Gentoo Weekly Newsletter: January 20th, 2003

1.  Gentoo News

Summary

• Next Release of Gentoo Linux to be 1.4_rc3
• Gentoo PPC developer presents at MIT

Next Release of Gentoo Linux to be 1.4_rc3

The next release of Gentoo Linux is expected to be released as 1.4_rc3, rather than 1.4_final. This decision was based on a number of factors, including:

• KDE 3.1 is not yet released, but is expected to be released imminently
• The 2.4.20 kernel is experiencing IDE problems on x86. While patches are in the pipeline to fix these issues, they require more testing before being declared "stable"
• gcc-3.2.1-r6 has been recently released and requires additional testing
• Recent upgrades to XFree86 require additional testing

Gentoo PPC developer presents at MIT

The following was a late addition to this week's GWN and therefore may not appear in all translated versions.

Rajiv Manglani, one of Gentoo's developers for the PowerPC platform (and an alumni of the Massachusetts Institute of Technology himself), is going to give a presentation featuring an overview of Gentoo Linux and a demo of a finished system. Curtains go up at the MIT (building no. 4, room 237) on Tuesday, 21 January 2003, from 19:00-20:00, and if you plan on attending, please RSVP to sipb-iap-gentoo@mit.edu.

2.  Gentoo Security

Summary

• GLSA: dhcp
• GLSA: fnord
• GLSA: mod_php php
• New Security Bug Reports

GLSA: dhcp

ISC's dhcp package has several buffer overflow vulnerabilities which could permit an attacker to remotely execute arbitrary code. No exploits have been reported.

• Severity: high - remote execution of code.
• Packages Affected: net-misc/dhcp versions prior to dhcp-3.0_p2 (3.0_p2 is the fix package)
• Rectification: Synchronize and emerge -u dhcp
• GLSA Announcement
• Advisory

GLSA: fnord

A buffer overrun in fnord's CGI code has been discovered. However, the affected function does not return, so it is unlikely that an exploit could be developed.

• Severity: low - probably unexploitable.
• Packages Affected: net-www/fnord-1.6
• Rectification: Synchronize and emerge -u fnord
• GLSA Announcement
• Advisory

GLSA: mod_php php

A flaw in php's wordwrap() function could, if used against user input, be subject to a buffer overfolow. No exploit has been reported.

• Severity: moderate - difficult to exploit.
• Packages Affected: dev-php/php-4.2.3 and earlier; dev-php/mod_php-4.2.3 and earlier
• Rectification: Synchronize and emerge -u php and/or mod_php
• GLSA Announcement
• Advisory

New Security Bug Reports

New security bug reports this week include:

• media-sound/mpg123
• app-editors/vim

3.  Heard In The Community

Web Forums

Gentoo on Laptops

Anybody who's ever tried to put Linux from a Firewire or PCMCIA CD drive onto their notebook PC will instantly recognise the need for support, no matter how Linux-savvy you thought you were: This is the grand art of dealing with hardware that's been misconfigured by vendors and BIOS manglers for use with pre-installed operating systems beyond the point where a simple "install from CD" manual can bail you out. Fortunately, the forums are full of threads dealing with the peculiarities of portable PCs. There's even a Gentoo-driven movement to set up an alternative to Linux-on-Laptops.net, the most famous, but infrequently updated resource for anybody looking to install Linux on something they can carry about. Here's a collection of some of the more active threads in this field, topmost the pointer to Gentoo's own "Linux-on-the-go":

• Linux On the Go
• Software suspend
• /proc/cpuinfo shows incorrect MHz for Pentium 800
• Is there a way to sync my laptop with my desktop?
• Vaio R505 w/ Slimdock
• LCD Screen X problems

Forum Surveys

As the forum user base is steadily growing, the results of opinion polls are becoming more and more representative. The average Gentoo user seems to pay between 30 and 60 USD a month for a 500+ kbit/s Internet connection, lack proper chairs for their computer desks and drive around in Japanese pickup trucks. Most of these polls lack any sort of scientific value, but some of them are fun to watch. Impossible to list them all, check these popular ones and search yourself for others:

• How much do you pay for your internet?
• How fast is your internet connection?
• Post a picture of your actual desktop
• What cars do you drive?
• So, what did you name YOUR computer(s)?

Linux PDAs: Sharp Zaurus and Gentoo

A fair number of threads deal with configuration issues to connect the currently best-known Linux PDAs, the Sharp Zaurus series, via USB-networking to their Gentoo desktops. Given the growing range of models and the rather cumbersome tuning necessities of the usbdnet driver, this is hardly astonishing, but in spite of all the tools being present in the kernel sources, many people in the forums have been unable to get it to run. If you have managed and remember how you did it, here's where you could make a few people very happy:

• Zaurus network problem reward if your advice is successful!
• usbdnet patch
• Zaurus and Gentoo
• Is the Sharp Zaurus any good?

gentoo-user

Research solves problems

A recent thread about portage 2.0.46-r6 accidently overwriting /etc/make.conf triggered some heat amongst the audience. Gentoo developer Nicholas Jones insisted that this was not an accident (bug), but rather that the poster failed to mention his unique circumstances and assumed that portage 2.0.46-r6 was at fault. It has been resolved that portage copied the original /etc/make.conf to /etc/.cfg0000_make.conf as it should with all config files residing in the /etc directory. This default behavior is configured via "CONFIG_PROTECT" in the environment settings. The thread also makes it clear that Gentoo developers encourage research before accusations.

KMail with S/MIME and PGP/MIME support

Stephen Boulet posted a message asking how to get KMail and OpenPGP to work properly together. Paul de Vrieze responded and noted a bug he had filed regarding the topic. A lengthy discussion ensued about the various intricacies associated with key management and signatures in general. This thread is a great resource for anyone attempting to get PGP and/or S/MIME working in KMail. Users looking for a more general HOWTO on using GnuPG to sign emails should see this week's Tips and Tricks section.

gentoo-dev

Little Tool for Portage.

Alastair Tse wrote: "A couple of months ago, I wrote a small tool to help me view changelogs for packages in the portage. After a while, I added various features I thought were useful, like calculating the size of a installed package, and viewing the enabled USE variables for an ebuild." The tool is called etcat: Portage Information Extractor. Nick Jones said that recent versions of portage do also provide information on Changelog entries with the --changelog command-line option.

4.  Gentoo International

Akemashite Omedetou Gozaimasu

...or happy new year in Japanese. Friday night saw the first GentooJP New Year's Celebration, an event that is almost certain to become a tradition, at least for this year's 15 inaugural participants. Everybody who's anybody in Tokyo's bustling Gentoo scene was there, downing large quantities of beer and sake while trying hard not to spill anything on the laptops lying around, munching happily away at Kimchi-Nabe (fish of all denominations swimming in a bowl of Korean spicy cabbage...) and talking shop, of course, what else is there. Sadly missing were Gentooists from the Kansai area, including a number of prominent ebuilders from Osaka and Kyoto, who are of course much more seriously working people and never seem to make it to drinking events in Tokyo. [NB: The GWN team invites you to keep us informed about similar events in your countries.]

A Forum for Gentoo Users in China

While the mainstream user base on the official Gentoo Forums is slowly growing out of proportion, the inability to display Chinese has lead to a few frustrated comments by Gentooists from China. Until the official forums can add support for CJK character sets, Chinese Gentooists may want to check out the bustling community active in a Chinese Gentoo forum on LinuxSir.com. Combining what they like to call "DIY Linux", the forum gathers users of both Gentoo and Linux-from-scratch under one umbrella. It is hosted on Linux,Sir!, one of the larger Chinese-language techie communities, emanating that typical BBS-style mix of technical support and entertainment centered around various Linux distributions. LinuxSir currently accomodates roughly 7500 users, predominantly from Shanghai, Chengdu, Dalian, but also from outside mainland China, of course. The popularity of the Gentoo forum is second only to Redhat, but towering over Debian, SuSE, Mandrake and Turbolinux, in spite of their better-known CJK support and adaptability to Chinese users. The software used for Linux,Sir! (vBulletin) is MySQL-based just like forums.gentoo.org, and defaults to GB2312 encoding (Simplified Chinese character set).

5.  Portage Watch

The following stable packages were added to portage this week

• app-emulation/win4lin : Win4Lin allows you run Windows applications somewhat natively http://www.netraverse.com/
• app-games/gxmame : GXMame is a frontend for XMame using the GTK library, the goal is to provide the same GUI as mame32 http://gmame.sourceforge.net
• app-misc/mime-types : Provides mime.types file http://www.gentoo.org/
• app-misc/xnc : A ile manager for X Window system very similar to Norton Commander, with a lot of features. http://xnc.dubna.su/
• app-sci/tbass : Balsa is both a framework for synthesising asynchronous hardware systems and the language for describing such systems http://www.cs.man.ac.uk/amulet/projects/balsa/
• app-sci/systemc : A C++ based modeling platform for VLSI and system-level co-design http://www.systemc.org/
• app-sci/vstgl : Visual Signal Transition Graph Lab http://vstgl.sourceforge.net/
• app-text/mftrace : traces TeX fonts to PFA or PFB fonts (formerly pktrace) http://www.cs.uu.nl/~hanwen/mftrace/
• dev-lang/stratego : Stratego term-rewriting language http://www.stratego-language.org
• dev-lang/erlang : Erlang programming language, runtime environment, and large collection of libraries http://www.erlang.org/
• dev-lang/bigwig : a high-level programming language for developing interactive Web services. http://www.brics.dk/bigwig/
• dev-libs/cgicc : A C++ class library for writing CGI applications http://www.cgicc.org
• dev-libs/libevent : A library to execute a function when a specific event occurs on a file descriptor http://monkey.org/~provos/libevent/
• dev-util/cproto : generate C function prototypes from C source code http://cproto.sourceforge.net/
• media-gfx/icoutils : A set of programs for extracting and converting images in Microsoft Windows icon and cursor files (.ico, .cur). http://www.student.lu.se/~nbi98oli
• media-gfx/pfaedit : postscript font editor and converter http://pfaedit.sourceforge.net/
• net-analyzer/nagios-core : Nagios 1.0 core - Host and service monitor cgi, docs etc... http://www.nagios.org/
• net-analyzer/nagios-imagepack : Nagios imagepacks - Icons and pictures for Nagios http://www.nagios.org
• net-mail/sylpheed-claws : Bleeding edge version of Sylpheed http://sylpheed-claws.sf.net
• net-misc/arpd : ARP reply daemon enables a single host to claim all unassigned addresses on a LAN for network monitoring or simulation http://www.citi.umich.edu/u/provos/honeyd/
• net-www/adzapper : redirector for squid that intercepts advertising, page counters and some web bugs http://adzapper.sourceforge.net/
• net-www/squirm : A redirector for Squid http://squirm.foote.com.au
• sys-devel/cc-config : Utility to change the gcc compiler being used. http://www.gentoo.org/
• sys-libs/lrmi : LRMI is a library for calling real mode BIOS routines under Linux. http://www.sourceforge.net/projects/lrmi/

Updates to notable packages

• sys-apps/portage - portage-2.0.46-r6.ebuild; portage-2.0.46-r8.ebuild; portage-2.0.46-r9.ebuild;
• x11-base/xfree - xfree-4.2.99.3-r2.ebuild;
• sys-kernel/* - ac-sources-2.4.21_pre3-r2.ebuild; ac-sources-2.4.21_pre3-r3.ebuild; ac-sources-2.4.21_pre3-r4.ebuild; alpha-sources-2.4.20-r2.ebuild; development-sources-2.5.55.ebuild; development-sources-2.5.56.ebuild; development-sources-2.5.57.ebuild; development-sources-2.5.58.ebuild; gentoo-sources-2.4.20-r1.ebuild; gs-sources-2.4.21_pre3.ebuild; lolo-sources-2.4.20.1.ebuild; lolo-sources-2.4.20.1_rc3.ebuild; sparc-sources-2.4.20-r2.ebuild; xfs-sources-2.4.20_pre4.ebuild; xfs-sources-2.4.20_pre5.ebuild;
• dev-php/php - php-4.3.0-r2.ebuild;
• sys-devel/perl - perl-5.8.0-r9.ebuild;
• app-admin/gentoolkit - gentoolkit-0.1.17-r9.ebuild;

6.  Bugzilla

Summary

• Statistics
• Closed Bug Ranking
• New Bug Rankings

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

• 265 new bugs this week
• 1382 total bugs currently marked 'new'
• 548 total bugs curently assigned to developers
• 54 bugs that were previously closed have been reopened.

The current list of developers' open bugs may be found at the Gentoo Bug Count Report.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

• The Gnome Team, with 13 closed bugs
• Martin Schlemmer, with 13 closed bugs
• John P. Davis, with 12 closed bugs
• Mike Frysinger, with 10 closed bugs
• Michael Cummings, with 8 closed bugs

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

• Michael Cummings, with 25 new bugs
• Daniel Robbins, with 12 new bugs
• Martin Schlemmer, with 11 new bugs
• The Gnome Team, with 9 new bugs

7.  Tips and Tricks

Using GnuPG to digitally sign emails

GNU Privacy Guard (GnuPG) is an open source version of the commercial Pretty Good Privacy (PGP) software for creating digital signatures. This weeks Tips and Tricks will cover the creation of a key, exporting your key to a public keyserver, and finally adding your digital signature to email.

# emerge gnupg

(Create the .gnupg directory)
# mkdir $HOME/.gnupg

#  gpg --gen-key
gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1

About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: John Doe
Email address: john.doe@example.com
Comment:

You selected this USER-ID:
	"John Doe <john.doe@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

(Make sure you pick a good password and DON'T FORGET IT)
Enter passphrase: secret
Repeat passphrase: secret

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: /home/johndoe/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.

(The eight character string is your Key ID (in this case, A268D066))
pub  1024D/A268D066 2003-01-17 John Doe <john.doe@example.com>
     Key fingerprint = D435 4979 610B 0BAB F107  64F8 FAF5 94E0 A268 D066
sub  1024g/AB3B30AF 2003-01-17

Now that your key has been made, it needs to be exported to a public keyserver. While this is not required, it's the easiest way for others to get your public key information and verify your information. To send your key, you'll first need to know your Key ID.

(Your Key ID is the eight character string after 1024D/)
% gpg --list-keys
/home/johndoe/.gnupg/pubring.gpg
-------------------------------
pub  1024D/A268D066 2003-01-17 John Doe <john.doe@example.com>
sub  1024g/AB3B30AF 2003-01-17

Now you can export your key.

% gpg --send-keys --keyserver wwwkeys.pgp.net A268D066
gpg: success sending to `wwwkeys.pgp.net' (status=200)

Now that your key has been created and published, you can start using it to sign emails. You'll need to remember your Key ID for this step. If you don't remember it, see the above code listing (Finding your Key ID).

Use the following steps to set up encryption in Evolution:

1. Click on Tools->Settings.
2. Select the Mail Accounts button and the account that will be using the key.
3. Click Edit and then the Security tab. Enter your Key ID in the field entitled PGP/GPG Key ID.
4. Click OK.

set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor \
    --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor \
    --textmode --clearsign %?a?-u %a? %f"
(Insert your Key ID after the --encrypt-to option prefixed by 0x)
set pgp_encrypt_only_command="gpg --batch --quiet --no-verbose --output - --encrypt \ 
    --textmode --armor --always-trust --encrypt-to 0x<your key ID> -- -r %r -- %f"
set pgp_encrypt_sign_command="gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode \
    --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x<your key ID> -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r" 
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r" 
set pgp_autosign=yes
set pgp_sign_as=0x<your key ID>
set pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_good_sign="^gpg: Good signature from"

When you compose a message, press p to sign or encrypt. To only sign your email, select s. Then you can send your message and it will be signed with your digital signature.

The above tips will help you get up and running with gpg, but it is not by any means a complete guide. You should also read GnuPG's excellent documentation section to learn more about important concepts like key revocation, key signing and webs of trust.

8.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

• none this week

Adds

The following developers recently joined the Gentoo team:

• Alain Penders (RexOrient) -- Subversion and nforce2 kernel hacking

Changes

The following developers recently changed roles within the Gentoo project.

• none this week

9.  Subscribe to the GWN mailing list

Would you prefer to receive the GWN via email? Subscribe to our mailing list by sending a blank email to gentoo-gwn-subscribe@gentoo.org.

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:

• Dutch
• English
• German
• French
• Japanese
• Italian
• Portuguese (Brazil)
• Portuguese (Portugal)
• Spanish