Gentoo Weekly Newsletter: April 28th, 2003

1.  Gentoo News

Summary

• Proposed changes to how ebuilds are managed
• Mailing list changes
• Early addition of tcl/tk

Proposed changes to how ebuilds are managed

The explosive growth of Gentoo Linux has brought on its share of growing pains, one of which is the fact that Gentoo Linux now has over 4000 packages in the Portage tree, with under 100 active developers to maintain them all. With a ratio of 40 packages per developer, its no surprise that some applications have fallen behind their most current versions.

In an effort to remedy at least part of this problem, Gentoo developer Dan Armak recently summarized and RFC'd a proposal for reorganizing how Gentoo Linux manages and maintains ebuilds within the Portage tree. The new proposal has four key features:

• All ebuilds should, if at all possible, have at least one maintainer assigned to them. Major ebuilds, such as KDE, GNOME and XFree86 might have two or three developers assigned to them. Realistically, only those ebuilds which are complicated or otherwise unusual are likely to have their own maintainers.
• For the ebuilds that cannot have their own maintainer and are not complicated enough to require one, they will be organized into thematic groups. So, there might be a "sound" category and a "video" category. Each themed group will have one or more maintainers assigned to it who are responsible for watching for newer upstream versions and bumping those ebuilds in the testing branch of Portage.
• These thematic groups are not intended to replace or even necessarily align with Portage categories. Portage categories are a user-side convenience designed to make organizing packages easier. Themed groups of maintainers are a developer-side convenience, designed to ensure complete coverage of the Portage tree.
• Finally, if an ebuild is deemed to be complicated enough to need a dedicated maintainer, it will be listed as "unmaintained" and in need of a new owner. If it is not picked up within a pre-determined amount of time, it will be masked and later dropped from Portage. For those people familiar with Debian Linux, this is similar to the method they use for their package maintenance.

Currently, this solution is in the draft stage and is subject to revision or even complete abandonment if a better solution comes along.

Mailing list changes

Many of the Gentoo Linux mailing lists have been abuzz this week regarding developer communication, the openness of the private gentoo-core list and other issues related to keeping users appraised of the future of Gentoo Linux. In an effort to address these issues, the following changes will be made:

• All communication related to development issues will be kept on gentoo-dev. Previously, because of the signal to noise ratio on dev, many developers chose gentoo-core to discuss development issues. As a result of this, users posting support-related quesitons or other non-development related issues to gentoo-dev may be politely asked to instead post their questions to gentoo-user.
• gentoo-core will continue to be a private list, but relevant issues from it will be summarized here in the GWN. (Actually, this has always been the case since the GWN was first published. We've just never explicitly explained that)
• Depending on how successfuly the efforts are to improve the signal to noise ratio on gentoo-dev, a third list may be created which would be restricted to posting by Gentoo Linux developers only, but read-only to anyone who wishes to subscribe.

Users can help this effort by ensuring that each list is used for its proper purpose. gentoo-user is for support-related questions and general discussion about Gentoo Linux. gentoo-dev is for discussions related to the development of Gentoo Linux.

Early addition of tcl/tk

Earlier this week, tcl-8.4.2 was added to the testing tree ahead of schedule and before the supporting scripts to help users migrate from previous versions of tcl were in place. tcl-8.4.2 requires all applications using tcl to be recompiled before they will function with the new version. The development team is working on a migration strategy to help users migrate from previous versions. In the meantime, anyone using ACCEPT_KEYWORDS="~<arch>" should be aware of the recompilation requirements.

2.  Gentoo Security

Summary

• GLSA: snort
• New Security Bug Reports

GLSA: snort

The snort intrusion detection package has been found to contain an integer overflow vulnerability that could permit a DoS attack on a vulnerable computer. It is theoretically possible to exploit the overflow to run arbitrary code as the snort user, typically root. This compromise may be corrected by disabling the stream4 preprocessor in snort.conf. Doing so reduces the utility of snort.

• Severity: High - Potential remote root compromise, with published defence.
• Packages Affected: net-analyzer/snort versions prior to snort-2.0.0
• Rectification: Synchronize and emerge snort, emerge clean.
• GLSA Announcement
• Advisory

New Security Bug Reports

The following new security bugs were posted this week:

• net-www/monkeyd
• x11-plugins/gkrellm-newsticker

3.  Featured Developer of the Week

George Shapovalov

Figure 3.1: George Shapovalov

This week's featured developer, George Shapovalov, is the caretaker of app-sci and "alternative" parts of dev-lang (mostly Pascal-esque and functional languages like Caml and Haskell) and the coordinator of the Russian Gentoo community, and also spends a lot of time tackling organizational and design-related issues, his most notable contribution being the "distributed ebuild processing system" he proposed. Posted as Bug #1523, it was a proposed method to ease the load on the core developers' shoulders by delegating ebuild review to users. George submitted this suggestion after he had used Gentoo for a while and had submitted several ebuilds; apparently it caused quite a bit of debate in gentoo-core, and resulted in an invitation to the Gentoo team. While the proposal hasn't been implemented completely, parts of it have been, and George feels that Portage is slowly moving closer to what he suggested. On the Russian front, George coordinates the translation of documentation and the GWN (Russian version coming soon to a browser near you), as well as the community at www.gentoo.ru, comprising forums, a mailing list, and, soon to come, social activities.

Trading nice features for tightness, George runs KDE apps like konqueror and kmail for day-to-day stuff under Fluxbox. The other apps he uses are quite standard, although being in charge of app-sci he ends up playing with quite a few fun and special apps. His workspace, an IBM Thinkpad A21m (P3 800, 512MB RAM, 20GB HD) follows him around everywhere; he also has two boxen at home, one serving as a workstation for his wife, the other serving files and routing. When not busy helping shape the future of Portage or translating documents, George can be found doing graduate work in biophysics at Caltech in Pasadena, CA, spending time with his family, or on the occasional mountain climbing or biking trip. He'll be graduating soon, and is thinking of going to Europe, quite possibly Germany.

4.  Heard In The Community

Web Forums

Two New Moderators

The Gentoo Forums continue to grow at their own mind-boggling pace, and at times some reenforcement of the happy lot that assumes responsibility for moderation is necessary. Last week, bsolar and andrd joined the group of moderators offering some guidance in polite speech to the occasional hothead, redirecting posts to appropriate context, deleting duplicate threads and the rare occurrences of spam posts:

• New moderators andrd and bsolar

Everything You Always Wanted to Know About Framebuffers, Boot- And Other Splashes

Cleanliness and a well-presented desktop have always been in good standing with Gentoo users, at least as far as the Forum dwellers are concerned. Now Narada has shown admirable consideration for his fellow desktop Gentooists, by providing a very concise manual for all those who haven't quite come to terms with framebuffers and other graphic tricks:

• The Gentoo Framebuffer, Bootsplash & Grubsplash How-To

gentoo-user

Public Key Signing

A hot topic in the gentoo-user list was that of PGP keys, encryption and secure communications in general. Lots of good information popped up in the thread. Notably, the Reverand Jeffrey Paul preached the dangers of ignorance in cryptography and recommended this PDF as required reading. In summary of the thread, due to the nature of the communities trust in its members, it should not be easy to get your key signed by just anybody. There are pay services offering "Digital IDs", however that's beside the point. A good place to get connected is at your local LUG (Linux User Group), or better yet, at the next Gentoo gathering.

• Public Key Signing

Upgrading Gentoo RCs (release canidates)

This week it was Joel Palimus asking the question, ".. is there then any reason to install a later release candidate or final release?". Not surprisingly, the -user community responded with a unanimous 'no'. Once you have a base system installed and working, it is brought completely up to date through a series of emerge 'syncs' and 'update worlds'. It was stated, however, that the move from Gentoo 1.2 to 1.4 was a little more rocky. The upgrade required recompiling the whole system with a 'emerge -e world' due to the compiler changing from gcc 2.95 to gcc 3.2. Once gcc-config was released, however, it allowed gcc 2.95.3-r8 and gcc 3.x compilers to co-exist peacefully, making the upgrade even easier. Janne Johansson provided an excellent explanation sourced from the gcc website. And yes, you can rest safely knowing the GWN team will announce any special circumstances in the future.

• Question about Release Canidates

gentoo-dev

Several Portage Trees

Francisco Gimeno started a big thread with his "I was wondering about having several portage trees to allow external distributor having repositories of packages." He received several comments from Foser and Method, along with other Gentoo developers, regarding the problems that may arise if such a thing was allowed. Of chief concern is how to properly track dependencies and cache metadata across multiple trees.

Initscripts written in Python

An interesting proposal was brought on, about writing the Gentoo init scripts in python. To form a consistency with portage. Read about the pros and cons.

Ebuild naming policy

Is there one? And if so which one? Here is the full discussion as to how do names come to the Portage tree. Reading the Gentoo Linux Developers HOWTO might come in handy too!

5.  Gentoo International

The Gentoo Weekly Newsletter is pleased to announce the creation of a Turkish version of the GWN. For our Turkish users, you can now enjoy the GWN in your native toungue.

Interested in translating the GWN into a different language? As you can see from each issue that comes out, translating the GWN is a fair amount of work. As such, we prefer to have teams of at least 2-3 people per language, rather than having just one person per language. This helps to distribute the load and also ensures that vacations, illnesses and family emergencies don't disrupt our publishing schedule. If you'd like to help translate the GWN, please send an email to gwn-feedback@gentoo.org.

6.  Portage Watch

The following stable packages were added to portage this week

• app-games/orbital-eunuchs-sniper: Snipe terrorists from your orbital base http://icculus.org/oes
• dev-python/quixote: Python HTML templating framework for developing web applications. http://www.mems-exchange.org/software/quixote/
• media-video/mtxdrivers: Drviers for the Matrox Parhelia card. http://www.matrox.com/mga/products/parhelia/home.cfm
• net-www/davfs2: a Linux file system driver that allows you to mount a WebDAV server as a local disk drive. Davfs2 uses Coda for kernel driver and neon for WebDAV interface. http://dav.sourceforge.net
• sys-apps/selinux-base-policy: Gentoo base policy for SELinux http://www.gentoo.org
• x11-plugins/asbutton: A simple dockable application launcher for use in AfterStep. http://www.tigr.net
• x11-themes/gaim-smileys: Snapshot of Available Gaim Smiley Themes http://gaim.sourceforge.net/themes.php

Updates to notable packages

• x11-wm/fluxbox: fluxbox-0.9.0.ebuild;
• sys-kernel/*: ac-sources-2.4.21_pre7-r1.ebuild; ac-sources-2.4.21_rc1-r1.ebuild; ck-sources-2.4.20-r6.ebuild; development-sources-2.5.68.ebuild; gaming-sources-2.4.20-r2.ebuild; genkernel-1.0.ebuild; gentoo-sources-2.4.20-r3.ebuild; gs-sources-2.4.21_pre7-r1.ebuild; gs-sources-2.4.21_rc1.ebuild; hardened-sources-2.4.20-r2.ebuild; mm-sources-2.5.67-r2.ebuild; mm-sources-2.5.67-r3.ebuild; mm-sources-2.5.67-r4.ebuild; mm-sources-2.5.68-r1.ebuild; openmosix-sources-2.4.20-r3.ebuild; pfeifer-sources-2.4.20.1_pre7.ebuild; selinux-sources-2.4.20-r4.ebuild; xfs-sources-2.4.20-r3.ebuild;
• dev-php/php: php-4.3.1-r2.ebuild;
• app-admin/gentoolkit: gentoolkit-0.1.19-r4.ebuild; gentoolkit-0.1.19-r5.ebuild;

New USE variables

• ladcca: Adds Linux Audio Developer's Configuration and Connection API support (LADCCA)
• nhc98: Use the nhc98 Haskell compiler instead of GHC if the package supports it
• prebuilt: Flag to enable or disable options for prebuilt (GRP) packages (eg. due to licensing issues)
• xinerama: Add support for XFree86's xinerama extension, which allows you to stretch your display across multiple monitors

7.  Bugzilla

Summary

• Statistics
• Closed Bug Ranking
• New Bug Rankings

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

• 241 new bugs this week
• 443 bugs closed or resolved this week
• 8 previously closed bugs were reopened this week.
• 2495 total bugs currently marked 'new'
• 398 total bugs currently assigned to developers

There are currently 2952 bugs open in bugzilla. Of these: 49 are labeled 'blocker', 111 are labeled 'critical', and 236 are labeled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

• Daniel Robbins, with 23 closed bugs
• The KDE Team, with 19 closed bugs
• Seth Chandler, with 16 closed bugs
• The Gnome Team, with 14 closed bugs

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

• The X-Free Team, with 33 new bugs
• Martin Schlemmer, with 17 new bugs
• Seth Chandler, with 13 new bugs
• Nicholas Jones, with 11 new bugs

8.  Tips and Tricks

Privilege Separation in Portage

One nice feature of Portage is that it can drop privileges and compile as a less privileged user. It can also sandbox most phases of the installation. This week's tip shows you how to enable these features of Portage to increase the security of your system.

The first step is to create the portage user and group accounts. Portage will use these accounts when running its processes.

#  groupadd -g 250 portage
#  useradd -u 250 -g 250 -s /bin/false portage

The next step is to fix the ownership on the areas portage will need access to. By default, these directories are /usr/portage, /var/tmp/portage.

# chown -R portage:portage /usr/portage
# chown -R portage:portage /var/tmp/portage

After the ownership has been set properly, you need to enable the features for privilege separate in /etc/make.conf. To do this, you need to edit the FEATURES line.

(FEATURES should look something like the following)
FEATURES="sandbox userpriv usersandbox"

Portage is now set up to drop root privileges and build packages under the portage user account. To test it, use the command top. When you have top open, type u to display processes for a specific user, and type portage at the prompt to display processes for portage. Now emerge something, and watch as the portage user shows up as the owner of all the commands.

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

• none this week

Adds

The following developers recently joined the Gentoo Linux team:

• Tavis Ormandy (taviso) -- Gentoo Linux/Alpha
• Todd Berman (tberman) -- sendmail, java
• Michael Sterrett (msterrett) -- miscellaneous
• Michael Fitzpatrick (leachim) -- xfree
• Fred Van Andel (fava) -- ufed
• Chuck Brewer (killian) -- net-dialup
• Thomas Schutz (murray_b) -- bug-wranglers
• Caleb Tennis (caleb) -- kde
• Tal Peer (coredumb) -- php
• Bip Thelin (bip) -- php, tomcat
• Paul de Vrieze (pauldv) -- kde

Changes

The following developers recently changed roles within the Gentoo Linux project.

• none this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  GWN Subscription Information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

13.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:

• Dutch
• English
• German
• French
• Japanese
• Italian
• Portuguese (Brazil)
• Portuguese (Portugal)
• Spanish
• Turkish