Gentoo Weekly Newsletter: December 30th, 2002

Content:

1.  Gentoo News

Summary

Gentoo to be at LinuxWorld Expo in January

Daniel Robbins and other members of the Gentoo Linux team will be at LinuxWorld Expo January 22nd-24th in New York City. They will be manning booth #8 at the .org pavilion and hope to have an impressive display of graphics hardware showing off Gentoo Linux. If you're in the area, stop by and show your support for Gentoo Linux!

Gentoo Linux 1.4 Release Schedule and Feature Update

Daniel Robbins recently announced the planned Release Schedule for Gentoo 1.4_rc3, which will hopefully be released as Gentoo 1.4_final. While the Release Schedule is subject to change based on bugs and user feedback, the current release date is planned for January 14, 2003, just in time for Linux World 2003 in New York. New for Gentoo is a more formal release process, comprised of five main stages that take the 1.4_rc3/1.4_release candidate through a testing and QA process that should improve the quality and stability of the final system.

1.4_final will take the improvements introduced in rc1 and rc2 and also add:

  • Fully integrated Xft2 support
  • New baselayout to remove dependency on tmpfs
  • expanded GRP package set
  • integrated optional prelink support

As this release makes its way through the Release Schedule process, the quality and stability of this version will determine whether it receives the "1.4_final" designation. As with any unreleased product, features and dates may change as we get closer to the deadline.

Gentoo Linux 1.4_rc2 to be Released on December 31st

The last release candidate prior to the final version of Gentoo Linux 1.4 is scheduled to be released on December 31st. As several Gentoo users have already discovered, most of the 1.4_rc2 files have already been placed on ibiblio. Last minute additions to rc2 not ready at press time included some finishing touches to the installation CDs (LiveCDs) and documentation. New to the 1.4_rc2 release are:

  • The first release of the Gentoo Reference Platform (GRP) -- a collection of ebuilds specifically tested for stability.
  • New LiveCDs with increased hardware support, better technology and more eye candy.
  • Upgraded versions of gcc, binutils, portage and many other packages.

Users interested in living on the bleeding edge can see the new LiveCD technology in action by trying out one of the experimental LiveCDs.

New Kernel Development Strategy

Daniel Robbins recently proposed a new kernel development strategy for Gentoo Linux, with the main goals being to improve hardware support and stability of the kernels used in the Gentoo project. As part of this strategy, Gentoo would leverage many of the hardware patches that make their way into the Red Hat kernel tree since most hardware vendors seek out Red Hat as their primary/only Linux partner. In addition to taking advantage of the improved hardware support in the Red Hat kernel source tree, Gentoo users would also benefit from additional features and functionality not normally found in the Red Hat kernel, including XFS, EVMS and Win4Lin, as well as others. Furthermore, the focus of gentoo-sources and xfs-sources would likely diverge somewhat, with gentoo-sources focusing more on high performance and xfs-sources intent on maximum hardware compatibility and kernel functionality.

New Formal Release Schedule Process

As part of the 1.4 release process, Daniel Robbins proposed a formal Release Schedule to ensure that the entire Gentoo development team knows what the process and schedule is for future releases. Key to the new policy is the migration away from one single "release manager", with one person in charge of everything, to more of a "release process" whereby the entire development team helps manage the release, based on one set of common instructions. At a high level, the new Release Schedule consists of 5 main steps:

  • Initial Decision -- The actual decision to release a new version of Gentoo Linux.
  • Package Upgrades Phase -- A period of time (generally 14 days) where the developers focus on moving packages from an unstable (masked) state to a stable (unmasked) state.
  • Build and Test -- Assigned builders for each architecture build a "generic CPU" set of stage tarballs using a current Portage snapshot.
  • Release Build and Test -- A full-scale, distributed build effort begins to build the full new Gentoo Linux release or release candidate including GRP package sets.
  • Release -- The new version of Gentoo Linux is released to the Gentoo community.

2.  Gentoo Security

Summary

GLSA: openldap

Several buffer overflows and other bugs exist that could allow remote attackers to gain access to systems running vulnerable LDAP servers.

  • Severity: high - potential remote execution of arbitrary code.
  • Packages Affected: openldap-2.0.25-r2
  • Rectification: Synchronize and emerge cyrus-sasl.
  • GLSA Announcement
  • Advisory

GLSA: cyrus-imapd

Cyrus' Sieve implementation contains a couple of classic string based buffer overflows in script parsing code. Anyone who can execute Sieve scripts can exploit these bugs. Versions up to libSieve 2.1.2 and Cyrus IMAP 2.1.10 are affected.

  • Severity: high - potential remote execution of arbitrary code.
  • Packages Affected: cyrus-imapd 2.1.10 and earlier
  • Rectification: Synchronize and emerge cyrus-imapd.
  • GLSA Announcement
  • Advisory

GLSA: cyrus-sasl

Insufficient buffer length checking in user name canonicalization may allow an attacker to execute arbitrary code on servers using the Cyrus SASL library.

  • Severity: high - potential remote execution of arbitrary code.
  • Packages Affected: cyrus-sasl 2.1.9
  • Rectification: Synchronize and emerge cyrus-sasl.
  • GLSA Announcement
  • Advisory

GLSA: KDE-3.0.x

KDE-3.0.x sometimes fails to quote command parameters in calls to the shell. This means that carefully crafted emails and web pages may permit the attacker to pass arbitrary commands using the victim's system privileges. Exploits are known to exist.

  • Severity: high - potential remote execution of arbitrary code under victim's privileges.
  • Packages Affected: kde-3.0.4 and earlier in the kde-3.x series.
  • Rectification: Synchronize and emerge kde.
  • GLSA Announcement
  • Advisory

GLSA: canna

The canna server versions 3.6 and earlier expose a heap overflow that permits a remote exploit that has been demonstrated, but not reported in the wild. In addition, the same server versions fail to validate some request cases.

  • Severity: moderate to high - DOS attack and information exposure, remote exploit permits execution with same privileges as the canna server.
  • Packages Affected: canna-3.6
  • Rectification: Synchronize and emerge canna.
  • GLSA Announcement
  • Advisory

GLSA: wget

Wget could permit a malicious ftp site operator to overwrite certain key files and potentially gain privileges on the target computer through replacing executable files. No cases in the wild have been reported.

  • Severity: moderate - DOS and remote exploit mitigated by requirement for victim participation.
  • Packages Affected: wget-1.8.2-r1 and earlier
  • Rectification: Synchronize and emerge wget.
  • GLSA Announcement

GLSA: perl

Perl's Safe module (Safe.pm) exposes a potential vulnerability in that, if a safe compartment is reused it is no longer safe (due to an inability to alter operation masks).

  • Severity: moderate - somewhat obscure and requires code that reuses safe compartments.
  • Packages Affected: perl-5.8.0-r5 and earlier
  • Rectification: Synchronize and emerge perl or (less drastic) emerge Safe.
  • GLSA Announcement
  • Advisory

New Security Bug Reports

The past week has not seen any significant new security bugs posted to bugzilla. Therefore, we will use this section to provide a summary of currently open security bugs on the system (we should note that most of these 'bugs' have been fixed in packages that are currently in testing, and could be unmasked and emerged now):

3.  Heard In The Community

Web Forums

Forums Crashed - Back Online

Nitro writes that the Forum's backbone, the MySQL server that makes the phpBB surface ripple, was unreachable on Christmas Eve (probably out having an eggnog somewhere warm and cozy). The downtime was caused when a new server being brought online crashed. Things have since been migrated back to the old server and the new server is undergoing further stress testing. Fortunately, nothing has gone missing, the entire database has been restored, and only those few people who created new accounts during the brief period of downtime will have to do so again.

Dual boot alert!

People have been unwrapping their Christmas presents, and this may well be the reason behind the current wave of dual boot configurations reflected in the forums. This at least is the impression one gets from the sudden flurry of activity documented in the threads listed below. For people planning on setting up Gentoo in a dual configuration with a legacy operating system, these are as good a place as any to start from:

Gentoo Linux Users Everywhere

What is one to do with an optimized Gentoo system after all the emerging is done? Several active topics have formed as centers for the organization of Gentoo teams for such diverse distributed computing projects as SETI@home, distributed.net's RC-5-72, Folding@home, and ClimatePrediction.Net. Properly niced (nice is used to run a program with modified scheduling priority), clients for these projects can use systems' spare CPU cycles, doing (potentially) constructive work without any adverse effect on performance. The SETI@home team is currently the largest, with 85 users from all over the world and a whopping 76 CPU years, but the Folding@home team is quite active as well. For more information about setting up the clients, joining the teams, and the effects of SETI@home participation on one enthusiastic user's electric bill, among other things, see the following threads:

gentoo-user

Gentoo vs. FreeBSD

Portage, Gentoo's package management system, undoubtedly resembles the ports system found in FreeBSD. So, which is better? Gentoo advocates will argue that newer is of course better, as exemplified by evolution. FreeBSD loyalists remind us of Marlon Brando in the Godfather, things were better back then. Truthfully it would be silly to draw such simple conclusions. Charles Burns posted an excellent response comparing the two different OSes. When it comes to desktops or less popular hardware, there is no substitute for Gentoo.

Don't fear the downgrade

Every once in a while an emerge preview will notify you that it is going to downgrade an important package. For instance, emerging edb may downgrade freetype, instilling an instant fear of losing those good looking fonts. Fear not. Many packages coexist happily with each other and the newer versions will not be removed after the 'downgrade'. For example, Glib2 and Glib1 also behave well on the same system. Jean Smith has posted a suggestion that will hopefully clear up this confusion.

gentoo-dev

Final Release of Gentoo?

M. Zuelsdorff wrote to say: "I am following the discussion in the gentoo-dev group for more than a year now. All I see is "a problem with this" and "a problem with that". Some days ago, something even appeared to be "really fucked up". My question: When do you expect Gentoo to become a final usable release?". Most of the answers in the thread agreed that human nature might play some role here and make us take time to complain more often than we do to say things work for us. Arthur Britto chipped in with: "You've just highlighted one of the biggest problems with Gentoo: manual problem discovery and resolution. When a package breaks, someone must (1) manually discover it, (2) search mailing lists for Gentoo and the application, (3) search the forums for Gentoo and the application, (4) attempt reasonable diagnostics to insure the problem is not just with their system, (5) if they are competent they might try to solve the problem, and (6) share their problem with the community." Finally, Daniel Robbins (Chief Architect of Gentoo Linux) closed the thread with the steps being taken in order to improve quality control.

USE Flags Selector.

John Nilsson wrote an e-mail in which he expressed his interest in writing an interface for selecting USE flags and GCC flags. Turns out, this interface already exists in the form of ufed and kportage. But, as always, with free software, there is room for improvements! ;-)

4.  Gentoo International

Yet Another French Linux Documentation

The French Gentoo community is very excited about a brand new Linux installation and configuration guide by Christian Casteyde. Not exactly built to order for Gentooists (he appears to be a SuSE and Slackware man himself), it is a very extensive and up-to-date documentation, with a strong emphasis on additional features of XFree86 4.x and kernel 2.4.x. He calls it Yet Another "Guide d'Installation de Linux", or YAGIL, and it certainly looks like enough of a reason to brush up your French.

Gentoo Shinnenkai - New Year's Party at Gentoo-JP...

In what can only be called an effort at Doing The Right Thing, the Japanese Gentoo activists have agreed on a date for the first get-together of the year 2003. With the precise location still to be announced, all of Japan's Gentoo users and developers present in Tokyo on that date will meet on 17 January 2003, starting at 19:00. The easiest way to tell them you're coming is probably the IRC channel, #gentoo-ja on irc.freenode.net, or you can drop a mail to the organizers.

5.  Portage Watch

Security Updates (see above)

  • openldap - fixed in openldap-2.0.27 and above
  • cyrus-imapd - fixed in cyrus-imapd-2.1.11 and above
  • cyrus-sasl - fixed in cyrus-sasl-2.1.10 and above
  • Perl - fixed in perl-5.6.10-r10 / perl-5.8.0-r6 and above
  • wget - fixed in wget-1.8.2-r2 and above
  • canna - fixed in canna-3.6-r1 and above
  • kde-3.0.x - fixed in kde-3.0.5a and above

The following stable packages were added to portage this week

Updates to notable packages

  • sys-apps/portage - portage-2.0.47_pre1.ebuild; portage-2.0.47_pre2.ebuild;
  • kde-base/kde - kde-3.0.5a.ebuild;
  • sys-kernel/* - development-sources-2.5.53.ebuild; lolo-sources-2.4.20.1_pre6.ebuild; lolo-sources-2.4.20.1_pre7.ebuild; lolo-sources-2.4.20.1_pre8.ebuild; openmosix-sources-2.4.20-r1.ebuild; usermode-sources-2.4.19-r36.ebuild; usermode-sources-2.4.19-r37.ebuild; usermode-sources-2.4.19-r38.ebuild; usermode-sources-2.4.19-r39.ebuild; usermode-sources-2.4.19-r40.ebuild; xfs-sources-2.4.20_pre1.ebuild; xfs-sources-2.4.20_pre2.ebuild;
  • sys-devel/perl - perl-5.8.0-r7.ebuild;

6.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 190 new bugs this week
  • 1166 total bugs currently marked 'new'
  • 535 total bugs currently assigned to developers
  • 54 bugs that were previously closed have been reopened.

There are currently 1755 bugs open in bugzilla. Of these: 29 are labelled 'blocker', 74 are labelled 'critical', and 104 are labelled 'major'.

The developers and teams with the highest apparent bug-related workload are:

Please lend them (and the entire development team) your best wishes, toothbrush and continuing support.

Bugs of Note

Each week, we will single out a few bugs for special mention, because they have been provoking significant discussions, they are particularly problematic, they are amusing or simply because they struck our fancy. This week's featured bugs are (in no particular order):

  • Bug 9459 discusses apparent problems with intermittent file corruption after incorrect shutdowns on ReiserFS using Gentoo-Sources.
  • Bug 12537 discusses problems with the latest baselayout changing the gid of smmsp - which provokes problems with sendmail.
  • Bug 8324 critiques the lack of a keyboard language select (for non-US keyboards) in the 1.4 install CD release candidate. Daniel Robbins has indicated that this will be resolved by the final release.
  • Bug 11384 discusses a problem compiling glibc using -march=pentium4. The issue is apparently inherent in the current gcc code, so it cannot be fixed. However, the bug is an excellent example of interaction between the reporter and the developer.
  • Bug 9633 indicates a problem with booting the 1.4 install CD release candidate on certain architectures (Fujitsu P2000) without the ability to specify boot parameters. Apparently, the resolution may require a modification to the install kernel, which seems likely.

7.  Tips and Tricks

Getting information about installed packages

New Gentoo users often ask how to get a list of installed packages from the Portage tree, but what many of those who give answers might not know is the abundance of tools that can be used to do so. From Portage's pkglist, the gentoolkit's qpkg and epm (an rpm work-alike), to walking the /var/db/pkg/ directory structure yourself, there are definitely quite a few choices. Here are two ways to list all installed packages, first using pkglist (found in /usr/lib/portage/bin/, which is often not in $PATH), the second running find on /var/db/pkg/:

Code Listing 7.1: Using pkglist

# pkglist

Code Listing 7.2: Using find

# find /var/db/pkg/ -mindepth 2 -maxdepth 2 -printf "%P\n"

A list of files that belong to a package can be generated by either epm or qpkg; to find out which files belong to the xmms package, try one of:

Code Listing 7.3: Using epm

# epm -ql xmms

Code Listing 7.4: Using qpkg

# qpkg -l xmms

And lastly, if you want to know to which package a file belongs, here are two ways:

Code Listing 7.5: Using epm

# epm -qf /usr/bin/namei

Code Listing 7.6: Using qpkg

# qpkg -f /usr/bin/namei
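
The /var/db/pkg/ walk from Code Listing 7.2 can also be used to check installed packages against the fixed versions listed under Security Updates in Portage Watch. The following is an added example, not part of the newsletter or of Portage: the version ordering is a simplified stand-in for Portage's own, matching is by package name only, and the sample tree (including its category names) is constructed.

```python
import os
import re
import tempfile

# Fixed versions copied from this newsletter's Portage Watch list.
# perl lists one fix per branch (5.6.x and 5.8.x).
FIXED = {
    "openldap": ["2.0.27"], "cyrus-imapd": ["2.1.11"],
    "cyrus-sasl": ["2.1.10"], "perl": ["5.6.10-r10", "5.8.0-r6"],
    "wget": ["1.8.2-r2"], "canna": ["3.6-r1"], "kde": ["3.0.5a"],
}

# "name-version": the version starts at the last "-<digit>", optional "-rN".
PV = re.compile(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$")
VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

def vkey(ver):
    """Simplified ordering key (assumption: not Portage's full algorithm).
    Handles dotted numbers, one trailing letter and -rN; raises ValueError
    on anything else (for example _pre or _rc suffixes)."""
    m = VER.match(ver)
    if not m:
        raise ValueError(ver)
    nums = tuple(int(n) for n in m.group(1).split("."))
    return (nums, m.group(2), int(m.group(3) or 0))

def status(name, ver):
    """Compare an installed version with the fix listed for its branch."""
    try:
        have = vkey(ver)
    except ValueError:
        return "unparsed"
    fixes = [vkey(f) for f in FIXED[name]]
    same_branch = [f for f in fixes if f[0][:2] == have[0][:2]]
    want = same_branch[0] if same_branch else max(fixes)
    # "below-fix" means older than the listed fix, not proof of exposure.
    return "ok" if have >= want else "below-fix"

def audit(pkgdb):
    """Walk pkgdb/<category>/<name-version> like the find command above."""
    report = []
    for cat in sorted(os.listdir(pkgdb)):
        for pv in sorted(os.listdir(os.path.join(pkgdb, cat))):
            m = PV.match(pv)
            if m and m.group(1) in FIXED:
                report.append((cat + "/" + pv, status(*m.groups())))
    return report

def make_sample_db():
    """Constructed sample tree (not a real system) for an offline run."""
    root = tempfile.mkdtemp()
    for entry in ("sys-devel/perl-5.8.0-r5", "kde-base/kde-3.0.5a",
                  "net-misc/wget-1.8.2-r1", "app-i18n/canna-3.6-r1",
                  "media-sound/xmms-1.2.7-r14"):
        os.makedirs(os.path.join(root, entry))
    return root

if __name__ == "__main__":
    for pkg, state in audit(make_sample_db()):
        print(f"{state:10} {pkg}")
```

On a real system, pass /var/db/pkg to audit(); anything reported as "unparsed" needs a manual comparison.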

8.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week

Adds

The following developers recently joined the Gentoo team:

  • Jan Seidel (tuxus) -- MIPS
  • John Lennard (yakmoose) -- win4lin
  • Christian Birchinger (joker) -- Sparc

Changes

The following developers recently changed roles within the Gentoo project:

  • none this week

9.  Subscribe to the GWN mailing list

Would you prefer to receive the GWN via email? Subscribe to our mailing list by sending a blank email to gentoo-gwn-subscribe@gentoo.org

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email

11.  GWN Feedback

Please send us your feedback and help make GWN better.



Page updated 30 Dec 2002

Summary: This is the Gentoo Weekly Newsletter for the week of December 30th, 2002.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Lanark
Spanish Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Ventura
Portuguese (Brazil) Translation

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.