Happy Birthday LibreOffice
By Sean Michael Kerner | September 28, 2011
From the 'Time Flies' files:
Has it been a year already? Time sure does fly.
This week The Document Foundation celebrated its 1-year anniversary. That's 1 year since they forked OpenOffice to go a new route with LibreOffice.
A year ago, I was skeptical that OpenOffice would survive the split. As it turns out, Oracle has a lot of fight in them and hey they never give up easily either.
Oracle's Apache OpenOffice project is alive and time will tell how well it is progressing. But it is still around.
LibreOffice on the other hand has become the default/de facto standard open office suite for Linux distros. It is also the tool that I rely on to make my living as a journalist. I use LibreOffice every day and am thankful to all those that contributed to it and made it what it is:
A functional office environment that I can run without the need to buy more RAM on a regular basis.
Let's face facts here: OpenOffice is bloated and takes way too many system resources. LibreOffice has improved that significantly, but there is still clearly much work to be done.
According to the Document Foundation there are some 25 million users of LibreOffice today. The code has come from 330 contributors that have made more than 25,000 commits. They also note that SUSE and community volunteers new to the project have provided around 25 percent each of the commits, with a further 20 percent coming from RedHat and another 20 percent coming from the OpenOffice.org code base.
Happy Birthday and I can't wait to see what's in store for year two!
CentOS goes continuous
By Sean Michael Kerner | September 27, 2011
From the 'Just Release 6.1 Already' files:
The CentOS Linux distribution has a problem. They were months late in getting CentOS 6 released and as a result CentOS 6 users were not getting the most up-to-date security patches.
CentOS is a clone of Red Hat Enterprise Linux (RHEL). RHEL 6.1 was released in May, providing Red Hat's customers with new hardware and security updates. CentOS is still not out with a CentOS 6.1 release, but they're not leaving their users hanging.
"There is now a Continuous Release repository for CentOS 6 which aims to keep users secure by including patches that will show up in a future CentOS 6.1 release," Karanbir Singh wrote in a posting. "This repository contains rpms to be included in the next CentOS-6.x release ( 6.1 ). Because these include security and bugfix updates, we strongly recommend everyone using CentOS-6 install and update their system using this repository."
This is good news for CentOS users. It means that you can actually deploy CentOS 6 without painting a target on your server.
I suspect that many CentOS 5.x users have delayed the CentOS 6 migration due to security concerns and this new repository might be a big help.
Then again, CentOS does keep up to date with RHEL 5.x at a significantly faster pace (blame Red Hat's packaging for RHEL 6?). It's not clear to me whether or not CentOS will be able to keep the same pace for RHEL 6.x as they do for 5.x. With a continuous release repository though, does it really matter anymore?
CentOS 6.x users will get patches much faster than waiting for the big milestone release. It is important to remember though that RHEL updates are more than just security updates, they're also hardware and feature updates too.
Linux 3.1 release delayed for kernel.org and Linus' vacation
By Sean Michael Kerner | September 22, 2011
From the 'Merge Window Dynamics' files:
The Linux kernel is developed and released at a rapid pace that seems to almost never slow down.
For the upcoming Linux 3.1 kernel, it's a pace that will be just a bit slower in terms of the actual release due to a number of factors.
For one, kernel.org remains offline after a reported hack at the end of August. Yes I know that development continues at GitHub but Linus Torvalds wants to do the Linux 3.2 merge on kernel.org.
The other factor is that Linus is going on vacation.
"It is becoming clear that I might as well not release the final 3.1 until after my upcoming vacation early October - otherwise the next merge window would just be total chaos," Torvalds wrote in an LKML post. "A merge window with kernel.org being off just really wouldn't work, and doing a release only to then have some chaotic merge window followed by travel seems crazy."
There is also at least one other reason for the (slight) delay that will affect the Linux 3.1 release. Torvalds also had some 'issues' with some untested patches that came in at the beginning of the week.
"I really wanted to release -rc7 today. But no way am I applying these kinds of totally untested patches," Torvalds wrote on Monday. "Can you guys please get your act together?"
I suppose there are a number of reasons why a merge using Github won't work (well), and clearly Torvalds knows best when it comes to trying to avoid merge chaos. Let's all just keep our fingers crossed that the good folks at kernel.org have everything set and are good to go after Torvalds enjoys a well-deserved vacation.
Red Hat Engineer Calls out Windows 8 Secure Boot as a Linux Risk
By Sean Michael Kerner | September 21, 2011
From the 'GRUB Killer' files:
Red Hat developer Matthew Garrett has discovered a potential Linux-killing feature in Windows 8.
Microsoft's next major OS is set to include a secure boot. The system will prevent any executable from loading unless it is signed by a specific set of keys. The problem with that is that a non-key signed executable - say Linux - might not be able to be put on a piece of hardware that has been built for Windows.
That's a problem.
Many of us (myself included) have hardware that was originally running Windows (the so-called Microsoft tax). That hardware has since been re-imaged or dual-booted to load something else, namely Linux.
The Windows 8 secure boot process could potentially eliminate that ability on new hardware.
"Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled," Garrett blogged. "A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux."
That said, Garrett added that "there's no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code."
In my view there are a few potential solutions to this issue:
1) Buy bare metal. If you buy a bare metal machine without the Microsoft tax then this isn't going to be an issue.
2) Grub replacement. As it stands Grub would likely not work under a strict interpretation of Microsoft's safe bootloader approach. That said, when something doesn't work in open source, there is an 'itch to scratch' and history has shown us that itches don't get left unscratched for long.
3) It won't happen with small vendors. Big vendors like Dell, HP and Lenovo are likely to preload and be part of this program. Smaller vendors that pre-load on site likely won't and will find their own workarounds too.
4) Virtualize. No, this is not an ideal solution... but if the secure boot can be linked to say Hyper-V (I know...), easy enough to run Linux virtualized.
None of these solutions are ideal and the Windows 8 secure boot could be a real problem. The good news is that developers like Matthew Garrett are watching. Microsoft isn't going to surprise anyone this time.
Monty's Problem with MySQL
By Sean Michael Kerner | September 20, 2011
From the 'Open Core is not Open Source' files:
The open source MySQL database became the popular success that it is today, due to the fact that it is open source. MySQL is freely available and in the beginning, all of its features were too.
Things changed over the years, MySQL went corporate, there was an Enterprise Edition, dual licensing and oh yeah they were acquired by Sun and then Oracle.
Oracle recently released a number of commercial extensions to MySQL which the founder of MySQL, Monty Widenius isn't too fond of. Then again, Monty wasn't fond of commercial extensions at MySQL AB or under Sun either.
Monty's issue isn't about making money from open source, it's about locking users into an open core model.
"What is most important to understand about an Open Core project is that it has nothing to do with an open source project," Monty blogged. "If you are depending on a single closed source component then you have to regard the whole project as a closed source project as you lose all the benefits of open source."
Monty added that at least one of the components that is now set to be a closed source module is a Thread pool feature that wasn't originally developed by Oracle.
"The thread pool was originally developed by Ebay for MySQL 5.0 and contributed to MySQL to be included in MySQL 5.1," Monty blogged. "Only the new scheduler interface code was added to MySQL 5.1 while the thread pool itself was added (but accidentally with a slower implementation) into MySQL 6.0. Oracle never back ported the thread pool code to the MySQL 5.5 community version and now also the MySQL 6.0 tree is deleted."
That issue aside, the open source model does work, since Monty's MariaDB (which is a fork of MySQL) has the same thread pool technology. Thanks to the open source licensing that is the core of MySQL, Monty has been able to build MariaDB as a fork providing choice to users.
Those that don't want to pay Oracle have a choice. The core of MySQL remains free and Oracle does continue to build it out in a more aggressive manner than Sun ever did. Oracle was able to push out MySQL 5.5 and version 5.6 is now in preview.
If by some chance Oracle did move to strangle MySQL open source code, MariaDB is there and Monty is clearly ready to step in and reclaim leadership. Isn't open source great?
Lightning Set to Strike at Mozilla
By Sean Michael Kerner | September 20, 2011
From the "It's About Time!" files:
One of the big things that Mozilla's Thunderbird has been missing for years is a calendar. It's usually the number one thing I hear about whenever anyone compares Thunderbird against Outlook.
That's where the Mozilla Lightning project is supposed to come in - providing a Calendar plugin (based on Mozilla Sunbird) for Thunderbird.
The only problem is that the project has seemingly been delayed, for years.
The last time I wrote about Lightning was nearly two years ago, when we were all expecting Lightning 1.0 to be released.
Guess what? After years of debate and delay, Lightning 1.0 is being released this month. September 27th to be precise.
"...some users and especially corporate users are cautious when they read beta and don't see that it has the same quality as all our other releases," Mozilla developer Philipp Kewisch wrote in a blog post. "Aside from that we also had trouble with uploading releases to addons.mozilla.org (they are automatically marked beta and require admin intervention to make them public for everyone) and we are constantly in need of new sub-version numbers."
Mozilla's Calendar efforts have lagged behind for years, so it's great to see this change. Sure, it's mostly a nomenclature change, but it is a significant one that will bring new life to Sunbird and Lightning.
It's a move that is looooooong overdue.
Mike Shaver Leaves Mozilla, again
By Sean Michael Kerner | September 15, 2011
From the 'He'll be Back' files:
Mozilla project founding member, Mike Shaver today announced his resignation from Mozilla.
Shaver has a long and colorful history with Mozilla, going back to its original home at Netscape and AOL. The last I had heard was that Shaver was the VP of Engineering at Mozilla - a position he inherited after Mike "Schrep" Schroepfer left for Facebook in 2008. Mozilla's PR team however has advised me that he is currently Vice President of Technical Strategy.
In any event, he's leaving and we don't know who will be replacing him (if anyone can).
"I’ve decided that it’s time for me to move on from the Mozilla Corporation, where I have enjoyed 6 years surrounded by incredible people doing incredible things on (and to) the web. I haven’t yet decided what’s next, though I have some exciting opportunities to explore," Shaver wrote in a blog post.
Mozilla sent me the following statement about Shaver's resignation:
"Mike's made tremendous contributions to Mozilla over the past decade in a variety of technical and executive leadership roles. He's left a legacy of outstanding managers and leaders across the organization. While we'll miss his day-to-day contribution, we look forward to his continued involvement as a long-standing and respected leader in the Mozilla project."
This isn't the first time that Shaver has left Mozilla, as a project anyways.
Back in the year 2000, Shaver left the then fledgling Mozilla.org project, which at the time was operating within AOL's Netscape division. Yeah, I know Mozilla of the year 2000 and 2011 are two very different beasts, part of that is due to Shaver's influence.
Personally, I don't think this is the last we'll see of Shaver as a Mozilla staffer. Mozilla is a project that creates a family atmosphere amongst its team.
In any event, best of luck to you Mike -- wherever your path takes you.
CentOS gets with the RHEL 5.7 Program
By Sean Michael Kerner | September 14, 2011
From the 'Catching Up' files:
CentOS took a lot of flak from all angles around the extremely delayed release of CentOS 6. That was a release that came out in July, some 8 months after the upstream Red Hat Enterprise Linux 6 release.
While CentOS lagged on RHEL 6, they're doing much better keeping up with RHEL 5.x.
That's a great thing for CentOS and its large community of users. There are a lot of enterprises and hosting vendors that rely on CentOS and it's critical that they have up-to-date distros. Sure those same groups could just pay for RHEL, but hey why pay when you can get it for free?
CentOS still isn't quite out of the woods when it comes to tracking RHEL. Oracle is still significantly faster and Scientific Linux has been pretty good too. It still remains to be seen how well the project can keep up on the RHEL 6.x side too, which is another key challenge that CentOS will need to overcome, sooner rather than later.
In terms of features for CentOS 5.7, security is the big winner this time around. CentOS 5.7 (like RHEL 5.7) includes OpenSCAP which is an open source implementation of the Security Content Automation Protocol (SCAP) framework for creating a standardized approach for maintaining secure systems.
It's time to name Fedora 17 - Make It So Picard!
By Sean Michael Kerner | September 13, 2011
From the 'Where's Beefy Miracle?' files:
It's that time of year again - when the Fedora community is asked to come up with the name of an upcoming Fedora release. This time it's Fedora 17, which won't be out until 2012.
Fedora 16 is currently set for release on November 1st and has the codename Verne.
The way that the Fedora naming system works is that there is supposed to be some kind of connection in name to the previous release. The Fedora 15 release was codenamed Lovelock.
"The link between Lovelock and Verne was 'both are names of futurologists,'" the Fedora wiki explains. "The link between Verne and the new Fedora 17 release name must be different than that link, and different from any other previous link."
There are already some great names listed on the Fedora wiki as possible candidates for Fedora 17. My personal favorite is:
No, this is not a reference to Jean-Luc Picard, Captain of NCC-1701D and E in Star Trek:TNG. The Fedora wiki notes:
Auguste Piccard was a Swiss physicist, inventor and explorer and invented a deep boat called Bathyscaphe - btw this would be a great name as well - which reached a record maximum depth of about 11,000 meters.
The Fedora Project is accepting name ideas until September 20th.
Good Luck Linux Foundation
By Sean Michael Kerner | September 13, 2011
From the 'So Say We All' files:
I'm a huge fan of The Linux Foundation. It has had an incredibly positive impact on the Linux landscape. It is a unique vendor neutral organization that is an essential and integral part of Linux.
The Linux Foundation this week was hit by a security breach that has taken its sites including LinuxFoundation.org and Linux.com offline.
Yes, I really feel for the Linux Foundation, I know from experience that dealing with security breaches is a time consuming and involving process. Forensic analysis of logs and events is a challenging thing to do, especially when it's not entirely clear what you're looking for.
It's not clear at this point precisely where the breach came from that hit the Linux Foundation. I suspect (not having any direct information other than what has been publicly disclosed) that one user was somehow taken over (via password sniffing or..?) and then that account was used as a basis for some kind of privilege escalation within the system. It's not an uncommon scenario and one that isn't easy to deal with.
The Linux Foundation has disclosed that they don't store passwords in plaintext.
"However an attacker with access to stored password would have direct access to conduct a brute force attack," the Foundation has stated.
In any event, this is something that I hear about both theoretically and otherwise in session after session at Black Hat in any given year. None of us are immune.
I personally wish the great people at the Linux Foundation the best of luck and success in quickly identifying root cause. I also hope they can quickly come up with best practices to prevent such incidents in the future.
While I know that a breach is not something anyone ever wants, I would suspect that out of this event, the Linux Foundation and its sites will be even more secure than before.
As a user and fan of all things that the Linux Foundation does, I'm looking forward to their quick return to full service.
Video: Inside the new Mozilla Toronto Office
By Sean Kerner | September 09, 2011
From the 'Moving Up' files:
Mozilla Toronto recently moved offices and I got the chance to check out their new digs.
Their former offices certainly weren't the worst in tech, but they weren't the best either. The new Mozilla Toronto office is significantly larger than the old one, it's got hardwood floors, great coffee and lots of collaboration space. There is a mix of open concept workspace, hangout space, real offices and conference rooms.
It's a great space for Mozillians to work and talk about the web and make it a better place for us all.
The problem with github
By Sean Michael Kerner | September 08, 2011
From the 'Ok, maybe Kernel.org is better for Linux' files:
Earlier this week, I blogged about my hope for Linux moving permanently to Github. I'm a huge fan of github and it works well for me and tens of thousands of others.
But as it turns out, it doesn't work out to be the best choice for Linux kernel development.
This week, Linus Torvalds has already posted multiple messages to LKML which show the problems with Github as it currently exists.
"Guys, when using some general git hosting site, I really want some proof that you are you. Not just a "please pull"," Torvalds wrote. "Tell me *why* I should believe that this is a real pull request from the proper source. Otherwise I'll just wait until kernel.org is back to life, where random people can't just create repositories and send email."
That's a problem isn't it?
Github's great strength is that it has no barriers to entry. But that strength is also a risk when you can't verify authenticity of ownership. Yes there are solutions.
Sure github could enforce some kind of crypto signature setup or other common type of identity authentication, it's not that hard. I suppose this is a time-based problem.
If kernel.org service is restored in the next week, I suspect Torvalds will move back to kernel.org without hesitation. But what happens if it's a month?
I have no doubt that the longer the kernel.org outage persists, the more likely Torvalds (or someone else) will create solutions that solve the github problems. In a system where anyone can build a tree, trust does take time.
Linux should move to github, permanently
By Sean Michael Kerner | September 06, 2011
From the 'Kernel.org Hack Fallout' files:
Last week's hack of kernel.org is an event that should never have happened. Yes it's true that the nature of Linux development means that the kernel itself isn't at much risk from the actual hack. The fact that kernel.org maintainers were unaware of the hack for 17 days is extremely disturbing.
The hack has disrupted operations on kernel.org which has prompted Linus Torvalds to release Linux 3.1 rc 5 on github - that's right github - instead of kernel.org.
Now officially speaking at this point, Torvalds has stated that the github repo will become just another mirror once kernel.org is restored.
From my personal perspective, I'm hoping that the github site remains the core site for kernel development.
Even now, kernel.org does not list the Linux 3.1 rc 5 link (even as a link to Github) and who knows how long it will take kernel.org administrators to finish their security audit. I think that it is entirely conceivable (and maybe even probable) that the Linux 3.1 release itself will be made available first on Github as well.
Github is a good home for Linux. Sure Github is 'just' a hosting repo site for Linus' kernel git tree but it has got great tools and a usable interface too.
There are a lot of people (myself included) that spend lots of time on github and having Linux there is really a step forward. Github's built-in site tools make it easier/faster for regular humans to look at and work with code (and hey we can't forget the cloning) all through a browser interface.
Just take a look at the stats on Github already for Linux, after barely 24 hours of Linux availability. There are already 1,943 watchers and 126 forks; from an activity perspective there have been nearly 50,000 page views for the project since it was launched.
Having Linux on Github also means that Linux benefits from the security, management and infrastructure that Github already has - that's an economy of scale that the great people at kernel.org (talented and dedicated as they are) can't match.