Gentoo Weekly Newsletter: April 14th, 2003

Content:

1.  Gentoo News

Summary

Gentoo Linux 1.4_rc4 Released

Earlier this week, the decision was made to release the next version of Gentoo Linux 1.4 as Release Candidate 4, rather than Final. Improvements to the rc4 release include much better hardware detection on the LiveCD installation disc as well as major updates to various packages in the Portage tree. The decision to issue another release candidate was made due to a number of reasons, including:

  • Binary packages required for the Gentoo Reference Platform have yet to be built or tested. Until these are completed, 1.4_final cannot be released.
  • The version of baselayout currently marked as "stable" still depends on tmpfs. One of the goals of 1.4 from the beginning was to eliminate baselayout's dependency on tmpfs. There is a masked version of baselayout in Portage that solves this issue, but it has not received adequate testing as of yet. (Anyone using or willing to test this version of baselayout is encouraged to report their results on Gentoo Stable.)
  • Automated Kernel Building is currently undergoing testing for inclusion in 1.4_final.

New Unreal Tournament 2003 Game CD

A new Unreal Tournament 2003 Game CD has been released and can be downloaded here as well as any of our other mirrors. This CD allows you to run the Unreal Tournament 2003 demo directly from CD, with no installation required. Just boot your computer from the CD and play! The latest CD includes a highly-optimized gaming kernel, which significantly improves overall gameplay. Other improvements include the latest NVIDIA drivers (1.0.4349) with GeForce FX support, preliminary bootsplash support, full autodetection of all hardware and countless other enhancements. This GameCD does require a modern NVIDIA graphics card to run the ut2003-demo.

You can also run the latest demo on your existing Gentoo Linux system provided you have a modern NVIDIA graphics card. Just type emerge ut2003-demo and then type ut2003-demo to start the game. The use of the gaming-sources kernel is recommended for optimum gaming performance and responsiveness.

2.  Gentoo Security

Summary

GLSA: samba

The Samba server is subject to a buffer overflow in a string copy routine that could be exploited to gain remote root access to the vulnerable server.

  • Severity: Critical - Potential remote root compromise.
  • Packages Affected: net-fs/samba versions prior to samba-2.2.8a
  • Rectification: Synchronize and emerge samba, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: kde-3.x

KDE's use of Ghostscript to process PostScript and PDF files is subject to a security vulnerability permitting the execution of arbitrary shell commands embedded in such files, using the user privilege level. This attack could be implemented by posting maliciously crafted files to webservers or embedding them in emails.

  • Severity: Critical - Remote execution of commands, information exposure.
  • Packages Affected: kde-base/kde version 3 prior to kde-3.0.5b or kde-3.1.1a
  • Rectification: Synchronize and emerge kde OR =kde-base/kde-3.0.5b, emerge clean, restart kde.
  • GLSA Announcement
  • Advisory

Note: The patch versions of kde are currently only marked stable for x86. If you have successfully compiled and merged 3.1.1a or 3.0.5a on any other architecture, please report this to kde@gentoo.org.

GLSA: kde-2.x

KDE's use of Ghostscript to process PostScript and PDF files is subject to a security vulnerability permitting the execution of arbitrary shell commands embedded in such files, using the user privilege level. This attack could be implemented by posting maliciously crafted files to webservers or embedding them in emails.

  • Severity: Critical - Remote execution of commands, information exposure.
  • Packages Affected:
    1. kde-base/kdebase version 2 prior to kdebase-2.2.2-r5
    2. kde-base/kdelibs version 2 prior to kdelibs-2.2.2a-r1
    3. kde-base/kdegraphics version 2 prior to kdegraphics-2.2.2-r2
  • Rectification:
    1. emerge sync
    2. emerge =kde-base/kdebase-2.2.2-r5
    3. emerge =kde-base/kdelibs-2.2.2a-r1
    4. emerge =kde-base/kdegraphics-2.2.2-r2
    5. emerge clean
    6. restart kde
  • GLSA Announcement
  • Advisory

GLSA: setiathome

The popular Seti-At-Home distributed computing client application is subject to a buffer overflow vulnerability that could be used to execute arbitrary code - this would require spoofing of the client connection to the server. The client also transmits system information in plain text, including processor type and OS.

  • Severity: High - Remote execution of code, information compromise.
  • Packages Affected: app-sci/setiathome versions prior to setiathome-3.08
  • Rectification: Synchronize and emerge setiathome, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: Apache

Version 2 of the Apache HTTP server is subject to a memory leak in the way it handles large numbers of consecutive linefeed characters. This could be used by a remote attacker to exhaust system resources on a vulnerable server.

  • Severity: Moderate - Remote DoS.
  • Packages Affected: net-www/apache version 2 prior to apache-2.0.45
  • Rectification: Synchronize and emerge =net-www/apache-2.0.45, emerge clean.
  • GLSA Announcement
  • Advisory
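
The "versions prior to" lines in the advisories above can be checked mechanically against a package inventory. The following is an added example, not part of the newsletter or of Portage: it compares versions using Gentoo's ordering (letter suffixes, `-rN` revisions, leading-zero components such as `3.08`). The inventory is constructed, and reading "kde version 3" as separate 3.0 and 3.1 branches is an assumption.

```python
import re

# First fixed version per advisory above. "series" limits a rule to one release
# branch; splitting KDE 3 into 3.0 and 3.1 branches is this example's assumption.
FIXED = [
    ("net-fs/samba", "", "2.2.8a"),
    ("kde-base/kde", "3.0", "3.0.5b"),
    ("kde-base/kde", "3.1", "3.1.1a"),
    ("kde-base/kdebase", "2", "2.2.2-r5"),
    ("kde-base/kdelibs", "2", "2.2.2a-r1"),
    ("kde-base/kdegraphics", "2", "2.2.2-r2"),
    ("app-sci/setiathome", "", "3.08"),
    ("net-www/apache", "2", "2.0.45"),
]
VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")
SUFFIX = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}

def _parse(v):
    m = VER.match(v)
    if not m:
        raise ValueError(f"not a Gentoo-style version: {v!r}")
    num, letter, suf, sufnum, rev = m.groups()
    return num.split("."), (letter, SUFFIX[suf], int(sufnum or 0), int(rev or 0))

def vercmp(a, b):
    """Return -1, 0 or 1 following Gentoo version ordering."""
    (na, ta), (nb, tb) = _parse(a), _parse(b)
    for i, (x, y) in enumerate(zip(na, nb)):
        if i and (x[0] == "0" or y[0] == "0"):
            x, y = x.rstrip("0"), y.rstrip("0")  # leading zero: compare as strings
        else:
            x, y = int(x), int(y)
        if x != y:
            return -1 if x < y else 1
    if len(na) != len(nb):
        return -1 if len(na) < len(nb) else 1
    return (ta > tb) - (ta < tb)  # letter, _suffix, then -rN revision

def audit(installed):
    """Return (package, installed, fixed) for every entry older than its fix."""
    findings = []
    for pkg, ver in installed:
        num = ".".join(_parse(ver)[0]) + "."
        for name, series, fixed in FIXED:
            in_series = not series or num.startswith(series + ".")
            if pkg == name and in_series and vercmp(ver, fixed) < 0:
                findings.append((pkg, ver, fixed))
    return findings

# Constructed inventory for illustration; a real one would be read from the
# installed-package database on the host being audited.
SAMPLE = [
    ("net-fs/samba", "2.2.8"), ("net-fs/samba", "2.2.8a"),
    ("kde-base/kde", "3.1.1"), ("kde-base/kdelibs", "2.2.2a"),
    ("kde-base/kdelibs", "3.1.1a"), ("app-sci/setiathome", "3.03"),
    ("net-www/apache", "1.3.27-r3"), ("net-www/apache", "2.0.44"),
]

if __name__ == "__main__":
    for pkg, ver, fixed in audit(SAMPLE):
        print(f"VULNERABLE {pkg}-{ver}: upgrade to >= {fixed}")
```
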

New Security Bug Reports

There were no new security bugs this week that are still outstanding.

3.  Featured Developer of the Week

Bob Johnson


Figure 3.1: Bob Johnson, aka LiveWire

The Gentoo LiveCD is the tool that got Gentoo Linux onto most people's systems and is often the first impression of Gentoo that users get. This week's featured developer, Bob Johnson, is in charge of the livecd-ng scripts that are used to make the LiveCDs (curious readers can go ahead and emerge it since it's in Portage), and has been building the last few x86 LiveCDs. His work with the LiveCDs mostly involves listening to users complain about how they can't get the LiveCD to boot or get their NIC working, and then working to fix the problem. Bob's involvement with the Gentoo team began when he was suddenly asked to get the xfs-sources kernel ready for the 1.4-rc2 LiveCD in 24 hours when he had only been running Gentoo for about two weeks. In addition to working on livecd-ng and the x86 CDs, Bob also maintains xfs-sources and gs-sources (to find out about these and other kernels, read KC6:Which Sources? in the forums.)

Bob's main box is an Athlon XP 2100+ with 512MB RAM, seven hard drives (four SCSI, three IDE), dual NVIDIA cards with a 19-inch monitor attached to each and running KDE, which Bob used to think was ugly but now, at version 3.1, loves. He uses VMWare a lot for testing, and doesn't know what he'd do without it.

Bob owns a concrete and excavating company, and has been in the business for seventeen years. He's been married for fifteen years, has a thirteen-year-old daughter, and has two beagles in his home in Indianapolis, Indiana. During the summer he spends a lot of time at the lake, slalom water skiing, and waxing the 20-foot Caravelle he bought last year when he isn't boating.

4.  Heard In The Community

Web Forums

Happy Birthday, Gentoo Forums!

The first post to the freshly installed Gentoo Forums was an announcement by Forum founder Nitro on 9 April 2002: "This forum is my shot at helping users of Gentoo (including myself)." What started as a humble affair on a cable connection has quickly developed into one of the most successful and exciting tech support venues on the web, with an average of 700 new posts every day, five-digit user head count and a peculiar atmosphere that sets it apart from most other Linux forums. People here are polite, eloquent, uncommonly helpful to others and generally the best of folks. Congratulations to us all:

Automatic Hardware Configuration Using Profiles

Making clever use of the runlevels in Gentoo, Optilude contributed scripts and documentation for configuring your hardware according to different profiles last week, thank you very much:

Running Business Software in Gentoo: How to Install Oracle 9.2

Problems with Oracle under Gentoo Linux had been dragging on since December, doubtlessly due to problems with gcc and its libraries. Finally we've come to a happy ending. Make sure your glibc is in order, run the Oracle installer and enjoy:

gentoo-user

Getting the most USE out of it...

The USE flag system portage implements may well pose as a source of anxiety for the Gentoo newbie. Carlos Gonzalez began a thread exemplifying the somewhat complicated process of having to modify USE flags on a per package basis (stripping JAVA for a PHP emerge). Thankfully the thread mentioned a tool created to simplify the process of managing these USE flags, ufed -- Use Flag Editor, where flags are explained and can be toggled on and off. Carl Hudkins noted his *wish* that ufed would be included on Gentoo's LiveCD.

p2p for the masses

It's finally happened: p2p has gone mainstream, and the sheer number of KaZa'ers is rivaling the once dominant Napster network. While some Gentoo users have jumped on the bandwagon by installing Kazaa lite using wine (a MS Windows emulator), Chris Graves wants to get down with p2p clients native to Linux. The good news is that Linux is far from lacking in p2p clients, and that the network was in fact pioneered with open source clients developed for Linux. Keppy mentions Gentoo's commitment to these programs in the form of the portage directory: /usr/portage/net-p2p/. Limewire, a popular open source p2p client written in Java, was also recommended, though it is not in portage.

gentoo-dev

Performance in Gentoo

The Linux kernel project has given rise to quite a few derivatives over the years. While the kernel project tries to maintain a stable kernel befitting a general public, the spawned derivatives implement a wide variety of changes, often brought by many different people. This plethora of minds and opinions going into the kernel is its strength. Naturally, it then becomes hard to choose.

One way to reduce the dilemma of choosing is simply trying out the different major distributions. This way we can see how the specific distribution performs the task it is set to do.

While performing a little speed test, this user noticed that the Gentoo kernel apparently performed relatively poorly compared to the kernel installed by Red Hat.

The discussion itself revolves around a specific system call monitored with a specific lmbench. But for those of you seeking to test your Linux box, here are a couple of resources you might want to take a look at.

First of all, don't forget that the kernel is not the distribution. Never compare the incomparable. Remember: similar configurations, similar platforms, similar patches and so on. Now, having a good test foundation, we need a tool - which Gentoo provides here. There is also a benchmarking howto available at TLDP.

Now, as annoying as this can be, the trick is knowing what flag goes with what package. And also remember that there are default flags set.

The way around the first dilemma is to run the command "emerge -pv [package_name]", which shows what flags go with what package.

The default flags are not apparent either. However, the command "grep -A 3 USE /etc/make.profile/make.defaults" will reveal the secret. But caution: do not change make.defaults. Rather, modify your make.conf; you can even build your own USE string from scratch. To compose your own list of USE flags, set USE="-* [your flag list]", where "-*" unsets all flags and "[your flag list]" is simply the string of flags you choose to enable.

Gentoo as a binary release?

The question was raised as to why Gentoo does not provide a binary package system. Binary vs. source has always been a point of contention among Gentoo users. Many want the convenience and speed offered by binary packages while others decry such efforts as taking focus away from making Gentoo Linux the best source-based distribution available.

As some users may already know, Gentoo Linux is working on providing a limited subset of binary packages in the form of the Gentoo Reference Platform. Applications such as KDE, XFree86 and other large applications will be offered in both source and binary form in order to provide a choice to our users. The first "official" release of the Gentoo Reference Platform will come with the final release of Gentoo Linux 1.4.

5.  Gentoo International

Taiwanese Gentoo Initiatives Merging

In a big push for the fledgling Chinese Gentoo user communities, Gentoo Taiwan (GOT, gentoo.org.tw) was set up last week. Patrick Hsieh, the coordinator, and a few zealous Gentooists are merging their strength to establish a local Gentoo organization in Taiwan. They're not only promoting Gentoo to the Taiwanese Linux user sphere, but also making every effort to help localize Gentoo Linux for the realm of the Big5 Chinese encoding. "We already have a dedicated rsync server (rsync.gentoo.org.tw) and an ambitious new forum (http://openbazaar.net) plus an almost ready gentoo FTP server (ftp.gentoo.org.tw). And definitely more and more users will see how we make the difference," says Patrick Hsieh. The GOT web portal is also under construction and about to be unveiled in a few days.

Meanwhile Back in Reality: Italian Consultancy Deploys Gentoo Linux

Verona, a rather attractive spot in Northern Italy, is better known for its historic arena dating from the Roman empire (and notorious for butchering opera masterpieces at that same location). A lesser known fact is that it's currently spearheading Gentoo's move to professional corporate use: Euronia, a technology consultancy firm in Verona, made the switch from SuSE to Gentoo Linux for their own computers as early as release 1.0, and started offering services based on Gentoo six months ago. Their customers include Banca Populare di Verona e Ravenna, the largest banking group in the region, where Euronia set up a proxy for 7500 users, a reverse SSL proxy, secure FTP and other servers, all powered by Gentoo Linux. At Antex (a major HR consultancy in Italy), the tax calculations for 150,000 pay checks each month are done on a Gentoo-based SQL server, and a handful of other banks had Euronia switch their web servers to Gentoo as their operating system, too. Euronia's push for Gentoo Linux in corporate server solutions is easily explained: "We find that Gentoo Linux is the most advanced distro available", says Andrea Gagliardi, head of technology at Euronia. "We build solutions for customers, like the servers we usually base on EVMS-enabled Vanilla kernels with a dozen other stable patches thrown in, or our embedded Xfree on Aquapads (diskless tablet PCs). Nothing we've tried makes setting up and deploying all those customizations more manageable than Gentoo".

6.  Portage Watch

The following stable packages were added to portage this week

Updates to notable packages

  • sys-apps/portage - portage-2.0.48_pre2.ebuild;
  • x11-base/xfree - xfree-4.3.0-r2.ebuild;
  • kde-base/kde - kde-3.0.5b.ebuild; kde-3.1.1a.ebuild;
  • sys-kernel/* - hardened-sources-2.4.20-r1.ebuild; hppa-sources-2.4.20_p32.ebuild; mm-sources-2.5.67-r1.ebuild; ppc-sources-benh-2.4.20-r10.ebuild;

7.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 261 new bugs this week
  • 302 bugs closed or resolved this week
  • 7 previously closed bugs were reopened this week.
  • 2493 total bugs currently marked 'new'
  • 452 total bugs currently assigned to developers

There are currently 3010 bugs open in bugzilla. Of these: 55 are labeled 'blocker', 119 are labeled 'critical', and 245 are labeled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

8.  Tips and Tricks

Using /dev/loop to view a CD image

This week's tip explains how to use the loop device to view or share files from a CD image or ISO file.

First, you need to make sure you have support in your kernel. It can be configured as a module so there's no need to reboot if you don't have support.

Code Listing 8.1: Installing the kernel module

(configure the following option)
Block Devices
-> <M> Loopback device support

# make dep && make modules modules_install
# insmod loop

To view the contents of an iso file, just mount the iso on a loopback device. For example, here we mount gentoo-basic-x86-1.4_rc4.iso to gentoo-1.4_rc4/.

Code Listing 8.2: Mounting an iso on a loopback device

# mount gentoo-basic-x86-1.4_rc4.iso gentoo-1.4_rc4 -o loop=/dev/loop1,blocksize=1024

Now you can view the directory gentoo-1.4_rc4 just as if it were part of your regular filesystem.

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week

Adds

The following developers recently joined the Gentoo Linux team:

  • Ivan Zenkov (zenkov) -- Russian documentation
  • Andres Loeh (kosmikus) -- haskell stuff
  • Michele Balistreri (brain) -- KDE
  • Todd Sunderlin (todd) -- Gentoo/Sparc
  • Joshua Kinard (Kumba) -- Gentoo/Sparc, Gentoo/Mips

Changes

The following developers recently changed roles within the Gentoo Linux project.

  • none this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:



Page updated 14 April 2003

Summary: This is the Gentoo Weekly Newsletter for the week of April 14th, 2003.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Kim Tingkaer
Contributor

Mathy Vanvoorden
Dutch Translation

Tom Van Laerhoven
Dutch Translation

Peter Dijkstra
Dutch Translation

Bernard Bernieke
Dutch Translation

Vincent Verleye
Dutch Translation

Jochen Maes
Dutch Translation

Ben De Groot
Dutch Translation

Jelmer Jaarsma
Dutch Translation

Matthieu Montaudouin
French Translation

Martin Prieto
French Translation

Michael Kohl
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Thomas Raschbacher
German Translation

Klaus-J. Wolf
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Christian Apolloni
Italian Translation

Daniel Ketel
Japanese Translation

Yoshiaki Hagihara
Japanese Translation

Andy Hunne
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Yasunori Fukudome
Japanese Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Gustavo Felisberto
Portuguese (Portugal) Translation

Ricardo Jorge Louro
Portuguese (Portugal) Translation

Lanark
Spanish Translation

Rafael Cordones Marcos
Spanish Translation

Julio Castillo
Spanish Translation

Sergio Gómez
Spanish Translation

Pablo Pita Leira
Spanish Translation

Carlos Castillo
Spanish Translation

Tirant
Spanish Translation

Jaime Freire
Spanish Translation

Lucas Sallovitz
Spanish Translation

Copyright 2001-2014 Gentoo Foundation, Inc.