
Gentoo Weekly Newsletter: January 27th, 2003

Content:

1.  Gentoo News


Gentoo Linux at LinuxWorld Expo

Gentoo Linux had a strong showing at last week's LinuxWorld Expo. Showing off the recently-released Linux port of Unreal Tournament 2003, the Gentoo booth drew large crowds throughout the show. Many of the attendees were unfamiliar with Gentoo Linux, so this was a great opportunity to educate a highly-targeted audience about the many benefits of Gentoo. While we received inquiries from a wide range of people, there seemed to be a specific interest from the scientific community, with several attendees expressing an interest in using Gentoo Linux for their research projects.

It was also a great opportunity for many of the developers and avid Gentoo users to finally meet face to face. All told, nearly a dozen developers showed up for part or all of the show. Amazingly, few people looked like they do on IRC. For those who were unable to attend LWE, we've included a few pictures with this week's issue.


Figure 1.1: The Gentoo Linux booth at LinuxWorld Expo



Figure 1.1: Gerk spent much of his time burning CDs for attendees



Figure 1.1: Seemant Kulleen (left) and Daniel Robbins


GLSAs being integrated into Portage

Nick Jones announced his intention to integrate Gentoo Linux Security Announcements (GLSAs) into Portage. The proposed method is to convert GLSAs to XML format for easy integration into Portage, allowing users to update only the packages that are affected by GLSAs. While the details still need to be worked out, this will certainly be a welcome feature for many Gentoo users and will make running Gentoo on servers where stability is paramount an easier task.

2.  Gentoo Security


GLSA: vim vim-core gvim

The vim editor and associated packages contain a bug which permits execution of un-sandboxed modeline commands. This permits a maliciously crafted text file to execute arbitrary code with the user's privileges. The advisory also notes an unconfirmed report of a similar problem with local variables in emacs. An exploit has been demonstrated.

  • Severity: Moderate to High - arbitrary code execution.
  • Packages Affected: app-editors/vim-core (prior to 6-1-r4), vim (prior to 6.1-r19), gvim (prior to 6.1-r6).
  • Rectification: Synchronize and emerge -u vim-core vim gvim
  • GLSA Announcement
  • Advisory

GLSA: cvs

Maliciously malformed directory names can be used to trigger an error in CVS that can result in a global pointer being freed twice. This condition could be used to determine heap memory locations as a prelude to other attacks using the CVS servers' privilege level (potentially root). No exploits in the wild are reported.

  • Severity: Critical - remote information leak, security exposure of systems vulnerable to double-free pointer bugs.
  • Packages Affected: dev-util/cvs versions prior to 1.11.5
  • Rectification: Synchronize and emerge -u cvs
  • GLSA Announcement
  • Advisory

GLSA: kde-2.2.x

In some cases, KDE may fail to properly quote execution parameters. This could permit arbitrary command execution (with the target user's privileges) through the use of carefully crafted URLs, email addresses and filenames. Exploits have been demonstrated. This report is related to an earlier report of a vulnerability in kde-3.0.x.

  • Severity: High - remote execution of code, exploits in the wild.
  • Packages Affected: kde-base/kde2.2.x
  • Rectification: Synchronize and emerge -u kde
  • GLSA Announcement
  • Advisory

Note: The updated ebuilds for kde-2.2.2 are currently only marked stable for x86.

New Security Bug Reports

There are no new security bugs this week. The mpg123 bug mentioned last week remains open, but the message traffic implies that the issue may not be a concern for the version currently in the portage tree. The bug is still open because of a potential issue with frame size calculation in the current version.

3.  Featured Developer of the Week

Nicholas Jones


Figure 3.1: Nicholas Jones


Nicholas Jones, this week's (and the inaugural) Featured Developer, is the current maintainer of Portage. Subscribers to the mailing lists will have his response to the recent /etc/make.conf fiasco fresh in their minds, whereas those who frequent the IRC channel (#gentoo on irc.freenode.net) or the forums will have seen him as carpaski, responding to Portage feature requests and resolving various problems. IRC, actually, is where Nick got started with the Gentoo team: a regular who helped out with things and submitted ebuilds and patches, the developers snapped him up and got him onboard. Now, as Portage maintainer, he plans and codes new features for Portage, making sure that changes are as modular as possible to facilitate testing and debugging, as well as reviewing bug reports, looking for problems to solve and features that can be merged into portage.

A self-proclaimed console junky, Nick's favorite applications include Midnight Commander, vi, lsof, and bash. He uses Enlightenment 16.5 - and only Enlightenment 16.5 - for window management, and mutt for mail. Using his scripting skills, Nick has done some work remotely administering UNIX machines, and has also worked as a network engineer on a US government backbone. Amazingly enough, when he's not busy hacking and testing Portage or doing administration work, you'll find him studying at the Illinois Institute of Technology in Chicago, IL. After all that it's hard to imagine that he'd have time left for other pursuits, but Nick says he likes wine and music - both listening to it and playing it on guitar, as well as frisbee and racquetball.

4.  Heard In The Community

Web Forums

emerge-webrsync Tool Problems

A recent thread in the forums was promoted to an alert when it was discovered that an upgrade to the emerge-webrsync tool from the gentoolkit had resulted in the potential for it to delete the /usr directory on machines where it was run. emerge-webrsync is a tool for automatically updating the local portage directory from the daily snapshots on machines that are prevented from using emerge sync (for example, on machines behind firewalls that block rsync). A number of users reported substantial (and possibly unrecoverable) damage to their installations. The problem was reported in this bug report. The issue was apparently resolved in gentoolkit-r11.

Much Moaning About Ibiblio

People all over the planet are struggling to get decent download speeds from the Ibiblio server that provides the packages for Gentoo installations. Not a major problem as long as everybody was content to grab a stage1 tarball and take it from there, but since the introduction of the Gentoo Reference Platform and its collection of precompiled binaries, the CD images have grown to "normal" size around 500 MB each, and the complaints are getting louder, on the IRC channels and the forums. If it wasn't for the fact that many of those complaining have simply failed to embrace any of the dozens of mirrors listed at the official Gentoo website and Ibiblio itself...

Automatic Writing Resurrected

One of the Forum's all-time classics is back: After a break over Christmas and New Year's, the "Story By Post" thread has been reanimated. Knitted with one-liners that fit exceptionally well within the general direction the story will take (except that nobody actually knows where it's going), each contribution adds to a great recital involving (so far) the marmalade cat, Ellen Feiss, the wonder boy, Peter Falk and many others still rubbing their eyes in disbelief, wondering how they ended up starring in a prose artifact hovering on a technical support forum. Another thread in a similar genre has been left alone for a while - well, until now. This one actually comes with its own meta-thread:

Forum Statistics

fghellar, one of the Forum's bodhisattvas and an honorary headcounter, has posted an update on the number of users currently registered at the site. Hard to estimate how many of these are active or at least passively reading stuff, but the sheer numbers are impressive. Constantly updated statistics can be watched by clicking on the official statistics link in the top menu, but for a historical perspective on growth in the Gentoo forums check the first link:

gentoo-user

More praise for Phoenix

A lengthy discussion took place on gentoo-user about the buggy misbehavior of Mozilla. It seems that almost everyone and their mother has complained about bad plugin support, sluggishness and crashes -- especially when dealing with Gentoo's Mozilla sources. Even with Rafa's tip on compiling Mozilla without mail and news support and Steve's point on using the mozilla.org tarballs, the complaints remained widespread. Phoenix was mentioned as an alternative and the audience gave nothing but praise. Phoenix is a non-bloated redesign of the Mozilla browser component which admittedly runs much faster and embraces the java and flash plugins on Gentoo systems without hesitation. The thread even encouraged happy Mozilla users to switch to Phoenix. If you've been fighting with Mozilla, you may want to experiment with Phoenix if you don't need Moz's mail & news.

Kernel Performance

Most of us Gentoo users are not satisfied with an OK system. We'd much rather have our software tweaked just enough to squeeze an extra 5hp out of that already souped up 750hp big block. The number one place to muster this extra horsepower is the Linux kernel. We can worry about the CFLAGS later. Gentoo is stocked with many different kernel sources other than the -gentoo ones, and all come with their unique advantages and disadvantages as determined by the patches involved with them. These patches are applied against the 'vanilla' source resulting in a modified kernel. An example of these patches, rmap, was described within the thread. Aniruddha Shankar started the discussion by boasting of his happiness with using Con Kolivas's kernel (-ck sources) for his desktop system. As always, Gentoo users are encouraged to tailor their system to their needs, and a good place to start is the kernel.

gentoo-dev

Methods for managing etc files.

Jeff Kowing asked about the techniques to use to manage updating etc files after an upgrade. Matthew Walker answered very succinctly that etc-update may be what he was looking for.

Gentoo-sources vs "stock" kernels.

Dewet Diener wrote to ask: "I'm wondering what the general status of gentoo-sources is compared to the more "stock" kernels, like vanilla and -ac? Is it being used in production-class setups without hitches?". Kim Nielsen replied with "The gentoo kernel is quite stable but Gentoo was never meant as a server distribution even though it serves just as well as others like Redhat or Debian. It was intended for network/developer use." Thomas T. Veldhouse chipped in with: "I don't think there is any such intent. By what I can see and know about Gentoo, it is for any use that one sees fit. It was never designed for any particular application. [...] it is up to the administrator to make sure that gentoo changes don't hose a production machine".

5.  Gentoo International

Unofficial European Gentoo Websites

While the official Gentoo website struggles to keep up with the multilingual cacophony created by the enormous wave of popularity crashing over its head, many non-English websites have taken over the part of support for local communities. Today we take a closer look at some European sites: French-speaking users, for example, have been blessed with a dynamic news and discussion site of their own for many months now. The forum section is not as active as the French board at forums.gentoo.org, but manages to coexist peacefully. But the real strength of "Da Gentoo" lies in its news coverage, delivered not only to common browsers: Gentoofr.org news are being served for PDAs and for WAP-enabled mobile phones. The German Gentoo project is probably the oldest outside of the US (it started sometime back in April 2002), but hasn't lost its appetite yet. Gentoo.de (like many other international sites, e.g. Korea and Japan) is focussed on documentation, but more importantly provides a large number of supplementary "regional" ebuilds with spellcheckers and localized Openoffice-bin versions, and the occasional tool for users with specific homegrown problems (a PPPoE tarball for DSL users in Germany can be downloaded from the project's FTP-server). The Danish site has its emphasis equally on projects and development, and is currently looking for contributors and people who can help with PHP coding. The news section definitely needs a blood transfusion, there haven't been any updates since May 2002. The Norwegian website has a comparatively low profile, apparently content to just provide a few links to mirror servers and information resources. But it's highly unfair to just point out the websites: The most buzz for the buck comes from the many non-English IRC channels on Freenode! Anybody who wants to get a feel for the huge user base Gentoo has in many European countries, just check out the Dutch or the Portuguese #gentoo-nl or #gentoo-pt channels via irc.freenet.org... 
With a channel like #gentoo-fi, who needs a Finnish website, and the Swedes even have their own IRC statistics:

6.  Portage Watch

The following stable packages were added to portage this week

Note: Because of the pending release of 1.4_final, the Portage tree is currently frozen. As such, no new stable packages were introduced to Portage this week.

Updates to notable packages

  • sys-devel/gcc - gcc-3.2.1-r7.ebuild;
  • sys-kernel/* - aa-sources-2.4.21_pre3-r1.ebuild; development-sources-2.5.59-r1.ebuild; development-sources-2.5.59-r2.ebuild; development-sources-2.5.59.ebuild; gs-sources-2.4.21_pre3-r1.ebuild; gs-sources-2.4.21_pre3-r2.ebuild; mips-sources-2.4.19.ebuild; openmosix-sources-2.4.20-r2.ebuild;
  • net-www/apache - apache-2.0.44.ebuild;
  • app-admin/gentoolkit - gentoolkit-0.1.17-r10.ebuild; gentoolkit-0.1.17-r11.ebuild;

7.  Bugzilla


Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 258 new bugs this week
  • 1491 total bugs currently marked 'new'
  • 559 total bugs currently assigned to developers
  • 54 bugs that were previously closed have been reopened.

There are currently 2104 bugs open in bugzilla. Of these: 40 are labelled 'blocker', 76 are labelled 'critical', and 144 are labelled 'major'.

The current list of developers' open bugs may be found at the Gentoo Bug Count Report.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

8.  Tips and Tricks

Using Procmail and SpamAssassin to Block Spam and Filter Mailing Lists

The proliferation of unsolicited email, or spam, is becoming more and more widespread. However, there are many tools to help prevent spam. This week, we look at using Procmail and SpamAssassin to filter incoming mail and to block incoming spam. Procmail is a mail filter that can be used to sort incoming mail into separate folders as well as many other types of mail preprocessing. SpamAssassin is a mail filter that uses heuristic scanning to identify spam.

Since both Procmail and SpamAssassin are in Portage, installation is a simple emerge.

Code Listing 1.1: Installing Procmail and SpamAssassin

# emerge net-mail/procmail
# emerge dev-perl/Mail-SpamAssassin

(Add the SpamAssassin daemon to the default runlevel)
# rc-update add spamd default

Important: When upgrading Perl to a higher version, you need to re-emerge dev-perl/Net-DNS, dev-perl/HTML-Parser, and dev-perl/Time-HiRes or SpamAssassin will exit and possibly discard valid emails.

Each procmail filter is known as a recipe. To keep things organized, we're going to create the directory $HOME/.procmail for separate recipes.

Code Listing 1.1: Creating ~/.procmail

% mkdir $HOME/.procmail

Upon invocation, procmail first reads the $HOME/.procmailrc file. This file should contain the location of your mailbox and where to look for other recipes.

Code Listing 1.1: Example $HOME/.procmailrc

VERBOSE=no

DEFAULT="$HOME/.maildir/"
MAILDIR="$HOME/.maildir/"

PMDIR="$HOME/.procmail"
LOGFILE="$PMDIR/log"

INCLUDERC=$PMDIR/lists.rc
INCLUDERC=$PMDIR/spam.rc

Note: This assumes that you are using the Maildir method of storing email. If you are using the mbox method, simply change .maildir to your mbox folder and remove the trailing slash.

Important: $HOME/.procmailrc is read from top to bottom. This means that your recipes will be read in the order in which they appear. Procmail stops checking at the first recipe that matches and delivers the message. Keeping lists.rc above spam.rc ensures that mailing list filters are checked first, avoiding expensive spam checking operations where possible.

The next step is to set up mailing list filters. Since most lists use the List-Id header, we can easily filter out mailing lists from normal email.

Code Listing 1.1: Example $HOME/.procmail/lists.rc

:0
*   ^List-Id: Gentoo Linux mail <gentoo-security\.gentoo\.org>
.gentoo-security/

:0
*   ^List-Id: Gentoo Linux mail <gentoo-user\.gentoo\.org>
.gentoo-user/

Note: To see the actual List-Id header, you may need to view all email headers. See your mail client's documentation to enable that feature.

Next, we can set up the spam filter. This recipe first invokes SpamAssassin using spamc and then checks the X-Spam-Status header. If the message is identified as spam, it is moved to the spam folder.

Code Listing 1.1: Example $HOME/.procmail/spam.rc

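# Pass the message through SpamAssassin (f = filter, w = wait for the exit code)
:0 fw
| /usr/bin/spamc -f

# File flagged mail; ^ ties the match to the start of a header line
:0
* ^X-Spam-Status: Yes
.spam/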

Warning: While SpamAssassin is very good, it is not 100% accurate so using /dev/null as your spam folder may result in some lost email. It is better to move spam to a separate folder and manually delete messages.

Note: spamc connects to the SpamAssassin daemon (spamd). If for some reason you cannot use the daemon, SpamAssassin can be called directly using /usr/bin/spamassassin -a.

You should now be set up to filter your email and block most spam. For more information on Procmail or SpamAssassin, see their system documentation with man procmail and perldoc Mail::SpamAssassin or the associated websites at http://www.procmail.org and http://www.spamassassin.org.
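
The recipe order and header matching described above can be checked offline with a small model. The following Python code is an added example, not part of the original newsletter or of Procmail itself: it imitates how the recipes from lists.rc and spam.rc are evaluated, using constructed messages and a hypothetical stand-in function (fake_spamc) in place of spamc.

```python
import re

DEFAULT = ".maildir/"

# Recipes in file order: lists.rc first, then spam.rc.
# ("deliver", condition, folder) files the message; ("filter", ...) pipes it
# through the scanner, like the ":0 fw" recipe.
RECIPES = [
    ("deliver", r"^List-Id: Gentoo Linux mail <gentoo-security\.gentoo\.org>", ".gentoo-security/"),
    ("deliver", r"^List-Id: Gentoo Linux mail <gentoo-user\.gentoo\.org>", ".gentoo-user/"),
    ("filter", None, None),
    ("deliver", r"^X-Spam-Status: Yes", ".spam/"),
]
# Same recipes with spam.rc included before lists.rc.
SPAM_FIRST = RECIPES[2:] + RECIPES[:2]
# Same order, but the spam condition has lost its leading "^".
UNANCHORED = RECIPES[:3] + [("deliver", r"X-Spam-Status: Yes", ".spam/")]


def split_message(raw):
    """Split a raw message into its header block and body."""
    head, _, body = raw.partition("\n\n")
    return head + "\n", body


def header_matches(condition, head):
    # Procmail conditions are case-insensitive regexes searched anywhere in
    # the header block; only "^" ties a match to the start of a header line.
    return re.search(condition, head, re.IGNORECASE | re.MULTILINE) is not None


def fake_spamc(raw):
    """Constructed stand-in for spamc: tags the message, never judges real mail."""
    head, body = split_message(raw)
    verdict = "Yes" if "CONSTRUCTED-SPAM-MARKER" in body else "No"
    return f"X-Spam-Status: {verdict}\n{head}\n{body}"


def deliver(raw, recipes=RECIPES, scanner=fake_spamc):
    """Return (folder, scans): the destination and how often the scanner ran."""
    scans = 0
    for kind, condition, folder in recipes:
        if kind == "filter":
            raw, scans = scanner(raw), scans + 1
        elif header_matches(condition, split_message(raw)[0]):
            return folder, scans  # first matching delivery ends processing
    return DEFAULT, scans


# Constructed sample messages.
LIST_MAIL = ("From: someone@example.org\n"
             "List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>\n"
             "Subject: etc-update question\n\nHow do I merge config files?\n")
SPAM = ("From: offers@example.net\nSubject: hello\n\nCONSTRUCTED-SPAM-MARKER\n")
QUOTED = ("From: friend@example.org\n"
          "Subject: my headers say X-Spam-Status: Yes, why?\n\nAny idea?\n")

if __name__ == "__main__":
    for name, msg in (("list", LIST_MAIL), ("spam", SPAM), ("quoted", QUOTED)):
        print(name, deliver(msg), deliver(msg, SPAM_FIRST), deliver(msg, UNANCHORED))
```

With lists.rc first, the list message is filed without a scan; with the unanchored condition, the message that merely quotes the header in its Subject line ends up in .spam/.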

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week

Adds

The following developers recently joined the Gentoo team:

  • none this week

Changes

The following developers recently changed roles within the Gentoo project.

  • none this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated 27th Jan 2003

Summary: This is the Gentoo Weekly Newsletter for the week of January 27th, 2003.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Mathy Vanvoorden
Dutch Translation

Tom Van Laerhoven
Dutch Translation

Roel Adriaans
Dutch Translation

Nicolas Ledez
French Translation

Guillaume Plessis
French Translation

Eric St-Georges
French Translation

John Berry
French Translation

Martin Prieto
French Translation

Michael Kohl
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Thomas Raschbacher
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Daniel Ketel
Japanese Translation

Yoshiaki Hagihara
Japanese Translation

Andy Hunne
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Lanark
Spanish Translation

Rafael Cordones Marcos
Spanish Translation

Julio Castillo
Spanish Translation

Sergio Gómez
Spanish Translation

Pablo Pita Leira
Spanish Translation

Carlos Castillo
Spanish Translation

Tirant
Spanish Translation

Jaime Freire
Spanish Translation

Lucas Sallovitz
Spanish Translation


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.