Gentoo Weekly Newsletter: February 24th, 2003
Gentoo Linux partners with NeTraverse
The Gentoo Linux project recently reached an agreement with NeTraverse to bring Win4Lin to
Gentoo users at a reduced price. Win4Lin lets you run Windows applications under Gentoo Linux at native speeds and can help bridge the
gap between the stability of Linux and the vast number of Windows applications.
Gentoo users who purchase the Gentoo Edition of Win4Lin enjoy a $10 discount off the
regular $89.99 price. Additionally, each purchase helps support further development of Gentoo Linux. There is also a 30-day trial version
of Win4Lin available in the Portage tree.
Gentoo Linux 1.4 Update
We reported back in January that Gentoo Linux
1.4_rc3 was due to be released on January 14th, based on the timeline laid out by the newly-adopted Formal Release Process. Obviously, this release has yet to make it out the door and users and
developers alike have increasingly complained about the recurring delays, stale Portage tree and general confusion that seems to surround
the release process. Fortunately, with the recent
appointment of Brad Cowen as the Gentoo Release Coordinator, the 1.4 release process seems to have regained some of its lost momentum.
Brad recently updated the Gentoo developer team regarding the status of the next release candidate, 1.4_rc3:
I just wanted to take a moment and let everyone know where we stand as
far as a release goes. Plans are to release an official RC3 on Thursday
the 27th. This rc will include stages from the sparc, x86, and ppc
teams. The x86 port will be a limited release meaning a single "one size
fits all" compiled set of stages and no GRP will be packaged.
Brad went on to say that, after the rc3 release, he plans to adhere closely to the formal release process. This also means that, post rc3,
the Portage tree will be unfrozen for a period of 2 weeks or so where developers will be able to migrate masked packages over to an unmasked
Pictures of FOSDEM
As reported earlier,
Gentoo Linux was at FOSDEM and, by all accounts, the event was a success. As with LinuxWorld in New York, many
of the attendees were previously unfamiliar with Gentoo Linux, so this was a great opportunity to help spread
the word about Gentoo Linux in Europe and also meet lots of other free software developers. Daniel Robbins also
had the opportunity to speak with Richard Stallman at length, where they discussed...free software, of course :).
Here are some photos of the event for those who were unable to attend in person.
Figure 1.1: Jack Morgan, Verwilst and Popsickle at Fosdem -- or is this a Coke commercial?
Figure 1.1: Wout Mertens and Daniel Robbins discover a quantum singularity
Webmin contain a vulnerability which could permit
unauthenticated access. No
exploits in the wild have been reported.
- Severity: Critical - Remote Access with Administrative Privileges
- Packages Affected: app-admin/webmin versions prior to webmin-1.070
- Rectification: Synchronize and emerge -u webmin, emerge clean.
OpenSSL may permit an attacker, by performing a man-in-the-middle attack and measuring the relative times for
rejection of modified cipher texts, to determine which error condition (padding or verification) caused the
modified texts to be rejected. This information is adequate to initiate an adaptive attack which may result in
exposure of the plaintext. The attack has been demonstrated in principle.
- Severity: Critical - Remote Encryption Compromise
- Packages Affected: dev-libs/openssl versions prior to openssl-0.96i or openssl-0.9.7a
- Rectification: Synchronize and emerge -u openssl, emerge clean.
- GLSA Announcement
Bitchx may be caused to segfault with a malformed packet, exposing a denial-of-service vulnerability.
- Severity: Moderate - Remote DOS for non-critical service.
- Packages Affected: net-irc/bitchx versions prior to bitchx-1.0.19-r4
- Rectification: Synchronize and emerge -u bitchx, emerge clean.
- GLSA Announcement
PHP 4.3.0 introduced a bug which prevents the cgi-security options '--enable-force-cgi-redirect' and
'cgi.force_redirect'. This could permit an attacker to gain access to the server file system using the web server's
privileges on systems that use the PHP CGI module.
- Severity: High - Remote Exposure of Filesystem
- Packages Affected: dev-php/mod_php-4.3.0
- Rectification: Synchronize and emerge -u mod_php, emerge clean.
- GLSA Announcement
Nethack contains a buffer overflow vulnerability that may permit elevation of the player's privileges to that
of the game's uid. An exploit has been published. The primary use of this exploit would be to modify the high score
and character files. However, any privilege elevation is a security fault, and could be dangerous if nethack's uid has
- Severity: Low - Privilege Elevation to A Game
- Packages Affected: app-games/nethack versions prior to nethack-3.4.0-r6
- Rectification: Synchronize and emerge -u nethack, emerge clean.
- GLSA Announcement
The w3m browser (a text-based browser sometimes used within emacs) fails to properly escape img tags in html. This
vulnerability could be exploited by a carefully crafted web page to access files on the local machine.
- Severity: High - Remote Exposure of Filesystem
- Packages Affected: net-www/w3m versions prior to w3m-0.3.2.2
- Rectification: Synchronize and emerge -u w3m, emerge clean.
- GLSA Announcement
The syslinux bootloader exposes several security flaws when run with root privileges. The code has been modified
to use the mtools package for accessing the disk. Syslinux should not be run with setuid.
- Severity: High - Root Privilege Exposure.
- Packages Affected: sys-apps/syslinux versions prior to syslinux-2.02
- Rectification: Synchronize and emerge -u syslinux, emerge clean.
- GLSA Announcement
The default error page in the mailman list server web interface exposes a cross-site scripting vulnerability that
could permit remote execution of code using the server's privilege level.
- Severity: High - Remote Execution of Code.
- Packages Affected: net-mail/mailman versions prior to mailman-2.1.1
- Rectification: Synchronize and emerge -u mailman, emerge clean.
- GLSA Announcement
New Security Bug Reports
The following new security bugs were posted this week:
Featured Developer of the Week
John P. Davis
Figure 3.1: John P. Davis
John P. Davis, this week's featured
developer, is Senior Developer/Coordinator for the Gentoo Linux
Documentation team and the administrator of Gentoo's
Bugzilla system. John, who
started off by writing the
Printing HOWTO, coordinates developers and translators on
documentation and hacks on the Bugzilla source to make it as functional
as possible. He takes pride in making the Bugzilla system as useful as
possible to users and devs, and is amazed at how the documentation team
is shaping up. For now Gentoo is the only OSS project John has worked
on, but he hopes to change that in the future.
John has an Athlon XP workstation running RAID0 and an Athlon server
which hosts uberdavis.com,
his playpen. (currently undergoing renovations) He uses Enlightenment with an Aqua theme, Sylheed for
mail, and likes iconv, iptables, grep, sed, the GIMP, and nmap. During
the day John studies computer science at Mount Union College in Alliance,
OH, as well as working at his college's help desk. He enjoys spending
time with his girlfriend Mary, drinking Bawls, mountain biking, skiing,
scuba diving, as well as college life in general.
Heard In The Community
Mother Tongue Campaigning
The message is simple: First you need to achieve critical mass by posting into a thread that registers how many people would be interested in a separate forum conducted in their own language, then the FAQ and a few other documents need translation, a moderator or two needs to volunteer, and if sufficiently convincing evidence for a lively community has built up, just watch that admin machine go. The Italians were off to a quick start last week and are gaining momentum, but the Japanese community isn't anywhere near critical mass and needs some serious campaigning before a Japanese language forum can be set up. Lack of interest is unlikely, but a lot of the guys on the #gentoo-jp IRC channel don't seem to have a forum ID yet...
Emulating the Unspeakable
The gamers were the first class of users to discuss which emulator or virtual machine wins the Windows look-a-like contest, but running commercial Windows applications in Linux has become a widespread pattern since the more serious desktop publishing crowd has made inroads into Open Source operating systems, while requiring the use of professional software from vendors who so far have bluntly refused to code for Linux. It's not as if there was a lack of choice in terms of tools to do so, between Wine and Plex86 or Bochs (fresh version 2.0.2 released just a week ago) on the free-of-charge side of things, and the more powerful commercial equivalents Crossover, WineX, Win4Lin and VMware on their flipside, the only remaining problem is to pick one. Flame wars of the past used erupt over whether one should do that or not, but for some time the debate has been centered on a more pragmatic question: how to do it most efficiently. The forums reflect all this and more, including Netraverse, the company behind Win4Lin, stepping forward with a special Gentooified build at a significant markdown...
Yet Another Architecture: Gentoo on MIPS
Last week the usually rather calm Alternate Architectures forum saw an influx of people who reported about Gentoo Linux on SGI Indy and Indigo2. About two months into the latest initiative to port Gentoo to MIPS machines, successful installations so far include R4400 and R5000 driven models. If you own an Elan or Extreme or maybe an O2 and wonder what else than Irix you can run on it, join the Indy posse on their new IRC channel, #gentoo-mips on irc.freenode.net, and in one or both of these threads (top for evangelism, bottom for caveats):
Combining components from leaking capaciters to hot CPUs often makes it hard to diagnose hardware problems. Sipping coffee, closing your eyes and seeing the faulty component is a great method, although it may not work for non Jedi Masters. Bruno Lustosa has been suffering from suspicious failed compiles in a number of threads. Is it the bios? Memory? CPU? Evil Kernel? After many supportive suggestions, Bruno appears on the verge of victory. Ernie Shroder, in particular, reminded us of a great article by the man himself, Dr. Daniel Robbins. The article makes a worth-while read as Robbins takes us through the ins and outs of diagnosing CPU and RAM problems on a linux system.
Upon asking about kivo, of all things, the tool epm was brought up. EPM is available as an ebuild (sys-apps/epm) with the description: rpm workalike for Gentoo Linux. This is meant to provide for easier transistion from a Red Hat system, allowing Red Hatters to feel at home by typing 'epm -qf `which kivio'.
An extremely grueling discussion took place involving the Gentoo init system. Remarkably, the details of Gentoo's system versus other SysV implementations hardly surfaced. What was at stake was Phil Barnet's apparent demand for "abstraction" scripts, in particular the 'service' script, available in other distributions. The counter point expressed typical Gentoo mannerism, offered in one of Andrew Dacey's many rebuttals, "The whole point of Gentoo is to be configurable, almost nothing is forced onto the user. With this in mind, no abstraction layer from another OS or distro should be included by default, no matter how common that OS or distro is". Suggestions for ebuilds were offerend as the debate waged on.
Regional Gentoo User Meetings in Europe
The Viennese Gentooists have agreed on a date and a venue: Tuesday, 4 March 2003, 19:00 onwards at the
Siebensternbräu, Siebensterngasse 19 in 1070 Wien. If you're free and in the area that day and would like to join them, announce your intentions with a reply to this thread in the forums for a headcount. Meanwhile, users from Northern Germany are looking into opportunities for a meeting this week in or around Hamburg, but the details didn't make it in time for this newsletter. They, too, have a thread in the forums to coordinate the exact date and venue.
Svenska Gentoo IRC Hemsida
http://gentoo.linux.se is the shiny new address for the Swedish Gentoo web presence, so far "only" a web appendix to the notorious IRC channel. It includes the channel statistics, some user profiles of a few IRC regulars, and a pastebot for uploading a quick config file or error message from a borked ebuild, and generating a URL for it to be pasted into the #gentoo-se channel on irc.freenode.net.
Italian Documentation Taskforce
While his compatriots are busy campaigning for an Italian forum, Marco Mascherpa has set up a mailing list for Italian translators to join in the effort of going through the entire pile of Gentoo documentation and creating new or embellishing existing Italian versions. If your Italian is up to the task and you would like to help, send an email to Marco today.
The following stable packages were added to portage this week
Note: Because of the pending release of 1.4_final, the Portage tree is currently frozen. As such, no new stable packages were introduced to Portage this week
Updates to notable packages
- sys-apps/portage - portage-2.0.47-r2.ebuild;
- gnome-base/gnome - gnome-2.2-r2.ebuild;
- sys-kernel/* - aa-sources-2.4.21_pre4-r3.ebuild; development-sources-2.5.60-r2.ebuild; development-sources-2.5.61-r1.ebuild; development-sources-2.5.61.ebuild; development-sources-2.5.62.ebuild; gs-sources-2.4.21_pre4.ebuild; hppa-sources-2.4.20_p27.ebuild; lolo-sources-220.127.116.11_pre2.ebuild; redhat-sources-18.104.22.168.8.0.ebuild;
- dev-db/mysql - mysql-4.0.10.ebuild;
- dev-php/php - php-4.3.1.ebuild;
- sys-devel/perl - perl-5.6.1-r11.ebuild;
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity
on the site has resulted in:
There are currently 2411 bugs open in bugzilla. Of these: 46 are labelled 'blocker', 82 are labelled 'critical',
and 171 are labelled 'major'.
- 294 new bugs this week
- 336 bugs closed or resolved this week
- 8 previously closed bugs were reopened this week.
- 1796 total bugs currently marked 'new'
- 558 total bugs curently assigned to developers
Closed Bug Rankings
The developers and teams who have closed the most bugs this week are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs this week are:
Tips and Tricks
Mirror, Mirror On The Wall
As Gentoo's userbase grows, a common complaint is the slowdown of its primary mirrors. Many people in the community have responded, adding more mirrors to help distribute the load. So where do you find these mirrors? One way is to look on the website at http://www.gentoo.org/main/en/mirrors.xml. The other (easier) way is to use the handy mirrorselect tool. MirrorSelect is a simple ncurses interface that allows you to select which mirror(s) you want to use for your machine.
MirrorSelect is available in Portage, so a simple emerge is all that's necessary to install it.
Code Listing 1.1: Installing MirrorSelect
# emerge mirrorselect
To use MirrorSelect, simply run mirrorselect at a terminal prompt and then select your preferred mirror(s).
Code Listing 1.1: Using MirrorSelect
Figure 1.1: Using MirrorSelect
When you're done selecting mirrors, select OK, and your /etc/make.conf will be updated with your new mirrors.
Code Listing 1.1
Selected: ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://gentoo.oregonstate.edu http://distro.ibiblio.org/gentoo
Mirrors set successfully
Moves, Adds and Changes
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo team:
- Robert Coie (rac) -- perl, bughunting
- James Boddington (Aiken) -- Gentoo/SPARC, Gentoo/ARM
- Jon Ellis (jje) -- music stuffs
- Alastair Tse (liquidx) -- python, GNOME, Gentoo/ARM
- Ken Nowack (antifa) -- Gentoo Documentation
The following developers recently changed roles within the Gentoo project.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make GWN better.
The Gentoo Weekly Newsletter is also available in the following languages: