Gentoo Weekly Newsletter: October 6, 2003
1. Gentoo News
Gentoo Linux Performance Metrics
On 23 Sep 2003, Jose Alberto Suarez Lopez gave a presentation at HispaLinux 2003 where he demonstrated the load-time performance of the official Gentoo Linux 1.4 release. Gentoo Linux 1.4 for Pentium III, with and without prelink, was compared with a default Mandrake 9.1 installation on a Pentium III. The results: Gentoo Linux 1.4 with prelink did better than Mandrake 9.1 across the board, and even without prelinking Mozilla loaded nearly twice as quickly in Gentoo, and NetBeans loaded more than twice as fast.
The conclusions we can glean from this are that the default optimizations in Gentoo Linux for Pentium III make a significant difference in "real world" application load-time performance. Also, prelinking seems to greatly improve the load time of KDE apps. Gentoo Linux is generally able to deliver better overall performance than other Linux distributions because we try to offer the latest and best free software technologies to our users, like the latest compiler toolchains, and because we ship pre-built binary packages that have been optimized for specific CPU models (and also provide an easy way for users to "build Gentoo from scratch"). For more information, read the rest of the findings. To pick up your own optimized build or release of Gentoo, visit the Gentoo Store.
2. Gentoo Security
GLSA: teapop
Description:
teapop suffers from an SQL injection in the PostgreSQL and MySQL authentication module.
- Severity: High - SQL injection, remote exploit.
- Packages Affected: <teapop-0.3.7
- Rectification: emerge sync; emerge teapop; emerge clean
- GLSA Announcement
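The advisory names only the affected module, so here is an added, illustrative example of the bug class, not teapop's code: a POP3-style username/password lookup whose SQL is built by string concatenation, run against an in-memory SQLite database standing in for the PostgreSQL/MySQL backends, next to the same lookup with bound parameters. The table and column names, the sample user, the query shape and the injected username are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample user table; schema and contents are assumptions
    standing in for whatever an authentication module would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, maildir TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES ('alice', 's3cret', '/var/mail/alice')"
    )
    conn.commit()
    return conn


def auth_vulnerable(conn, user, password):
    """Builds the statement by concatenating the POP3 USER and PASS
    arguments into the SQL text, so whatever the client sends becomes
    part of the statement. Returns the maildir on success, else None."""
    sql = (
        "SELECT maildir FROM users WHERE username = '" + user
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def auth_fixed(conn, user, password):
    """Same lookup with bound parameters: the driver passes the values
    separately from the statement, so a quote or comment marker inside
    them is plain data and cannot change the query's structure."""
    row = conn.execute(
        "SELECT maildir FROM users WHERE username = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


# Assumed attacker input: closes the quoted literal and comments out the
# rest of the WHERE clause, so the password check never runs. The
# concatenated statement becomes:
#   SELECT maildir FROM users WHERE username = 'alice' -- ' AND password = '...'
INJECTED_USER = "alice' -- "


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", auth_vulnerable(db, "alice", "s3cret"))
    print("injected  :", auth_vulnerable(db, INJECTED_USER, "wrong"))  # bypass
    print("fixed     :", auth_fixed(db, INJECTED_USER, "wrong"))       # None
```

The injected username logs in without a valid password against the concatenated query and fails against the parameterised one. When auditing a package like this, the check is mechanical: grep the authentication modules for queries assembled from request data with string operators, and replace each with a prepared statement or, where the driver offers none, with the driver's own quoting function applied to every value.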
GLSA: mpg123
Description:
mpg123 contains a heap-based buffer overflow that would allow a remote attacker to execute arbitrary code on the victim's machine.
- Severity: High - buffer overflow, remote code execution.
- Packages Affected: <0.59r-r3
- Rectification: emerge sync; emerge mpg123; emerge clean
- GLSA Announcement
GLSA: net-ftp/proftpd
Summary:
ISS X-Force discovered a vulnerability that could be triggered when a specially crafted file is uploaded to a proftpd server.
- Severity: High - ASCII File Remote Compromise Vulnerability.
- Packages Affected: <net-ftp/proftpd-1.2.9_rc2
- Rectification: emerge sync; emerge '>=net-ftp/proftpd-1.2.9_rc2'; emerge clean
- GLSA Announcement
GLSA: media-video/mplayer
Summary:
A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header.
- Severity: High - Buffer Overflow Vulnerability
- Packages Affected: <mplayer-0.91 =mplayer-1.0_pre1
- Rectification: emerge sync; emerge =media-video/mplayer-0.92; emerge clean
- GLSA Announcement
GLSA: openssl
Quote from OpenSSL advisory:
"1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6.
2. Unusual ASN.1 tag values can cause an out of bounds read under certain circumstances, resulting in a denial of service vulnerability.
3. A malformed public key in a certificate will crash the verify code if it is set to ignore public key decoding errors. Public key decode errors are not normally ignored, except for debugging purposes, so this is unlikely to affect production code. Exploitation of an affected application would result in a denial of service vulnerability.
4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This by itself is not strictly speaking a vulnerability but it does mean that *all* SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 2 and 3 even if they don't enable client authentication."
- Severity: Medium - remote exploit
- Packages Affected: <0.9.6k
- Rectification: emerge sync; emerge openssl; emerge clean
- GLSA Announcement
New Security Bug Reports
The following new security bugs were posted in the past week:
3. Featured Developer of the Week
Thomas Raschbacher
Figure 3.1: Thomas Raschbacher
This week, we are featuring Thomas Raschbacher (LordVan), the head of Gentoo's printing team and frequent contributor of fixes and ebuilds for Python and DVB. He also serves on the German translation team, including managing the translation of our beloved GWN. He primarily works on developing new ebuilds and patching old ones. In addition to his work with Gentoo, Thomas has provided translation for the Gnome project and patch work for Twisted, as well as some work on smaller projects. He is quite proud of some of the web development work he has completed using Twisted, and plans to open source it.
Thomas is a relatively old hand at Linux, having started with Slackware in 1996. He moved to Gentoo almost immediately on hearing of the project in August of 2002. Thomas became a developer for the distro in December of that year, after (as he says) "being too annoying about my ebuilds and fixes getting submitted" to Seemant Kulleen. Thomas describes Gentoo as a "damn nice distro that I wish I could do more for".
Thomas lives in Judenau-Baumgarten, Lower Austria. He has completed Technical Informatics studies at Higher Technical School as well as his Matura (equivalent to A-Levels or Matriculation). He is self-employed in computer sales consulting, including web design and Linux support. He is an avid martial artist, currently studying Ninjutsu (as well as studying Japanese). He also enjoys traditional geek fare of Star Trek, Anime and Manga. In that vein, the favorite quote he shared is from the Anime classic End of Evangelion (a conversation between the characters Shinji and Rei): "Then... where is my dream? It is the continuation of reality. Where is... my reality? It is at the end of your dream." Finally, Thomas is active in organizing and attending LAN parties.
Thomas does most of his work on a Celeron server, a development workstation and a production web server. In addition, he has a laptop, a Zaurus handheld, and an assortment of test stations and servers. His primary development tools include python, sed and grep. He communicates using mutt, MozillaFirebird, Xchat-2 and MozillaThunderbird. He is also fond of gnotime, a fully-featured time tracker. Like many of us, his first task on waking is to check his email.
4. Heard in the Community
Latter Days PHP
Back in the days of just a few thousand Forum users, triplets or even higher multiples of the same post were usually a sign of excessive trigger-happiness. These days the reason for repetitive postings (vulgo: postorrhea) is sluggish to non-forthcoming responses from the database whenever someone hits the submit button under heavy traffic conditions, and yes, multiple posts can indeed occur even if the submit button is hit only once. While the moderators of the German forum, to alleviate the burden a little, have actually started asking people to point out useless, duplicate, very old and unanswered threads that may be deleted without anyone missing them, the hardly bearable performance issues have led site admin klieber to kick off an open discussion about possible alternatives to the current forum software, phpBB, soliciting opinions about commercial packages as a potential replacement:
Portage on the Web
With stable.gentoo.org being shelved for the time being, and the package database on the main Gentoo website somewhat tight-lipped when it comes to comments and status overviews for packages, thrasher6670 had the idea to set up a semi-automated, yet interactive site keeping track of the content of the Portage tree and offering the possibility to add user impressions for each package. From what he says himself in the thread he started (repeated on the site), thrasher6670 could use some help with the web design...
Non-English GWN Via Mail
Yes, it's possible, even without mailing lists for each individual language. Thanks to Ginko for his nice little Perl script that automatically downloads, converts and mails fresh GWN copies whenever they appear at the Gentoo website:
gentoo-user
Benchmarking/Tweaking your Videocard
Want to get that last FPS out of your ATI/Nvidia video adapter? You might want to check out this interesting thread on testing and configuring AGPGART.
Lightweight FileManagers for Gentoo
Many users were attracted to Gentoo because it offered a lightweight, "only what you want" type solution for their needs. Likewise, some users enjoy the same kind of desktop. Take a look at this thread for a few suggestions.
gentoo-dev
The Great Gentoo Bug Hunt!
Don't bother looking for easter eggs at Easter; start looking for some Gentoo bugs and win some free hardware! Interested in becoming a master sleuth for Gentoo? Have a look here for the guidelines, and start squashing!
5. Gentoo International
Germany: Reminders for this Week's Events
The Frankfurt area Gentooists managed to sneak their meeting past the GWN: It was announced, held and over before we looked at the corresponding forum thread... However, this year's busiest German Gentoo week is about to start, and we would like to hammer a few reminders home to anyone in the general area at that time:
6. Portage Watch
Portage Watch is on hiatus this week.
7. Bugzilla
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 26 September 2003 and 02 October 2003, activity on the site has resulted in:
- 496 new bugs during this period
- 464 bugs closed or resolved during this period
- 13 previously closed bugs were reopened this period
Of the 4140 currently open bugs: 92 are labeled 'blocker', 196 are labeled 'critical', and 335 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs during this period are:
8. Tips and Tricks
Using qpkg
This week's tip demonstrates some basic uses of the "query package" tool (qpkg), which lets you get information about installed or uninstalled packages on your system. It can be used to find which package owns a file, to find duplicate packages, to list the files installed by a package, and more.
To get qpkg you need to install app-portage/gentoolkit.
Code Listing 8.1: Installing gentoolkit

    # emerge app-portage/gentoolkit
Now that you have qpkg installed, you can start using it to examine your system. The first example is figuring out which package owns a given file. This is done with the --find-file option (or alternatively --find-pattern).
Note: To get a complete list of packages and the versions installed on your machine, use the command qpkg --installed --verbose.
Code Listing 8.2: Finding the package that owns a file

    % qpkg --find-file /etc/crontab
    sys-apps/vcron *
    % qpkg --find-file --verbose /etc/crontab
    sys-apps/vcron-3.0.1-r1 *
    % qpkg --find-file --verbose --verbose /etc/crontab
    /var/db/pkg/sys-apps/vcron-3.0.1-r1/vcron-3.0.1-r1.ebuild
    sys-apps/vcron-3.0.1-r1 *
To list all the files a package installed, use the --list option.
Code Listing 8.3: Listing all the files installed by a package

    % qpkg --list units
    app-sci/units-1.74 *
    CONTENTS:
    /usr/bin/units
    /usr/share/doc/units-1.74
    /usr/share/doc/units-1.74/README.gz
    /usr/share/doc/units-1.74/NEWS.gz
    /usr/share/doc/units-1.74/INSTALL.gz
    /usr/share/doc/units-1.74/COPYING.gz
    /usr/share/doc/units-1.74/ChangeLog.gz
    /usr/share/man/man1/units.1.gz
    /usr/share/info/units.info.gz
    /usr/share/units/units.dat
The last example shows you how to find which packages depend on a specified package using --query-deps.
Code Listing 8.4: Finding dependencies

    % qpkg --installed --query-deps mozilla
    net-www/mozilla-1.4-r3 *
    DEPENDED ON BY:
    net-mail/evolution-1.4.3
    net-www/galeon-1.3.9
Note: Not specifying --installed causes qpkg to look inside the entire Portage tree, which is probably not what you want.
This should get you started with qpkg. For more options see qpkg --help or man 1 qpkg.
9. Moves, Adds and Changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
- Brad House (brad_mssw) -- amd64
- Joel Hillster (hillster) -- miscellaneous ebuilds
- Rob Cakebread (pythonhead) -- python
Changes
The following developers recently changed roles within the Gentoo Linux project.
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
11. GWN Feedback
Please send us your feedback and help make the GWN better.
12. GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
13. Other Languages
The Gentoo Weekly Newsletter is also available in the following languages: