Apple open source software vulnerabilities

Similar Messages

• What happened to the Apple open source software page?

  I have used a lot of the open source software that Apple listed on their website. The address used to be:
  http://www.apple.com/downloads/macosx/unix_open_source/
  But that just directs to a cheesy downloads page with links to app store, etc.
  Does anybody know what happend to this part of the Apple web site? Is it just moved and I'm too dumb to find it? I've tried to search these forums, and the googles, but nothing coherant comes through!

  This is the developer page though, and doesn't contain the wealth of applications that were hosted (and kept up to date). These included GIMP, carbon emacs, etc.
  I realize many of these are available from macports, or even by building from the source in many cases, but some of these programs seem to have been only hosted and updated from this page.

• Huge Hole in Open Source Software Found, Leaves Millions Vulnerable

  Huge Hole in Open Source Software Found, Leaves Millions Vulnerable
  Debian, the Linux variant used largely by security professionals, and Ubuntu, the variant most commonly used by home users are both affected. Furthermore, Windows servers may be compromised as well if they are using keys generated on Linux systems.
  Ironically the bug originated from an automated tool known as Valgrind which is supposed to reduce programming bugs which lead to security vulnerabilities. It found that a block memory was not being properly initialized, meaning that it would contain random information. The automated tool politely inserted code to clean up the block of memory making it all zeros. The only problem was that the system was intentionally using the block's unknown to get randomness to generate the keys. The library also gets randomness from mouse movements, keystroke timings, network packet arrival timings, and even microvariations in hard drive speed.
  The Valgrind code caused errors, so the programmers simply commented out all the code, including the other methods of generating randomness on accident. Only the code which utilized the process ID, an integer ranging from 0 to 32,767, remained to provide randomness. It turns out the "fix" turned grievous error was not the work of the OpenSSL programmers themselves, but of the Debian team, known for their security expertise.
  OpenSSL developer Ben Laurie raged, "Never fix a bug you don't understand! Had Debian [sent the bug to us] in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to 'add value' by getting in between the user of the software and its author."

  firewalker - this was discussed here and on our mailing lists at the time the vulnerability was discovered, approximately two weeks ago. It's always a good idea to search the forum before posting.
  http://bbs.archlinux.org/viewtopic.php?id=48660
  Thread closed.

• Apple Open Source Repository Cloning URL?

  What is the URL for contributing to the Apple Open Source web site's repository?  Please answer this question either here, here at Stack Overflow, or at both places. 

  etresoft wrote:
  RandomDSdevel wrote:
  if Apple doesn't allow contributions to its open-source repository, then why does it even exist?  Open-sourcing should go both ways!  If Apple wants to use old code, then shouldn't it be mirroring a fork?) 
  Sorry, I don't have those answers. Just what are you looking for anyway? Apple's open source repository, such as it is, is pretty much ignored by everyone. Apparently nobody even bothered to look for things like the old "goto fail" bug that sat there in the open for years and essentially disabled all certificate checking on Macs and iOS. I have seen a few people who actually tried to compile something from it. They usually get frustrated pretty quickly. Many of those projects have dependencies on code that isn't public. In theory, that is what you would want to do if you actually wanted to modify some open source product included in OS X so you could get the exact same build settings. In practice, that is virtually impossible. If you want real open source, you aren't going to find it at Apple. And why do you care about Objective-C anyway? Apple just killed it with Swift. It is a dead-end language.
  I'm interested in the Objective-C source code because I was wondering if there might be a way to make something better than today's Objective-C++ with today's C++ (C++11/14/1z, etc., …) in order to fix today's Objective-C++.  I was thinking of calling the project 'Objective-C++ Re:coded' or something like that.  Besides, I'm curious about how Objective-C works and wanted to save it from the dustbin.  If this pans out, somebody might be able to create a version of Swift written in its results! 

• How to Download SAP HANA " R " Open Source software ???

  Hi SAP HANA Experts,
  I had read that it is the open source software from SAP AG.....
  I want to download the SAP HANA " R " Software, Can anyone of you please provide me the link to download it.

  Hello Sekhar,
  As mentioned in SAP HANA R Integration Guide, To compile R, download the R (version 2.15) source package from the R Project for Statistical Computing website.
  R: The R Project for Statistical Computing
  Regards,
  Ning Tong

• Relying on 3rd-Party/Open Source Software for fully functionality in Vi

  Is it just me or are open source software engineers doing a better job than actual Creative software engineers?
  There are several threads linking to 3rd-Party hacks to get the majority of Creative Apps working in Vista. As well as this there are the KXProject Drivers floating around which appear to offer better compatability than the current Creative drivers.
  What's going on Creative? How many Software Engineers do you actually have working for you?
  Why is it, people you don't even pay are making much greater developments and progress in drivers and software for Vista?
  But i guess they're not charging customers to purchase?updates on?CD. I remember when the Audigy was released, instead of offering downloads, Creative actually asked people to buy an updated CD with software and drivers on. Of course we were only?charged for postage, but very expensi've postage nevertheless.Message Edited by AnnoyedCustomer on 03-09-200703:3 PM

  Hi welcome to the forum, I hope you find lots of help here and we look forward to your contributions as well
  In regards to your questions:
  1: No, you just put a swf file on the server
  2. You can host the smaller app on your site and then give them an iframe linking to it
  3. Nope, no problems there
  Hope this helps
  Best regards
  Nikos

• What do you think open source software is missing?

  What do you think open source software is missing? Can be any general gripe, missing tools, missing support, etc.
  I'm waiting for a skype replacement with a windows and linux client. I only use the video and voice functionality.

  @ ngoonee
  [I don't consider it OT, so I write it here - hope that OP doesn't mind]
  Wrt Paul Davis, he seems to get $4-5k/month now so things are looking up a bit for him. Who's to blame if the community isn't able to come up with enough support for it's prime members? Also, there are parts of the world where you can live rather comfortably on $4k/month. You just have to beware of the dragons ;-)
  Open Source is a lot like socialism: work as hard as you can, get as much as you need. In theory, it could work: some would eat 2x the avg but work 5x the avg while others would be the other way round. In practise ... People are lazy, people are evil.
  Why should they pay for sth if they don't have to? Why should they be interested in GNU / Linux? Because it's free? Hey, I've got tons of "free" apps, piracy ahoy! (Or should I say "arrrrr")
  Maybe that's the reason many 'big names' went to work for Microsoft: their dignity didn't allow them to beg for support.

• Making money from Open Source Software

  Hi Guys,
  I'm thinking of committing a cardinal sin and charging for some software I have been writing. Before I am executed by an angry mob (with pitch-forks) I wanted to explain why..
  I want to work with OS Software as my main career. My main aim is to create a company which can help start-up companies with their IT infrastructure. I am developing a system (which uses Arch Linux as the base-OS) which is similar to eBox (but is much more Windows and Mac friendly... including Single Sign On authentication for all clients); so these companies can save thousands (and sometime tens of thousands) of dollars/pounds on licensing and expensive hardware. (My system currently only required 256MB RAM and runs much faster than Winblows!).
  But herein lies my problem. If my system is based around MIT/GPL software such as Kerberos, DNSMasq, IPTables, LDAP etc... how can I make any money from it?
  What I'd like to do is to be hands on and go in and setup the systems myself; so I could charge labor and not have to invest a great deal of time on my own infrastructure (ie. making it idiot proof); but as getting software running on Arch is so trivial; I don't think I could sustain a business on this alone.
  I also read somewhere about a company who wrapped up Open Office.org and Firefox in an OS and sold it. It stuff like this legal? How do they get around selling something which is unmodified versions of OS software???
  My other option is a support contract for each company; which is probably my best option. I charge for a days labor for the initial installation (after topology designs have been signed-off) and then charge the company yearly for 24/7 support.
  Does anyone have experience making a living from FOSS? Does anyone have any suggestions or warnings for me?
  I'd love to keep my software open source; but I'd also like to eat! :S
  Thanks,
  tommed

  Our SOHO is managed by myself for the daily tasks, but I give the real administration of our network (installing, upgrading, debugging, adding new features etc.) to a self-employed Debian developer.
  He has set us up a system like the one you describe: Kerberos, LDAP, NFS, mail, asterisk etc. He has only charged us for the work he has spent making this happen. From our off-the-record-talks I gather that he does varying stuff, so it wouldn't pay off for him to spend time in making a solution for 1 case (admittedly, a case that you could easily adapt for other projects)
  Myself I'm writing a program in PHP to manage our office. It's more of a single frontend for all the free software that we are using already. I'm planning on the long term to release this frontend in a free license, only charging people for the cost to set it up and to maintain it.
  I'm by no means a GPL-specialist, but I think this is the way to do this.

• Installing open source software remotely

  I am a trifle bit confused why many hosting companies offer
  one-step installation of Joomla, Wordpress, etc. on the remote
  server, when these applications require extensive testing--a
  potential disaster in the making in a shared hosting environment.
  Installing locally, then testing via XAMPP or some other server
  seems a much safer bet, though it is extremely tedious...

  > these
  > applications require extensive testing
  Do they? They seem to be tried and true established
  applications in wide use
  out there.
  -Darrel

• Free/open source plotting software

  The objective:
  Data processing, mostly one X and one Y axis, recorded from sensors.
  Formatting, to change how the chart looks, e.g. fonts of the axis label, weight and dashed lines of the plot, addition of lines or arrows.
  What's been found:
  Gnumeric and google spreadsheet.
  There is a wonder what the Free/open source software users among the research people are using. I ran into LaTeX and thinks it's a good software. Anything like this would be nice.
  Thanks.

  Fine. I found QtiPlot working really well on Linux systems with ease of availability free of charge. No flame setting (as I think Mac OS and linux are both Unix-like), but it's a bit hard to compile on Mac OS X.

• Open Source - Commercial Software?

  There's a lot of great open source code out there that comes in really handy for all sorts of common programming tasks. But upon reading carefully the licensing agreements, it seems to me that it's generally illegal to include such code in any standard commercial application.
  Example:
  A young programmer gets hired by a small software development company. The company gets a contract with a local business to write some custom applications for in-house use, and our programmer friend gets handed the specs. Several components of the software he is asked to write are already available as open source, and certainly more robust than anything he could write on his own.
  Legally, he only has two options:
  Convince his company and their client to release the final program as open source - even though it may have no use outside of their business and was never intended for public sale.
  Write all the code himself, ignoring the open source resources, taking much longer to create an inferior product.
  Does this make sense? Am I misunderstanding these license agreements? It would seem to me that, for instance, all those great and useful Apache products are perfect for commercial applications and indeed seem to be developed with that in mind. (I can't imagine using Log4J in a tiny program I hack out at home to organize my hard drive etc)
  Note that there is a difference between open source software (MySQL, Apache web server, other such apps), and open source tools (Log4J, Apache commons, many more) in that the tools are not really useful on their own but instead are used as part of other programs. The licenses seem to allow free use of the software, but require open-sourcing of any derivative software - meaning that a company can use MySQL as a database for anything they wish, but a developer working for that company can't use Log4J to write a frontend for that database without releasing the frontend as open source???

  But upon reading carefully the
  licensing agreements, it seems to me that it's
  generally illegal to include such code in anystandard
  commercial application.I don't think so, although I'm no more a lawyer than
  you are. The licence agreements vary widely. When I
  look at the agreement for log4j, for example, I only
  see the requirement that I have to put a copyright
  notice and an acknowledgement in my software. No
  prohibitions at all. That one's pretty
  straightforward. But I'm still trying to make sense of
  the LGPL.It all depends on the license.
  Apache license allows ANY use and license for software using it as long as the Apache license is made available with a mention that components under that license have been used.
  GPL on the other hand indeed requires that everything using any code released under GPL be released under GPL as well.
  So if you were to write a 10MB application using a single 1KB GPLd module you have no choice but to release all your code under the GPL as well. This makes code under GPL impossible to use in commercial products or anything for which code needs to remain in-house for any reason.
  Most other licenses fall somewhere in between. mySQL for example allows non-commercial use under any license but commercial use is barred unless you pay a license fee (in which case you get a different license).

• What open-source packages ship with Mac OS X Mavericks?

  Hi,
  Is there a definitive list of open-source packages in Mac OS X? I notice openssh, postgresql, perl, python, ruby, etc.
  Thanks,
  Mike

  There is nothing new in GPLv3 about proprietary and open source software. Apple would be entitled to include any stand-alone GPLv3 software in current versions of OS X without being required to release any source code. It is the new, anti-patent clauses in GPLv3 that are incompatible with Apple's business model. Since Apple distributes software, it would be required to give up all patents if it used any GPLv3 software. GPLv3 was written specificially to punish Apple for its strong position in favour of intellectual property rights and to favour companies like Amazon, Facebook, and Google that sell services and advertisements using other people's intellectual property.
  Open source is not equal to GPL. Apple actively supporta a number of open source projects. That effort is more diffcult due to the viral nature of GPL. GPL is one of the worst things to ever happen to open source.

• Logging with whereabouts using open source and freeware

  You can find the html version of this at:
  http://www.acelet.com/whitepaper/loggingWithWhereabouts.html
  Logging with whereabouts using open source and freeware
  The purpose of logging is to find out what had happened when needed. When the
  time comes to read log messages, you want to know both the log message and its
  whereabouts (class name, method name, file name and line number). So you need
  to hard code whereabouts.
  But hard coded whereabouts are very difficult to maintain: when you modify your
  source code, line number changes; when you copy and paste a line, its class name
  and method name change. If whereabouts are wrong, you introduce bugs in your logging
  logic and the log messages are useless at the best.
  This article shows you an example of using freeware Redress tool to rectify whereabouts
  programmatically in your Makefile or Ant build file. So your whereabouts are always
  correct for both Java and JSP source file.
  Redress tool is part of SuperLogging at http://www.ACElet.com. SuperLogging also
  provides an open source wrapper Alog.java, which redirects log method calls to
  your favorite logging package. Redress tool can rectify whereabouts information
  on all Alog's method calls in your application. So, if you call Alog's log methods,
  these calls will be rectified by Redress.
  JDK 1.4 introduces a new utility package java.util.logging. The example in this
  article is based on JDK logging. Log4J is a cousin of JDK logging. Log4J users
  should have no difficulties to modify this example for Log4J. Both JDK logging
  and Log4J are excellent logging software for single JVM.
  Note: Redress tool rectifies method calls on Alog, not JDK logging. You need to
  call Alog instead of JDK logging in your application.
  Source code of Alog.java
  The following is the source code of Alog's JDK logging version. It serves as an
  library file and should be on your CLASSPATH:
  * Copyright Acelet Corp. 2000. All rights reserved
  * License agreement begins >>>>>>>>>> <br>
  * This program (com.acelet.opensource.logging.Alog) ("Software") is an
  * open source software. <p>
  * LICENSE GRANT. The Software is owned by Acelet Corporation ("Acelet").
  * The Software is licensed to you ("Licensee"). You are granted a
  * non-exclusive right to use, modify, distribute the Software for either
  * commercial or non-commercial use for free, as long as: <br>
  * 1. this copyright paragraph remains with this file. <br>
  * 2. this source code (this file) must be included with distributed
  * binary code.<br>
  * NO WARRANTY. This comes with absolutely no warranty. <p>
  * <<<<<<<<<< License agreement ends <p><p>
  * The purpose of releasing this open source program is to prevent vendor
  * lock in. <p>
  * You can code your program using this class to indirectly use Acelet
  * SuperLogging (com.acelet.logging). If later you want to swith to other
  * logging package, you do not need to modify your program. All you have
  * to do is: <p>
  * 1. modify this file to redirect to other logging packages. <br>
  * 2. replace existing com.acelet.opensource.Alog with your modified one. <br>
  * 3. you may have to reboot your EJB server to make the changes effect.<br>
  * <p>
  * This program is just a wrapper. For detail information about the methods
  * see documents of underline package, such as com.acelet.logging.Logging.
  * <p>
  * Visit http://www.ACElet.com for more information.
  * <p>
  * This file is a modified for using JDK logging as an EXAMPLE.
  * <br>
  * You can use Redress tool to keep your whereabouts information
  * always correct. See http://www.ACElet.com/freeware for detail.
  * <p>
  * Please see http://www/ACElet.com/opensource if you want to see the
  * original version.
  package com.acelet.opensource.logging;
  import java.util.logging.*;
  public final class Alog {
  * Log level value: something will prevent normal program execution.
  public static int SEVERE = 1000;
  * Log level value: something has potential problems.
  public static int WARNING = 900;
  * Log level value: for significant messages.
  public static int INFO = 800;
  * Log level value: for config information in debugging.
  public static int CONFIG = 700;
  * Log level value: for information such as recoverable failures.
  public static int FINE = 500;
  * Log level value: for information about entering or returning a
  * method, or throwing an exception.
  public static int FINER = 400;
  * Log level value: for detail tracing information.
  public static int FINEST = 300;
  static Logger logger;
  static {
  logger = Logger.getLogger("");
  public Alog() {
  public static void alert(String subject, String message) {
  public static void error(String text, int level, String fullClassName,
  String methodName, String baseFileName, int lineNumber) {
  String[] para = {lineNumber + "", baseFileName};
  logger.logp(getLevel(level), fullClassName, methodName, text, para);
  public static Level getLevel(int levelValue) {
  if (levelValue == SEVERE)
  return Level.SEVERE;
  else if (levelValue == WARNING)
  return Level.WARNING;
  else if (levelValue == INFO)
  return Level.INFO;
  else if (levelValue == CONFIG)
  return Level.CONFIG;
  else if (levelValue == FINE)
  return Level.FINE;
  else if (levelValue == FINER)
  return Level.FINER;
  else if (levelValue == FINEST)
  return Level.FINEST;
  else
  return Level.ALL;
  public static void log(String text, int level, String fullClassName,
  String methodName, String baseFileName, int lineNumber) {
  String[] para = {lineNumber + "", baseFileName};
  logger.logp(getLevel(level), fullClassName, methodName, text, para);
  public static void sendMail(String to, String from, String subject,
  String text) throws Exception {
  public static void sendMail(String to, String cc, String bcc, String from,
  String subject, String text) throws Exception {
  Test program
  The simple test program is Test.java:
  import com.acelet.opensource.logging.Alog;
  public class Test {
  public static void main(String argv[]){
  Alog.log("Holle world", Alog.SEVERE, "wrongClassName", "wrongMethod",
  "wrongFileName", -1);
  How to run the test program
  1. Compile Alog.java (JDK 1.4 or later, not before):
  javac Alog.java
  2. Download freeware Redress tool from http://ACElet.com/freeware.
  3. Run Redress tool:
  java -cp redress.jar Test.java
  4. Check Test.java. The Alog.log method call should be rectified.
  5. Run test program:
  java Test
  You should see log message with correct class name and method name.

  Hi;
    I found this code and would like to share it with you :
  JCoDestination destination = JCoDestinationManager
    .getDestination(DESTINATION_NAME2);
    JCoFunction function = destination.getRepository().getFunction(
    "RFC_FUNCTION_SEARCH");
    if (function == null)
    throw new RuntimeException("RFC_FUNCTION_SEARCH not found in SAP.");
    function.getImportParameterList().setValue("FUNCNAME", "*");
    function.getImportParameterList().setValue("GROUPNAME", "*");
    try {
    function.execute(destination);
    JCoTable funcDetailsTable = function.getTableParameterList()
    .getTable("FUNCTIONS");
    int totalNoFunc = funcDetailsTable.getNumRows();
    if (totalNoFunc > 0) {
    for (int i = 0; i < totalNoFunc; i++) {
    System.out.println("Function Name: "
    + funcDetailsTable.getValue(i));
    } catch (AbapException e) {
    System.out.println(e.toString());
    return;
    System.out.println("RFC_FUNCTION_SEARCH finished");
  It is working and retrieving FM.
  Regards
  Anis

• Good site for Video Editing tools (open source)

  I'm a recent convert to Mac, and I'm having a hard time finding comparable tools to what is available via open source on the Windows side. Specifially in the H.264 arena. There are a multitude of open source encoding tools for Windows. I'm sure there have to be some for Mac. Are there any good sites that list these? I'm tried versiontracker and The Mac Orchard, but I'm hoping for something more specific like VideoHelp.com
  Any suggestions? I'm looking for encoding software that can do inverse telecine, import DivX/Xvid/DV, Trim video (to remove letterboxing), and encode to H.264.
  Thanks!

  Can't help with the video stuff, but since you're a newcomer to the Mac, see these:
  Switching from Windows to Mac OS X,
  Basic Tutorials on using a Mac,
  MacFixIt Tutorials,
  MacTips, and
  Switching to the Mac: The Missing Manual, Leopard Edition.
  And a link to open source software: http://sourceforge.net/ Search for *multimedia for Mac*.
  Additionally, *Texas Mac Man* recommends:
  Quick Assist.
  Welcome to the Switch To A Mac Guides, and
  A guide for switching to a Mac.

• Open-source projects on Oracle

  I had actually asked this question a while ago, but the answer from Oracle was a little vague.
  Is it legal to use the downloadable versions of the Oracle database, AS, and other tools (such as JDeveloper) to author open-source software?
  Thanks,
  Sean

  A better way to say it would be
  Oracle corporation delivers free kit of full oracle10g solution which include database,AS,DS and many other CD's with the free evaluation license. you can use these product only for evaluation of the product or for study purpose but you can not use them in production/development environment. for a production/development environment you must purchase a license according to given requirements.