Gentoo Weekly Newsletter: January 20th, 2003
Next Release of Gentoo Linux to be 1.4_rc3
The next release of Gentoo Linux is expected to be released as 1.4_rc3, rather than 1.4_final. This decision was based on a number of factors, including:
- KDE 3.1 is not yet released, but is expected to be released imminently
- The 2.4.20 kernel is experiencing IDE problems on x86. While patches are in the pipeline to fix these issues, they require more testing before being declared "stable"
- gcc-3.2.1-r6 has been recently released and requires additional testing
- Recent upgrades to XFree86 require additional testing
And, most importantly, any final release of Gentoo Linux needs to be as stable as possible before being released to our users.
Gentoo PPC developer presents at MIT
The following was a late addition to this week's GWN and therefore may not appear in all translated versions.
Rajiv Manglani, one of Gentoo's developers for the PowerPC
platform (and an alumnus of the Massachusetts Institute of Technology
himself), is going to give a presentation featuring an overview of
Gentoo Linux and a demo of a finished system. Curtains go up at the MIT
(building no. 4, room 237) on Tuesday, 21 January 2003, from
19:00-20:00, and if you plan on attending, please RSVP to
ISC's dhcp package has several buffer overflow vulnerabilities which could permit an attacker to remotely
execute arbitrary code. No exploits have been reported.
- Severity: high - remote execution of code.
- Packages Affected: net-misc/dhcp versions prior to dhcp-3.0_p2 (3.0_p2 is the fix package)
- Rectification: Synchronize and emerge -u dhcp
- GLSA Announcement
A buffer overrun in fnord's CGI code has been discovered. However, the affected function does not return, so it
is unlikely that an exploit could be developed.
- Severity: low - probably unexploitable.
- Packages Affected: net-www/fnord-1.6
- Rectification: Synchronize and emerge -u fnord
- GLSA Announcement
GLSA: mod_php php
A flaw in php's wordwrap() function could, if used against user input, be subject to a buffer overflow. No exploit
has been reported.
- Severity: moderate - difficult to exploit.
- Packages Affected: dev-php/php-4.2.3 and earlier; dev-php/mod_php-4.2.3 and earlier
- Rectification: Synchronize and emerge -u php and/or mod_php
- GLSA Announcement
New Security Bug Reports
New security bug reports this week include:
Heard In The Community
Gentoo on Laptops
Anybody who's ever tried to put Linux from a Firewire or PCMCIA CD drive onto their notebook PC will instantly recognise the need for support, no matter how Linux-savvy you thought you were: This is the grand art of dealing with hardware that's been misconfigured by vendors and BIOS manglers for use with pre-installed operating systems beyond the point where a simple "install from CD" manual can bail you out. Fortunately, the forums are full of threads dealing with the peculiarities of portable PCs. There's even a Gentoo-driven movement to set up an alternative to Linux-on-Laptops.net, the most famous, but infrequently updated resource for anybody looking to install Linux on something they can carry about. Here's a collection of some of the more active threads in this field, topmost the pointer to Gentoo's own "Linux-on-the-go":
As the forum user base is steadily growing, the results of opinion polls are becoming more and more representative. The average Gentoo user seems to pay between 30 and 60 USD a month for a 500+ kbit/s Internet connection, lack proper chairs for their computer desks and drive around in Japanese pickup trucks. Most of these polls lack any sort of scientific value, but some of them are fun to watch. Impossible to list them all, check these popular ones and search yourself for others:
Linux PDAs: Sharp Zaurus and Gentoo
A fair number of threads deal with configuration issues to connect the currently best-known Linux PDAs, the Sharp Zaurus series, via USB-networking to their Gentoo desktops. Given the growing range of models and the rather cumbersome tuning necessities of the usbdnet driver, this is hardly astonishing, but in spite of all the tools being present in the kernel sources, many people in the forums have been unable to get it to run. If you have managed and remember how you did it, here's where you could make a few people very happy:
Research solves problems
about portage 2.0.46-r6 accidentally overwriting /etc/make.conf
triggered some heat amongst the audience. Gentoo developer Nicholas Jones
insisted that this was not an accident (bug), but rather that the poster failed
to mention his unique circumstances and assumed that portage 2.0.46-r6 was
at fault. It has been resolved that portage copied the original /etc/make.conf to
/etc/.cfg0000_make.conf as it should with all config files residing in the /etc
directory. This default behavior is configured via "CONFIG_PROTECT" in the environment
settings. The thread also makes it clear that Gentoo developers encourage research before
KMail with S/MIME and PGP/MIME support
Stephen Boulet posted a message asking how to get
KMail and OpenPGP to work properly together. Paul de Vrieze responded
and noted a bug he had filed regarding the topic. A lengthy
ensued about the various intricacies associated with key management and signatures in general. This thread is a great resource for anyone attempting to get
PGP and/or S/MIME working in KMail. Users looking for a more general HOWTO on using GnuPG to sign emails should see this week's
Tips and Tricks section.
Little Tool for Portage.
"A couple of months ago,
I wrote a small tool to help me view changelogs for packages in the
portage. After a while, I added various features I thought were useful,
like calculating the size of an installed package, and viewing the
enabled USE variables for an ebuild." The tool is called
Portage Information Extractor. Nick Jones
that recent versions of
portage do also provide information on Changelog entries with
the --changelog command-line option.
Akemashite Omedetou Gozaimasu
...or happy new year in Japanese. Friday night saw the first GentooJP New Year's Celebration, an event that is almost certain to become a tradition, at least for this year's 15 inaugural participants. Everybody who's anybody in Tokyo's bustling Gentoo scene was there, downing large quantities of beer and sake while trying hard not to spill anything on the laptops lying around, munching happily away at Kimchi-Nabe (fish of all denominations swimming in a bowl of Korean spicy cabbage...) and talking shop, of course, what else is there. Sadly missing were Gentooists from the Kansai area, including a number of prominent ebuilders from Osaka and Kyoto, who are of course much more seriously working people and never seem to make it to drinking events in Tokyo. [NB: The GWN team invites you to keep us informed about similar events in your countries.]
A Forum for Gentoo Users in China
While the mainstream user base on the official Gentoo Forums is slowly growing out of proportion, the inability to display Chinese has led to a few frustrated comments by Gentooists from China. Until the official forums can add support for CJK character sets, Chinese Gentooists may want to check out the bustling community active in a Chinese Gentoo forum on LinuxSir.com. Combining what they like to call "DIY Linux", the forum gathers users of both Gentoo and Linux-from-scratch under one umbrella. It is hosted on Linux,Sir!, one of the larger Chinese-language techie communities, emanating that typical BBS-style mix of technical support and entertainment centered around various Linux distributions. LinuxSir currently accommodates roughly 7500 users, predominantly from Shanghai, Chengdu, Dalian, but also from outside mainland China, of course. The popularity of the Gentoo forum is second only to Redhat, but towering over Debian, SuSE, Mandrake and Turbolinux, in spite of their better-known CJK support and adaptability to Chinese users. The software used for Linux,Sir! (vBulletin) is MySQL-based just like forums.gentoo.org, and defaults to GB2312 encoding (Simplified Chinese character set).
The following stable packages were added to portage this week
Updates to notable packages
- sys-apps/portage - portage-2.0.46-r6.ebuild; portage-2.0.46-r8.ebuild; portage-2.0.46-r9.ebuild;
- x11-base/xfree - xfree-188.8.131.52-r2.ebuild;
- sys-kernel/* - ac-sources-2.4.21_pre3-r2.ebuild; ac-sources-2.4.21_pre3-r3.ebuild; ac-sources-2.4.21_pre3-r4.ebuild; alpha-sources-2.4.20-r2.ebuild; development-sources-2.5.55.ebuild; development-sources-2.5.56.ebuild; development-sources-2.5.57.ebuild; development-sources-2.5.58.ebuild; gentoo-sources-2.4.20-r1.ebuild; gs-sources-2.4.21_pre3.ebuild; lolo-sources-184.108.40.206.ebuild; lolo-sources-220.127.116.11_rc3.ebuild; sparc-sources-2.4.20-r2.ebuild; xfs-sources-2.4.20_pre4.ebuild; xfs-sources-2.4.20_pre5.ebuild;
- dev-php/php - php-4.3.0-r2.ebuild;
- sys-devel/perl - perl-5.8.0-r9.ebuild;
- app-admin/gentoolkit - gentoolkit-0.1.17-r9.ebuild;
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:
- 265 new bugs this week
- 1382 total bugs currently marked 'new'
- 548 total bugs currently assigned to developers
- 54 bugs that were previously closed have been reopened.
There are currently 1984 bugs open in bugzilla. Of these: 36 are labelled 'blocker', 72 are labelled 'critical', and 120 are labelled 'major'.
The current list of developers' open bugs may be found at the
Gentoo Bug Count Report.
Closed Bug Rankings
The developers and teams who have closed the most bugs this week are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs this week are:
Tips and Tricks
Using GnuPG to digitally sign emails
GNU Privacy Guard (GnuPG) is an open source version of the commercial Pretty Good Privacy (PGP) software for creating digital signatures. This week's Tips and Tricks will cover the creation of a key, exporting your key to a public keyserver, and finally adding your digital signature to email.
Code Listing 7.1: Installing GnuPG
# emerge gnupg
# mkdir $HOME/.gnupg
Code Listing 7.2: Creating a new key
# gpg --gen-key
gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <email@example.com>"
Real name: John Doe
Email address: firstname.lastname@example.org
You selected this USER-ID:
"John Doe <email@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Enter passphrase: secret
Repeat passphrase: secret
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/johndoe/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.
pub 1024D/A268D066 2003-01-17 John Doe <firstname.lastname@example.org>
Key fingerprint = D435 4979 610B 0BAB F107 64F8 FAF5 94E0 A268 D066
sub 1024g/AB3B30AF 2003-01-17
Now that your key has been made, it needs to be exported to a public keyserver. While this is not required, it's the easiest way for others to get your public key information and verify your information.
To send your key, you'll first need to know your Key ID.
Code Listing 7.3: Finding your Key ID
% gpg --list-keys
pub 1024D/A268D066 2003-01-17 John Doe <email@example.com>
sub 1024g/AB3B30AF 2003-01-17
Now you can export your key.
Code Listing 7.4: Export your key to a public keyserver
% gpg --send-keys --keyserver wwwkeys.pgp.net A268D066
gpg: success sending to `wwwkeys.pgp.net' (status=200)
Now that your key has been created and published, you can start using it to sign emails. You'll need to remember your Key ID for this step. If you don't remember it, see the above code listing (Finding your Key ID).
Use the following steps to set up encryption in Evolution:
- Click on Tools->Settings.
- Select the Mail Accounts button and the account that will be using the key.
- Click Edit and then the Security tab. Enter your Key ID in the field entitled PGP/GPG Key ID.
- Click OK.
Now when you compose a message, select Security->PGP Sign to add your digital signature to your email.
Code Listing 7.5: GPG settings in ~/.muttrc
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor \
--detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor \
--textmode --clearsign %?a?-u %a? %f"
# pgpewrap (shipped with mutt, must be on PATH) expands "-- -r %r --" into one -r option per recipient
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt \
--textmode --armor --always-trust --encrypt-to 0x<your key ID> -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode \
--output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x<your key ID> -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r"
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r"
set pgp_sign_as=0x<your key ID>
set pgp_good_sign="^gpg: Good signature from"
When you compose a message, press p to sign or encrypt. To only sign your email, select s. Then you can send your message and it will be signed with your digital signature.
The above tips will help you get up and running with gpg, but they are not by any means a complete guide. You should also read GnuPG's excellent documentation section to learn more about important concepts like key revocation, key signing and webs of trust.
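The Key ID used in the listings above (A268D066) is only the last 8 hex digits of the key fingerprint, so anyone fetching a key by Key ID should compare the full fingerprint before relying on it. The following is an added example, not part of the original newsletter: it parses `gpg --with-colons --fingerprint` output and accepts a key only on an exact fingerprint match. The function names, the placeholder e-mail address, the long-ID digits not shown on the page and the look-alike record are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: colon-format listing for the key generated above
# (fields: type:validity:bits:algo:long key ID:created:...:uid).
SAMPLE_LISTING='pub:u:1024:17:FAF594E0A268D066:2003-01-17:::u:John Doe <johndoe@example.invalid>::scESC:
fpr:::::::::D4354979610B0BABF10764F8FAF594E0A268D066:
sub:u:1024:16:0000000000AB3B30AF:2003-01-17::::::e:'

# Constructed sample: a different key whose short Key ID happens to be the same.
LOOKALIKE_LISTING='pub:-:1024:17:00000000A268D066:2003-01-18:::-:John Doe <johndoe@example.invalid>::scESC:
fpr:::::::::00000000000000000000000000000000A268D066:'

# Print the fingerprint of the primary key whose key ID ends in $1.
# Reads colon-format listing on stdin; an optional 0x prefix is accepted.
fpr_for_keyid() {
    want=$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { hit = (substr($5, length($5) - length(want) + 1) == want) }
        $1 == "sub" { hit = 0 }                 # never report a subkey fingerprint
        $1 == "fpr" && hit { print $10; hit = 0 }
    '
}

# Turn a human-readable fingerprint ("D435 4979 ...") into bare upper-case hex.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# verify_key KEYID EXPECTED_FPR LISTING
# Succeeds only if the key selected by KEYID has exactly EXPECTED_FPR.
verify_key() {
    got=$(printf '%s\n' "$3" | fpr_for_keyid "$1")
    [ -n "$got" ] && [ "$got" = "$(normalise_fpr "$2")" ]
}
```

Against a real keyring the listing would come from `gpg --with-colons --fingerprint A268D066`, with the expected fingerprint obtained from the key owner through a separate channel.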
Moves, Adds and Changes
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo team:
- Alain Penders (RexOrient) -- Subversion and nforce2 kernel hacking
The following developers recently changed roles within the Gentoo project.
Subscribe to the GWN mailing list
Would you prefer to receive the GWN via email? Subscribe to our mailing list by sending a blank email to firstname.lastname@example.org.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make GWN better.
The Gentoo Weekly Newsletter is also available in the following languages: