Gentoo Weekly Newsletter: January 27th, 2003
Gentoo Linux at LinuxWorld Expo
Gentoo Linux had a strong showing at last week's LinuxWorld Expo. Showing off the recently-released Linux
port of Unreal Tournament 2003, the Gentoo booth drew large crowds throughout the show. Many of the
attendees were unfamiliar with Gentoo Linux, so this was a great opportunity to educate a highly-targeted
audience about the many benefits of Gentoo. While we received inquiries from a wide range of people,
there seemed to be a specific interest from the scientific community, with several attendees expressing
an interest in using Gentoo Linux for their research projects.
It was also a great opportunity for many of the developers and avid Gentoo users to finally meet
face to face. All told, nearly a dozen developers showed up for part or all of the show.
Amazingly, few people looked like they do on IRC. For those who were unable to attend LWE, we've
included a few pictures with this week's issue.
Figure 1.1: The Gentoo Linux booth at LinuxWorld Expo
Figure 1.2: Gerk spent much of his time burning CDs for attendees
Figure 1.3: Seemant Kulleen (left) and Daniel Robbins
GLSAs being integrated into Portage
Nick Jones announced his intention to integrate Gentoo Linux Security Announcements (GLSAs) into Portage.
The proposed method is converting GLSAs to XML format to allow for easy integration into Portage,
allowing users to only update packages that are affected by GLSAs. While the details still need to be
worked out, this will certainly be a welcome feature by many Gentoo users and will make running Gentoo
on servers where stability is paramount an easier task.
GLSA: vim vim-core gvim
The vim editor and associated packages contain a bug which permits execution of un-sandboxed modeline commands.
This permits a maliciously crafted textfile to execute arbitrary code with the user's privileges. The advisory also
notes an unconfirmed report of a similar problem with local variables in emacs. An exploit has been demonstrated.
- Severity: Moderate to High - arbitrary code execution.
- Packages Affected: app-editors/vim-core (prior to 6.1-r4), vim (prior to 6.1-r19), gvim (prior to 6.1-r6).
- Rectification: Synchronize and emerge -u vim-core vim gvim
- GLSA Announcement
GLSA: cvs
Maliciously malformed directory names can be used to trigger an error in CVS that can result in a global pointer being freed twice.
This condition could be used to determine heap memory locations as a prelude to other attacks using the CVS server's privilege level
(potentially root). No exploits in the wild are reported.
- Severity: Critical - remote information leak, security exposure of systems vulnerable to double-free pointer bugs.
- Packages Affected: dev-util/cvs versions prior to 1.11.5
- Rectification: Synchronize and emerge -u cvs
- GLSA Announcement
GLSA: kde
In some cases, KDE may fail to properly quote execution parameters. This could permit arbitrary command execution (with the target user's privileges)
through the use of carefully crafted URLs, email addresses and filenames. Exploits have been demonstrated.
This report is related to an earlier report of a vulnerability in kde-3.0.x.
- Severity: High - remote execution of code, exploits in the wild.
- Packages Affected: kde-base/kde2.2.x
- Rectification: Synchronize and emerge -u kde
- GLSA Announcement
Note: The updated ebuilds for kde-2.2.2 are currently only marked stable for x86.
New Security Bug Reports
There are no new security bugs this week. The mpg123 bug mentioned last week remains open, but the message traffic implies that the issue may not be a concern for the version currently in the Portage tree.
The bug is still open because of a potential issue with frame size calculation in the current version.
Featured Developer of the Week
Figure 3.1: Nicholas Jones
Nicholas Jones, this week's (and the inaugural) Featured Developer, is the current maintainer of Portage. Subscribers to the mailing lists will have his response to the recent /etc/make.conf fiasco fresh in their minds, whereas those who frequent the IRC channel (#gentoo on irc.freenode.net) or the forums will have seen him as carpaski, responding to Portage feature requests and resolving various problems. IRC, actually, is where Nick got started with the Gentoo team: he was a regular who helped out with things and submitted ebuilds and patches, so the developers snapped him up and got him onboard. Now, as Portage maintainer, he plans and codes new features for Portage, making sure that changes are as modular as possible to facilitate testing and debugging, as well as reviewing bug reports, looking for problems to solve and features that can be merged into Portage.
A self-proclaimed console junkie, Nick's favorite applications include Midnight Commander, vi, lsof, and bash. He uses Enlightenment 16.5 - and only Enlightenment 16.5 - for window management, and mutt for mail. Using his scripting skills, Nick has done some work remotely administering UNIX machines, and has also worked as a network engineer on a US government backbone. Amazingly enough, when he's not busy hacking and testing Portage or doing administration work, you'll find him studying at the Illinois Institute of Technology in Chicago, IL. After all that it's hard to imagine that he'd have time left for other pursuits, but Nick says he likes wine and music - both listening to it and playing it on guitar - as well as frisbee and racquetball.
Heard In The Community
emerge-webrsync Tool Problems
A recent thread in the forums was promoted to an alert when it was discovered that an upgrade to the emerge-webrsync tool from the gentoolkit had resulted in the potential for it to delete the /usr directory on machines where it was run. emerge-webrsync is a tool for automatically updating the local Portage directory from the daily snapshots on machines that are prevented from using emerge sync (for example, on machines behind firewalls that block rsync). A number of users reported substantial (and possibly unrecoverable) damage to their installations. The problem was reported in this bug report. The issue was apparently resolved in gentoolkit-r11.
Much Moaning About Ibiblio
People all over the planet are struggling to get decent download speeds from the Ibiblio server that provides the packages for Gentoo installations. Not a major problem as long as everybody was content to grab a stage1 tarball and take it from there, but since the introduction of the Gentoo Reference Platform and its collection of precompiled binaries, the CD images have grown to "normal" size around 500 MB each, and the complaints are getting louder, on the IRC channels and the forums. If it wasn't for the fact that many of those complaining have simply failed to embrace any of the dozens of mirrors listed at the official Gentoo website and Ibiblio itself...
Automatic Writing Resurrected
One of the Forum's all-time classics is back: After a break over Christmas and New Year's, the "Story By Post" thread has been reanimated. Knitted with one-liners that fit exceptionally well within the general direction the story will take (except that nobody actually knows where it's going), each contribution adds to a great recital involving (so far) the marmalade cat, Ellen Feiss, the wonder boy, Peter Falk and many others still rubbing their eyes in disbelief, wondering how they ended up starring in a prose artifact hovering on a technical support forum. Another thread in a similar genre has been left alone for a while - well, until now. This one actually comes with its own meta-thread:
fghellar, one of the Forum's bodhisattvas and an honorary headcounter, has posted an update on the number of users currently registered at the site. Hard to estimate how many of these are active or at least passively reading stuff, but the sheer numbers are impressive. Constantly updated statistics can be watched by clicking on the official statistics link in the top menu, but for a historical perspective on growth in the Gentoo forums check the first link:
More praise for Phoenix
A lengthy discussion took place on gentoo-user about the buggy misbehavior of Mozilla. It seems that almost
everyone and their mother has complained about bad plugin support, sluggishness and crashes -- especially when
dealing with Gentoo's Mozilla sources. Even with Rafa's
on compiling Mozilla without mail and news support
on using the mozilla.org tarballs, the complaints remained widespread. Phoenix was mentioned
as an alternative and the audience gave nothing but praise. Phoenix is a non-bloated redesign of the Mozilla browser
component which admittedly runs much faster and embraces the java and flash plugins on Gentoo systems without
even encouraged happy Mozilla users to switch to Phoenix. If you've been fighting with Mozilla,
you may want to experiment with Phoenix if you don't need Moz's mail & news.
Most of us gentoo users are not satisfied with an OK system. We'd much rather have our software tweaked just enough
to squeeze an extra 5hp out of that already souped up 750hp big block. The number one place to muster this extra horsepower
is the Linux kernel. We can worry about the CFLAGS later. Gentoo is stocked with many different kernel sources other than the -gentoo ones, and all come
with their unique advantages and disadvantages as determined by the patches involved with them. These patches are applied
against the 'vanilla' source resulting in a modified kernel. An example of these patches,
, was described within the thread.
Aniruddha Shankar started the
by boasting of his happiness with using Con Kolivas's kernel (-ck sources) for his desktop system. As always,
Gentoo users are encouraged to tailor their system to their needs, and a good place to start is the kernel.
Methods for managing etc files.
asked about the
techniques to use to manage updating etc files after an upgrade. Matthew Walker answered
that etc-update may be what he was looking for.
Gentoo-sources vs "stock" kernels.
Dewet Diener wrote
to ask: "I'm wondering what the general status of gentoo-sources is compared to the more
"stock" kernels, like vanilla and -ac? Is it being used in production-class setups without
hitches?". Kim Nielsen replied
with "The gentoo kernel is quite stable but Gentoo was never meant as a server distribution even though it
serves just as well as others like Redhat or Debian. It was intended for network/developer use."
Thomas T. Veldhouse chipped in
with: "I don't think there is any such intent. By what I can see and know about
Gentoo, it is for any use that one sees fit. It was never designed for any
particular application. [...] it is up to the administrator to make sure that gentoo changes
don't hose a production machine".
Unofficial European Gentoo Websites
While the official Gentoo website struggles to keep up with the multilingual cacophony created by the enormous wave of popularity crashing over its head, many non-English websites have taken over the part of support for local communities. Today we take a closer look at some European sites: French-speaking users, for example, have been blessed with a dynamic news and discussion site of their own for many months now. The forum section is not as active as the French board at forums.gentoo.org, but manages to coexist peacefully. But the real strength of "Da Gentoo" lies in its news coverage, delivered not only to common browsers: Gentoofr.org news are being served for PDAs and for WAP-enabled mobile phones. The German Gentoo project is probably the oldest outside of the US (it started sometime back in April 2002), but hasn't lost its appetite yet. Gentoo.de (like many other international sites, e.g. Korea and Japan) is focussed on documentation, but more importantly provides a large number of supplementary "regional" ebuilds with spellcheckers and localized Openoffice-bin versions, and the occasional tool for users with specific homegrown problems (a PPPoE tarball for DSL users in Germany can be downloaded from the project's FTP server). The Danish site has its emphasis equally on projects and development, and is currently looking for contributors and people who can help with PHP coding. The news section definitely needs a blood transfusion; there haven't been any updates since May 2002. The Norwegian website has a comparatively low profile, apparently content to just provide a few links to mirror servers and information resources. But it's highly unfair to just point out the websites: The most buzz for the buck comes from the many non-English IRC channels on Freenode! Anybody who wants to get a feel for the huge user base Gentoo has in many European countries, just check out the Dutch or the Portuguese #gentoo-nl or #gentoo-pt channels via irc.freenode.net...
With a channel like #gentoo-fi, who needs a Finnish website, and the Swedes even have their own IRC statistics:
The following stable packages were added to portage this week
Note: Because of the pending release of 1.4_final, the Portage tree is currently frozen. As such, no new stable packages were introduced to Portage this week.
Updates to notable packages
- sys-devel/gcc - gcc-3.2.1-r7.ebuild;
- sys-kernel/* - aa-sources-2.4.21_pre3-r1.ebuild; development-sources-2.5.59-r1.ebuild; development-sources-2.5.59-r2.ebuild; development-sources-2.5.59.ebuild; gs-sources-2.4.21_pre3-r1.ebuild; gs-sources-2.4.21_pre3-r2.ebuild; mips-sources-2.4.19.ebuild; openmosix-sources-2.4.20-r2.ebuild;
- net-www/apache - apache-2.0.44.ebuild;
- app-admin/gentoolkit - gentoolkit-0.1.17-r10.ebuild; gentoolkit-0.1.17-r11.ebuild;
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity
on the site has resulted in:
There are currently 2104 bugs open in bugzilla. Of these: 40 are labelled 'blocker', 76 are labelled 'critical',
and 144 are labelled 'major'.
- 258 new bugs this week
- 1491 total bugs currently marked 'new'
- 559 total bugs currently assigned to developers
- 54 bugs that were previously closed have been reopened.
The current list of developers' open bugs may be found at the
Gentoo Bug Count Report.
Closed Bug Rankings
The developers and teams who have closed the most bugs this week are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs this week are:
Tips and Tricks
Using Procmail and SpamAssassin to Block Spam and Filter Mailing Lists
The proliferation of unsolicited email, or spam, is becoming more and more widespread. However, there are many tools to help prevent spam. This week, we look at using Procmail and SpamAssassin to filter incoming mail and to block incoming spam. Procmail is a mail filter that can be used to sort incoming mail into separate folders as well as to perform many other types of mail preprocessing. SpamAssassin is a mail filter that uses heuristic scanning to identify spam.
Since both Procmail and SpamAssassin are in Portage, installation is a simple emerge.
Code Listing 1.1: Installing Procmail and SpamAssassin
# emerge net-mail/procmail
# emerge dev-perl/Mail-SpamAssassin
# rc-update add spamd default
When upgrading Perl to a higher version, you need to re-emerge dev-perl/Net-DNS, dev-perl/HTML-Parser, and dev-perl/Time-HiRes or SpamAssassin will exit and possibly discard valid emails.
Each procmail filter is known as a recipe. To keep things organized, we're going to create the directory $HOME/.procmail for separate recipes.
Code Listing 1.2: Creating ~/.procmail
% mkdir $HOME/.procmail
Upon invocation, procmail first reads the $HOME/.procmailrc file. This file should contain the location of your mailbox and where to look for other recipes.
Code Listing 1.3: Example $HOME/.procmailrc
# Mailbox location: a trailing slash tells procmail to deliver in Maildir format
MAILDIR=$HOME/.maildir
DEFAULT=$MAILDIR/
# Recipe files, read in this order
INCLUDERC=$HOME/.procmail/lists.rc
INCLUDERC=$HOME/.procmail/spam.rc
This assumes that you are using the Maildir method of storing email. If you are using the mbox method, simply change .maildir to your mbox folder and remove the trailing slash.
$HOME/.procmailrc is read from top to bottom. This means that your recipes will be read in the order in which they appear. Procmail stops checking on the first recipe that matches. Keeping lists.rc above spam.rc ensures that mailing-list filters are checked first, avoiding expensive spam checking operations where possible.
The next step is to set up mailing list filters. Since most lists use the List-Id header, we can easily filter out mailing lists from normal email.
Code Listing 1.4: Example $HOME/.procmail/lists.rc
# One recipe per list: match the List-Id header and deliver to a folder
# (folder names are examples; they are relative to MAILDIR)
:0:
* ^List-Id: Gentoo Linux mail <gentoo-security\.gentoo\.org>
.gentoo-security/
:0:
* ^List-Id: Gentoo Linux mail <gentoo-user\.gentoo\.org>
.gentoo-user/
To see the actual List-Id header, you may need to view all email headers. See your mail client's documentation to enable that feature.
Next, we can set up the spam filter. This recipe first invokes SpamAssassin using spamc and then checks the X-Spam-Status header. If the message is identified as spam, it is moved to the spam folder.
Code Listing 1.5: Example $HOME/.procmail/spam.rc
# Filter recipe (f): pass the message through spamc, which adds X-Spam-* headers;
# w waits for spamc to finish and keeps the original if it fails
:0fw
| /usr/bin/spamc -f
# Deliver tagged messages to the spam folder
:0:
* ^X-Spam-Status: Yes
.spam/
While SpamAssassin is very good, it is not 100% accurate so using /dev/null as your spam folder may result in some lost email. It is better to move spam to a separate folder and manually delete messages.
spamc connects to the SpamAssassin daemon (spamd). If for some reason you cannot use the daemon, SpamAssassin can be called directly using /usr/bin/spamassassin -a.
You should now be set up to filter your email and block most spam. For more information on Procmail or SpamAssassin, see their system documentation with man procmail and perldoc Mail::SpamAssassin or the associated websites at http://www.procmail.org and http://www.spamassassin.org.
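To see why the order of the include files matters, here is an added example (not the newsletter's own code) in Python: a tiny procmail-style evaluator that parses recipe text in the shape of lists.rc and spam.rc and routes three constructed messages. The folder names, the sample mail and the spamc stand-in (a marker-word check, not SpamAssassin's scoring) are assumptions.

```python
import re

# Constructed recipe text mirroring lists.rc followed by spam.rc from the tip.
# Folder names (.gentoo-security/, .spam/) are assumed; the tip does not name them.
RECIPES = r"""
:0:
* ^List-Id: Gentoo Linux mail <gentoo-security\.gentoo\.org>
.gentoo-security/
:0fw
| /usr/bin/spamc -f
:0:
* ^X-Spam-Status: Yes
.spam/
"""

def fake_spamc(msg):
    """Stand-in for 'spamc -f' (not SpamAssassin's scoring): tag on a marker word."""
    verdict = "Yes" if "FREE MONEY" in msg.split("\n\n", 1)[-1] else "No"
    return "X-Spam-Status: %s\n%s" % (verdict, msg)

def parse_recipes(text):
    """Split recipe text into (flags, [condition regexes], action) tuples."""
    recipes, cur = [], None
    for line in text.strip().splitlines():
        if line.startswith(":0"):          # new recipe; flags follow ':0'
            cur = [line[2:], [], None]
            recipes.append(cur)
        elif line.startswith("*"):         # condition: egrep-style regex
            cur[1].append(line[1:].strip())
        else:                              # action: folder or '|' pipe
            cur[2] = line.strip()
    return [tuple(r) for r in recipes]

def deliver(msg, recipes):
    """procmail semantics: a filter recipe ('f' flag, pipe action) rewrites the
    message and continues; the first matching delivering recipe wins (None = DEFAULT)."""
    for flags, conds, action in recipes:
        headers = msg.split("\n\n", 1)[0]
        if not all(re.search(c, headers, re.M | re.I) for c in conds):
            continue
        if action.startswith("|") and "f" in flags:
            msg = fake_spamc(msg)
            continue
        return action
    return None

LIST_MAIL = "From: dev@example.org\nList-Id: Gentoo Linux mail <gentoo-security.gentoo.org>\nSubject: FREE MONEY thread\n\nlist traffic"  # constructed
SPAM = "From: x@example.org\nSubject: hi\n\nFREE MONEY now"  # constructed
HAM = "From: y@example.org\nSubject: lunch\n\nsee you at noon"  # constructed

def route_samples():
    """Where each sample lands; the list mail is filed before spamc ever runs."""
    recipes = parse_recipes(RECIPES)
    return {n: deliver(m, recipes) for n, m in
            [("list", LIST_MAIL), ("spam", SPAM), ("ham", HAM)]}
```

Swapping the two include lines would send the list mail through spamc first, which is exactly the wasted work the tip warns about.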
Moves, Adds and Changes
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo team:
The following developers recently changed roles within the Gentoo project.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make GWN better.
The Gentoo Weekly Newsletter is also available in the following languages: