Gentoo Weekly Newsletter: March 17th, 2003
Update from the Game Developers Conference As reported earlier, Gentoo Linux was present at the recent Game Developers Conference as an official member of the NVIDIA booth. Dean Bailey was Gentoo's official representative and was joined by Emmett Plant, CEO of Xiph.org. Between Dean, Emmet and the compelling combination of Unreal Tournament 2003 and Gentoo, the conference was a success and introduced many game developers to the wonders of Gentoo Linux.
It's hard to believe that the Gentoo Weekly Newsletter is now almost four months old. The ride so far has been a mixture of fun, frustration and plenty of excitement. Each week, we get several emails commenting on how much people enjoy the GWN which is a great help in keeping the GWN team motivated. In an effort to maintain the quality and comprehensiveness that our readers have come to expect from the GWN, we need your help in filling the following positions on our team:
If you're interested in one of the positions above, please send us an email at gwn-feedback@gentoo.org. Remember that it's folks like you that make the GWN possible. rsync.gentoo.org shows signs of strain as Gentoo Linux continues to grow As most Gentoo Linux users know, rsync.gentoo.org is a very important domain name. What many people don't know, however, is exactly how rsync.gentoo.org works. Currently, rsync.gentoo.org resolves to one of 20 different IP addresses through a process known as DNS round robin resolution. This essentially is a way of randomly distributing the load of rsync.gentoo.org across multiple servers globally. As Gentoo Linux continues to grow, we've continued to add rsync mirrors to our rotation as generous Gentoo users donate their servers and bandwidth to host a mirror of our Portage tree. This past week, Gentoo Linux hit an unusual problem as the number of rsync mirrors in the rsync.gentoo.org rotation increased to the point where the total query response packet size became too large for UDP to handle, causing DNS to fall back on TCP to transmit the larger packet size. Despite the fact that this is perfectly valid behavior according to RFC 1035, many firewalls are still configured to block TCP traffic on port 53. This caused some problems among the Gentoo user community as some folks found themselves unable to resolve rsync.gentoo.org, which also meant they were unable to successfully run emerge sync. As a short-term solution, the number of rsync mirrors in the rsync.gentoo.org rotation was reduced to allow responses to be sent over UDP. As Gentoo Linux continues to grow, however, this will not be a permanent solution. Instead, we're working on two longer-term solutions:
Gentoo Linux launches a "hardened Gentoo" effort An official effort to build a hardened version of Gentoo Linux was launched this week. Built using many of the userland tools, as well as the access controls currently available in Security-Enhanced Linux, this effort should be of interest to anyone running a Gentoo server in an environment that demands a higher level of security. Anyone interested in participating in this effort should sign up on the gentoo-hardened mailing list. Based on requests from Gentoo Linux users, the number of items available at the Gentoo Linux Merchandise Online Store has increased significantly. From posters to golf shirts to bumper stickers, now you can show off Gentoo Linux just about anywhere. Prices have also been reduced on many items as well. Remember that each item purchased from the official online store directly supports the continued development of Gentoo Linux.
The ethereal network monitor application contains a string overflow vulnerability in its SOCKS dissector and a heap overflow in its NTLMSSP code. These vulnerabilities could be used to crash or run arbitrary code under the privileges of the ethereal service by passing a carefully crafted network packet.
A patch which cumulatively resolves several buffer overflows and sandbox violations in Macromedia Flash players has been released. These vulnerabilities could theoretically be used to gain remote access to a target computer. No exploits have been demonstrated.
The file(1) command contains a buffer overflow vulnerability that could be used to execute arbitrary code under the privileges of the target user.
The following new security bugs were posted this week: 3. Featured Developer of the Week Grant Goodyear
Grant Goodyear is an old timer at Gentoo - quite possibly the only current developer who has been with the project longer is Daniel Robbins himself. Grant, who had been using OpenBSD for scientific computing at work found out about Gentoo through Drobbins' articles at IBM's DeveloperWorks. At the time (about three years ago) #gentoo was a channel with only a dozen or so regulars, the 'ebuild' command existed but 'emerge', with its dependency checking did not, there were only a couple hundred packages, the gentoo-dev@gentoo.org mailing list was the bug tracker, and the only real source of information on writing ebuilds was 'man 5 ebuild'. Like many others who eventually became developers, Grant fixed bugs and wrote packages until the lead developers (then just Achim Gottinger and Drobbins) got tired of committing his changes and asked him to become a developer. Now he's a Senior Development Manager, a trouble shooter and occasional source of advice to younger developers. Grant wrote the Desktop Configuration Guide back when Gentoo upgrades meant a new install so that he could recreate his setup each time. He also edited the Install Instructions which countless users have now used to set Gentoo up more or less from scratch on their machines. Grant is an Assistant Professor of Chemistry at Clemson University in South Carolina who publishes all his results in freely (as in speech) available, open scientific journals. He's a theoretical chemist, so he spends a lot of his time using computers (all running Linux) to model chemical processes occurring in liquids. He teaches Physical Chemistry 2, which comprises chemical kinetics, quantum mechanics, statistical mechanics, and spectroscopy to undergraduates who would prefer that understanding the world didn't involve so much math. Grant is forced to run Red Hat on his 16-processor cluster, but his P4 and dual Athlon workstations, web/dns server, laptop, and home desktop all run Gentoo. He uses Fluxbox as his WM, screen with irssi for IRC, konqueror for reading 'ebuild(5)', vim, galeon, evolution, and squirrelmail. He feels obligated to use sendmail because he wrote the ebuild for it, but actually prefers postfix. Grant likes to read science fiction with good character development and happy endings. In his less-than-copious spare time he calls Contra dances. He just got married a few weeks ago, and has accumulated many frequent flier miles visiting his wife Sarah in Houston, Texas from his home in Greenville, South Carolina. Small Inconveniences Success can be a burden, everybody knows that. The Forums, being particularly successful, have had their shares of load problems, and solutions will have to be found rather quickly by switching to a more powerful hardware platform. While efforts are under way, site admin rac has put the brake on a few features that were responsible for bringing down the Forum's performance, notably the number of thread views that is no longer being updated, the list of people being simultaneously online not sorted alphabetically anymore, and a limitation to ego-searches that now includes only the last two weeks of an individual's post count: Kernel Sources - Which Do What? Things were quite easy in the early days of Gentoo with just a handful of kernel source packages to choose from, but the variety of different patchsets, special purpose kernels and platforms at the end of a simple "emerge ***-sources" has grown completely out of proportion. Over the last week, a few descriptions have been put together to update the FAQ about kernel sources in Gentoo, creating a rather impressive document. Still a few blanks to be filled in if you care to add to the knowledge base: Embarrassing DistroWatch Cheat Attempt A particularly stupid git has managed to jeopardize Gentoo's reputation by rigging the page view count on DistroWatch, Ladislav Bodnar's well-known list of available Linux distributions. In Ladislav's words: "Now come on, folks! It's just a page hit ranking, it simply monitors how many times a distribution page gets viewed, nothing more! It's not meant to be taken seriously, which I've stated many times - to no avail". Some people are just hopeless: Mozilla and Java, continued... The classic tale of Mozilla's distaste for a cup of joe on a Gentoo linux system has returned to the gentoo-user list this week. It seems that the lizard has plenty of pent up fire to warrant the use of caffeine. Fortunately this weeks telling contained many success stories on how Gentoo'ers managed to pair the two up. Examples were given for both Sun and Blackdown's JDK integration into Mozilla's plugins. These should provide any Gentoo'er the opportunity to take a crack at games.yahoo.com in no time. Portage-2.0.47-r10 Out for Testing Small changes to the portage system have been coming along this week. Changes include minor corrections and alterations, but also additional features. All of this can be looked up in the changelog, of course. However one new option worth special mention is the change to etc-update that allows for automerging of the config files. So from now on when the occasional emerge -u world is complete and all you have left to do is the etc-update, just let the new automerge feature do the work for you! It should be ready for tests so don't hold back on the feedback. And a little reminder, if something isn't quite as it should be after the etc-update. Try env-update and source /etc/profile both as root. GLSAs and an Automatic Security Package Tool Ideas are forming about the Portage system somehow growing to include the GLSAs. This week has seen a small discussion about how it could come to life. The Gentoo Linux Security Announcements, as you all know, inform us when holes in software packages become a security hazard. And the general consensus is that it would be a very powerful tool if the portage system could not only update packages for us but also apply those very needed security patches. Or maybe even entirely mask them out and only allow for updates to packages with no known security risks. Anyway, I don't think it is too much to say that it would be a most welcome twist to Gentoo! New Dutch Forum Moderators Announced Two new moderators, one Belgian, one Dutch, have been assigned to supervise the Netherlands forum. Long-time Forum dweller Garo and developer Foser have gracefully accepted to split the task between them. The following stable packages were added to portage this week
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:
There are currently 2586 bugs open in bugzilla. Of these: 66 are labelled 'blocker', 87 are labelled 'critical', and 185 are labelled 'major'. The developers and teams who have closed the most bugs this week are:
The developers and teams who have been assigned the most new bugs this week are:
Using a localized rsync mirror rotation. This week's tip shows you how to take advantage of the new country and continent-specific round robin rsync mirror rotations. The first step is to determine if your country has a round robin rotation assigned to it.
Another option is to use the new continent-level rsync mirror rotations. Currently, the following continent rotations are set up:
Once you have identified which rsync mirror you want to use, edit your /etc/make.conf file and place that value in the SYNC variable.
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo Linux team:
The following developers recently changed roles within the Gentoo Linux project.
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email. Please send us your feedback and help make GWN better. The Gentoo Weekly Newsletter is also available in the following languages: |
|
