Gentoo Weekly Newsletter: January 20th, 2003

Kurt Lieber  Editor
AJ Armstrong  Contributor
Brice Burgess  Contributor
Yuji Carlos Kosugi  Contributor
Rafael Cordones Marcos  Contributor
David Narayan  Contributor
Ulrich Plate  Contributor
Peter Sharp  Contributor
Mathy Vanvoorden  Dutch Translation
Tom Van Laerhoven  Dutch Translation
Roel Adriaans  Dutch Translation
Nicolas Ledez  French Translation
Guillaume Plessis  French Translation
Eric St-Georges  French Translation
John Berry  French Translation
Martin Prieto  French Translation
Michael Kohl  German Translation
Steffen Lassahn  German Translation
Matthias F. Brandstetter  German Translation
Thomas Raschbacher  German Translation
Marco Mascherpa  Italian Translation
Claudio Merloni  Italian Translation
Daniel Ketel  Japanese Translation
Yoshiaki Hagihara  Japanese Translation
Andy Hunne  Japanese Translation
Yuji Carlos Kosugi  Japanese Translation
Ventura Barbeiro  Portuguese (Brazil) Translation
Bruno Ferreira  Portuguese (Portugal) Translation
Lanark  Spanish Translation
Rafael Cordones Marcos  Spanish Translation
Julio Castillo  Spanish Translation
Jaime Freire  Spanish Translation
Sergio Gómez  Spanish Translation

Updated 20th Jan 2003

1.  Gentoo News

Summary

Next Release of Gentoo Linux to be 1.4_rc3

The next release of Gentoo Linux is expected to be released as 1.4_rc3, rather than 1.4_final. This decision was based on a number of factors, including:

And, most importantly, any final release of Gentoo Linux needs to be as stable as possible before being released to our users.

Gentoo PPC developer presents at MIT

The following was a late addition to this week's GWN and therefore may not appear in all translated versions.

Rajiv Manglani, one of Gentoo's developers for the PowerPC platform (and an alumnus of the Massachusetts Institute of Technology himself), is going to give a presentation featuring an overview of Gentoo Linux and a demo of a finished system. Curtains go up at MIT (building no. 4, room 237) on Tuesday, 21 January 2003, from 19:00-20:00, and if you plan on attending, please RSVP to sipb-iap-gentoo@mit.edu.

2.  Gentoo Security

Summary

GLSA: dhcp

ISC's dhcp package has several buffer overflow vulnerabilities which could permit an attacker to remotely execute arbitrary code. No exploits have been reported.

GLSA: fnord

A buffer overrun in fnord's CGI code has been discovered. However, the affected function does not return, so it is unlikely that an exploit could be developed.

GLSA: mod_php php

A flaw in php's wordwrap() function could, if the function is used on user input, lead to a buffer overflow. No exploit has been reported.

New Security Bug Reports

New security bug reports this week include:

3.  Heard In The Community

Web Forums

Gentoo on Laptops

Anybody who's ever tried to put Linux from a Firewire or PCMCIA CD drive onto their notebook PC will instantly recognise the need for support, no matter how Linux-savvy you thought you were: This is the grand art of dealing with hardware that's been misconfigured by vendors and BIOS manglers for use with pre-installed operating systems beyond the point where a simple "install from CD" manual can bail you out. Fortunately, the forums are full of threads dealing with the peculiarities of portable PCs. There's even a Gentoo-driven movement to set up an alternative to Linux-on-Laptops.net, the most famous, but infrequently updated resource for anybody looking to install Linux on something they can carry about. Here's a collection of some of the more active threads in this field, topmost the pointer to Gentoo's own "Linux-on-the-go":

Forum Surveys

As the forum user base is steadily growing, the results of opinion polls are becoming more and more representative. The average Gentoo user seems to pay between 30 and 60 USD a month for a 500+ kbit/s Internet connection, lack proper chairs for their computer desks and drive around in Japanese pickup trucks. Most of these polls lack any sort of scientific value, but some of them are fun to watch. It is impossible to list them all, so check these popular ones and search for others yourself:

Linux PDAs: Sharp Zaurus and Gentoo

A fair number of threads deal with configuration issues to connect the currently best-known Linux PDAs, the Sharp Zaurus series, via USB-networking to their Gentoo desktops. Given the growing range of models and the rather cumbersome tuning necessities of the usbdnet driver, this is hardly astonishing, but in spite of all the tools being present in the kernel sources, many people in the forums have been unable to get it to run. If you have managed and remember how you did it, here's where you could make a few people very happy:

gentoo-user

Research solves problems

A recent thread about portage 2.0.46-r6 accidentally overwriting /etc/make.conf triggered some heat amongst the audience. Gentoo developer Nicholas Jones insisted that this was not an accident (bug), but rather that the poster failed to mention his unique circumstances and assumed that portage 2.0.46-r6 was at fault. It has been resolved that portage copied the original /etc/make.conf to /etc/.cfg0000_make.conf as it should with all config files residing in the /etc directory. This default behavior is configured via "CONFIG_PROTECT" in the environment settings. The thread also makes it clear that Gentoo developers encourage research before accusations.

KMail with S/MIME and PGP/MIME support

Stephen Boulet posted a message asking how to get KMail and OpenPGP to work properly together. Paul de Vrieze responded and noted a bug he had filed regarding the topic. A lengthy discussion ensued about the various intricacies associated with key management and signatures in general. This thread is a great resource for anyone attempting to get PGP and/or S/MIME working in KMail. Users looking for a more general HOWTO on using GnuPG to sign emails should see this week's Tips and Tricks section.

gentoo-dev

Little Tool for Portage.

Alastair Tse wrote: "A couple of months ago, I wrote a small tool to help me view changelogs for packages in the portage. After a while, I added various features I thought were useful, like calculating the size of an installed package, and viewing the enabled USE variables for an ebuild." The tool is called etcat: Portage Information Extractor. Nick Jones said that recent versions of portage also provide information on Changelog entries with the --changelog command-line option.

4.  Gentoo International

Akemashite Omedetou Gozaimasu

...or happy new year in Japanese. Friday night saw the first GentooJP New Year's Celebration, an event that is almost certain to become a tradition, at least for this year's 15 inaugural participants. Everybody who's anybody in Tokyo's bustling Gentoo scene was there, downing large quantities of beer and sake while trying hard not to spill anything on the laptops lying around, munching happily away at Kimchi-Nabe (fish of all denominations swimming in a bowl of Korean spicy cabbage...) and talking shop, of course, what else is there. Sadly missing were Gentooists from the Kansai area, including a number of prominent ebuilders from Osaka and Kyoto, who are of course much more seriously working people and never seem to make it to drinking events in Tokyo. [NB: The GWN team invites you to keep us informed about similar events in your countries.]

A Forum for Gentoo Users in China

While the mainstream user base on the official Gentoo Forums is slowly growing out of proportion, the inability to display Chinese has led to a few frustrated comments by Gentooists from China. Until the official forums can add support for CJK character sets, Chinese Gentooists may want to check out the bustling community active in a Chinese Gentoo forum on LinuxSir.com. Combining what they like to call "DIY Linux", the forum gathers users of both Gentoo and Linux-from-scratch under one umbrella. It is hosted on Linux,Sir!, one of the larger Chinese-language techie communities, emanating that typical BBS-style mix of technical support and entertainment centered around various Linux distributions. LinuxSir currently accommodates roughly 7500 users, predominantly from Shanghai, Chengdu, Dalian, but also from outside mainland China, of course. The popularity of the Gentoo forum is second only to Redhat, but towering over Debian, SuSE, Mandrake and Turbolinux, in spite of their better-known CJK support and adaptability to Chinese users. The software used for Linux,Sir! (vBulletin) is MySQL-based just like forums.gentoo.org, and defaults to GB2312 encoding (Simplified Chinese character set).

5.  Portage Watch

The following stable packages were added to portage this week

Updates to notable packages

6.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

There are currently 1984 bugs open in bugzilla. Of these: 36 are labelled 'blocker', 72 are labelled 'critical', and 120 are labelled 'major'.

The current list of developers' open bugs may be found at the Gentoo Bug Count Report.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

7.  Tips and Tricks

Using GnuPG to digitally sign emails

GNU Privacy Guard (GnuPG) is an open source version of the commercial Pretty Good Privacy (PGP) software for creating digital signatures. This week's Tips and Tricks will cover the creation of a key, exporting your key to a public keyserver, and finally adding your digital signature to email.

Code Listing 7.1: Installing GnuPG

# emerge gnupg

(Create the .gnupg directory)
# mkdir $HOME/.gnupg

Code Listing 7.2: Creating a new key

#  gpg --gen-key
gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1

About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: John Doe
Email address: john.doe@example.com
Comment:

You selected this USER-ID:
	"John Doe <john.doe@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

(Make sure you pick a good password and DON'T FORGET IT)
Enter passphrase: secret
Repeat passphrase: secret

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: /home/johndoe/.gnupg/trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.

(The eight character string is your Key ID (in this case, A268D066))
pub  1024D/A268D066 2003-01-17 John Doe <john.doe@example.com>
     Key fingerprint = D435 4979 610B 0BAB F107  64F8 FAF5 94E0 A268 D066
sub  1024g/AB3B30AF 2003-01-17

Now that your key has been made, it needs to be exported to a public keyserver. While this is not required, it's the easiest way for others to get your public key information and verify your information. To send your key, you'll first need to know your Key ID.

Code Listing 7.3: Finding your Key ID

(Your Key ID is the eight character string after 1024D/)
% gpg --list-keys
/home/johndoe/.gnupg/pubring.gpg
-------------------------------
pub  1024D/A268D066 2003-01-17 John Doe <john.doe@example.com>
sub  1024g/AB3B30AF 2003-01-17

Now you can export your key.

Code Listing 7.4: Export your key to a public keyserver

% gpg --send-keys --keyserver wwwkeys.pgp.net A268D066
gpg: success sending to `wwwkeys.pgp.net' (status=200)
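
Anyone who fetches your key from the keyserver by its eight-character Key ID should compare the full fingerprint with one you gave them directly, because the Key ID is only the last eight hex digits of that fingerprint. The script below is an added example, not part of the original newsletter; its function names are made up for illustration and the second key in the sample listing is constructed.

```shell
#!/bin/sh
# Constructed sample in the GnuPG 1.2 "gpg --fingerprint" layout used above.
# Key 1 is the key from the listings; key 2 is an invented look-alike whose
# fingerprint ends in the same eight hex digits.
SAMPLE_LISTING='pub  1024D/A268D066 2003-01-17 John Doe <john.doe@example.com>
     Key fingerprint = D435 4979 610B 0BAB F107  64F8 FAF5 94E0 A268 D066
sub  1024g/AB3B30AF 2003-01-17

pub  1024D/A268D066 2003-01-19 John Doe <john.doe@example.com>
     Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF A268 D066
sub  1024g/11223344 2003-01-19'

# Strip whitespace and an optional 0x prefix, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF' | sed 's/^0[xX]//'
}

# The short Key ID is the last eight hex digits of the fingerprint.
short_id() {
    normalize_fpr "$1" | sed 's/.*\(........\)$/\1/'
}

# Read a listing on stdin, print one normalized fingerprint per key.
list_fprs() {
    sed -n 's/^ *Key fingerprint = //p' | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# count_by_short_id LISTING KEYID: number of keys that carry this Key ID.
count_by_short_id() {
    printf '%s\n' "$1" | list_fprs |
        awk -v id="$(normalize_fpr "$2")" \
            'substr($0, length($0) - 7) == id { n++ } END { print n + 0 }'
}

# verify_fpr LISTING EXPECTED: 0 if exactly one key has the full 40-digit
# fingerprint obtained out of band, 1 if none does, 2 if EXPECTED is malformed.
verify_fpr() {
    want=$(normalize_fpr "$2")
    case $want in *[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    printf '%s\n' "$1" | list_fprs |
        awk -v fpr="$want" '($0 "") == (fpr "") { n++ } END { exit (n == 1 ? 0 : 1) }'
}
```

On the sample listing, count_by_short_id reports two keys for A268D066, while verify_fpr accepts only the full fingerprint printed when the key was generated.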

Now that your key has been created and published, you can start using it to sign emails. You'll need to remember your Key ID for this step. If you don't remember it, see the above code listing (Finding your Key ID).

Use the following steps to set up encryption in Evolution:

  1. Click on Tools->Settings.
  2. Select the Mail Accounts button and the account that will be using the key.
  3. Click Edit and then the Security tab. Enter your Key ID in the field entitled PGP/GPG Key ID.
  4. Click OK.

Now when you compose a message, select Security->PGP Sign to add your digital signature to your email.

$HOME/.muttrc

Code Listing 7.5: GPG settings in ~/.muttrc

set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch --output - %f"
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %f"
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --output - %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor \
    --detach-sign --textmode %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphrase-fd 0 --armor \
    --textmode --clearsign %?a?-u %a? %f"
(Insert your Key ID after the --encrypt-to option prefixed by 0x)
(pgpewrap ships with mutt and turns the "-- -r %r --" part into one -r option per recipient)
(--always-trust makes gpg skip its validity check on the recipients' keys)
set pgp_encrypt_only_command="pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt \
    --textmode --armor --always-trust --encrypt-to 0x<your key ID> -- -r %r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 --batch --quiet --no-verbose --textmode \
    --output - --encrypt --sign %?a?-u %a? --armor --always-trust --encrypt-to 0x<your key ID> -- -r %r -- %f"
set pgp_import_command="gpg --no-verbose --import -v %f"
set pgp_export_command="gpg --no-verbose --export --armor %r"
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --check-sigs %r"
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --list-keys %r" 
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --list-secret-keys %r" 
set pgp_autosign=yes
set pgp_sign_as=0x<your key ID>
set pgp_replyencrypt=yes
set pgp_timeout=1800
set pgp_good_sign="^gpg: Good signature from"

When you compose a message, press p to sign or encrypt. To only sign your email, select s. Then you can send your message and it will be signed with your digital signature.

The above tips will help you get up and running with gpg, but they are not by any means a complete guide. You should also read GnuPG's excellent documentation section to learn more about important concepts like key revocation, key signing and webs of trust.

8.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

Adds

The following developers recently joined the Gentoo team:

Changes

The following developers recently changed roles within the Gentoo project.

9.  Subscribe to the GWN mailing list

Would you prefer to receive the GWN via email? Subscribe to our mailing list by sending a blank email to gentoo-gwn-subscribe@gentoo.org.

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages: