Gentoo Weekly Newsletter: December 30th, 2002
1. Gentoo News
Gentoo to be at LinuxWorld Expo in January
Daniel Robbins and other members of the Gentoo Linux team will be at LinuxWorld Expo January 22nd-24th
in New York City. They will be manning booth #8 at the .org pavilion and
hope to have an impressive display of graphics hardware showing off Gentoo
Linux. If you're in the area, stop by and show your support for Gentoo Linux!
Gentoo Linux 1.4 Release Schedule and Feature Update
Daniel Robbins recently announced the planned Release Schedule for Gentoo
1.4_rc3, which will hopefully be released as Gentoo 1.4_final. While the
Release Schedule is subject to change based on bugs and user feedback, the
current release date is planned for January 14, 2003, just in time for Linux World 2003 in New York. New
for Gentoo is a more formal release process, comprised of five main stages
that take the 1.4_rc3/1.4_release candidate through a testing and QA process
that should improve the quality and stability of the final system.
1.4_final will take the improvements introduced in rc1 and rc2 and also add:
- Fully integrated Xft2 support
- New baselayout to remove dependency on tmpfs
- Expanded GRP package set
- Integrated optional prelink support
As this release makes its way through the Release Schedule process, the
quality and stability of this version will determine whether it receives
the "1.4_final" designation. As with any unreleased product, features and
dates may change as we get closer to the deadline.
Gentoo Linux 1.4_rc2 to be Released on December 31st
The last release candidate prior to the final version of Gentoo Linux 1.4 is
scheduled to be released on December 31st. As several Gentoo users have
already discovered, most of the 1.4_rc2 files have already been placed on
ibiblio.
Last minute additions to rc2 not ready at press time included some finishing
touches to the installation CDs (LiveCDs) and documentation. New to the
1.4_rc2 release are:
- The first release of the Gentoo Reference Platform (GRP) -- a collection
  of ebuilds specifically tested for stability.
- New LiveCDs with increased hardware support, better technology and more
  eye candy.
- Upgraded versions of gcc, binutils, portage and many other packages.
Users interested in living on the bleeding edge can see the new LiveCD
technology in action by trying out one of the experimental LiveCDs.
New Kernel Development Strategy
Daniel Robbins recently proposed a new kernel development strategy for Gentoo
Linux, with the main goals being to improve hardware support and stability of
the kernels used in the Gentoo project. As part of this strategy, Gentoo
would leverage many of the hardware patches that make their way into the Red
Hat kernel tree since most hardware vendors seek out Red Hat as their
primary/only Linux partner. In addition to taking advantage of the improved
hardware support in the Red Hat kernel source tree, Gentoo users would also
benefit from additional features and functionality not normally found
in the Red Hat kernel, including XFS, EVMS and Win4Lin, as well as others.
Furthermore, the focus of gentoo-sources and xfs-sources would likely diverge
somewhat, with gentoo-sources focusing more on high performance and xfs-sources
intent on maximum hardware compatibility and kernel functionality.
New Formal Release Schedule Process
As part of the 1.4 release process, Daniel Robbins proposed a formal Release
Schedule to ensure that the entire Gentoo development team knows what the
process and schedule is for future releases. Key to the new policy is the
migration away from one single "release manager", with one person in charge of
everything, to more of a "release process" whereby the entire development team
helps manage the release, based on one set of common instructions. At a high
level, the new Release Schedule consists of 5 main steps:
- Initial Decision -- The actual decision to release a new version of
  Gentoo Linux.
- Package Upgrades Phase -- A period of time (generally 14 days) where the
  developers focus on moving packages from an unstable (masked) state to a
  stable (unmasked) state.
- Build and Test -- Assigned builders for each architecture build a
  "generic CPU" set of stage tarballs using a current Portage snapshot.
- Release Build and Test -- A full-scale, distributed build effort begins
  to build the full new Gentoo Linux release or release candidate including
  GRP package sets.
- Release -- The new version of Gentoo Linux is released to the Gentoo
  community.
2. Gentoo Security
GLSA: openldap
Several buffer overflows and other bugs exist that could allow remote
attackers to gain access to systems running vulnerable LDAP servers.
- Severity: high - potential remote execution of arbitrary code.
- Packages Affected: openldap-2.0.25-r2
- Rectification: Synchronize and emerge cyrus-sasl.
- GLSA Announcement
- Advisory
GLSA: cyrus-imapd
Cyrus' Sieve implementation contains a couple of classic string based
buffer overflows in script parsing code. Anyone who can execute Sieve
scripts can exploit these bugs. Versions up to libSieve 2.1.2 and
Cyrus IMAP 2.1.10 are affected.
- Severity: high - potential remote execution of arbitrary code.
- Packages Affected: cyrus-imapd 2.1.10 and earlier
- Rectification: Synchronize and emerge cyrus-imapd.
- GLSA Announcement
- Advisory
GLSA: cyrus-sasl
Insufficient buffer length checking in user name canonicalization may allow
an attacker to execute arbitrary code on servers using the Cyrus SASL library.
- Severity: high - potential remote execution of arbitrary code.
- Packages Affected: cyrus-sasl 2.1.9
- Rectification: Synchronize and emerge cyrus-sasl.
- GLSA Announcement
- Advisory
GLSA: KDE-3.0.x
KDE-3.0.x sometimes fails to quote command parameters in calls to the shell.
This means that carefully crafted emails and web pages may permit the
attacker to pass arbitrary commands using the victim's system privileges.
Exploits are known to exist.
- Severity: high - potential remote execution of arbitrary code under victim's privileges.
- Packages Affected: kde-3.0.4 and earlier in the kde-3.x series.
- Rectification: Synchronize and emerge kde.
- GLSA Announcement
- Advisory
GLSA: canna
The canna server versions 3.6 and earlier expose a heap overflow that permits
a remote exploit that has been demonstrated, but not reported in the wild.
In addition, the same server versions fail to validate some request cases.
- Severity: moderate to high - DOS attack and information exposure,
  remote exploit permits execution with same privileges as the canna server.
- Packages Affected: canna-3.6
- Rectification: Synchronize and emerge canna.
- GLSA Announcement
- Advisory
GLSA: wget
Wget could permit a malicious ftp site operator to overwrite certain key files
and potentially gain privileges on the target computer through replacing
executable files. No cases in the wild have been reported.
- Severity: moderate - DOS and remote exploit mitigated by requirement for
  victim participation.
- Packages Affected: wget-1.8.2-r1 and earlier
- Rectification: Synchronize and emerge wget.
- GLSA Announcement
GLSA: perl
Perl's Safe module (Safe.pm) exposes a potential vulnerability in that, if a
safe compartment is reused it is no longer safe (due to an inability to alter
operation masks).
- Severity: moderate - somewhat obscure and requires code that reuses safe
  compartments.
- Packages Affected: perl-5.8.0-r5 and earlier
- Rectification: Synchronize and emerge perl or (less drastic) emerge Safe.
- GLSA Announcement
- Advisory
New Security Bug Reports
The past week has not seen any significant new security bugs posted to
bugzilla. Therefore, we will use this section to provide a summary of
currently open security bugs on the system (we should note that most of
these 'bugs' have been fixed in packages that are currently in testing,
and could be unmasked and emerged now):
3. Heard In The Community
Web Forums
Forums Crashed - Back Online
Nitro writes
that the Forum's backbone, the MySQL server that makes the phpBB surface
ripple, was unreachable on Christmas Eve (probably out having an eggnog
somewhere warm and cozy). The downtime was caused when a new server being
brought online crashed. Things have since been migrated back to the old
server and the new server is undergoing further stress testing. Fortunately,
nothing has gone missing, the entire database has been restored, and only
those few people who created new accounts during the brief period of downtime
will have to do so again.
Dual boot alert!
People have been unwrapping their Christmas presents, and this may well be the
reason behind the current wave of dual boot configurations reflected in the
forums. This at least is the impression one gets from the sudden flurry of
activity documented in the threads listed below. For people planning on
setting up Gentoo in a dual configuration with a legacy operating system,
these are as good a place as any to start from:
Gentoo Linux Users Everywhere
What is one to do with an optimized Gentoo system after all the emerging is
done? Several active topics have formed as centers for the organization of
Gentoo teams for such diverse distributed computing projects as SETI@home,
distributed.net's RC-5-72, Folding@home, and ClimatePrediction.Net. Properly
niced (nice is used to run a program with modified scheduling priority), clients
for these projects can use systems' spare CPU cycles, doing (potentially)
constructive work without any adverse effect on performance. The SETI@home
team is currently the largest, with 85 users from all over the world
and a whopping 76 CPU years, but the Folding@home
team is quite active as well. For more information about setting up the
clients, joining the teams, and the effects of SETI@home participation on one
enthusiastic user's electric bill, among other things, see the following
threads:
gentoo-user
Gentoo vs. FreeBSD
Portage, Gentoo's package management system, undoubtedly resembles the
ports system found in FreeBSD. So, which is better? Gentoo advocates will argue
that newer is of course better, as exemplified by evolution. FreeBSD loyalists
remind us of Marlon Brando in the Godfather, things were better back then.
Truthfully it would be silly to draw such simple conclusions. Charles Burns
posted an excellent
response
comparing the two different OSes. When it comes to desktops
or less popular hardware, there is no substitute for Gentoo.
Don't fear the downgrade
Every once in a while an emerge preview will notify you that it is going
to downgrade an important package. For instance, emerging edb may
downgrade freetype, instilling an instant fear of losing those good looking
fonts. Fear not. Many packages coexist happily with each other and the newer
versions will not be removed after the 'downgrade'. For example, Glib2 and Glib1
also behave well on the same system. Jean Smith has posted a
suggestion
that will hopefully clear up this confusion.
gentoo-dev
Final Release of Gentoo?
M. Zuelsdorff
wrote to say:
"I am following the discussion in the gentoo-dev group
for more than a year now. All I see is "a problem with this"
and "a problem with that". Some days
ago, something even appeared to be "really fucked up". My
question: When do you expect Gentoo to become a final
usable release?"
Most of the answers in the thread agreed that human
nature might play some role here and make us take time
to complain more often than we do to say things work for us.
Arthur Britto chipped in with:
"You've just highlighted one of the biggest problems
with Gentoo: manual problem discovery and resolution.
When a package breaks, someone must
(1) manually discover it, (2) search mailing lists
for Gentoo and the application, (3) search the forums
for Gentoo and the application, (4) attempt reasonable
diagnostics to insure the problem is not just with
their system, (5) if they are competent they might
try to solve the problem, and (6) share their problem
with the community." Finally, Daniel Robbins
(Chief Architect of Gentoo Linux) closed the thread with
the steps
being taken in order to improve quality control.
USE Flags Selector.
John Nilsson wrote an
e-mail
in which he expressed his interest in writing an interface for selecting USE
flags and GCC flags. Turns out, this interface already exists in the form of
ufed and
kportage.
But, as always, with free software, there is
room for improvements! ;-)
4. Gentoo International
Yet Another French Linux Documentation
The French Gentoo community is
very excited
about a brand new Linux installation and configuration guide by Christian
Casteyde. Not exactly built to order for Gentooists (he appears to be a SuSE
and Slackware man himself), it is a very extensive and up-to-date documentation,
with a strong emphasis on additional features of XFree86 4.x and kernel 2.4.x.
He calls it Yet
Another "Guide d'Installation de Linux", or YAGIL, and it certainly looks
like enough of a reason to brush up your French.
Gentoo Shinnenkai - New Year's Party at Gentoo-JP...
In what can only be called an effort at Doing The Right Thing, the Japanese
Gentoo activists have agreed on a date for the first get-together of the year
2003. With the precise location still to be announced, all of Japan's Gentoo
users and developers present in Tokyo on that date will meet on 17 January
2003, starting at 19:00. The easiest way to tell them you're coming is
probably the IRC channel, #gentoo-ja on irc.freenode.net, or you can drop a
mail to the organizers.
5. Portage Watch
Security Updates (see above)
- openldap - fixed in openldap-2.0.27 and above
- cyrus-imapd - fixed in cyrus-imapd-2.1.11 and above
- cyrus-sasl - fixed in cyrus-sasl-2.1.10 and above
- Perl - fixed in perl-5.6.10-r10 / perl-5.8.0-r6 and above
- wget - fixed in wget-1.8.2-r2 and above
- canna - fixed in canna-3.6-r1 and above
- kde-3.0.x - fixed in kde-3.0.5a and above
The following stable packages were added to portage this week
Updates to notable packages
- sys-apps/portage - portage-2.0.47_pre1.ebuild; portage-2.0.47_pre2.ebuild;
- kde-base/kde - kde-3.0.5a.ebuild;
- sys-kernel/* - development-sources-2.5.53.ebuild;
  lolo-sources-2.4.20.1_pre6.ebuild; lolo-sources-2.4.20.1_pre7.ebuild;
  lolo-sources-2.4.20.1_pre8.ebuild; openmosix-sources-2.4.20-r1.ebuild;
  usermode-sources-2.4.19-r36.ebuild; usermode-sources-2.4.19-r37.ebuild;
  usermode-sources-2.4.19-r38.ebuild; usermode-sources-2.4.19-r39.ebuild;
  usermode-sources-2.4.19-r40.ebuild; xfs-sources-2.4.20_pre1.ebuild;
  xfs-sources-2.4.20_pre2.ebuild;
- sys-devel/perl - perl-5.8.0-r7.ebuild;
6. Bugzilla
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development
team. In the last 7 days, activity on the site has resulted in:
- 190 new bugs this week
- 1166 total bugs currently marked 'new'
- 535 total bugs currently assigned to developers
- 54 bugs that were previously closed have been reopened.
There are currently 1755 bugs open in bugzilla. Of these: 29 are labelled
'blocker', 74 are labelled 'critical',
and 104 are labelled 'major'.
The developers and teams with the highest apparent bug-related workload are:
Please lend them (and the entire development team) your best wishes,
toothbrush and continuing support.
Bugs of Note
Each week, we will single out a few bugs for special mention, because they
have been provoking significant discussions, they are particularly
problematic, they are amusing or simply because they struck our fancy.
This week's featured bugs are (in no particular order):
- Bug 9459 discusses apparent problems with intermittent file corruption
  after incorrect shutdowns on ReiserFS using Gentoo-Sources.
- Bug 12537 discusses problems with the latest baselayout changing the gid
  of smmsp - which provokes problems with sendmail.
- Bug 8324 critiques the lack of a keyboard language select (for non-US
  keyboards) in the 1.4 install CD release candidate. Daniel Robbins has
  indicated that this will be resolved by the final release.
- Bug 11384 discusses a problem compiling glibc using -march=pentium4. The
  issue is apparently inherent in the current gcc code, so it cannot be
  fixed. However, the bug is an excellent example of interaction between
  the reporter and the developer.
- Bug 9633 indicates a problem with booting the 1.4 install CD release
  candidate on certain architectures (Fujitsu P2000) without the ability to
  specify boot parameters. Apparently, the resolution may require a
  modification to the install kernel, which seems likely.
7. Tips and Tricks
Getting information about installed packages
New Gentoo users often ask how to get a list of installed packages from the
Portage tree, but what many of those who give answers might not know
is the abundance of tools that can be used to do so. From Portage's pkglist,
the gentoolkit's qpkg and epm (an rpm work-alike), to walking the /var/db/pkg/
directory structure yourself, there are definitely quite a few choices.
Here are two ways to list all installed packages, first using pkglist (found
in /usr/lib/portage/bin/, which is often not in $PATH), the second running
find on /var/db/pkg/:
Code Listing 7.1: Using pkglist
# pkglist
Code Listing 7.2: Using find
# find /var/db/pkg/ -mindepth 2 -maxdepth 2 -printf "%P\n"
A list of files that belong to a package can be generated by either epm
or qpkg; to find out which files belong to the xmms package, try one of:
Code Listing 7.3: Using epm
# epm -ql xmms
Code Listing 7.4: Using qpkg
# qpkg -l xmms
And lastly, if you want to know to which package a file belongs, here are
two ways:
Code Listing 7.5: Using epm
# epm -qf /usr/bin/namei
Code Listing 7.6: Using qpkg
# qpkg -f /usr/bin/namei
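An added example (not from the newsletter or the Gentoo tools): the find walk from Code Listing 7.2 combined with the fixed versions from this issue's Portage Watch list, to flag installed packages that still predate a fix. The sample package database and the category name demo-cat are constructed, and GNU sort -V is used as an assumed stand-in for Portage's own version ordering.

```sh
#!/bin/sh
# Added example: flag installs older than the "Security Updates" fixes.
# Package names and first fixed versions are copied from Portage Watch.
# perl is left out because the page gives two fixed branches for it.
FIXED='openldap 2.0.27
cyrus-imapd 2.1.11
cyrus-sasl 2.1.10
wget 1.8.2-r2
canna 3.6-r1
kde 3.0.5a'

# Same walk as Code Listing 7.2: one category/name-version per line.
list_installed() {
    find "$1" -mindepth 2 -maxdepth 2 -printf '%P\n' | LC_ALL=C sort
}

# True when version $1 sorts strictly before $2. Assumption: sort -V is
# close enough to Portage ordering for dotted numbers and -rN revisions;
# it does not model _pre/_rc suffixes.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "category/name-version -> fixed version" for each stale install.
audit() {
    list_installed "$1" | while read -r cpv; do
        pv=${cpv##*/}                      # drop the category
        echo "$FIXED" | while read -r name fixed; do
            case $pv in
                "$name"-[0-9]*)            # exact name, then a version
                    ver=${pv#"$name"-}
                    if ver_lt "$ver" "$fixed"; then
                        echo "$cpv -> $fixed"
                    fi ;;
            esac
        done
    done
}

# Constructed sample database; "demo-cat" is a placeholder category.
make_sample_db() {
    db=$(mktemp -d)
    for cpv in demo-cat/openldap-2.0.25-r2 demo-cat/cyrus-sasl-2.1.9 \
               demo-cat/cyrus-imapd-2.1.11 demo-cat/wget-1.8.2-r2 \
               demo-cat/canna-3.6 kde-base/kde-3.0.5a demo-cat/xmms-1.2.7; do
        mkdir -p "$db/$cpv"
    done
    echo "$db"
}

db=$(make_sample_db)
audit "$db"
rm -rf "$db"
```

On a real system, run audit /var/db/pkg; the cyrus-sasl case (2.1.9 against 2.1.10) is why a plain string comparison of versions is not enough.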
8. Moves, Adds and Changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo team:
- Jan Seidel (tuxus) -- MIPS
- John Lennard (yakmoose) -- win4lin
- Christian Birchinger (joker) -- Sparc
Changes
The following developers recently changed roles within the Gentoo project:
9. Subscribe to the GWN mailing list
Would you prefer to receive the GWN via email? Subscribe to our mailing list
by sending a blank email to gentoo-gwn-subscribe@gentoo.org
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email
11. GWN Feedback
Please send us your feedback and
help make GWN better.