Gentoo Weekly Newsletter: March 17th, 2003

Content:

1.  Gentoo News

Update from the Game Developers Conference

As reported earlier, Gentoo Linux was present at the recent Game Developers Conference as an official member of the NVIDIA booth. Dean Bailey was Gentoo's official representative and was joined by Emmett Plant, CEO of Xiph.org. Between Dean, Emmett and the compelling combination of Unreal Tournament 2003 and Gentoo, the conference was a success and introduced many game developers to the wonders of Gentoo Linux.


Figure 1.1: Dean Bailey in the jungle hat and Emmett Plant in the suit at the GDC

Fig. 1: Alron and Emmett Plant at the GDC

GWN looking for contributors

It's hard to believe that the Gentoo Weekly Newsletter is now almost four months old. The ride so far has been a mixture of fun, frustration and plenty of excitement. Each week, we get several emails commenting on how much people enjoy the GWN, which is a great help in keeping the GWN team motivated. In an effort to maintain the quality and comprehensiveness that our readers have come to expect from the GWN, we need your help in filling the following positions on our team:

  • Mailing List Coordinator -- Follow the threads on gentoo-user, gentoo-dev and some of the other more popular mailing lists. Work with the other mailing list coordinators to write up a summary of the top 3-4 threads of each list
  • Forums Coordinator -- Follow the forums on the Gentoo Forums. Work with the other mailing list coordinators to write up a summary of the top 3-4 threads on the forums for that week
  • Feature writer -- Have an idea for an article you want to write for the GWN? Let us know!

If you're interested in one of the positions above, please send us an email at gwn-feedback@gentoo.org. Remember that it's folks like you that make the GWN possible.

rsync.gentoo.org shows signs of strain as Gentoo Linux continues to grow

As most Gentoo Linux users know, rsync.gentoo.org is a very important domain name. What many people don't know, however, is exactly how rsync.gentoo.org works. Currently, rsync.gentoo.org resolves to one of 20 different IP addresses through a process known as DNS round robin resolution. This essentially is a way of randomly distributing the load of rsync.gentoo.org across multiple servers globally. As Gentoo Linux continues to grow, we've continued to add rsync mirrors to our rotation as generous Gentoo users donate their servers and bandwidth to host a mirror of our Portage tree.

This past week, Gentoo Linux hit an unusual problem as the number of rsync mirrors in the rsync.gentoo.org rotation increased to the point where the total query response packet size became too large for UDP to handle, causing DNS to fall back on TCP to transmit the larger packet size. Despite the fact that this is perfectly valid behavior according to RFC 1035, many firewalls are still configured to block TCP traffic on port 53. This caused some problems among the Gentoo user community as some folks found themselves unable to resolve rsync.gentoo.org, which also meant they were unable to successfully run emerge sync.
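
The size arithmetic behind this, as an added example (not from the newsletter or the Gentoo infrastructure team): it builds an RFC 1035 response for rsync.gentoo.org, counts how many A records fit in the 512-byte UDP limit, and sets the TC bit when they do not. The 192.0.2.x addresses, the message ID, the 300-second TTL and the other_bytes allowance for authority/additional records are constructed assumptions.

```python
import struct

UDP_LIMIT = 512    # RFC 1035: largest DNS message carried over UDP
TC_FLAG = 0x0200   # "truncated" bit; tells the resolver to retry over TCP
RR_SIZE = 16       # compressed name (2) + type, class, TTL, rdlength (10) + IPv4 (4)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def a_record(addr, ttl=300):
    """One answer RR whose owner name is a pointer to the QNAME at offset 12."""
    rdata = bytes(int(octet) for octet in addr.split("."))
    return struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata

def max_a_records(name, other_bytes=0, limit=UDP_LIMIT):
    """How many A records fit after the header, question and other sections."""
    room = limit - 12 - (len(encode_name(name)) + 4) - other_bytes
    return max(room, 0) // RR_SIZE

def build_response(name, addrs, other_bytes=0, limit=UDP_LIMIT):
    """Return (message, truncated) for an A query answered over UDP.

    other_bytes only reserves space for authority/additional records
    (an assumption to model a fuller response; they are not encoded).
    This sketch keeps the answers that fit; real servers may differ.
    """
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    keep = min(len(addrs), max_a_records(name, other_bytes, limit))
    truncated = keep < len(addrs)
    flags = 0x8400 | (TC_FLAG if truncated else 0)           # QR=1, AA=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, keep, 0, 0)
    return header + question + b"".join(a_record(a) for a in addrs[:keep]), truncated

def sample_addrs(n):
    """Constructed mirror addresses from the 192.0.2.0/24 documentation range."""
    return [f"192.0.2.{i}" for i in range(1, n + 1)]

if __name__ == "__main__":
    name = "rsync.gentoo.org"
    for n in (20, 29, 30):
        msg, tc = build_response(name, sample_addrs(n))
        print(f"{n} mirrors: {len(msg)} bytes on the wire, TC={'set' if tc else 'clear'}")
    # Constructed allowance of 150 bytes for NS and glue records
    print("fits with 150 extra bytes:", max_a_records(name, other_bytes=150))
```

A resolver that receives the TC bit retries over TCP port 53, which is the step a firewall that only permits UDP port 53 breaks.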

As a short-term solution, the number of rsync mirrors in the rsync.gentoo.org rotation was reduced to allow responses to be sent over UDP. As Gentoo Linux continues to grow, however, this will not be a permanent solution. Instead, we're working on two longer-term solutions:

  • Migrating to the use of continent and country codes for rsync mirror rotations. Please see this week's Tips & Tricks section for examples on how to set up your box to use this new system.
  • Changing our core DNS infrastructure to allow the continued expansion of the rsync.gentoo.org rotation without causing the response packet to become too large. Look for more information about this in a future version of the Gentoo Weekly Newsletter.

Gentoo Linux launches a "hardened Gentoo" effort

An official effort to build a hardened version of Gentoo Linux was launched this week. Built using many of the userland tools, as well as the access controls currently available in Security-Enhanced Linux, this effort should be of interest to anyone running a Gentoo server in an environment that demands a higher level of security.

Anyone interested in participating in this effort should sign up on the gentoo-hardened mailing list.

New items at the Gentoo Store

Based on requests from Gentoo Linux users, the number of items available at the Gentoo Linux Merchandise Online Store has increased significantly. From posters to golf shirts to bumper stickers, now you can show off Gentoo Linux just about anywhere. Prices have also been reduced on many items. Remember that each item purchased from the official online store directly supports the continued development of Gentoo Linux.

2.  Gentoo Security

GLSA: ethereal

The ethereal network monitor application contains a string overflow vulnerability in its SOCKS dissector and a heap overflow in its NTLMSSP code. These vulnerabilities could be used to crash or run arbitrary code under the privileges of the ethereal service by passing a carefully crafted network packet.

  • Severity: High - Remote DOS, code execution.
  • Packages Affected: net-analyzer/ethereal versions prior to ethereal-0.9.10
  • Rectification: Synchronize and emerge ethereal, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: netscape-flash

A patch which cumulatively resolves several buffer overflows and sandbox violations in Macromedia Flash players has been released. These vulnerabilities could theoretically be used to gain remote access to a target computer. No exploits have been demonstrated.

  • Severity: High - Remote code execution.
  • Packages Affected: net-www/netscape-flash versions prior to netscape-flash-6.0.79
  • Rectification: Synchronize and emerge netscape-flash, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: file

The file(1) command contains a buffer overflow vulnerability that could be used to execute arbitrary code under the privileges of the target user.

  • Severity: Moderate - Privilege elevation, mitigated by requirement for target participation.
  • Packages Affected: sys-apps/file versions prior to file-3.4.1
  • Rectification: Synchronize and emerge file, emerge clean.
  • GLSA Announcement
  • Advisory

New Security Bug Reports

The following new security bugs were posted this week:

3.  Featured Developer of the Week

Grant Goodyear


Figure 3.1: Grant Goodyear, aka g2boojum

Grant Goodyear is an old timer at Gentoo - quite possibly the only current developer who has been with the project longer is Daniel Robbins himself. Grant, who had been using OpenBSD for scientific computing at work, found out about Gentoo through Drobbins' articles at IBM's DeveloperWorks. At the time (about three years ago) #gentoo was a channel with only a dozen or so regulars, the 'ebuild' command existed but 'emerge', with its dependency checking, did not, there were only a couple hundred packages, the gentoo-dev@gentoo.org mailing list was the bug tracker, and the only real source of information on writing ebuilds was 'man 5 ebuild'. Like many others who eventually became developers, Grant fixed bugs and wrote packages until the lead developers (then just Achim Gottinger and Drobbins) got tired of committing his changes and asked him to become a developer. Now he's a Senior Development Manager, a troubleshooter and occasional source of advice to younger developers. Grant wrote the Desktop Configuration Guide back when Gentoo upgrades meant a new install so that he could recreate his setup each time. He also edited the Install Instructions, which countless users have now used to set Gentoo up more or less from scratch on their machines.

Grant is an Assistant Professor of Chemistry at Clemson University in South Carolina who publishes all his results in freely (as in speech) available, open scientific journals. He's a theoretical chemist, so he spends a lot of his time using computers (all running Linux) to model chemical processes occurring in liquids. He teaches Physical Chemistry 2, which comprises chemical kinetics, quantum mechanics, statistical mechanics, and spectroscopy to undergraduates who would prefer that understanding the world didn't involve so much math. Grant is forced to run Red Hat on his 16-processor cluster, but his P4 and dual Athlon workstations, web/dns server, laptop, and home desktop all run Gentoo. He uses Fluxbox as his WM, screen with irssi for IRC, konqueror for reading 'ebuild(5)', vim, galeon, evolution, and squirrelmail. He feels obligated to use sendmail because he wrote the ebuild for it, but actually prefers postfix.

Grant likes to read science fiction with good character development and happy endings. In his less-than-copious spare time he calls Contra dances. He just got married a few weeks ago, and has accumulated many frequent flier miles visiting his wife Sarah in Houston, Texas from his home in Greenville, South Carolina.

4.  Heard In The Community

Web Forums

Small Inconveniences

Success can be a burden, everybody knows that. The Forums, being particularly successful, have had their share of load problems, and solutions will have to be found rather quickly by switching to a more powerful hardware platform. While efforts are under way, site admin rac has put the brake on a few features that were responsible for bringing down the Forum's performance: the number of thread views is no longer being updated, the list of people simultaneously online is no longer sorted alphabetically, and ego-searches are now limited to the last two weeks of an individual's post count.

Kernel Sources - Which Do What?

Things were quite easy in the early days of Gentoo with just a handful of kernel source packages to choose from, but the variety of different patchsets, special purpose kernels and platforms at the end of a simple "emerge ***-sources" has grown completely out of proportion. Over the last week, a few descriptions have been put together to update the FAQ about kernel sources in Gentoo, creating a rather impressive document. Still a few blanks to be filled in if you care to add to the knowledge base:

Embarrassing DistroWatch Cheat Attempt

A particularly stupid git has managed to jeopardize Gentoo's reputation by rigging the page view count on DistroWatch, Ladislav Bodnar's well-known list of available Linux distributions. In Ladislav's words: "Now come on, folks! It's just a page hit ranking, it simply monitors how many times a distribution page gets viewed, nothing more! It's not meant to be taken seriously, which I've stated many times - to no avail". Some people are just hopeless:

gentoo-user

Mozilla and Java, continued...

The classic tale of Mozilla's distaste for a cup of joe on a Gentoo Linux system has returned to the gentoo-user list this week. It seems that the lizard has plenty of pent-up fire to warrant the use of caffeine. Fortunately, this week's telling contained many success stories on how Gentoo'ers managed to pair the two up. Examples were given for both Sun and Blackdown's JDK integration into Mozilla's plugins. These should provide any Gentoo'er the opportunity to take a crack at games.yahoo.com in no time.

gentoo-dev

Portage-2.0.47-r10 Out for Testing

Small changes to the Portage system have been coming along this week. Changes include minor corrections and alterations, but also additional features. All of this can be looked up in the changelog, of course. However, one new option worth special mention is the change to etc-update that allows for automerging of the config files. So from now on, when the occasional emerge -u world is complete and all you have left to do is the etc-update, just let the new automerge feature do the work for you! It should be ready for tests, so don't hold back on the feedback.

And a little reminder: if something isn't quite as it should be after the etc-update, try env-update and source /etc/profile, both as root.

GLSAs and an Automatic Security Package Tool

Ideas are forming about the Portage system somehow growing to include the GLSAs. This week has seen a small discussion about how it could come to life. The Gentoo Linux Security Announcements, as you all know, inform us when holes in software packages become a security hazard. The general consensus is that it would be a very powerful tool if the Portage system could not only update packages for us but also apply those much-needed security patches, or maybe even mask affected packages out entirely and only allow updates to packages with no known security risks. Anyway, I don't think it is too much to say that it would be a most welcome twist to Gentoo!

5.  Gentoo International

New Dutch Forum Moderators Announced

Two new moderators, one Belgian, one Dutch, have been assigned to supervise the Netherlands forum. Long-time Forum dweller Garo and developer Foser have gracefully accepted to split the task between them.

6.  Portage Watch

The following stable packages were added to portage this week

Updates to notable packages

  • sys-apps/portage - portage-2.0.47-r10.ebuild;
  • x11-base/xfree - xfree-4.3.0-r1.ebuild;
  • sys-kernel/* - ac-sources-2.4.21_pre5-r3.ebuild; gaming-sources-2.4.20-r1.ebuild; lolo-sources-2.4.20.2_pre5.ebuild; mm-sources-2.5.64-r4.ebuild; mm-sources-2.5.64-r5.ebuild; mm-sources-2.5.64-r6.ebuild; wolk-sources-4.0_rc2.ebuild; wolk-sources-4.0_rc3.ebuild;
  • dev-db/mysql - mysql-4.0.11a-r1.ebuild;
  • app-admin/gentoolkit - gentoolkit-0.1.19-r3.ebuild;

New USE variables

  • lirc - Adds support for lirc (Linux's Infra-Red Remote Control)

7.  Bugzilla

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 284 new bugs this week
  • 417 bugs closed or resolved this week
  • 6 previously closed bugs were reopened this week.
  • 2047 total bugs currently marked 'new'
  • 479 total bugs currently assigned to developers

There are currently 2586 bugs open in bugzilla. Of these: 66 are labelled 'blocker', 87 are labelled 'critical', and 185 are labelled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

8.  Tips and Tricks

Using a localized rsync mirror rotation.

This week's tip shows you how to take advantage of the new country and continent-specific round robin rsync mirror rotations.

The first step is to determine if your country has a round robin rotation assigned to it.

Code Listing 1.1: Using host to determine country-specific gentoo domains

$ host rsync.no.gentoo.org
rsync.no.gentoo.org has address 80.239.42.138

If your country doesn't have an rsync mirror rotation set up yet, you'll see something like the following:

Code Listing 1.1: Not all countries have rsync mirrors yet

$ host rsync.mx.gentoo.org
Host rsync.mx.gentoo.org not found: 3(NXDOMAIN)

Note: You'll need to emerge the bind-tools package in order to use host

Note: Not sure what your two-letter country code is? Here is the official list.

Another option is to use the new continent-level rsync mirror rotations. Currently, the following continent rotations are set up:

  • rsync.namerica.gentoo.org -- North America
  • rsync.samerica.gentoo.org -- South America
  • rsync.europe.gentoo.org -- Europe
  • rsync.asia.gentoo.org -- Asia
  • rsync.au.gentoo.org -- Australia (same as the country code)

Once you have identified which rsync mirror you want to use, edit your /etc/make.conf file and place that value in the SYNC variable.

Code Listing 1.1: SYNC set to use the rsync.us.gentoo.org rotation

SYNC="rsync://rsync.us.gentoo.org/gentoo-portage/"
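
The steps above as one script, added here as an example and not part of the newsletter: it tries the country rotation, falls back to a continent rotation and then to rsync.gentoo.org, and rewrites the SYNC line. The function names, the injectable resolver and the sample make.conf text are assumptions made for illustration.

```python
import re
import socket

# Continent rotations listed in this newsletter
CONTINENTS = {"namerica", "samerica", "europe", "asia", "au"}

def resolves(host):
    """True if the name has an address record (the check `host` performs)."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def pick_rotation(country, continent, resolver=resolves):
    """Country rotation if it exists, else the continent one, else the global one."""
    candidates = []
    # Accept only a two-letter code so arbitrary text never ends up in a hostname
    if re.fullmatch(r"[a-z]{2}", country or ""):
        candidates.append(f"rsync.{country}.gentoo.org")
    if continent in CONTINENTS:
        candidates.append(f"rsync.{continent}.gentoo.org")
    for host in candidates:
        if resolver(host):
            return host
    return "rsync.gentoo.org"

def set_sync(make_conf_text, host):
    """Replace the SYNC line in make.conf text, or append one if none is set."""
    line = f'SYNC="rsync://{host}/gentoo-portage/"'
    new, count = re.subn(r"(?m)^[ \t]*SYNC=.*$", lambda m: line, make_conf_text)
    if count:
        return new
    return make_conf_text.rstrip("\n") + "\n" + line + "\n"

if __name__ == "__main__":
    # Constructed stand-in for DNS so the demo runs offline
    existing = {"rsync.no.gentoo.org", "rsync.namerica.gentoo.org"}
    lookup = lambda h: h in existing
    conf = 'USE="X gtk"\nSYNC="rsync://rsync.gentoo.org/gentoo-portage/"\n'
    for cc, cont in (("no", "europe"), ("mx", "namerica")):
        host = pick_rotation(cc, cont, resolver=lookup)
        print(cc, "->", host)
        print(set_sync(conf, host), end="")
```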

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week

Adds

The following developers recently joined the Gentoo Linux team:

  • Patrick Kursawe (phosphan) -- bug fixes and miscellaneous stuff
  • Sven Vermeulen (SwifT) -- Dutch documentation

Changes

The following developers recently changed roles within the Gentoo Linux project.

  • none this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:



Page updated 17 March 2003

Summary: This is the Gentoo Weekly Newsletter for the week of March 17th, 2003.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Kim Tingkaer
Contributor

Mathy Vanvoorden
Dutch Translation

Tom Van Laerhoven
Dutch Translation

Roel Adriaans
Dutch Translation

Peter Dijkstra
Dutch Translation

Nicolas Ledez
French Translation

Guillaume Plessis
French Translation

John Berry
French Translation

Martin Prieto
French Translation

Michael Kohl
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Thomas Raschbacher
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Daniel Ketel
Japanese Translation

Yoshiaki Hagihara
Japanese Translation

Andy Hunne
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Yasunori Fukudome
Japanese Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Gustavo Felisberto
Portuguese (Portugal) Translation

Ricardo Jorge Louro
Portuguese (Portugal) Translation

Lanark
Spanish Translation

Rafael Cordones Marcos
Spanish Translation

Julio Castillo
Spanish Translation

Sergio Gómez
Spanish Translation

Pablo Pita Leira
Spanish Translation

Carlos Castillo
Spanish Translation

Tirant
Spanish Translation

Jaime Freire
Spanish Translation

Lucas Sallovitz
Spanish Translation

Copyright 2001-2014 Gentoo Foundation, Inc.