Gentoo Weekly Newsletter: March 24th, 2003

Content:

1.  Gentoo News

Summary

How to become a Gentoo developer

A question we hear a lot from Gentoo users is, "How can I become a member of the Gentoo development team?" Broadly, the answer to this question is simply to start helping with the development process as a user. This can be done in several ways, many of which involve using bugs.gentoo.org. Consistently submitting fixes for existing bugs is a sure-fire way to get the attention of Gentoo developers. Additionally, frequently submitting new ebuilds is another way. As you may have noticed, consistency is an important part of the whole process.

For those who are thinking about becoming developers but are not kernel hacking gurus or python monks, helping with the development of Gentoo documentation is another area where users can contribute and become members of the team. Whether creating new documents or helping to translate existing documents into other languages, quality documentation is a critical part of the overall success of Gentoo Linux.

Finally, as the Gentoo Linux project continues to grow, other types of activities, such as Newsletter contributors or infrastructure staff, may be useful as well. These will be announced here in the Newsletter when needed. So, for those who are interested in becoming part of the Gentoo Linux team, kill some of the open bugs, create new ebuilds or help with the documentation. Frequent contributors will be notified!

Changes to the way Gentoo Linux supports CFLAGS

CFLAGS have always been an important part of the Gentoo Linux hacker's toolkit. Setting CFLAGS to squeeze out maximum performance is a technique used by many but understood by few. Many of the bugs found on bugs.gentoo.org are caused by overly aggressive CFLAGS in the user's make.conf. Gentoo developers have some ways of dealing, within ebuilds, with certain CFLAGS that are known to cause problems. (Many kernel modules, for example, do not like the -fPIC option.) However, this is handled on a case-by-case basis and is not a definitive solution.

In an effort to create a long-term solution, a discussion took place on the Gentoo developers' mailing list covering various options. In the end, the decision reached was to have a list of safe CFLAGS that are officially supported by Gentoo Linux. This means that if you use one of these flags and have problems with it, it is considered a valid bug in Gentoo Linux. Users are free to try any other CFLAGS they like, but bugs related to those options will not be considered valid, and users will be asked to try a less aggressive optimization when compiling the specific program. Over time, as gcc continues to mature, the list of officially supported CFLAGS will be revised and added to as appropriate, with the goal of supporting the largest possible number of -f options without sacrificing quality or becoming a source of bugs.

To be clear, the practice of supported vs. unsupported CFLAGS has been in place for some time. However, the process has now been formalized, and the list of supported CFLAGS will be integrated into our installation documents as well as other documentation where appropriate.

Errata for last week's edition

As many users pointed out last week, the Tips & Tricks section contained an error in the code listing. Instead of SYNC="rsync.us.gentoo.org", it should have been listed as SYNC="rsync://rsync.us.gentoo.org/gentoo-portage". The person who made this mistake has been duly admonished, and this week the Tips & Tricks section was written by our usual contributor, David Narayan, who was on vacation last week (and is therefore absolved of any blame :).

2.  Gentoo Security

Summary

GLSA: samba

The samba smbd daemon has a buffer overflow which could permit a remote attacker to gain root privileges on the server.

  • Severity: Critical - Remote root exposure.
  • Affected packages: net-fs/samba versions prior to samba-2.2.8
  • Fix: Synchronize and emerge samba, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: kernel

Linux stable kernels 2.2 and 2.4 have a flaw in ptrace that permits local users to elevate their privileges to root. The flaw is not remotely exploitable. It is not believed that the flaw affects the 2.5 kernel. The following kernel sources have been patched: gentoo-sources, gs-sources, pfeifer-sources, sparc-sources, and xfs-sources. A patch for other sources can be obtained from cvs.

  • Severity: High - Kernel compromise, privilege elevation.
  • Affected packages: Linux kernel versions 2.2, 2.4
  • Fix: Synchronize and emerge kernel sources for your system, recompile and install kernel.
  • GLSA Announcement
  • Advisory

GLSA: mysql

If MySQL's configuration files are world-writable, it is possible to modify the server's configuration so that MySQL will run as root after a restart. MySQL has been fixed so that it will not load world-writable config files.

  • Severity: High - Privilege elevation.
  • Affected packages: dev-db/mysql versions prior to mysql-3.23.56
  • Fix: Synchronize and emerge mysql, emerge clean.
  • GLSA Announcement
  • Advisory
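
A check in the spirit of this fix, as an added example that is not part of the original advisory or of MySQL's code: it flags configuration files that are world-writable and, going one step beyond the advisory, files whose parent directory lets any user replace them. The candidate paths are assumptions; pass the locations your installation actually reads.

```python
import os
import stat

# Assumed candidate locations, not taken from the advisory.
DEFAULT_CANDIDATES = [
    "/etc/my.cnf",
    "/etc/mysql/my.cnf",
    os.path.expanduser("~/.my.cnf"),
]


def config_findings(path):
    """Return a list of permission problems for one config file path."""
    findings = []
    try:
        st = os.stat(path)  # follows symlinks, as opening the file would
    except (FileNotFoundError, NotADirectoryError):
        return findings  # absent file: nothing is loaded, nothing to report
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable file")
    # Beyond the advisory: a world-writable parent directory without the
    # sticky bit lets any local user delete the file and create a new one.
    parent = os.stat(os.path.dirname(os.path.realpath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    return findings


def audit(paths=DEFAULT_CANDIDATES):
    """Map each problematic path to its findings; clean paths are omitted."""
    report = {}
    for path in paths:
        findings = config_findings(path)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, problems in audit().items():
        print(f"{path}: {', '.join(problems)}")
```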

GLSA: openssl

OpenSSL is subject to a timing attack which may permit exposure of RSA keys. This vulnerability can be eliminated by enabling RSA blinding. The fix is to enable blinding by default, involving only a trivial performance impact.

  • Severity: High - Cryptographic exposure.
  • Affected packages: dev-libs/openssl versions prior to openssl-0.9.6i-r1
  • Fix: Synchronize and emerge openssl, emerge clean.
  • GLSA Announcement
  • Advisory
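
How blinding works, as an added example that is not OpenSSL's code: the private-key operation is applied to the input multiplied by r^e for a fresh random r, so its timing no longer correlates with attacker-chosen input, and r is divided out afterwards. The key is a constructed toy key (p = 61, q = 53) and all function names are hypothetical.

```python
import math
import secrets

# Constructed toy key for illustration only (n = 61 * 53); not a usable key size.
N, E, D = 3233, 17, 2753


def private_op_plain(c):
    """Unblinded private-key operation: the exponentiation runs directly on c."""
    return pow(c, D, N)


def blind(c, r):
    """Multiply c by r^e so the private exponentiation never sees c itself."""
    return (c * pow(r, E, N)) % N


def unblind(m_blinded, r):
    """Remove the factor r, using (c * r^e)^d = c^d * r (mod n)."""
    return (m_blinded * pow(r, -1, N)) % N


def fresh_blinding_factor():
    """Pick a random r in [2, n-1] that is invertible modulo n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r


def private_op_blinded(c, r=None):
    """Return (result, value actually fed to the private exponentiation).

    r is normally fresh per operation; it is a parameter here only so the
    behaviour can be checked with fixed values.
    """
    r = fresh_blinding_factor() if r is None else r
    c_blinded = blind(c, r)
    return unblind(pow(c_blinded, D, N), r), c_blinded


if __name__ == "__main__":
    c = pow(65, E, N)  # constructed ciphertext of the message 65
    result, seen = private_op_blinded(c)
    print("plain result:", private_op_plain(c))
    print("blinded result:", result, "exponentiation input was:", seen)
```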

GLSA: rxvt

The rxvt terminal emulator is subject to remote attack when un-trusted data is displayed to the screen. This exposure permits a DOS attack or (by taking advantage of other vulnerabilities on the system) the potential for system compromise.

  • Severity: High - Remote System Compromise.
  • Affected packages: x11-terms/rxvt versions prior to rxvt-2.7.8-r6
  • Fix: Synchronize and emerge rxvt, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: evolution

Evolution is subject to several vulnerabilities that permit remote attacks ranging from DoS through security bypasses and potential execution of arbitrary code through the use of carefully crafted UUencodes or MIME headers.

  • Severity: High - Multiple exposures to remote attack.
  • Affected packages: versions prior to
  • Fix: Synchronize and emerge , emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: qpopper

Qpopper exposes a buffer overflow which could permit the execution of arbitrary code. The code would normally be executed with the privileges of a user that must be authenticated.

  • Severity: Moderate - arbitrary code execution, mitigated by requirement for user authentication.
  • Affected packages: net-mail/qpopper versions prior to qpopper-4.0.5
  • Fix: Synchronize and emerge qpopper, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: man

Man contains an error return value bug that could permit a specially formatted man file to execute a program named 'unsafe', if it exists.

  • Severity: Moderate - arbitrary code execution, mitigated by requirement for local access and program installation.
  • Affected packages: versions prior to
  • Fix: Synchronize and emerge , emerge clean.
  • GLSA Announcement
  • Advisory

New Security Bug Reports

The following new security bugs were posted this week:

gentoo-security

Alexander Holler posted a message to the gentoo-security mailing list describing and offering a link to a proof-of-concept trojan for gentoo that exploits the oft-discussed problem that ebuilds are not signed or otherwise authenticated. Mr. Holler's statement that "nobody .. seems concerned about portage security" provoked some comment, as did the question about whether posting a trojan for an already documented vulnerability was productive or advisable. The discussion continued with some expressions of concern that the issue be addressed soon, including a note from Daniel Robbins indicating a desire to add enhanced security to Portage-2.0. All told, the discussion seems particularly timely, given the recent launch of the hardened gentoo project.

3.  Featured Developer of the Week

Daniel Ahlberg


Figure 3.1: Daniel Ahlberg, aka aliz

This week we feature Daniel Ahlberg, one of the watchful eyes who keep Gentoo secure and up-to-date. Monitoring security-related mailing lists and hunting for new package versions, he sends out GLSAs and bumps package versions, facing the constant fear of breaking something when he marks a package as stable. Daniel had been using Gentoo for a couple of months when he saw a discussion on #gentoo-dev about how every package needed to be checked for the license it used, and the new LICENSE keyword added to each ebuild. Later that night he checked the licenses and updated the ebuilds for a couple of categories, and sent them to drobbins and seemant, who asked him to become a developer a couple of days later. Daniel doesn't feel he's done anything extraordinary, but likes the occasional bash script hacks he does.

Three years ago Daniel started a company with some of his friends; he still works there, administering the network and servers, making sure others can do their work, and consulting. He likes all the software he uses daily, including bash, nano, phoenix, kde, enlightenment, kmail, xchat, sim, kate, and gkrellm2, and runs Gentoo on his three primary computers: a workstation at home and at work, and his laptop, which is usually connected to his work computer by VNC. Daniel, who lives "somewhere in the upper middle of Sweden", likes to read (he's on his third Tom Clancy novel right now), listen to music, and watch movies.

4.  Heard in the Community

Web Forums

Gentoo GNU/Hurd Project Started

Jon Portnoy aka avenj announced last week that he's started working on a port of the Hurd for Gentoo, and he is currently scanning the Forums for people interested in this development. The official discussion about the project and the right place for anyone interested in posting a "me, too" has found its permanent home here:

Better Uses for Gentoo

As reported last week, the Gentoo store has recently added a few new items, and one of those has inspired some hardware buffs to make it slightly more useful than it already is: Who needs sandwiches and apples in their Gentoo lunchbox when they can have a full-blown PC instead? Carry on:

Intel's C Compiler in Gentoo

Using ICC, Intel's C compiler, is still quite limited, both in terms of the software that can actually be built with it and of the people who try using it despite this limitation. Some people like to replace the default GCC with ICC for certain applications, and on occasion they discuss this broadly enough to let others get an idea of what, why and how to do it:

Gentoo Installation Success on an RS/6000

Got a dusty old B50 lying around in a broom closet at the office? Here's how to blow some new life into it... Welcome, thanks and congratulations to Forum newcomer JurgyMan for this contribution:

gentoo-user

Realistic Install timeframe

Trey Sizemore started an interesting thread by asking how long it realistically takes to install a Gentoo Linux desktop from stage 1. Most of the responses seemed to indicate that Trey was probably a little optimistic in his initial assessment of getting a full KDE desktop up and running on a PII400 in about a day. Of course, KDE is easily the largest app that needs to be compiled in Trey's setup, so a lighter-weight WM like fluxbox would likely drop his setup time considerably.

Command line interface tools

Dhruba Bandopadhyay asked for opinions regarding peoples' preferences for command line interface tools. Naturally, lively discussion ensued.

ftp/iptables always in emerge world

Kurt Hindenberg asked why ftp and iptables always showed up during an emerge world. When it turned out that these packages were being required by the base system profile, a bug report ensued.

gentoo-dev

Status of a Gentoo Installer?

Bip Thelin asked whether the creation of a Gentoo installer was on somebody's task list. He proposed to implement such an installer in Java. Alain Penders replied with a link to CursingCow, a Python/NEWT installer for Gentoo Linux. Although only the PPC architecture is currently supported, the code does support architecture-specific modules. Gentoo developer Dylan Carlson finally replied that even though Java would be a good choice for such a task, Python plays a central role in the whole Gentoo infrastructure and it may be difficult to integrate a Java solution in the Gentoo toolchain.

ACCEPT_KEYWORDS + bootstrap.sh

As one user noticed early this week during the installation of his Gentoo system, the bootstrap process does not use the ACCEPT_KEYWORDS setting from /etc/make.conf.

ACCEPT_KEYWORDS is meant as a tool for easy testing of packages: with it, users can add unstable packages to, or remove them from, the usual stable lot.

Disregarding the ACCEPT_KEYWORDS setting during bootstrap is not a bug. Rather, it is supposed to ease the installation and to secure a stable foundation for the rest of Gentoo to exist on. This is done by specifically choosing well-tested packages as opposed to newly released packages.

Some argue against this, suggesting that it eliminates choices, which is not appropriate for the kind of distribution that Gentoo is, and that there really is no point in trying to secure a stable foundation in this way when the rest of the distribution makes use of ACCEPT_KEYWORDS.

And the arguments are true, for the most part. Reading through the /usr/portage/scripts/bootstrap.sh script, however, reveals that the bootstrap process grabs packages from a file describing a default profile, tailored for a specific architecture (intel, ppc, etc.). So instead of being eliminated, the choices have been disguised as profiles, waiting to be modified. The command cd $(readlink -f /etc/make.profile) will bring you to the location of your default profile.

A word of caution: when modifying the default profile you can cripple your Gentoo installation from step one, since version changes could break package dependencies.

5.  Gentoo International

Gentoo in the Japanese Press

Two articles in Japanese about Gentoo were published on the same day last week in different magazines, both written by fervent supporters of GentooJP: Yoshiaki Hagihara, one of the translators of the GWN among other things, has written a very funny seven-pager ("Gentoo Lifestyle -- My days with Gentoo") for LinuxPower Vol. 1, the first issue of this new addition to the growing number of Linux magazines in Japan. And Masatomo Nakano, spiritus rector of the GentooJP project, wrote his piece ("Gentoo again") for the April issue of Software Design. Both magazines are on sale in Japanese bookshops since 18 March.

Russian Gentoo Community Set Up!

Developer George Shapovalov announced that the "Fellowship of gentoo.ru" has been up and running for almost a month already! The Fellowship was born after growing interest in Gentoo Linux by the Russian speaking community was becoming impossible to overlook, and it's already got its own website and user support forums. Gentoo.ru also provides translations for Gentoo documentation, carefully supervised by official devs. No need to be shy if you would like to help with translations or any other subotnik, the Fellowship will certainly welcome any such attempt. Real time chat is available on irc.rinet.ru, channel #gentoo.

New Mailing List for French Gentoo Users

Adding to the support base for French speakers, a new official mailing list, gentoo-user-fr, was created last week. Between the new list, the French forum and the IRC channel on Freenode for French users, chances to get support for technical questions are on a pretty acceptable level now.

International Event Calendar

The GWN editorial staff is extremely grateful for information about anything related to conferences, seminars, user meetings, install fests or any other event Gentoo users are organising or participating in. This week an impressive number of events has come up; take your pick from those, and send an e-mail to gwn-feedback@gentoo.org if you know of any others:

  • Austria: The Vienna community is turning openly hedonistic... They've barely recovered from their last meeting, yet up comes a plan for the next one. Date: 1 April, venue to be decided via this thread in the German forum.
  • Portugal: Gentoo-stronghold Coimbra (and certainly one of the most pleasant locations to be in around spring) is the venue for the 7th "Encontro de Gestão e Tecnologias da Informação", co-organized by Gentoo Forum moderator RoadRunner and other Gentooists, to be held on 2 April in the Auditório da Reitoria at Coimbra University. An indisputable highlight of this conference will be the afternoon podium discussion about "Free Software Use in Public Administrations", with the Marketing Director of Microsoft Portugal and the head of the Portuguese Linux distribution Caixa Magica fencing it out on stage. Further information here, if you're planning on attending the show, tell the others here, please.
  • France: Same day, similar subject, 800 kilometres further north... A conference in Paris about opportunities for free software use in small and medium sized companies may serve as a venue for an informal meeting of Gentoo users, all the details are here.
  • Denmark & Sweden: Also on 2 April, the Skåne Sjælland LUG is getting a fully-fledged Gentoo presentation by Klavs. Details were hard to come by before this week's GWN deadline, but the presenter will certainly be able to guide you if you make yourself heard in this forum thread.
  • UK: In an almost forgotten thread in the Forums, brum-based mr-simon is looking for Gentooists to join him at the Linux User & Developer Expo in Birmingham on 15/16 April.
  • Germany: Still way ahead, but worth noting: 14 May is the tentative date for Gentoo users in the Köln/Bonn region to organize their first meeting. Expressions of interest in joining the crowd go here.

6.  Portage Watch

The following stable packages were added to portage this week

Updates to notable packages

  • kde-base/kde - kde-3.1.1.ebuild;
  • gnome-base/gnome - gnome-2.2.1.ebuild;
  • sys-kernel/* - aa-sources-2.4.21_pre5-r1.ebuild; aa-sources-2.4.21_pre5-r2.ebuild; development-sources-2.5.65.ebuild; gentoo-sources-2.4.20-r2.ebuild; gs-sources-2.4.21_pre5-r1.ebuild; mm-sources-2.5.65-r1.ebuild; mm-sources-2.5.65-r2.ebuild; pfeifer-sources-2.4.20.1_pre1.ebuild; selinux-sources-2.4.20-r1.ebuild; sparc-sources-2.4.20-r6.ebuild; xfs-sources-2.4.20-r1.ebuild; xfs-sources-2.4.20-r2.ebuild; xfs-sources-2.4.20.ebuild;
  • dev-db/mysql - mysql-3.23.56.ebuild;

Updates to notable packages

  • sys-apps/portage - portage-2.0.47-r10.ebuild;
  • x11-base/xfree - xfree-4.3.0-r1.ebuild;
  • sys-kernel/* - ac-sources-2.4.21_pre5-r3.ebuild; gaming-sources-2.4.20-r1.ebuild; lolo-sources-2.4.20.2_pre5.ebuild; mm-sources-2.5.64-r4.ebuild; mm-sources-2.5.64-r5.ebuild; mm-sources-2.5.64-r6.ebuild; wolk-sources-4.0_rc2.ebuild; wolk-sources-4.0_rc3.ebuild;
  • dev-db/mysql - mysql-4.0.11a-r1.ebuild;
  • app-admin/gentoolkit - gentoolkit-0.1.19-r3.ebuild;

New USE variables

  • lirc - Adds support for lirc (Linux's Infra-Red Remote Control)

7.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 275 new bugs this week
  • 294 bugs closed or resolved this week
  • 9 previously closed bugs were reopened this week.
  • 2161 total bugs currently marked 'new'
  • 465 total bugs currently marked as assigned to developers

There are currently 3001 bugs open in Bugzilla. Of these: 70 are marked 'blocker', 108 are marked 'critical', and 228 are marked 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

8.  Tips and Tricks

Using tmpfs

This week's tip shows you how to make use of tmpfs to speed up access time for small temporary files. Tmpfs simulates a filesystem by supporting normal reads and writes, but the files are stored in memory. This makes access much faster. Note that files stored in tmpfs are not saved between reboots. Also, tmpfs is only recommended for systems with large amounts of memory.

First make sure that tmpfs is enabled in your kernel.

Code Listing 8.1: Enabling tmpfs in the kernel

# cd /usr/src/linux
# make menuconfig
    Enable File Systems --> 
        [*] Virtual memory system support
        (Enable this option)

# make dep && make clean bzImage

(Make sure /boot is mounted before this step)
# cp /usr/src/linux/arch/i386/boot/bzImage /boot

/tmp is the most common place for temporary files. We will use tmpfs to mount /tmp.

Code Listing 8.2: Mounting /tmp with tmpfs

# mount -t tmpfs tmpfs /tmp

Now that /tmp is mounted, all you have to do is add the following to your /etc/fstab in order to have it load on boot.

Code Listing 8.3: Add the following line to your fstab file

tmpfs   /tmp    tmpfs   defaults    0 0
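
An added example, not part of the original tip: because tmpfs is backed by memory and /tmp is writable by every user, administrators commonly add nosuid, nodev and a size= cap to such an entry. The sketch below audits an fstab for those options; the policy, the function names and the 512m figure are assumptions.

```python
# Mount flags this added check looks for; the policy itself is an assumption.
REQUIRED_FLAGS = ("nosuid", "nodev")

# The entry from Code Listing 8.3, and a constructed stricter variant.
PAGE_LINE = "tmpfs   /tmp    tmpfs   defaults    0 0"
HARDENED = "tmpfs   /tmp    tmpfs   defaults,nosuid,nodev,size=512m    0 0"


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options) for each fstab entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) >= 4:
            yield fields[0], fields[1], fields[2], fields[3].split(",")


def audit_tmp(text, mountpoint="/tmp"):
    """Return the items missing from the tmpfs entry for mountpoint.

    Returns None when the fstab has no tmpfs entry for that mountpoint.
    """
    for _device, mnt, fstype, options in parse_fstab(text):
        if mnt == mountpoint and fstype == "tmpfs":
            missing = [flag for flag in REQUIRED_FLAGS if flag not in options]
            # Without size=, tmpfs defaults to a limit of half of physical RAM.
            if not any(opt.startswith("size=") for opt in options):
                missing.append("size=")
            return missing
    return None


if __name__ == "__main__":
    for label, line in (("page entry", PAGE_LINE), ("hardened entry", HARDENED)):
        print(label, "is missing:", audit_tmp(line))
```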

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week :-)

Adds

The following developers joined the Gentoo Linux team:

  • Felix De Vliegher (Popsickle) -- LiveCD, KDE
  • Philip Walls (malverian) -- media-gfx, distributed computing stuff
  • Matthew Rickard (frogger) -- ProPolice
  • Jeraimee Hughes (a.sleep) -- Gentoo Infrastructure

Changes

The following developers recently changed roles within the Gentoo project:

  • Mark Guertin (gerk) -- Retired as Gentoo/PPC Project Lead

10.  Contribute to GWN (Gentoo Weekly Newsletter)

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email

11.  GWN Feedback

Please send us your feedback and help make the GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:



Page updated 24 March 2003

Summary: This is the Gentoo Weekly Newsletter for the week of March 24th, 2003.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Kim Tingkaer
Contributor

Mathy Vanvoorden
Dutch Translation

Tom Van Laerhoven
Dutch Translation

Peter Dijkstra
Dutch Translation

Bernard Bernieke
Dutch Translation

Vincent Verleye
Dutch Translation

Jochen Maes
Dutch Translation

Ben De Groot
Dutch Translation

Jelmer Jaarsma
Dutch Translation

Nicolas Ledez
French Translation

Guillaume Plessis
French Translation

John Berry
French Translation

Martin Prieto
French Translation

Michael Kohl
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Thomas Raschbacher
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Daniel Ketel
Japanese Translation

Yoshiaki Hagihara
Japanese Translation

Andy Hunne
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Yasunori Fukudome
Japanese Translation

Ventura Barbeiro
Brazilian Portuguese Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Gustavo Felisberto
Portuguese (Portugal) Translation

Ricardo Jorge Louro
Portuguese (Portugal) Translation

Lanark
Spanish Translation

Rafael Cordones Marcos
Spanish Translation

Julio Castillo
Spanish Translation

Sergio Gómez
Spanish Translation

Pablo Pita Leira
Spanish Translation

Carlos Castillo
Spanish Translation

Tirant
Spanish Translation

Jaime Freire
Spanish Translation

Lucas Sallovitz
Spanish Translation

Copyright 2001-2014 Gentoo Foundation, Inc.