THE OPEN PITT
What's cooking in Linux and Open Source in Western Pennsylvania
===========================================================================
Issue 22                                                        March 2006
www.wplug.org
===========================================================================

In this issue:
  Security through Obscurity
  Book Review: Producing Open Source Software
  February Roundup
  Links of the Month

---------------------------------------------------------------------------

Coming Events

Mar. 11: General User Meeting, Topic: Database Administration.
         10am to 2pm, 3002 Newell-Simon Hall, CMU
Apr. 1:  General User Meeting, Topic: Linux on PowerPC.
         10am to 2pm, 3002 Newell-Simon Hall, CMU
Apr. 29: Special Presentation, Topic: Virtualization with Bob Good of
         VMware. 10am to 2pm, 3305 Newell-Simon Hall, CMU

The public is welcome at all events

---------------------------------------------------------------------------

Security through Obscurity
by Bill Moran

Most computer people with any networking experience will tell you that
"security through obscurity is no security at all." What does this mean?

On the surface, it seems rather silly. After all, the most common security
mechanism is to password-protect the computer, and then hide (obscure) the
password from anyone who doesn't need access. Obviously, this isn't what
the phrase means.

It usually refers to any attempt to hide an insecure system as a substitute
for securing it. Some examples include moving a telnet server to an unusual
port and teaching your web server to lie about its version number. In both
cases these are workarounds, and lousy ones. You're better off replacing
telnet with the encryption-using ssh, and updating your web server instead
of continuing to use one with vulnerabilities.

The fact remains, however, that these "obscurity" techniques do provide
some measure of security. Why the saying, then?

Security works best when deployed in layers. Imagine someone is shooting a
pistol at you.
If you hold up a single sheet of paper in the bullet's path, it's not
likely to be of much help. A phone book, however, might just save your
life, yet the phone book is nothing more than hundreds of those flimsy
sheets of paper.

Security is the same way. If moving telnet to an obscure port is your only
method of security, you're doing the equivalent of holding up a sheet of
paper to stop a bullet. On the other hand, moving your ssh server to an
obscure port, if done in conjunction with other good security practices,
is like adding another sheet of paper to an already thick phone book.

The rule against security through obscurity is the result of people trying
to find a workaround that avoided fixing the real cause of the
vulnerability. Perhaps a better phrasing would be "merely obscuring
security holes does not improve security."

Bill Moran is WPLUG's Chair.

---------------------------------------------------------------------------

Book Review: Producing Open Source Software
by Patrick Wagstrom

Author: Karl Fogel
Publisher: O'Reilly Media
ISBN: 0596007590
$24.95, 302 pages, 2005

The processes and best practices of developing Open Source software can
seem obvious to seasoned veterans while simultaneously being cryptic and
confusing to newcomers. Traditionally, the best way to learn and understand
them was to spend considerable time working on a project, slowly being
brought up to date and more into the fold. While this works well for some
projects, it presents difficulties for others.

_Producing Open Source Software_, written by one of the primary authors of
the Subversion version control system, attempts to unravel this process for
both new contributors and old pros just the same. Each of its nine chapters
examines a different issue that successful Open Source projects must
address.

The first three chapters address the landscape of Open Source software and
how to get started running an Open Source project.
The author highlights the dual needs of Open Source software at the early
stages: acquiring users and acquiring developers. Without these two
elements, your project is doomed. To meet these goals, it is important to
survey the landscape and ensure that your project will be useful and will
not duplicate an existing Open Source project--a factor that could limit
the number of users and developers willing to participate.

After this brief introduction, the book covers topics such as money, social
infrastructure, communication, and licenses. Also included are the nuts and
bolts of packaging and daily development. At the end, several useful
appendices list different version control systems and bug trackers, amongst
other things. The author tries hard throughout the book not to overly bias
the reader in one direction or another. Even during the discussion of
version control systems, where he has a vested interest, he objectively
points out the advantages and disadvantages of each one.

One of the biggest issues that Fogel addresses is communication in Open
Source projects. He makes it very clear that Open Source development is not
something that can be done in a cave. Rather, at all times you must be
aware of how you are communicating. Beginning with several tips on creating
useful web pages for people to download your project, and then moving to
complex topics such as how to handle difficult people on mailing lists, the
advice seems pointed and helpful. Despite the fact that it may be easier to
assume knowledge on the part of users, or take a conversation private to
avoid conflict, he stresses the need to take the time to accurately
document decisions and discussions on a mailing list. This allows users to
find the material much more easily in the future.

While _Producing Open Source Software_ covers lots of ground and was
thought-provoking regarding issues Open Source developers face, it still
had a few shortcomings.
The author tries to address everyone, from a college student looking to
pick up some skills in his spare time, to corporate behemoths like IBM and
Sun. In doing so, there are many parts of the book that may seem overly
simplified or simply irrelevant to some. However, this attribute can also
be a blessing because it results in a book that you can easily give to your
company CIO, boss, friend, or even a relative who just started college.

As an academic researching Open Source software, I've been to many
conferences where people who claimed to be studying how it works just
didn't get it--instead believing that the world operates just as Eric
Raymond described it in _The Cathedral and the Bazaar._ Often I wished that
I could point them to a book that described the actual process of Open
Source development today, rather than a grandiose philosophical vision of
it. While it's not perfect, _Producing Open Source Software_ comes the
closest to that goal of anything that I've found and is a welcome addition
to my library.

More information on the book can be found at the web site .

Patrick Wagstrom is a Ph.D. candidate at Carnegie Mellon University
researching communication and collaboration in Open Source development. He
has been using Linux since 1994.

---------------------------------------------------------------------------

February Roundup

Feb. 4 General User Meeting: This meeting was termed "Linux Demo Day" with
the express purpose of introducing new users to the world of computers
running on Linux. Vance Kochenderfer began with an overview of how a Linux
system goes together. Office applications--including word processing,
presentations, e-mail, calendaring, and instant messaging--were shown off
by Beth Lynn Eicher. Mike Hansell followed up by firing up some Linux
games.
And David Ostroske rounded things out by demonstrating typical home uses
such as web browsing with Firefox (and its many feature-adding extensions),
playing Internet streaming audio, and managing files.

Feb. 11 Tutorial: Continuing the new user theme, Beth Lynn Eicher presented
her Linux Basics Tutorial. Packed into less than three hours were a wide
range of subjects like selecting a Linux distribution, finding support,
installing and updating software, basic system administration commands,
and keeping your system secure. A PDF version of her slides is available
at .

---------------------------------------------------------------------------

Links of the Month
by Michael P. O'Connor

This month I am going to look at a few Open Source news sites.

Several sites collect together links to news stories on other sites. First
up is which as you might guess focuses mainly on Linux. So does Mad
Penguin ; it also contains some original reviews and interviews. Links to
news about all operating systems, plus features, interviews, and
editorials are found at .

To stay current on the new releases of all the Linux and BSD
distributions, has you covered. The Distrowatch Weekly column is an easy
way to keep up.

Two sites which feature a lot of their own original reporting on issues
related to Open Source are and . To get news oriented toward the use of
Linux as a desktop operating system, try .

On the more technical side, Linux Weekly News gives a lot of information
on development activity. If you want to focus specifically on Open Source
kernels, is a perfect choice.

Be sure to send in any suggestions to me at . Till next month, enjoy these
links!

===========================================================================
The Open Pitt is published by the Western Pennsylvania Linux Users Group
Editors: Elwin Green, Vance Kochenderfer
Copyright 2006 Western Pennsylvania Linux Users Group.
Any article in this newsletter may be reprinted elsewhere in any medium, provided it is not changed and attribution is given to the author and WPLUG.