Computerworld Blogs

Computerworld have set up a dedicated blogging area on their site at Computerworld blogs.

There are a few of us there, all dedicated to blogging on different news stories in a range of different areas and topics. You can read my blog at the dedicated Martin MC Brown Computerworld blog.

Alternatively, you can subscribe to my dedicated RSS feed.

You can see that we’ve been populating it over the last week or so; there are already blog posts from me, and others, about a variety of topics.

Please feel free to read and comment, either there or here, and let me know how I’m getting on.

FOSS Anniversaries

In the last LinuxWorld article I wrote for the magazine I talked about FOSS anniversaries, mostly because a number of important projects turned into double figures, and yet most people let it pass them by.

Talk to young programmers and developers today and you’d be fooled into thinking that free/open source software (FOSS) was a relatively new invention. Those crusty old folk among us (myself included, born in that prehistoric era of the early ’70s) know that it goes back a little further than that.

Many of us become dewy-eyed about our memories of Linux when it first came out - or the first Red Hat release. In fact, many of the FOSS projects that we take for granted today are a heck of a lot older than people realize.

And my final request:

To try and redress the balance I’m starting a FOSS anniversaries project. Initially it’s going to be held on my personal blog at http://mcslp.com - click on the FOSS Anniversaries link to go to the page. If I get enough interest, I’ll consider improving on it and moving it elsewhere. Until then, if you’ve got some additions or corrections, use the contact form to let me know.

Here is the FOSS Anniversaries page, which is on this site. If you want me to update anything, use the Contact page.

Session Tracking With Apache

My new piece on how to track user sessions on your website with Apache is available on ServerWatch.com. Here’s an excerpt:

Using HTTP logs to track the users who visit your site isn’t always as useful as you think it’s going to be. While metrics like the total number of page hits and, within that, page hits over time or from a specific IP address are easy to identify, they don’t always tell you how people are viewing your site or answer specific questions the marketing department may pose.

This article looks at how to track progress through a site using an Apache module and provides answers to some of the more complex marketing-led questions that may be posed.

Read on for the rest of the article.

Kyle Rankin, Knoppix Hacks

Knoppix is not just another Linux distribution. Unlike many Linux alternatives, Knoppix doesn’t need to be installed; everything runs from a CD (called a ‘Live CD’ distribution). While Live CDs aren’t unique to Knoppix, it is the way the Knoppix CD is packaged that makes the difference. Knoppix includes intelligent hardware detection – it can automatically identify nearly everything on your machine and then make the best of it – and the CD includes a wide selection of programs, from typical Linux applications through to repair utilities and tools.

I talked to Kyle Rankin, author of Knoppix Hacks, about how the book idea was formed, how he chose the contents and some of the things you can do with Knoppix.

OK - I can’t make up my mind whether I’ve fallen in love with Knoppix or the Knoppix Hacks book. What led to the production of this book?

A friend of mine who works at O’Reilly heard that they were looking for someone to do a Knoppix book for them. Not too long before he had seen me use Knoppix at an installfest to resize someone’s Windows partition and set up Debian in a relatively short amount of time. He approached me with the news and encouraged me to send them a book proposal. I had never written a book before, but I personally used Knoppix a lot, especially as a recovery tool. I thought a Hacks book applied to Knoppix was a great idea so I started jotting down ideas and submitted a formal proposal for the book that was accepted. Add months of furious writing and Knoppix Hacks was born. I started the book liking Knoppix and finished the book absolutely loving it.

What impressed me most is the range and usefulness of the hacks - I immediately felt like trying them out, even if I didn’t want to image my partition. How did you pick the hacks that made it into the book?

Thanks. When writing the book, I realized that you could organize the ways that people use Knoppix into a few general categories: desktop use, a Linux installer, a systems administrator tool, a rescue CD, and as a platform to create your own live CD. We had a discussion about whether to make the book mostly focused on more advanced topics like system recovery, sysadmin hacks, and remastering, but decided that since Knoppix was used by all sorts of people at many different skill levels, it made more sense to represent all of the different types of use in different chapters. In particular, when I wrote the Linux and Windows repair chapters, I tried to think of all of the different recovery scenarios that I have found myself in, and how I used Knoppix to fix it. My goal was to create a list of common recovery steps that a sysadmin in a jam would reach for before anything else. Along the way I discovered some really clever recovery techniques you could use Knoppix for that I hadn’t known about previously (like Windows registry hacking).

Knoppix is obviously a practical way to do a great many things; can it also be used as a general desktop OS?

Knoppix was actually originally created just to be a portable Linux distribution for Klaus Knopper to take with him to different computers. From the very beginning it was intended first and foremost to be a desktop OS. The excellent hardware detection makes it much easier to take the CD from computer to computer, and there are a number of scripts in place that allow you to keep your settings no matter what computer you are in front of.

What do you do about user storage? Can I use a USB key for example?

Yes, you can use basically any writable media you might have (that Knoppix can detect) to store user files including floppy drives, hard drives on the system, and USB keys. There are a few different scripts included with Knoppix that automate the process of storing data to writable media so it’s really just a matter of a few clicks to save settings. Then you just use a cheat code when you boot Knoppix to tell it to restore your settings the next time you boot.

Staying on the topic of alternative storage mediums, is it possible to use Knoppix on DVD, USB Key or smaller storage mediums, like Compact Flash?

Knoppix can be remastered and used on a DVD and in fact there are a few Knoppix variants that have done just this. In fact, Klaus Knopper has announced his intention to start shipping a formal DVD version of Knoppix as soon as this summer. Knoppix is pretty large, so the process of stripping it down to smaller media such as a USB key or flash drive can be difficult. Luckily there already are a number of other distributions such as Feather Linux that make it easy to set up and use on a USB key.

Is there any reason why I shouldn’t simply write my Knoppix image to my hard disk and never use the CD ever again?

A number of people have installed Knoppix to a hard drive as a permanent solution over the years, and in fact there is a nice GUI that automates the process. However, Knoppix was designed to be run from CD-ROM and Klaus mixes packages from a number of different Debian repositories. This can make upgrading in the future quite a headache so I generally recommend people to immediately dist-upgrade to Debian Sid if they install Knoppix (and I include a hack in the book that talks about how to do this). Alternatively there are other distributions that make Debian easy to install like Ubuntu and Kanotix that are also much easier to upgrade.

Some of the tools represent what can only be classed as an administrator’s dream. Image partitioning, copying and repair tools are all on the Knoppix CD. Could you tell us a little more about these hacks and how they can be exploited?

It’s actually pretty amazing how many different administrator tools Knoppix includes. Some of the things that really surprised me were the complete Apache and BIND servers that were included on the CD so in a pinch you could set up a number of different emergency servers. A friend of mine actually used this idea when a webserver of his was hacked into. He needed to be able to serve the pages while not having the server actually be up and running, so he booted Knoppix and served the web pages directly from its Apache server. It’s especially interesting to introduce Knoppix to a systems administrator who is mostly used to proprietary (and often expensive) Windows admin tools. You can use dd or partimage to image disks locally or over the network, you can graphically resize partitions on the fly with QTParted, you can scan systems for viruses and rootkits, perform forensics scanning, wipe hard drives, plus a number of other things all from this single free CD. Also, Knoppix makes for a great sanity check when you suspect hardware is bad. You can not only test the RAM, but you can also test hardware from the CD.

The Knoppix idea seems so obvious - does it surprise you that it’s a relatively recent invention?

Over time there have been a number of different rescue floppies and CDs like tomsrtbt and the old LinuxCare bootable business card, but what continues to surprise me with Knoppix is just how incredibly flexible and useful the CD is. You can use it to demo Linux to a newcomer, fix a broken Windows system, and scan a Linux server for rootkits all from the same CD. There are hundreds of different Live CDs out there, many based on Knoppix, but I’ve found that I keep coming back to Knoppix for day-to-day use just because of how flexible it is.

I’m hoping you have a Knoppix Hacks Volume 2 in the works?

Well, I have actually recently finished a Knoppix Pocket Reference for O’Reilly that should be out in July. As the name indicates it is much more referential and even though it is small, covers a lot of ground that Knoppix Hacks didn’t cover while containing a lot of the sort of Knoppix tips you’d want to carry around in your pocket. As far as a second edition of Knoppix Hacks, Knoppix continues to add interesting functionality (for instance, I can think of a number of really powerful Hacks you can do just with the new UnionFS system in 3.8) so a second edition is a possibility but nothing is officially planned or anything.

Obviously MacGyver is a favourite, but is there anything else you like to watch when relaxing?

What is this ‘relaxing’ you speak of? Actually when I’m not working or writing, I like to watch the Daily Show and have been a long time fan of the Simpsons. I’ve noticed my wife and I have been watching more movies these days than TV shows (probably Netflix has something to do with that). Any remaining free time I have seems to be absorbed by IRC.

Kyle Rankin Bio

Kyle is a system administrator for The Green Sheet, Inc., the current president of the North Bay Linux Users Group, and the author of Knoppix Hacks. Kyle has been using Linux in one form or another since early 1998. In his free time he does pretty much the same thing he does at work–works with Linux.

David Sklar, Essential PHP Tools: Modules, Extensions, and Accelerators

PHP is a popular web development/deployment platform and you can get even more out of the platform by using the extensions and tools available on the web to extend PHP’s capabilities. I talk to David Sklar, author of Essential PHP, about his new book and PHP development.

Why do you use PHP?

It’s proven itself to be a flexible and capable solution for building lots of web applications. I’m a big fan of the "use the right tool for the job" philosophy. PHP isn’t the right tool for every job, but when you need to build a dynamic web app, it’s hard to beat.

Could you tell me what guided your thoughts on the solutions you feature in the book?

They’re solutions to problems I’ve needed to solve. Code reuse is a wonderful thing and PEAR makes it easy. It’s a frustrating waste of time to write code that does boring stuff like populate form fields with appropriately escaped user input when you’re redisplaying a form because of an error. HTML_QuickForm does it for you. The Auth module transparently accommodates many different kinds of data stores for authentication information. One project might require a database, another an LDAP server. With PEAR Auth, the only difference between the two would be one or two lines of configuration for Auth.

Do you think PHP provides a richer environment for Web publishing than, say, Perl or Python?

I don’t know much about Python, so I can’t compare it with PHP. I know a moderate amount about Perl, so I can (moderately) compare it with Perl. (And if those caveats aren’t enough, I’ll also add that "environment" is a loaded term — I suppose it could encompass not just the functions and libraries in a language, but IDEs, debugging and deployment tools, and so on.)

The big difference for me, when it comes to web development, between PHP and Perl is that the PHP interpreter assumes that a given program is going to be generating a web page (unless you tell it otherwise), while the Perl interpreter assumes (again, unless you tell it otherwise) that a given program is going to read a bunch of stuff from standard in, mess with it, and print it to standard out.

In PHP, you don’t have to do anything special to access form, cookie, and URL variables — they’re in the auto-global arrays $_POST, $_COOKIE, and $_GET. Similarly, HTTP headers are in $_SERVER. The PHP interpreter emits a Content-Type: text/html header unless you tell it to do something else. In Perl, you have to go through some rigamarole (admittedly, just a little bit of rigamarole) to do that web-centric set up.

(The flip of this, of course, is that if you want to write a program in PHP to munge files, you have to do more work than in Perl.)

Perl is a great programming language and you can use it to solve web programming problems quite capably. So is PHP.

You seem to be a fan of Web Services, do you see them as simply a useful tool, or a more serious way of providing services over the web?

Like many things, promise_of("Web Services") > current_usefulness("Web Services"). A lot of the neat stuff about SOAP – automatically generating WSDL from classes and encoding and decoding complex data types – is more difficult in PHP because of PHP’s loosey-goosey type system. Nevertheless, I think SOAP can be great in situations where you need custom data types and you have sharp separations between the folks who implement and maintain the functionality being exposed by SOAP and the folks who use those functions. When you have control over both ends of the conversation, or don’t need to encapsulate such complicated relationships in your data structure, XMLRPC or just a homegrown RESTful interface is fine.

Security is a vital part of web programming, particularly when working with forms and other data. Any tips?

htmlspecialchars(): encode external input with htmlspecialchars() or htmlentities() before printing it to avoid cross-site scripting and cross-site request forgery attacks. Not doing this is probably the most widely committed PHP (and web application development) security error.

Similarly, encode external input before putting it into your database. PEAR DB’s placeholders do this for you automatically, which is a great convenience. Each database extension has its own function for doing this, and there’s the generic addslashes() function as well.

In the larger security scheme of things, I would also encourage developers to think of security as a process, not as an end state. The place you want to get to is not that your application is "secure," but that it is "secure enough." The specific definition of "secure enough" depends on how much time and money you have, what kind of data your application is dealing with, and what the consequences are if something goes wrong.

There are, certainly, some security-related practices that are so easy to implement and so catastrophic if you don’t (like escaping external input before printing it or putting it into the database) that you should always do them. But thinking about security means evaluating tradeoffs.

You cover a number of different code caching solutions, how much time can you really save using these systems?

The benchmarks in the book indicate about a 280% speedup. The specific speedup you get varies with your application’s behavior, so I’d advise anyone considering code caches to test them with an actual application you’re going to use. It’s a really easy way to get a performance boost, though, since you don’t have to edit any of your code – just install the code cache, restart your web server, and you’re all done.

Do you have a favourite PHP tool?

That’s a tough question. My favorite PHP function is strtotime() but I don’t know if that qualifies as a tool. I like the XDebug extension a lot. I do most of my coding in XEmacs but I’ve started to play around with IDEs like the Zend Studio and Komodo, so one of those might become my favorite tool sometime soon.

Your preferred platform for PHP deployment?

Apache 1.3 running on Linux. It’s stable, flexible, and you can’t beat the price tag.

Any thoughts on PHP5 you’d like to share with our readers?

If you’ve never used PHP before, now is the time to start! With PHP5, you get all of the great things about PHP 4 — comprehensive function library, incredibly easy deployment of web applications, connectivity to lots of different database programs. Plus, you get all of the goodies that the new version brings: robust Object Oriented programming support, revamped XML processing that makes it a snap to parse simple XML documents and gives you the full DOM API when you need to do XML heavy lifting, and bells and whistles like exceptions, iterators, and interfaces.

What advice would you give to anybody considering PHP as their development platform?

Make a personal or hobby project your first PHP application, something like keeping track of your books or CDs, a personal URL bookmark database, or league statistics for your kids’ soccer games. Your first app isn’t going to be perfect. It will have security problems, it won’t be as fast as it could be, the database schema won’t be optimized and so on. But that’s fine. Just get a feel for what PHP can do. Make your second project the one that matters for your job or whomever else is counting on you.

What made you start up PX?

It was definitely a case of scratching one’s own itch. When I started it, there weren’t a lot of places to look for code that someone else had written in PHP to solve a certain problem. The site gets very steady usage — it’s nice to see folks continuing to turn to it for solutions.

It’s nice to see another IT-savvy cook, do you have a particular culinary speciality?

I’m flattered that you called me an "IT-savvy cook" instead of a "cooking-savvy programmer"! I recently got a slow cooker, so I’ve been trying lots of new things in that. I also like baking and making desserts: even if something goes wrong so that the results are not cosmetically perfect, they still taste good.

David Sklar Bio

David Sklar is an independent consultant specializing in technical training, software development, and strategic planning. He is the author of Learning PHP 5 (O’Reilly), Essential PHP Tools (Apress), and PHP Cookbook (O’Reilly).

After discovering PHP as a solution to his web programming needs in 1996, he created the PX (http://px.sklar.com), which enables PHP users to exchange programs. Since then, he has continued to rely on PHP for personal and professional projects.

David is an instructor at the New School University and has spoken at many conferences, including the O’Reilly Open Source Conference, the EGovOS Open Source/Open Standards Conference, and the International PHP Conference.

When away from the computer, David eats mini-donuts, plays records, and likes to cook. He lives in New York City and has a degree in Computer Science from Yale University.

Tony Mobily, Hardening Apache

It is the administration task we love to hate: securing a website. Apache forms the backbone of most websites so it makes sense to start there. In Hardening Apache, Tony Mobily does just that, starting with the basics of creating a secure Apache installation and moving on to more in-depth techniques for securing Apache installations from attack. Let’s see what Tony has to say when I talk to him about his new book and how to approach security, Apache and otherwise.

One of the key elements I get from your book is the back to basics approach. For example, I know a lot of companies with extensive login systems that leave their server room doors wide open. Do you think it’s best to work from the inside out or the outside in when setting up security?

I believe that you always need to get the right person for the job. For example, if you need to re-tile your bathroom, you don’t call a wood worker. It’s the same with computer security; "physical" security (e.g. preventing people from breaking in) and "logical" security (preventing crackers and script kiddies from using your servers and resources) are very different things which require very different skills and training.

In this field - in fact, in any field - improvisation is just not an option.

If a company asked me to secure their physical network, I would redirect them to Steve, a friend of mine who does just that. Steve tells me amazing stories of sniffing packets by just placing a device next to the cable, for example, or other stories which I would see nicely in a James Bond movie rather than real life.

Even "logical" security branches out! I wouldn’t be able to audit the source code of a complex program, for example.
The problem is that even though improvisation shouldn’t be an option, it still happens. When a manager installs updates on a Unix system, or (worse) a service pack on a Windows machine, he is improvising and putting his systems at risk - full stop.

To go back to the question, security is a problem that has to be faced as a whole. To connect to the example I made earlier, a good physical design will prevent problems such as random people getting too close to a network cable and sniffing packets, or people accessing the servers’ consoles. On the other hand, a good logical design will mean that any piece of information will be encrypted, and if intruders did manage to access the cable, they won’t be able to do anything with the collected information.

Apache 1.3.x or Apache 2.x?

For me, there is no doubt: Apache 2.x.
It’s not just a matter of wanting to use the latest piece of software at any cost.

The problem with security is that often you are tied to the Apache version you are using. For example, if you use Apache 1.3.x for long enough on a complex web site, eventually you will be using a number of modules which are only available on Apache 1.3.x. In this common situation, upgrading to Apache 2.x can be really hard and might even require redesigning some parts of your web sites in order to use different technologies. The longer you leave it, the harder it will be to actually upgrade.

The problem is that eventually, you will have to upgrade because the 1.3.x branch of Apache will no longer be supported and patched anymore. It might not be soon, but it will happen. A lazy system administrator, at that point, will find himself (or herself) with an unpatchable system and, what’s worse, he or she won’t be able to upgrade without majorly disrupting the hosted web sites.

You make good use of the warnings and notifications made by sites like CVE and ApacheWeek. Are these sites that Apache administrators should be checking regularly?

Yes, absolutely.
Checking sites like ApacheWeek is both necessary and boring. I think there is also fear - sometimes you are just about to go on holiday or go home, and you discover that your production server has a security hole as big as a crater, and you urgently need to recompile the whole thing!
These sites are crucial to make sure that system administrators don’t live in their own "little world", and can realize that software is not just something they install on their computers and it works; software changes, evolves, improves, stumbles across problems, and so on.

You use a lot of sample exploits to demonstrate weaknesses. Is it worth creating a tool-kit for checking these exploits against your site?

Writing such a tool-kit is a good idea in theory. In practice, however, there isn’t really much point because you know that if you upgrade your Apache server when you need to, then the security problems will be fixed.

What would you say was the weakest part, security-wise, of most websites?

That’s a hard question! It took me a while to work out what the most sensible answer is: the weakest part is the lack of maintenance and upgrade.
The problem is that keeping a system updated is hard work. If you manage 40, 50, or 150 Unix systems, then keeping up with all of them does require a whole lot of skills, because at that point the shell is just not good enough. You need to use something like CFEngine to configure them, and other automated tools to keep an eye on their security.

Here is an example: I have my own server, where I host my personal web site, my friends’ email, their small sites and so on.
I receive my email from LogWatch every day.

Today, it read:

**Unmatched Entries**
Illegal user patrick from 161.53.202.3
Illegal user patrick from 161.53.202.3
Illegal user rolo from 161.53.202.3
[…]
Illegal user john from 161.53.202.3
Illegal user test from 161.53.202.3
Illegal user merc from 151.31.36.81

Normally, I would run whois, find out who manages those networks, and report these attempts. Well, today I simply didn’t have the time. I am writing this answer on a train to London. Tomorrow I will be in Brunei, and in three days I will be back to Perth. My Internet connection is expensive and erratic. So here I am, Mr. 161.53.202.3 tried to attack me and he won’t be reported. And that’s only one person (me) with only one server!

Do you advocate the use of ‘cracker’ tools for testing?

That’s another tough one.

Well, I don’t advocate the /use/ of such tools. However, I am strongly against making these tools illegal.

Crackers and script kiddies, at the end of the day, are our friends (!). If you compared the Internet to a living organism, they are like those nasty (biological) viruses which occasionally knock you down and give you a tremendous sore throat, but are necessary to keep your body alert and your antibodies "trained". Also, if you catch a cold you can’t blame it completely on the virus - you’ve got to wonder if your body is healthy.

I believe it’s the same with the Internet: crackers will randomly try and get into your system (literally!). You have to make sure your defences are strong enough and well organized, so that when that happens you are prepared.

Some big companies won’t accept that. They will try to make tools such as Nexus illegal. Why? Maybe because they think that if such tools are not available anymore, then crackers will simply disappear. Or who knows, maybe they would like to sell testing tools to certified companies for a lot of money…

You cover quite a few security modules. Which would you pick, and why, as the best modules?

The best and most useful module in my opinion is mod_dosevasive written by Jonathan A. Zdziarski. I believe Jonathan deserves a monument dedicated to him, also because he wrote DSPAM (which saves my life on a daily basis).

I believe that it should be part of the default Apache installation - in fact, I wonder if the Apache group would.

Tell us what your ‘Apache in Jail’ chapter is all about.

Well, jailing can be extremely complicated, but at the same time it is a very powerful tool against crackers.

Thanks to the system call "chroot()", you can tell a program what the root directory is when it runs. For example, you could run Apache making it believe that the root directory ("/") is "/cage/apache". This means that Apache will not be able to see anything outside "/cage/apache" - which is why you say that it’s "jailed". If a cracker does manage to use a buffer overflow exploit against your server, and get Apache to execute arbitrary commands, there will be nothing in /bin or /sbin to be executed, because /cage/apache/bin and /cage/apache/sbin will be nearly empty!

In my book, I tried to explain how to "jail" Apache step by step, by trying to make the readers aware of why and how everything was done. This deep understanding is necessary, because it is really quite tricky to use more complex software and third party modules on a jailed Apache.

You have some unusual outside interests. How did you end up sharing your life between Apache security with Jazz and Ballet?

At the moment it looks like I have a broken knee and I haven’t danced in ages (2 months), which is very sad. Classical Ballet (I am hopeless at jazz) has become part of me. As you can imagine, I spend a lot of time sitting down in front of a computer. Dancing is my escape: I love classical music, and I love feeling fit. You see, when you are training at ballet, you are a sort of a super-human: you never get tired, you are very flexible, and you generally feel good (and as this is a serious interview, I won’t mention the fun of making six pirouettes suddenly in the middle of the footpath while having a stroll with friends).

It’s funny, because I never considered the two things (computers and dancing) to be in contrast.

Anything in the pipeline?

Well, right now I am working on "Free Software Magazine" (www.freesoftwaremagazine.com), a magazine which concentrates entirely on free software.
It has been amazingly challenging. The first issue (January 2005) required a huge effort from many people, but the result is really rewarding.

Tony Mobily Bio

Tony Mobily is the project coordinator of Free Software Magazine.

When he is not talking about himself in the third person, Tony Mobily, BSc, is an ordinary human being, enjoying his life in the best city in the world: Perth (Western Australia). He is a senior system administrator and security expert, and is knowledgeable in several internet technologies. He loves Linux, Apache, Perl, C, and Bash.

Tony has been in the publishing industry his whole life, starting from the Italian magazine Dev. (he is lucky enough to be bilingual) in 1996.

He is also trained in Classical Ballet (ISTD), and fighting his way through learning hip hop and jazz. He also writes short and long stories, and keeps a blog at http://www.mobily.com.
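Tony's LogWatch excerpt shows why triage by hand does not scale. The following is an added example, not code from the interview or from Hardening Apache: it groups "Illegal user" entries by source address so that a username sweep stands out and a report can be drafted. The function names, the threshold and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same shape as the LogWatch excerpt quoted in the
# interview. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_REPORT = """\
**Unmatched Entries**
Illegal user patrick from 192.0.2.10
Illegal user patrick from 192.0.2.10
Illegal user rolo from 192.0.2.10
[...]
Illegal user john from 192.0.2.10
Illegal user test from 192.0.2.10
Illegal user merc from 198.51.100.7
"""

# The username is attacker-controlled and may itself contain " from x.x.x.x".
# The greedy group makes the regex bind to the LAST " from <ip>" on the line,
# which is the part written by the daemon rather than by the client.
ENTRY = re.compile(r"^Illegal user (?P<user>.+) from (?P<ip>[0-9.]+)$")


def summarise(report, sweep_threshold=3):
    """Group failed logins by source address.

    Returns (summary, skipped). summary maps each address to its attempt
    count, the sorted distinct usernames tried, and a 'sweep' flag that is
    set when at least sweep_threshold different usernames were tried.
    skipped counts non-blank lines that were not valid entries.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    skipped = 0
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if not match:
            skipped += 1
            continue
        try:
            ip = str(ipaddress.IPv4Address(match["ip"]))
        except ValueError:
            skipped += 1  # looks like an address but is not one (e.g. 999.1.1.1)
            continue
        per_ip[ip]["attempts"] += 1
        per_ip[ip]["users"].add(match["user"])

    summary = {}
    for ip, rec in per_ip.items():
        users = sorted(rec["users"])
        summary[ip] = {
            "attempts": rec["attempts"],
            "users": users,
            "sweep": len(users) >= sweep_threshold,
        }
    return summary, skipped


def abuse_report(summary):
    """One line per sweeping source, busiest first, ready to paste into a report."""
    flagged = [(ip, rec) for ip, rec in summary.items() if rec["sweep"]]
    flagged.sort(key=lambda item: item[1]["attempts"], reverse=True)
    return [
        f"{ip}: {rec['attempts']} failed logins, usernames tried: {', '.join(rec['users'])}"
        for ip, rec in flagged
    ]


if __name__ == "__main__":
    result, ignored = summarise(SAMPLE_REPORT)
    for entry in abuse_report(result):
        print(entry)
    print(f"{ignored} line(s) ignored")
```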
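The chroot() jail Tony describes only holds if the process also moves its working directory into the jail and gives up root afterwards. The following is an added example, not code from the interview or from Hardening Apache, and it goes a little beyond the interview by auditing the jail directory first. The function names and the checks chosen are assumptions; only the path /cage/apache comes from the interview.

```python
import os
import stat

JAIL = "/cage/apache"  # jail path used in the interview


def audit_jail(path):
    """Return findings that would weaken a chroot jail rooted at path."""
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"cannot stat jail root: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        return ["jail root is not a directory (symlinks are rejected)"]

    findings = []
    if st.st_uid != 0:
        findings.append("jail root is not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("jail root is writable by group or others")

    # A setuid or setgid file inside the jail hands privileges back to
    # whoever manages to execute it, so none should be present.
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                rel = os.path.relpath(full, path)
                findings.append(f"setuid/setgid file inside jail: {rel}")
    return findings


def list_executables(path):
    """Every executable regular file in the jail: what an intruder could run."""
    found = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                found.append(os.path.relpath(full, path))
    return sorted(found)


def enter_jail(path, uid, gid):
    """chroot into path and drop to an unprivileged uid/gid. Must start as root."""
    if uid == 0 or gid == 0:
        # A process that stays root can leave a chroot again.
        raise ValueError("refusing to stay root inside the jail")
    os.chroot(path)
    os.chdir("/")        # without this the working directory stays outside the jail
    os.setgroups([])     # drop supplementary groups while still privileged
    os.setgid(gid)       # group first: after setuid() it could no longer be changed
    os.setuid(uid)
    try:
        os.setuid(0)     # must fail if the drop was permanent
    except PermissionError:
        return
    raise RuntimeError("privileges were not dropped")


if __name__ == "__main__":
    for finding in audit_jail(JAIL):
        print("finding:", finding)
    for exe in list_executables(JAIL):
        print("executable:", exe)
```

An empty result from list_executables() for bin and sbin is the "nearly empty" state the interview describes; anything listed there should be something the server genuinely needs.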

Matthias Warkus, The Official GNOME 2 Developer’s Guide

Install Linux and the chances are you’ll be given the choice between a GNOME or KDE desktop. GNOME is the better known of the two, but if you want to develop applications that use the GNOME environment where do you start? Well a good place would be Matthias Warkus’ new book, The Official GNOME 2 Developers Guide. I talk to Matthias and ask him about the GNOME system and environment, along with one or two other topics.

Could you describe to us what GNOME is?

GNOME is one of the leading projects developing user-friendly free software. The GNOME community effort includes the GNOME Desktop & Developer Platform, probably the most advanced free desktop environment around, translations, documentation and many third-party applications.

What you actually see on a computer said to be "running GNOME" is a tightly integrated, no-frills desktop system, on par with any commercial offering.

What is the benefit of the GNOME system over more traditional window managers, like Motif?

Actually, neither GNOME nor Motif are window managers, though both include one :)

The difference is so huge it’s hard to decide where to start. Not only is GNOME’s basic GUI technology (GTK+) much more advanced than the Motif toolkit (it can, for example, display right-to-left scripts such as Hebrew or CJK scripts such as Chinese), but the overall goal of the system is much more ambitious. What GNOME is trying to do is to integrate all system components well, and not in the traditional Unix way of providing a default that will work in 90% of all cases, whereas in all other cases, something has to be fixed by hand; GNOME intends to completely and "Just Work" in all supported environments.

You can witness this sort of integration in the new GNOME support for removable media. Whatever you insert or plug into the system, be it a CD, DVD, digital camera or USB stick, it will instantly be recognised and an appropriate window to access it will be opened.

GNOME seems to encompass a lot more than window dressing. Using your book I was able to create quite complex applications with some fairly advanced widgets with less than a hundred lines of code. Is this fairly common of the GNOME environment?

The GTK+ library stack, which sits at the core of GNOME, includes very powerful widgets, such as the file chooser, colour picker etc., but especially the text and tree/column view widgets based on the model-view-controller paradigm.

Other GNOME libraries bring even higher-level functionality. GNOME tries as much as possible to prevent programmers from reinventing the wheel.

You’ve managed to get a good balance in the book between the examples and the reference material. Do you have a favourite example from the book?

I suppose my favourite example would be the GdkPixbuf demo (pp. 132-136), a little thingy that lets you change the scale and saturation of an image with two sliders. I think it’s less than 300 lines, half of which is comments and whitespace. Very neat example, and impressively small in size considering it’s pure C and not something higher-level such as Python or Java.

Could you tell us a bit more about GConf?

GConf is the solution to the recurring problem of where to store and how to sensibly process configuration values. It’s a self-documenting, typesafe database with a tree structure that is usually saved in XML. Applications connect handlers to GConf keys, and any changes to a key, whether from the app itself, another instance of it or an external configuration tool, will at once apply to all running instances. There is a GConf editor to centrally change all system settings. Default settings can be provided and mandatory settings can be enforced centrally, for all users. The new GConf editor includes special administrator functions to do this. This is essential for the large installations where GNOME is getting popular these days: There are organisations rolling out GNOME on several tens of thousands of desktop computers.

I suppose you could call GConf the Windows registry done right. People used to hate central configuration databases because the nightmare that is the Windows registry was the only one they knew. GConf is starting to change that. It’s really a good idea.

I’ll admit to being new to GnomeVFS. Is this something that could be adopted wider amongst the Linux community?

Actually, because GNOME is not Linux-only, it would need to be adopted across a broader set of platforms. Perhaps the people working on cross-desktop standards specifications at freedesktop.org will make this real one day, who knows?

Anyway, GNOME-VFS is a very nice interface to access files in a network-transparent and asynchronous way. I think its performance has improved a lot over the last months, too. Writing a GNOME application, there’s no reason to use the old libc file access functions anymore; using GNOME-VFS, your application will, at no extra cost, be able to process remote files as well as local files.

Your book focuses on the C API. Are there any other alternatives?

GNOME has officially supported language bindings for C++ (making use of all C++ features in the canonical way, unlike, for example, Qt), for Java, Perl and Python. Especially Python is popular as an RAD language; in combination with the Glade user interface builder, you can write productive GNOME applications in no time flat.

Unofficial language bindings exist for many languages, including exotic ones; there are bindings for (at least) C#, D, Eiffel, Erlang, Euphoria, Felix, Gauche, Guile, Haskell, JavaScript, Objective-Caml, Pascal, Pike, PHP, Ruby, Scheme, S-Lang, Smalltalk, Tcl, TOM and XBase, though the degree of support varies widely.

Programming GNOME in C# is becoming popular, and the Ruby bindings do also seem to have some success.

What do you think of KDE?

GNOME would not exist without KDE. Probably free software’s desktop ambitions wouldn’t be as visible as they are today. We all owe a great deal to the KDE project.

Being used to GNOME, most KDE applications look confusing to me. I like GNOME’s philosophy of keeping user interfaces as lean as possible. One example: In the default setting, KDE’s file manager presents so many toolbar, sidebar and status bar icons to me that I instinctively want it to just go away again.

I also like GNOME’s way of keeping the number of distinct user-visible components low by integrating new functionality into existing applications. Work is currently being done on a CD/DVD burning framework that will integrate audio CD burning into the audio player etc.; unlike KDE, we don’t think writing an all-singing, all-dancing Nero clone with four different configuration dialogues, several toolbars and theme-able icons is the way to go. Don’t get me wrong - I seriously love the job they did on the underlying functionality and I use K3B all the time. But I don’t really think the interface is appropriate.

Is there a future for both alternatives, or do you see some kind of merging in the future?

GNOME’s well-integrated, no-nonsense desktop with the excellent Evolution groupware client and several administration and lockdown features seems to be better suited to the large-scale free software desktop deployments we are seeing at the moment than KDE.

I don’t think that KDE will ever go away. Neither will GNOME, for that matter. Some years ago, many KDEers kept telling GNOME to just fold and merge with KDE; I don’t hear this anymore. With different views on how user interfaces should look and work and how functionality should be distributed across the system, there is a place in the world for both.

What’s your favourite cartoon character?

Hard question. I suppose that would be Piro from MegaTokyo, with Warren from Absurd Notions and Cerulean the Dragon from "Why the long face" a close second and third.

What are you working on at the moment?

I’m not really working on any GNOME-related things at the moment. My focus is on getting on with my studies; I’m in my fifth semester of philosophy, sociology and French, and my main activity is to learn ancient Greek, which is taking up much of my spare time.

I intend to review the original German edition of my book for an eventual revised and extended second edition, but it seems it’ll be hard to find a publisher, and I haven’t got the time at the moment anyway. I hope someday I’ll have more time to consecrate to working and writing on GNOME.

Matthias Warkus Bio

Matthias Warkus was born and raised in one of the most rural regions of Germany. He started using Linux out of sheer boredom at the age of sixteen. Shortly afterwards, he got involved with GNOME, first as a translator, later also doing promotional work, holding many GNOME-related talks in Germany. He considers himself to be better at writing than at coding, and thus went on to write the Official GNOME 2 Developer’s Manual. Currently, he is a student of philosophy. When he’s not struggling with lofty theories in class or discussing them with his friends in one of Marburg’s countless pubs, he enjoys reading, writing and playing the piano.

Knoppix Hacks

Knoppix is not just another Linux distribution. Unlike many Linux alternatives, Knoppix doesn’t need to be installed; everything runs from a CD (called a ‘Live CD’ distribution). While Live CDs aren’t unique to Knoppix, it is the way the Knoppix CD is packaged that makes the difference. Knoppix includes intelligent hardware detection – it can automatically identify nearly everything on your machine and then make the best of it – and the CD includes a wide selection of programs, from typical Linux applications through to repair utilities and tools.
In Knoppix Hacks you get 100 tips on using Knoppix, from simply running Knoppix through to customizing your Knoppix installation, repairing Linux and Windows machines using Knoppix, and setting up emergency Knoppix-based routers, file and web servers.
In the same way that Knoppix itself is immensely useful in hundreds of different ways, so is this book.

Knoppix Hacks packs a lot of information into a very small space; the book isn’t quite pocket sized, but it’s the smaller format paperback (slightly wider than the Knoppix CD included inside the back cover) and just 300 pages long. Don’t let this fool you though. The book is organized a bit like an FAQ – although organized for tips, rather than questions and answers. They range from simple two-page guides to running Knoppix up to more extensive multi-page tips on specific topics. The book is grouped into sections, starting with the simple tasks of booting Knoppix and using it as a desktop operating system. We then move on to the real meat of the book: using Knoppix in an emergency. Two final sections then look at more advanced techniques and customizing your own Knoppix CD with your favourite list of software and tools.

The book (and Knoppix) will appeal to a wide range of people. Linux users will appreciate the speed with which you can be running within a Linux environment, on pretty much any machine, using the enclosed CD.
If you use Knoppix as your desktop operating system (and many do, because of its wide support), then the tips in the book will be useful, but you shouldn’t use it as a guide to using Linux. There are tips for desktop users, for example for multimedia playback and browsing the Internet (including a useful guide for mobile GPRS users), but the main focus is definitely on the more expert user and system administrator.
Because Knoppix runs entirely from the CD it makes an ideal solution when you need an emergency system, but don’t have time to install it, or when you want to repair an existing system, and can’t do so using the existing operating system tools. Knoppix Hacks shows you how to use Knoppix to set up a quick server, for example for file sharing or web serving. It also includes extensive details on using Knoppix when repairing both Linux and Windows systems.
There’s a good gamut of topics here. For example, under Linux you can repair Lilo and Grub boot loaders, repair and reconfigure partitions and filesystems, and there are even tips on migrating to new hard drives or RAID volumes. For Windows users there are tips for repairing the bootloader and re-organizing partitions, and even tools and information on editing the Windows registry, NT passwords and downloading patches. Put together, the repair tools alone should get you out of the majority of holes with relative ease.

In the same way that Knoppix itself is immensely useful in hundreds of different ways, so is this book. It is hard not to get hooked on trying different things from the book, even if you don’t really have a direct need for them.
The book’s content and style are easy to use and understand, and each hack is both straightforward and detailed. There’s more than just a quick overview of what needs to be done here; you get side information, background details and dependency information too. If a particular hack needs more than Knoppix (for example, the wardriving example also needs a GPS system and USB to serial adaptor), then information is included on that too.

If there is a downside to the book it’s that it ends just slightly too quickly. Once you start using Knoppix and the tips in the book you want to know how to do more and more. The book’s tone is light and welcoming, and it is so packed with information that it comes as quite a surprise when the book is over.
This is far from a criticism, but I’m certainly hoping for a ‘Knoppix Hacks Volume 2’ in the near future.
