
Linux, IBM replace NT at Venezuela bank

Author: JT Smith

Linuxgram has a short item saying Venezuela’s Banco Mercantil has “ripped out 30 NT servers and replaced them with an IBM S/390
mainframe running SuSE Linux.”

Category:

  • Open Source

Cox: Linux 2.4.4-ac4 available

Author: JT Smith

Alan Cox and the kernel team are in high gear. Here’s another release. It’s at ftp://ftp.kernel.org/pub/linux/kernel/people/alan/2.4/. Intermediate diffs are available from http://www.bzimage.org.

2.4.4-ac4
o Fix future domain scsi (Carlo Prelz)
o Merge Linux 2.4.5pre1
o Fix ipx without sysctl compile (Pavel Roskin)
o Revert fork changes to match Linus 2.4.5pre1
o Drop the threaded core dump code
| It can go back in when it works
o Drop pa-risc work – it’ll be easier to resync
just once as pa has moved on a lot
o Add spin_lock_prefetch to get_empty_inode (me)
| Experimenting
o Kbuild has moved (Keith Owens)
o Update kernel docs on memory barriers (Rusty Russell)
o Move es1370 pci_enable and do some cleanup (Marcus Meissner)
o Fix netfilter overuse of __exit (Rusty Russell)
o Fix alpha build bug (Michal Jaegermann)
o Fix tigon1 build (Olivier Galibert)
o Fix tmpfs deadlocks writing into a file from
an mmap of itself (Christoph Rohland)
o Fix missing (but harmless) return in vmtruncate (Al Viro)

2.4.4-ac3
o Fix hang on boot with SMP (Andrea Arcangeli)
| and fixes a few more uglies too
o freevxfs module name was wrong (should be
freevxfs.o) (me)
o Update alloc_etherdev docs (Erik Mouw)
o Remove dead funcs, put back ip_set_manually
in the ipconfig code (David Miller, Arnaldo Carvalho de Melo)
o Fix SA_ONSTACK standards violation (for x86) (Christian Ehrhardt)
| Other arch maintainers should check.
o Add another species of SB AWE 32 (Bill Nottingham)
o SE401 USB camera driver (Jeroen Vreeken)
o Correct MAX_HD and make stuff static in ps2esdi (Hal Duston)
o Fix inode-nr corruption (Al Viro)
o Fix pgd_alloc for user mode linux (Jeff Dike)
o Fix UML hostfs for get_hardsect_size (Jeff Dike)
o Tidy up APM options setting, add module opts (Stephen Rothwell)
o Fix acm open race (Oliver Neukum)
o Further bounce buffer fixes (Arjan van de Ven)
o ACPI updates (Andrew Grover)
o Move pci_enable_device earlier on via audio (Arjan van de Ven)

Category:

  • Linux

Raymond challenges Microsoft’s security record

Author: JT Smith

From Open Source advocate Eric S. Raymond: About an hour after I posted “Beware the Microsoft shell game!”, the
company that wants you to trust your digital identity and your vital
business data to its .NET application servers admitted that there is
an easy root crack in the standard build of Windows 2000 running the
IIS web server. Code for this exploit has been sighted in the wild.

What this means is that unless a knowledgeable sysadmin has taken
explicit action to prevent it, any 15-year-old who can copy code off
the Internet can use Microsoft’s IIS to bypass your firewall, bypass your
password system, and gain administrator-level access to the machine
that hosts your webserver. They can inspect, alter or delete files at
will no matter how you have them secured. They can also use root-level
access to that machine as a springboard for attacks on other systems
inside your firewall.

A writeup on this latest in the apparently unending stream of gaping
holes in Microsoft’s security is at:

http://www.eeye.com/html/Research/Advisories/AD20010501.html.

This is about as bad as it gets, folks. It’s a big, nasty problem even by
Microsoft’s security-bug-of-the-month standards.

At Craig Mundie’s anti-open-source sermonette in New York tomorrow (Thursday),
I hope someone will have the temerity to ask him a few simple
questions:

    1. Should Microsoft’s record on security inspire confidence in
    customers considering entrusting their digital identities to
    Microsoft’s Hailstorm system and their critical business
    data to .NET?

    2. Even the most cursory inspection of sites that specialize in
    tracking security bugs (such as CERT and BugTraq) suggests that
    open-source operating systems such as Linux and the BSDs have
    a far better security record than Microsoft Windows, both in
    having fewer vulnerabilities and in more rapid deployment of
    fixes. How does Microsoft propose to close the technology gap
    and catch up to the quality level of these systems?

    3. How can potential operating-system customers with millions
    (perhaps billions) of dollars riding on the security of their
    computer systems form a rational estimate of their exposure
    if they cannot inspect the source code of those systems?

    4. If the answer to question 3 is “You can see the source code if
    you’re a big enough company to pay us for the privilege”, then why
    should customers have to pay for the privilege of doing the job
    Microsoft’s own QA teams so frequently bungle?

    5. How would you respond to the following statement: “Any engineer or
    executive who, disregarding best practices, entrusts
    security-critical functions to closed-source software is committing
    an actionable breach of their responsibility to their employer?”


Eric S. Raymond

If a thousand men were not to pay their tax-bills this year, that would
… [be] the definition of a peaceable revolution, if any such is
possible.
— Henry David Thoreau

Category:

  • Migration

3-D patent a world of trouble?

Author: JT Smith

Wired News carries word of patent 6,219,045, issued to Worlds.com, and covering the use of avatars and other information within a three-dimensional virtual world. Considering the popularity of games like EverQuest and Asheron’s Call, the patent could prove to be a windfall for tiny Worlds.com.

Microsoft kicks off new anti-Open Source campaign

Author: JT Smith

From the New York Times (free registration still required): “Microsoft is
preparing a broad campaign countering
the movement to give away and share
software code, arguing that it potentially
undermines the intellectual property of countries
and companies. At the same time, the company
is acknowledging that it is feeling pressure from
the freely shared alternatives to its commercial
software … (A speech to be given Thursday) is part of an effort by Microsoft to
raise questions about the limits of innovation
inherent in the open-source approach and to
suggest that companies adopting the approach
are putting their intellectual property at risk.”

Software patents vs. free software

Author: JT Smith

Bruce Perens writes, “I’ve written an essay on Software Patents vs. Free Software, and the danger that software patents pose for the Free Software developer. In addition, there are details about the summit meeting I’ve called on Free Software and The Law. Thanks! – Bruce”

Minutes of the GNOME Board meeting 1 May 2001

Author: JT Smith

“We selected Martin Baulig and Sander Vesik to take the lead on building
a Release Team and work with the folks who volunteered to put together a
GNOME 2.0 release plan. This will include a listing of all the top-level
tasks that need to be accomplished, along with preliminary due-dates…”

Minutes of the GNOME Board meeting 1 May 2001
From: Daniel Veillard 
To: foundation-announce@gnome.org
Cc: foundation-list@gnome.org,  gnome-hackers@gnome.org
Date: Thu, 3 May 2001 05:50:02 -0400


          Minutes of the GNOME Board meeting 1 May 2001
          =============================================


Presents:
=========

    Havoc Pennington (chairing)
    Miguel de Icaza
    Raph Levien
    Daniel Veillard  (minutes)
    Dan Mueth               
    John Heard              
    Owen Taylor
    Bart Decrem
    Maciej Stachowiak (:15)

Missing:
========

    Federico


Regrets:
========

    Jim Gettys

Decisions:
==========

   - The board selected the Gnome-2.0 Release coordinators Martin Baulig and
     Sander Vesik, asking them to build the Release Team for Gnome-2.0 with
     the help of the other candidates
   - The GNOME Foundation membership proposal has been approved as the
     GNOME Membership Policy 1.0

Action Done:
============

  ACTION: Bart will follow the 'small conferences' meeting and will report in
          one month
     => Rebecca will be the Conference Master for Gnome
        She will double check that Guadec 3 can be done in Spain

  ACTION: Maciej will post to Gnome-Hacker to get people stepping in as
          Gnome-2.0 coordinator.
     => done

  ACTION: Havoc make sure that we get the 2.0 volunteers and what need to get
          done to start the release coordinator work
     => done

Action:
=======

  ACTION: Havoc send the AB list to the board looking for completion
          of the member liaisons.
     => still pending


  ACTION: John try to get a Copyright assignment form and procedure for the
          GNOME Foundation

Discussion:
===========

- Foundation:

  not much to report, still some lawyer work needed.

- Release coordinators:

  Martin Baulig, Sander Vesik, George Lebl, Chris Lahey, Jonathan Blandford,
Peter Teichman and Dave Camp  expressed interest in helping with the 
GNOME 2.0 release, according to the discussions and plans that came out
of GUADEC. Also, Jody Goldberg wants to help on the office/apps part of it.

  We selected Martin Baulig and Sander Vesik to take the lead on building
a Release Team and work with the folks who volunteered to put together a
GNOME 2.0 release plan. This will include a listing of all the top-level
tasks that need to be accomplished, along with preliminary due-dates for
each of these and a full committee roster with specific responsibilities
assigned to each team member.

  We'd like to see quick progress on this, and have at least the committee
structure and responsibilities flushed out within 2 weeks.

  It is relatively clear that the work of doing the release coordination
for GNOME 2.0 will be larger than what was needed for GNOME 1.4. We hope
that Martin and Sander will be able to build a strong team covering the
various tasks needed, the following ones were listed (but the list is far
from complete):
    - PR coordinator
    - documentation/QA coordinator
    - library freeze
    - porting
    - translation
    - UI freeze
   
- Membership policy:

  The community had many opportunities to review it. There was no negative
  feedback. So we adopt the proposal as GNOME Membership Policy 1.0

  Interesting points discussed:
    - we want the Gnome project to stay open to anybody who wants to contribute
      to it
    - Opening to the ISV community is okay but people should not just use it but
      helping or contributing the project is still required to qualify.


Daniel

-- 
Daniel Veillard      | Red Hat Network http://redhat.com/products/network/
veillard@redhat.com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/

Category:

  • Open Source

.NET – Milestone or Gallstone?

Author: JT Smith

Kelly McNeill writes “In several articles published on the osOpinion.com site last year, I warned everyone about what was coming down the pike from Microsoft.

The articles warned that Microsoft’s .NET product strategy was just a faint whisper of what Microsoft actually intends for the long-term. That strategy is to get the consuming public completely dependent (in one way or another) on Microsoft, and to have us pay for that privilege. Prior to .NET, Microsoft enjoyed a relatively unchallenged position in the browser and development tools product markets.”

Beehive announces Zope training in D.C.

Author: JT Smith

chrisabraham writes,
beehive is proud to be the only Zope Training Provider in both Europe
and North America. We are now offering training courses in
Washington, D.C., and Berlin, Germany. Please check out our schedule
at www.beehive.de. Washington, DC, will be offering two courses per month, a day-long
DTML and a day-long ZClass course, beginning on the 24th and 25th of
May, 2001. The ZClass course will be held the day after the DTML
course to allow students to easily attend both.

DTML course overview
The beehive DTML course is designed to describe all important
DTML-tags and their use in internet-applications. On the basis of
many practical examples, the participant can learn how to work out
solutions for tasks that an internet-developer is confronted with.
Each participant receives more than 40 pages of accompanying-material
that reflect the course-contents employing many practice-approach
examples, diagrams, and reference-tables. In that documentation about
Zope and DTML is somewhat limited, this collection of DTML
information is extremely valuable.

ZCLASS course overview
beehive’s ZClass course focuses its attention on the use of Zope
classes–so-called ZClasses. Using Zope’s ZClasses web-developers can
develop internet-applications without any knowledge about python.
Each participant gets extensive accompanying-material and a bound
copy of beehive’s ebook “ZClasses”.

beehive elektronische medien GmbH has written the book on Zope.
Three paper books to be published this Summer and four ebook
tutorials available from the website have made beehive’s reputation
in the Zope community, a community of well over the 10,000 members of
Zope.org. beehive has always made Zope education and publishing job
one. With the success of beehive’s Zope courses in Europe, North
America is the obvious next step.

For more information about beehive elektronische medien GmbH visit
the web site at www.beehive.de or either phone Berlin at +49 30 84 78
20 or Washington at +1 202 548 0410.

Contact:
beehive North America,
1231 Pennsylvania Ave, SE, Washington, DC 20003,
Contact: Chris Abraham, (202) 548-0410
cja@beehive.de http://www.beehive.de.

Red Hat works with UCITA backers to change law

Author: JT Smith

By Grant Gross

Red Hat and the Open Source Initiative will likely celebrate a UCITA victory this month, but the celebration will be shared with backers of the Maryland software license law, not in spite of them.

Maryland Gov. Parris N. Glendening is expected to sign a bill that exempts Open Source software from “mandatory warranties” found in the state’s Uniform Computer Information Transactions Act, on the urging of Red Hat and the Open Source Initiative.

The bill passed both houses of the Maryland legislature unanimously, and the change is part of Red Hat’s larger effort to work with UCITA advocates to rework parts of the legislation that are distasteful to the Open Source community. Mark Webbink, senior vice president and general counsel for Red Hat, says he sees UCITA as a “somewhat benign” law on the whole, and believes some of the objections to UCITA in the Open Source community have come from misunderstandings of what the law does.

However, Red Hat and the Open Source Initiative did approach the Maryland legislature about what types of software were exempted from warranties required in the state’s version of UCITA. “In Maryland, the legislature determined that they wanted to add a number of consumer protection provisions to UCITA,” Webbink says, “and in the process, although they thought they were taking into account Open Source software … they in fact didn’t quite get there.”

Changes to the law

The original Maryland UCITA bill passed in 2000 exempted “free software” from having to provide a warranty, says Democratic Delegate Kumar Barve, sponsor of the original legislation and chairman of the Maryland House of Delegates Subcommittee on Science and Technology. But there was confusion over whether that could be interpreted to mean proprietary software that for whatever reason isn’t purchased, Barve says, so the new bill gives the exemption only to software that has its source code freely available and that allows unlimited copies to be made.

Maryland legislators recognized quickly why exempting Open Source software from the mandated warranties made sense, Webbink says. “How do you impose a warranty on some hacker who’s in Romania, written a piece of the code, and given it away for free?”

What’s UCITA?

The National Conference of Commissioners on Uniform State Laws is pitching UCITA to states as “model legislation” to apply the Uniform Commercial Code to software sales. In 2000, Maryland and Virginia passed versions of UCITA, although Virginia’s law doesn’t go into effect until this July. Seven other states and the District of Columbia have considered UCITA bills.

Many members of the Open Source community have objected to several parts of UCITA, including the warranty section. They’ve also objected to its limits on reverse engineering and to the “self-help” section, which seems to allow software companies to shut down software if the user doesn’t pay the license fee by a deadline. (For Open Source community objections to UCITA, here’s an explanation at everything2, and Slashdot has a number of articles about the effects of UCITA.)

Working with UCITA

Webbink says some of those fears may be “misapplied,” and Red Hat is working with the uniform law commission to change other parts of UCITA.

Barve notes, for example, that the self-help section of Maryland’s UCITA was amended to not apply to individual customers, only bulk customers such as corporations, and Webbink says such self-help laws were already on the books before UCITA.

“What UCITA did was say, ‘Yes, it’s permitted, but by golly, if you’re going to exercise self help, you’re going to do it according to these rules,’ ” Webbink says. “Does [UCITA] perpetuate self-help? Yes, it does. However, does it put it in a box? Yes, it does, and that box is relatively consumer-friendly.”

Barve says he’s still surprised at the amount of heated criticism he’s taken from shepherding UCITA in Maryland a year ago. He acknowledges that UCITA protects the intellectual property of proprietary software companies, but he sees intellectual property rights as a driving force in the U.S. economic system.

“UCITA was never as bad as its opponents said it was and never as good as its proponents said it was,” Barve says. “I don’t think we made a mistake here. I think we made a fundamentally correct policy decision.”

Where UCITA may stop being “somewhat benign” is when more states begin to adopt it, and each add their own changes to the law, as Maryland’s legislature did, Webbink says. Dozens of variations of UCITA could give Open Source advocates nightmares as they try to chase down problem areas in bills from New Hampshire to Arizona.

To prevent that scenario, Red Hat has been taking the Open Source cause to the uniform law commission itself. Red Hat wants to “talk about issues that are important to Open Source and how they may be able to modify this model language to better address our concerns and make the legislation more palatable to members of the community,” says Red Hat’s lawyer.

Proposed changes

Webbink has approached the commission about making a couple of changes in the model UCITA. One proposed change would recognize Free Software and Open Source licenses in the law, to “acknowledge they exist in the firmament of computer software licenses,” he says.

Another change, in the preliminary stage of talks, would guarantee a right to reverse engineer software. “Naturally, if the statute is going to permit reverse engineering, you have to address off-setting interests between the Open Source community and proprietary vendors,” Webbink says.

However, Webbink believes a compromise can be crafted, with proprietary vendors on board, that allows a person purchasing a software license to reverse-engineer the software to write interfaces for the software. His example: A Linux programmer purchasing a popular word-processing program and using its source code to port it to Linux. With Red Hat’s proposal, UCITA would allow such reverse engineering and override any prohibitions in the word-processor’s license agreement.

Currently, there’s no Open Source industry group that deals with legislative issues, although Webbink says Red Hat’s efforts have been received well both on Capitol Hill and in Maryland’s statehouse. Red Hat worked with the Open Source Initiative to craft the change in Maryland’s UCITA.

Community obligation

Webbink says Red Hat and other Open Source companies are talking about an industry-wide legislative lobbying effort, but nothing’s happened yet. “I understand [other companies’] concern that they don’t want us to come across as the sole leaders of the thing,” he says.

In the meantime, Red Hat plans to continue pushing for the Open Source community with lawmakers, he says. “Both our board and our management feel that we are now left in a position where we need to take a leadership role in protecting the interests of the community at large,” he adds. “That’s not to say that there aren’t other companies that aren’t doing the same thing, but … somebody’s got to take the initiative on these kinds of things, and we feel like we’ve got an obligation to do that.”

Webbink promises to keep his ear to the ground as Red Hat advocates for the community. “As we push for what we believe the agenda should be, we will be constantly seeking affirmation from other members of the community to make sure we’re not going off in a tangent that they aren’t in agreement with.”