Gentoo Weekly Newsletter: March 24th, 2003
1.
Gentoo News
Summary
How to become a Gentoo developer
A question we hear a lot from Gentoo users is, "How can I become a member of the Gentoo development team?" Broadly, the answer to this question is simply to start helping the development process as a user. This can be done in several ways, many of which involve bugs.gentoo.org. Consistently submitting fixes for existing bugs is a sure way to get the attention of the Gentoo developers. Additionally, frequently submitting new ebuilds is another way. As you may have noticed, consistency is an important part of the whole process.
For those people who are thinking about becoming developers but are not kernel hacker gurus or Python monks, helping with the development of the Gentoo documentation is another area where users can contribute and become a member of the team. Whether creating new documents or helping translate existing documents into other languages, the quality of the documentation is a critical part of the overall success of Gentoo Linux.
Finally, as the Gentoo Linux project continues to grow, other kinds of activities, such as newsletter contributors or infrastructure staff, may be useful as well. These will be announced here in the newsletter as needed. So for those who are interested in becoming part of the Gentoo Linux team, squash some of the open bugs, create new ebuilds or help with the documentation. Frequent contributors will be notified!
Changes in the way Gentoo Linux supports CFLAGS
CFLAGS have always been an important part of the Gentoo Linux hacker's toolkit. Tuning CFLAGS to squeeze out maximum performance is a technique used by many but understood by few. Many of the bugs found on bugs.gentoo.org are caused by extremely aggressive CFLAGS in the user's make.conf. Gentoo developers have some ways of dealing, within ebuilds, with certain CFLAGS that are known to cause problems. (Many kernel modules, for example, do not like the -fPIC option.) However, this is handled on a case-by-case basis and is not a definitive solution.
In an effort to create a long-term solution, a discussion took place on the Gentoo developers' mailing list covering various options. In the end, a decision was reached to keep a list of safe CFLAGS that are officially supported by Gentoo Linux. This means that if you use one of these flags and have problems with it, that is considered a valid Gentoo Linux bug. Users are free to try any other CFLAGS they like, but bugs related to those options will not be considered valid, and users will be asked to try a less aggressive optimization when compiling the specific program. In time, as gcc continues to mature, the list of officially supported CFLAGS will be revised and added to as appropriate, with the goal of supporting as many -f options as possible without losing quality or becoming a source of bugs.
To be clear, the practice of supported vs. unsupported CFLAGS has been in place for some time. However, the process has now been formalized, and the list of supported CFLAGS will be integrated into our installation documents as well as other documentation where appropriate.
Errata for last week's edition
As many users pointed out last week, the Tips & Tricks section contained an error in the code listing. Instead of SYNC="rsync.us.gentoo.org", it should have been listed as SYNC="rsync://rsync.us.gentoo.org/gentoo-portage". The person who made this mistake has been duly admonished, and this week the Tips & Tricks section was written by our usual contributor, David Narayan, who was on vacation last week (and is therefore absolved of any blame :).
2.
Gentoo Security
Summary
GLSA: samba
The samba smbd daemon has a buffer overflow which could permit a remote attacker to gain root privileges
on the server.
- Severity: Critical - Remote root exposure.
- Packages affected: net-fs/samba versions prior to samba-2.2.8
- Fix: Synchronize and emerge samba, emerge clean.
- GLSA Announcement
- Advisory
GLSA: kernel
Linux stable kernels 2.2 and 2.4 have a flaw in ptrace that permits local users to elevate their privileges to root.
The flaw is not remotely exploitable. It is not believed that the flaw affects the 2.5 kernel. The following kernel
sources have been patched: gentoo-sources, gs-sources, pfeifer-sources, sparc-sources, and xfs-sources. A patch for
other sources can be obtained from cvs.
- Severity: High - Kernel compromise, privilege elevation.
- Packages affected: Linux kernel versions 2.2, 2.4
- Fix: Synchronize and emerge kernel sources for your system, recompile and install kernel.
- GLSA Announcement
- Advisory
GLSA: mysql
If MySQL's configuration files are world-writable, it is possible to modify the server's configuration so that
MySQL will run as root after a restart. MySQL has been fixed so that it will not load world-writable config files.
- Severity: High - Privilege elevation.
- Packages affected: dev-db/mysql versions prior to mysql-3.23.56
- Fix: Synchronize and emerge mysql, emerge clean.
- GLSA Announcement
- Advisory
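A check modelled on the fix described in the mysql advisory, added here as an example and not taken from the GLSA or from MySQL's own code: given candidate option files, it reports which would be loaded and which would be ignored for being world-writable. The function name is hypothetical and the demo files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example: classify MySQL option files the way the advisory describes
# the fixed server behaving (world-writable files are not loaded).
# Prints "load PATH" or "ignore PATH (world-writable)" for each existing file.
# Returns 1 if at least one file was world-writable, 0 otherwise.
classify_option_files() {
    ignored=0
    for f in "$@"; do
        # Candidates that do not exist are skipped silently.
        [ -f "$f" ] || continue
        # -perm -0002 matches when the "other write" bit is set;
        # -L evaluates the target of a symlink, not the link itself.
        if [ -n "$(find -L "$f" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            printf 'ignore %s (world-writable)\n' "$f"
            ignored=1
        else
            printf 'load %s\n' "$f"
        fi
    done
    return "$ignored"
}

# Demo on constructed files (not real MySQL paths).
demo_dir=$(mktemp -d)
printf '[mysqld]\nuser=mysql\n' > "$demo_dir/my.cnf"
chmod 644 "$demo_dir/my.cnf"
printf '[mysqld]\nuser=mysql\n' > "$demo_dir/bad.cnf"
chmod 666 "$demo_dir/bad.cnf"
classify_option_files "$demo_dir/my.cnf" "$demo_dir/bad.cnf" "$demo_dir/missing.cnf" || true
rm -rf "$demo_dir"
```

On a real system, pass the option files your installation reads (for instance /etc/mysql/my.cnf and ~/.my.cnf, which are assumed paths here) and remove the write bit with chmod o-w on anything reported as ignored.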
GLSA: openssl
OpenSSL is subject to a timing attack which may permit exposure of RSA keys. This vulnerability can be eliminated by
enabling RSA blinding. The fix is to enable blinding by default, involving only a trivial performance impact.
- Severity: High - Cryptographic exposure.
- Packages affected: dev-libs/openssl versions prior to openssl-0.9.6i-r1
- Fix: Synchronize and emerge openssl, emerge clean.
- GLSA Announcement
- Advisory
GLSA: rxvt
The rxvt terminal emulator is subject to remote attack when untrusted data is displayed to the screen. This exposure
permits a DoS attack or (by taking advantage of other vulnerabilities on the system) the potential for system compromise.
- Severity: High - Remote System Compromise.
- Packages affected: x11-terms/rxvt versions prior to rxvt-2.7.8-r6
- Fix: Synchronize and emerge rxvt, emerge clean.
- GLSA Announcement
- Advisory
GLSA: evolution
Evolution is subject to several vulnerabilities that permit remote attacks ranging from DoS through security bypasses
and potential execution of arbitrary code through the use of carefully crafted UUencodes or MIME headers.
- Severity: High - Multiple exposures to remote attack.
- Packages affected: versions prior to
- Fix: Synchronize and emerge , emerge clean.
- GLSA Announcement
- Advisory
GLSA: qpopper
Qpopper exposes a buffer overflow which could permit the execution of arbitrary code. The code would normally be
executed with the privileges of a user that must be authenticated.
- Severity: Moderate - arbitrary code execution, mitigated by requirement for user authentication.
- Packages affected: net-mail/qpopper versions prior to qpopper-4.0.5
- Fix: Synchronize and emerge qpopper, emerge clean.
- GLSA Announcement
- Advisory
GLSA: man
Man contains an error return value bug that could permit a specially formatted man file to execute a program
named 'unsafe', if it exists.
- Severity: Moderate - arbitrary code execution, mitigated by requirement for local access and program installation.
- Packages affected: versions prior to
- Fix: Synchronize and emerge , emerge clean.
- GLSA Announcement
- Advisory
New Security Bug Reports
The following new security bugs were posted this week:
gentoo-security
Alexander Holler posted a message to the gentoo-security mailing list describing and offering a link to a proof-of-concept trojan for Gentoo that exploits the oft-discussed problem that ebuilds are not signed or otherwise authenticated. Mr. Holler's statement that "nobody .. seems concerned about portage security" provoked some comment, as did the question about whether posting a trojan for an already documented vulnerability was productive or advisable. The discussion continued with some expressions of concern that the issue be addressed soon, including a note from Daniel Robbins indicating a desire to add enhanced security to Portage-2.0. All told, the discussion seems particularly timely, given the recent launch of the Hardened Gentoo project.
3.
Featured Developer of the Week
Daniel Ahlberg
Figure 3.1: Daniel Ahlberg, aka aliz
This week we feature Daniel Ahlberg, one of the watchful eyes who keep Gentoo secure and up-to-date. Monitoring security-related mailing lists and hunting for new package versions, he sends out GLSAs and bumps package versions, facing the constant fear of breaking something when he marks a package as stable. Daniel had been using Gentoo for a couple of months when he saw a discussion on #gentoo-dev about how every package needed to be checked for the license it used, and the new LICENSE keyword added to each ebuild. Later that night he checked the licenses and updated the ebuilds for a couple of categories, and sent them to drobbins and seemant, who asked him to become a developer a couple of days later. Daniel doesn't feel he's done anything extraordinary, but likes the occasional bash script hacks he does.
Three years ago Daniel started a company with some of his friends; he still works there, administering the network and servers, making sure others can do their work, and consulting. He likes all the software he uses daily, including bash, nano, phoenix, kde, enlightenment, kmail, xchat, sim, kate, and gkrellm2, and runs Gentoo on his three primary computers: a workstation at home and at work, and his laptop, which is usually connected to his work computer by VNC. Daniel, who lives "somewhere in the upper middle of Sweden", likes to read (he's on his third Tom Clancy novel right now), listen to music, and watch movies.
4.
Heard in the Community
Web Forums
Gentoo GNU/Hurd Project Started
Jon Portnoy aka avenj announced last week that he's started working on a port of the Hurd for Gentoo, and he is currently scanning the Forums for people interested in this development. The official discussion about the project and the right place for anyone interested in posting a "me, too" has found its permanent home here:
Better Uses for Gentoo
As reported last week, the Gentoo store has recently added a few new items, and one of those has inspired some hardware buffs to make it slightly more useful than it already is: Who needs sandwiches and apples in their Gentoo lunchbox when they can have a full-blown PC instead? Carry on:
Intel's C Compiler in Gentoo
Using ICC, Intel's C compiler, is still quite limited, both in terms of the software that can actually be built with it and the number of people who try using it despite this limitation. Some people like to replace the default GCC with ICC for certain applications, and on occasion they discuss this broadly enough to let others get an idea of what, why and how to do it:
Gentoo Installation Success on an RS/6000
Got a dusty old B50 lying around in a broom closet at the office? Here's how to blow some new life into it... Welcome, thanks and congratulations to Forum newcomer JurgyMan for this contribution:
gentoo-user
Realistic Install timeframe
Trey Sizemore started an interesting thread by asking how long it realistically takes to install a Gentoo Linux desktop from stage 1. Most of the responses seemed to indicate that Trey was probably a little optimistic in his initial assessment of getting a full KDE desktop up and running on a PII400 in about a day. Of course, KDE is easily the largest app that needs to be compiled in Trey's setup, so a lighter-weight WM like fluxbox would likely drop his setup time considerably.
Command line interface tools
Dhruba Bandopadhyay asked for opinions regarding peoples' preferences for command line interface tools. Naturally, lively discussion ensued.
ftp/iptables always in emerge world
Kurt Hindenberg asked why ftp and iptables always showed up during an emerge world. When it turned out that these packages were being required by the base system profile, a bug report ensued.
gentoo-dev
Status of a Gentoo Installer?
Bip Thelin asked whether the creation of a Gentoo installer was on somebody's task list. He proposed to implement such an installer in Java. Alain Penders replied with a link to CursingCow, a Python/NEWT installer for Gentoo Linux. Although only the PPC architecture is currently supported, the code does support architecture-specific modules. Gentoo developer Dylan Carlson finally replied that even though Java would be a good choice for such a task, Python plays a central role in the whole Gentoo infrastructure and it may be difficult to integrate a Java solution in the Gentoo toolchain.
ACCEPT_KEYWORDS + bootstrap.sh
As one user noticed early this week during the installation of his Gentoo, the bootstrap process does not use the ACCEPT_KEYWORDS setting from /etc/make.conf.
ACCEPT_KEYWORDS is meant as a tool for easy testing of packages. That is, users can effectively add unstable packages to, or remove them from, the usual stable lot.
Disregarding the ACCEPT_KEYWORDS setting during bootstrap is not a bug. Rather, it is supposed to ease the installation and to secure a stable foundation for the rest of Gentoo to exist on. This is done by specifically choosing well-tested packages as opposed to newly released packages.
Some argue against this, suggesting that it eliminates choices, which is not appropriate for the kind of distribution that Gentoo is, and that there really is no point in trying to secure a stable foundation in this way when the rest of the distribution makes use of ACCEPT_KEYWORDS.
These arguments are true only for the most part, because reading through the /usr/portage/scripts/bootstrap.sh script reveals that the bootstrap process grabs packages from a file describing a default profile, tailored for a specific architecture (intel, ppc, etc.). So instead of being eliminated, the choices have been disguised as profiles, waiting to be modified. The command cd $(readlink -f /etc/make.profile) will bring you to the location of your default profile.
A word of caution: when modifying the default profile you can cripple your Gentoo installation from step one, since version changes could break package dependencies.
5.
Gentoo International
Gentoo in the Japanese Press
Two articles in Japanese about Gentoo were published on the same day last week in different magazines, both written by fervent supporters of GentooJP: Yoshiaki Hagihara, one of the translators of the GWN among other things, has written a very funny seven-pager ("Gentoo Lifestyle -- My days with Gentoo") for LinuxPower Vol. 1, the first issue of this new addition to the growing number of Linux magazines in Japan. And Masatomo Nakano, spiritus rector of the GentooJP project, wrote his piece ("Gentoo again") for the April issue of Software Design. Both magazines are on sale in Japanese bookshops since 18 March.
Russian Gentoo Community Set Up!
Developer George Shapovalov announced that the "Fellowship of gentoo.ru" has been up and running for almost a month already! The Fellowship was born after growing interest in Gentoo Linux by the Russian speaking community was becoming impossible to overlook, and it's already got its own website and user support forums. Gentoo.ru also provides translations for Gentoo documentation, carefully supervised by official devs. No need to be shy if you would like to help with translations or any other subotnik, the Fellowship will certainly welcome any such attempt. Real time chat is available on irc.rinet.ru, channel #gentoo.
New Mailing List for French Gentoo Users
Adding to the support base for French speakers, a new official mailing list, gentoo-user-fr, was created last week. Between the new list, the French forum and the IRC channel on Freenode for French users, chances to get support for technical questions are on a pretty acceptable level now.
International Event Calendar
The GWN editorial staff is extremely grateful for information about anything related to conferences, seminars, user meetings, install fests or any other event Gentoo users are organising or participating in. This week an impressive number of events has come up; take your pick from those, and send an e-mail to gwn-feedback@gentoo.org if you know of any others:
- Austria: The Vienna community is turning openly hedonistic... They've barely recovered from their last meeting, yet up comes a plan for the next one. Date: 1 April, venue to be decided via this thread in the German forum.
- Portugal: Gentoo-stronghold Coimbra (and certainly one of the most pleasant locations to be in around spring) is the venue for the 7th "Encontro de Gestão e Tecnologias da Informação", co-organized by Gentoo Forum moderator RoadRunner and other Gentooists, to be held on 2 April in the Auditório da Reitoria at Coimbra University. An indisputable highlight of this conference will be the afternoon podium discussion about "Free Software Use in Public Administrations", with the Marketing Director of Microsoft Portugal and the head of the Portuguese Linux distribution Caixa Magica fencing it out on stage. Further information here; if you're planning on attending the show, tell the others here, please.
- France: Same day, similar subject, 800 kilometres further north... A conference in Paris about opportunities for free software use in small and medium sized companies may serve as a venue for an informal meeting of Gentoo users; all the details are here.
- Denmark & Sweden: Also on 2 April, the Skåne Sjælland LUG is getting a fully-fledged Gentoo presentation by Klavs. Details were hard to come by before this week's GWN deadline, but the presenter will certainly be able to guide you if you make yourself heard in this forum thread.
- UK: In an almost forgotten thread in the Forums, brum-based mr-simon is looking for Gentooists to join him at the Linux User & Developer Expo in Birmingham on 15/16 April.
- Germany: Still way ahead, but worth noting: 14 May is the tentative date for Gentoo users in the Köln/Bonn region to organize their first meeting. Expressions of interest in joining the crowd go here.
6.
Portage Watch
The following stable packages were added to portage this week
Updates to notable packages
- kde-base/kde - kde-3.1.1.ebuild;
- gnome-base/gnome - gnome-2.2.1.ebuild;
- sys-kernel/* - aa-sources-2.4.21_pre5-r1.ebuild; aa-sources-2.4.21_pre5-r2.ebuild; development-sources-2.5.65.ebuild; gentoo-sources-2.4.20-r2.ebuild; gs-sources-2.4.21_pre5-r1.ebuild; mm-sources-2.5.65-r1.ebuild; mm-sources-2.5.65-r2.ebuild; pfeifer-sources-2.4.20.1_pre1.ebuild; selinux-sources-2.4.20-r1.ebuild; sparc-sources-2.4.20-r6.ebuild; xfs-sources-2.4.20-r1.ebuild; xfs-sources-2.4.20-r2.ebuild; xfs-sources-2.4.20.ebuild;
- dev-db/mysql - mysql-3.23.56.ebuild;
Updates to notable packages
- sys-apps/portage - portage-2.0.47-r10.ebuild;
- x11-base/xfree - xfree-4.3.0-r1.ebuild;
- sys-kernel/* - ac-sources-2.4.21_pre5-r3.ebuild; gaming-sources-2.4.20-r1.ebuild; lolo-sources-2.4.20.2_pre5.ebuild; mm-sources-2.5.64-r4.ebuild; mm-sources-2.5.64-r5.ebuild; mm-sources-2.5.64-r6.ebuild; wolk-sources-4.0_rc2.ebuild; wolk-sources-4.0_rc3.ebuild;
- dev-db/mysql - mysql-4.0.11a-r1.ebuild;
- app-admin/gentoolkit - gentoolkit-0.1.19-r3.ebuild;
New USE variables
- lirc - Adds support for lirc (Linux's Infra-Red Remote Control)
7.
Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity
on the site has resulted in:
- 275 new bugs this week
- 294 bugs closed or resolved this week
- 9 previously closed bugs reopened this week
- 2161 total bugs currently marked 'new'
- 465 total bugs currently assigned to developers
There are currently 3001 bugs open in bugzilla. Of these: 70 are marked 'blocker', 108 are marked 'critical', and 228 are marked 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs this week are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs this week are:
8.
Tips and Tricks
Using tmpfs
This week's tip shows you how to make use of tmpfs to speed up access time for small temporary files. Tmpfs simulates a filesystem by supporting normal reads and writes, but the files are stored in memory. This makes access much faster. Note that files stored in tmpfs are not saved between reboots. Also, tmpfs is only recommended for systems with large amounts of memory.
First make sure that tmpfs is enabled in your kernel.
Code Listing 8.1: Enabling tmpfs in the kernel
# cd /usr/src/linux
# make menuconfig
Enable File Systems -->
[*] Virtual memory system support
# make dep && make clean bzImage
# cp /usr/src/linux/arch/i386/boot/bzImage /boot

/tmp is the most common place for temporary files. We will use tmpfs to mount /tmp.

Code Listing 8.2: Mounting /tmp with tmpfs
# mount -t tmpfs tmpfs /tmp

Now that /tmp is mounted, all you have to do is add the following to your /etc/fstab in order to have it load on boot.

Code Listing 8.3: Add the following line to your fstab file
tmpfs /tmp tmpfs defaults 0 0
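An added example (not part of the original newsletter) that goes a step beyond the fstab line above: it reads an fstab file, confirms that /tmp is a tmpfs mount, and reports which of the common restrictions nosuid, nodev, noexec and a size= cap are absent, since `defaults` permits setuid binaries and device nodes in /tmp and leaves tmpfs at its default limit of half of RAM. The function name and the sample fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the /tmp entry of an fstab file.
# Prints one finding per line. Returns 0 if /tmp is tmpfs with all
# restrictions present, 1 if it is tmpfs but some are missing, and
# 2 if there is no tmpfs entry for /tmp at all.
check_tmp_fstab() {
    fstab=$1
    # Take the last non-comment entry whose mount point (field 2) is /tmp
    # and keep its filesystem type and option list.
    entry=$(awk '$1 !~ /^#/ && $2 == "/tmp" { line = $3 " " $4 } END { print line }' "$fstab")
    fstype=${entry%% *}
    opts=${entry#* }
    if [ "$fstype" != "tmpfs" ]; then
        echo "no tmpfs entry for /tmp"
        return 2
    fi
    missing=0
    for want in nosuid nodev noexec; do
        # Wrap the list in commas so each option is matched as a whole word.
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "missing option: $want"; missing=1 ;;
        esac
    done
    case ",$opts," in
        *",size="*) ;;
        *) echo "missing option: size= (tmpfs defaults to half of RAM)"; missing=1 ;;
    esac
    if [ "$missing" -eq 0 ]; then
        echo "ok: $opts"
    fi
    return "$missing"
}

# Constructed samples: the line from Code Listing 8.3 and a restricted variant.
tmp_demo=$(mktemp -d)
printf 'tmpfs /tmp tmpfs defaults 0 0\n' > "$tmp_demo/fstab.listing"
printf 'tmpfs /tmp tmpfs nosuid,nodev,noexec,size=512m,mode=1777 0 0\n' > "$tmp_demo/fstab.restricted"
check_tmp_fstab "$tmp_demo/fstab.listing" || true
check_tmp_fstab "$tmp_demo/fstab.restricted"
rm -rf "$tmp_demo"
```

Some software unpacks and runs helpers from /tmp, so try noexec on a test system before relying on it.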
9.
Moves, Adds and Changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers joined the Gentoo Linux team:
- Felix De Vliegher (Popsickle) -- LiveCD, KDE
- Philip Walls (malverian) -- media-gfx, distributed computing stuff
- Matthew Rickard (frogger) -- ProPolice
- Jeraimee Hughes (a.sleep) -- Gentoo Infrastructure
Changes
The following developers recently changed roles within the Gentoo project:
- Mark Guertin (gerk) -- Retired as Gentoo/PPC Project Lead
10.
Contribute to GWN (Gentoo Weekly Newsletter)
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email
11.
GWN Feedback
Please send us your contributions and help make the GWN better.
12.
Other languages
The Gentoo Weekly Newsletter is also available in the following languages: