
Gentoo Weekly Newsletter: January 13th, 2003

Content:

1.  Gentoo News

Summary

Portage Tree Frozen for Gentoo Linux 1.4_rc3/final

On January 8th, the Portage Tree was frozen pending the next release of Gentoo Linux 1.4. Packages that are unmasked in Portage as of this date will make it into what hopefully becomes 1.4_final. As part of Gentoo's new formal release policy, only changes that fix bugs or security problems will be allowed from now until release. Gentoo Linux 1.4 is currently in the "Build and Test" phase where assigned builders for each architecture build a "generic CPU" set of stage tarballs using a current Portage snapshot.

gcc Changes to Gentoo Linux

gcc was recently upgraded to 3.2.1-r6 in the Portage tree, causing some confusion in the community. As part of this upgrade, Gentoo Linux now offers the ability to run both 2.95.x and 3.2.x versions of gcc on the same system using a new gcc-config tool that allows the user to manually select which version of gcc to use when emerging a new package. With this new upgrade come some steps that users of Gentoo Linux need to follow on a 1.4 system:

Code Listing 1.1: gcc-3.2.1-r6 upgrade process

		# emerge -u gcc
		# env-update && source /etc/profile 
		(portage should do the env-update for you, but it can't hurt to do it twice)
		
		  If you have colorgcc emerged, you will need to remerge it
		# emerge colorgcc
		
		  If you have autoclean disabled, you will need to unmerge old versions of gcc
		# emerge clean gcc
		
		  Finally, make sure old versions of gcc have been successfully unmerged
		# emerge gentoolkit (only if you haven't already emerged it)
		# qpkg -I -v -nc gcc
		
		  You should only see the following output
		# gcc-3.2.1-r6
		# gcc-2.95.3-r8 (only for systems that also have gcc-2.9.x installed)
		# gcc-config-1.2.7
		

Users still using Gentoo Linux 1.2 should follow these steps when emerging gcc-2.95.3-r8:

Code Listing 1.2: gcc-2.95.3-r8 upgrade process

		# emerge -u gcc
		# env-update && source /etc/profile
		(portage should do the env-update for you, but it can't hurt to do it twice)
		
		  If you have colorgcc emerged, you will need to remerge it
		# emerge colorgcc
		
		  If you have autoclean disabled, you will need to unmerge old versions of gcc
		# emerge clean gcc
		
		  Finally, make sure old versions of gcc have been successfully unmerged
		# emerge gentoolkit (only if you haven't already emerged it)
		# qpkg -I -v -nc gcc
		
		  You should only see the following output
		# gcc-3.2.1-r6 (only for systems that also have gcc-3.2.1 installed)
		# gcc-2.95.3-r8 
		# gcc-config-1.2.7
		

Gentoo Users Have Even More Control with virtual/bootloader and virtual/editor

Based on a suggestion by Charles Brewer, Gentoo Linux now offers users more control over their bootloaders and editors with the new virtual/bootloader and virtual/editor packages. For virtual/bootloader, x86 users can install their choice of lilo or grub. Previously, grub was a dependency of the base system. The virtual/editor package allows users to select from a number of editors, including joe, vile, elvis, vi, vim, emacs, xemacs, nano and pico. Users wishing to take advantage of these new packages to get rid of either grub or nano can follow these instructions:

Code Listing 1.3: virtual/bootloader upgrade process to change from grub to lilo

		# emerge rsync
		# emerge lilo
		# emerge unmerge grub
		

Users wishing to get rid of nano can follow these instructions:

Code Listing 1.4: virtual/editor upgrade process to change to a different editor

		# emerge rsync
		# emerge your_favorite_editor (where your_favorite_editor is one of the editors listed above)
		# emerge unmerge nano
		

2.  Gentoo Security

Summary

GLSA: libpng

The affected libraries do not properly calculate offsets, which permits a remote buffer overflow attack and potential execution of arbitrary code, as well as potential DoS attacks by crashing the affected machine.

  • Severity: high - remote execution of code.
  • Packages Affected: libpng-1.2.5-r1 and earlier
  • Rectification: Synchronize and emerge libpng. If running libpng-1.0.12-r1 or earlier as well, that slot can be updated by emerging media-libs/libpng-1.0.12-r2
  • GLSA Announcement
  • Advisory

GLSA: lcdproc

The lcdproc system contains several boundary condition bugs that could permit a remote DoS (server crash) attack or remote execution of arbitrary code. An exploit has been published.

  • Severity: high - remote execution of code, published exploit.
  • Packages Affected: lcdproc-0.4.1-r1 and earlier
  • Rectification: Synchronize and emerge lcdproc.
  • GLSA Announcement
  • Advisory

GLSA: httpfetcher

The httpfetcher library is exposed to several buffer overflow vulnerabilities. This library is used in several other packages, and could potentially permit execution of arbitrary code on affected platforms. Sample exploits have been published.

  • Severity: high - remote execution of code, published exploit.
  • Packages Affected: http-fetcher-1.0.1 and earlier
  • Rectification: Synchronize and emerge http-fetcher.
  • GLSA Announcement
  • Advisory

GLSA: monopd

The monopd game server contains a buffer overflow which may permit remote execution of arbitrary code.

  • Severity: high - remote execution of code.
  • Packages Affected: monopd-0.4.3-r1 and earlier
  • Rectification: Synchronize and emerge monopd.
  • GLSA Announcement
  • Advisory

GLSA: libmcrypt

Improper input validation and small memory leaks in the libmcrypt encryption library permit remote DoS (server crash) attacks against affected platforms.

  • Severity: moderate - remote DoS.
  • Packages Affected: libmcrypt-2.5.1-r4 and earlier
  • Rectification: Synchronize and emerge libmcrypt.
  • GLSA Announcement

GLSA: dhcpcd

The dhcpcd server can be configured to execute an external script (/sbin/dhcpcd-*.exe). The external script uses values from the server that are improperly validated and may be exploited by a malicious DHCP server. There is potential for the execution of arbitrary commands with root privileges. The affected dhcpcd option is not set up by default in Gentoo.

  • Severity: high - exposure of root privileges.
  • Packages Affected: dhcpcd-1.3.20_p0-r1 and earlier
  • Rectification: Synchronize and emerge dhcpcd.
  • GLSA Announcement
  • Advisory

New Security Bug Reports

There were no new security bug reports this week. An older issue with mod_php has apparently been resolved, but no GLSA has been released at the time of this writing, and the bug report remains open. See:

3.  Heard In The Community

Web Forums

Can't stop the progress

A number of threads this week deal with the joys and pitfalls of the two most prominent new features in the pending release of Gentoo Linux 1.4, prelinking binaries and the Gentoo Reference Platform. Recommended reading for anyone who wants to try their hands:

And the winner is...

env-update && source /etc/profile... The transition to gcc3.2.1-r6 over the holidays has led to an incredible number of questions. "gcc: command not found", "make menuconfig doesn't work" and other panic attacks have all but dominated the forums over the past week. That the same sort of thing has been haunting the IRC channels, the newsgroup alt.os.linux.gentoo and the mailing list wasn't exactly helpful. Ladies and Gentoomen, the authoritative answer lies in this thread: update your environment...

A closer look at the wallflowers

Far from the battlefields of the editor flame wars or the overclocker's jihad, a decisively pacifist thread has quietly evolved around applications that deserve more public attention than they get. If you've ever wondered whether there was more to the Linux desktop than what's in the KDE menu, but couldn't quite keep up with the constant buzz on Freshmeat.net, you'll be interested to know that there's a thread presenting a few select, yet widely ignored pieces of software, lovingly described by your fellow Gentooists:

gentoo-user

Setting the clock right: ntpdate deprecated in favor of ntpd

People on the user mailing list were having fun this week trying to keep their computer clocks in sync with an NTP server. Including a few inevitable top vs. bottom posting messages, over 50 articles have been dealing with the correct setting for ntpd, the daemon that takes care of synchronizing your computer's clock with the real world. Anything you always wanted to know about NTP, but were afraid to ask can be found here.

gentoo-dev

Building a Second System.

John Nilsson posted an e-mail asking how to use an athlon-xp optimized system to compile a base system for a 486. This question looks like a particular case of the more general: how does one compile packages on a faster system to install them on a slower one (and optimized for the slower one)? Timo A. Hummel proposed a "hard" solution. Arnold deVos chipped in with his two cents and John Nilsson himself came up with what seems The Right Thing (TM): distcc.

IUSE Variable Clarification.

Burton Samograd asked what the correct use for the IUSE variable inside ebuilds is. This started quite a long thread in which two different interpretations were given. Nick Jones mentioned an upcoming feature in portage which he named rebuild-on-use-change. This feature should take care of rebuilding affected packages when changing USE flags. Maik Schreiber offered an explanation: "USE flags per definition define _optional_ features. So in your case, if the package _requires_ ncurses, you don't list it in IUSE (since you don't even pay attention to the "ncurses" USE flag anyway)." He also mentioned a possible origin of the word IUSE.

4.  Gentoo International

Gentoo User Group Korea

2003 is Asia's turn to promote Linux on a large scale, says the horoscope. Korea is already very much at the forefront of this development, being particularly blessed with Linux activists - think Hancom Office, think YOPY. Korea also has one of the more active Gentoo user communities on the planet. Jungmin Seo, on the Gentoo dev team since November last year, doubles as webmaster for a message forum at http://users.gentoo.or.kr. The software in use is a Korean open source PHP bulletin board system, JSBoard, and the site underwent a complete redesign only last month. On top of that, there's a very active #gentoo IRC channel with a few dozen regulars at irc.hanirc.org, and not less than three complete mirror sites. Seo, who is living on and off in Korea and England, is working on Gentoo documentation "and some CJK stuff", he says, but tries to distribute the user group's management workload as much as possible. In spite of its webmaster sweating profusely under exam stress at the University of York these days, the community site is going to see a major face-lift to its other sections, namely the Wiki and the screenshot gallery are being completely refurbished.


Figure 4.1: Neat: The completely redesigned Korean Gentoo User Group website


Do US export restrictions apply to Gentoo?

An innocent forum thread has raised some uncertainty about the legality of using Gentoo in countries under US embargo. Some major distributions seem to fall under these regulations and refuse to ship to destinations covered in the EAR, others have a more relaxed view of things. But no matter which degree of paranoia or libertarianism the software vendors choose to adopt for themselves, is it legal to download the sources for ssh from Havana or Pyongyang as long as the mirror that serves the files is physically located outside of the United States? Probably not, but it does look next to impossible to enforce any form of restrictive policy on a highly volatile, internationally fuzzy object like Gentoo Linux...

5.  Portage Watch

The following stable packages were added to portage this week

Updates to notable packages

  • sys-apps/portage - portage-2.0.47.ebuild; portage-2.0.47_pre4.ebuild;
  • kde-base/kde - kde-3.1_rc6.ebuild;
  • sys-kernel/* - sparc-sources-2.4.20-r1.ebuild; xfs-sources-2.4.20_pre3.ebuild;
  • dev-db/mysql - mysql-4.0.7.ebuild;
  • dev-php/php - php-4.3.0-r1.ebuild;
  • sys-devel/perl - perl-5.8.0-r8.ebuild;
  • app-admin/gentoolkit - gentoolkit-0.1.17-r6.ebuild; gentoolkit-0.1.17-r7.ebuild; gentoolkit-0.1.17-r8.ebuild;

6.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 267 new bugs this week
  • 1305 total bugs currently marked 'new'
  • 537 total bugs currently assigned to developers
  • 49 bugs that were previously closed have been reopened.

There are currently 1891 bugs open in bugzilla. Of these: 38 are labelled 'blocker', 72 are labelled 'critical', and 114 are labelled 'major'.

GWN has decided to modify the list of developers from those with a large number of open bugs to those who have closed a large number of bugs. The developers and teams who have closed the most bugs this week are:

The current list of developers' open bugs may be found at the Gentoo Bug Count Report.

Bugs of Note

Each week, we will single out a few bugs for special mention, because they have been provoking significant discussions, they are particularly problematic, they are amusing or simply because they struck our fancy. This week's featured bugs are (in no particular order):

  • Bug 12246, although closed, deserves mention because of the traffic in forums and the mailing lists about correcting a lost gcc link (after emerging gcc-3.2.1-r6) with env-update.
  • Bug 13614 is related to the bug above, and remains open because colorgcc is broken by the new gcc.
  • Bug 13255 discusses problems with emerge hanging when an rsync server is not responding (or a firewall is blocking the port) for initial gentoo installs.
  • Bug 13055 describes a requested enhancement to portage that would include USE flags information on emerge -p calls. A nice example of community interaction on feature requests.
  • Bug 12538 is a fairly high-traffic bug about difficulties compiling kdelibs with qt-3.1.1.

7.  Tips and Tricks

Keeping track of emerge world

Gentoo ebuilds sometimes require post-install configuration. Typically these ebuilds will notify you of any necessary commands to run. However, when running an emerge update world, these notices can scroll by very quickly and get lost as subsequent packages are installed. To get around this, we can send the output of emerge to a logfile. We use the 'tee' command to accomplish this since 'tee' allows us to watch the emerge in process in addition to writing to a file.

Code Listing 7.1

(The --deep option could also be used here)
# emerge --update world 2>&1 | tee -a /tmp/emerge.log

Note: The 2>&1 construct means that both errors and output will be logged. For more information on input/output redirection see http://linux.oreillynet.com/pub/a/linux/lpt/13_01.html
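
A variant of this tip that keeps the log out of /tmp, added here as an example and not part of the original newsletter: /tmp is writable by every local user, so a fixed file name there that root appends to can be pre-created or replaced by someone else. The function names and the /root/emerge-logs directory are illustrative, and the notices helper assumes that ebuild notice lines begin with " * ".

```shell
#!/bin/sh
# Added example: the tee logging tip with a log location that other
# local users cannot pre-create or replace.

# safe_log_path DIR NAME: print DIR/NAME if it is safe to append to.
safe_log_path() {
    dir=$1; name=$2
    # DIR must be owned by the caller and not group- or world-writable.
    # A shared directory such as /tmp fails this test.
    if [ -z "$(find "$dir" -prune -type d -user "$(id -u)" \
               ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]; then
        echo "refusing: $dir is shared or not owned by caller" >&2
        return 1
    fi
    # An existing target must be a plain file, never a symlink.
    if [ -L "$dir/$name" ] || { [ -e "$dir/$name" ] && [ ! -f "$dir/$name" ]; }; then
        echo "refusing: $dir/$name is not a regular file" >&2
        return 1
    fi
    printf '%s\n' "$dir/$name"
}

# log_run DIR NAME CMD...: run CMD, show its output and append it to the log.
log_run() {
    log=$(safe_log_path "$1" "$2") || return 1
    shift 2
    # umask 077 keeps a newly created log readable by the caller only.
    ( umask 077; "$@" 2>&1 | tee -a "$log" )
}

# notices LOG: print the ebuild notice lines saved in LOG.
# Assumption: notices start with " * " once colour codes are removed.
notices() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;]*m//g" "$1" | grep '^ \* '
}

# Typical use as root (directory name is an example):
#   mkdir -p -m 700 /root/emerge-logs
#   log_run /root/emerge-logs emerge.log emerge --update world
#   notices /root/emerge-logs/emerge.log
```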

8.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week

Adds

The following developers recently joined the Gentoo team:

  • none this week

Changes

The following developers recently changed roles within the Gentoo project.

  • none this week

9.  Subscribe to the GWN mailing list

Would you prefer to receive the GWN via email? Subscribe to our mailing list by sending a blank email to gentoo-gwn-subscribe@gentoo.org.

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated 13th Jan 2003

Summary: This is the Gentoo Weekly Newsletter for the week of January 13th, 2003.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Mathy Vanvoorden
Dutch Translation

Tom Van Laerhoven
Dutch Translation

Nicolas Ledez
French Translation

Guillaume Plessis
French Translation

Eric St-Georges
French Translation

John Berry
French Translation

Martin Prieto
French Translation

Michael Kohl
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Thomas Raschbacher
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Daniel Ketel
Japanese Translation

Yoshiaki Hagihara
Japanese Translation

Andy Hunne
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Lanark
Spanish Translation

Rafael Cordones Marcos
Spanish Translation

Julio Castillo
Spanish Translation

Jaime Freire
Spanish Translation

Sergio Gómez
Spanish Translation

Copyright 2001-2014 Gentoo Foundation, Inc.