Gentoo Weekly Newsletter: October 6, 2003

Content:

1.  Gentoo News

Gentoo Linux Performance Metrics

On 23 Sep 2003, Jose Alberto Suarez Lopez gave a presentation at HispaLinux 2003 where he demonstrated the load-time performance of the official Gentoo Linux 1.4 release. Gentoo Linux 1.4 for Pentium III, with and without prelink, was compared with a default Mandrake 9.1 installation on a Pentium III. The results: Gentoo Linux 1.4 with prelink did better than Mandrake 9.1 across the board, and even without prelinking, Mozilla loaded nearly twice as quickly in Gentoo and NetBeans loaded more than twice as fast.

The conclusions we can glean from this are that the default optimizations in Gentoo Linux for Pentium III make a significant difference in "real world" application load-time performance. Also, prelinking seems to greatly improve the load time of KDE apps. Gentoo Linux is able to generally deliver better overall performance than other Linux distributions because we try to offer the latest and best free software technologies to our users, like the latest compiler toolchains, and because we ship pre-built binary packages that have been optimized for specific CPU models (and also provide an easy way for users to "build Gentoo from scratch"). For more information, read the rest of the findings. To pick up your own optimized build or release of Gentoo, visit the Gentoo Store.

2.  Gentoo Security

GLSA: teapop

Description:

teapop suffers from an SQL injection vulnerability in its PostgreSQL and MySQL authentication modules.

  • Severity: High - SQL injection, remote exploit.
  • Packages Affected: <teapop-0.3.7
  • Rectification: emerge sync; emerge teapop; emerge clean
  • GLSA Announcement

GLSA: mpg123

Description:

mpg123 contains a heap-based buffer overflow that would allow a remote attacker to execute arbitrary code on the victim's machine.

  • Severity: High - buffer overflow.
  • Packages Affected: <0.59r-r3
  • Rectification: emerge sync; emerge mpg123; emerge clean
  • GLSA Announcement

GLSA: net-ftp/proftpd

Summary:

ISS X-Force discovered a vulnerability that could be triggered when a specially crafted file is uploaded to a proftpd server.

  • Severity: High - ASCII File Remote Compromise Vulnerability.
  • Packages Affected: <net-ftp/proftpd-1.2.9_rc2
  • Rectification: emerge sync; emerge '>=net-ftp/proftpd-1.2.9_rc2'; emerge clean
  • GLSA Announcement

GLSA: media-video/mplayer

Summary:

A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header.

  • Severity: High - Buffer Overflow Vulnerability
  • Packages Affected: <mplayer-0.91 =mplayer-1.0_pre1
  • Rectification: emerge sync; emerge =media-video/mplayer-0.92; emerge clean
  • GLSA Announcement

GLSA: openssl

Quote from OpenSSL advisory:

"1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code if it is set to ignore public key decoding errors. Public key decode errors are not normally ignored, except for debugging purposes, so this is unlikely to affect production code. Exploitation of an affected application would result in a denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This by itself is not strictly speaking a vulnerability but it does mean that *all* SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 2 and 3 even if they don't enable client authentication."

  • Severity: Medium - remote exploit
  • Packages Affected: <0.9.6k
  • Rectification: emerge sync; emerge openssl; emerge clean
  • GLSA Announcement

New Security Bug Reports

The following new security bugs were posted in the past week:

3.  Featured Developer of the Week

Thomas Raschbacher


Figure 3.1: Thomas Raschbacher

This week, we are featuring Thomas Raschbacher (LordVan), the head of Gentoo's printing team and frequent contributor of fixes and ebuilds for python and DVB. He also serves on the German translation team, including managing the translation of our beloved GWN. He primarily works on developing new ebuilds and patching old ones. In addition to his work with Gentoo, Thomas has provided translation for the Gnome project and patch work for Twisted, as well as some work on smaller projects. He is quite proud of some of the web development work he has completed using Twisted, and plans to open source it.

Thomas is a relatively old hand at Linux, having started with Slackware in 1996. He moved to Gentoo almost immediately on hearing of the project in August of 2002. Thomas became a developer for the distro in December of that year, after (as he says) "being too annoying about my ebuilds and fixes getting submitted" to Seemant Kulleen. Thomas describes Gentoo as a "damn nice distro that I wish I could do more for".

Thomas lives in Judenau-Baumgarten, Lower Austria. He has completed Technical Informatics studies at Higher Technical School as well as his Matura (equivalent to A-Levels or Matriculation). He is self-employed in computer sales consulting, including web design and Linux support. He is an avid martial artist, currently studying Ninjutsu (as well as studying Japanese). He also enjoys traditional geek fare of Star Trek, Anime and Manga. In that vein, the favorite quote he shared is from the Anime classic End of Evangelion (a conversation between the characters Shinji and Rei): "Then... where is my dream? It is the continuation of reality. Where is... my reality? It is at the end of your dream." Finally, Thomas is active in organizing and attending LAN parties.

Thomas does most of his work on a Celeron server, development workstation and a production web server. In addition, he has a laptop, a Zaurus handheld, and an assortment of test stations and servers. His primary development tools include python, sed and grep. He communicates using mutt, MozillaFirebird, Xchat-2 and MozillaThunderbird. He is also fond of gnotime, a fully-featured time tracker. Like many of us, his first task on waking is to check his email.

4.  Heard in the Community

Latter Days PHP

Back in the days of just a few thousand Forum users, it used to be excessive trigger-happiness whenever triplets or even more copies of the same post appeared in the Forums. But these days the reason for repetitive postings (vulgo: postorrhea) is sluggish to non-forthcoming responses from the database whenever someone hits the submit button under heavy traffic conditions, and yes, multiple posts can indeed occur even if the submit button is hit only once. While the moderators of the German forum, to alleviate the burden a little, have actually started asking people to point out useless, duplicate, very old and unanswered threads that may be deleted without anyone missing them, the hardly bearable performance issues have led site admin klieber to kick off an open discussion about possible alternatives to the current forum software, phpBB, soliciting opinions about commercial packages as a potential replacement:

Portage on the Web

With stable.gentoo.org being shelved for the time being, and the package database on the main Gentoo website somewhat tightlipped when it comes to comments and status overviews for packages, thrasher6670 had the idea to set up a semi-automated, yet interactive site keeping track of the content of the Portage tree and offering possibilities to add user impressions for each package. From what he says himself in the thread he started (repeated on site), thrasher6670 could use some help with the web design...

Non-English GWN Via Mail

Yes, it's possible, even without mailing lists for each individual language. Thanks to Ginko for his nice little Perl script that automatically downloads, converts and mails fresh GWN copies whenever they appear at the Gentoo website:

gentoo-user

Benchmarking/Tweaking your Videocard

Want to get that last FPS out of your ATI/Nvidia video adapter? You might want to check out this interesting thread on testing and configuring AGPGART.

Lightweight FileManagers for Gentoo

Many users were attracted to Gentoo because it offered a lightweight, "only what you want" type solution for their needs. Likewise, some users enjoy the same kind of desktop. Take a look at this thread for a few suggestions.

gentoo-dev

The Great Gentoo Bug Hunt!

Don't bother with looking for Easter eggs at Easter; start looking for some Gentoo bugs and win some free hardware! Interested in becoming a master sleuth for Gentoo? Have a look here for the guidelines, and start squashing!

5.  Gentoo International

Germany: Reminders for this Week's Events

The Frankfurt area Gentooists managed to sneak their meeting past the GWN: It was announced, held and over before we looked at the corresponding forum thread... However, this year's busiest German Gentoo week is about to start, and we would like to hammer a few reminders home to anyone in the general area at that time:

6.  Portage Watch

Portage Watch is on hiatus this week.

7.  Bugzilla

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 26 September 2003 and 02 October 2003, activity on the site has resulted in:

  • 496 new bugs during this period
  • 464 bugs closed or resolved during this period
  • 13 previously closed bugs were reopened this period

Of the 4140 currently open bugs: 92 are labeled 'blocker', 196 are labeled 'critical', and 335 are labeled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs during this period are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs during this period are:

8.  Tips and Tricks

Using qpkg

This week's tip demonstrates some basic uses of the "query package" tool (qpkg), which allows you to get information about installed or uninstalled packages on your system. It can be used to find package ownership of files, to find duplicate packages, to list the files installed by a package, and more.

To get qpkg you need to install app-portage/gentoolkit.

Code Listing 8.1: Installing gentoolkit

# emerge app-portage/gentoolkit
  

Now that you have qpkg installed, you can start using it to examine your system. The first example is figuring out which package owns which file. This is done with the --find-file (or alternatively --find-pattern) option.

Note: To get a complete list of packages and the version installed on your machine use the command qpkg --installed --verbose.

Code Listing 8.2: Finding the package that owns a file

(Which package owns /etc/crontab?)
% qpkg --find-file /etc/crontab
sys-apps/vcron *

(What version of vcron? (--verbose))
% qpkg --find-file --verbose /etc/crontab
sys-apps/vcron-3.0.1-r1 *

(Where's the ebuild for this file? (--verbose --verbose))
% qpkg --find-file --verbose --verbose /etc/crontab
   /var/db/pkg/sys-apps/vcron-3.0.1-r1/vcron-3.0.1-r1.ebuild
sys-apps/vcron-3.0.1-r1 *
  

To list all the files a package installed, use the --list option.

Code Listing 8.3: Listing all the files installed by a package

% qpkg --list units
(Directories were snipped for brevity)
app-sci/units-1.74 *
CONTENTS:
/usr/bin/units
/usr/share/doc/units-1.74
/usr/share/doc/units-1.74/README.gz
/usr/share/doc/units-1.74/NEWS.gz
/usr/share/doc/units-1.74/INSTALL.gz
/usr/share/doc/units-1.74/COPYING.gz
/usr/share/doc/units-1.74/ChangeLog.gz
/usr/share/man/man1/units.1.gz
/usr/share/info/units.info.gz
/usr/share/units/units.dat
  

The last example shows you how to find which packages depend on a specified package using --query-deps.

Code Listing 8.4: Finding dependencies

% qpkg --installed --query-deps mozilla
net-www/mozilla-1.4-r3 *
DEPENDED ON BY:
        net-mail/evolution-1.4.3
        net-www/galeon-1.3.9

Note: Not specifying --installed causes qpkg to look inside the entire Portage tree which is probably not what you want.

This should get you started with qpkg. For more options see qpkg --help or man 1 qpkg.
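As an added example (not part of the original newsletter or of gentoolkit), the following Python code takes output in the shape of qpkg --installed --verbose and flags installed packages that fall within the "Packages Affected" ranges from this issue's Gentoo Security section. The version ordering is a simplified stand-in for Portage's own comparison, matching by package name only is an assumption, and the sample output is constructed.

```python
import re

# Affected ranges copied from the "Packages Affected" lines of this newsletter.
# Matching is by package name only (assumption: not every entry gives a category).
AFFECTED = [
    ("teapop", "<", "0.3.7"), ("mpg123", "<", "0.59r-r3"),
    ("proftpd", "<", "1.2.9_rc2"), ("mplayer", "<", "0.91"),
    ("mplayer", "=", "1.0_pre1"), ("openssl", "<", "0.9.6k"),
]

CPV_RE = re.compile(r"^(?:[^/\s]+/)?(.+?)-(\d[^-\s]*(?:-r\d+)?)$")
VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}

def version_key(version):
    """Simplified ordering key for Gentoo-style versions (not Portage's own code)."""
    m = VER_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums, letter, suffix, suffix_num, rev = m.groups()
    return (tuple(int(n) for n in nums.split(".")), letter,
            SUFFIX_RANK[suffix], int(suffix_num or 0), int(rev or 0))

def find_affected(qpkg_output):
    """Return the installed category/name-version entries that fall in AFFECTED."""
    hits = []
    for line in qpkg_output.splitlines():
        fields = line.split()
        m = CPV_RE.match(fields[0]) if fields else None
        rules = [(op, b) for n, op, b in AFFECTED if m and n == m.group(1)]
        if not rules:
            continue  # not a package line, or package not named in this week's GLSAs
        installed = version_key(m.group(2))
        if any(installed < version_key(b) if op == "<" else installed == version_key(b)
               for op, b in rules):
            hits.append(fields[0])
    return hits

# Constructed sample in the "category/name-version *" shape of the listings above.
SAMPLE = """\
net-mail/teapop-0.3.7 *
media-sound/mpg123-0.59r-r2 *
net-ftp/proftpd-1.2.9_rc1 *
media-video/mplayer-1.0_pre1 *
dev-libs/openssl-0.9.6k *
sys-apps/vcron-3.0.1-r1 *
"""

if __name__ == "__main__":
    print("\n".join(find_affected(SAMPLE)))
```

Packages already at the fixed version (teapop 0.3.7 and openssl 0.9.6k in the sample) are not reported, because the advisories use strict "less than" bounds.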

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week

Adds

The following developers recently joined the Gentoo Linux team:

  • Brad House (brad_mssw) -- amd64
  • Joel Hillster (hillster) -- miscellaneous ebuilds
  • Rob Cakebread (pythonhead) -- python

Changes

The following developers recently changed roles within the Gentoo Linux project.

  • none this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make the GWN better.

12.  GWN Subscription Information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

13.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:



Page updated 6 October 2003

Summary: This is the Gentoo Weekly Newsletter for the week of October 6th, 2003.

Yuji Carlos Kosugi
Editor

AJ Armstrong
Contributor

Brian Downey
Contributor

Cal Evans
Contributor

Chris Gavin
Contributor

Luke Giuliani
Contributor

Shawn Jonnet
Contributor

Michael Kohl
Contributor

Kurt Lieber
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Gerald J Normandin Jr.
Contributor

Ulrich Plate
Contributor

Mathy Vanvoorden
Dutch Translation

Hendrik Eeckhaut
Dutch Translation

Jorn Eilander
Dutch Translation

Bernard Kerckenaere
Dutch Translation

Peter ter Borg
Dutch Translation

Jochen Maes
Dutch Translation

Roderick Goessen
Dutch Translation

Gerard van den Berg
Dutch Translation

Matthieu Montaudouin
French Translation

Martin Prieto
French Translation

Antoine Raillon
French Translation

Sebastien Cevey
French Translation

Jean-Christophe Choisy
French Translation

Thomas Raschbacher
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Lukas Domagala
German Translation

Tobias Scherbaum
German Translation

Daniel Gerholdt
German Translation

Marc Herren
German Translation

Tobias Matzat
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Christian Apolloni
Italian Translation

Stefano Lucidi
Italian Translation

Yoshiaki Hagihara
Japanese Translation

Katsuyuki Konno
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Yasunori Fukudome
Japanese Translation

Takashi Ota
Japanese Translation

Radoslaw Janeczko
Polish Translation

Lukasz Strzygowski
Polish Translation

Michal Drobek
Polish Translation

Adam Lyjak
Polish Translation

Krzysztof Klimonda
Polish Translation

Atila "Jedi" Bohlke Vasconcelos
Portuguese (Brazil) Translation

Eduardo Belloti
Portuguese (Brazil) Translation

João Rafael Moraes Nicola
Portuguese (Brazil) Translation

Marcelo Gonçalves de Azambuja
Portuguese (Brazil) Translation

Otavio Rodolfo Piske
Portuguese (Brazil) Translation

Pablo N. Hess -- NatuNobilis
Portuguese (Brazil) Translation

Pedro de Medeiros
Portuguese (Brazil) Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Gustavo Felisberto
Portuguese (Portugal) Translation

José Costa
Portuguese (Portugal) Translation

Luis Medina
Portuguese (Portugal) Translation

Ricardo Loureiro
Portuguese (Portugal) Translation

Sergey Galkin
Russian Translator

Sergey Kuleshov
Russian Translator

Alex Spirin
Russian Translator

Dmitry Suzdalev
Russian Translator

Anton Vorovatov
Russian Translator

Denis Zaletov
Russian Translator

Lanark
Spanish Translation

Fernando J. Pereda
Spanish Translation

Lluis Peinado Cifuentes
Spanish Translation

Zephryn Xirdal T
Spanish Translation

Guillermo Juarez
Spanish Translation

Jesús García Crespo
Spanish Translation

Carlos Castillo
Spanish Translation

Julio Castillo
Spanish Translation

Sergio Gómez
Spanish Translation

Aycan Irican
Turkish Translation

Bugra Cakir
Turkish Translation

Cagil Seker
Turkish Translation

Emre Kazdagli
Turkish Translation

Evrim Ulu
Turkish Translation

Gursel Kaynak
Turkish Translation

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.