Gentoo Weekly Newsletter: February 10th, 2003
Gentoo Linux at FOSDEM
Gentoo Linux was present at this weekend's FOSDEM,
a meeting of developers of Open Source software. Taking place in Brussels, Belgium, this
year's FOSDEM drew developers from many of the largest Open Source projects, including KDE,
GNOME, PostgreSQL, iptables and others. Daniel Robbins was also present representing the
Gentoo Linux project.
New Release Manager for 1.4
Brad Cowan (bcowan) was recently appointed as the Gentoo Release Coordinator and tasked with
getting Gentoo Linux 1.4, as well as future versions of Gentoo Linux, out the door. So far,
Brad has been busy finalizing the list of packages for the 1.4 Gentoo Reference Platform, as
well as coordinating efforts among the various development managers to determine what needs
to be finished before 1.4 can be officially released.
Icons for Gentoo Linux
Originally reported in last week's Heard In The
Community section, the Gentoo Icon Set has continued to
grow and improve to the point where the full set is now featured on the main Gentoo.org web
site. Currently, with over 160 icons available and more being added each week, this icon
set offers users a comprehensive way to customize their Gentoo Linux systems.
The bladeenc MPR encoder contains a signed integer offset that may be spoofed by a carefully crafted wave file to
execute arbitrary code. An exploit has been demonstrated.
- Severity: Moderate - arbitrary code execution mitigated by requirement for user participation.
- Packages Affected: media-sound/bladeenc prior to bladeenc-0.94.2-r1
- Rectification: Synchronize and emerge -u bladeenc, emerge clean
- GLSA Announcement
The qt-dcgui DirectConnect client has a major vulnerability in the way it parses directory names.
Remote attackers could use this flaw to download files that are not explicitly shared.
- Severity: High - Remote read access to files.
- Packages Affected: net-p2p/qt-dcgui prior to qt-dcgui-0.2.4
- Rectification: Synchronize and emerge -u qt-dcgui, emerge clean
- GLSA Announcement
The slocate file search utility contains a buffer overflow vulnerability that could permit users to gain higher
access privileges on the system. An exploit has been demonstrated.
- Severity: High - Privilege elevataion.
- Packages Affected: sys-apps/slocate prior to slocate-2.7
- Rectification: Synchronize and emerge -u slocate, emerge clean
- GLSA Announcement
The popular SpamAssassin utility is subject to an exploit using escaped '.' characters to provoke a modification
of the stack pointer. This could permit a carefully crafted email to execute arbitrary code on the system.
- Severity: Critical - Remote execution of arbitrary code.
- Packages Affected: dev-perl/Mail-SpamAssassin prior to Mail-SpamAssassin-2.44
- Rectification: Synchronize and emerge -u Mail-SpamAssassin, emerge clean
- GLSA Announcement
New Security Bug Reports
The following new bug report have been submitted to the bugzilla database this week:
Featured Developer of the Week
Figure 3.1: Brandon Low
This week we're featuring Brandon Low, maintainer of the gentoo-sources kernel and the
kernel eclass system used to create kernel source ebuilds. As many of you know, the gentoo-sources are made by applying
various patches to vanilla sources (like the ones you find at
http://www.kernel.org); Brandon's job is to take the various fixes, performance
enhancements, and hardware support patches recommended by Michael J. Cohen, Gentoo's resident kernel colonel, requested
by users, or found by himself to be suitable, and to 'patch-monkey' them all together,
making adjustments to ensure that the various patches work together in order to get a
working kernel. Before being put in gentoo-sources, changes are often tested in
lolo-sources, which is first patched with a bunch of updates then slowly culled until it's
released as gentoo-sources. Brandon's kernels always contain documentation in a
patches.txt.gz file that is put in the documentation directory of the kernel sources, but since
the information often isn't as complete with lolo-sources, he says that the best way to
learn about a kernel patchset is to watch as the patches are applied during the merge process.
The current lolo-sources are based on the Con Kolivas patchset, with the addition of
Gentoo-specific stuff as well as the iptables base and optimization pachsets.
Like Nicholas Jones(who actually
started using Gentoo and helping out with it on his suggestion), Brandon
got his start as a Gentoo developer hanging out in IRC and on Bugzilla making ebuilds and
assisting with bugs. His cool head and tendency to know when a patch would be too much
trouble was what gave him the final word on gentoo-sources. A keen ebuilder, Brandon
continues to make ebuilds for applications that he needs or wants that aren't in the
A student of computer engineering at the Illinois Institute of Technology, Brandon also
works as the general technology specialist at CopyTec - it's no wonder he has trouble balancing the
remaining time between Gentoo and his girlfriend. Brandon has two machines, lost and
found: lost is an Athlon XP workstation, while found is a headless Athlon T-Bird
WWW/mail/DNS server. Here's a long litany of the apps he likes to run on his workstation:
Gaim, Enlightenment, Eterm, Xchat, XMMS, giFT, Midnight Commander, Mozilla, gkrellm2,
lm_sensors, mutt, screen, pork, and bash. In Real Life, Brandon likes to swim, play
GameCube, and rollerblade.
Heard In The Community
What's In A Framebuffer?
Let's call it the Framebuffer Awareness Week. An extraordinary interest in the possibilities (and limitations) of framebuffer consoles, using it in X or in its stead, for TV-out to the big screen, and other tidbits of information has emerged in an unusual density:
Fund Raising Ideas
The forums are notorious for posters throwing tantrums at the installation process or application oddities, but the general mood has always been extremely supportive of Gentoo Linux, its concept and further development. Not astonishing, in this light, that initiatives emerge at regular intervals that try to back up the idealistic support with something more tangible, by raising money for the project as a whole. People are offering money for e-mail-addresses that display their affection for Gentoo, club memberships (Mandrake style) are being discussed, even paying for an overnight ebuild service, in a nutshell: anything that could help to put Gentoo on the next evolutionary stage:
A few threads have dealt with the shortcomings of the software that drives the Forums, phpBB. Its structure sometimes prevents things from being just as powerful as some of the users would like it, but advances are clearly being made. The search function has been modified, searching for all search terms is now the default for both the Search page and the Quick Search text input box, and sometimes things just fall into place with an upgrade to phpBB itself: Posting in Japanese miraculously started to work last week.
What Are Those ._cfg* Files Anyway?
One of the most frequently overlooked features of portage, the etc-update command, has equally frequently been dealt with at the forums. It is a better known fact that critical config files are protected from being automatically overwritten during emerge, but before you struggle with manually editing all those files with names starting on ._cfg that keep appearing below the /etc threshold and elsewhere, you may want to have a look at this thread from last week:
Installing non ebuild software
Contrary to what we'd like to believe, software is still being written on non Gentoo systems and
not packaged as an ebuild. Robert Shar asked if there is a standard method to installing programs
lacking an ebuild. As the responses rolled in, it became clear that there isn't a 'standard' method
of handling non ebuild software, but many clever ways to do it. Collins Richey suggested
the configure script to install the software under /opt and Pat Double thought it would be just as
painless to create an ebuild.
Cal Evans even proposed that a utility to convert an RPM (currently the most popular packaging system) to an ebuild
should be written.
A popular thread emerged (pardon the pun) on gentoo-user sharing the classic tales of administrator
horror stories. From
deleting weeks worth of work
nearly getting fired
from the job, the stories
within are sure to bring back the nostalgic memories of wishing time was reversible... if only for just
one command. There is also a
in the forums. Time heals, and posting does too.
Disk Full?!? Quick resolutions
To Jorge Almeida's astonishment, his fresh Gentoo system was reporting the disk was full after a
KDE 3.1 upgrade. Developer Nick Jones
removing all files under /var/tmp/portage,
/usr/portage/distfiles, and /usr/portage/packages -- noting that distfiles and packages may contain
wanted files that portage would have to download again if they were removed. It was also noted that
cleaning out /var/log is another quick way to free space, especially if a log rotator has not been installed.
Volker Hemmann let us know that his /var/log/.xsession-errors once grew to a size of 3.7GB!
Gentoo XML Database
started a very interesting
thread with "For the fun of it, I created a little tool very custom and untested that will
read the the cache files of gentoo and generate on the stdout a valid xml file. [...]
What's interesting is that the database is generated from a gentoo system pretty easily because of
the presence of the cache. One could easily think about creating a direct ebuilds -> xml db
software instead of passing through the cache."
Vano D proposed its
application "for making a "portage server" serving portage ebuilds and recording the
cache information (as in what is installed with what USE flags) for every single client machine
having an "account" on the db."
Todo/project list for Gentoo.
"I've been using Gentoo now for a couple of months, wrote some ebuilds,
loved gentoo's simplicity(configuration system), etc. BUT, I would like
to get involved more with Gentoo though I don't know where to start or
what to improve." John Nilsson briefly
with "Your todo list is called bugs.gentoo.org =)"
and continued with "Seriously what you could do that I would like is a gentoo-user-wiki.
For Swedish users take a look at http://www.susning.nu
and you'll know what I'm talking about. Is there an English equivalent?"
Follow-up: Portage Database Management.
Ingo Krabbe started
quite a busy thread with his question of wether there were any plans to have Portage use a
database in order to improve speed! Some ideas for its application were tossed in, such as
John Nilsson's: "This db would have more indepth information of every package, HOWTOS, bugs,
discussions all that kind of information you would wan't (mostly just a gentoo specific info
text and link to a homepage I suspect, but you COULD add more)."
Impromptu Gentoo Dev & User Meeting in Barcelona, 12 February 2003
BaSS, one of the Spanish Gentoo developers, is leaving his home town Sevilla for a few days in Barcelona. Perfect occasion to meet him and everybody else who's going to show up at the Sagrada Familia on 12 February, 18:00. In case you don't know who to look out for, he'll wear a black bag with the Gnome and Guadec logos on it...
Snapshot from Japan: Gentoo in User Mode Linux on RedHat 8.0
Masanori "Smiley" Omote isn't really what you call a hardened Gentoo user. He's been running RedHat for ages, and doesn't have any immediate plans to give it up. But his friends at the Tokyo Linux User Group had been pestering him so much about the most elegant of penguins, something was bound to happen. As it turned out, something equally elegant: Smiley, looking for a way to run both gcc 2.9x and 3.x on the same machine at the same time, went and installed Gentoo Linux in a virtual machine in User Mode Linux (UML) on his tiny Sony Vaio C1, a subnotebook sporting a Transmeta CPU, 256 MB and - RedHat 8.0. Now, whether this was the right way to go about it, or even the right order in which to put one on top of the other is a matter of debate, but for someone with a RedHat background, his perfectly documented installation manuscript has a reassuringly familiar look...
The following stable packages were added to portage this week
Note: Because of the pending release of 1.4_final, the Portage tree is currently frozen. As such, no new stable packages were introduced to Portage this week
Updates to notable packages
- sys-apps/portage - portage-2.0.46-r12.ebuild;
- sys-devel/gcc - gcc-3.2.2.ebuild;
- x11-base/xfree - xfree-220.127.116.11.ebuild;
- gnome-base/gnome - gnome-2.2.ebuild; gnome-2.2_rc2-r99.ebuild; gnome-2.2_rc2.ebuild;
- sys-kernel/* - aa-sources-2.4.21_pre4-r1.ebuild; ac-sources-2.4.21_pre3-r5.ebuild; ac-sources-2.4.21_pre4-r1.ebuild; ac-sources-2.4.21_pre4-r2.ebuild; development-sources-2.5.59-r7.ebuild; development-sources-2.5.59-r8.ebuild; linux-headers-2.4.20.ebuild; ppc-sources-benh-2.4.20-r5.ebuild; ppc-sources-crypto-2.4.20.ebuild; sparc-sources-2.4.20-r3.ebuild; usermode-sources-2.4.19-r48.ebuild; xfs-sources-2.4.20_pre6.ebuild;
New USE variables
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity
on the site has resulted in:
There are currently 2230 bugs open in bugzilla. Of these: 44 are labelled 'blocker', 77 are labelled 'critical',
and 151 are labelled 'major'.
- 251 new bugs this week
- 1601 total bugs currently marked 'new'
- 577 total bugs curently assigned to developers
- 52 bugs that were previously closed have been reopened.
Closed Bug Rankings
The developers and teams who have closed the most bugs this week are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs this week are:
Tips and Tricks
See which USE variables affect a package during an emerge
One of the most-often requested features in Portage is the ability to quickly and easily see what
effect USE variables have during the emerge process. The release Portage 2.0.46-r12 makes this
To display USE variable effects, use the -v option:
Code Listing 1.1: Display USE variable effects with the -v option
#emerge -vp exim
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild U ] net-mail/exim-4.12 [4.10] -tcpd +ssl -postgres +mysql +ldap +pam
Moves, Adds and Changes
The following developers recently left the Gentoo team:
- Ric Messier (kilroy)
- Maarten Thibaut (murphy)
The following developers recently joined the Gentoo team:
- Zach Welch (zwelch) -- Gentoo/ARM, distcc
The following developers recently changed roles within the Gentoo project.
- Brad Cowan (bcowan) -- Gentoo Linux Release Coordinator
- Jack Morgan (jmorgan) -- Gentoo Events Coordinator
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make GWN better.
The Gentoo Weekly Newsletter is also available in the following languages: