Gentoo Weekly Newsletter: February 24th, 2003
Gentoo Linux partners with NeTraverse The Gentoo Linux project recently reached an agreement with NeTraverse to bring Win4Lin to Gentoo users at a reduced price. Win4Lin lets you run Windows applications under Gentoo Linux at native speeds and can help bridge the gap between the stability of Linux and the vast number of Windows applications. Gentoo users who purchase the Gentoo Edition of Win4Lin enjoy a $10 discount off the regular $89.99 price. Additionally, each purchase helps support further development of Gentoo Linux. There is also a 30-day trial version of Win4Lin available in the Portage tree. We reported back in January that Gentoo Linux 1.4_rc3 was due to be released on January 14th, based on the timeline laid out by the newly-adopted Formal Release Process. Obviously, this release has yet to make it out the door and users and developers alike have increasingly complained about the recurring delays, stale Portage tree and general confusion that seems to surround the release process. Fortunately, with the recent appointment of Brad Cowen as the Gentoo Release Coordinator, the 1.4 release process seems to have regained some of its lost momentum. Brad recently updated the Gentoo developer team regarding the status of the next release candidate, 1.4_rc3: I just wanted to take a moment and let everyone know where we stand as far as a release goes. Plans are to release an official RC3 on Thursday the 27th. This rc will include stages from the sparc, x86, and ppc teams. The x86 port will be a limited release meaning a single "one size fits all" compiled set of stages and no GRP will be packaged. Brad went on to say that, after the rc3 release, he plans to adhere closely to the formal release process. This also means that, post rc3, the Portage tree will be unfrozen for a period of 2 weeks or so where developers will be able to migrate masked packages over to an unmasked state. As reported earlier, Gentoo Linux was at FOSDEM and, by all accounts, the event was a success. As with LinuxWorld in New York, many of the attendees were previously unfamiliar with Gentoo Linux, so this was a great opportunity to help spread the word about Gentoo Linux in Europe and also meet lots of other free software developers. Daniel Robbins also had the opportunity to speak with Richard Stallman at length, where they discussed...free software, of course :). Here are some photos of the event for those who were unable to attend in person.
Webmin contain a vulnerability which could permit unauthenticated access. No exploits in the wild have been reported.
OpenSSL may permit an attacker, by performing a man-in-the-middle attack and measuring the relative times for rejection of modified cipher texts, to determine which error condition (padding or verification) caused the modified texts to be rejected. This information is adequate to initiate an adaptive attack which may result in exposure of the plaintext. The attack has been demonstrated in principle.
Bitchx may be caused to segfault with a malformed packet, exposing a denial-of-service vulnerability.
PHP 4.3.0 introduced a bug which prevents the cgi-security options '--enable-force-cgi-redirect' and 'cgi.force_redirect'. This could permit an attacker to gain access to the server file system using the web server's privileges on systems that use the PHP CGI module.
Nethack contains a buffer overflow vulnerability that may permit elevation of the player's privileges to that of the game's uid. An exploit has been published. The primary use of this exploit would be to modify the high score and character files. However, any privilege elevation is a security fault, and could be dangerous if nethack's uid has additional permissions.
The w3m browser (a text-based browser sometimes used within emacs) fails to properly escape img tags in html. This vulnerability could be exploited by a carefully crafted web page to access files on the local machine.
The syslinux bootloader exposes several security flaws when run with root privileges. The code has been modified to use the mtools package for accessing the disk. Syslinux should not be run with setuid.
The default error page in the mailman list server web interface exposes a cross-site scripting vulnerability that could permit remote execution of code using the server's privilege level.
The following new security bugs were posted this week: 3. Featured Developer of the Week John P. Davis
John P. Davis, this week's featured developer, is Senior Developer/Coordinator for the Gentoo Linux Documentation team and the administrator of Gentoo's Bugzilla system. John, who started off by writing the Gentoo Linux Printing HOWTO, coordinates developers and translators on documentation and hacks on the Bugzilla source to make it as functional as possible. He takes pride in making the Bugzilla system as useful as possible to users and devs, and is amazed at how the documentation team is shaping up. For now Gentoo is the only OSS project John has worked on, but he hopes to change that in the future. John has an Athlon XP workstation running RAID0 and an Athlon server which hosts uberdavis.com, his playpen. (currently undergoing renovations) He uses Enlightenment with an Aqua theme, Sylheed for mail, and likes iconv, iptables, grep, sed, the GIMP, and nmap. During the day John studies computer science at Mount Union College in Alliance, OH, as well as working at his college's help desk. He enjoys spending time with his girlfriend Mary, drinking Bawls, mountain biking, skiing, scuba diving, as well as college life in general. Mother Tongue Campaigning The message is simple: First you need to achieve critical mass by posting into a thread that registers how many people would be interested in a separate forum conducted in their own language, then the FAQ and a few other documents need translation, a moderator or two needs to volunteer, and if sufficiently convincing evidence for a lively community has built up, just watch that admin machine go. The Italians were off to a quick start last week and are gaining momentum, but the Japanese community isn't anywhere near critical mass and needs some serious campaigning before a Japanese language forum can be set up. Lack of interest is unlikely, but a lot of the guys on the #gentoo-jp IRC channel don't seem to have a forum ID yet... Emulating the Unspeakable The gamers were the first class of users to discuss which emulator or virtual machine wins the Windows look-a-like contest, but running commercial Windows applications in Linux has become a widespread pattern since the more serious desktop publishing crowd has made inroads into Open Source operating systems, while requiring the use of professional software from vendors who so far have bluntly refused to code for Linux. It's not as if there was a lack of choice in terms of tools to do so, between Wine and Plex86 or Bochs (fresh version 2.0.2 released just a week ago) on the free-of-charge side of things, and the more powerful commercial equivalents Crossover, WineX, Win4Lin and VMware on their flipside, the only remaining problem is to pick one. Flame wars of the past used erupt over whether one should do that or not, but for some time the debate has been centered on a more pragmatic question: how to do it most efficiently. The forums reflect all this and more, including Netraverse, the company behind Win4Lin, stepping forward with a special Gentooified build at a significant markdown... Yet Another Architecture: Gentoo on MIPS Last week the usually rather calm Alternate Architectures forum saw an influx of people who reported about Gentoo Linux on SGI Indy and Indigo2. About two months into the latest initiative to port Gentoo to MIPS machines, successful installations so far include R4400 and R5000 driven models. If you own an Elan or Extreme or maybe an O2 and wonder what else than Irix you can run on it, join the Indy posse on their new IRC channel, #gentoo-mips on irc.freenode.net, and in one or both of these threads (top for evangelism, bottom for caveats): Hardware Issues Combining components from leaking capaciters to hot CPUs often makes it hard to diagnose hardware problems. Sipping coffee, closing your eyes and seeing the faulty component is a great method, although it may not work for non Jedi Masters. Bruno Lustosa has been suffering from suspicious failed compiles in a number of threads. Is it the bios? Memory? CPU? Evil Kernel? After many supportive suggestions, Bruno appears on the verge of victory. Ernie Shroder, in particular, reminded us of a great article by the man himself, Dr. Daniel Robbins. The article makes a worth-while read as Robbins takes us through the ins and outs of diagnosing CPU and RAM problems on a linux system. RedHatism Upon asking about kivo, of all things, the tool epm was brought up. EPM is available as an ebuild (sys-apps/epm) with the description: rpm workalike for Gentoo Linux. This is meant to provide for easier transistion from a Red Hat system, allowing Red Hatters to feel at home by typing 'epm -qf `which kivio'. More RedHatism An extremely grueling discussion took place involving the Gentoo init system. Remarkably, the details of Gentoo's system versus other SysV implementations hardly surfaced. What was at stake was Phil Barnet's apparent demand for "abstraction" scripts, in particular the 'service' script, available in other distributions. The counter point expressed typical Gentoo mannerism, offered in one of Andrew Dacey's many rebuttals, "The whole point of Gentoo is to be configurable, almost nothing is forced onto the user. With this in mind, no abstraction layer from another OS or distro should be included by default, no matter how common that OS or distro is". Suggestions for ebuilds were offerend as the debate waged on. Regional Gentoo User Meetings in Europe The Viennese Gentooists have agreed on a date and a venue: Tuesday, 4 March 2003, 19:00 onwards at the Siebensternbräu, Siebensterngasse 19 in 1070 Wien. If you're free and in the area that day and would like to join them, announce your intentions with a reply to this thread in the forums for a headcount. Meanwhile, users from Northern Germany are looking into opportunities for a meeting this week in or around Hamburg, but the details didn't make it in time for this newsletter. They, too, have a thread in the forums to coordinate the exact date and venue. Svenska Gentoo IRC Hemsida http://gentoo.linux.se is the shiny new address for the Swedish Gentoo web presence, so far "only" a web appendix to the notorious IRC channel. It includes the channel statistics, some user profiles of a few IRC regulars, and a pastebot for uploading a quick config file or error message from a borked ebuild, and generating a URL for it to be pasted into the #gentoo-se channel on irc.freenode.net. Italian Documentation Taskforce While his compatriots are busy campaigning for an Italian forum, Marco Mascherpa has set up a mailing list for Italian translators to join in the effort of going through the entire pile of Gentoo documentation and creating new or embellishing existing Italian versions. If your Italian is up to the task and you would like to help, send an email to Marco today. The following stable packages were added to portage this week
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:
The developers and teams who have closed the most bugs this week are:
The developers and teams who have been assigned the most new bugs this week are:
Mirror, Mirror On The Wall As Gentoo's userbase grows, a common complaint is the slowdown of its primary mirrors. Many people in the community have responded, adding more mirrors to help distribute the load. So where do you find these mirrors? One way is to look on the website at http://www.gentoo.org/main/en/mirrors.xml. The other (easier) way is to use the handy mirrorselect tool. MirrorSelect is a simple ncurses interface that allows you to select which mirror(s) you want to use for your machine. MirrorSelect is available in Portage, so a simple emerge is all that's necessary to install it.
To use MirrorSelect, simply run mirrorselect at a terminal prompt and then select your preferred mirror(s).
When you're done selecting mirrors, select OK, and your /etc/make.conf will be updated with your new mirrors.
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo team:
The following developers recently changed roles within the Gentoo project.
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email. Please send us your feedback and help make GWN better. The Gentoo Weekly Newsletter is also available in the following languages: |
|
