Wednesday, March 30, 2005

Grid Application Server based on LAMP

From a friend of mine, Saifi:

LAMP (Linux, Apache, MySQL, PHP/Python/PERL) is usually considered
the common platform of choice for Web applications and services.

Building upon LAMP, an open-source startup, ActiveGrid (www.activegrid.com), has
come up with an XML-standards-based services architecture that provides a highly tuned
"text pump" that acts like a "bus" in a transaction-intensive data center.

The term "bus" has the connotation of an integration platform.

Take a look at Peter Yared's blog at http://peteryared.blogspot.com/
for the details. He is the founder, CEO of the company.

For the technically inclined, here comes an open-source solution
that uses and builds on the WS-* set of standards.

Monday, March 28, 2005

All the news that robots pick

Chalk it up to a difficult week for Google's automated news service, which aims to best traditional newspapers with mathematical algorithms and robots crawling the Web.

The Web search giant was hit with a lawsuit from French news agency Agence France Presse, forcing it to start to pull thousands of photos and news stories from its service. Then critics lashed out over its decision to include reports from National Vanguard, a publication that espouses white supremacy. In response, Google said it will remove the publication from its index.

Both are black eyes to Google's theory that computers virtually unassisted by human editors can pick the top stories of the day and beat traditional media at its own craft.

Google's own description of the service, which is still in beta after three years, defies the two instances that cropped up this week: "Google News is a highly unusual news service in that our results are compiled solely by computer algorithms, without human intervention."

The tensions hit on the growing pains of changing news consumption and distribution. On the one hand, readers are eagerly using aggregation services like Google News to save time and find news they're interested in from one location. But the digital melting pot of news also has raised questions about the need for standards that go beyond what technology can provide.

"It's a searchable newsstand, and it's a wonderful source," said Janice E. Castro, director of Graduate Journalism Programs at Northwestern University's Medill School of Journalism and former editor of Time.com. "But you're used to being able to say, 'There's the good newspaper; there's the poor stuff.' In search, it's all the same color and all the same size, and it's not ranked by quality."

"The best is mixed up with things that are far from the best," Castro said.

Google's feet are being held to the fire because it uses its technology to mine the depths of the Web to compile news. Yahoo News, in contrast, searches for news but also forms partnerships with content providers to populate its service. Google declined to comment on whether it has licensing deals with content owners.

In addition, Google News and similar news aggregation sites have become considerably powerful, forcing news organizations like the AFP to rethink their purpose and news distribution strategies. An increasing number of people turn to search as a way to access news, and many publishers have failed to answer readers' shifting appetites fast enough. That's been perilous to news organizations because aggregators siphon traffic that was once theirs.

John Battelle, a Web search pundit and former publisher of The Industry Standard, said that Google is an object of concern for publishers because it has yet to form a business model for its aggregation service, as opposed to Yahoo.

"That creates fear, uncertainty and doubt around their true intentions with the product," Battelle wrote in an e-mail, though he does not believe those intentions are "evil."

Visitors to Google News have nearly doubled to 5.9 million visitors since February 2004, according to ComScore Media Metrix. Yet Google News is not as popular as New York Times Digital, CNN, AOL News or Yahoo News, the leading news destination online.

Google uses algorithms to find popular news of the day and to cluster different sources on a given story, with links and photos from various publishers. But behind Google's technology, the company has pre-selected roughly 4,500 sources of information, and it continually reviews new sources to include in its searchable collection.

The question on many critics' minds is, what standards does Google use to select a news source?

"We're demanding transparency of mainstream news. Well, it's high time we get transparency from Google News," Jeff Jarvis, a blogger and president of Advance.net, wrote on Buzz Machine.

Jarvis added: "Google: Release a complete list of your news sources now. And institute a means for questioning those choices and for suggesting other choices now."

The call for transparency was in response to revelations that the National Vanguard was included in Google News' index. And according to the blog HonestReporting.com, Google News has previously included Jihad Unspun, a Web site that publishes anti-Semitic content.

Google spokesman Steve Langdon said the company does not allow hate content into its news service. "If we are made aware of articles that include hate content, we will remove them," he said.

The company has several guidelines for choosing news sources, including ensuring that the publication is edited. But it does not detail those guidelines on its site, except to say that "news sources are selected without regard to political viewpoint or ideology, enabling you to see how different news organizations are reporting the same story."

Aggregators vs. publishers
Google is also facing dissent from at least one of its news sources. Last week, AFP sued Google for allegedly using its news articles and photos without authorization. The French company is suing for $17.5 million in damages and seeks to permanently bar Google from using its materials.

Despite Google's policy to remove content at a publisher's request, AFP sued the company for past damages. Most publishers, however, want to be included in Google News because they believe it is a benefit to them and their readers, Langdon said.

AFP's complaint charges that Google infringes on its copyright by reusing its story "leads" as well as the headlines and photos.

Fred von Lohmann, an attorney at the Electronic Frontier Foundation, said a legal precedent has been established that allows Web publishers to link to thumbnail images, however. He also said the use of headlines and excerpts from the lead of a news story is fair use, and he believes that Google is in the right.

"It would be a different World Wide Web if you had to ask for permission before you linked to something, and the same thing applies to news," von Lohmann said.

Still, Google could face more of these lawsuits and pressure to engineer a more transparent news service.

"There's this weird tension," said Eric Goldman, assistant professor at the University of Marquette. "On the one hand, they need to tighten up who's included in their index, but then on the other hand, if they're too tight, someone is going to zip by them with hotter fresher news."

GPL 3 not expected to split free-software world

Some developers are concerned that the introduction of the third version of the GNU General Public License could split the free-software world, but the Free Software Foundation is confident that these fears are unfounded.

The FSF has denied that there is a risk that free-software projects could fork when the next version of the GNU General Public License, or GPL, becomes available.

Over the last few weeks, free-software developers from various projects have expressed concerns about the next version of the GPL. In a posting to the legal mailing list for the Debian Linux distribution, OpenOffice.org volunteer Daniel Carrera pointed out that as Linux is currently only distributed under GPL 2, it could face problems when GPL version 3 is released.

"My understanding is that Linux is distributed under the GPLv2 exclusively," Carrera said in the posting. "Given the vast number of Linux contributors, this means that Linux won't be able to migrate to the GPLv3 when it comes out, correct?"

Debian maintainer Matthew Palmer agreed that this was the case and said he was worried that when GPL 3 comes out, some free-software projects could split into separate branches. "I fear a lot of unpleasant forking action when the GPLv3 comes out," Palmer said.

Palmer said some developers may decide to license their projects only under versions 2 or 3 of the GPL, while others may choose to license under multiple versions of the license. This could result in "license-incompatible forks," according to Palmer.

But Eben Moglen, general counsel of the Free Software Foundation, said Thursday that there shouldn't be a problem in persuading Linux developers to migrate to GPL 3, as the license will be developed with their input.

"I don't think it will be a difficulty," Moglen said. "When the FSF finishes its work to produce the first discussion draft of GPL 3, there will be an extended comment period, which will be a chance for everybody to have their say. We will take as long in listening as people need to take."

GPL 3 is likely to include changes that take into account international copyright law and patent threats, according to Moglen.

It is not surprising that the next version of the GPL has attracted a lot of interest as it is the basis for a "multibillion-dollar industry," according to Moglen. "In a market that size, there are a lot of participants and a lot of people with interests," Moglen said.

Moglen was unable to say when GPL 3 would be released, though he suggested that it would be available in the next year or two. He is confident that when GPL 3 is released, people will be pleased with the outcome.

"When it's all over, people will say about the GPL 3, 'It's better, it's not that different--what's all the fuss about?'" Moglen said. "People have to trust that we know what we're doing." This echoes his previous statements, in which he said the process was "going to be a screaming match some days, but it is going to be a noble effort when it's over."

He said today's free-software industry owed a debt of gratitude to version 2 of the GPL. "A very large field came into existence as a function of the correctness of Richard Stallman's ideas," Moglen said.

Programmers bypass Red Hat Linux fees

It took Red Hat 16 months to produce the newest version of its premium Linux product, which went on sale in February for as much as $2,499 per computer per year.

It took a group of programmers less than two weeks to release a free clone. But the move could help Red Hat as much as it appears to hurt it.

The clone is from a project called CentOS--Community Enterprise Operating System--one of several "Red Hat rebuilders" that have partially nullified Red Hat's business decision in 2003 to stop giving away its supported and certified product for free. CentOS and others--Lineox, White Box Linux, Tao Linux, X/OS Linux and Scientific Linux--all rebuild a copy of Red Hat Enterprise Linux from the source code components Red Hat releases.

The clones are both a boon and a bane for Red Hat, which used an aggressive pricing plan to profit from its status as the top seller of the open-source operating system.

On the one hand, the rebuilders draft off Red Hat's labors while depriving the company of potential customers for its software and the support that goes along with it. On the other, though, they help cement the dominance of Red Hat's software and spread it to those who might eventually decide Red Hat's services and reliability are worth the price.

It's clear, however, that many Red Hat clone users aren't likely to embrace the original anytime soon.

"I don't pay for Linux, and I have absolutely no need for a Red Hat-style subscription (for) support," said Collins Richey, a Denver Linux enthusiast who uses CentOS on his personal computers to keep them compatible with work machines. "I'm considering recommending CentOS for limited use as a trial project...at work."

Red Hat chooses to see the glass as half full, with spokeswoman Leigh Day calling the clones "good news" because they could attract new customers.

"If they try versions that are not supported or supported inadequately, they will get a hint of the value propositions that are available for Linux and ultimately turn to a company that can support their businesses," Day said.

Red Hat did clamp down partway on CentOS in February. Its lawyers demanded the rebuilder strip out trademarked Red Hat names and logos.

However, if Red Hat truly wanted to hamper the rebuilders, it could stop its current practice of releasing its product's source code in the convenient packages called source RPM files.

"Red Hat should be thanked for making this so easy for all of the rebuild efforts," said Greg Kurtzer, who founded the Caos Foundation that runs the CentOS project. "I am not going to fault them for trying to make money."

Red Hat will continue releasing the source RPM files. "What we're doing now we'll continue to do for the long term," Day said.

Despite the availability of alternatives, Red Hat subscription sales increased from 33,000 in the quarter ended November 2003 to 132,000 a year later. That's solid growth, but it's not as high as the peak of 144,000 in the quarter ended August 2004. Red Hat is expected to release sales figures for its most recent quarter on March 31.

Some see an upper limit to how much the Linux seller can charge. "The real reason Linux is our choice is cost," said Brian Trudeau of Eastek International in Buffalo, N.Y., a CentOS user. "Why pay for Red Hat when it costs as much as Windows?"

Send in the clones
There are several prominent RHEL rebuild projects besides CentOS:

  • Finnish Lineox, which released its clone of RHEL 4 on Feb. 25, charges between 5 euros and 15 euros ($7 to $20) per server for its software update service.
  • White Box Enterprise Linux was born when Red Hat dropped its freely available commercial product, Red Hat Linux, said project founder John Morris, who runs dozens of servers and personal computers using Linux at Beauregard Parish Public Library in DeRidder, La. "We have workstation hardware that costs less than a RHEL contract, so something had to give when Red Hat dumped Red Hat Linux in favor of RHEL, and thus WBEL was born," he said.
  • Tao Linux is a "community supported" version not intended for mission-critical computers; users are expected to solve problems on their own or with help from mailing lists.
  • Scientific Linux is maintained by programmers at Fermi National Accelerator Laboratory and other labs. It's geared for technical tasks at labs and universities.
  • X/OS Linux, for which X/OS, a computing company in Amsterdam, sells support.

CentOS in the limelight
CentOS was an offshoot of a separate Linux project called Caos Linux, said Kurtzer, who is a Lawrence Berkeley National Laboratory administrator and a programmer as well. But it turned out the Caos Foundation's more popular project was a rebuild of RHEL.

"For a new distribution to be widely used, it must demonstrate to the community that the project and the product are both stable, reliable solutions," Kurtzer said. "But because CentOS is based on a known codebase, it was able to short-circuit the typical path and become an almost instant success."

Kurtzer doesn't have firm numbers, but he estimates there are thousands, perhaps tens of thousands, of CentOS users. The first version was announced in December 2003.

CentOS doesn't veer from the Red Hat course. "The point...is to be as legally identical as possible," Kurtzer said. CentOS tries, for example, to build security updates as quickly as possible, with an informal guarantee of a 24-hour turnaround after Red Hat releases the original.

CentOS isn't exactly free. The Caos Foundation asks for a donation of $12 per server per year to defray download costs, though few beyond some companies pay, Kurtzer said.

The support question
After Red Hat launched RHEL, it also began a project called Fedora. That version of Linux is available for free, but it's a fast-changing and unsupported product geared for hobbyists and programmers who can help work the kinks out of the latest software packages.

RHEL, in contrast, changes slowly, with updates released roughly every 18 months so hardware and software companies have time to certify that their products work with the operating system. Support of a particular Red Hat version lasts for seven years for those who pay an annual support subscription.

"Enterprises may have been disabused of the notion that Linux is free, but that doesn't mean they want to pay through the nose for it just because it has (software partner) support," said RedMonk analyst James Governor.

There are risks to leaving the official Red Hat fold, though. A customer isn't going to get much hand-holding, for example.

"We support three forms of Linux: Red Hat Enterprise Linux, Novell's Suse Linux Enterprise Server and Asianux," said Anne Pace, a spokeswoman for storage specialist EMC. "We chose those three because when we scan our customers, those seem to be the versions of Linux that our customers seem to be going with."

EMC will try to help customers using other versions, Pace said. But if they're using a Linux version EMC doesn't support, "we can only go so far, so they'll probably need to be diverted back to the Linux company to try to figure it," she said.

Oracle, a major software power and Linux backer, supports the same three Linux versions as EMC, but it has a stricter policy because it wants to keep the number of varying Linux versions to a minimum.

"Oracle wants to prevent fragmentation in the Linux distribution space," Monica Kumar, senior manager of Oracle's Linux product marketing, said in a statement. "Because of the indeterminate number of possible distributions and Oracle's desire to see customers succeed, it is necessary to confine enterprise-class support to those distributions that Oracle believes can be successfully deployed and supported in enterprise-class environments."

Do it yourself
Many who opt for Red Hat rebuilds are confident of their own expertise, though.

"I've had years' worth of support from Red Hat and have never called them once," said Jacob Leaver, a senior systems administrator who uses CentOS at his employer, a Washington-based Internet service provider. "I find that I can usually provide the answer to a technical problem using a Google search."

That's also enough support for Claire Connelly, a systems administrator who helps run 66 Linux servers at Harvey Mudd College's Mathematics Department.

"Convincing me to run RHEL on more of our systems would require Red Hat to add some significant value over community rebuilds or other distributions," Connelly said. "I don't have a problem with giving Red Hat some money, as they do a great job contributing code and support to the community. The problem is that their current pay-for-support structure doesn't work very well for our situation. As an academic institution, we don't have tons of money to throw around for 'enterprise-level support.'"

A year and a half after Red Hat introduced the first version of RHEL, it announced deep discounts to education customers that had been alienated by the pricing choice.

But those educational discounts haven't been steep enough for some others, either. The University of Manchester uses Linux on a "couple hundred" workstations and servers, said Niels Walet, a professor with the university's School of Physics and Astronomy. His main concerns with Red Hat are support and fees, he said. He's moving several CentOS systems under his purview to Scientific Linux to maintain compatibility among university groups.

Some clone users could be drawn into the Red Hat fold, though. One is Maciej Zenczykowski, a CentOS user and student in Poland who runs Linux on three university servers and four Internet servers for his own and three other apartment buildings. He'd be willing to pay $50 to $100 per year for software support, and he needs the RHEL compatibility to ensure that software from Hewlett-Packard works properly.

"Frankly, I wanted to go with RHEL 4 on (an) enterprise-level server at the university. I even had the $50 ready for an academic license," he said. But Red Hat's Polish reseller was charging about $120, and trying to coax longer-term support payments out of the university's financial department was frustrating, so CentOS won out.

Freedom from bureaucracy is one of the reasons Dave Parsley, an administrator at Alfred University in New York, founded Tao Linux.

"It's always easier to pop a DVD into the drive to install it and not register and not do any paperwork," Parsley said. "It's like the old days of Linux--just install and go."

Google to support R&D in Indian varsities

Google, which recently opened its R&D centre in Bangalore, has announced initiatives to promote research in Indian universities.

Google stated that if a faculty member or a student gets a research paper accepted at one of a few major international computer science conferences, it will sponsor that candidate's attendance at the event.

Google has zeroed in on seven international conferences including the 14th International World Wide Web Conference, Conference on Management of Data, Association of Computational Linguistics, International Conference on Machine Learning, Conference on Research and Development in Information Retrieval, Conference on Object-Oriented Programming, Systems, Languages & Applications besides the Symposium on Operating Systems Principles across the globe.

According to Google India, this is an initiative it is taking to identify talent in basic computer science engineering and is an effort to promote research.

The company also recently announced the winners of its India Code Jam contest, another initiative to identify talent in the South Asian region. Code Jam is an online programming competition in skills assessment and competitive software development.

Said a spokesperson for Google India: "The Google India Code Jam is a demonstration of the value Google places on excellent programming. In addition to celebrating the top programmers in the region, we also hope that the competition will provide further opportunities to attract strong computer scientists to our R&D centre here."

A student from Singapore, Adrian K Poernomo won the contest this year, which was the third Google Code Jam contest and the first in India.

"The India Code Jam is an extension of our annual Code Jam contest and celebrates the art of computer science, demonstrating to professionals everywhere the value Google places on coding," the spokesperson added.

Friday, March 25, 2005

Mandrake, SuSE Offer New Linux Features

Mandrake's and SuSE's Linux distributions fit well into the roles of mainstream desktop and of low-cost small-business server—filling a sizable void left by Linux market share leader Red Hat Inc. Red Hat's offerings are divided between the annual-subscription-priced Red Hat Enterprise Linux and the community-supported Fedora Core.

On the desktop, SuSE Linux 9.1 and Mandrakelinux 10 offer a better out-of-the-box experience than Fedora Core, which, due to redistribution-related license issues, lacks several key applications, such as a Java Virtual Machine, a Macromedia Flash plug-in and libraries for playing MP3 music files. Mandrakelinux 10 and SuSE Linux 9.1 also feature much nicer software installation tools than either of Red Hat's Linux distributions.

While some corporate users require applications that are available only for Windows, there are generally good Linux alternatives available. Both distributions we tested ship with a large number of these Linux applications—SuSE comes with five CD-ROMs and Mandrake ships with eight.

The latest versions of Mandrake and SuSE are also great candidates for setting up small and midsize departmental servers—server software is one of Linux's strengths, and both of these distributions provide administrators with a wide range of server applications, along with tools to configure and manage them.

SuSE Linux Professional 9.1 costs $105, or $70 for an upgrade version. SuSE 9.1 also comes in a $35 Personal edition, which we did not test. The Personal edition lacks the printed manuals and some of the server and developer software that ships with the Pro version.

Mandrakelinux 10 comes in $230 PowerPack+, $85 PowerPack and $50 Discovery versions. We tested the PowerPack+ edition, which contains a wide range of server applications, including the Kolab groupware server. This version also includes 90 days of Web-based support and five free telephone support incidents (within 60 days).

Both distributions are priced well below Microsoft's Windows Small Business Server 2003, which costs $599 to $1,499 and requires the purchase of client access licenses beyond the five that these prices include.

Mandrakelinux 10 runs on Pentium-or-better x86 machines. An AMD-64 version of Mandrakelinux 10 was in release-candidate stage at press time—the latest official version of Mandrakelinux with AMD-64 support is Version 9.2.

SuSE Linux 9.1 supports both Pentium-or-better and AMD-64 machines in the same package.

Thursday, March 24, 2005

Mozilla fixes risky Firefox flaw

The Mozilla Foundation issued a patch for a major security flaw in its Firefox browser on Wednesday and advised people to update their software.

The problem is caused by a buffer overflow in legacy Netscape code still included in the browser for animating GIF images, Chris Hofmann, director of engineering for Mozilla, said. Similar memory problems have affected Mozilla's browsers and Microsoft's Internet Explorer in the past. A malicious attacker could exploit them by creating carefully crafted image files that, when viewed by a victim in a browser, execute a program and compromise the system.
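The article does not describe the Firefox code itself, so the following is an added illustration, not Mozilla's or Netscape's code: a constructed GIF Application Extension parser written in the shape of the bug class Hofmann describes (a length byte taken from the image file and used as a copy length into a fixed-size buffer), beside a checked version of the same routine. The block layout follows the GIF89a specification; the "NETSCAPE2.0" loop-count block, the function names and the two sample blocks are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* GIF89a extension introducer and the Application Extension label. */
#define GIF_EXTENSION     0x21
#define GIF_APP_EXTENSION 0xFF
/* GIF89a fixes the Application Extension header at 11 bytes: an 8-byte
   identifier plus a 3-byte authentication code, e.g. "NETSCAPE" + "2.0"
   for the Netscape animation loop-count block. */
#define GIF_APP_ID_LEN    11

typedef struct {
    uint8_t  app_id[GIF_APP_ID_LEN];
    int      has_loop_count;
    uint16_t loop_count;          /* 0 means "loop forever" */
} gif_app_ext;

/* The bug class: the size byte is read from the file and used as the memcpy
 * length, but the destination is a fixed 11-byte field, so a size byte above
 * 11 writes past app_id. Hypothetical code written for this example; never
 * call it on untrusted input. */
int parse_app_ext_legacy(const uint8_t *buf, size_t len, gif_app_ext *out)
{
    if (len < 3 || buf[0] != GIF_EXTENSION || buf[1] != GIF_APP_EXTENSION)
        return -1;
    uint8_t block_size = buf[2];
    memcpy(out->app_id, buf + 3, block_size);       /* BUG: unchecked length */
    const uint8_t *p = buf + 3 + block_size;        /* BUG: may point past len */
    out->has_loop_count = 0;
    if (p[0] == 3 && p[1] == 1) {
        out->loop_count = (uint16_t)(p[2] | (p[3] << 8));
        out->has_loop_count = 1;
    }
    return 0;
}

/* Checked form: the header size must be exactly the one the spec fixes, every
 * read is bounded by the bytes actually present, and each data sub-block is
 * walked by its own length byte until the 0x00 terminator. */
int parse_app_ext_checked(const uint8_t *buf, size_t len, gif_app_ext *out)
{
    if (len < 3 || buf[0] != GIF_EXTENSION || buf[1] != GIF_APP_EXTENSION)
        return -1;
    if (buf[2] != GIF_APP_ID_LEN)                   /* any other size is malformed */
        return -1;
    size_t pos = 3;
    if (len - pos < GIF_APP_ID_LEN)
        return -1;
    memcpy(out->app_id, buf + pos, GIF_APP_ID_LEN);
    pos += GIF_APP_ID_LEN;
    out->has_loop_count = 0;
    for (;;) {
        if (pos >= len)                             /* input ends before terminator */
            return -1;
        uint8_t sub_len = buf[pos++];
        if (sub_len == 0)
            return 0;
        if (len - pos < sub_len)                    /* sub-block overruns the input */
            return -1;
        if (sub_len == 3 && buf[pos] == 1 && !out->has_loop_count &&
            memcmp(out->app_id, "NETSCAPE2.0", GIF_APP_ID_LEN) == 0) {
            out->loop_count = (uint16_t)(buf[pos + 1] | (buf[pos + 2] << 8));
            out->has_loop_count = 1;
        }
        pos += sub_len;
    }
}

/* Reduce a parse to one value: the loop count, -2 if none, -1 if rejected. */
int checked_loop_count(const uint8_t *buf, size_t len)
{
    gif_app_ext e;
    if (parse_app_ext_checked(buf, len, &e) != 0) return -1;
    return e.has_loop_count ? (int)e.loop_count : -2;
}
int legacy_loop_count(const uint8_t *buf, size_t len)
{
    gif_app_ext e;
    if (parse_app_ext_legacy(buf, len, &e) != 0) return -1;
    return e.has_loop_count ? (int)e.loop_count : -2;
}

/* Constructed well-formed block: "NETSCAPE2.0", loop 5 times, terminator. */
const uint8_t benign_block[] = {
    0x21, 0xFF, 0x0B, 'N','E','T','S','C','A','P','E','2','.','0',
    0x03, 0x01, 0x05, 0x00,
    0x00
};
/* Constructed crafted block: identical except the size byte claims 255 bytes;
   the legacy parser would memcpy 255 bytes into an 11-byte field. */
const uint8_t crafted_block[] = {
    0x21, 0xFF, 0xFF, 'N','E','T','S','C','A','P','E','2','.','0',
    0x03, 0x01, 0x05, 0x00,
    0x00
};

int main(void)
{
    printf("checked, benign : %d\n", checked_loop_count(benign_block, sizeof benign_block));
    printf("legacy,  benign : %d\n", legacy_loop_count(benign_block, sizeof benign_block));
    printf("checked, crafted: %d\n", checked_loop_count(crafted_block, sizeof crafted_block));
    /* legacy_loop_count(crafted_block, ...) is deliberately not called. */
    return 0;
}
```

Both parsers agree on the well-formed block; only the checked one survives the crafted one, and it also rejects a block truncated before its terminator. The point for a reviewer of legacy decoder code is the pattern, not the format: any copy whose length comes from the file needs a comparison against both the destination size and the bytes remaining in the input.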

The flaw was discovered by Internet Security Systems, a network protection company, and patched before the public learned of the issue, Hofmann said.

"We are staying ahead and being proactive in fixing the code," he said. "The deciding factor, in this case, was the potential for this: It's a little easier for hackers to turn it into an exploit that could be dangerous."

The Mozilla Foundation released version 1.02 of Firefox on Wednesday to fix the problem and asked all users to download and apply the patch.

Recently published data has prompted questions about the security of Firefox. Security technology provider Symantec said in this week's Internet Threat Report that during the second half of last year, 21 vulnerabilities affected Mozilla browsers and 13 flaws affected Internet Explorer.

However, only seven of the flaws in Firefox were considered "highly severe," compared with nine in Internet Explorer.

Mozilla's Hofmann pointed to the data as a positive indication that the developers were doing a good job of securing the Firefox code.

"As the data shows, the flaws are of lesser severity," he said. "The kinds of things Microsoft's browser is vulnerable to are much more worrisome."

On Tuesday, Mozilla president Mitchell Baker predicted that Firefox won't suffer nearly as many security flaws as Internet Explorer and that the increasing popularity of the open-source browser won't change that.

"Microsoft has a proven track record with Internet Explorer," Microsoft said in statement. "We continue to make significant investments in Internet Explorer, including Windows XP Service Pack 2, which features a much stronger security infrastructure to help thwart malware attacks, block suspicious content and eliminate many common spoofing attempts. In addition, Internet Explorer 7 will be a major upgrade that will focus on security."

Mozilla is currently reviewing the roughly 2 million lines of code that make up the Firefox browser to find vulnerabilities similar to those patched Wednesday. Last August, the organization offered a bounty to anyone who finds significant flaws in the software. The developers are looking with particular intensity at the legacy code that remains in the browser.

"Most of the things that we are looking at and fixing are potential exploits that no one has figured out how to exploit yet," Hofmann said.

Firefox tool gets slick

Rip, mix--get burned?

That's one cautionary note making the rounds along with a popular new extension for Firefox that lets people customize Web pages they visit without the knowledge or cooperation of Web publishers. The extension, dubbed Greasemonkey, lets people run what's known as a "user script," which alters a Web page as the page is downloaded.

That capability has gained the extension an avid following of Web surfers who want to customize the sites they visit, removing design glitches and stripping sites of ads. But the extension comes with substantial security risks and could stir trouble among site owners who object to individual, custom redesigns of their pages.

"Publishers for now seem to accept that it's OK for users to make some changes," said Danny Sullivan, editor of Search Engine Watch. "I can tell my browser not to run JavaScript, for example, and that could override what the publisher wants the page to do. But people are still struggling with where the line is. Some of these things may go to court, but I think in the long run publishers...will adapt...or develop other ways to combat it."

The idea of letting Web site visitors alter pages they visit isn't new. Many pages use the World Wide Web Consortium's Cascading Style Sheets recommendation to let users do just that--adjust colors, font sizes and other style elements.

Greasemonkey goes well beyond such superficial changes. Among other things, Greasemonkey can strip out ads, a feature that's sure to prove controversial with publishers, if it crosses over to the mainstream.

Web site customization tools that give Web surfers the ability to "rip and mix" Web page elements have drawn fire in the past when publishers balked at alterations. Google, for example, got into hot water with some sites after it released a toolbar that offers Web surfers the option of inserting hyperlinks into pages through its AutoLink feature.

In 2001, Microsoft abandoned the Smart Tags feature in Windows XP, which would have linked words in a Web page to pages of Microsoft's choosing.

By manipulating the Dynamic HTML, or DHTML, of a Web page, Greasemonkey scripts can perform a host of tasks, according to the GreaseMonkey UserScripts page. They can, for example, transform story links on The New York Times site and take readers to ad-free, printable versions. They can also change Slashdot's colors and make the site "less ugly," the page says.

Others are designed to execute more substantial changes, such as making connections to Yahoo Mail and Gmail more secure. One, called "Butler," is meant to remove ads on Google results pages, add links to competing search sites, and remove image copy restrictions from Google Print. (CNET News.com's tests of various scripts showed that some were more successful than others at delivering promised results.)

In what could signal a trend toward user scripts, Norwegian browser maker Opera Software has picked up the idea, adding similar functionality to beta 3 of Opera 8, acknowledging Greasemonkey on its Web site.

Regardless of how Web sites react to Greasemonkey--Google wasn't immediately available for comment on the various Google-oriented Greasemonkey scripts--the extension will have to face down substantial security concerns.

The trouble with Greasemonkey and user scripts in general is that scripts can be used for both good and ill, and end users scanning through lists of enticing scripts might fail to distinguish between malicious and benign code.

"A user JavaScript file can in no way harm your computer or stored data, but badly written files can slow down Opera, and malicious files can spy on your browsing," browser maker Opera warns in a Web posting about the new feature in its latest beta. "Never install and use a script library from someone you don't know and trust--if in doubt, post in the Opera forums, newsgroups or mailing lists and ask if the script you would like to use is well written and exploit-free."

User scripts also could facilitate password-stealing schemes, said security consultant Richard Smith, who runs the ComputerBytesMan Web site.

"The bad guys could likely create a script for stealing usernames and passwords in log-in forms using this tool," Smith said. "They would still need to break into someone's computer to install the script, but the tool would make the theft process much easier."

Aaron Boodman, the 26-year-old programmer in Seattle who wrote Greasemonkey, declined to comment on the extension or on its security implications.

But in a recent posting to his Web site, he acknowledged its security liabilities, and worried that Greasemonkey would become vulnerable as a result of its increasing notoriety.

"A hacker could create a script that does something users want, but also makes a call to the hacker's server, sending your cookies to that machine," Boodman wrote. "He could even scan for password fields and upload those.... At this point, I'm only comfortable because the (Greasemonkey) community is relatively small and techie. It would be difficult for a hacker to distribute a malicious script in this environment."

In his posting, Boodman said he was open to ideas on improving Greasemonkey's security.

For now, he urged caution along the same lines that Opera did.

"All I can say is that just like any other software, you should think a tiny bit before installing a user script," Boodman wrote. "Make sure the author is someone you trust, or at least in a social network you trust."

Wednesday, March 23, 2005

Mozilla: We're more secure than Microsoft

Even with increased popularity, the Firefox Web browser won't face as many security problems as Internet Explorer, according to the president of the Mozilla Foundation.

"There is nothing that will be perfect," said Mitchell Baker, president and chief lizard wrangler of the Mozilla Foundation, during a panel discussion at PC Forum here. (PC Forum is owned by CNET Networks, publisher of News.com.)

Still, Firefox, developed by the Mozilla Foundation, won't harbor nearly as many security flaws as Microsoft's Internet Explorer does, and increasing popularity won't change that, Mitchell predicted.

Some critics challenge that assumption. Symantec CEO John Thompson and other security executives have claimed that open-source programs will become more vulnerable as they pick up more users, because more hackers will be attracted to them.

Last month, Mozilla issued a major security update to fix several flaws, including one that would allow domain spoofing.

"There is this idea that market share alone will make you have more vulnerabilities," Baker said. "It is not relational at all."

Part of Firefox's better security profile comes from how it is developed, compared with Internet Explorer, she said. "Not being in the operating system is a phenomenal advantage for us," Baker said.

Another benefit, Baker said, comes from the fact that Firefox does not support ActiveX plug-ins. For years, some consumers and analysts have dinged Firefox because it couldn't run ActiveX.

"It turns out it is only less convenient until you get hacked," she said. "Then it becomes a disadvantage."

Mozilla is part of an industry effort to create an ActiveX alternative that would let plug-in applications such as Macromedia Flash run within the Web browser without the security risks associated with ActiveX. Others involved in that effort include browser makers Opera Software and Apple Computer, and plug-in makers Sun Microsystems, Macromedia and Adobe Systems.

In general, classic code flaws tend to be fairly easy to fix once they are found, she said. More difficult problems to guard against are the ones that exploit human behavior, like phishing.

"In some of these cases, the solution is very difficult to determine," she said. "There are some circumstances where the speed won't be as fast."

On another note, Baker added that the open-source movement still faces some growing pains. Large commercial customers are often not completely comfortable with open-source licensing, particularly because they are familiar with traditional licensing models.

She also said that new forms of public licenses are inevitable, as are conflicts and inconsistencies between different public licenses.

"If someone comes up with something, they have the right to determine the terms under which they give it away," she said.

Tuesday, March 22, 2005

Novell announces small-business Linux bundle

Novell has packaged several Linux-based products into a suite geared for small business, Chief Executive Jack Messman said Monday.

The package includes Suse Linux Enterprise Server, or SLES, for up to three servers; Novell Linux Desktop for personal computers; GroupWise server software for managing e-mail, contacts and calendars; and eDirectory for managing computers.

The software will be available March 31 at a cost of $475 per five computer users, up to 100. The server software may be used on up to three servers, Novell said. Messman announced the software at the company's annual Brainshare conference in Salt Lake City.

The package is the Waltham, Mass., company's latest move to elevate its Linux products. Novell, the biggest Linux seller after Red Hat, also is trying to compete against Microsoft and to convince customers of its venerable NetWare operating systems to move to Linux.

Messman said Monday that Novell is tailoring Linux for high-performance technical computing, a market increasingly dominated by clusters of lower-end machines running Linux. The open-source operating system has been popular in that market, in part because it's available for free, but that no-cost availability has made the business hard to reach for Linux sellers that want to charge a fee.

Novell hopes to change that. "In the next few months, you'll learn about multiple activities, from special pricing to high-performance focused components that we're currently working to deliver," Messman said.

Jump-starting Linux sales is important for Novell. In the company's most recent quarter, NetWare and SLES revenue was less than hoped.

Another part of the Linux push was the first shipment of Open Enterprise Server earlier in March, which includes a copy of SLES along with each copy of NetWare.

GroupWise promotion
Messman also announced on Monday a second program to give away SLES for free: The software will be included with a forthcoming version of GroupWise, code-named Sequoia, that's scheduled to ship this summer.

Novell announced in February that it's making a lower-end competitor to Sequoia, NetMail, into an open-source project called Hula. But customers shouldn't be worried that the move means an end to GroupWise, which will be supported until at least 2015, Messman said.

Two new versions of GroupWise are planned: "Aspen," scheduled for release in fall 2006, and "Cedar," scheduled for spring 2008. In addition, NetMail will be supported through 2010, and Novell will help customers migrate to Hula if they want, the company said.

Messman boasted that Hula is becoming a dominant part of the open-source software realm. "The initial interest and contributions to Hula show that Hula is already on course to become in collaboration (software) what Apache is to Web servers," Messman said.

GroupWise today competes chiefly with Microsoft Exchange and IBM's Domino and Notes.

Starting Market Start
Also Monday, Messman announced a new program called Market Start, through which Novell will help smaller companies promote and profit from their open-source software--in return for a piece of the action.

Market Start will combine Novell's Linux products with open-source software from companies that need a boost in sales and marketing. Novell plans to provide support for the products and expects to share revenue from their sales.

"Lots of venture-funded companies spend on R&D to develop their products, but a significant cost is getting it to market. If you spend $1 on research and development, you probably spend $10 to go to market," Messman said. "We'll ensure all the components work together and we'll take them to market through Novell sales channels."

Market Start will kick off with a small number of partnerships, said Angie Anderson, general manager of the program. "We hope to get at least two or three by the end of the year," she said. "But as we grow the program over the next few years, we easily see it going to the tens or hundreds."

Among the areas in which Novell is looking for Market Start partners are accounting, customer relationship management and health care. "We've got a list of 75 open-source projects we're looking at," Anderson said. "We're trying to slim that to 10."

Monday, March 21, 2005

Defender of the Linux faith

I read this article from a NEWS Portal

Earlier this week, open-source developer Harald Welte personally handed warning letters to 13 technology companies that he says are using Linux in violation of the license that governs the software.

Welte distributed the letters at the CeBit technology show in Hannover, Germany. Among the recipients were telecom giant Motorola and PC manufacturer Acer.

Welte is one of the core developers of the Linux kernel firewall engine Netfilter/iptables and the maintainer of the packet filter subsystem in the Linux kernel. In 2004, he set up Gpl-violations.org, which aims to prevent companies from contravening the rules set down in the GNU General Public License.

Since setting up the project, Welte has made 25 agreements with companies that were violating the GPL, as well as obtaining two preliminary injunctions and one court order. Each of these companies used GPL code without making the altered source code available--a requirement of the licence.

ZDNet UK spoke to Welte about tracking down those companies that violate the GPL and how he persuades them to comply.

Q: Why is it important to stop people from violating the GPL?
Welte: You can use all the code out there for free, but if you do modifications, you have to give them back to the community--it's a fairness thing. If we allowed violations to become common, the system would be out of equilibrium. This would result in fewer contributions and it would have a large negative impact on the motivation of developers.

How do you find out whether companies have used GPL-licensed code?
Welte: It's quite hard without having the source code. All you can do is look at the firmware with a hex editor. You can often spot error messages or function names from GPL-licensed code. For example, there is an error message in the Netfilter code that says, "Rusty needs more caffeine." If someone writes a firewall they are very unlikely to come up with the same error message.

If somebody wants to obfuscate the fact that they have used the (GPL-licensed) source code, they can write a program to automatically change the error messages or strings. But if they try to hide it, it's a wilful copyright violation, which is a more serious legal offence.

What happens when you tell companies that they are violating the GPL?
Welte: Lots of companies that we are going after are resellers, so even if the device is sold as Fujitsu Siemens, it's not made by them but is an OEM device. With resellers it's easier, as we simply tell them, and they then put pressure on their upstream vendors.

In some cases, we got an out-of-court agreement and the company agreed to stop distributing software that doesn't comply with the GPL licence, but then did it again. This happened with Belkin and Netgear--half a year after signing the agreement, they introduced new products that came without any indication of source code availability. This has now been sorted out, and they are fully compliant.

In general, we haven't had trouble persuading companies to comply, apart from (PC connectivity company) Sitecom.

What happened with Sitecom?
Welte: When we found out about Sitecom's GPL violation, my lawyer asked them to sign a declaration to stop distributing software that didn't comply with the GPL licence. We didn't receive their signed declaration within the deadline, so we applied for a preliminary injunction. After they received the injunction, they filed an appeal. The court ruled that it will uphold the preliminary injunction.

Even though you have won every case so far, surely there's potential cost involved in pursuing these cases?
Welte: There is a cost of 10,000 euros ($13,282) per case, although the party who loses the case pays all the legal fees. It's not that I have that amount of money spare, but it's worth the risk.

What do companies need to do to make sure their software is GPL compliant?
Welte: The only thing you need to do to comply with the GPL licence is to release the source code. GPL offers two possible ways--you can either include the source code when you distribute the binary program, or you can provide a written offer to provide the source code, which must then be provided to all third parties that request it. If companies are only using GPL-licensed software internally, they only need to distribute the source code to their employees.

What source code do companies need to release?
Welte: The free software parts that they have used and anything that is derived from that. If they write additional programs--for example, a front end that is not derived from GPL licensed code--they do not need to release the code for that.

What gives you the legal right to pursue the GPL violations?
Welte: Most of the violations we're seeing are happening in the embedded market. They are running the Linux kernel, and I have copyright on parts of the Linux kernel. In the cases that went to court, it was me as an individual copyright holder (against the company in question).

Everyone who writes code holds the copyright, unless they work for a company. Alan Cox is employed by Red Hat, so the copyright of the code he writes while at Red Hat is held by Red Hat.

You say on your Web site that you are hoping to get other free-software enthusiasts involved. How is this going?
Welte: It's hard to find people who want to get involved in the project. Most developers don't mind reverse-engineering code to show a lawyer that there has been GPL violation. But dealing with lawyers is something that most developers are not keen on. I myself don't like dealing with legal issues, as it keeps me from writing code.

What is the future of the project--will you keep running it independently, or will you try to get the help of other organizations?
Welte: I'm still evaluating the options. I've been talking to my lawyer and to Free Software Foundation (FSF) representatives about this. There are two options--to do it within the FSF Europe, or to fund a separate not-for-profit organization.

Whatever organization it might be, if it gets involved legally, it will need to draw up an agreement with the copyright holder. Some developers might not want to sign an agreement with the FSF. I personally don't have any problems with the FSF, but some people think it's too religious. Some people wrongly think the FSF equals Richard Stallman (president of the FSF), and some people have an issue with Richard.

Some people have criticised the GPL for being business-unfriendly. What do you think?
Welte: I totally disagree.

How do you think the GPL compares with other licenses?
Welte: It's a philosophical question. The BSD licence allows you to integrate and modify without giving back modifications, while GPL expects you to give back modifications. These are two philosophies of how you develop software. Which you choose depends on the project. For example, if you have a new standard and want it to spread quickly, it's better to use the BSD licence, rather than the GPL.
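Welte's description of spotting GPL code by reading firmware in a hex editor and looking for tell-tale strings can be automated. The script below is an added example, not code from the interview or from gpl-violations.org: it pulls printable runs out of a binary blob the way `strings` does and matches them against known marker strings. Only the "Rusty needs more caffeine" marker comes from the interview; the other markers and the sample firmware blob are constructed for this example.

```python
"""Scan a firmware image for strings that mark GPL-licensed code.

Added example (not from the interview or gpl-violations.org). It mimics
the hex-editor approach: extract printable ASCII runs from a binary
blob and match them against known marker strings.
"""
import re
from typing import Dict, List, Tuple

# Markers a compliance reviewer might look for. Only the first is quoted
# in the interview; the other two are constructed stand-ins.
GPL_MARKERS: Dict[str, str] = {
    "Rusty needs more caffeine": "netfilter (Linux kernel)",
    "Linux version ": "Linux kernel banner (constructed stand-in)",
    "BusyBox v": "BusyBox banner (constructed stand-in)",
}

MIN_LEN = 6  # shortest printable run worth reporting, as `strings` does


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def find_gpl_markers(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, marker, origin) for each known marker found in blob.

    The offset points at the marker itself, not at the start of the
    surrounding string, so it can be checked directly in a hex editor.
    """
    hits: List[Tuple[int, str, str]] = []
    for start, text in extract_strings(blob):
        for marker, origin in GPL_MARKERS.items():
            if marker in text:
                hits.append((start + text.index(marker), marker, origin))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Convenience wrapper: scan a firmware image on disk."""
    with open(path, "rb") as fh:
        return find_gpl_markers(fh.read())


def build_sample_firmware() -> bytes:
    """Constructed firmware blob: non-printable filler with embedded strings.

    Layout (byte offsets): kernel banner at 300, netfilter marker at 739,
    a vendor copyright string at 965 that matches nothing.
    """
    filler = bytes([0x00, 0x01, 0x7F, 0x80, 0xFF]) * 200  # 1000 non-printable bytes
    return (
        filler[:300]
        + b"Linux version 2.4.20-uc0 (constructed)\x00"
        + filler[300:700]
        + b"Rusty needs more caffeine\x00"
        + filler[700:900]
        + b"Copyright ACME Router Co.\x00"
    )


if __name__ == "__main__":
    for offset, marker, origin in find_gpl_markers(build_sample_firmware()):
        print(f"0x{offset:08x}  {marker!r:32}  {origin}")
```

As the interview notes, a vendor that rewrites these strings defeats this check, which is why a hit list is a starting point for a reviewer rather than proof on its own.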

Friday, March 18, 2005

Mozilla Application Suite - Transition Plan

In 2003 we announced our intention to shift development focus from the integrated Mozilla Application Suite (commonly referred to as "Seamonkey") to a new generation of applications -- the Mozilla Firefox browser and the Mozilla Thunderbird mail and news client. That shift in focus occurred almost immediately, as the Mozilla Foundation was formed and we hired the lead developers for Mozilla Firefox and Mozilla Thunderbird. At that time we also stated our intention to maintain a long-lived, stable 1.7.x version of Seamonkey. We noted that a number of commercial distributors ship Seamonkey and will need the means to maintain it for their customers. There is also a user and developer base that is fond of Seamonkey and would like to maintain it. We have continued with this maintenance plan as well, with a 1.7.6 release scheduled for the next few weeks.

In the last few months we have also been releasing a series of 1.8 alpha and beta releases. The goal of these releases has been to test the changes to the back-end aspects of our codebase. Most users are familiar only with the "front-end" of our code -- the actual end user applications that provide browsing and mail functionality. But underneath this layer of code is a deep, complex layer of infrastructure that makes things work behind the scenes. There's no reason for end users to be aware of this foundation, just as most of us aren't aware of the details of the foundation of the skyscrapers we visit. But it is critical, and continued development and testing of this layer is vital to keeping our applications healthy.

The ongoing alpha and beta releases of Seamonkey 1.8 have suggested that the Mozilla Foundation itself will be creating a 1.8 final release. This is not our plan. The 1.8 releases have been for testing our backend. We intend that the 1.7.x line of releases will be the last long-lived, maintained versions released by the Mozilla Foundation. There is no doubt that the series of 1.8 alpha and beta releases have caused some confusion about whether there would be a 1.8 product released by the Mozilla Foundation. In addition, a set of people have done a non-trivial amount of work on 1.8 features, thinking this would be part of an official Mozilla Foundation release. This has been a major error on our part. These contributors have reason to be unhappy with us. We can only apologize, at the same time recognizing that apologies only go so far and can't fix the error.

Our plan for the Seamonkey suite is as follows:

  1. The 1.7.x line will be the last set of Seamonkey products released and maintained by the Mozilla Foundation. The Mozilla Foundation will provide infrastructure for those interested in working on the 1.7.x releases, which we expect will include a number of vendors who provide these products to their customers. We've committed to support the 1.7 branch some time ago. If we ship 1.8 we'll need to support that as well, and we just can't manage supporting that many versions as well as Firefox and Thunderbird releases.

  2. The Mozilla Foundation will provide infrastructure support (CVS access, bugzilla, development tools, etc) for community members who wish to continue to develop Seamonkey. This community group may wish to do formal releases of Seamonkey, much as the Sunbird and Minimo developers do. We support this. We probably won't use the same naming conventions, as we need to be clear that this is not a Mozilla Foundation product release.

  3. Boris Zbarsky has posted an open letter to the Mozilla Foundation signed by a set of interested parties, laying out a community transition plan. We support this plan and will work with interested parties to figure out strategy. There will undoubtedly be some implementation details to be worked out (e.g., can we actually use Seamonkey as a formal trademark, how do we work the tinderbox machines, etc.).

The dedication to the product, the initiative of the developers and the proposal of the transition plan as a solution are all hallmarks of the Mozilla community. We support this effort completely.

Thursday, March 17, 2005

Updates on MySql

New Release of MySQL Community Edition (4.1.10a) is Now Available

This is a maintenance release of the 4.1 version, mainly fixing recently discovered bugs. This release includes:

  • Security improvement: The server creates .frm, .MYD, .MYI, .MRG, .ISD, and .ISM table files only if a file with the same name does not already exist.
  • Security improvement: User-defined functions should have at least one symbol defined in addition to the 'xxx' symbol that corresponds to the main 'xxx()' function.
  • Please note that these changes affect the way in which User Defined Functions (UDF) are loaded. Please refer to the section "User-defined Function Security Precautions" in the manual: http://dev.mysql.com/doc/mysql/en/udf-security.html
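The first item is the classic "create only if it does not already exist" check. The example below is added here and is not MySQL code: it contrasts a naive open-for-write, which follows whatever is already at the target path, with `os.O_CREAT | os.O_EXCL`, which makes the kernel refuse when the name is already taken. The table file name, the planted symlink and the stand-in target file are constructed inside a temporary directory.

```python
"""Why creating a table file only when the name is free matters.

Added example, not MySQL's code. Both functions stand in for "the server
writes a new .MYD file"; only the second one refuses a pre-existing entry.
"""
import os
import tempfile
from typing import Dict


def create_table_file_naive(path: str, data: bytes) -> bool:
    """Old behaviour: truncate and write whatever is at path.

    open(..., "wb") follows a symlink sitting at path, so the bytes land
    in the link's target instead of in a fresh file.
    """
    with open(path, "wb") as fh:
        fh.write(data)
    return True


def create_table_file_safe(path: str, data: bytes) -> bool:
    """Hardened behaviour: create the file only if nothing exists at path.

    O_EXCL with O_CREAT makes the open fail with EEXIST when the name is
    already taken, including when it is a dangling symlink, so a
    pre-planted entry cannot redirect the write. Returns False instead
    of clobbering anything.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> Dict[str, bool]:
    """Plant a symlink where a table file named t1.MYD would be created.

    Everything here is constructed: the directory, the 'important.cnf'
    stand-in target, and the link. Returns what each variant did.
    """
    original = b"original contents\n"
    with tempfile.TemporaryDirectory() as datadir:
        target = os.path.join(datadir, "important.cnf")  # constructed stand-in
        _write(target, original)
        planted = os.path.join(datadir, "t1.MYD")
        os.symlink(target, planted)

        naive_created = create_table_file_naive(planted, b"MYD payload")
        naive_overwrote_target = _read(target) == b"MYD payload"

        _write(target, original)  # restore before trying the hardened path
        safe_created = create_table_file_safe(planted, b"MYD payload")
        safe_target_intact = _read(target) == original

    return {
        "naive_created": naive_created,
        "naive_overwrote_target": naive_overwrote_target,
        "safe_created": safe_created,
        "safe_target_intact": safe_target_intact,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```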


New Release of MySQL (4.0.24) is Now Available

This release includes:

  • 'InnoDB': Added configuration option and settable global variable 'innodb_autoextend_increment' for setting the size in megabytes by which 'InnoDB' tablespaces are extended when they become full. The default value is 8, corresponding to the fixed increment of 8MB in previous versions of MySQL. Schemas replace the user/user-group feature.
  • 'InnoDB': Do not acquire an internal 'InnoDB' table lock in 'LOCK TABLES' if 'AUTOCOMMIT=1'. This helps in porting old 'MyISAM' applications to 'InnoDB'. 'InnoDB' table locks in that case caused deadlocks very easily.

Tuesday, March 15, 2005

Key open-source programming tool due for overhaul

The entire realm of open-source software could get a performance boost if all goes well with a plan to overhaul a crucial programming tool called GCC.

Almost all open-source software is built with GCC, a compiler that converts a program's source code--the commands written by humans in high-level languages such as C--into the binary instructions a computer understands. The forthcoming GCC 4.0 includes a new foundation that will allow that translation to become more sophisticated, said Mark Mitchell, the GCC 4 release manager and "chief sourcerer" of a small company called CodeSourcery.

"The primary purpose of 4.0 was to build an optimization infrastructure that would allow the compiler to generate much better code," Mitchell said.

Compilers are rarely noticed outside the software development community, but GCC carries broad significance. For one thing, an improved GCC could boost performance for the open-source software realm--everything from Linux and Firefox to OpenOffice.org and Apache that collectively compete with proprietary competitors from Microsoft, IBM and others.

For another, GCC is a foundation for an entire philosophy of cooperative software development. It's not too much of a stretch to say GCC is as central an enabler to the free and open-source programming movements as a free press is to democracy.

GCC, which stands for GNU Compiler Collection, was one of the original projects in the GNU's Not Unix effort. Richard Stallman launched GNU and the accompanying Free Software Foundation in the 1980s to create a clone of Unix that's free from proprietary licensing constraints.

The first GCC version was released in 1987, and GCC 3.0 was released in 2001. A company called Cygnus Solutions, an open-source business pioneer acquired in 1999 by Linux seller Red Hat, funded much of the compiler's development.

But improving GCC isn't a simple matter, said Evans Data analyst Nicholas Petreley. There have been performance improvements that came from moving from GCC 3.3 to 3.4, but at the expense of backwards-compatibility: Some software that compiled fine with 3.3 broke with 3.4, Petreley said.

RedMonk analyst Stephen O'Grady added that updating GCC shouldn't compromise its ability to produce software that works on numerous processor types.

"If they can achieve the very difficult goal of not damaging that cross-platform compatibility and backwards-compatibility, and they can bake in some optimizations that really do speed up performance, the implications will be profound," O'Grady said.

What's coming in 4.0
GCC 4.0 will bring a foundation to which optimizations can be added. Those optimizations can take several forms, but in general, they'll provide ways that the compiler can look at an entire program.

For example, the current version of GCC can optimize small, local parts of a program. But one new optimization, called scalar replacement of aggregates, lets GCC find data structures that span a larger amount of source code. GCC then can break those objects apart so that object components can be stored directly in fast on-chip memory rather than in sluggish main memory.

"Optimization infrastructure is being built to give the compiler the ability to see the big picture," Mitchell said. The framework is called Tree SSA (static single assignment).

However, Mitchell said the optimization framework is only the first step. Next will come writing optimizations that plug into it. "There is not as much use of that infrastructure as there will be over time," Mitchell said.

One optimization that likely will be introduced in GCC 4.1 is called autovectorization, said Richard Henderson, a Red Hat employee and GCC core programmer. That feature economizes processor operations by finding areas in software in which a single instruction can be applied to multiple data elements--something handy for everything from video games to supercomputing.

GCC 4.0 also introduces a security feature called Mudflap, which adds extra features to the compiled program that check for a class of vulnerabilities called buffer overruns, Mitchell said. Mudflap slows a program's performance, so it's expected to be used chiefly in test versions, then switched off for finished products.

Also coming will be a preview of technology to compile programs written in Fortran 95, an updated version of a decades-old programming language still popular for scientific and technical tasks, Henderson said. And software written in the C++ programming language should run faster--"shockingly better" in a few cases, Henderson added.

GCC is a very general-purpose compiler. It can handle programs written in languages including C, C++, Java, Fortran, Pascal, Objective-C and Ada. It can generate software for processors including x86 models such as Pentium and Opteron, Sun's Sparc, Hewlett-Packard's PA-RISC, IBM's Power and mainframe processors, Intel's Itanium, MIPS, ARM, Hitachi's SuperH and Motorola's 68000 series.

"The promise of GCC has been portability and cross-platform support over speed," O'Grady said.

GCC has about 10 core programmers, Mitchell said. The commercialization and professionalization wave that arrived with Linux and other high-profile open-source projects has affected GCC.

"In terms of people writing the lion's share of code, most are doing it for a living at this point, in contrast to 10 years ago," Mitchell said. "A lot of the development work is very time-consuming and needs to have a long-term commitment. It's hard to do it during a two-week break during semesters."

CodeSourcery, with about a dozen employees, makes money by selling services around GCC and related low-level programming components such as the GNU C Library (glibc) of pre-written software components. For example, other companies pay CodeSourcery to support new operating systems or processors.

Other options
GCC isn't the only option available to programmers, of course. It's not even the only open-source compiler.

A start-up called PathScale offers an open-source compiler that's compatible with GCC 3.3. "Our company is trying to be the GCC alternative for people who care about high performance," said Len Rosenthal, vice president of marketing for PathScale.

PathScale's compiler is a version of the Open64 compiler released by Silicon Graphics as open-source software. It's in use at several national laboratories for supercomputing tasks, but Rosenthal said the compiler produces faster software even with general-purpose programs.

Rosenthal understands what PathScale is up against with GCC. "It's everywhere," he said. But PathScale still has a strong ambition: "Our goal is to be the default compiler on x86," the chip family that includes Intel's Pentium, he said.

A better-established GCC competitor is Intel, whose compilers are recognized to be the gold standard for software running on x86 chips. James Reinders, director of marketing and business software and the products division, proudly points out that the widely used MySQL open-source database uses Intel's compiler.

But in a curious twist, the very same compiler engineers at Intel also help with GCC. That's because GCC is a crucial tool to bring software to Intel's processors. For example, Intel helped adapt GCC so it could produce software for its Itanium processor, Reinders said.

"Obviously it's well-adopted," Reinders said. "GCC has a role in the community that it would be foolish to think it's not important."

Monday, March 14, 2005

Mozilla freezes Seamonkey

The Mozilla Foundation is shuffling development priorities away from its software suite as the popularity of its Firefox browser soars.

In a letter posted to the nonprofit's Web site Thursday, the group said it would no longer develop features for its Mozilla Application Suite, otherwise known as Seamonkey, nor release a 1.8 version. But it will continue to provide developer support for its current 1.7 version.

Instead, the company will maintain focus on its Firefox browser and Thunderbird e-mail application, as it has since 2003, according to the letter.

"If we ship (Seamonkey) 1.8, we'll need to support that as well, and we just can't manage supporting that many versions as well as Firefox and Thunderbird releases," the letter stated.

The shift comes as Mozilla's Firefox has emerged as a viable rival to Microsoft's dominant Internet Explorer Web browsing software. The open-source software has put Microsoft on the defensive by garnering nearly 27 million downloads since its November final release. Thunderbird has received more than 4 million downloads.

Last month, Microsoft reversed itself and said it would release IE 7 with the next update of Windows XP. Previously, the company had said upgrades to IE would come only as part of the next major version of Windows, code-named Longhorn.

Still, Firefox's market share, which has increased rapidly overall, has begun to grow at a slower pace in the past month.

Saturday, March 12, 2005

MySQL 4.1.10a and 4.0.24 Released

MySQL 4.1.10a and MySQL 4.0.24, new versions of the popular Open Source/Free Software Database Management System, have been released. They are now available for download in source and binary form for a number of platforms at http://dev.mysql.com/downloads/.

Both the 4.1.10a and 4.0.24 releases include fixes for recently reported potential security vulnerabilities in the creation of temporary table file names and the handling of User Defined Functions (UDFs).

Friday, March 11, 2005

Novell to ship Xen in next Linux

The next version of Novell's SuSE Linux product, shipping in mid-April, will let users run multiple versions of the operating system simultaneously, the company said on Thursday.

The support for multiple instances of the operating system in SuSE Linux Professional 9.3 comes through software called Xen, an open-source package that competes with products from Microsoft and EMC's VMware and has won big-name endorsements. Novell is adding the technology, which is useful for a number of tasks, to give programmers new abilities, said Greg Mancusi-Ungaro, director of marketing for SuSE Linux.

Xen provides a foundation called a virtual machine that an operating system thinks is a real computer. Running an operating system on such a foundation provides developers a painless way to test new software without risking damage to a primary computer. For example, they don't have to worry that a crash will corrupt essential system files.

However, Xen is still in fairly raw form. The software will be included with the Linux version but isn't installed by default, Mancusi-Ungaro said.

Novell announced the new Linux version at the CeBIT trade show in Germany on Thursday. The cost in Europe--where SuSE Linux sales are strongest--will be 74 euros ($99), but U.S. pricing won't be set until closer to the product launch date, Mancusi-Ungaro said.

SuSE Linux Professional is geared for desktop computer tasks such as word processing, programming or playing digital videos. Novell hopes Windows users wanting to breathe new life into older computers will be interested.

Novell will offer a "Live DVD" version that can be run directly off a DVD drive to let people experiment with but not install the software. And about eight weeks after release, an installable version will be available for free download, Mancusi-Ungaro said.

SuSE Linux Professional 9.3 also adds the Linphone software for voice over Internet Protocol (VoIP); the Firefox Web browser; and the F-Spot photo organizer software. And it comes with the latest versions of graphical interface software, GNOME 2.10 and KDE 3.4.

The Professional product line changes more quickly and includes newer features than the company's premium product, SuSE Linux Enterprise Server.

Xen is "hypervisor" software that runs directly on a computer's hardware, managing operating system access to memory, input-output subsystem and other resources. So far, Xen only can run modified versions of Linux on x86 processors such as Intel's Pentium, but work is under way to extend it to other operating systems and processor domains.

Red Hat, the No. 1 Linux seller, also has begun adding Xen support to its Fedora version geared for Linux enthusiasts and programmers. The virtualization tasks Xen and its rivals must accomplish are expected to become easier with the arrival of new processor support from Intel in 2005 and Advanced Micro Devices in 2006.

What's wrong with Java?

Big Blue's software business was once considered an industry laggard, anchored to its mainframe business.

Now IBM software is a $15 billion business, happy to use its market clout to influence standards and push open-source software.

But where does a $96 billion behemoth find rapid growth? For IBM, the answer lies in emerging markets around the world and among midsize companies. That's why winning over developers and application providers is a critical goal for IBM's software chief, Steve Mills. The senior vice president and group executive recently spoke with CNET News.com about the company's strategy and weighed in on what he thinks is wrong with the Java community process.

Q: I've spoken with some people who say IBM is fed up with the Java Community Process (which oversees changes to Java). Is IBM dissatisfied?
Mills: We've been vocal on how we think the Java Community Process can improve. It's a community process as long as Sun (Microsystems) agrees with what the community decides to do. Our position has been Java would be better served if it existed in a more democratic standards process, rather than one where one company had super-majority rights over everyone else.

I think the community process works well at times. And at other times it gets bogged in, "Well, what does Sun want?" It ceases to be less a community at that point. But we knew that going in, so there's nothing new there as far as this issue is concerned. We have the view that the market of Java licensees--and for that matter, even Sun--could be better served by an alternative approach. They incur a lot of expense today they would not have to incur if the process operated differently.

Sun has voiced concerns that a change to the process, such as an open-source project model, would result in forking of the standard. Do you think that's a valid concern?
Mills: Well, no. That's silly. Standards can be sustained through standards bodies. If something is Java, it's certifiable to be Java and could be called Java only if it's certifiable as Java. Otherwise you're in violation of a trademark. That can be enforced through a standards-body structure, just as it can be by an individual (company), so I don't see that as a problem.

As open-source products move into more and more areas, will there be more pressure on your low-end Express line? Will you have to charge less for it down the road?
Mills: I'm already as cheap as anything out there. I have no problem with (open-source database company) MySQL, (open-source Java application server) JBoss or those things. I price at the same level for that level of use.

But those products are still worth your development investment?
Mills: The efficiency of development brought on by componentization and design means that for very nominal increments, I can take the basic structure and apply it at the lower end of the market and afford to put a very low price on it. And I hope that, frankly, some customers at the bottom will want more function over time.

The IBM software group has acquired many companies in the past few years--
Mills: We've bought 40 companies in ten years.

How do you choose which companies to acquire?
Mills: We're not buying out of the blue. It's not "Gee, that's interesting, maybe I should buy it" kind of thing. It's not spontaneous purchasing behavior at all. It's a well-thought-out set of notions about things we think we need in our portfolio to meet customer requirements. The acquisitions have worked well as a technique, because we choose well and we spend a great deal of time crafting the integration plan with the company, usually about a year.

How do you integrate these smaller companies into a large organization like IBM and not lose the employees?
Mills: Our view is you can make (a small company) part of a larger company and sustain the energy and the enthusiasm. Those two things are not contradictory of each other. But in order to do that, you got to have a creative way to make them feel part of IBM, while not losing the intrinsic value of what they were doing.

It's not about separation, it's not about names, it's not about brand--those are all externals. When you make (a small company) part of larger IBM--when you leverage it through enormous "go to market" structure, big software sales force, market reach, much wider portfolio, deep capability--(you) can make that small acquisition and properly attach it to the rest of the software organization, and make it a much bigger marketplace initiative.

When IBM acquired Lotus, the idea was to keep it independent.
Mills: That was 10 years ago. It was June of 1995. If you go back 10 years, we didn't have much experience in this, and there were lessons to be learned. Hindsight is always 20/20. Clearly there were aspects of Lotus, Tivoli and earlier acquisitions we did, if we did it again today, we'd do it differently.

Look at Rational (which IBM acquired in 2002). Rational is not separate from IBM. The customer sees it as part of IBM. So they're dealing with IBM. The name can still be there, doesn't have to be in the way.

It's when your name becomes your reason for being. Instead of being what you do, you're about your name. I don't get up in the morning--I'm not like some of these athletes that talk about themselves, "Steve this" or "Steve that." I don't refer to myself in the third person. It's not about "Steve." It's about what I do.

You can't let companies get so egocentric, where it's all about sustaining this identity. It's really about the purpose you're there for--build a business, succeed, grow. That's where you want to anchor the motivation.

Do you expect the pace of acquisitions will stay the same?
Mills: We've been averaging about a half-dozen a year, most of them being small. So there's no reason we can't continue.

What's your take on the view that industry consolidation in software is going to speed up and that midsize companies are going to get squeezed?
Mills: Look, the bigger companies are going to get bigger. And there are going to be more companies. The amount of venture money is roughly comparable to the late 1990s, in terms of dollar amounts. There are lots of new companies being formed all the time. Those that want to harp on consolidation are not looking at the whole spectrum.

Why the push to sign on business partners in emerging markets?
Mills: To grow our business, we need to go wider and deeper. The software vendor community is made up with thousands and thousands of independent software vendors. We're trying to do more business with more people. So it's widening and deepening our market reach.

You often hear about adoption of open-source software, such as Linux, in China. Is that your area of focus?
Mills: We are the largest software provider in China. Our revenues are greater than other companies selling software in China.

Who is the competition in emerging markets?
Mills: The usual suspects. All the multinationals.

Several times, IBM has said that the small and medium-size business is a "must-win" battle for the company. Is that where the growth in the industry is?
Mills: Oh, for sure. It's not that there isn't growth with larger businesses as well. Given our size and our aspirations, we have to extend into the midmarket.

There's a lot of business there that we're not getting to. And we're not going to get to it without a business partner network that's not bigger in size.

Thursday, March 10, 2005

Torvalds switches to Apple

Linux creator Linus Torvalds is now running an Apple Macintosh as his main desktop, largely for work reasons but also because he's not one to pass up a bargain.

Torvalds, who initially created Linux for the Intel x86 platform, revealed to the Linux Kernel Mailing List in February during a discussion on kernel size reduction that his main desktop machine no longer featured an x86 processor. Hence, Torvalds said, a patch specific to the x86 platform that he was submitting to the list for consideration was totally untested.

ZDNet Australia was intrigued by this remark and sought to question Torvalds on why the man who helped revolutionize the use of Unix on the x86 platform would move away from it, and where he had moved to.

Torvalds' response came quickly and succinctly. "My main machine these days is a dual 2GHz G5 (aka PowerPC 970)--it's physically a regular Apple Mac, although it obviously only runs Linux, so I don't think you can call it a Mac any more ;)" he wrote.

"As to the why...Part of it is simply that I wanted to try something else, and I felt like there were enough people testing the x86 side that it certainly didn't need me. Part of it is that I personally believe there are two main architectures out there: Power and x86-64 are what _I_ think are the two most relevant ones, and I decided that I had to at least check the other side of it out seriously if I really believed that," he wrote.

But the kernel guru sought to stop any potential accusations of favoritism in their tracks: "And don't read anything really deep into that--Linux supports 20+ architectures, and the fact that I personally think that two of them are more likely to be the most relevant really doesn't mean all that much. It's just a personal quirk of mine."

As it turns out, this key figure behind the Linux insurgency is probably not all that different from any other technology enthusiast.

"Oh, and part of it is that I got the machine for free," said Torvalds. "I'm really a technology whore."

He did not specify who provided the computer.

Tuesday, March 08, 2005

Wipro, Red Hat team up

Wipro Infotech announced a tie-up with global Linux vendor Red Hat to offer Linux services to enterprises in India, here on Monday. This will be Wipro Infotech's first move to offer Linux services in India.

A statement released by the company said that as part of the agreement, Wipro Infotech will offer application, migration, upgrading, desktop and enterprise management services, apart from basic services, to Linux customers.

The company will also provide consulting resources to customers to enable them to choose solutions with optimal performance that improve productivity and time to market.

"With this move, Wipro's services offerings will be a one-stop shop for customers, irrespective of the operating environment they use," said T D Thandava Murthy, chief executive, Wipro services.

Monday, March 07, 2005

Red Hat exec takes over Open Source Initiative

The Open Source Initiative, a group seeking to become more influential in matters concerning the cooperative-programming philosophy, has seen its second change of leadership in less than a month.

Michael Tiemann, vice president of open-source affairs at Linux seller Red Hat and an OSI board member, has taken over from Russell Nelson as president pro tem, Red Hat and Nelson confirmed on Friday.

The Open Source Initiative grants official open-source status to various software licenses and now is working to reduce the number of such licenses.

Nelson was named OSI president Feb. 1, taking over from co-founder Eric Raymond. Tiemann took over Feb. 23 and will continue in his role at Red Hat.

"We thought that Michael would be a better president," Nelson said of the change, declining to share further details. Nelson will remain a board member and active in the group, he said.

He and Tiemann will be getting more company on the board, however: OSI plans to expand the board from five members to nine, Nelson said.

"If we're going to take on more work, we need more people," he said. OSI also wants better international representation from areas such as Brazil that are active in open-source software.

Among the projects OSI hopes to tackle are reducing the proliferation of open-source licenses--not an easy task--and creating a matrix that will enable people to compare details of all open-source licenses, Nelson said.

Friday, March 04, 2005

Removable Drives and Scanners in Linux

It’s been a while since I checked out the “Stealth Desktop” article series by Eduardo Sánchez at Open for Business, so I thought I’d pop over and sniff around. Part IV of the series, “Removable Drives and Scanners”, was posted back in September. Guess it has been a while…

Experienced users aren't going to get much out of this, as it primarily deals with... well, mounting removable drives and accessing scanners. However, newbies among you may get some good information. Specifically, Eduardo explains the /etc/fstab file and shows us what we can expect in mounting floppies and CD-ROM drives, including external USB units.

The scanner section is also rather straightforward, and will show you how to find out where your scanner is mounted on the /dev filesystem tree. Also, if you've been having trouble getting Xsane to work, there's a great tip on using a binary off the manufacturer's CD to apply the firmware to your scanner.

The article series focuses on the Slackware distribution, but much of the information Eduardo discusses applies to a broad range of distros or involves using standard KDE tools.

If you find yourself interested in the first articles in the series, here are some quick links:

Part I: Finding a New Distro (why he chose Slackware)
Part II: Sight and Sound (getting audio and video working)
Part III: Managing Users, Fonts and Printers (self-explanatory)

Eduardo closes by saying he plans one more article in the series to cover getting online and installing new software. Near as I can tell, that article has not yet appeared. However, OFB's search feature appears to be broken, so it might be worth trying again in a few days.



SQLite Database: which one is the fastest?

The race is on at sqlite.org, where they conduct a series of speed tests for Linux databases using SQLite 2.7.6, PostgreSQL 7.1.3, and MySQL 3.23.41.

SQLite finishes first, MySQL is the runner-up, with PostgreSQL trailing the pack.

Note to Access users: MySQL can do 25,000 inserts in two seconds. SQLite can do it in less than one second. While Access is great for desktop work, I shudder to think how it would stack up in this test.

A summary of the test:

  • SQLite 2.7.6 is significantly faster (sometimes as much as 10 or 20 times faster) than the default PostgreSQL 7.1.3 installation on RedHat 7.2 for most common operations.

  • SQLite 2.7.6 is often faster (sometimes more than twice as fast) than MySQL 3.23.41 for most common operations.

  • SQLite does not execute CREATE INDEX or DROP TABLE as fast as the other databases. But this is not seen as a problem because those are infrequent operations.

  • SQLite works best if you group multiple operations together into a single transaction.

The results presented here come with the following caveats:

  • These tests did not attempt to measure multi-user performance or optimization of complex queries involving multiple joins and subqueries.

  • These tests are on a relatively small (approximately 14 megabyte) database. They do not measure how well the database engines scale to larger problems.
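As an added illustration of the last point in the summary (this is not code from the sqlite.org benchmark), the script below inserts the same rows once as individual autocommit statements and once inside a single transaction, so the cost of per-statement commits can be measured directly. The table layout and row data are constructed for this example.

```python
import os
import sqlite3
import tempfile
import time


def make_rows(n: int) -> list:
    """Constructed sample rows (integer, integer, text), in the spirit of the
    simple tables used by the sqlite.org speed tests."""
    return [(i, (i * 7) % 100000, f"row number {i}") for i in range(n)]


def bulk_insert(db_path: str, rows: list, single_transaction: bool) -> tuple:
    """Insert `rows` into a fresh table and return (row_count, elapsed_seconds).

    With single_transaction=False every INSERT is its own implicit transaction,
    so SQLite must journal and sync the file once per row.  With
    single_transaction=True all rows are written under one BEGIN/COMMIT, which
    is the grouping the benchmark summary recommends.
    """
    # isolation_level=None puts the connection in autocommit mode, so the only
    # transaction boundaries are the ones this function issues explicitly.
    conn = sqlite3.connect(db_path, isolation_level=None)
    try:
        cur = conn.cursor()
        cur.execute("DROP TABLE IF EXISTS t1")
        cur.execute("CREATE TABLE t1(a INTEGER, b INTEGER, c TEXT)")
        start = time.perf_counter()
        if single_transaction:
            cur.execute("BEGIN")
        for row in rows:
            cur.execute("INSERT INTO t1 VALUES (?, ?, ?)", row)
        if single_transaction:
            cur.execute("COMMIT")
        elapsed = time.perf_counter() - start
        count = cur.execute("SELECT COUNT(*) FROM t1").fetchone()[0]
        return count, elapsed
    finally:
        conn.close()


def compare(n: int) -> dict:
    """Run both variants against an on-disk database in a temporary directory
    (an in-memory database would hide the per-commit sync cost)."""
    rows = make_rows(n)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "bench.db")
        autocommit = bulk_insert(path, rows, single_transaction=False)
        grouped = bulk_insert(path, rows, single_transaction=True)
    return {"autocommit": autocommit, "one_transaction": grouped}


if __name__ == "__main__":
    # 25,000 rows matches the figure quoted in the post; the autocommit run
    # can take a while on a disk that honours fsync.
    for mode, (count, secs) in compare(25000).items():
        print(f"{mode:16s} rows={count} time={secs:.3f}s")
```

Besides speed, the single-transaction form is atomic: an interruption part-way through leaves either all rows or none, instead of a partially loaded table.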


Firefox 1.0.1 out, takes care of most security bugs


Here is Chris Charlton's summary of what's new in Firefox 1.0.1:

  • Improved stability
  • International Domain Names are now displayed as punycode. (To show International Domain Names in Unicode, set the "network.IDN_show_punycode" preference to false.)
  • Several security fixes.



Firefox 1.0.1 aims to fix a slew of vulnerabilities. Foremost among those are domain-spoofing and cross-site scripting bugs. According to the Mozilla Foundation, 1.0.1's release was pushed forward in order to take care of the International Domain Name bug. That particular bug results from Firefox's implementation of the IDN specification, which allows the use of non-English characters in URL names. So substituting the "a" in amazon.com with the look-alike Cyrillic letter "а" will result in Firefox displaying "аmazon.com" in the address bar, while directing users to an entirely different site. The IDN issue is not unique to Firefox, as it also affects Opera, Safari, and OmniWeb — but not Internet Explorer.

Also fixed is another bug that enables web sites to force content into another site's window if the target name of the window is known. This could result in a malicious Web site spoofing the content of a pop-up window opened from the second site. Left unpatched for now are a Java plug-in tab spoof which can occur when opening untrusted sites in a new tab, and a cross-domain cookie-injection bug. The Mozilla Foundation is working with Sun to fix the Java spoof and is collaborating with Opera and Safari to find a solution to the cookie-injection bug.

Based on the reactions of some early adopters, 1.0.1 could have used a little more quality assurance testing before its release. The primary problem that is affecting multiple users is Firefox 1.0.1 crashing when a user types a query into a search bar, a rather irritating bug that should have been caught. It seems to affect mostly those people who installed 1.0.1 on top of 1.0. One solution is uninstalling 1.0 and then installing 1.0.1, and according to Bugzilla, that bug has since been fixed.

Since its 1.0 release last fall, Firefox has been downloaded over 25 million times and has made some significant market share gains against Internet Explorer. With increased market share will come increased attention, not only from users and the press, but from malware writers as well. Keeping quality updates coming to address security bugs in a timely fashion will go a long way towards maintaining the buzz and momentum.
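As an added defender-side example (not code from the article or from Mozilla), the following Python shows both halves of the IDN fix described above: rendering any non-ASCII hostname in its punycode (xn--) form, as Firefox 1.0.1 now does by default, and flagging labels that mix scripts, which is how a Cyrillic "а" ends up inside an otherwise Latin "amazon.com". The sample hostnames are constructed for this example, and the script heuristic (deriving a character's script from the first word of its Unicode name) is an assumption of this example, not a standard IDN check.

```python
import unicodedata

# Constructed sample hostnames (not from the article); the second mirrors the
# amazon.com example, with CYRILLIC SMALL LETTER A (U+0430) in place of "a".
SAMPLE_HOSTS = [
    "amazon.com",
    "\u0430mazon.com",
    "b\u00fccher.de",                                      # Latin with a diacritic
    "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444",  # entirely Cyrillic
]


def label_scripts(label: str) -> set:
    """Scripts (LATIN, CYRILLIC, ...) used by the letters of one DNS label.

    Heuristic assumed for this example: Unicode character names start with the
    script name, e.g. "CYRILLIC SMALL LETTER A". Digits and hyphens are
    script-neutral and are skipped.
    """
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def is_mixed_script(hostname: str) -> bool:
    """True when any single label combines more than one script, the pattern
    behind the look-alike spoof described in the article."""
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


def to_punycode(hostname: str) -> str:
    """ASCII-compatible (xn--) form of a hostname via the stdlib idna codec;
    labels that are already ASCII come back unchanged."""
    return hostname.encode("idna").decode("ascii")


def display_form(hostname: str) -> str:
    """What the address bar should show under the 1.0.1 default: punycode for
    any hostname containing non-ASCII characters, so a look-alike letter cannot
    hide inside a familiar-looking name."""
    return hostname if hostname.isascii() else to_punycode(hostname)


def classify(hostname: str) -> dict:
    """Fields a defender would want logged for a hostname seen in a URL."""
    return {
        "display": display_form(hostname),
        "non_ascii": not hostname.isascii(),
        "mixed_script": is_mixed_script(hostname),
    }


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(classify(host))
```

Note that an all-Cyrillic name is legitimately non-ASCII and passes the mixed-script check; the punycode display and the script check answer different questions, which is why both are reported.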


Google's secret of success? Dealing with failure

The technical wizardry behind Google's successful search engine may come down to a blindingly obvious insight: PCs crash.

On Wednesday, Urs Hoelzle, a vice president of engineering and of operations at the search giant, shed some light on how Google's data centers operate. Many people consider the company's operations expertise more valuable than the actual search algorithms that launched the enterprise.

Hoelzle spoke at EclipseCon, a conference for application programmers that's going on till Thursday here.

The way Google has been able to build out its computing infrastructure for millions, rather than tens of millions, of dollars is by buying relatively cheap machines. Looking at hardware costs, company engineers saw that purchasing a few high-end servers, with eight or more powerful processors, costs significantly more than dozens of simpler "commodity" servers.

The trick is to make these racks of hardware operate in tandem and to ensure that the failure of one machine does not derail an operation, such as returning a search query or serving up an ad.

Consider a home PC, Hoelzle said. Optimistically, a consumer PC might crash once in three years from a software glitch or hardware problem.

"At Google scale...if you have thousands of PCs, you can expect one (failure) a day," he said. "So you better deal with that in an automated way, or you will have service outages."

Google, known for its rigorous hiring practices aimed at attracting the brightest minds in computer science, has created a number of software tools to handle its computing installation.

The company wrote its own file system, called Google File System, which is optimized for handling large, 64 megabyte blocks of data. Significantly, the file system was designed to assume that a failure, such as a failed disk or unplugged network cable, can happen at any time.

Data is replicated in three places, and there is a "master" machine that can locate copies of a piece of data, such as a keyword index, if the original is out of commission.

"You make the software tolerate failures. If you can expect failures, then this is what makes cheap commodity PCs viable for Internet services," Hoelzle said.

Google's PC servers, which number in the thousands, run a stripped-down version of Linux, which is based on the Red Hat distribution but is really just the operating system kernel modified for Google, he added.

The company has also devised a system for handling massive amounts of data and returning rapid responses to queries. Google splits the Web into millions of pieces, or "shards" in Google tech speak, which are replicated in case of failure.

Not surprisingly, the company creates an index of words that appear on the Web, which it stores as an array of large files. But it also has document servers, which hold copies of Web pages that Google crawls and downloads.

Another important engineering feat done by Google is to make writing programs that run across thousands of servers very straightforward, according to Hoelzle. Normally, building applications to run in a "parallel" configuration of servers requires specialized tools and skills.

Google's programming tool, called MapReduce, which automates the task of recovering a program in case of a failure, is critical to keeping the company's costs down.

"Cost is really the sum of what the equipment you need to do the work costs and how much programming time you need to put into getting something useful," Hoelzle said, adding that Google has started using MapReduce more widely over the past year.

Finally, Google has created "batch" job scheduling software that acts as a sort of taskmaster for millions of operations. Called the Global Work Queue, it breaks up computing jobs into many smaller tasks and distributes them across machines.

For all its built-in redundancy in case of failure, the system doesn't address all problems, Hoelzle revealed. During the presentation, he showed a photo of six fire trucks responding to an emergency at a Google data center in an undisclosed location.

He would not reveal any specific details on the mishap except to say that "it wasn't about one machine going down."

In a follow-up interview with CNET News.com, Hoelzle said the cost of power is another important factor in Google's data center designs.

"The physical cost of operations, excluding people, is directly proportional to power costs," he said. "(Power) becomes a factor in running cheaper operations in a data center. It's not just buying cheaper components but you also have to have an operating expense that makes sense."