Gentoo Weekly Newsletter: December 23rd, 2002
Official Launch of the Gentoo Weekly Newsletter
Welcome to the inaugural issue of the Gentoo Weekly Newsletter.
The GWN was started as a way of giving the Gentoo community one source of
information about the Gentoo Linux project. The GWN will summarize issues
and discussions from the community, as well as major news items and
announcements, as well as security vulnerabilities, bugs and changes to the
Portage tree. As we gather feedback from the user community, we
will continue to add features and additional areas of coverage to the GWN,
with the ultimate goal being to make this newsletter your main source of
information about Gentoo Linux.
The GWN would not be possible without the contributions of various members
of the Gentoo community. We are actively seeking additional volunteers to
help make the GWN even better. Please see the end of this newsletter for
information about how you can help.
Gentoo Stable Project Announcement
Maik Schreiber writes:
In light of ~arch masking and the result of more and more ebuilds becoming
stacked on the "testing" pile without being removed from there, I took the
time to whip up a new web site that is designed to become a central point to
The result is a Web
site that lists each and every ebuild in the Portage tree. Using this
system, users can "mark" a package as running properly on their system. They
can also enter comments, such as "fails when using gcc 3.2.1" or other specific
information. The developers can then look at the marked packages and, when
they feel comfortable that enough users are marking a package as "stable",
remove the ~arch masking. With enough Gentoo users providing solid, consistent
feedback on the various ebuilds, this system will go a long way towards
reducing the number of "problem" ebuilds and improving the overall quality
of the Portage tree. Users are encouraged to participate and provide feedback
Portage Snafu Causes Confusion in the Community
Recently, an upgraded version of Portage was released (2.0.45-r6) that
contained a signficant bug causing gcc to hang when executed. As
one might guess, this caused a fair amount of confusion and problems within
the Gentoo Linux community. Fortunately, Seemant Kulleen (Gentoo Linux
Development Manager) was quick to post some instructions to solve the issues
and the new version of Portage was quickly rolled back to the older, stable
version. More importantly, this bug helped to identify the need for further
definition of the Portage release process to ensure that proper QA is enforced.
As a result, Daniel Robbins updated the Gentoo Linux Development
Policy with a new chapter dealing specifically with future releases of
Portage and informed all developers of this policy clarification.
CVSup Under Consideration as Replacement for rsync
There has been some discussion in the Gentoo developer community about
migrating away from Portage's dependency on rsync and instead utilizing
CVSup. Currently used in FreeBSD's
ports system, CVSup offers a few distinct advantages, as well as challenges,
Local changes will be preserved if you want them to, just like anoncvs.
Anyone who's ever had their package.mask file overwritten by an emerge
rsync will appreciate this feature.
CVSup is faster and more efficient than rsync. This means that CVSup can
improve the efficiency of our Portage mirroring system.
CVSup's threaded design allows for file transfer begin almost immediately,
unlike rsync which must build a complete file list first. Surprisingly,
CVSup uses the rsync algorithm (which is very efficient) internally to
synchronize individual files, but uses a better approach than rsync when
coordinating the updates of large numbers of files.
CVSup is written in Modula 3, which means that transitioning to CVSup will
require some non-trivial steps to ensure that we have proper Modula 3
support on all architectures.
CVSup also has the added psychological benefit of making FreeBSD users
feel more at home.
Policy for CVS Ebuilds in Gentoo
A recurrent theme in the Gentoo Linux community is the issue of CVS ebuilds
-- those ebuilds that install a CVS snapshot of software, or those that use
the cvs.eclass to install a "live" version of a CVS tree. These
ebuilds are popular for things like Phoenix nightly builds. Daniel Robbins has
updated the Gentoo Linux
Development Policy to reflect Gentoo's stance on CVS ebuilds (both
"snapshot" and "live") in the official Portage tree.
Exim has a format string bug in its daemon that permits a privileged admin
user to perform a root exploit.The exploit has been demonstrated.
- Severity: low - local root exploit available to exim admin user.
- Packages Affected: exim
- Rectification: Synchronize and emerge exim.
MySQL has two vulnerabilties, the first related to a heap overflow and the
other permitting writing nulls to arbitrary memory addresses. The
vulnerabilities permit a remote server crash exploit. No exploit currently
reported in the wild.
- Severity: moderate - DOS attack (server crash).
- Packages Affected: mysql
- Rectification: Synchronize and emerge mysql.
Squirrelmail exposes a cross-site scripting vulnerability that permits spoofed
information in input for filter_dir and mailbox. This permits an xss attack on
the site. A sample exploit has been published.
- Severity: moderate to high - permits remote scripting
- Packages Affected: squirrelmail
- Rectification: Synchronize and emerge squirrelmail.
Fetchmail has a buffer overflow in the default configuration that permits a
remote DOS or arbitrary code execution as the user fetchmail operates as.
No reported exploit in the wild.
Severity: high - remote exploitation by the fetchmail user (potentially
- Packages Affected: fetchmail
- Rectification: Synchronize and emerge fetchmail.
New Security Bug Reports
There are several recent new security bugs posted to bugzilla. Links to the
pertinent bugs are found below:
Heard In The Community
Glibc 2.3 stable and painfree
For a week it looked as if compiling the freshly unmasked glibc 2.3 free of
errors was like winning in a lottery. Now things are definitely looking up,
entertaining thread has been made unsticky, and the general sentiment
seems to be that less aggressive compiler flags may well be the only
thing you need to do to make it happen.
There has been much discussion on the use of distcc with Gentoo. Given that Gentoo is
a "compile-from-source" distribution, distributed compiles would
greatly speed up installation times. However, distcc also has some problems
that many alert Gentoo users have pointed out.
The following threads reference distcc and its uses:
Gentoo HURD? Gentoo Mach? Gentoo BSD?
The idea of a non-Linux kernel as an additional Gentoo variant has occasionally
popped up in the forums before, but the past two weeks have seen a remarkable
boost of popularity for the HURD and other microkernels. These threads mostly
deal with the question whether there should be a Gentoo HURD or not, but the
top one includes an interesting discussion of the underlying microkernel
Rainer Groesslinger noted his worries on the current condition of Gentoo
'stable'. To most, it appears that Gentoo's stable branch is veering in the
direction of Debian; stable, yet immensley outdated. While this may be desirable
for certain production servers, it leaves desktop users in the dust. Rod Roark
implies that because Gentoo is source-centered, it has the ability to quickly
implement package upgrades. Why then is the 'latest and greatest' stable version
of Mozilla 1.2.1 not in Gentoo's stable branch? A solution hasn't been reached,
however everyone involved agrees that using
is a good start. If you haven't already, please familarize yourself with the
'Gentoo Linux Stable' site.
The Right Stuff
For those of you who aren't sure if you've "perfected" your system,
Bruce Nourish posted an excellent response to a question about cron
and log daemons. After all, it is the flexibility that Gentoo encourages
which sets it apart from its more mundane competitors. In short, he recommends
dcron and syslog-ng. Find out why by following this
Portage and Quality Assurance.
The portage-2.0.45-r6 ebuild contains a bug that
prevents it from working when installed. Some users expressed that
new versions of Portage, as a fundamental part of
the Gentoo infrastructure, should go through a more strict
quality assurance (QA) process before allowing users to
emerge it. Daniel Robbins (Chief Architect of Gentoo Linux)
posted his view of
New MIPS Gentoo Port Effort Started.
Nicholas Wourms wrote a
call for participants in a new effort to port
Gentoo to the MIPS architecture. "[...] I've
been working on it over the last few days. I've almost
finished getting a netboot and cd image prepared, after
which I plan to start working on ebuilds. So, I wanted to
test the waters and see if anyone with a MIPS box (not PS/2)
was interested in helping and/or testing this once I have it
ready.". Looks like
Jeff Utter posted a similar
call six months ago!
Suggested Improvement for Portage.
Stefano Peluchetti filed a
in which he proposes a
new functionality in Portage that will allow
emerge -p package_name to output not only information
about the dependencies of a given package
but also the use flags that affect the compilation of the
package and its dependencies! Anyone dare to implement it? ;-)
Quite Literally: Phoenix From the Ashes
The computer center and networking at the University of Twente in the
Netherlands were almost totally consumed by a fire that raged through a
building on campus four weeks ago. It took the admins a while to restore
everything, but they finally have all network services up and running again,
including a comparatively powerful Gentoo rsync mirror, reports The DJ, not
entirely displeased with the fact that they now have brand new hardware
to base their FTP servers on...
Figure 5.1: An arsonist set fire to this building on campus
Portage, Ports and Other Packagers...
When it comes to Unix vs. Linux, Japan is one of the rare countries
where BSD may have a significant headstart. Last Wednesday, Japanese
Gentoo evangelist Masatomo Nakano
bravely stepped into the lion's den and confronted about 100 participants
at the annual Japan Unix Society's (JUS) BSD/Linux Day in Yokohama. One of
this year's topics were application packagers for Unix and Linux: Debian's
dpkg, Red Hat's rpm, FreeBSD's ports, and Gentoo's portage. "It was relatively
easy to make them comprehend what portage is about, because so many people here
are FreeBSD users", says Nakano, hoping his intervention on the panel will help
Gentoo conquer some of the ground largely occupied by Berkeley
derivatives, rather than "Lainacks" - as local BSD zealots deliberately
mispronounce it. In a Linux market otherwise dominated by local(ized)
distributions like Turbolinux, Plamo and Kondara (reputedly reborn as
Momonga Linux), Nakano pledges to continue increasing the popularity of
Gentoo Linux in Japan. Japan's Gentoo user community has moved ahead one
important step on this path with the grand opening of a brand new website,
http://www.gentoo.gr.jp, earlier this month.
Security Updates (see above)
- exim - fixed in exim-4.10 and above
- mysql - fixed in mysql-3.23.54 and above
- squirrelmail - fixed in squirrelmail-1.2.10 and above
- fetchmail - fixed in fetchmail-6.20 and above
The following stable packages were added to the portage tree this week
Updates to notable packages
- Portage - portage-2.0.46-r2
Kernels - ac-sources-2.4.20-r2; acpi-sources-2.4.20-r9;
- mysql - mysql-3.23.54a
New use variables
- acpi - Adds support for Advanced Configuration and Power Interface
apache2 - Chooses Apache2 support when a package supports both Apache1 and
gps - Adds support for Global Positioning System
oav - Adds support for anti-virus from the openantivirus.org project
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development
team. In the last 7 days, activity on the site has resulted in:
- 224 new bugs this week
- 1150 total bugs currently marked 'new'
- 559 total bugs curently assigned to developers
- 50 bugs that were previously closed have been reopened.
There are currently 1759 bugs open in bugzilla. Of these: 28 are labelled
'blocker', 71 are labelled 'critical', and 103 are labelled 'major'.
The developers and teams with the highest apparent bug-related workload are:
Please lend them (and the entire development team) your good thoughts, spare
karma and ongoing support.
Bugs of Note
Each week, we will single out a few bugs for special mention, because they have
been provoking significant discussions, they are particularly problematic, they
are amusing or simply because they struck our fancy. This week's featured bugs
are (in no particular order):
Bug 5902 is
a discussion about security concerns around running emerge as root, and
ways to make it work as an unprivileged user process.
which was a problem with the daily snapshots not updating that was
provoking some conversation in the forums, is apparently resolved or about
to be so.
about a new MPlayer ebuild to support QuickTime/Sorenson, has been seeing
a remarkable amount of traffic - possibly due to the release of LOTR
discusses problems with the Mozilla-1.2.1 ebuild and plugin support.
Bug 8067 was
a problem with the absence of PCMCIA support on the 1.4 install disk, which
has been resolved.
discusses how to resolve a portage failure after syncing using the
If you have a pet bug that you feel is not getting the care and attention that
it deserves, please drop us a note. We can't guarantee that it will make next
week's list, but we can guarantee that it will be considered.
Tips and Tricks
Manually resetting a service
Have you ever tried to restart a crashed service and gotten the
following error message?
Code Listing 8.1: Error message
* WARNING: service name has already been started
If so, you can manually reset the service with the following command
Code Listing 8.2: Restarting the service
# /etc/init.d/service name zap
Moves, Adds and Changes
The following devs recently left the Gentoo team:
The following devs recently joined the Gentoo team:
- John Christian Stoddart (chiguire) -- Documentation
- Thomas Raschbacher (LordVan) -- Python/Printing
- Troy Dack (TaD) -- Testing and Tweaking
- Jon Portnoy (avenj) -- ICC-based profile for Gentoo
- Peter Brown (rendhalver) -- XEmacs
The following devs recently changed roles or took on new responsibilities
within the Gentoo project:
- Sascha Schwabbauer (cybersystem) -- Mail Admin, rsync Admin
- John Davis (ZhEN) -- Bugzilla
Subscribe to the GWN mailing list
Would you prefer to receive the GWN via email? Subscribe to our mailing list
by sending a blank email to email@example.com
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email
Please send us your feedback and
help make GWN better.