Gentoo Weekly Newsletter: June 23rd, 2003
1.
Gentoo News
Summary
Where is Gentoo Linux 1.4?
One of the most often asked questions in the Gentoo Forums, mailing lists and IRC channels is, "When will Gentoo Linux 1.4 be released?" While we don't have an exact date to answer that question, we will provide an update on the progress made towards 1.4 later on. First, however, let's clear up one common misconception that many Gentoo users have. Releases do not matter in Gentoo Linux. If you install any version of Gentoo Linux and complete an emerge -u world, congratulations, you are running the most current version of Gentoo Linux. You can start with one of the current LiveCDs for installation purposes, or you can use any number of other alternatives. Either way, you're going to end up with a cutting-edge, fully-optimized installation of Gentoo Linux, tailored to your specifications.
So why does Gentoo Linux have numbered releases at all? Good question and one that has been debated internally amongst the development team. There are some features of Gentoo Linux that are tied to version numbers, most notably the Gentoo Reference Packages and the LiveCD used for installation.
As for the promised update about the current status of Gentoo Linux 1.4, work continues towards our goals and milestones tied to 1.4. Work has been done towards an optional script that will allow users to automatically set CFLAGS and CHOST variables. Improvements to stager have been made available in the experimental section of our distfile mirrors and new GRP packages are being prepped as well. As with all Gentoo products, a release will be made when the product has met our quality and stability standards, and it is not tied to any specific date.
The Meta Package project
As recently announced, Gentoo has joined forces with DarwinPorts and Fink to provide a collection of quality, freely-distributable software to the Macintosh OS X community. More information can be found at metapkg.org.
Two additional new source mirrors for North America
Continuing the recent trend, we're pleased to announce two new Gentoo Linux source mirrors in North America, graciously provided by Seren Innovations and Adelie Linux.
Based in Minneapolis, Seren Innovations explores and deploys cutting-edge entertainment and communications technologies that will serve their customers' needs today and in the future. Their Astound-brand cable TV, high-speed Internet and telephone services are delivered over an advanced, hybrid fiber-coax network. They've built a network in the St. Cloud area of Minnesota, are building another in Contra Costa County, Calif., and will be announcing additional markets in the coming months.
Adelie Linux is an initiative of Cyberlogic in Montreal, Canada. The Adelie Linux Team is composed of analysts, interns, students and professors from various partners. The project is active in Linux-based technologies and development, including Single System Image technologies for use in clusters as well as other products and technologies.
GWN looking for additional translators for Portuguese (Brazil) version
The Gentoo Weekly Newsletter is looking for help with its Portuguese (Brazil) translation. Candidates should have a solid understanding of both written Brazilian Portuguese and written English. Interested parties should send an email to gwn-feedback@gentoo.org.
2.
Gentoo Security
Summary
GLSA: mod_php php
The PHP emalloc() function suffers from an integer overflow vulnerability. Because the emalloc() function is used frequently, it presents a significant security risk. In addition, str_repeat() and array_pad() have integer overflow vulnerabilities.
- Severity: High - Potential arbitrary code execution.
- Packages Affected: dev-php/mod_php and dev-php/php versions prior to 4.3.2
- Rectification: Synchronize and emerge mod_php and/or php, emerge clean.
- GLSA Announcement
- Advisory
- Advisory
- Advisory
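The class of bug behind this advisory, as an added C example (not PHP's source): a str_repeat-style routine that checks its size computation before allocating. The names unchecked_size, checked_mul_add and repeat_checked are hypothetical, and size_t stands in for whatever integer type the real code uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the unchecked arithmetic would hand to the allocator (wraps silently). */
size_t unchecked_size(size_t len, size_t times) { return len * times + 1; }

/* Hypothetical helper: *out = a * b + c, or return 0 if that exceeds SIZE_MAX. */
static int checked_mul_add(size_t a, size_t b, size_t c, size_t *out)
{
    if (a != 0 && b > (SIZE_MAX - c) / a)
        return 0;
    *out = a * b + c;
    return 1;
}

/* str_repeat-style routine: `times` copies of `s` in a fresh NUL-terminated
 * buffer, or NULL if the size computation overflows or malloc() fails. */
char *repeat_checked(const char *s, size_t times)
{
    size_t len = strlen(s), total;
    if (len == 0)
        times = 0;                       /* nothing to copy */
    if (!checked_mul_add(len, times, 1, &total))
        return NULL;
    char *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < times; i++)
        memcpy(buf + i * len, s, len);
    buf[total - 1] = '\0';
    return buf;
}

int main(void)
{
    size_t times = SIZE_MAX / 4 + 1;     /* constructed input: 4 * times wraps to 0 */
    printf("unchecked request: %zu byte(s)\n", unchecked_size(4, times));
    printf("checked result: %s\n", repeat_checked("abcd", times) ? "buffer" : "refused");
    char *ok = repeat_checked("ab", 3);
    printf("small input: %s\n", ok ? ok : "(null)");
    free(ok);
    return 0;
}
```

The unchecked computation asks for a single byte while the copy loop would go on to write far more, which is why the check has to happen before the allocation.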
GLSA: cups
CUPS allows remote attackers to cause a denial of service using an incomplete print request to port 631.
- Severity: Moderate - Remote DoS.
- Packages Affected: net-print/cups prior to cups-1.1.18-r5
- Rectification: Synchronize and emerge cups, emerge clean.
- GLSA Announcement
GLSA: ghostscript
The ps2epsi program in ghostscript uses an insecurely created file to configure ghostscript. This could permit files to be overwritten for the user invoking ps2epsi.
- Severity: Moderate - Local security compromise.
- Packages Affected: app-text/ghostscript prior to ghostscript-7.05.6-r2
- Rectification: Synchronize and emerge ghostscript, emerge clean.
- GLSA Announcement
GLSA: lprng
The lprng package permits local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file.
- Severity: Moderate - Local security compromise.
- Packages Affected: net-print/lprng prior to lprng-3.8.12-r1
- Rectification: Synchronize and emerge lprng, emerge clean.
- GLSA Announcement
GLSA: gzip
The znew and gzexe programs in the gzip package allow local users to overwrite arbitrary files via a symlink attack on temporary files.
- Severity: Moderate - Local security compromise.
- Packages Affected: sys-apps/gzip prior to gzip-1.3.3-r2
- Rectification: Synchronize and emerge gzip, emerge clean.
- GLSA Announcement
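The ghostscript, lprng and gzip advisories above share one pattern, shown here as an added C example (not code from any of those packages): a predictable temporary file name opened without O_EXCL. The file names, contents and function names are constructed, and the scenario runs entirely inside a private mkdtemp() directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create `path` with the given extra open(2) flags and write `data` to it. */
static int write_with(const char *path, const char *data, int flags)
{
    int fd = open(path, O_WRONLY | O_CREAT | flags, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Weak: O_TRUNC follows a symlink already sitting at `path` and empties its target. */
int write_predictable(const char *p, const char *d) { return write_with(p, d, O_TRUNC); }

/* Hardened: O_EXCL fails with EEXIST if the name exists in any form, symlinks
 * included, so the file is always one this process created itself. */
int write_exclusive(const char *p, const char *d) { return write_with(p, d, O_EXCL | O_NOFOLLOW); }

/* Constructed scenario: "before" is a symlink to "victim". Returns 1 if the
 * victim kept its content after `writer` ran, 0 if it did not, -1 on error. */
int victim_survives(int (*writer)(const char *, const char *))
{
    char dir[] = "/tmp/gwn-demo-XXXXXX", victim[64], tmp[64], buf[32] = {0};
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/before", dir);
    if (write_predictable(victim, "important") || symlink(victim, tmp))
        return -1;
    writer(tmp, "scratch");
    int fd = open(victim, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0)
        close(fd);
    unlink(tmp); unlink(victim); rmdir(dir);
    return n < 0 ? -1 : strcmp(buf, "important") == 0;
}

int main(void)
{
    printf("predictable open: victim intact = %d\n", victim_survives(write_predictable));
    printf("exclusive open:   victim intact = %d\n", victim_survives(write_exclusive));
    return 0;
}
```

For real temporary files, mkstemp() combines the exclusive open with an unpredictable name.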
GLSA: man
The man program contains a format string vulnerability, related to the use of an optional catalog file.
- Severity: Moderate - Local security compromise.
- Packages Affected: sys-apps/man prior to man-1.51-r5
- Rectification: Synchronize and emerge man, emerge clean.
- GLSA Announcement
- Advisory
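One way to defend against format strings that arrive from a message catalog, as an added C example (not man's own code): accept a translated message only if it consumes the same arguments as the built-in one. The function names and the sample messages are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reduce a printf-style format to its argument signature ("%s: %-5ld%%" -> "sld").
 * Returns 0 for anything this checker will not vouch for: %n, '*' widths,
 * positional '$' arguments, a dangling '%', or a signature too long for `out`. */
static int signature(const char *fmt, char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;                            /* literal percent sign */
        p += strspn(p, "-+ #0123456789.");       /* flags, width, precision */
        size_t mod = strspn(p, "hlLjzt");        /* length modifier */
        if (p[mod] == '\0' || !strchr("diouxXeEfgGcsp", p[mod]) || n + mod + 2 > cap)
            return 0;
        memcpy(out + n, p, mod + 1);
        n += mod + 1;
        p += mod;
    }
    out[n] = '\0';
    return 1;
}

/* A catalog message is acceptable only if it takes exactly the same arguments,
 * in the same order, as the built-in message it replaces. */
int catalog_msg_ok(const char *builtin, const char *translated)
{
    char want[64], got[64];
    return signature(builtin, want, sizeof want)
        && signature(translated, got, sizeof got)
        && strcmp(want, got) == 0;
}

/* Fall back to the built-in text when the catalog entry fails the check. */
const char *pick_msg(const char *builtin, const char *translated)
{
    return catalog_msg_ok(builtin, translated) ? translated : builtin;
}

int main(void)
{
    const char *builtin = "No manual entry for %s\n";   /* constructed sample */
    fputs(pick_msg(builtin, "Pas d'entree de manuel pour %s\n"), stdout);
    fputs(pick_msg(builtin, "%s%n"), stdout);            /* rejected, built-in is used */
    return 0;
}
```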
New Security Bug Reports
The following new security bugs were posted this week:
3.
User stories
No user story this week
This section takes a little break this week, but will be back in the next issue!
4.
Featured Developer of the Week
D.M.D. Ljungmark, aka Spider
Figure 4.1: D.M.D. Ljungmark, aka Spider
This week we're featuring Spider, who maintains many of the Gnome ebuilds as well as some others spread around the tree. Spider was actually a member of the Gnome Packaging Project when he switched from his own reworked distribution to Gentoo, and so his involvement began with the building of Gnome2 packages as well as some loose ends to the project like Vi, Nethack, POVRay, and others. Right now he's working on porting the Ximian G2D patches to Gentoo; otherwise he generally follows releases and works to ensure a smooth path to get them into the tree. A member of the Gnome Foundation in addition to the Gnome Packaging Project, Spider has also written hints and tips for LinuxFromScratch, and his proudest achievement to date is the Migration Guide.
A minimalist command-line junky with a soft spot for well-designed CLI tools and other things that "wrap around your fingers" like lftp, zsh, and epiphany, Spider is currently using two 1GHz Athlon machines: one testing Ximian Gnome on Gentoo, the other running Openbox, sylpheed, xchat-1.8, and a horde of aterms running zsh and/or vim.
Spider was a judo instructor who spent a lot of time in the dojos but is now suffering from chronic depression, social phobia, and anxiety disorder in his mid twenties. Currently on a disability pension and taking a summer break from social rehabilitation, he says he spends too much of his time by his computer. He's also been feeding his music addiction, dabbling in the questionable art of digital photography, and having heated arguments with friends and acquaintances while feeding his Mocha addiction in various cafes. Spider lives in Norrköping, stays awake for too long to sit and watch the dawn outside his window, and swears a lot at the fact that it never gets dark out there (because this is as dark as the night gets there).
5.
Heard in the Community
Web Forums
LiveUSB? Keychain to Boot
A very interesting discussion has slowly been growing around the ability of recent BIOSes to boot not only from traditional devices like CDs, floppies or network drives, but from removable USB sticks with flash memory, too. The small plug-in stubs are available with anything from 64 MB well into the GB range, and are well worth the effort if you want to carry your Gentoo about, or boot Linux on somebody else's PC. The gist: You can easily write data back to a USB device, try that with a silver platter...
Growing Collection of Local Email Setup Howtos
If your ISP's mail server alone isn't good enough for you anymore, you'll be thinking about setting up your own services inside the home network. Check the forums for several flavours of interesting solutions to a very common problem:
gentoo-user
Improving The Mozilla Web Browsing Experience
Seeing that installing or finding plugins for the Mozilla Web Browser can sometimes be a pain, Mknecht made a suggestion to improve the situation. His suggestion included creating an all-inclusive ebuild that would grab most plugins automatically. Other users came up with different ideas, ranging from manual installs to a full-fledged "gentoo service site" that would automatically point you to the needed plugins for various file formats. The thread can be found here.
6.
Gentoo International
Internationalization of gentoo.org
You hear a distant rumble... Initiated by FRLinux, some of the translators busy hacking away at portions of the Gentoo website, including this newsletter, have started an initiative to internationalize the Gentoo website itself. There's a motion on bugs.gentoo.org that tries to win support for Net- and FreeBSD-like language handling for the entire website, linguistically transparent and completely consistent over all versions. Suggestions include links from the main website to international efforts on {ISO country code}.gentoo.org, and you can join the discussion either via Bugzilla or the Forums, in a thread called "Gentoo International Community" (it's in French, do feel free to open an English thread about the same subject in Other Things Gentoo).
7.
Portage Watch
8.
Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 13 Jun 2003 and 19 Jun 2003, activity on the site has resulted in:
- 322 new bugs during this period
- 446 bugs closed or resolved during this period
- 8 previously closed bugs were reopened this period
Of the 3334 currently open bugs: 56 are labeled 'blocker', 138 are labeled 'critical', and 275 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs during this period are:
9.
Tips and Tricks
Querying Portage with etcat
This week's tip shows you how to use the etcat command to retrieve
information on Portage, USE flags, package versions, and much more.
While there are other package query utilities such as qpkg or
epm, etcat has some unique features. Some of these features
include the ability to display the amount of disk space a particular
package is using, the USE flags the package was compiled with, and the
versions available for a package.
The first step is installing the app-admin/gentoolkit package from
Portage. This installs etcat (among other utilities) to
/usr/bin.
Code Listing 9.1: Getting etcat |
# emerge app-admin/gentoolkit
|
To view the size of the package, use etcat size [package].
Code Listing 9.2: Displaying the size of a package |
# etcat size mozilla
[ Results for search key : mozilla ]
[ Applications found : 4 ]
Only printing found installed programs.
* mozilla-firebird-bin-0.5
Total Files : 338
Total Size : 20925.18 KB
* mozilla-1.3-r1
Total Files : 3155
Total Size : 52073.05 KB
# etcat size evolution
[ Results for search key : evolution ]
[ Applications found : 1 ]
Only printing found installed programs.
* evolution-1.2.4
Total Files : 1421
Total Size : 33456.65 KB
# etcat size fluxbox
[ Results for search key : fluxbox ]
[ Applications found : 1 ]
Only printing found installed programs.
* fluxbox-0.1.14-r1
Total Files : 26
Total Size : 806.92 KB
|
To look at the USE flags a package was compiled with, use etcat uses
[package]. For example, the following command shows which USE flags
Postfix was compiled with.
Code Listing 9.3: Displaying USE flags |
# etcat uses net-mail/postfix
[ Colour Code : set unset ]
[ Legend : (U) Col 1 - Current USE flags ]
[ : (I) Col 2 - Installed With USE flags ]
U I [ Found these USE variables in : net-mail/postfix-2.0.9 ]
+ + ssl : Adds support for Secure Socket Layer connections
+ + mysql : Adds mySQL support
+ + sasl : Adds support for the Simple Authentication and Security Layer
+ + ldap : Adds LDAP support (Lightweight Directory Access Protocol)
- - ipv6 : Adds support for IP version 6
- - maildir : Adds support for maildir (~/.maildir) style mail spools
- - mbox : Adds support for mbox (/var/spool/mail) style mail spools
# etcat uses fluxbox
[ Colour Code : set unset ]
[ Legend : (U) Col 1 - Current USE flags ]
[ : (I) Col 2 - Installed With USE flags ]
U I [ Found these USE variables in : x11-wm/fluxbox-0.1.14-r1 ]
- - kde : Adds support for kde-base/kde (K Desktop Enviroment)
+ + gnome : Adds GNOME support
+ + nls : unknown
+ - xinerama : Add support for XFree86's xinerama extension, which allows you to stretch
your display across multiple monitors
+ + truetype : Adds support for FreeType and/or FreeType2 fonts
|
To see which versions of a specific package are available, use etcat
versions [package].
Code Listing 9.4: Displaying available package versions |
# etcat versions kde-base/kde
[ Results for search key : kde-base/kde ]
[ Applications found : 1 ]
* kde-base/kde :
[ ] kde-base/kde-2.2.2-r1 (2)
[ ] kde-base/kde-3.0.4 (3.0)
[ ] kde-base/kde-3.0.5a (3.0)
[ ] kde-base/kde-3.0.5b (3.0)
[ ] kde-base/kde-3.1.1a (3.1)
[ ] kde-base/kde-3.1.1 (3.1)
[ ] kde-base/kde-3.1.2 (3.1)
[ ] kde-base/kde-3.1 (3.1)
# etcat versions net-mail/evolution
[ Results for search key : net-mail/evolution ]
[ Applications found : 1 ]
* net-mail/evolution :
[ ] net-mail/evolution-1.2.3 (0)
[ I] net-mail/evolution-1.2.4 (0)
[M~ ] net-mail/evolution-1.3.92 (2)
[M~ ] net-mail/evolution-1.4.0 (0)
# etcat versions net-www/apache
[ Results for search key : net-www/apache ]
[ Applications found : 1 ]
* net-www/apache :
[ ] net-www/apache-1.3.27 (1)
[ ] net-www/apache-1.3.27-r1 (1)
[M~ ] net-www/apache-1.3.27-r2 (1)
[ ] net-www/apache-1.3.27-r3 (1)
[M~ ] net-www/apache-1.3.27-r4 (1)
[M~ ] net-www/apache-2.0.43-r1 (2)
[M~ ] net-www/apache-2.0.44 (2)
[M~ ] net-www/apache-2.0.45 (2)
[M~I] net-www/apache-2.0.46 (2)
|
Note:
If you don't specify the category, etcat will try to find all
possible matches in Portage. If the package name is common or occurs in many
other package names, you may get a lot more output than you wanted.
|
For more detailed information, type man etcat. For a quick overview
of available options, just type etcat.
10.
Quote/Signature of the week
This week we feature the current signature of forums guru carambola5: "Deck of Cards: $1.29. Card Table: $14.99. "101 Solitaire Variations" book: $6.59. Finding a cheaper replacement for the one thing Windows is ideal for: priceless."
11.
Moves, Adds and Changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
Changes
The following developers recently changed roles within the Gentoo Linux project.
12.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
13.
GWN Feedback
Please send us your feedback and help make GWN better.
14.
GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
15.
Other Languages
The Gentoo Weekly Newsletter is also available in the following languages: