Gentoo Logo

Gentoo Weekly Newsletter: April 1st, 2003

Content:

1.  Gentoo News

Summary

Portage 2.1 to adopt RPM format for LSB compliance

In what will likely prove to be a controversial decision, Portage 2.1 will adopt the RPM format for all packages moving forward. The use of ebuilds will be deprecated in favor of the defacto RPM standard. The primary driver for this decision was to ensure compliance with the Linux Standard Base specification, which mandates RPM support for package management.

The developers have been hard at work to make this migration as easy as possible. Already a proof-of-concept ebuild2rpm script is in place and being tested by a pilot group of developers. Unfortunately, because of the architectural differences between the two formats, some features will not be supported once Gentoo moves to RPM. USE variables are one such feature; sandbox security is another. However, the added benefit brought about by full LSB compliance should far outweigh the loss of these two minor features.

Additionally, because of LSB's required library support, the xfree86 package will move to become part of the base Gentoo Linux system, rather than an optional addition. Users interested in learning more about the Linux Standard Base should read the LSB FAQ or the full LSB 1.3 specification.

Note: This is an April Fool's joke.

Gentoo/PPC team restructuring

As announced in last week's issue, Mark Guertin (gerk) recently retired from the Gentoo Linux project. Replacing Mark as the Gentoo/PPC lead will be Pieter Van den Abeele (pvdabeel). Assisting Pieter in the PPC development efforts will be Luca, Graham, and Seth, who have been appointed as second-tier leads for the group. The new structure provides for more distributed leadership on the PPC developer team and offers more flexibility and redundancy.

Release schedule announced for Gentoo Linux 1.4_rc4

Brad Cowan (bcowan) recently announced the release schedule for Gentoo Linux 1.4_rc4:

  • Sun March 23rd - Package Upgrades Phase Starts - The development team is encouraged to move things from unstable ("~" masked) state to stable for the next 14 days.
  • Sun March 30th - Build and Test Phase - Generic CPU stage tarballs are made and tested from the current CVS tree for the next 7 days with jhhudso and QA testers reporting any bugs found.
  • Sun April 6th - End Package Upgrades phase - Start Build and Test Phase with an official CVS snapshot.
  • Wed April 9th - Official Release Decision - a determination is made as to whether this next release will be an "official release" or release candidate. The Development Lead for each arch, the Release Coordinator, the Development Manager, and the Chief Architect all come to a final unanimous decision in this matter.

2.  Gentoo Security

Summary

GLSA: stunnel

The stunnel SSL port wrapper is vulnerable to a timing attack against OpenSSL that may expose RSA keys.

  • Severity: High - Cryptographic exposure.
  • Packages Affected: net-misc/stunnel versions prior to stunnel-3.22-r2
  • Rectification: Synchronize and emerge stunnel, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: mod_SSL

The Apache module mod_SSL is vulnerable to a timing attack against OpenSSL that may expose RSA keys.

  • Severity: High - Cryptographic exposure.
  • Packages Affected: net-www/mod_ssl versions prior to mod_ssl-2.8.14
  • Rectification: Synchronize and emerge mod_ssl, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: glibc

An integer overflow vulnerability in the xdrmem_getbytes() function provided as part of glibc could permit a remote exploit attack.

  • Severity: High - Remote exploit possible.
  • Packages Affected: sys-libs/glibc versions prior to glibc-2.3.1-r4 (glibc-2.2.5-r8 on ARM systems).
  • Rectification: Synchronize and emerge glibc, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: openssl

It has been discovered that OpenSSL is vulnerable to a sophisticated attack involving opening millions of SSL/TLS connections to a server in order to perform a private-key operation using the server's RSA key. The key itself is not compromised.

  • Severity: High - Cryptographic exposure.
  • Packages Affected: dev-libs/openssl versions prior to openssl-0.9.6i-r2
  • Rectification: Synchronize and emerge openssl, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: mutt

The mutt mail client contains a vulnerability in its IMAP support that could permit a malicious IMAP server operator to crash the reader or potentially execute commands on the vulnerable system.

  • Severity: High - Remote code execution.
  • Packages Affected: net-mail/mutt versions prior to mutt-1.4.1
  • Rectification: Synchronize and emerge mutt, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: bitchx

The bitchx IRC client is vulnerable to buffer-overflows, permitting malicious server operators or man-in-the-middle attackers to perform DoS attacks.

  • Severity: Moderate - remote DoS.
  • Packages Affected: net-irc/bitchx versions prior to bitchx-1.0.19-r5
  • Rectification: Synchronize and emerge bitchx, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: zlib

The zlib system library contains a buffer-overflow vulnerability in its gzprintf() function. This vulnerability could be used to corrupt the call stack.

  • Severity: Moderate - local DoS.
  • Packages Affected: sys-libs/zlib versions prior to zlib-1.1.4-r1
  • Rectification: Synchronize and emerge zlib, emerge clean.
  • GLSA Announcement
  • Advisory

New Security Bug Reports

The following new security bugs were posted this week:

3.  Featured Developer of the Week

Karl Trygve Kalleberg


Figure 3.1: Karl Trygve Kalleberg, aka karltk

Fig. 1: Karl Trygve Kalleberg, aka karltk

Karl Trygve Kalleberg maintains dev-lisp and dev-java with a few other developers, as well as several other languages and compilers and the eminently useful gentoolkit. This mostly entails fixing ebuild bugs and verifying new submissions; Karl also spends much time arguing with the other developers about how to improve Gentoo Linux's development process, a goal for which he has crafted tools like lintool and munchie. A Gentoo developer since summer 2001, Karl has worked on many other OSS projects, including the Savage3D driver for the Utah-GLX project, the Linux port to the Sega Dreamcast, a multi-language documentation system, the Norwegian translations of AbiWord and the Gimp (the first to Bokmål, the latter to Nynorks, two different dialects of Norwegian), and some other projects you can see listed on his personal page at SourceForge, but most of these projects, as well as his involvement with Gentoo were preempted by his Master's thesis: transformations for the CodeBoost transformation system which he presented on the 21st of March at the University of Bergen. Now he's back in all of his capacities, including that of comic relief for the Gentoo development team.

Karl has a nice dual Athlon 2000+ box with a Kyro II video card and an IDE RAID, but as of late he only visits it through ssh. He's currently borrowing an Athlon 1800+ running Redhat (his excuse: it's nice to know what the other distros look like once in a while), and is waiting for a replacement for his iBook, which he bought in January and which has broken down twice (Karl says that Apple's customer support is the worst service he's come across, including the tax authorities, but will gladly use an iBook if Apple decides to send him a working one). He uses Fluxbox and KDE depending on the occasion, with Galeon and Sylpheed for browsing and mail. Karl's other favorite apps include zsh, most, irssi, and ssh, and he suffers from withdrawal symptoms whenevr he tries to ditch the bloated, horrible, emacs, which is nevertheless home.

Karl used to design computer languages until the company he worked for caved in last summer, and afterwards he worked at a very cool ISP. Now unwittingly applying for a PhD position in computer science, he continues to study medicine at the Norwegian university of Technology and Science as a break from all the CS. Also, he enjoys various forms of roleplaying, generally Ars Magica interspersed with some happy-go-lucky Sci Fi stints. Believe it or not, his girlfriend's name is Tilde; the fact that she works for an evil cell phone company is offset by her understanding of obscure Unix jokes, and she lives with him in Trondheim, Norway. Karl was born in the coastal town of Haugesund but escaped to Bergen when he discovered that not all city halls were supposed to be pink. The city hall in Bergen was nondistinct, and there he was subjeced to Solaris and IRIX before he accidentally installed Linux and was not able to get it off.

Karl left the link between Bergen and Trodheim in a shroud of mystery, as to appear inscrutable.

4.  Heard In The Community

Web Forums

CFLAGS Central Revival

Floating point conversion functions in GCC, the standard C compiler suite, are susceptible of creating bugs when compiling with -march=pentium4. Some people circumvent this by "downgrading" to -march=pentium3, some deny bugginess altogether. Say hello to a renewed discussion of compiler optimizations:

Finally: Gentoo on the Xbox

A fresh post by Forum newbie, ShALLaX, sent shivers of relief +down many a Gentooist's spine: You can do a stage1 installation and run Gentoo Linux on your Xbox!

Note: This is not an April Fool's joke.

gentoo-user

Gentoo Migration Strategies

Matt Garman asked about migration strategies for moving from Debian to Gentoo. The resulting thread gave Matt some helpful hints and also touched upon the "requirement" of having a separate, 100MB boot partition.

Money Dance is Not Dead

Alex Combas inquired about running Money Dance on Gentoo. There was some confusion about whether or not Money Dance was still an actively-developed program, but it was eventually clarified that Money Dance is, in fact, still an active product.

gentoo-dev

Managing Disk Space

Andy Arbon posted a script for assisting in the tidying of binary packages built by portage.

Destroying Dependancies

Per Wigren had some troubles with dependancies when mysql was upgraded from 3.23 to 4.0 and proposed a solution to solve the problem going forward. Alain Penders pointed out that reverse dependancy checking in portage would likely solve Per's problem.

5.  Gentoo International

Gentoo Hanami

Cherry blossom season in Japan. While the weather report of Japanese TV stations still brings daily coverage of the full-bloom-front that is slowly moving towards the north of the country, the usual GentooJP suspects have already fulfilled their traditional "hanami" duty last Friday. For those unfamiliar with the expression: Hanami is a cherry blossom viewing event better described as an annual mass hysteria with the aim of getting seriously drunk in a park with preferrably large numbers of cherry trees and watching the petals float gently to the ground while noisily dancing around on much too blue plastic sheets. Roughly a dozen of GentooJP activists decided on Shinjuku Gyoen as a venue, a particularly nice and fairly central spot in Tokyo, but believe it or not: nobody brought a camera... Hoping for next year then, lads.

German Police Runs on Gentoo-ARM

Government agencies in Europe are known to be much more open towards Linux and Open Source Software than those of other countries. In their latest move, the BKA (the German equivalent of its more universally known cousins FBI or Scotland Yard) has started deploying Gentoo-ARM-based PDAs for use of its officers in the field. "They will mainly use it for playing MP3s of phone conversations in abduction cases", says Hein Bloed, head of the IT department at BKA's headquarters in Wiesbaden. PDAs have been part of the standard equipment at the BKA for many years, but the sudden decision to replace PocketPC with ARM-based Gentoo Linux came as a surprise. The Gentoo-ARM developer team says there are rumours of a PocketPC virus accidentally spread throughout the organization by their own computer crime department following a raid on illegal software importers in the port of Hamburg two months ago.

Note: This is an April Fool's joke.

Erratum: Gentoo Presentation in Denmark on 1 April, not 2 April!

We apologize to Klavs Klavsen for the misinformation carried in last week's GWN: His presentation to the mixed Danish and Swedish SSLUG is going to take place on 1 April, i.e. Tuesday, at DKUUG/Symbion, Fruebjergvej 3 in Copenhagen East, starting at 19:30 in room M4.

6.  Portage Watch

The following stable packages were added to portage this week

Updates to notable packages

  • sys-apps/portage - portage-2.0.47-r12.ebuild;
  • sys-devel/gcc - gcc-3.2.2-r2.ebuild;
  • sys-libs/glibc - glibc-2.2.5-r8.ebuild; glibc-2.3.1-r4.ebuild;
  • sys-kernel/* - development-sources-2.5.66.ebuild; mips-headers-2.4.21.ebuild; mm-sources-2.5.65-r3.ebuild; mm-sources-2.5.65-r4.ebuild; mm-sources-2.5.66-r1.ebuild; ppc-sources-benh-2.4.20-r9.ebuild; selinux-sources-2.4.20-r2.ebuild; wolk-sources-4.0_rc4.ebuild;
  • dev-db/mysql - mysql-4.0.12.ebuild;

New USE variables

  • mpi - Adds MPI (Message Passing Interface) layer to the apps that support it
  • selinux - Adds support for Security Enhanced Linux (to build a more secure set of packages and kernel

7.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 311 new bugs this week
  • 311 bugs closed or resolved this week
  • 12 previously closed bugs were reopened this week.
  • 2349 total bugs currently marked 'new'
  • 466 total bugs currently assigned to developers

There are currently 2880 bugs open in Bugzilla. Of these: 72 are labeled 'blocker', 104 are labeled 'critical', and 233 are labeled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

8.  Tips and Tricks

Synchronizing System Date/Time with rdate

This week's tip shows you how to keep your system's date and time synced without the hassle of NTP. The command rdate allows you to get the time from a server running NTP but doesn't require you to set up your own NTP server.

First make sure that you have rdate installed.

Code Listing 8.1: Installing rdate

# emerge rdate

To sync your computer clock, run rdate -s. You should probably change which server you use so as not to overload one particular one. Here is a list of public Stratum 2 servers that you can use.

Code Listing 8.2: Using rdate

# rdate -s ntp0.cornell.edu

To keep your machine automatically synced, you may want to make use of crontab.

Code Listing 8.3: Adding rdate to crontab

(Add the following to /etc/crontab to sync on the first day of the week.
)
* * * * 0 rdate -s ntp0.cornell.edu

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • Nicholas Henke (roughneck)
  • Maik Schreiber (blizzy)

Adds

The following developers recently joined the Gentoo Linux team:

  • Arun Thomas (sindian) -- Gentoo/ARM, gentoo-hardened

Changes

The following developers recently changed roles within the Gentoo Linux project.

  • none this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:



Print

Page updated 1 April 2003

Summary: This is the Gentoo Weekly Newsletter for the week of April 1st, 2003.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Kim Tingkaer
Contributor

Mathy Vanvoorden
Dutch Translation

Tom Van Laerhoven
Dutch Translation

Peter Dijkstra
Dutch Translation

Bernard Bernieke
Dutch Translation

Vincent Verleye
Dutch Translation

Jochen Maes
Dutch Translation

Ben De Groot
Dutch Translation

Jelmer Jaarsma
Dutch Translation

Nicolas Ledez
French Translation

Guillaume Plessis
French Translation

John Berry
French Translation

Martin Prieto
French Translation

Michael Kohl
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Thomas Raschbacher
German Translation

Klaus-J. Wolf
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Daniel Ketel
Japanese Translation

Yoshiaki Hagihara
Japanese Translation

Andy Hunne
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Yasunori Fukudome
Japanese Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Gustavo Felisberto
Portuguese (Portugal) Translation

Ricardo Jorge Louro
Portuguese (Portugal) Translation

Lanark
Spanish Translation

Rafael Cordones Marcos
Spanish Translation

Julio Castillo
Spanish Translation

Sergio Gómez
Spanish Translation

Pablo Pita Leira
Spanish Translation

Carlos Castillo
Spanish Translation

Tirant
Spanish Translation

Jaime Freire
Spanish Translation

Lucas Sallovitz
Spanish Translation

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.