Gentoo Weekly Newsletter: May 5th, 2003

1.  Gentoo News

Summary

• Feature list for next release of Gentoo Linux 1.4
• Rsync etiquette guidelines
• New mailing lists available
• Policy discussion regarding accessing users' boxes

Feature list for next release of Gentoo Linux 1.4

Daniel Robbins recently posted a list of features that will be completed before the next release of Gentoo LInux 1.4. Features include:

• baselayout being migrated away from any dependencies on tmpfs
• A CFLAGS guide incorporated into install docs, including reasonable examples for typical use cases, such as servers, desktops, etc.
• An optional script that users could run to automatically set CFLAGS and CHOST based on CPU. (for at least x86 and ppc)
• Creation and testing of various packages for the Gentoo Reference Platform
• A new kernel script, tentatively called "genkernel", that will assist users with creating their own kernels

Rsync etiquette guidelines

The continued growth of Gentoo Linux has placed more and more demands on our mirror system. Both source mirrors as well as rsync mirrors continue to show dramatic increases in usage. As we continue to grow, the importance of using our mirroring system responsibly becomes more critical. As such, here are some rsync etiquette guidelines to keep in mind as you emerge sync:

• Sync 1-2 times per day, maximum. There's being on the bleeding edge, and there is being just plain silly. Analysis of rsync logs show that a few discourteous users syncing 10, 15 or even 25 times per day are using a disproportionate amount of rsync mirror resources. Rsync mirror maintainers have been encouraged to use iptables rules to limit people who are abusing the system.
• Use the rotations, not individual servers Please do not single out specific rsync mirrors and hard-code them in your configuration files. Doing so places undue stress on particular mirrors. By using country- or continent-specific rotations, you are able to select servers that are geographically close to you, yet still distribute the load over a number of servers.
• Report bad mirrors on bugs.gentoo.org If you notice a server in the rotation that is not responding or is showing signs of other problems, please report it on bugs.gentoo.org immediately. Many users simply assume that someone else will file the bug report, which results in nobody ever finding a bug report until a Gentoo developer happens to notice the problem. By filing bug reports sooner, we can catch and remove problematic mirrors from our rotation much faster.

Remember that all of our rsync mirrors rely entirely upon donated resources. Thus, being respectful of these donated resources is not only a common courtesy, but essential if we are to support the continued growth of Gentoo Linux.

New mailing lists available

Over the past few weeks, a number of new Gentoo Linux mailing lists have been created for our users. Among them include:

• gentoo-performance -- highly technical discussions regarding resolving performance issues in Gentoo
• gentoo-mips -- Discussions about running Gentoo on the MIPS architecture

Policy discussion regarding accessing users' boxes

Recently, the Gentoo Linux development team discussed whether or not it was acceptable to remotely access users' boxes (with the consent of the user) to assist with debugging and troubleshooting a specific problem. Some developers voiced concerns about unwarranted finger pointing that might arise if something went wrong during the process. Others raised concerns about setting unreasonable expectations among the Gentoo Linux user base. After a lengthy discussion, the majority of developers seemed to agree that, while accessing users' boxes should not be a regular occurance, it may be acceptable in certain circumstances, such as trying to track down a particularly troublesome bug.

2.  Gentoo Security

Summary

• GLSA: openssh
• GLSA: monkeyd
• GLSA: pptpd
• GLSA: mgetty
• GLSA: balsa
• New Security Bug Reports

GLSA: openssh

OpenSSH has a vulnerability which permits a timing attack that can reveal the identities of valid users on the target system. This information greatly enhances the system's vulnerability to brute-force attacks and weak passwords.

• Severity: Critical - Security information compromise.
• Packages Affected: net-misc/openssh versions prior to openssh-3.6.1_p2
• Rectification: Synchronize and emerge openssh, emerge clean.
• GLSA Announcement
• Advisory

GLSA: monkeyd

The monkeyd web server contains a buffer overflow vulnerability in its handling of POST requests. This could theoretically be used to implement a DoS attack, or to execute arbitrary code under the privileges of the monkey server.

• Severity: High - Remote code execution.
• Packages Affected: net-www/monkeyd versions prior to monkeyd-0.6.3
• Rectification: Synchronize and emerge monkeyd, emerge clean.
• GLSA Announcement
• Advisory

GLSA: pptpd

The PPTP daemon contains a buffer overflow in its handling of PPTP packet headers. This could be used to remotely load executable code into the server's stack.

• Severity: High - Remote code execution.
• Packages Affected: net-dialup/pptpd versions prior to pptpd-1.1.3.20030409
• Rectification: Synchronize and emerge pptpd, emerge clean.
• GLSA Announcement
• Advisory

GLSA: mgetty

The fax spool in mgetty is world-writable, which permits unprivileged users to modify transmission privileges. In addition, there is a buffer overflow vulnerability in mgetty that could be used for a DoS attack or to execute arbitrary code.

• Severity: High - Remote code execution, privilege escalation.
• Packages Affected: net-dialup/mgetty versions prior to mgetty-1.1.30
• Rectification: Synchronize and emerge mgetty, emerge clean.
• GLSA Announcement

GLSA: balsa

The balsa email client shares a buffer overflow vulnerability with mutt. This vulnerability could be used to remotely crash balsa or to execute arbitrary code with the user's privileges.

• Severity: High - Remote code execution.
• Packages Affected: net-mail/balsa versions prior to balsa-2.0.10
• Rectification: Synchronize and emerge balsa, emerge clean.
• GLSA Announcement
• Advisory

New Security Bug Reports

The following new security bugs were posted this week:

• net-mail/qpopper

3.  Featured Developer of the Week

Alastair Tse

Figure 3.1: Alastair Tse, aka liquidx

This week we feature Alastair Tse, who is involved with the Gentoo GNOME team, Python modules and programs and general bug fixing. A Python fanatic and KDE-basher/GNOME-user, Alastair takes care of various Gtk/GNOME packages, especially troublesome ones like Evolution, and unofficially looks after dev-python. He has also recently released etcat, a tool that allows power users to get more information from Portage more quickly, and which is now part of the gentoolkit. Like Larry the Cow, Alastair began using Gentoo after being frustrated by the other distros, fell in love with the ability to tweak the way packages were built (until then he had been maintaining his own .spec files), started contributing patches and ebuilds and eventually got noticed and invited to join the team.

Alastair's favorite apps include Epiphany, Xchat2, Gaim, Straw, Evolution, Gnome-Terminal, feh, zsh, and python-bash, and he runs them on a slim Sony Vaio N505-VE (Celeron 333Mhz, 128MB RAM; to those of you who are surprised that Alastair runs those apps on such a machine, he says it's because he's a very patient person). Alastair, now 23, grew up between Melbourne, Australia, and Hong Kong, moved to Sydney, Australia to study after an incident involving a banana and some pajamas, and got a Computer Engineering degree there at the University of New South Wales. After working there for a year as a sysadmin, he left the beaches and kangaroos of Australia for mad cow England, where he is studying for a PhD at the University of Cambridge's Laboratory of Communication Engineering. Along with the exotic animals he left in Australia his hobbies, which included watching and playing basketball and soccer, watching F1 races, driving, and playing Nintendo GameCube. He also has a personal website at http://www.liquidx.net/

4.  Heard In The Community

Web Forums

GCC 3.3

Highly acclaimed, much anticipated, finally here: GCC 3.3 has been available as an ebuild since Thursday, and folks in the forums are giving it a try:

• GCC 3.3

News from the Zetagrid GLUE Team

"We are Michael Imhof, resistance is futile" is the powerful mantra of Gentoo Linux Users Everywhere (GLUE) participating in the Zetagrid competition, the famous grid computing hunt for proof or rejection of Riemann's Hypothesis. If you want to participate, make sure you use Tantive's user ID and mail address - only individual users can win the 10,000 USD prize, and dozens of Gentoo workstations all over the planet are using Tantive's ID to advance even higher than the current 4th rank. If Michael Imhof wins, all the money goes to Gentoo.

• Zetagrid GLUE-team --> We are in the TOP 5 (5 Apr 2003)
• Zetagrid GLUE Team FAQ
• Zetagrid Homepage
• Riemann Hypothesis

gentoo-user

X responsiveness

Does the jerkiness of X under a heavy load got you down? Apparently it was for a number of Gentoo'ers in the -user community. Checkout this thread to readup on the methods used to speedup a sometimes sluggish X. As usual, there's a plethora of system enhancing solutions to choose from, some applicable, some not. In short make sure your harddrive settings are properly tweaked and if you're not using the caffeinated -ck sources, to run your X server with higher priority.

5.  Gentoo International

Regional German Gentoo User Meeting in Cologne

After many weeks of indecision about the agenda and - even more importantly - the ultimate choice of a venue, the Greater Cologne/Bonn Area Gentooists have decided on what will just have to be the perfect spot for their initial get-together: On Wednesday, 14 May 2003, from 18:00 with undoubtedly open end, everybody who's anybody in West-German Gentooism will be at Hellers Brauhaus, located on Roonstrasse in Cologne. As for many other regional Gentoo user meetings, this one has a coordination thread in the Forums, for you to announce your participation.

Gentoo Weekly Newsletter now available in Russian, as well

For our growing Russian community of Gentoo Linux users, we are pleased to announce that you can now enjoy the Gentoo Weekly Newsletter in Russian each week

6.  Portage Watch

7.  Bugzilla

Summary

• Statistics
• Closed Bug Ranking
• New Bug Rankings

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

• 265 new bugs this week
• 360 bugs closed or resolved this week
• 6 previously closed bugs were reopened this week.
• 2522 total bugs currently marked 'new'
• 386 total bugs currently assigned to developers

There are currently 2964 bugs open in bugzilla. Of these: 48 are labeled 'blocker', 107 are labeled 'critical', and 237 are labeled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

• Nicholas Jones, with 33 closed bugs
• The KDE Team, with 22 closed bugs
• Martin Schlemmer, with 20 closed bugs
• Martin Holzer, with 15 closed bugs
• The X86 Kernel Team, with 14 closed bugs

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

• Martin Schlemmer, with 14 new bugs
• The Games Team, with 13 new bugs
• Nicholas Jones, with 13 new bugs
• The X-Free Team, with 12 new bugs
• Martin Holzer, with 11 new bugs

8.  Tips and Tricks

Adding Users with Superadduser

Adding users to a system can be tedious. It involves creating an account, setting a password, and creating a home directory. This week's tip shows how to make adding users easier with the use of superadduser.

#  emerge app-admin/superadduser 

Using superadduser is very easy. Just run the command and follow the prompts.

(Replace the examples with your own information)
# superadduser

Login name for new user []: johndoe

User id for johndoe [ defaults to next available]: 

Initial group for johndoe [users]: 

Additional groups for johndoe (seperated
with commas, no spaces) []:

johndoe's home directory [/home/johndoe]: 

johndoe's shell [/bin/bash]: 

johndoe's account expiry date (YYYY-MM-DD) []: 

OK, I'm about to make a new account. Here's what you entered so far:

New login name: johndoe
New UID: [Next available]
Initial group: users
Additional groups:
Home directory: /home/johndoe
Shell: /bin/bash
Expiry date: [no expiration]

This is it... if you want to bail out, hit Control-C.  Otherwise, press
ENTER to go ahead and make the account.

ENTER

Making new account...

Changing the user information for johndoe
Enter the new value, or press ENTER for the default
        Full Name []: John Doe
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 

New UNIX password: user_password
Retype new UNIX password: user_password
Done...

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

• Seth Chandler (sethbc)
• Michael Fitzpatrick (leachim)

Adds

The following developers recently joined the Gentoo Linux team:

• none this week

Changes

The following developers recently changed roles within the Gentoo Linux project.

• none this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  GWN Subscription Information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

13.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:

• Dutch
• English
• German
• French
• Japanese
• Italian
• Portuguese (Brazil)
• Portuguese (Portugal)
• Russian
• Spanish
• Turkish