Gentoo Weekly Newsletter: March 10th, 2003

1. Gentoo News

distcc in a nutshell
Remarkable response to our call for developers

A question often asked by our readers is, "What is distcc?". In a nutshell, distcc allows you to distribute compilation of C or C++ code across several machines on a network. For home users with multiple computers, this means you can distribute the load of compiling KDE 3.1 across all your Gentoo machines. For embedded devices or older computers, it means you can build packages on a faster machine (or group of machines) to take advantage of the increased processing power. distcc works closely with gcc to ensure that distcc distributed compiles produce the same result as using gcc directly.

distcc 1.2.3 was recently marked as stable in the Portage tree, so users are encouraged to try it out and discover the wonders of distributed compiling. Obviously, there's a lot more to distcc than is described here. Users interested in learning more should check out the following resources:

Remarkable response to our call for developers

In last week's GWN, we posted a number of open positions in the Gentoo Linux project. The response to this posting was remarkable, with nearly 75 responses received. As a result, Gentoo Linux now has the assistance of two new documentation editors and a new kernel developer. We're still sorting through the respondents to the Web Developer position and will be contacting folks with regards to that in the coming days.

Where possible, we've tried to send individual responses to each of the respondents. If you haven't received a response, we apologize and thank you for offering to help Gentoo Linux. We'll continue to post open positions in future editions of the GWN, so keep an eye out for them.

2. Gentoo Security

Summary

GLSA: sendmail
GLSA: tcpdump
GLSA: snort
GLSA: mysqlcc
New Security Bug Reports
gentoo-security

GLSA: sendmail

A recently discovered vulnerability in sendmail could permit a remote user to gain root privileges on the server with a carefully crafted email message. A proof-of-concept exploit has been demonstrated, but no exploits in the wild have been reported.

Severity: Critical - Remote Root Exploit
Packages Affected: net-mail/sendmail versions prior to sendmail-8.12.8
Rectification: Synchronize and emerge -u sendmail, emerge clean.
GLSA Announcement
Advisory

GLSA: snort

Snort contains a buffer overflow that may be exploited to run arbitrary code with the privileges of the Snort IDS process, potentially root.

Severity: Critical - Remote Execution of Code
Packages Affected: net-analyzer/snort versions prior to snort-1.9.1
Rectification: Synchronize and emerge -u snort, emerge clean.
GLSA Announcement
Advisory

GLSA: tcpdump

TCPDump contains a vulnerability in the way it parses certain UDP packets that allows a carefully crafted packet to provoke an infinite loop.

Severity: High - Remote DOS
Packages Affected: net-analyzer/tcpdump versions prior to tcpdump-3.7.2
Rectification: Synchronize and emerge -u tcpdump, emerge clean.
GLSA Announcement
Advisory

GLSA: mysqlcc

MySQLcc has its configuration and connection files set as world-readable.

Severity: Moderate - Local Information Exposure
Packages Affected: dev-db/mysqlcc versions prior to mysqlcc-0.8.10-r1
Rectification: Synchronize and emerge -u mysqlcc, emerge clean.

New Security Bug Reports

The following new security bugs were posted this week:

gentoo-security

Arthur Britto started a persistent thread on the gentoo-security list by posting a message complaining about GLSAs (Gentoo-Linux Security Announcements) being cross-posted to gentoo-security and gentoo-announce. The discussion quickly split into two camps - those arguing that redundancy in important messages was valuable and those insisting that a clearly defined single channel for GLSAs was more important. The conversation occasionally evolved into discussions about whether using filters and procmail to strip redundant messages was the right way to resolve it, and even included suggestions for setting up a third, dedicated, list for GLSAs. The thread finally concluded with a plea for it to stop along with the official pronouncement that all GLSAs will in the future be posted only to gentoo-announce, and that gentoo-security should be confined to discussions about security issues rather than security announcements.

3. Featured Developer of the Week

Jared H. Hudson

Figure 3.1: Jared H. Hudson

Jared H. Hudson, whom we feature this week, is the x86 QA Coordintor and the x86 stages/GRPs Coordinator as of Gentoo Linux's latest 1.4_rc3 release candidate. This means he's responsible for making sure that the stages and GRPs work properly so that users can install Gentoo Linux. Jared's involvement with Gentoo (which happens to be the first OSS project he has worked on) began with his fixing a bug in a Gentoo package, impressing a senior developer. Accepting a subsequent invitation to join the team, Jared has been handling bug reports like the other developers, especially in PHP, DNS, emacs, and vim - his areas of expertise. He also created use.desc (located in /usr/portage/profiles/), which lists what the use flags in Gentoo do.

Jared's last job was as a Linux sysadmin for a web hosting company that went bankrupt; now he's seeking employment. He lives in Fayetteville, Arkansas (though he would like to move to Europe) with two cats: Script (she's a script kitty) and Frankie, and a dual Athlon 1200 box running Waimea, and often xmms, emacs, gcc, mozilla, and gaim. Jared loves reading and has been playing Magic: the Gathering lately.

4. Heard In The Community

Web Forums

1.4-rc3-triggered Newbie Influx

Even the oldest hands seem to wear a badge saying "I'm friendly to newbies" these days, setting aside an extraordinary amount of patience and helpful advice for the many newcomers attracted by the third release candidate. Is it safe to use? Will it do what my <insert prior Linux distribution> could do? Will it change my life, water the plants, walk the dog? Just ask, somebody will answer without patronizing or spitting gratuitous flames at you:

New Dutch Forum Moderator Needed

The Dutch forum is in need of someone to crack the whip from time to time. Don't worry, they usually behave exceptionally well. It's all about spotting the occasional duplicate thread, making important announcements sticky and looking over the forum's well-being in general. Post applications to this thread or send a personal message to the site admin who originated the call:

New moderator needed

gentoo-user

Gentoo and the LSB

A hot discussion took place recently regarding Gentoo's compliance with the LSB. Currently there are two issues holding Gentoo from being an "LSB Compliant" distribution. The first being that LSB requires the ability to install RPMs on a system. The second offender is that KDE and Gonome are in different directories, and that the LSB standard can easily be scrutinized ATM. A few suggestions on handling the directory hiearchy of the GUI desktops made their way into the thread, which lead to worthwhile explanations of the different parts of a *nix file system. Remembering that both Gentoo and the LSB are new and developing projects, hopes of a brighter future will come. For now, the LSB experiences mixed attitudes within the Gentoo-user community, from enthusiasts to claims that the LSB is, and will always be a " straight jacket".

CFLAGS... Get your CFLAGS...

As long as there is Gentoo, there will be questions about CFLAGS and compiler optimizations. Due to the fact that Gentoo is a source based distribution, and that these sources are likely to be compiled under the direction of a tweaked out penguin, a lot of emphasis is placed on choosing the best set of options for the system's hardware. For most of us the decision is made quickly by using one of the many examples available for all sorts of hardware. To delve further into the subject, and make sense of what these flags actually mean provides a very insightful read. Jason Giangrande's thread not only surfaced many examples , but provided some links to great explanatory resources.

gentoo-dev

Cruft detecting script

Andy Arbon proposed the creation of a cruft detecting script, i.e. a script that would detect all the files that Portage has lost track of and therefore will lay in the filesystem as long as we do not do something about it. A quick hack was posted by Evan Powers but more tuning and exploring seems to be needed with this useful utility.

Open Gentoo Linux Development Positions

John P. Davis posted an announcement saying that Gentoo Linux is recruiting new developers.

man .vs. man-db

James H. Cloos Jr. mentioned that Gentoo is currently using man which seems quite outdated and that man-db seems a better alternative and it is being used by popular GNU/Linux distributions like Debian and Suse.

5. Gentoo International

Vienna Meeting Report

Fortunately, improvisation is second nature for Gentoo users: If you don't know how to solve a problem, you're not worthy of having one in the first place. Last week, the Vienna Gentoo user crowd had to change the venue for their meeting on the fly because the original location's staff, ("presumably blonde"), had managed to misplace the reservation. As it turned out, the neighboring Community Center of the Austrian Communist Party, Cafe 7Stern, was more hospitable, featuring a waitress with strong beliefs ("Better take a beer like everyone else, laddie") and a wacko lady occasionally visiting the Gentoo table asking why the show on stage wasn't about to begin. Latecomers missed the fun because of the location change, but everybody else was visibly enjoying the meeting, and they're already discussing follow-ups. The full account (in German) is posted here.

Figure 5.1: Gentoo users meet in Vienna

New: Romanian IRC Channel

On Thursday last week, Panzerboy announced the creation of a channel for Romanian Gentoo users on the same IRC network as the others: #gentoo-ro on irc.freenode.net. Feel free to /join...

6. Portage Watch

The following stable packages were added to portage this week

app-emulation/goosnes : A GTK+ frontend for Snes9X http://bard.sytes.net/goosnes/
app-emulation/qmamecat : mame catalog and frontend http://www.mameworld.net/mamecat/
app-emulation/visualboyadvance : gameboy, gameboy color, and gameboy advance emulator http://vboy.emuhq.com/
app-games/poopmup : You are now free to fly around the city and poop on passers-by http://sourceforge.net/projects/poopmup/
app-games/zoom : A fast, clean, modern Z-code interpreter for X http://www.logicalshift.demon.co.uk/unix/zoom/
app-games/toppler : reimplemention of Nebulus using SDL http://toppler.sourceforge.net/
app-games/adonthell : roleplaying game engine http://adonthell.linuxgames.com/
app-games/fbg : A tetris-clone written in OpenGL http://home.attbi.com/~furiousjay/code/fbg.html
app-games/fortune-mod-kernelcookies : A collection of funny lines from the Linux kernel http://unattached.i-no.de/software-misc.shtml
app-games/geki3-KXL : 2D length scroll shooting game http://kxl.hn.org/
app-games/gnocatan : A clone of the popular board game The Settlers of Catan http://gnocatan.sourceforge.net/
app-games/gnubg : GNU BackGammon http://www.gnu.org/software/gnubg/gnubg.html
app-games/grande-KXL : It is a ZANAC type game http://kxl.hn.org/
app-games/pyddr : Dance Dance Revolution! You need this game more than Frozen Bubble http://www.icculus.org/pyddr/
app-games/pyddr-songs : Music for the pyDDR game http://icculus.org/pyddr/
app-games/tuxmathscrabble : math-version of the popular board game for children 4-10 http://sourceforge.net/projects/tuxmathscrabble/
app-games/wastesedge : role playing game to showcase the adonthell engine http://adonthell.linuxgames.com/
app-games/wtf : translates acronyms for you http://www.mu.org/~mux/wtf/
app-games/wumpus : Classic Hunt the Wumpus Adventure Game http://cvsweb.netbsd.org/bsdweb.cgi/src/games/wump/
app-games/crimson : tactical war game in the tradition of Battle Isle http://www.lanipage.de/jens/
app-games/groundhog : Kids card/puzzle game http://home-2.consunet.nl/~cb007736/groundhog.html
app-games/matritsa : Kids card/puzzle game http://imagic.weizmann.ac.il/~dov/freesw/matritsa.html
app-i18n/imhangul : Gtk+-2.0 Hangul Input Modules http://imhangul.kldp.net/
app-i18n/imhangul_status_applet : Status Applet for imhangul http://imhangul.kldp.net/
app-misc/banner : The well known banner program for linux http://cedar-solutions.com
app-misc/cdctl : Utility to control your cd/dvd drive http://cdctl.sourceforge.net/
dev-db/mysqlcc : a MySQL GUI Client http://www.mysql.com/
dev-libs/dvacm4 : dvacm4 provides autoconf macros used by the dv* C++ utilities http://tinf2.vub.ac.be/~dvermeir/software/dv/dvacm/html/
dev-libs/dvcgi : dvcgi provides a C++ interface for C++ cgi programs http://tinf2.vub.ac.be/~dvermeir/software/dv/dvcgi/html/
dev-libs/dvenv : dvenv provides polymorphic tree-structured environments, generalizing the Dv::Util::Props class http://tinf2.vub.ac.be/~dvermeir/software/dv/dvenv/html/
dev-libs/dvmysql : dvmysql provides a C++ interface to mysql http://tinf2.vub.ac.be/~dvermeir/software/dv/dvmysql/html/
dev-libs/dvnet : dvnet provides an interface wrapping sockets into streams http://tinf2.vub.ac.be/~dvermeir/software/dv/dvnet/html/
dev-libs/dvssl : dvssl provides a simple interface to openssl http://tinf2.vub.ac.be/~dvermeir/software/dv/dvssl/html/
dev-libs/dvthread : dvthread provides classes for threads and monitors, wrapped around the posix thread library http://tinf2.vub.ac.be/~dvermeir/software/dv/dvthread/html/
dev-libs/dvutil : dvutil provides some general C++ utility classes for files, directories, dates, property lists, reference counted pointers, number conversion etc. http://tinf2.vub.ac.be/~dvermeir/software/dv/dvutil/html/
dev-tcltk/tclgpgme : Tcl/Tk libraries to gpgme. http://beepcore-tcl.sourceforge.net/
dev-tcltk/tcllib : Tcl Standard Library. http://www.tcl.tk/software/tcllib/
dev-tcltk/tclxml-expat : Tcl wrapper libraries for expat XML parser. http://tclxml.sourceforge.net/
dev-tcltk/tkTheme : Tcl/Tk Theming library. http://www.xmission.com/~georgeps/Tk_Theme/other/
dev-tcltk/tkXwin : Tcl/Tk library to detect idle periods of an X session. http://beepcore-tcl.sourceforge.net/
dev-tcltk/tls : TLS OpenSSL extension to Tcl. http://tls.sourceforge.net/
media-libs/fmod : music and sound effects library, and a sound processing system http://www.fmod.org/
gnome-extra/fontilus : Fontviewer for Nautilus http://www.gnome.org/
net-im/tkabber : Featurefull Jabber client for tcl/tk. http://www.jabber.ru/projects/tkabber/index_en.html
net-irc/konversation : A user friendly IRC Client for KDE3.x http://konversation.sourceforge.net
net-news/knews : A threaded newsreader for X. http://www.matematik.su.se/~kjj/
net-www/mini_httpd : Small forking webserver with optional ssl and ipv6 support http://www.acme.com/software/mini_httpd/
net-www/monkeyd : fast, efficient, (REALLY) small, and easy to configure web server http://monkeyd.sourceforge.net/
sys-kernel/gaming-sources : Full sources for the Gentoo gaming-optimized kernel http://members.optusnet.com.au/ckolivas/kernel/
x11-terms/kuake : A Quake-style terminal emulator http://www.nemohackers.org/index.php?p=kuake
media-sound/id3ed : id3ed is an ID3 tag editor for mp3 files. You can set tags interactively or from the command line, or a combination of both. id3ed can set genre by name or number. You can also remove or view tags. http://www.azstarnet.com/~donut/programs/id3ed.html
media-sound/liteamp : Liteamp - yet another light-weight ogg and mp3 player for gnome http://liteamp.kldp.net
media-sound/takcd : Command line CD player http://bard.sytes.net/takcd/
media-sound/timidity++ : A handy MIDI to WAV converter with OSS and ALSA output support http://www.goice.co.jp/member/mo/timidity/
media-sound/waif : Why Another Infernal Frontend -- console front end for various media-players http://eds.org/~straycat
media-video/filmgimp : motion picture editing tool used for painting and retouching of movies http://filmgimp.org/
media-video/gxine : GTK+ Front-End for libxine http://xine.sourceforge.net/
media-video/kmplayer : MPlayer frontend for KDE http://www.xs4all.nl/~jjvrieze/kmplayer.html

Updates to notable packages

sys-apps/portage - portage-2.0.47-r8.ebuild;
sys-devel/gcc - gcc-3.2.2-r3.ebuild;
sys-libs/glibc - glibc-2.3.2.ebuild;
x11-base/xfree - xfree-4.3.0.ebuild;
sys-kernel/* - ac-sources-2.4.21_pre5-r1.ebuild; ac-sources-2.4.21_pre5-r2.ebuild; ck-sources-2.4.20-r4.ebuild; development-sources-2.5.64.ebuild; gaming-sources-2.4.20.ebuild; gs-sources-2.4.21_pre5.ebuild; lolo-sources-2.4.20.2_pre3.ebuild; lolo-sources-2.4.20.2_pre4.ebuild; mm-sources-2.5.63-r2.ebuild; mm-sources-2.5.64-r1.ebuild; mm-sources-2.5.64-r2.ebuild; ppc-sources-benh-2.4.20-r7.ebuild; ppc-sources-benh-2.4.20-r8.ebuild; redhat-sources-2.4.20.2.48-r1.ebuild; sparc-sources-2.4.20-r4.ebuild; usermode-sources-2.4.19-r49.ebuild; usermode-sources-2.4.19-r50.ebuild; usermode-sources-2.4.19-r51.ebuild; usermode-sources-2.4.20-r1.ebuild;
dev-db/mysql - mysql-3.23.54a-r1.ebuild; mysql-4.0.11a.ebuild;
sys-devel/perl - perl-5.8.0-r10.ebuild;
dev-db/postgresql - postgresql-7.3.2.ebuild;
app-admin/gentoolkit - gentoolkit-0.1.19-r1.ebuild; gentoolkit-0.1.19-r2.ebuild; gentoolkit-0.1.19.ebuild;

New USE variables

dvb - Enables support for Digital Video Broadcast (DVB) cable/satelite TV cards

7. Bugzilla

Summary

Statistics
Closed Bug Ranking
New Bug Rankings

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

263 new bugs this week
459 bugs closed or resolved this week
7 previously closed bugs were reopened this week.
1971 total bugs currently marked 'new'
485 total bugs currently assigned to developers

There are currently 2517 bugs open in bugzilla. Of these: 60 are labeled 'blocker', 92 are labelled 'critical', and 174 are labelled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

The x86 Kernel Team, with 64 new bugs
Martin Schlemmer, with 19 new bugs
Jay Pfeifer, with 18 new bugs
Nicholas Jones, with 16 new bugs
Seemant Kulleen, with 11 new bugs

8. Tips and Tricks

Creating a Certificate Authority (CA)

This week's tip shows you how to create your own Certificate Authority used for signing SSL certificates.

The first step is to create your new CA certificate.

Code Listing 1.1: Establishing CA certificates

# cd /etc/ssl
# ./misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
............++++++
............................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:<your password>
Verifying password - Enter PEM pass phrase:<your password (again)>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<your country>
State or Province Name (full name) [Some-State]:<your state/province>
Locality Name (eg, city) []:<your city>
Organization Name (eg, company) [Internet Widgets Pty Ltd]:<your company name>
Organizational Unit Name (eg, section) []:<your department>
Common Name (eg, YOUR name) []:<your name>
Email Address []:<your email>

You now have your own CA with which to sign certificates. Your CA public key is /etc/ssl/demoCA/cacert.pem and your private key is /etc/ssl/demoCA/private/cakey.pem.

Note: When using a certificate signed by your CA, you may get an error about an untrusted CA. In this case, you'll need to publish your CA public key to the client.

9. Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team: