Gentoo Weekly Newsletter: March 24th, 2003
1.
Gentoo News
Summary
A question we hear a lot from Gentoo users is, "How can I become a member of the Gentoo development team?" Largely, the answer to this question is simply to start assisting the development process as a user. This can be done via numerous ways, most of which involve bugs.gentoo.org to an extent. Submitting bug fixes for existing bugs on a consistent basis is one sure way to get the attention of the Gentoo developers. Additionally, consistently submitting new ebuilds is another way. As you may have noticed, consistency is an important part of the overall process.
For those folks who still want to become a developer, but aren't kernel hacking gurus or python mongers, helping with the development of Gentoo's documentation is another area where users can contribute and become members of the team. Whether it's creating new documents or assisting in translating existing documents into other languages, the quality of our Documentation is a critical part of the overall success of Gentoo Linux.
Finally, as the Gentoo Linux project continues to grow, other types of roles, such as GWN contributors and infrastructure people, may become available as well. They will be announced here in the Gentoo Weekly Newsletter on an as-needed basis. So for those of you interested in becoming part of the Gentoo Linux team, take a crack at some open bugs, create new ebuilds or help out with documentation. Regular contributors will get noticed!
Changes in the way Gentoo Linux supports CFLAGS
CFLAGS have always been an important part of the Gentoo Linux hacker's toolkit. Tweaking CFLAGS to eke out every last drop of performance is a technique that is used by many, but fully understood by few. Many of the bugs filed on bugs.gentoo.org are directly caused by overly aggressive CFLAGS in a user's make.conf file. One of the ways that the Gentoo Linux developers deal with this is by stripping out certain CFLAGS in ebuilds where they are known to cause problems. (Most kernel modules, for instance, don't like the -fPIC option.) However, this is handled on a case-by-case basis, which is not a long-term solution.
In an effort to come up with a long-term solution, the various options were discussed on the internal Gentoo Linux developers' mailing list. In the end, the decision was reached to come up with a list of safe CFLAGS that will be officially supported by Gentoo Linux. This means that if you use one of these flags and have problems with it, it will be considered a valid bug in Gentoo Linux. Users are still free to try any and all other CFLAGS as they see fit, but bugs filed in relation to those options may not be considered valid, and the user may be asked to try less aggressive optimization settings when compiling that specific program. Over time, as gcc continues to mature, the list of officially supported CFLAGS will be reviewed and added to as appropriate, with the goal being to support as many -f options as possible without overwhelming our QA and bugfix resources.
To a large extent, this practice of supported vs. unsupported CFLAGS has been in practice for quite some time now. However, now the process will be formalized and the list of supported CFLAGS will be integrated into our installation docs as well as our other documentation where appropriate.
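The two approaches described above, the case-by-case stripping done in ebuilds today and the whitelist of supported flags that is being formalized, can both be expressed as a few lines of POSIX sh. The following is an added example and not Gentoo's own code: the SUPPORTED list is a constructed stand-in for the official list (which the newsletter says is still being drawn up), and treating -march=/-mcpu= as acceptable is an assumption made for illustration.

```shell
#!/bin/sh
# Added example, not Gentoo's own code. SUPPORTED is a constructed stand-in
# for the official list the developers are drawing up; accepting -march=
# and -mcpu= is an assumption for illustration only.
SUPPORTED="-O -O1 -O2 -Os -pipe -fomit-frame-pointer"

# Exit 0 if the flag given as $1 is on the supported list.
is_supported() {
    case "$1" in
        -march=*|-mcpu=*) return 0 ;;
    esac
    for s in $SUPPORTED; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Whitelist approach: print only the supported flags from a CFLAGS string.
filter_cflags() {
    out=""
    for f in $1; do
        is_supported "$f" && out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Print the flags the whitelist removed, so a user can see which settings
# a bug triager would ask them to drop before re-testing a build failure.
dropped_cflags() {
    out=""
    for f in $1; do
        is_supported "$f" || out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Case-by-case approach used in ebuilds today: remove the named flags from
# a CFLAGS string, e.g. -fPIC for a kernel module ebuild.
strip_flags() {
    flags=$1
    shift
    out=""
    for f in $flags; do
        keep=1
        for bad in "$@"; do
            [ "$f" = "$bad" ] && keep=0
        done
        [ "$keep" -eq 1 ] && out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Usage with a constructed, deliberately aggressive make.conf setting.
USER_CFLAGS="-O3 -march=pentium3 -fPIC -ffast-math -pipe"
printf 'kept:    %s\n' "$(filter_cflags "$USER_CFLAGS")"
printf 'dropped: %s\n' "$(dropped_cflags "$USER_CFLAGS")"
printf 'module:  %s\n' "$(strip_flags "$USER_CFLAGS" -fPIC)"
```

The whitelist functions only ever shrink the flag set, so a build that fails with the filtered flags is a bug in the package rather than in the user's tuning, which is exactly the distinction the new policy draws.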
Errata from last week's issue
As many readers pointed out, last week's Tips & Tricks section contained an error in one of the code listings. Instead of SYNC="rsync.us.gentoo.org", it should have been listed as SYNC="rsync://rsync.us.gentoo.org/gentoo-portage". The person making the error has been properly tarred and feathered and this week's Tips & Tricks section is brought to you by our normal contributor, David Narayan, who was on vacation last week. (and thus is absolved from all blame :))
2.
Gentoo Security
Summary
GLSA: samba
The samba smbd daemon has a buffer overflow which could permit a remote attacker to gain root privileges
on the server.
- Severity: Critical - Remote root exposure.
- Packages Affected: net-fs/samba versions prior to samba-2.2.8
- Rectification: Synchronize and emerge samba, emerge clean.
- GLSA Announcement
- Advisory
GLSA: kernel
Linux stable kernels 2.2 and 2.4 have a flaw in ptrace that permits local users to elevate their privileges to root.
The flaw is not remotely exploitable. It is not believed that the flaw affects the 2.5 kernel. The following kernel
sources have been patched: gentoo-sources, gs-sources, pfeifer-sources, sparc-sources, and xfs-sources. A patch for
other sources can be obtained from cvs.
- Severity: High - Kernel compromise, privilege elevation.
- Packages Affected: Linux kernel versions 2.2, 2.4
- Rectification: Synchronize and emerge kernel sources for your system, recompile and install kernel.
- GLSA Announcement
- Advisory
GLSA: mysql
If MySQL's configuration files are world-writable, it is possible to modify the server's configuration so that
MySQL will run as root after a restart. MySQL has been fixed so that it will not load world-writable config files.
- Severity: High - Privilege elevation.
- Packages Affected: dev-db/mysql versions prior to mysql-3.23.56
- Rectification: Synchronize and emerge mysql, emerge clean.
- GLSA Announcement
- Advisory
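The condition this advisory turns on, a world-writable configuration file, is easy to audit for on any host, not only MySQL servers. The following is an added example and not part of the GLSA: a POSIX sh check that flags such files the way the patched MySQL now refuses them, run here against constructed files in a temporary directory rather than a real my.cnf.

```shell
#!/bin/sh
# Added example, not from the advisory: report configuration files that are
# world-writable, the condition the fixed MySQL refuses to load.

# is_world_writable PATH -> exit 0 if the "other" write bit is set.
# find -perm -002 is POSIX, which avoids GNU/BSD differences in stat(1).
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# check_config_files FILE... -> print a verdict per file; exit 0 when every
# file is safe, 2 when any file was flagged (missing files are reported
# but not counted as a failure).
check_config_files() {
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'missing: %s\n' "$f"
            continue
        fi
        if is_world_writable "$f"; then
            printf 'REJECT (world-writable): %s\n' "$f"
            status=2
        else
            printf 'ok: %s\n' "$f"
        fi
    done
    return $status
}

# Self-contained demonstration on constructed files: one sane config and
# one that has been made world-writable and rewritten to run as root.
demo() {
    dir=$(mktemp -d)
    printf '[mysqld]\nuser=mysql\n' > "$dir/my.cnf"
    chmod 644 "$dir/my.cnf"
    printf '[mysqld]\nuser=root\n' > "$dir/bad.cnf"
    chmod 666 "$dir/bad.cnf"
    if check_config_files "$dir/my.cnf" "$dir/bad.cnf" "$dir/absent.cnf"; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$dir"
    return $rc
}

demo || printf 'one or more configuration files would be rejected\n'
```

Pointing check_config_files at the real files a daemon reads (for MySQL, the my.cnf locations the advisory is about) gives a quick pre-upgrade sanity check; the exit status makes it usable from a cron job or an install hook.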
GLSA: openssl
OpenSSL is subject to a timing attack which may permit exposure of RSA keys. This vulnerability can be eliminated by
enabling RSA blinding. The fix is to enable blinding by default, involving only a trivial performance impact.
- Severity: High - Cryptographic exposure.
- Packages Affected: dev-libs/openssl versions prior to openssl-0.9.6i-r1
- Rectification: Synchronize and emerge openssl, emerge clean.
- GLSA Announcement
- Advisory
GLSA: rxvt
The rxvt terminal emulator is subject to remote attack when untrusted data is displayed to the screen. This exposure
permits a DoS attack or (by taking advantage of other vulnerabilities on the system) the potential for system compromise.
- Severity: High - Remote System Compromise.
- Packages Affected: x11-terms/rxvt versions prior to rxvt-2.7.8-r6
- Rectification: Synchronize and emerge rxvt, emerge clean.
- GLSA Announcement
- Advisory
GLSA: evolution
Evolution is subject to several vulnerabilities that permit remote attacks ranging from DoS through security bypasses
and potential execution of arbitrary code through the use of carefully crafted UUEncodes or MIME headers.
- Severity: High - Multiple exposures to remote attack.
- Packages Affected: versions prior to evolution-1.2.3
- Rectification: Synchronize and emerge , emerge clean.
- GLSA Announcement
- Advisory
GLSA: qpopper
Qpopper exposes a buffer overflow which could permit the execution of arbitrary code. The code would normally be
executed with the privileges of a user that must be authenticated.
- Severity: Moderate - arbitrary code execution, mitigated by requirement for user authentication.
- Packages Affected: net-mail/qpopper versions prior to qpopper-4.0.5
- Rectification: Synchronize and emerge qpopper, emerge clean.
- GLSA Announcement
- Advisory
GLSA: man
Man contains an error return value bug that could permit a specially formatted man file to execute a program
named 'unsafe', if it exists.
- Severity: Moderate - arbitrary code execution, mitigated by requirement for local access and program installation.
- Packages Affected: versions prior to
- Rectification: Synchronize and emerge , emerge clean.
- GLSA Announcement
- Advisory
New Security Bug Reports
The following new security bugs were posted this week:
gentoo-security
Alexander Holler posted a message to the gentoo-security mailing list describing and offering a link to a proof-of-concept trojan for gentoo that exploits the oft-discussed problem that ebuilds are not signed or otherwise authenticated. Mr. Holler's statement that "nobody .. seems concerned about portage security" provoked some comment, as did the question about whether posting a trojan for an already documented vulnerability was productive or advisable. The discussion continued with some expressions of concern that the issue be addressed soon, including a note from Daniel Robbins indicating a desire to add enhanced security to Portage-2.0. All told, the discussion seems particularly timely, given the recent launch of the hardened gentoo project.
3.
Featured Developer of the Week
Daniel Ahlberg
Figure 3.1: Daniel Ahlberg, aka aliz
This week we feature Daniel Ahlberg, one of the watchful eyes who keep Gentoo secure and up-to-date. Monitoring security-related mailing lists and hunting for new package versions, he sends out GLSAs and bumps package versions, facing the constant fear of breaking something when he marks a package as stable. Daniel had been using Gentoo for a couple of months when he saw a discussion on #gentoo-dev about how every package needed to be checked for the license it used, and the new LICENSE keyword added to each ebuild. Later that night he checked the licenses and updated the ebuilds for a couple of categories, and sent them to drobbins and seemant, who asked him to become a developer a couple of days later. Daniel doesn't feel he's done anything extraordinary, but likes the occasional bash script hacks he does.
Three years ago Daniel started a company with some of his friends; he still works there, administering the network and servers, making sure others can do their work, and consulting. He likes all the software he uses daily, including bash, nano, phoenix, kde, enlightenment, kmail, xchat, sim, kate, and gkrellm2, and runs Gentoo on his three primary computers: a workstation at home and at work, and his laptop, which is usually connected to his work computer by VNC. Daniel, who lives "somewhere in the upper middle of Sweden", likes to read (he's on his third Tom Clancy novel right now), listen to music, and watch movies.
4.
Heard In The Community
Web Forums
Gentoo GNU/Hurd Project Started
Jon Portnoy aka avenj announced last week that he's started working on a port of the Hurd for Gentoo, and he is currently scanning the Forums for people interested in this development. The official discussion about the project and the right place for anyone interested in posting a "me, too" has found its permanent home here:
Better Uses for Gentoo Gadgetry
As reported last week, the Gentoo store has recently added a few new items, and one of those has inspired some hardware buffs to make it slightly more useful than it already is: Who needs sandwiches and apples in their Gentoo lunchbox when they can have a full-blown PC instead? Carry on:
Intel's C Compiler in Gentoo
Using ICC, Intel's C compiler, is still quite limited, both in terms of the software that can actually be built with it and the number of people who try using it despite this limitation. Some people like to replace the default GCC with ICC for certain applications, and on occasion they discuss this broadly enough to let others get an idea of what, why and how to do it:
Gentoo Installation Success on an RS/6000
Got a dusty old B50 lying around in a broom closet at the office? Here's how to blow some new life into it... Welcome, thanks and congratulations to Forum newcomer JurgyMan for this contribution:
gentoo-user
Realistic Install timeframe
Trey Sizemore started an interesting thread by asking how long it realistically takes to install a Gentoo Linux desktop from stage 1. Most of the responses seemed to indicate that Trey was probably a little optimistic in his initial assessment of getting a full KDE desktop up and running on a PII400 in about a day. Of course, KDE is easily the largest app that needs to be compiled in Trey's setup, so a lighter-weight WM like fluxbox would likely drop his setup time considerably.
Command line interface tools
Dhruba Bandopadhyay asked for opinions regarding people's preferences for command line interface tools. Naturally, lively discussion ensued.
ftp/iptables always in emerge world
Kurt Hindenberg asked why ftp and iptables always showed up during an emerge world. When it turned out that these packages were being required by the base system profile, a bug report ensued.
gentoo-dev
Status of a Gentoo Installer?
Bip Thelin asked whether the creation of a Gentoo installer was on somebody's task list. He proposed to implement such an installer in Java. Alain Penders replied with a link to CursingCow, a Python/NEWT installer for Gentoo Linux. Although currently only the PPC architecture is supported, the code does support architecture-specific modules. Gentoo developer Dylan Carlson finally replied that even though Java would be a good choice for such a task, Python plays a central role in the whole Gentoo infrastructure and it may be difficult to integrate a Java solution into the Gentoo toolchain.
ACCEPT_KEYWORDS + bootstrap.sh
As one user noticed early this week while installing Gentoo, the bootstrap process does not use the ACCEPT_KEYWORDS setting from /etc/make.conf.
ACCEPT_KEYWORDS is meant as a tool for easy testing of packages: effectively, users can add unstable packages to, or remove them from, the usual stable lot.
Disregarding the ACCEPT_KEYWORDS setting during bootstrap is not a bug. Rather, it is supposed to ease the installation and to secure a stable foundation for the rest of Gentoo to exist on. This is done by specifically choosing well-tested packages as opposed to newly released ones.
Some argue against this, suggesting that it eliminates choices, which is not appropriate for the kind of distribution that Gentoo is, and that there really is no point in trying to secure a stable foundation in this way when the rest of the distribution makes use of ACCEPT_KEYWORDS.
These arguments are true, for the most part. Reading through the /usr/portage/scripts/bootstrap.sh script reveals that the bootstrap process grabs packages from a file describing a default profile, a profile tailored for a specific architecture (intel, ppc, etc.). So instead of being eliminated, the choices have been disguised as profiles, waiting to be modified. The command cd $(readlink -f /etc/make.profile) will bring you to the location of your default profile.
A word of caution: when modifying the default profile you can possibly cripple your Gentoo installation from step one, since version changes could break package dependencies.
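The difference between what the user's ACCEPT_KEYWORDS would pick and what a bootstrap pinned to the stable profile picks can be made concrete with a small model. The following is an added example and not Portage's code: the keyword rules it implements (a stable keyword such as "x86" is always accepted, a testing keyword "~x86" only when ACCEPT_KEYWORDS contains "~x86", and "-x86" masks the package on that arch) are a simplified assumption, and the gcc candidate list is constructed.

```shell
#!/bin/sh
# Added example, not Portage's code: a model of how ACCEPT_KEYWORDS decides
# which versions are visible, and why a bootstrap that pins the stable
# keyword sees a different "newest" version than the user's make.conf.
# Modelled rules (a simplified assumption): "x86" in an ebuild's KEYWORDS
# means stable on x86, "~x86" means testing, "-x86" means masked there;
# ACCEPT_KEYWORDS="x86" accepts stable only, "~x86" accepts both.

# keyword_visible KEYWORDS ACCEPT_KEYWORDS -> exit 0 if the ebuild is visible.
keyword_visible() {
    kw=$1
    accept=$2
    for a in $accept; do
        arch=${a#"~"}
        for k in $kw; do
            [ "$k" = "-$arch" ] && return 1                        # masked on this arch
        done
        for k in $kw; do
            [ "$k" = "$arch" ] && return 0                         # stable: always accepted
            [ "$a" = "~$arch" ] && [ "$k" = "~$arch" ] && return 0 # testing: only if asked for
        done
    done
    return 1
}

# Constructed candidate versions with their KEYWORDS, oldest first.
CANDIDATES="gcc-3.2.2|x86 ppc
gcc-3.2.3|~x86 ~ppc
gcc-3.3_pre1|~x86 -ppc"

# best_visible ACCEPT_KEYWORDS -> prints the newest visible candidate
# (empty if none is visible).
best_visible() {
    accept=$1
    best=""
    oldifs=$IFS
    IFS='
'
    for entry in $CANDIDATES; do
        IFS=$oldifs
        name=${entry%%|*}
        kws=${entry#*|}
        keyword_visible "$kws" "$accept" && best=$name
    done
    IFS=$oldifs
    printf '%s\n' "$best"
}

# The newsletter's point: a bootstrap pinned to the architecture's stable
# keyword and an emerge honouring make.conf choose different versions.
printf 'bootstrap, stable x86 only:       %s\n' "$(best_visible x86)"
printf 'emerge, ACCEPT_KEYWORDS="~x86":   %s\n' "$(best_visible '~x86')"
printf 'emerge, ACCEPT_KEYWORDS="~ppc":   %s\n' "$(best_visible '~ppc')"
```

On the constructed list the stable pick is gcc-3.2.2 while "~x86" yields gcc-3.3_pre1, which is the gap between the well-tested foundation the bootstrap wants and the choices a user asked for; the "-ppc" case shows that a mask wins even over "~ppc".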
5.
Gentoo International
Gentoo in the Japanese Press
Two articles in Japanese about Gentoo were published on the same day last week in different magazines, both written by fervent supporters of GentooJP: Yoshiaki Hagihara, one of the translators of the GWN among other things, has written a very funny seven-pager ("Gentoo Lifestyle -- My days with Gentoo") for LinuxPower Vol. 1, the first issue of this new addition to the growing number of Linux magazines in Japan. And Masatomo Nakano, spiritus rector of the GentooJP project, wrote his piece ("Gentoo again") for the April issue of Software Design. Both magazines have been on sale in Japanese bookshops since 18 March.
Russian Gentoo Community Set Up!
Developer George Shapovalov announced that the "Fellowship of gentoo.ru" has been up and running for almost a month already! The Fellowship was born after growing interest in Gentoo Linux from the Russian-speaking community became impossible to overlook, and it has already got its own website and user support forums. Gentoo.ru also provides translations of Gentoo documentation, carefully supervised by official devs. No need to be shy if you would like to help with translations or any other subotnik; the Fellowship will certainly welcome any such attempt. Real-time chat is available on irc.rinet.ru, channel #gentoo.
New Mailing List for French Gentoo Users
Adding to the support base for French speakers, a new official mailing list, gentoo-user-fr, was created last week. Between the new list, the French forum and the IRC channel on Freenode for French users, the chances of getting support for technical questions are at a pretty acceptable level now.
International Event Calendar
The GWN editorial staff is extremely grateful for information about anything related to conferences, seminars, user meetings, install fests or any other event Gentoo users are organizing or participating in. This week an impressive number of events has come up; take your pick from those, and send an e-mail to gwn-feedback@gentoo.org if you know of any others:
- Austria: The Vienna community is turning openly hedonistic... They've barely recovered from their last meeting, yet up comes a plan for the next one. Date: 1 April, venue to be decided via this thread in the German forum.
- Portugal: Gentoo stronghold Coimbra (and certainly one of the most pleasant locations to be in around spring) is the venue for the 7th "Encontro de Gestão e Tecnologias da Informação", co-organized by Gentoo Forum moderator RoadRunner and other Gentooists, to be held on 2 April in the Auditório da Reitoria at Coimbra University. An indisputable highlight of this conference will be the afternoon podium discussion about "Free Software Use in Public Administrations", with the Marketing Director of Microsoft Portugal and the head of the Portuguese Linux distribution Caixa Magica fencing it out on stage. Further information here; if you're planning on attending the show, please tell the others here.
- France: Same day, similar subject, 800 kilometres further north... A conference in Paris about opportunities for free software use in small and medium-sized companies may serve as a venue for an informal meeting of Gentoo users; all the details are here.
- Denmark & Sweden: Also on 2 April, the Skåne Sjælland LUG is getting a fully-fledged Gentoo presentation by Klavs. Details were hard to come by before this week's GWN deadline, but the presenter will certainly be able to guide you if you make yourself heard in this forum thread.
- UK: In an almost forgotten thread in the Forums, Brum-based mr-simon is looking for Gentooists to join him at the Linux User & Developer Expo in Birmingham on 15/16 April.
- Germany: Still way ahead, but worth noting: 14 May is the tentative date for Gentoo users in the Köln/Bonn region to organize their first meeting. Expressions of interest in joining the crowd go here.
6.
Portage Watch
The following stable packages were added to portage this week
Updates to notable packages
- kde-base/kde - kde-3.1.1.ebuild;
- gnome-base/gnome - gnome-2.2.1.ebuild;
- sys-kernel/* - aa-sources-2.4.21_pre5-r1.ebuild; aa-sources-2.4.21_pre5-r2.ebuild; development-sources-2.5.65.ebuild; gentoo-sources-2.4.20-r2.ebuild; gs-sources-2.4.21_pre5-r1.ebuild; mm-sources-2.5.65-r1.ebuild; mm-sources-2.5.65-r2.ebuild; pfeifer-sources-2.4.20.1_pre1.ebuild; selinux-sources-2.4.20-r1.ebuild; sparc-sources-2.4.20-r6.ebuild; xfs-sources-2.4.20-r1.ebuild; xfs-sources-2.4.20-r2.ebuild; xfs-sources-2.4.20.ebuild;
- dev-db/mysql - mysql-3.23.56.ebuild;
Updates to notable packages
- sys-apps/portage - portage-2.0.47-r10.ebuild;
- x11-base/xfree - xfree-4.3.0-r1.ebuild;
- sys-kernel/* - ac-sources-2.4.21_pre5-r3.ebuild; gaming-sources-2.4.20-r1.ebuild; lolo-sources-2.4.20.2_pre5.ebuild; mm-sources-2.5.64-r4.ebuild; mm-sources-2.5.64-r5.ebuild; mm-sources-2.5.64-r6.ebuild; wolk-sources-4.0_rc2.ebuild; wolk-sources-4.0_rc3.ebuild;
- dev-db/mysql - mysql-4.0.11a-r1.ebuild;
- app-admin/gentoolkit - gentoolkit-0.1.19-r3.ebuild;
New USE variables
7.
Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity
on the site has resulted in:
- 275 new bugs this week
- 294 bugs closed or resolved this week
- 9 previously closed bugs were reopened this week.
- 2161 total bugs currently marked 'new'
- 465 total bugs currently assigned to developers
There are currently 3001 bugs open in bugzilla. Of these: 70 are labeled 'blocker', 108 are labeled 'critical',
and 228 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs
this week are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs this week are:
8.
Tips and Tricks
Using tmpfs
This week's tip shows you how to make use of tmpfs to speed up access time for small temporary files. Tmpfs behaves like a normal filesystem for reads and writes, but the files are stored in memory, which makes access much faster. Note that files stored in tmpfs are not saved between reboots. Also, tmpfs is only recommended for systems with large amounts of memory.
First make sure that tmpfs is enabled in your kernel.
Code Listing 8.1: Enabling tmpfs in the kernel
# cd /usr/src/linux
# make menuconfig
Enable File Systems -->
[*] Virtual memory system support
# make dep && make clean bzImage
# cp /usr/src/linux/arch/i386/boot/bzImage /boot
/tmp is the most common place for temporary files. We will use tmpfs to mount /tmp.
Code Listing 8.2: Mounting /tmp with tmpfs
# mount -t tmpfs tmpfs /tmp
Now that /tmp is mounted, all you have to do is add the following to your /etc/fstab in order to have it mounted on boot.
Code Listing 8.3: Add the following line to your fstab file
tmpfs /tmp tmpfs defaults 0 0
9.
Moves, Adds and Changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
- Felix De Vliegher (Popsickle) -- LiveCD, KDE
- Philip Walls (malverian) -- media-gfx, distributed computing stuff
- Matthew Rickard (frogger) -- ProPolice
- Jeraimee Hughes (a.sleep) -- Gentoo Infrastructure
Changes
The following developers recently changed roles within the Gentoo Linux project.
- Mark Guertin (gerk) -- Retired as Gentoo/PPC Project Lead
10.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
11.
GWN Feedback
Please send us your feedback and help make GWN better.
12.
Other Languages
The Gentoo Weekly Newsletter is also available in the following languages: