Linux Foundation: A Couple of Links

January 29, 2007 on 5:39 pm | In Linux, Desktop Environments & Window Managers | 3 Comments

As you may have heard, the LSB and OSDL merged recently to form the Linux Foundation. There are high hopes that the Linux Foundation will further standardise the main desktop environments and their underlying APIs, package management, and Linux in general. Here are a few links which may give you a better insight into the aims and goals of the Linux Foundation and why standardisation is required (particularly with the desktop environments):

  • Linux Foundation: Corporate Lackey or Linux Savior? – This is an interview of Jim Zemlin, the Linux Foundation’s executive director. This provides a look into the future of the Linux Foundation and how it will support the growth and development of Linux. It’s well worth the read!
  • Editor’s Note: Orphaned Desktop Environments — This is an article by Brian Proffitt, the editor of the Linux Today news website, concerning the topic of desktop environment/user interface standardisation and why it is required. Which desktop environment, GNOME or KDE, will get the guillotine? Hopefully neither.

Mandriva 2007 Metisse Edition

January 28, 2007 on 9:06 pm | In Linux, Distributions, Desktop Environments & Window Managers | 2 Comments

I’ve tried out Mandriva 2007 Metisse Edition and have discovered a few things which I would like to share:

  • Metisse kicks ass, and there’s no doubt about it. The window-rolling copy and paste feature is beautiful in its simplicity and ease-of-use, and I just couldn’t stop playing with it ;)
  • It also offers transparency,
  • smooth transitions between virtual desktops (there are nine of them by default in Mandriva 2007),
  • and makes using Linux even more fun than it was before.

However, in my opinion, it’s still not ready for prime time: there are still a good number of bugs which need to be fixed. I encountered the following:

  • A slight jitter of the whole screen when I dragged the bottom of the window beneath GNOME’s bottom toolbar;
  • gnome-screenshot refused to work, which is why I have not included any screenshots in this post - first, it worked, but the screenshot ended up being a screenshot of the background alone (no windows or toolbars were included). I think this was because of Metisse running an X server over X, and so gnome-screenshot was taking a screenshot of the lower display rather than Metisse’s. However, all attempts to change the display used by gnome-screenshot were in vain. Then, gnome-screenshot stopped working altogether and kept exiting with an error.
  • Not really a ‘bug’ per se, but the window folding is quite rough - it would be nice to have an option of setting the smoothness and thus the CPU-intensiveness of the folded edge.

The inclusion of proprietary drivers (and automatic recognition of your graphics card) makes this experience possible, but unfortunately brings with it its share of criticisms (and for valid reasons). While I do not condone the use of proprietary drivers, although I will freely admit that I use them on every one of my Linux installations, I highly recommend you give this live CD a spin, if only to make good use of your time by playing with Metisse’s features!

Metisse: A Work of Art

January 27, 2007 on 2:45 am | In Linux, Desktop Environments & Window Managers | 2 Comments

On first look, you would think that Metisse is just ‘another 3D desktop,’ like XGL/Compiz or AIGLX/Beryl. It goes beyond the static and unexciting desktops that most of us are used to and, like the previously mentioned 3D desktops, adds a bit of spice to the mixture. However, in the words of the developers themselves: “This is not a 3D desktop.” Instead of providing cool and arguably useless effects to show off the potential of the Linux desktop and to satisfy our thirst for eye candy, the Metisse project aims to allow researchers to “design and implement innovative window management techniques.” Metisse is currently being used to improve the user’s experience and increase their productivity: the copy-and-paste video shows one such example. While it could be argued that this feature could have been implemented in Beryl or Compiz, this is just one way in which Metisse’s developers are changing the way people use their desktops, for the better. It also differs in that it (apparently) runs as a secondary X server rather than on a modified one (such as in XGL’s case) or a patched one (like AIGLX) - I shall have to verify this though.

User Interface Façades are another example of what Metisse might allow: users will be able to radically customise the environment of many of their favourite applications to suit their needs, placing their most used functions or features in an appropriate and accessible place. As you can see, each feature of the Metisse project is a step towards the revolutionisation of the desktop experience.

Mandriva has always been one of the main newbie distros, focusing on ease-of-use and a complete environment. Why, then, would the team choose to integrate Metisse into one of their 2007 releases (available from one of their mirrors)? According to them, it’s because Metisse “differs from a classic 3D desktop (“the cube”) in the way that it offers innovative windows interactions, thus enforcing work efficiency.” Mandriva recognise that Metisse could revolutionise the way users interact with the operating system and they’re enjoying the head-start. Let’s hope that any bugs get ironed out and that more excellent, intuitive and new features appear ;)

I plan to test out the Metisse release of Mandriva later today, so keep your heads up for a review. But, in the meantime, check out the Metisse videos!

The Problem With PHP Application Security

January 13, 2007 on 9:40 pm | In Security, PHP | 7 Comments

PHP application security and the vulnerabilities which are often found in PHP apps have already been discussed at length. PHP is a great language, but it suffers in that it provides no simple method of escaping special characters when handling input and thus leaves many budding programmers’ web applications vulnerable to remote file inclusion (RFI) exploits, Cross Site Scripting (XSS), SQL injection and a host of other remote exploitation techniques which may allow the attacker to steal confidential data (such as clients’ credit card details), disrupt services and cause many other problems. These techniques allow the attackers to use the web application to do things it was not originally designed for.

The programmer in question can be blamed to a certain extent for not reading up on how to secure their web application, but the problem is that many new programmers are not aware of the fact that they need to escape and clean the data they receive from the application’s inputs in order to stop it from doing what it was not designed to do. They are probably unaware that such types of attacks exist anyway. However, PHP provides limited, complex and slightly obscure functions to secure input handling which are usually insufficient and lack the functionality required to prevent certain attacks. Worse still, many books and tutorials written to teach people with no previous experience how to code in PHP usually omit secure data handling techniques or tips, and provide examples throughout the book/tutorial which are vulnerable to the attacks mentioned above! This is irresponsible on the authors’ behalf: it’s no wonder that PHP application vulnerabilities accounted for 43% of the security issues found in 2006.

However, all hope is not lost. The Open Web Application Security Project (OWASP) have produced a set of PHP filters which allow the newest of PHP programmers to secure their input data handling methods. Doing so is as simple as downloading the filters, including them in the web app (with a command such as require_once('sanitize.inc.php')), storing the input into a variable and then sanitizing the data as shown on the project’s homepage.

It would be better if the PHP developers added functions such as OWASP’s PHP filters into the PHP code itself and if the authors of PHP instruction material added sections on securing input handling, but these filters are far better than nothing ;)
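
The three flaw classes named in this post, handled with functions built into PHP; this is an added example, not code from the original post, and it does not use the OWASP filters. The page names, table and input values are constructed for illustration, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Constructed inputs standing in for $_GET values (illustrative only).
$input = [
    'page' => 'http://example.invalid/remote.txt',  // remote file inclusion attempt
    'name' => '<script>alert(1)</script>',          // XSS attempt
    'user' => "x' OR '1'='1",                       // SQL injection attempt
];

// RFI: request data never reaches include/require directly.
// It is only used as a key into a fixed allow-list (hypothetical file names).
function resolve_page(string $requested): string
{
    $pages = ['home' => 'home.php', 'about' => 'about.php'];
    return $pages[$requested] ?? $pages['home'];
}

// XSS: escape at output time, for the HTML body/attribute context.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL injection: the value is bound as a parameter, never concatenated
// into the statement text.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory database with constructed rows so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

echo 'include target: ', resolve_page($input['page']), "\n";
echo 'escaped output: ', html($input['name']), "\n";
echo 'rows for hostile input: ', count(find_user($db, $input['user'])), "\n";
echo 'rows for alice: ', count(find_user($db, 'alice')), "\n";
```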

Breathing Life Back Into HyperGet

January 12, 2007 on 9:18 pm | In Linux, Ubuntu, Programming | 2 Comments

Some of you may have heard of a project I started over a year ago called HyperGet. What you may not know is that it died in the cold of January 2005 - all but two developers lost contact with the rest of the team (and have not replied since), and the project lost its direction completely as the Lead Developer was one of those who left. However, against all odds, it’s under development again and we’re hoping to release v0.1 (with fairly minimal features) in a few weeks’ time. The description on the project’s homepage is a little out of date, as its functionality has changed, as has the way in which Xiro (the application which downloads the files) interacts with the PC without internet access. How has it changed? Well, just before the project died, I contacted the excellent developers of Synaptic and the Lead Developer agreed to consider implementing Fido (the package management and dependency resolving part) once v0.1 of Xiro was out. Whether the Synaptic team still want to implement Fido I don’t know, but I’m keeping my fingers crossed! It has been a year since we were last in touch, after all.

Although the LSB Packaging group is working hard to produce a universal package format to make it easier for third-party developers to distribute packages, I suspect it shall be at least another few months (if not longer) until such a package format and its related management system appear and are implemented by most Linux distributions. So, HyperGet will be safe until then - and, after that, we may even be able to alter HyperGet to work with that package format instead of the current .deb, although that will depend on the specification of the package format and management system (i.e. how dependencies are handled) that the LSB create.

And, before I finish, I must give my thanks to llama love (now HyperGet’s Lead Developer) for inspiring me and for working so diligently on our project. Keep up the great work ;)

Back To School

January 11, 2007 on 10:57 pm | In Hyperactive | 1 Comment

Yes, it’s that time of year again. You’re forced to return to a place you hate to learn subjects that do not interest you but which you must take to secure (hah!) a good future. Bah. Mais c’est la vie, unfortunately.

As if returning to boarding school is not bad enough, I sat two AS (Advanced Subsidiary) level French modules yesterday, which is approximately a year and a half earlier than most other people taking French A level will sit them. I’m not going to comment on how they went (I never do) - I’m just hoping for the best :P

Despite not posting much over Christmas because the majority of my free time was taken up by Project X, I fear that I may post even less now that I have returned to school. However, I will do my best to get two or three articles out a week just to keep my readers happy! ;)

Ext4 And Samba 4 News

January 4, 2007 on 8:12 pm | In Linux | 2 Comments

Did you know that ext4 is going to be a 48-bit filesystem which supports extents, or that Samba 4 aims to be a complete Open Source Active Directory (AD) replacement? Yes, that’s right, Samba 4 aims to handle network authentication, file and print services and be as scalable as AD. If you didn’t (and I didn’t until recently) and would like to find out more about these new features, this article on Enterprise Networking Planet may interest you.

Happy New Year!

January 1, 2007 on 6:39 pm | In Hyperactive | No Comments

Dear one and all,

I wish you a very happy New Year and may 2007 be an even better year than 2006 for you, your family and Open Source software (especially Linux). ;)
