
Gentoo Weekly Newsletter: December 23rd, 2002

Content:

1.  Official Launch of the Gentoo Weekly Newsletter

Welcome to the inaugural issue of the Gentoo Weekly Newsletter.

The GWN was started as a way of giving the Gentoo community one source of information about the Gentoo Linux project. The GWN will summarize issues and discussions from the community, major news items and announcements, security vulnerabilities, bugs and changes to the Portage tree. As we gather feedback from the user community, we will continue to add features and additional areas of coverage to the GWN, with the ultimate goal being to make this newsletter your main source of information about Gentoo Linux.

The GWN would not be possible without the contributions of various members of the Gentoo community. We are actively seeking additional volunteers to help make the GWN even better. Please see the end of this newsletter for information about how you can help.

2.  Gentoo News

Summary

Gentoo Stable Project Announcement

Maik Schreiber writes:

In light of ~arch masking and the result of more and more ebuilds becoming stacked on the "testing" pile without being removed from there, I took the time to whip up a new web site that is designed to become a central point to remedy that.

The result is a Web site that lists each and every ebuild in the Portage tree. Using this system, users can "mark" a package as running properly on their system. They can also enter comments, such as "fails when using gcc 3.2.1" or other specific information. The developers can then look at the marked packages and, when they feel comfortable that enough users are marking a package as "stable", remove the ~arch masking. With enough Gentoo users providing solid, consistent feedback on the various ebuilds, this system will go a long way towards reducing the number of "problem" ebuilds and improving the overall quality of the Portage tree. Users are encouraged to participate and provide feedback to Maik.

Portage Snafu Causes Confusion in the Community

Recently, an upgraded version of Portage was released (2.0.45-r6) that contained a significant bug causing gcc to hang when executed. As one might guess, this caused a fair amount of confusion and problems within the Gentoo Linux community. Fortunately, Seemant Kulleen (Gentoo Linux Development Manager) was quick to post some instructions to solve the issues and the new version of Portage was quickly rolled back to the older, stable version. More importantly, this bug helped to identify the need for further definition of the Portage release process to ensure that proper QA is enforced. As a result, Daniel Robbins updated the Gentoo Linux Development Policy with a new chapter dealing specifically with future releases of Portage and informed all developers of this policy clarification.

CVSup Under Consideration as Replacement for rsync

There has been some discussion in the Gentoo developer community about migrating away from Portage's dependency on rsync and instead utilizing CVSup. Currently used in FreeBSD's ports system, CVSup offers a few distinct advantages, as well as challenges, over rsync:

  • Local changes will be preserved if you want them to, just like anoncvs. Anyone who's ever had their package.mask file overwritten by an emerge rsync will appreciate this feature.
  • CVSup is faster and more efficient than rsync. This means that CVSup can improve the efficiency of our Portage mirroring system.
  • CVSup's threaded design allows file transfers to begin almost immediately, unlike rsync, which must build a complete file list first. Surprisingly, CVSup uses the rsync algorithm (which is very efficient) internally to synchronize individual files, but uses a better approach than rsync when coordinating the updates of large numbers of files.
  • CVSup is written in Modula 3, which means that transitioning to CVSup will require some non-trivial steps to ensure that we have proper Modula 3 support on all architectures.
  • CVSup also has the added psychological benefit of making FreeBSD users feel more at home.

Policy for CVS Ebuilds in Gentoo

A recurrent theme in the Gentoo Linux community is the issue of CVS ebuilds -- those ebuilds that install a CVS snapshot of software, or those that use the cvs.eclass to install a "live" version of a CVS tree. These ebuilds are popular for things like Phoenix nightly builds. Daniel Robbins has updated the Gentoo Linux Development Policy to reflect Gentoo's stance on CVS ebuilds (both "snapshot" and "live") in the official Portage tree.

3.  Gentoo Security

Summary

GLSA: exim

Exim has a format string bug in its daemon that permits a privileged admin user to perform a root exploit. The exploit has been demonstrated.

  • Severity: low - local root exploit available to exim admin user.
  • Packages Affected: exim
  • Rectification: Synchronize and emerge exim.
  • GLSA Announcement

GLSA: mysql

MySQL has two vulnerabilities, the first related to a heap overflow and the other permitting writing nulls to arbitrary memory addresses. The vulnerabilities permit a remote server crash exploit. No exploit currently reported in the wild.

  • Severity: moderate - DoS attack (server crash).
  • Packages Affected: mysql
  • Rectification: Synchronize and emerge mysql.
  • GLSA Announcement
  • Advisory

GLSA: squirrelmail

Squirrelmail exposes a cross-site scripting vulnerability that permits spoofed information in input for filter_dir and mailbox. This permits an XSS attack on the site. A sample exploit has been published.

  • Severity: moderate to high - permits remote scripting
  • Packages Affected: squirrelmail
  • Rectification: Synchronize and emerge squirrelmail.
  • GLSA Announcement
  • Advisory

GLSA: fetchmail

Fetchmail has a buffer overflow in the default configuration that permits a remote DoS or arbitrary code execution as the user fetchmail operates as. No reported exploit in the wild.

  • Severity: high - remote exploitation by the fetchmail user (potentially root).
  • Packages Affected: fetchmail
  • Rectification: Synchronize and emerge fetchmail.
  • GLSA Announcement
  • Advisory

New Security Bug Reports

There are several recent new security bugs posted to bugzilla. Links to the pertinent bugs are found below:

4.  Heard In The Community

Web Forums

Glibc 2.3 stable and painfree

For a week it looked as if compiling the freshly unmasked glibc 2.3 free of errors was like winning in a lottery. Now things are definitely looking up, the highly entertaining thread has been made unsticky, and the general sentiment seems to be that less aggressive compiler flags may well be the only thing you need to do to make it happen.

Distributed Compiling

There has been much discussion on the use of distcc with Gentoo. Given that Gentoo is a "compile-from-source" distribution, distributed compiles would greatly speed up installation times. However, distcc also has some problems that many alert Gentoo users have pointed out.

The following threads reference distcc and its uses:

Gentoo HURD? Gentoo Mach? Gentoo BSD?

The idea of a non-Linux kernel as an additional Gentoo variant has occasionally popped up in the forums before, but the past two weeks have seen a remarkable boost of popularity for the HURD and other microkernels. These threads mostly deal with the question whether there should be a Gentoo HURD or not, but the top one includes an interesting discussion of the underlying microkernel architecture.

gentoo-user

Gentoo 'Stable'

Rainer Groesslinger noted his worries on the current condition of Gentoo 'stable'. To most, it appears that Gentoo's stable branch is veering in the direction of Debian: stable, yet immensely outdated. While this may be desirable for certain production servers, it leaves desktop users in the dust. Rod Roark implies that because Gentoo is source-centered, it has the ability to quickly implement package upgrades. Why then is the 'latest and greatest' stable version of Mozilla 1.2.1 not in Gentoo's stable branch? A solution hasn't been reached; however, everyone involved agrees that using http://gentoo-stable.iq-computing.de/ is a good start. If you haven't already, please familiarize yourself with the 'Gentoo Linux Stable' site.

The Right Stuff

For those of you who aren't sure if you've "perfected" your system, Bruce Nourish posted an excellent response to a question about cron and log daemons. After all, it is the flexibility that Gentoo encourages which sets it apart from its more mundane competitors. In short, he recommends dcron and syslog-ng. Find out why by following this thread.

gentoo-dev

Portage and Quality Assurance.

The portage-2.0.45-r6 ebuild contains a bug that prevents it from working when installed. Some users expressed that new versions of Portage, as a fundamental part of the Gentoo infrastructure, should go through a more strict quality assurance (QA) process before allowing users to emerge it. Daniel Robbins (Chief Architect of Gentoo Linux) posted his view of this incident.

New MIPS Gentoo Port Effort Started.

Nicholas Wourms wrote a call for participants in a new effort to port Gentoo to the MIPS architecture. "[...] I've been working on it over the last few days. I've almost finished getting a netboot and cd image prepared, after which I plan to start working on ebuilds. So, I wanted to test the waters and see if anyone with a MIPS box (not PS/2) was interested in helping and/or testing this once I have it ready." Looks like Jeff Utter posted a similar call six months ago!

Suggested Improvement for Portage.

Stefano Peluchetti filed a bug in which he proposes a new functionality in Portage that will allow emerge -p package_name to output not only information about the dependencies of a given package but also the use flags that affect the compilation of the package and its dependencies! Anyone dare to implement it? ;-)

5.  International Gentoo

Quite Literally: Phoenix From the Ashes

The computer center and networking at the University of Twente in the Netherlands were almost totally consumed by a fire that raged through a building on campus four weeks ago. It took the admins a while to restore everything, but they finally have all network services up and running again, including a comparatively powerful Gentoo rsync mirror, reports The DJ, not entirely displeased with the fact that they now have brand new hardware to base their FTP servers on...


Figure 5.1: An arsonist set fire to this building on campus


Portage, Ports and Other Packagers...

When it comes to Unix vs. Linux, Japan is one of the rare countries where BSD may have a significant headstart. Last Wednesday, Japanese Gentoo evangelist Masatomo Nakano bravely stepped into the lion's den and confronted about 100 participants at the annual Japan Unix Society's (JUS) BSD/Linux Day in Yokohama. One of this year's topics was application packagers for Unix and Linux: Debian's dpkg, Red Hat's rpm, FreeBSD's ports, and Gentoo's portage. "It was relatively easy to make them comprehend what portage is about, because so many people here are FreeBSD users", says Nakano, hoping his intervention on the panel will help Gentoo conquer some of the ground largely occupied by Berkeley derivatives, rather than "Lainacks" - as local BSD zealots deliberately mispronounce it. In a Linux market otherwise dominated by local(ized) distributions like Turbolinux, Plamo and Kondara (reputedly reborn as Momonga Linux), Nakano pledges to continue increasing the popularity of Gentoo Linux in Japan. Japan's Gentoo user community has moved ahead one important step on this path with the grand opening of a brand new website, http://www.gentoo.gr.jp, earlier this month.

6.  Portage Watch

Security Updates (see above)

  • exim - fixed in exim-4.10 and above
  • mysql - fixed in mysql-3.23.54 and above
  • squirrelmail - fixed in squirrelmail-1.2.10 and above
  • fetchmail - fixed in fetchmail-6.20 and above

The following stable packages were added to the portage tree this week

Updates to notable packages

  • Portage - portage-2.0.46-r2
  • Kernels - ac-sources-2.4.20-r2; acpi-sources-2.4.20-r9; ck-sources-2.4.20-r2; development-sources-2.5.52; lolo-sources-2.4.20.1_pre5; sparc-sources-2.4.21_pre1; win4lin-sources-2.4.20-r1
  • mysql - mysql-3.23.54a

New use variables

  • acpi - Adds support for Advanced Configuration and Power Interface
  • apache2 - Chooses Apache2 support when a package supports both Apache1 and Apache2
  • gps - Adds support for Global Positioning System
  • oav - Adds support for anti-virus from the openantivirus.org project

7.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 224 new bugs this week
  • 1150 total bugs currently marked 'new'
  • 559 total bugs currently assigned to developers
  • 50 bugs that were previously closed have been reopened.

Note: There are currently 1759 bugs open in bugzilla. Of these: 28 are labelled 'blocker', 71 are labelled 'critical', and 103 are labelled 'major'.

The developers and teams with the highest apparent bug-related workload are:

Please lend them (and the entire development team) your good thoughts, spare karma and ongoing support.

Bugs of Note

Each week, we will single out a few bugs for special mention, because they have been provoking significant discussions, they are particularly problematic, they are amusing or simply because they struck our fancy. This week's featured bugs are (in no particular order):

  • Bug 5902 is a discussion about security concerns around running emerge as root, and ways to make it work as an unprivileged user process.
  • Bug 9946, which was a problem with the daily snapshots not updating that was provoking some conversation in the forums, is apparently resolved or about to be so.
  • Bug 11136, about a new MPlayer ebuild to support QuickTime/Sorenson, has been seeing a remarkable amount of traffic - possibly due to the release of LOTR trailers.
  • Bug 11473 discusses problems with the Mozilla-1.2.1 ebuild and plugin support.
  • Bug 8067 was a problem with the absence of PCMCIA support on the 1.4 install disk, which has been resolved.
  • Bug 10578 discusses how to resolve a portage failure after syncing using the rescue portage.

If you have a pet bug that you feel is not getting the care and attention that it deserves, please drop us a note. We can't guarantee that it will make next week's list, but we can guarantee that it will be considered.

8.  Tips and Tricks

Manually resetting a service

Have you ever tried to restart a crashed service and gotten the following error message?

Code Listing 8.1: Error message

* WARNING: service name has already been started

If so, you can manually reset the service with the following command, replacing service name with the name of the service's init script:

Code Listing 8.2: Restarting the service

# /etc/init.d/service name zap

9.  Moves, Adds and Changes

Moves

The following devs recently left the Gentoo team:

  • Zach Welch (zwelch)

Adds

The following devs recently joined the Gentoo team:

  • John Christian Stoddart (chiguire) -- Documentation
  • Thomas Raschbacher (LordVan) -- Python/Printing
  • Troy Dack (TaD) -- Testing and Tweaking
  • Jon Portnoy (avenj) -- ICC-based profile for Gentoo
  • Peter Brown (rendhalver) -- XEmacs

Changes

The following devs recently changed roles or took on new responsibilities within the Gentoo project:

  • Sascha Schwabbauer (cybersystem) -- Mail Admin, rsync Admin
  • John Davis (ZhEN) -- Bugzilla

10.  Subscribe to the GWN mailing list

Would you prefer to receive the GWN via email? Subscribe to our mailing list by sending a blank email to gentoo-gwn-subscribe@gentoo.org

11.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

12.  GWN Feedback

Please send us your feedback and help make GWN better.




Page updated 23 Dec 2002

Summary: This is the Gentoo Weekly Newsletter for the week of December 23rd, 2002.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Lanark
Spanish Translation


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.