliance (CSIA) of 1,150 US adults found 71 percent want the federal government to enact legislation to protect personal data similar to California's data security law. Of that 71 percent, 46 percent said they would consider a political candidate's position on data security legislation and "have serious or very serious doubts about political candidates who do not support quick action to improve existing laws." In addition, half of those surveyedavoid making online purchases due to security concerns.

http://www.fcw.com/article94613-05-23-06-Web
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/23/78609_HNdatapolitics_1.html

--Millions of Blogs Inaccessible Due to DDoS Attack

A "massive" distributed denial-of-service (DDoS) attack on Six Apart's blogging services and corporate web site left about 10 million LiveJournal and TypePad blogs unreachable for hours on Tuesday, May 2.

Six Apart plans to report the attack to authorities.

http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=39255176-2000061744t-10000005c

--Soon-to-be-Proposed Digital Copyright Legislation Would Tighten Restrictions

Despite efforts of computer programmers, tech companies and academics to get Congress to loosen restrictions imposed by the Digital Millennium Copyright Act (DMCA), an even more stringent copyright law is expected to be introduced soon. The Intellectual Property Protection Act of 2006 would make simply trying to commit copyright infringement a federal crime punishable by up to 10 years in prison. The bill also proposes changes to the DMCA that would prohibit people from "making, importing, exporting, obtaining control of or possessing" software or hardware that can be used to circumvent copyright protection.

http://news.com.com/2102-1028_3-6064016.html?tag=st.util.print

Software and Product News

New Berkeley DB Java Edition 3.0

The new Berkeley DB 3.0 is a high performance, transactional storage engine written entirely in Java. Like the original, highly successful Berkeley DB product, Berkeley DB Java Edition executes in the address space of the application, without the overhead of client/server communication. It stores data in the application's native format, so no runtime data translation is required. Berkeley DB Java Edition supports full ACID transactions and recovery. It provides an easy-to-use, programmatic interface, allowing developers to store and retrieve information quickly, simply and reliably.

Berkeley DB Java Edition is designed to offer the same benefits of Enterprise Java Beans 3.0 (EJB3) persistence without the need to translate objects into tables.

Most persisted object data is never analyzed using ad-hoc SQL queries; it is usually simply retrieved and reconstituted as Java objects. The overhead of using a sophisticated analytical storage engine is wasted on this basic task of object retrieval. The full analytical power of the relational model is not required to efficiently persist Java objects. In many cases, it is unnecessary overhead. In contrast, Berkeley DB does not have the overhead of an ad-hoc query language like SQL, and so does not incur this penalty.

The result is faster storage, lower CPU and memory requirements, and a more efficient development process. Despite the lack of an ad-hoc query language, Berkeley DB Java Edition can access Java objects in an ad-hoc manner, and it does provide transactional data storage and indexed retrieval, as you would expect from any database. The difference is that it does this in a small, efficient, and easy-to-manage package. Using the Persistence API, Java developers can quickly and easily persist and retrieve inter-related groups of Java objects.

Berkeley DB Java Edition was designed from the ground up in Java. It takes full advantage of the Java environment. The API provides a Java Collections-style interface, as well as a programmatic interface similar to the Berkeley DB API. Its architecture supports high performance and concurrency for both read- and write-intensive workloads.

Berkeley DB Java Edition is not a relational engine built in Java [like Derby]. It is a Berkeley DB-style embedded store, with an interface designed for programmers, not DBAs. The architecture is based on a log-based, no-overwrite storage system, enabling high concurrency and speed while providing ACID transactions and record-level locking. Berkeley DB Java Edition efficiently caches most commonly used data in memory, without exceeding application-specified limits.

Here's the download link : http://dev.sleepycat.com/downloads/releasehistorybdbje.html

Ajax4jsf Now open source

Exadel, Inc. has contributed Ajax4jsf as an open source project to Java.Net, the web-based, open community that facilitates Java technology collaboration in applied areas of technology and industry solutions.

Exclusively created to bring rich user interface functionality to the JavaServer Faces (JSF) world, Ajax4jsf is a rich component development framework that extends the benefits of JSF to AJAX development. Ajax4jsf allows developers to add AJAX-capability to existing JSF applications, create rich components with built-in AJAX support, create a slick user interface with Skinning technology, package Java Script files and other resources together with JSF components, and test the components functional elements in the process of components development.

More information about Ajax4jsf can be found at: http://ajax4jsf.dev.java.net

Unisys Announces Open Source 'Oasis' in Enterprise Computing

Unisys Corporation has announced a major expansion of its open source capabilities with Unisys Open and Secure Integrated Solutions (OASIS), an integrated, certified set of software suites targeted specifically for enterprise class computing based on open standards and fully supported through Unisys global services and vertical-industry solutions capabilities. Combining technology and services, Unisys open source solutions provide a comprehensive environment that realizes the full benefits of enterprise computing capitalizing on the economics of OSSw.

Unisys OASIS and associated services enable clients to take a disciplined, secure approach to realizing the cost, agility and security advantages that open source solutions can provide. The Unisys OASIS software suites provide a range of options, including:

For additional information on Unisys OASIS, visit http://www.unisys.com/services/open__source.htm .

BlueCat Networks and Mirage Networks Defend Network Access

BlueCat Networks and Mirage Networks announced that the companies have formed an alliance to deliver the strongest DHCP-based network access control (NAC) available. Through this partnership, BlueCat Networks is adding support for Mirage NAC to its lineup of network appliances. The combined solution will enable customers to cost-effectively authenticate users and control their access to network resources.

A recent Gartner report, states "To protect their networks, many network managers are implementing network access control (NAC), based on technologies such as 802.1x and Dynamic Host Configuration Protocol (DHCP)." This reflection of industry requirements and drivers has spurred the development of this partnership.

BlueCat selected Mirage NAC for its abilities to provide a future-proof approach that provides security no matter the IP device or operating system. Its award-winning design offers complete access control by:

"There are no safe havens in the network: every endpoint, from the network printer to the VoIP phone to the Windows desktop is vulnerable to threats," stated Michael D'Eath, vice president of corporate and business development, Mirage Networks. "BlueCat is clearly a leader in the IPAM, DNS and DHCP Space. With this partnership, BlueCat can securely authenticate and attach any endpoint, managed or unmanaged, to the network, without the need for expensive switch upgrades, cumbersome client software or reactive signature updates."

The joint solution is available through BlueCat Networks. Contact BlueCat Networks at www.bluecatnetworks.com or 1-866-895-6931 for pricing and more information.

Forum Systems Launches Web Services Security Software Development Kit

Forum Systems has released the Forum Java Web Services Security (JWSS) Software Development Kit (SDK) version 1.0 offering developers a comprehensive library of application programming interfaces (API's) to leverage in coding Web Services applications. The JWSS SDK v1.0 addresses the need for security to be enforced within the application itself in order to ensure privacy and integrity of Web Services and SOA applications.

Forum JWSS SDK v1.0 allows developers to administer and apply security policies within J2EE compliant Application Servers using a declarative security model and API's for XML message authentication and authorization. The Application Server is then responsible for applying these security constraints to the code at runtime. Adding XML security within business logic prevents transactions from bypassing third-party enforcement points that would violate regulatory compliance or work flow security. Companies should complement this developer-centric approach with an "interception" model using a SOA Gateway or XML Firewall within a DMZ (Demilitarized Zone) for a global and scalable SOA security and acceleration strategy.

"There are business applications in which security must be enforced at the exact location where information is being processed for privacy reasons," said Walid Negm, vice president of marketing for Forum Systems. "In certain financial services and government settings, the origin of messages must be verified at the point of consumption to ensure that they were not physically intercepted. When using XML Encryption within the application, Forum's JWSS SDK v1.0 equips the developer with XML security functionality to decipher and verify the message contents," Negm added.

Forum Seamless Security Solutions Architecture (Forum S3A) is an adaptive approach to building security-minded service-oriented applications and data-level networks using life-cycle solutions including vulnerability management, testing systems, firewalls and gateways. Forum products are available as software, PCI-card and appliance options and comply with government requirements including CheckPoint OPSEC Certification, FIPS Certification, Common Criteria EAL 4+ (in process) and JITC DoD PKI Certification. Forum Systems is an active a member of OASIS and WS-I helping mature standards such as WS-I Basic Profiles, SAML and WS-Security.

Magical Realism... (non-Linux news of general interest)

WOMMA Site Devoted to Word of Mouth Research and Measurement

The Word of Mouth Marketing Association (WOMMA) has launched the first site devoted solely to the field of word of mouth (WOM) research. Featuring a new blog and email newsletter, the WOM Research site is a resource for both marketers and academics seeking the latest information on word of mouth measurement and metrics. Everything can be found at http://www.womma.org/research.

The new site features content designed to introduce WOM research to a wider audience. In addition to the latest research reports, surveys, and data, the WOM Research blog also features original contributions from leading academics and market research experts.

WOMMA has also announced the Word of Mouth Basic Training 2 Conference to be held on June 20-21 in San Francisco. Measurement and research will form a significant part of the agenda, with research experts on hand from BIGresearch, Biz360, Informative, Keller Fay Group, Millward Brown, MotiveQuest, Starcom, VoodooVox, and Umbria. More details can be found at http://www.womma.org/wombat2.

As word of mouth marketing has continued to explode into the mainstream marketing mix, the demand for new resources and data has become essential. According to eMarketer, 43% of all marketers will incorporate word of mouth into their marketing programs in 2006.

WOMMA is the official trade association for the word of mouth marketing industry. Its members are committed to building a prosperous word of mouth marketing profession based on best practices, measurable ROI, and ethical leadership. Learn about WOMMA at http://www.womma.org.

World's Record Etch A Sketch Coming to SIGGRAPH 2006

The world's largest Etch A Sketch(R) will make its debut at SIGGRAPH 2006, the International Conference and Exhibition on Computer Graphics held 30 July to 3 August 2006 in Boston, Massachusetts. SIGGRAPH 2006 will bring an estimated 25,000 computer graphics and interactive technology professionals from six continents the event.

Officially endorsed by The Ohio Art Company, the installation will be in use before the curtain rises on the SIGGRAPH Computer Animation Festival - the world's marquee showplace for the latest and most innovative animation films of the year.

It allows audience members to control (in real-time) the two famous Etch A Sketch(R) drawing knobs and use them interactively on the main projection screen. Functionality will also include the audience's ability to "shake" the screen clean and start again with a blank canvas.

The SIGGRAPH 2006 Computer Animation Festival features approximately 100 films and videos by some of the world's most creative scientists, animators, VFX specialists, educators, studios, and students. For more information on the Computer Animation Festival,visit: http://www.siggraph.org/s2006/main.php?f=conference&p=caf.

Virtualization Software Allows SPARC Applications to Run on Linux

Transitive Corp recently announced the first two products in its series of products that are being developed as part of its new Solaris/SPARC Migration Initiative:

-- QuickTransit for Solaris/SPARC-to-Linux/Xeon and
-- QuickTransit for Solaris/SPARC-to-Linux/Itanium

Transitive Corp previously developed Rosetta which allows Macintosh applications written for the PowerPC chip to run on the new Intel-based versions of the Macintosh.

The new products are the first results of the collaboration with Intel announced in March of this year to accelerate the migration from RISC-based platforms to Intel-based platforms, and they allow Solaris/SPARC applications to run without any source code or binary changes on Linux/Xeon- and Linux/Itanium 2-based servers respectively. The products dramatically reduce the barriers IT organizations face when migrating Solaris/SPARC workloads to Linux/Xeon- and Linux/Itanium-based servers. Future products will allow SPARC applications to run on various other hardware platforms.

"One of the biggest obstacles to migrating from one server to another is getting your internally developed and commercial applications ported to the new server," said Bob Wiederhold, President and CEO of Transitive Corporation. "In a large IT organization this can take years to accomplish. Since SPARC applications can now run on your target platform without the burden of porting, this migration barrier is eliminated and IT organizations can immediately realize the full benefits of their new strategic server platform."

Transitive's QuickTransit hardware virtualization products allow SPARC applications to run with full functionality, including interactive and graphics performance. The use of QuickTransit is completely transparent to the end-user and easily managed by IT system administrators. Commercial and in-house software development teams can easily support their applications with QuickTransit because no source code or binary changes are required.

Transitive expects to deliver the first product, QuickTransit for Solaris/SPARC-to-Linux/Xeon, in Q3 2006. The second product, QuickTransit for Solaris/SPARC-to-Linux/Itanium, is expected to be available by the end of the year 2006.

AMD to gradually introduce DDR3, FB-DIMM; will be used in next gen Cray supercomputer

In a recent supercomputing win, AMD Opteron processors were selected for a multi-year contract that Cray, Inc. signed with Oak Ridge National Laboratory (ORNL) to provide the world's first petaflops-speed (1,000 trillion floating-point operations/second) supercomputer. The contract calls for progressive upgrades to ORNL's existing Cray XT3™ supercomputer, starting with Next-Generation AMD Opteron processors with DDR2 memory, followed by upgrades to use quad-core AMD Opteron processors, which will be socket compatible. These upgrades will accelerate peak speed to 250 teraflops (250 trillion floating-point operations per second), planned in late 2007.

ORNL is then expected to install a next-generation Cray supercomputer in late 2008. This system, currently code-named 'Baker,' is designed to deliver peak performance of one petaflops, making it roughly three times faster than any existing computer in the world. All systems provided for in the contract will utilize current and future versions of the AMD Opteron processor.

At the May Processor Forum, Senior Fellow Chuck Moore described a gradual process of innovation for AMD multi-core chips. This involved supporting advanced RAM technology as the price points come down near current DDR2 pricing.

At the presentation, AMD indicated that new architecture products from Intel will roughly halve the power consumption advantage AMD now enjoys. AMD will add better power management to keep its lead on future products in the 2007 and 2008 timeframe.

AMD also hopes to improve HyperTransport technology to handle up to 5.2 gigatransfers per second. AMD is encouraging motherboard manufacturers to add HTX slots that use the high speed data transfers.

AMD has plans to add an on-chip L3 cache, shared by all CPU cores, while maintaining the localized L2 caches for each core. Depending on its size and the use of pre-fetch algorithims, this feature would keep CPU cores running longer between pipleline stalls.

AMD will simplify its product portfolio by dropping the 939 and 754 processors in July and will offer steep discounts of up to 46% to stay ahead of Intel on chip pricing.

Meanwhile, Intel may have delayed the anticipated shipment of its 'Conroe' Duo and Extreme processors by up to four days, according to Taiwanese manufacturers. [ But the delay was not officially confirmed by Intel. ] The graphics chipsets to support the CPUs will also have a July 27th ship date [and this may be the cause]. Also, its entry-level Celeron D 360 CPU, now the last part to use the Pentium 4 NetBurst microarchitecture, will be introduced on September 1. [So there may be a back-to-school price war in September.]

Wikipedia presents: Alien insults for rookies

http://news.com.com/2061-10786_3-6087132.html?tag=xtra.ml

The next time a Klingon shouts that your mother has a smooth forehead, you will know how to insult him back, thanks to a Wikipedia list of fictional expletives — curses and insults from books, TV series and movies, mainly science fiction and fantasy. [ Check it out at : http://en.wikipedia.org/wiki/List_of_fictional_expletives]

Free file backup and synchronization online with MediaMax

Streamload, a leading provider of online digital media services, today announced Streamload MediaMax 1.5, the latest version of its online media center. The new Streamload MediaMax service is the first in the online storage space offering a full suite of media sharing and remote access applications that include free file backup and file synchronization in one online service.

Streamload MediaMax allows users to easily store, organize, access, and share their digital media collection . Version 1.5 integrates the management and sharing of online and offline media by integrating free client software, called Streamload MediaMax XL, into the Streamload MediaMax service using a drag and drop window on their desktop. It also automatically performs regular backups of designated folders from their PC and it synchronizes files across multiple computers and devices every time new files are added, changed or deleted on their computer. A benefit of MediaMax's automatic backup and sync is always having files when and where they are needed without the hassle of manual uploads.

Users of the service can also invite friends and family to sync folders on their computers. Without any additional effort, users can automatically share photos and personal video instantaneously with others who are subscribed to their synchronized folders.

Streamload MediaMax runs on Windows, Mac OS and Linux. The standard service is free and comes with 25 GB of online storage. A premium account gives subscribers 250 GB of storage for $9.95 per month, and the elite subscription offers 1000 GB for $29.95 per month (when paid annually.) For more information and to download the free Streamloader desktop software visit http://www.mediamax.com.

Scientists OK Gore's movie for accuracy / USA Today

[from -- http://www.usatoday.com/tech/science/2006-06-27-gore-science-truth_x.htm]

The nation's top climate scientists are giving "An Inconvenient Truth", Al Gore's documentary on global warming, five stars for accuracy.

The former vice president's movie — replete with the prospect of a flooded New York City, an inundated Florida, more and nastier hurricanes, worsening droughts, retreating glaciers and disappearing ice sheets — mostly got the science right, said all 19 climate scientists who had seen the movie or read the book and answered questions from The Associated Press.

The AP contacted more than 100 top climate researchers by e-mail and phone for their opinion. Among those contacted were vocal skeptics of climate change theory. Most scientists had not seen the movie, which is in limited release, or read the book.

But those who have seen it had the same general impression: Gore conveyed the science correctly; the world is getting hotter and it is a manmade catastrophe-in-the-making caused by the burning of fossil fuels.

Talkback: Discuss this article with The Answer Gang

Howard Dyckoff is a long term IT professional with primary experience at Fortune 100 and 200 firms. Before his IT career, he worked for Aviation Week and Space Technology magazine and before that used to edit SkyCom, a newsletter for astronomers and rocketeers. He hails from the Republic of Brooklyn [and Polytechnic Institute] and now, after several trips to Himalayan mountain tops, resides in the SF Bay Area with a large book collection and several pet rocks.

LG Tips

   From the slave log in to the master using ssh X forwarding

		slave:$ ssh -X luser at master

	Then run "x2x" on the master via this ssh session as follows

		master:$ x2x -from :0 -to $DISPLAY -west &

	Here you replace west with the appropriate direction (west
	equals left and north equals up) in which the monitor of the
	"slave" is.

	On the slave you run "linuxvnc"

		slave:$ linuxvnc &

	This will give you a port number (usually 5900) which you
	must use below. I'll use 5900 as the port since that is
	standard. Next start an ssh tunnel to the master.

		slave:$ ssh -f -N -R 5900:localhost:5900 master 

	Finally on the master you run

		master:$ x2vnc -west localhost:0 &

	On the slave you need a VNC server like "WinVNC" for Windows
	and "OSXVnc" for Mac OS X. You also need "ssh" unless you allow
	the VNC server to accept connections over the net (bad
	security). You then follow the same sequence:
		(a) start the VNC server on slave
		(b) start the ssh tunnel on slave
		(c) start x2vnc on master.

   ln -s /dev/null /var/tmp/null.raw
   ln -s /var/tmp/null.raw /var/tmp/record.raw

Talkback: Discuss this article with The Answer Gang

How Fonts Interact with the X Server and X Clients

By Thomas Adam

[ The following is taken from a reply the author sent to TAG in response to a question about fonts. Some of the answers in TAG are so good that they simply deserve to be made into articles. :) -- Ben ]

Introduction

Behind the scenes, there's a fair amount that happens when an application requests the use of a font. Because many default installations include both the X server and their respective clients on the same machine, a lot of the functionality is masked. However, the X server plays a pivotal role in managing the fonts stored under it.

There are usually two different mechanisms at work, as far as fonts are concerned: one of them makes use of a font server, the other does not.

Fonts and their location

Taking a typical system that doesn't use a font server, font definitions are a property of the X server; that is, it knows and keeps track of which fonts are on your system. X11 defaults to looking for fonts in /usr/lib/X11/fonts/*.

Typically, a standard definition from /etc/X11/XF86Config-4 (and newer xorg.conf) files might look like:

Section "Files"
    FontPath        "unix/:7100"          # local font server
    # if the local font server has problems, we can fall back on these
    FontPath        "/usr/lib/X11/fonts/misc"
    FontPath        "/usr/lib/X11/fonts/cyrillic"
    FontPath        "/usr/lib/X11/fonts/75dpi/"
    FontPath        "/usr/lib/X11/fonts/100dpi/"
    FontPath        "/usr/X11R6/lib/X11/fonts/sgi"
    FontPath        "/usr/lib/X11/fonts/Type1"
    FontPath        "/usr/lib/X11/fonts/CID"
    FontPath        "/usr/lib/X11/fonts/100dpi:unscaled"
    FontPath        "/usr/lib/X11/fonts/75dpi:unscaled"

An application can request a font to display, and the X server will obligingly look for it in the hash of directories it stores (much like the one above). The command 'xset q' will list that information [1], and indeed font paths can be added to with 'xset +fp /some/location/'.

However, that does nothing more than append the directory definition. In order for the X server to become aware of the fact that a new location has been added, one has to rehash that with 'xset fp rehash'.

Font descriptions

There's a convenience mechanism within X11 fonts, and that is to alias font names. If we ignore TrueType fonts for the moment, the command 'xlsfonts' lists fonts like this:

-adobe-avant garde gothic-book-o-normal--0-0-0-0-p-0-iso8859-1
-adobe-courier-bold-o-normal--17-120-100-100-m-100-iso10646-1
...
[ Many more lines elided ]

Let's take one of them as an example — here's what each part does:

Figure 1: Structure of a typical font.

That's a lot of information, right? Well, yes, it is, but it's a lot of very useful information. Roughly (and off the top of my head) here's what each part means:

• Foundry refers to the company that produced the font (Adobe in this case).
• The family refers to the font type.
• The weight is the display of the font (which also includes normal).
• The various pixels and points refer to the size of the font with respect to the resolution of the displayed font (that's horizontal and vertical resolutions.)
• Spacing refers to whether the font is monospaced (m) or proportional (p).

All of this is very dull and boring, and of course it would be a nightmare if one had to remember all of that information in one go. This is where aliasing and wildcarding become useful.

Most X11 applications that use the X11 Resource Database (XRDB) allow various resources to be set with an appropriate font. Example:

*xterm.font: *courier-bold-o-*-120*

That should be pretty self-explanatory, right? That's analogous to the often used command-line [2] of:

<program> -fn '*courier-bold-o-*-120*'

The X server then has to look up that font, expanding the wildcard as it goes. This is largely left down to the user to ensure that the correct placement of any wildcards is accurate, since it will on many occasions match nothing or unintentional fonts due to it. The X server will traverse whatever is in its fontpath, in the order the directories are listed, until a matched font is found. I cannot stress the order enough — it's analogous to the way a binary is searched for, in one's $PATH. The first matching font is whatever is found within the list of fontpaths, even if two or more fonts are matched by the wildcard.

Aliasing is slightly different, in that rather than the user relying on wildcard matching, a "font.alias" file holds short names for fonts (alternate names, if you will). Here's a snippet of one:

lucidasans-bolditalic-8    -b&h-lucida-bold-i-normal-sans-11-80-100-100-p-69-iso885 9-1

Essentially, it's a two column file, with the alternate name in column one, and the actual font name in the second column. As before, if you use an alias to load a font, the X server will search each font directory in turn. This has the added benefit of being able to specify aliases for fonts in other directories.

A fonts.alias file is also associated with a fonts.dir file. You can think of this file as a massive database that the XServer uses. It's a bit like font.alias, except that this file lists the following:

Actual Font Name		Font Name

When you ask the X server to search for a font, it will look in fonts.dir to ascertain the font based on either the long name, or the alias (since the alias is mapped before the fonts.dir is looked in.) If you've ever used the mkfontdir(1) command, this is what it does — creates font.dir files in each and every fontpath listed.

Font Servers

Now onto font servers: You don't need them. Really — unless you're in some large multinational corporation that has hundreds of workstations connecting to an X server with different vendors. In the R5 release of X11, they were used for uniformity, to ensure that font names remained consistent, so that applications could load fonts, thus sharing them. What happens is something like the following:

Figure 2: How XFS interacts with the X server and X client(s)

The machine "Server" has a number of services running on it -- including the XFS (X Font Server). The local X server running on a client is hence told to use a font server (which is typical of the line):

FontPath "unix/:7100" 

The font server responds by supplying the X server on the client with a list of font names applications (X clients) can load and display on the screen. (Under the hood there's a lot which goes on, but I'll skip that.) Note the "role reversal" here [3]: the X server is the client with respect to the font server — hence it is itself a "font client" — other examples include a printer, which would also talk to the font server, where necessary (although not shown in the above diagram).

Old versions of Red Hat used to insist on running a TrueType font server, for no other reason than presumably to annoy everyone.

[1] Programatically, this can be achieved via the XSetFontPath() call.

[2] Note the hard quotation marks here, so as not to perform globbing at the shell.

[3] Rick Moen comments: Unix newcomers are often confused by the notion of applications being X11 clients and the graphical display being driven by a server process, which somehow is opposite to people's expectations. They think: surely the applications are serving up display data, thus making them servers, which the graphical display is receiving, thus making it a client. However, what's being served up, to both local applications and remote ones via X11 network access, is the graphical display software's drawing services, as a central system facility for all applications that need it. Thus the applications are, for that purpose, clients.

Talkback: Discuss this article with The Answer Gang

Creating a Rudimentary Kiosk System using FVWM

By Thomas Adam

Introduction

It is always interesting to see how and where Linux is used within the wider community, especially where the general public are concerned. Indeed, it is quite often the case for public libraries to use a batch of computer terminals to offer a portal via their own intranet so that they can do searches for books, renew overdue books, etc.

However, ensuring that those terminals only provide that specific service can be something of a challenge. Because they're public-facing terminals, their functionality is likely to be limited to a specific subset of the available applications. Ensuring that these applications are the only ones the user of the terminal sees, along with making sure that no other application is accessible unless it's explicitly needed in such a way that it doesn't break the system can be an interesting task, to say the least.

This is where some sort of kiosk comes into play. Note that the concept is nothing new, although the current HOWTO on the issue is somewhat out of date. FVWM, which is mentioned in the above HOWTO, has advanced a lot since it was written. Of course, since then, desktop environments such as KDE have also had a kiosk extension added to them.

This article will focus on using Firefox as the main and only application the user will be using. By using FVWM to manage this application, it is possible to provide restrictions not only on the application, but also the environment the user will be using.

The motivation for this article is mostly derived from a series of e-mails I have been exchanging with someone who seems to be trying to setup a kiosk system in a corporate environment. The actual content of the e-mail that turned into this article (as a very odd coincidence) is born out of an e-mail from another TAG member, who asked the same question.

Originally, I had planned to discuss how to lock down Firefox. While this is applicable within the context of this article, it's also somewhat less restrictive, given that different people require different circumstances. Firefox itself has a series of extensions dedicated to kiosk browsing that you can further use to lock Firefox down. This article will concentrate on getting a window manager (FVWM) to do the rest of the work.

Preliminaries

• Run the application maximized
• Possibly remove window decorations (run full-screen)
• Ensure that Firefox is the only application running
• Ensure that's the only application that can be run

From first principles, here's what your ~/.fvwm/config file ought to contain. Note that any decoration changes for this are out of scope for this article; if you don't like hideous pink borders, change them. (I'm going to suggest FVWM version >=2.5.16; anything I write here won't work on FVWM 2.4.X).

Enter FVWM

StartFunction is a function that FVWM runs at both restarts and init. So, in this, all that's needed is to start your application. Since there are some crude preventative measures one can take to ensure this application doesn't die once the WM has loaded, we'll just start this at init time.

DestroyFunc StartFunction
AddToFunc   StartFunction
+ I Test (Init) Exec exec firefox

That's that, all taken care of. Next thing to consider is whether you want any window decorations or not, for Firefox. Let's assume for the moment that you do want the title and borders, but want to restrict the buttons that appear on the title. That's fine; just set a style line for it:

Style Firefox-bin NoButton 1, NoButton 2, NoButton 4, ResizeHintOverride

NoButton removes a button from being displayed in the title. ResizeHintOverride makes those column-dependent aware applications not worry about it. The number buttons are ordered thus, on a titlebar:

+----------------------------------------------------------+
| .  .  .  .  .                              .  .  .  .  . |
+----------------------------------------------------------+
| 1  3  5  7  9                             10  8  6  4  2 |
|                                                          |

Typically (and as is the default), buttons 1, 2, and 4 are defined for normal operations of displaying a menu (button 1) and minimising and maximising an application (buttons 4 and 2 respectively).

The next thing to do is remove any possible mouse bindings on the title bar that could disrupt its operation, or that could cause some arbitrary operation to be performed on it. This also includes bindings for both the frame and the sides of the window.

Mouse 1 SF A -
Mouse 1 T  A -
Mouse 2 SF A -
Mouse 2 T  A -

That's just an example. You ought to do the same for key bindings, although by default FVWM defines no key bindings other than bringing up a popup menu.

So what happens once the application starts? You'll presumably want it maximised. Read the FvwmEvent article for details of this. Essentially, the following could be used:

DestroyModuleConfig FE-SM: *
*FE-SM: Cmd Function
*FE-SM: add_window StartFirefoxMaximised

Module FvwmEvent FE-SM

That sets up FvwmEvent using a module alias of 'FE-SM'. It's listening for the add_window event, and hence will call the 'StartFirefoxMaximised' when any new window is mapped. As for what StartFirefoxMaximised looks like:

DestroyFunc StartFirefoxMaximised
AddToFunc   StartFirefoxMaximised
+ I ThisWindow (Firefox-bin, !Maximized) Maximize 

The function says that if the window mapped matches "Firefox-bin" as either its window name, class, or resource (class in this case), and it is not maximised, to maximise it.

And that's it, right? Pffft, if only. What if, by some means unknown to us, the window were un-maximised? That's not something we probably want within this kiosk environment, much less allowing the window to be moved once it has been maximised. That's OK, since we can restrict this. You might think it's a simple case of adding to the style definition we defined for Firefox earlier:

 Style firefox  NoButton 1, NoButton 2, NoButton 4, FixedSize, FixedPosition, !Maximizable

But that's not quite true. What happens here is that the style preferences are applied before the add_window event is triggered. Whilst it is true that "FixedSize" and "FixedPosition" do exactly what we want (i.e., doesn't allow resizing, or moving the window, or not allowing the window to become un-maximized, respectively), we have to apply it afterwards. This is where the WindowStyle command can be used.

The WindowStyle command works like Style, except that it pertains to a specific window currently mapped and visible. Under the hood, it just assigns various struct events via the window's WindowId, but that's out of scope, here. Hence in the StartFirefoxMaximised function, we can now expand upon this further:

DestroyFunc StartFirefoxMaximised
AddToFunc   StartFirefoxMaximised
+ I ThisWindow (Firefox-bin, !Maximized) Maximize 
+ I ThisWindow WindowStyle FixedSize, FixedPosition, !Maximizable
+ I UpdateStyles

I mentioned earlier that you may or may not want any window decorations. If that's the case, then you can do the following to turn them off:

Style firefox !Title, !Borders, HandleWidth 0, BorderWidth 0

That's a bit better, right? Well, maybe. There's still a few other considerations that should be taken into account. When a window is mapped, it is put into a layer (layer 4 by default, which can be changed using the DefaultLayers command). This is fine, but means some windows can cover up this window. This is unlikely to happen here, given that it's unlikely you're going to be running any other application, but, for the theoretical concept alone, it's best to perhaps put this window into a much higher layer than normal.

Style Firefox-bin  NoButton 1, NoButton 2, NoButton 4, Layer 8

FVWM (like several other window managers) has virtual desktops. Wooo. You aren't going to need them here, so ditch them. You can do this using the DesktopSize command, and perhaps the DesktopName command , to define how many desks you want.

DesktopSize 1x1
DesktopName Main

Hence the DesktopSize command restricts us to one page defining a single desk, whose name is "Main". I also alluded to earlier ensuring that you turn off all mouse bindings. This is also true of the root window that might bring up any menus.

Mouse 1 R A -
Mouse 0 R A -
Mouse 2 R A -

Again, it's unlikely to much of an issue, given the application runs in some sort of full screen mode, but it's better to cover one's bases than not at all.

There are two more things that need mentioning. Ensuring that the Firefox window is the only running instance can be a little tricky. We could prepend some stuff to the StartFirefoxMaximised function to try and enforce such a policy.

DestroyFunc StartFirefoxMaximised
AddToFunc   StartFirefoxMaximised
+ I ThisWindow (!Firefox-bin) Close
+ I ThisWindow (Firefox-bin, !Maximized, !Transient) Maximize 
+ I TestRc (Match) ThisWindow WindowStyle FixedSize, FixedPosition, !Maximizable
+ I UpdateStyles

...although that may or may not be overkill for some purposes. It might be the case, of course, that you only want to allow a certain subset of applications to run. This would presumably be via Firefox itself (perhaps some filetypes spawn mplayer or RealPlayer), hence you could expand upon StartFirefoxMaximised even more.

DestroyFunc StartFirefoxMaximised
AddToFunc   StartFirefoxMaximised
+ I ThisWindow (!"App1|App2|App3|App4") Close
+ I ThisWindow (Firefox-bin, !Maximized) Maximize 
+ I ThisWindow WindowStyle FixedSize, FixedPosition, !Maximizable
+ I UpdateStyles

'ThisWindow (!"App1|App2|App3|App4") Close' says something like the following: "If the window just created is not one of App1 or App2 or App3 or App4, then close it." Thus, in this way, one can conditionally place restrictions.

One final consideration. How do you ensure that the Firefox window is never closed? Well, FVWM has a style consideration "!Closable" that when applied means the application cannot be closed... almost. It only goes as far as trying to circumvent the various events generated. It does not, for example, stop xkill closing the application, or for some external source to do so.

You could use some sort of script to monitor whether the application is still running (which assumes this script also runs Firefox).

#!/bin/sh
firefox &          
ffpid=$!      

while sleep 60; do
  [ kill -0 $ffpid ] || {
	# Spawn firefox
	firefox &
	break
  }
done

But that's far from ideal. You might be better off using FvwmEvent to monitor when windows are closed, and to respawn them as apropos. Hence adding to the "FE-SM" definition from earlier.

*FE-SM: destroy_window CheckWindowClosed 

Tells that module alias to now also listen for any windows closing and take action. The function CheckWindowClosed might look like this.

DestroyFunc CheckWindowClosed
AddToFunc   CheckWindowClosed
+ I ThisWindow (Firefox-bin) Exec exec firefox

That works, right? Well, yes it does. But what if there were more than one instance of Firefox running? What if we wanted to respawn this application only if the last remaining instance of this application died? That's no problem:

DestroyFunc CheckWindowClosed
AddToFunc   CheckWindowClosed
+ I None (Firefox-bin) Exec exec firefox

None will only work if there's no instances of the matched window being asked for — in this case, "Firefox-bin".

Conclusion

Some may argue that the use of a window manager is in itself overkill, given that one could easily dispense with using one, and just start Firefox in fullscreen mode as soon as X11 is logged into. However, that's potentially disastrous, given that the windows aren't controlled. A transient window (such as an open dialogue box) wouldn't be managed — if it were opened in an awkward place on the screen, there's be no way of moving it. Neither, of course, does not using a window manager preclude the possibility of closing other windows (applications) down that don't ultimately belong there.

In short, there is no real solution or easy answer to creating a true kiosk system. At best it can simply be managed by enforcing certain rules specific to its environment.

Talkback: Discuss this article with The Answer Gang

A Brief Introduction to VMware Player

By Edgar Howell

The other day on the way home from work, between the streetcar and the bus, I spent a couple of minutes at the train station bookstore, and picked up a magazine with a DVD containing 10 new "Linux-PCs". Hmmmm...

After getting off the bus, but before I had a chance to complete the walk home, it began to rain. That ruined all hopes of being able to mow the lawn... so I decided to investigate the DVD, instead.

As it turned out, it contained VMware Player and 10 virtual machines, or VMs: Damn Small Linux, Fedora Core 4, Pocketlinux, and so on. It was beginning to look as if the weekend would have some sunshine, after all!

Just What Is VMware?

For those not familiar with virtualization in general, or VMware in particular, virtualization has been around in the mainframe world for some 30-odd years. It enables effectively simultaneous execution of more than one instance of operating systems — including, in the case of VMware, ones that would not normally even be able to execute on the physically available hardware. This is a remarkable accomplishment that requires convincing the operating system that it really has sole ownership of the hardware environment it requires.

This unfairly terse description falls horribly short of doing justice to the amazing feat - but there is no shortage of far more detailed descriptions on the Internet.

Installation

As usual, the first step is to install VMware Player. Well organized by VMware, installation was a real no-brainer. I did read the prompts and consider the responses, but wound up just accepting the defaults offered by the installation script.

Perhaps it was an idiosyncrasy of the particular magazine that I picked up (it actually addresses users of Wimp/OS), but they had used a compression program I neither had nor had ever heard of. No problem - it was available at SourceForge, and just needed to be installed.

[ '7zip' is actually not a Wind0ws-centric program at all; it's been available for Linux for quite a while now. To quote Debian's package listing, "7-Zip is the file archiver that archives with the highest compression ratios. The program supports 7z (that implements LZMA compression algorithm), ZIP, Zip64, CAB, RAR, ARJ, GZIP, BZIP2, TAR, CPIO, RPM and DEB formats. Compression ratios with the new 7z format are 30 to 50% better than ratios with the ZIP format." Good stuff, in other words... except that their RAR compressor is non-free. -- Ben ]

web@linux:~/vm> cp /media/usbdisk_1/p7zip_4.39_x86_linux_bin.tar.bz2 .
web@linux:~/vm> ls
p7zip_4.39_x86_linux_bin.tar.bz2
web@linux:~/vm> bunzip2 p7zip_4.39_x86_linux_bin.tar.bz2
web@linux:~/vm> ls
p7zip_4.39_x86_linux_bin.tar
web@linux:~/vm> tar xf p7zip_4.39_x86_linux_bin.tar
web@linux:~/vm> ls p7zip_4.39
bin  ChangeLog  contrib  DOCS  install.sh  man1  README  TODO
web@linux:~/vm> ls p7zip_4.39/bin
7z  7za  7zCon.sfx  7zr  Codecs  Formats
web@linux:~/vm> cp p7zip_4.39/bin/7za .
web@linux:~/vm> l
total 8360
drwxr-xr-x   3 web users    4096 2006-05-20 17:24 ./
drwxr-xr-x  15 web users    4096 2006-05-20 17:20 ../
-rwxr-xr-x   1 web users 1198328 2006-05-20 17:24 7za*
drwxr-xr-x   6 web users    4096 2006-05-20 17:24 p7zip_4.39/
-rwxr-xr-x   1 web users 7331840 2006-05-20 17:23 p7zip_4.39_x86_linux_bin.tar*
web@linux:~/vm> 

After that, installation of the VMs was quite straight-forward.

web@linux:~/vm> cp /media/dvd/ubuntu/computer/pc_gratis/dsl-linux.exe .
web@linux:~/vm> ./7za x dsl-linux.exe

7-Zip (A) 4.39 beta  Copyright (c) 1999-2006 Igor Pavlov  2006-04-13
p7zip Version 4.39 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,1 CPU)

Processing archive: dsl-linux.exe

Extracting  dsl-linux
Extracting  dsl-linux/nvram
Extracting  dsl-linux/dsl-test-250.vmdk
Extracting  dsl-linux/other24xlinux.vmx

Everything is Ok
web@linux:~/vm>

Now, VMware Player was fully functional and could execute the available VMs.

Using Virtual Machines

Under SUSE with KDE, click on the panel icon for K Menu, then 'System' -> 'More Programs' -> 'VMware Player'.

Navigation is not particularly challenging. As a first test, I chose Damn Small Linux from the 'vm' directory.

Solitaire is a bit sluggish on this 2.6 GHz Celeron(tm), but bearable. In any case, the following definitely isn't SUSE!

When the bottom line shows "To grab input, press Ctrl+G", you can move the cursor over the window as usual. Once you press Ctrl+G, the cursor belongs to that window, and it is necessary to press Ctrl+Alt to effectively de-activate that window and free the cursor. Ctrl-Alt-F2 and the like still work as usual.

At this point, I halted the VM and shut VMware Player down. Then, I rebooted the hardware. Upon restarting this VM, the former status was restored:

Before re-starting VMware Player, I also added another couple of VMs. The following looks interesting for this long-time SUSE user, at least:

Indeed, after logon:

And for the skeptics in the crowd, yes, both are active at the same time:

The initial boot of a VM takes quite a while, just as does booting hardware. On the other hand, restarting a VM that has been active for a while is extremely fast.

Activating the network was no problem at all. In each of two VMs, after a right-click on the "Ethernet" button, I selected "host-only" and then assigned IP-addresses as in "ifconfig eth0 172.16.48.130 up". After that, ping worked as expected:

Sharing Hardware

VMware Player seems to share the hardware with the native operating system quite well. While using Midnight Commander under SUSE to copy VMs from the DVD into the appropriate directory, I started Ubuntu under VMware, and it discovered the DVD drive and went into update mode (synaptic). That slowed down the copying considerably, but it worked just fine.

It is interesting that there is almost no limit to the number of VMs available. VMware doesn't use partitions; each VM exists within its own directory. I renamed the Ubuntu directory and unpacked it again, creating a clone. When the renamed VM was started, it came up with the status at the point where it had been shutdown. The new VM went through the usual (simulated) hardware boot.

The SUSE VM is 10.0, which is my most-current version. After placing the distribution DVD in the drive and clicking on the "CD-ROM" button, there was no problem using YaST to add software to the VM. Although VMware Player doesn't support creating new VMs, they clearly can be updated. Since YaST uses RPMs, installing one ought to work, and I would expect that to be the case for a tarball, as well.

Finite Resources

But don't get over-confident in starting VMs! At least my resources are finite:

Networking

After assigning an appropriate IP-address such that the Ubuntu VM was on the same sub-net as the network printer, it was possible to ping it. Similarly for the notebook, manually assigned IP-address 192.168.0.100. This required using the "Ethernet" button to change the status of the network from "host-only" to "bridged".

There was no trouble using SSH to log onto the notebook from Ubuntu, or the other way around, although this of course required using the ad-hoc IP-addresses rather than host names.

Why Bother?

Some time ago, when I mentioned to someone that I was interested in checking out virtualization on a PC, his response was "Why?" Wow, someone even more skeptical than I am! But the question is certainly legitimate.

Typically the "traditional" reason to use virtualization in this environment has been consolidation of servers, as in a server farm that has lots of hardware idle most of the time. Particularly if hosting for customers who may be competitors, virtualization provides clean separation of VMs as opposed to simply providing service for many customers on one machine.

However, I don't have a server farm in need of consolidation in the office at home, and I doubt that most readers do either. However, if you think about it, this can be a very interesting technology, although certainly not of use to everybody.

As you saw above, given available VMs, it is essentially trivial to make an unfamiliar environment available in a non-trivial way. As a long-time SUSE user, I'm not at all familiar with GNOME. Disparaging comments by others notwithstanding, I am interested in playing around with GNOME, which is very different from what I am used to.

Indeed, this environment should be ideal for both teachers and students. One of the things that I really appreciate about GNU/Linux is the ability to learn new things at my own pace, at home, when I have the time and at no or minimal expense. Without a great deal of effort on my part, I can now get familiar with several distributions I might never have had the time for.

Someone teaching a course could set up a series of exercises for his students, and just needs to copy a handful of VMs onto CD-ROM. This would be very effective for a course on some Linux distribution, particularly if the students have only Wimp/OS at home.

Or consider the need to do regression tests. The fact that every VM restarts at the point it had been shut down would be extremely nice for testing. Set up initial conditions and save the directory to ensure that every test later run actually is testing the same thing, unaffected by any side-effects of something else run between tests.

Philosophy 101

To those who might object to VMware's proprietary business model, I would reply that it is another tool on the market, and, from my perspective as a consultant, I like having it in my toolbox. Very many years ago, on a job-interview, I had to admit that I didn't yet have any experience with one particular package. Someone else got that job. Made sense then, makes sense today. Do you want to be the one to say "I can learn that"? How about "Been there, done that"?

In my opinion, virtualization is going to be very important, very soon. I am really looking forward to my first machine with Vanderpool or Pacifica technology.

Conclusion

This "brief" introduction comes nowhere near doing justice to the accomplishment of VMware. It can be installed under Wimp/OS to run GNU/Linux or the other way around (if your proprietary EULA license gives you access to or permits your producing the appropriate VM). Or merely to isolate a test-bed from a production environment, as in the above.

There were problems, but not all of them were due to the product. Likely attributable to VMware are problems with reboot and date/time, although it might be argued that these are not bugs but features. Using "reboot" or "shutdown -r now" returns the VM to single-user mode. I couldn't figure out how to get "startx --:1" under SUSE to do any good. And after having used VMware's "Quit" button to shut down a VM for a couple of days, on restart it has the date and time of shutdown. Well, in some scenarios that does make sense.

VMware certainly does require significant resources. The version of Solitaire that comes with SUSE will finish a game automatically if told to try; natively, on a notebook with 1 GB of memory, it moves about 5 cards per second. Under VMware, however, it takes about 2 seconds per card. ping can take so long that it seems to have hung: in spite of reporting 0.352 ms, the wall-clock time was closer to 10 seconds!

This is not the responsibility of VMware, but my PC has only 512 MB - which sure seemed like a lot at the time. Two instances of Ubuntu can be started in that, but their response times are egregiously slow. A third instance fails due to lack of memory.

A general problem with an environment where several different systems can be played with is inexperience with each, by definition (again, not relevant to VMware specifically.) It took frustratingly long to find a command line with GNOME. Although Ubuntu claimed to be using a German keyboard, it wasn't and I couldn't convince it to do so — but, then, SUSE with the same problem was difficult, because SaX2 wouldn't execute consistently.

If the VM available to you doesn't correspond to your hardware, you might be in trouble. Given appropriate distribution media, it is possible to update software. However, what if the VM doesn't even know about DVDs or writing to CD? Well, there's always networking out to the native operating system.

Nonetheless, never was it so easy -- without having to worry about repartitioning or zapping the MBR -- to get so many different operating systems functional on one machine, not only without their getting in each other's way but able to co-operate with each other.

Talkback: Discuss this article with The Answer Gang

Edgar is a consultant in the Cologne/Bonn area in Germany. His day job involves helping a customer with payroll, maintaining ancient IBM Assembler programs, some occasional COBOL, and otherwise using QMF, PL/1 and DB/2 under MVS.

(Note: mail that does not contain "linuxgazette" in the subject will be rejected.)

Subversion: Installation, Configuration — Tips and Tricks

By Muthaiah Ramanathan

Introduction

This article is about installing and configuring Subversion v. 1.3.x; the installation was performed under Fedora Core 4, but should not be very different under other distributions. This article will not touch upon the usual subjects — i.e., where to download Subversion and what distro-specific commands should be used to install and configure this open source version control system.

To the novice/beginner, Subversion is a version control tool from the free/open-source world, designed to replace (and completely take over) the old horse, CVS. We will not be delving in-depth into how and why Subversion works the way it is working currently, and that is not the objective of this article.

Multiple Subversion(s)

Using system commands, check whether you already have Subversion installed. If so, verify the version before proceeding to install the latest. It is quite possible to have multiple versions installed in the same system.

Multiple Subversions — v. 1.2.3 and v. 1.3.0 — are installed in this system, for example:

[ram@lemuria ~]$ whereis svnversion
svnversion: /usr/bin/svnversion /usr/local/bin/svnversion /usr/share/man/man1/svnversion.1.gz
[ram@lemuria ~]$ /usr/bin/svnversion --version
svnversion, version 1.2.3 (r15833)
   compiled Aug 26 2005, 03:42:45

Copyright (C) 2000-2005 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

[ram@lemuria ~]$ /usr/local/bin/svnversion --version
svnversion, version 1.3.0 (r17949)
   compiled May 20 2006, 23:55:41

Copyright (C) 2000-2005 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

Pre-Installation Checks

Subversion repository storage can be based on any one of the following:

• FSFS-based repository storage
• Berkeley DB-based storage

At the time of creating the repository, the user has the choice of using either one of the storage types to hold the repository. By default, the storage type is FSFS enabled. [1]

With Subversion, access to the repository also has multiple choices, which can be any one among the following:

1. local file-system access,
2. HTTP-based access, and,
3. secure shell-based access.

How does one know for which mode of "repository access" Subversion has been configured/installed? To see the answer, run the following command:

svn --version

On my system, the output from the above command looks like this:

[ram@localhost ~]$ svn --version
svn, version 1.3.1 (r19032)
   compiled Apr  4 2006, 06:38:16

Copyright (C) 2000-2006 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository access (RA) modules are available:

* ra_dav : Module for accessing a repository via WebDAV (DeltaV) protocol.
  - handles 'http' scheme
  - handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme

Q&A: Before Installing Subversion

Take time and try to find the answers to the following questions before proceeding to install and configure Subversion.

• Type of repository access required: file-system, SSH, HTTP.
• Restrictions on repositories: open-to-all, restrictive access with special groups for each repository, etc.
• Version of Subversion to be used, along with version of one's "httpd" server.

Whatever your answers, always create one special/common Subversion group ("svnusers") to which users can be assigned; to these users, Subversion repositories can be opened-up for access. (For example, with the common group, the repository could be a play area/scratch pad sort of setup, where "everyone" can practise Subversion and familiarise themselves with the tool.)

The next task is to create a special user ("apache") for running the "httpd" server. This user can be added to that special/common group created for the needs of Subversion.

On my system, the results look like this:

[ram@localhost ~]$ grep apache /etc/passwd
apache:x:48:48:Apache:/var/www:/sbin/nologin
[ram@localhost ~]$ grep svn /etc/group
svnusers:x:501:ram,apache,root

NOTE: The "apache" user is part of the "svnusers" group, but can be configured in such a way as to have two special groups for Subversion — one group for those that access the repositories via "http" and another for access via "file-system".

One final word on Web server "httpd". Always install the "httpd" server first, before Subversion. Subversion is built on APR (Apache Portable Runtime) libraries, which provide all the interfaces that Subversion requires for its basic functionalities on different OSes, like disk access, network access, memory management, etc.

Subversion with Apache

Pre-Installation Tips

It is always good to install Subversion from its sources. [2] In such a case, the "configure" script from the Subversion source should be run like this (assuming that the "httpd" server is already installed):

./configure --with-apr=/full/path/to/apr-config --with-apr-util=/full/path/to/apr-util-config

Post-installation Tips

After installing Subversion, I proceeded to play around with it using "http" access, but things did not happen as I expected: A quick look at the Web server logs revealed that "http" requests were failing. Thanks to people on the 'svnforum' mailing list, the problem was quickly revealed: it concerned the APR libraries used in Subversion source compilation.

Using the "ldd" command, I verified the APR libraries used in 'mod_dav_svn.so' and 'httpd', but they did not match — meaning that "httpd" and mod_dav_svn were not referring to the same APR libraries they should be.

[ram@lemuria ~]$ ldd /lnx_data/apache2.0.54/modules/mod_dav_svn.so | grep apr
        libaprutil-1.so.0 => /lnx_data/apache2.0.54/lib/libaprutil-1.so.0 (0xb7def000)
        libapr-1.so.0 => /lnx_data/apache2.0.54/lib/libapr-1.so.0 (0xb7d59000)
[ram@lemuria ~]$ ldd /lnx_data/apache2.0.54/bin/httpd | grep apr
        libaprutil-1.so.0 => /lnx_data/apache2.0.54/lib/libaprutil-1.so.0 (0xb7f8f000)
        libapr-1.so.0 => /lnx_data/apache2.0.54/lib/libapr-1.so.0 (0xb7f6d000)

"mod_dav_svn.so" should be linked to the same APR libraries as used by "httpd", and fixing that took care of the problem.

Repository Access using HTTP

Following successful installation of Apache and Subversion, next, repository access via http:// schema must be configured in "</path/to/apache/conf>/httpd.conf". Some of the parameters that can be configured are related to hosting the repository; other parameters are related to the special/common user and group for Apache and Subversion:

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User apache
Group apache_svn

After creating the repository and configuration, it's time to bring-up the Web server and start accessing the repository via http:// schema. As you can see below, the "httpd" server is started and running as that special/common user, "apache":

[ram@lemuria ~]$ ps auxw | grep apache
root      2984  0.7  0.6   7616  2848 ?   Ss   19:46   0:00 /lnx_data/apache2.0.54/bin/httpd -k start
apache    2985  0.0  0.4   7616  1900 ?   S    19:46   0:00 /lnx_data/apache2.0.54/bin/httpd -k start
apache    2986  0.0  0.4   7616  1900 ?   S    19:46   0:00 /lnx_data/apache2.0.54/bin/httpd -k start
apache    2987  0.0  0.4   7616  1900 ?   S    19:46   0:00 /lnx_data/apache2.0.54/bin/httpd -k start
apache    2988  0.0  0.4   7616  1900 ?   S    19:46   0:00 /lnx_data/apache2.0.54/bin/httpd -k start
apache    2989  0.0  0.4   7616  1900 ?   S    19:46   0:00 /lnx_data/apache2.0.54/bin/httpd -k start

Configuring svnserve

As stated in the Subversion manual, the svnserve program is a lightweight server capable of communicating to clients over TCP/IP using a custom, stateful protocol. Clients can use svnserve services using either svn:// or svn+ssh:// access schema. However, before that, svnserve must be configured. Here, again, there are multiple options: svnserve can be configured to run by "inetd" or as a standalone daemon process.

Authentication Options

In the following examples I have configured two separate "svnserve" daemons, again on the same system, both serving different repositories and listening to different ports. For one of the repositories, authentication options are turned on using Subversion's built-in authentication and authorization mechanisms.

The result of configuring multiple repositories under "svnserve" is shown here.

Subversion's built-in authentication configured using "/path/to/repository/conf/svnserve.conf" is shown here.

The svnserve.conf shown in the previous example has many entries and one among them is password-db = passwd. This passwd file can be located in the same directory as "svnserve.conf" and sample entries of this file are shown here.

If "passwd-db = passwd" is turned on but there are no real entries in the "passwd" file, you'll see errors like this one:

[ram@lemuria svntest_project]$ svn commit -m "added the first test C file"
svn: Commit failed (details follow):
svn: /lnx_data/report_holder/svntest_project/conf/svnserve.conf:18: Section header expected

As can be seen here, commit operations will run successfully once the appropriate entries are defined in svnserve.conf and passwd.

NOTE: The passwd file referred to above is not the same as the system file, /etc/passwd. The system file cannot be used in svnserve's configuration.

Summary

In this brief article, I have tried to highlight basic parameters and options usable for configuring Subversion with or without Apache. It's also a good idea to go through Subversion documentation to clarify your doubts on this tool's usage. Many a time, it is worthwhile to consult people (e.g., the Subversion users mailing list) and seek guidance towards resolving Subversion problems.

[1] Rick Moen comments: Since all Linux Gazette editorial production is managed via svn (Subversion), we've tallied up considerable experience with both of these repository options over the years, and can heartily recommend the stability advantages of the newer FSFS option, which uses platform-independent flatfiles rather than database storage: Our experience with the older BerkeleyDB ("BDB") option was that improperly terminating svn processes would often wedge the repository if they died during commits, requiring an irksome "recovery" operation before work could resume. FSFS repositories are also less trouble to backup.

[2] Rick Moen comments: The usual cranky-sysadmin advice applies: In my view, as a matter of administrative best practices, compiling source code from an upstream maintainer's source tarball should be your last resort, if good official packages from your Linux distribution or trustworthy, quality unofficial packages constructed for your Linux distribution don't exist, only then should you use upstream tarballs as a fallback. Even then, check to see if the the tarball provides build instructions, e.g., an rpm SPEC file, for your distribution.

Why? Any time you skip the work done by distribution package maintainers and work directly with upstream source code, you're implicitly agreeing to either perform all of that work yourself or suffer the consequences of its absence. Most people have little conception of how much work that is, or its value. Package maintainers monitor upstream releases to select which have the best mix of new features and debugging (newer not necessarily being better), usually apply patches to adapt them to distribution-specific needs, and sometimes code and apply security patches the upstream programmer never even thought of. Moreover, they do this on an ongoing basis, making improvements available to a myriad of systems, keeping those systems updated without their admins needing to worry, let alone duplicate that work.

Talkback: Discuss this article with The Answer Gang

Coding a Simple Packet Sniffer

By Amit Saha

This article has been removed from this issue following revelation of excessive direct copying from a primary source. Linux Gazette was not aware of that copying until recently, and regrets it.
-- Ben Okopnik, Editor-in-Chief

Talkback: Discuss this article with The Answer Gang

The author is a 3rd year Computer Engineering Undergraduate at Haldia Institute of Technology, Haldia. His interests include Network Protocols, Network Security, Operating systems, and Microprocessors. He is a Linux fan and loves to hack the Linux kernel.

The Foolish Things We Do With Our Computers

By Ben Okopnik

"Foolish Things" is a now-and-again compilation we run based on our readers' input; once we have several of these stories assembled in one place, we get to share them with all of you. If you enjoy reading these cautionary tales of woe, proud stories of triumph, and just plain weird and fun things that happen between humans and silicon, that's great; if you have some to share so that others may enjoy them, even better. Please send them to .

[ You can even tell us that it happened to A Friend of Yours, and we'll believe you. ]

-- Ben

A Black Mark on Their Reputation

Karl-Heinz Herrmann

We have a nice SCSI HP ScanJet that's been sitting around for years; once in a while, we use it to scan X-ray films with a full A4 backlight. After some PC rearranging, it got moved and stopped working. The PC to which it was attached had SCSI cables that were too long (which worked fine before), but, after being shifted, the PC's SCSI disk would only run at lowest async speed. We changed about everything on the chain including the SCSI adapter in the stripped-down PC, but nothing helped. After giving up on connecting the scanner, I put in the network card again: the AGP graphics card stopped working, no screen output whatsoever. Pull the network card out: screen acts OK. Hm.

Dismissing the PC as too flaky and ancient to care about (PII 400), I decided to plug the HP scanner into my Linux laptop just to check it — and it worked perfectly. I then plugged it into a mini-tower similar to the discarded one, and it worked fine. So all is fine, right? Not so. After moving it around on the table and arranging the cables nicely, it wouldn't work. Then I realised that the scanner wasn't making the "normal noises" on power up: it would move the sledge inside a short way — and then nothing. When it was working, it would move the scan head back and forth for a few seconds, and then switch off the light. That was when we decided the scanner had a real problem after all, and sent it to a repair shop — but they sent it back saying the board was defective and they couldn't get a replacement, since it's too ancient.

There it was, sitting on the desk — a huge thing, sturdy beyond anything, and the board is "gone" just like that? By moving it a bit? I decided to open it up and look for a bad contact somewhere, maybe close to the SCSI connector. After I got the case open (tricky to find the last two screws), I saw a bit of the circuit board and the flat cables. Looks flawless to me — fine mechanics, cable guides everywhere. So, I switch it on, the head moves a little and stops with the light on — so it's still not OK. But the light is blinding me, so I put a sheet of paper on it — at which point, the head moves back and forth, goes to the 'park' position and switches off the light. (??!) It was reproducible, too. I turn around the top cover, and there is the white strip used for calibrating the scan sensors before each scan. I rub my finger over it, and it comes up black; I clean the glass plate from the inside, put it on, and — the scanner works perfectly. Damaged board indeed.... These fellows didn't even open it up.

Letting Out the Magic Smoke

Ben Okopnik

This is a story that I'm telling on myself rather than exposing someone else's foolishness; as they say, "it was in a far country, and besides, the wench is dead" — and I'm smarter (I hope!) than I was then. Many, many years ago — those of you who were working with computers then will have a good idea of when, once you read this — when I was just a PFY and still learning the computer repair trade, I was working on a relatively new machine that I had brought home from a client's place. The problem was that the motherboard manufacturer (long since out of business — and with good reason) used tiny rivets to connect the layers on the opposite sides of the board instead of properly plating everything all the way through. Well, as time went on, and thermal expansion flexed the board microscopically, these rivets came loose — and so did the connections. Randomly. Sometimes yes and sometimes no — and sometimes maybe; depending on the weather, the humidity, how recently the computer had been pounded with a fist, etc.

Expensive as it was back then — and it was very expensive indeed — I had convinced this client to replace all these boards. He agreed, through gritted teeth, but got me to promise that I would try my best to keep his old boards working as long as possible..., so I spent a lot of time soldering these rivets, using a contact-cleaning file around their edges to get at least some kind of connection, or trying to solder hair-fine wires to the traces. (This worked very rarely, since the traces were so thin that they'd burn up as soon as you touched them with a soldering iron.)

Back then, the standard bit of advice was to leave the computer plugged in but turned off while you worked on it; this provided a local ground that you were always touching and decreased the chance of blowing the chips — which were very sensitive to static back then. The board that I was working on was fairly new, and had just started showing that random behavior. As usual, I plugged it in, made sure it was turned off, and was twiddling my tiny file while quietly cursing to myself — when suddenly, the chip next to the rivet, which I just happened to touch with the file, EXPLODED. I mean, literally — blew out a chunk of its ceramic packaging so I could see the silicon underneath.

I was completely flabbergasted. I had made absolutely sure that I switched it off; I knew that the capacitors in the PC power supply were designed to discharge in a fraction of a second after shutdown... What happened? I grabbed my voltmeter and started poking around in the machine, and figured it out after about two hours of measurements:

(Yep... it was that long ago.)

I felt really awful, but... I did indeed follow the agreement I had with that client: that board couldn't be repaired anymore, and needed to be replaced. I forgot to mention that I was the one that contributed to its slightly earlier demise.

P.S. I never signed up for that kind of serfdom anything like that again - and I always used a grounding strap instead of a plugged-in chassis since that day. :)

Orientation Week

Rick Moen

The time having come to concoct a replacement for my server-grade 486DX2 EISA/VLB-bus Linux host, I decided one day to build a new machine from best-of-breed parts (well, within limits set by my being a cheapskate).

I happened to have an excellent tower case and PC Power & Cooling power supply handy, a pair of Adaptec PCI SCSI host adapters, a SoundBlaster Pro, Matrox G200 video, a couple of large, fast IBM SCSI hard drives, a Plextor SCSI CDR, and a pair of 3Com 3C509B 10 megabit ethernet cards. (Hey, all it had to do was potentially max out a 1.54 megabit T-1 line, OK?) That left the matter of motherboard and parts attendant thereto.

After some checking, I bought a nice little FIC PA-2007 Socket-7-type motherboard. Then, from my favourite vendors (SA Technology), I acquired 128 MB of Crucial Technology SDRAM capable of running at CAS2 operation at 100MHz, an AMD K6/233 CPU, and a big-kahuna heat sink with a fan on top that uses ball bearings instead of the standard, noisy, failure-prone sleeve bearings. The ensemble was designed to be highly reliable, and at the same time hackable if I ever decided to join the then-pervasive overclocking madness.

Anyhow, I banged everything together. It seemed to work fine. The big tower case, low-heat-output CPU, and major cooling capacity meant that the thing ran very cool and reasonably quiet, even with the two very fast IBM 10,000 RPM SCSI hard drives.

As was my custom, I started compiling a kernel after a bit. That compile errored out with a SIG11. Hmm. Tried again. Errored out even faster, and at a different point in the compile. Odd. Do I have bad RAM?

Shut down and re-seated the RAM. Went downstairs to the CoffeeNet (a recently reborn 1990s Linux-based Internet cafe I'd helped build) for a caffeine infusion. Came back, powered up, ran the compile. No problems. Ran the compile again: SIG11. Ran it again: SIG11 at a different place. Ran it with only half the RAM: Same symptoms. Ran it with the other half: Same. Didn't seem to be a RAM problem(?).

Slept on the problem. Woke up, fired up the machine, ran a compile: No problem. Ran it again: No problem. Ran it a third time: SIG11. Ran it again: Same error, different spot.

Pondered the problem for a bit: It seemed as if the error was kicking in only after the system reached heat equilibrium, but not during the initial 30 minutes of operation when the system was still stone-cold. But that didn't make much sense: I opened up the case and re-verified that the system really was an engineer's dream of conservative design, and that even the 10,000 RPM drives were running cool.

I drove down from San Francisco to the Palo Alto Fry's and bought both the heat-conductive pads you can sandwich between CPUs and their heat sinks and the thermal paste you can use instead. I was going to make double-sure that I had good contact, there, before taking the CPU back to SA Technology and looking like an idiot if it turned out to be perfectly OK.

I took the heat sink off the CPU, cleaned both off, put paste on them and pressed them together. For some reason, perhaps on account of some bell ringing in my unconscious mind, a few minutes later I pulled them apart again to look at the two pieces more closely.

And swore.

The Socket-7 motherboard socket for the K6 has a square outline, and the pins have a square pattern, with one corner of the CPU's pin-layout being different so you won't destroy it by putting it in the wrong way. When you put the CPU into the socket, if you aren't looking too closely (cue ominous music), you think: square socket, square CPU with a keyed feature to keep you from screwing up, square heatsink/fan assembly. 1, 2, 3 — done. Foolproof. (Well, no.)

The top surface of the CPU turned out to have a heatsink-contact surface that extended only across maybe 70% of the lateral distance, and the other 30% was sunk down lower.

---------------------
|            |      |
|            |      |
|            |      |
|            |      |
|  contact   |      |
|  surface   |      | 
|            |      | 
|            |      |
---------------------

I'd accidentally rotated the heatsink 180 degrees, so that its contact surface was staggered over to the right-hand-side:

---------------------
|      |            |
|      |            |
|      |            |
|      |            |
|      |   contact  |
|      |   surface  |
|      |            |
|      |            |
---------------------

Only a little strip in the middle was actually touching, so all the other thermal paste was still protruding up into the air, un-squashed. Most of the CPU top surface was getting zero help with cooling, and instead was radiating out into a nice warm, insulating air pocket under the heatsink.

If this had been an Athlon or P4 Coppermine, the CPU probably would have committed seppuku, but the K6 was completely undamaged and has been happily cranking away ever since.

But that experience confirmed me in my prejudice that a cool CPU (like a cool system generally) is much, much, much to be preferred over one that runs hot and needs heroic measures like huge amounts of forced air flow to stave off disaster. Those other ones may be faster — but usually (for most machine roles) don't even manifest that speed in ways you especially care about.

Talkback: Discuss this article with The Answer Gang

Ben is the Editor-in-Chief for Linux Gazette and a member of The Answer Gang.

Ben was born in Moscow, Russia in 1962. He became interested in electricity at the tender age of six, promptly demonstrated it by sticking a fork into a socket and starting a fire, and has been falling down technological mineshafts ever since. He has been working with computers since the Elder Days, when they had to be built by soldering parts onto printed circuit boards and programs had to fit into 4k of memory. He would gladly pay good money to any psychologist who can cure him of the recurrent nightmares.

His subsequent experiences include creating software in nearly a dozen languages, network and database maintenance during the approach of a hurricane, and writing articles for publications ranging from sailing magazines to technological journals. After a seven-year Atlantic/Caribbean cruise under sail and passages up and down the East coast of the US, he is currently anchored in St. Augustine, Florida. He works as a technical instructor for Sun Microsystems and a private Open Source consultant/Web developer. His current set of hobbies includes flying, yoga, martial arts, motorcycles, writing, and Roman history; his Palm Pilot is crammed full of alarms, many of which contain exclamation points.

He has been working with Linux since 1997, and credits it with his complete loss of interest in waging nuclear warfare on parts of the Pacific Northwest.