Gentoo Weekly Newsletter: October 6, 2003
Gentoo Linux Performance Metrics
On 23 Sep 2003, Jose Alberto Suarez Lopez gave a presentation at HispaLinux 2003 where he demonstrated the load-time performance of the official Gentoo Linux 1.4 release. Gentoo Linux 1.4 for Pentium III, with and without prelink, were compared with a default Mandrake 9.1 installation on a Pentium III. The results - Gentoo Linux 1.4 with prelink did better than Mandrake 9.1 across the board, and even without prelinking Mozilla loaded nearly twice as quickly in Gentoo, and NetBeans loaded more than twice as fast.
The conclusions we can glean from this are that the default optimizations in Gentoo Linux for Pentium III make a significant difference in in "real world" application load-time performance. Also, prelinking seems to greatly improve the load time of KDE apps. Gentoo Linux is able to generally deliver better overall performance than other Linux distributions because we try to offer the latest and best free software technologies to our users, like the latest compiler toolchains, and because we ship pre-built binary packages that have been optimized for specific CPU models (and also provide an easy way for users to "build Gentoo from scratch." For more information, read the rest of the findings. To pick up your own optimized build or release of Gentoo, visit the Gentoo Store.
teapop suffers from a sql injection in the postgresql and mysql authentication module.
- Severity: High - sql injection, remote exploit.
- Packages Affected: <teapop-0.3.7
- Rectification: emerge sync; emerge teapop; emerge clean
- GLSA Announcement
mpg123 contains a heap based buffer overflow that would allow an remote attacker to execute arbitrary code on the victims machine.
- Severity: High - buffer overflow.
- Packages Affected: <0.59r-r3
- Rectification: emerge sync; emerge mpg123; emerge clean
- GLSA Announcement
ISS X-Force discovered a vulnerability that could be triggered when a specially crafted file is uploaded to a proftpd server.
- Severity: High - ASCII File Remote Compromise Vulnerability.
- Packages Affected: <net-ftp/proftpd-1.2.9_rc2
- Rectification: emerge sync; emerge '>=net-ftp/proftpd-1.2.9_rc2'; emerge clean
- GLSA Announcement
A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header.
- Severity: High - Buffer Overflow Vulnerability
- Packages Affected: <mplayer-0.91 =mplayer-1.0_pre1
- Rectification: emerge sync; emerge =media-video/mplayer-0.92; emerge clean
- GLSA Announcement
Quote from OpenSSL advisory:
"1. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in the deallocation of the corresponding data structure, corrupting the stack. This can be used as a denial of service attack. It is currently unknown whether this can be exploited to run malicious code. This issue does not affect OpenSSL 0.9.6.
2. Unusual ASN.1 tag values can cause an out of bounds read under certain circumstances, resulting in a denial of service vulnerability.
3. A malformed public key in a certificate will crash the verify code if it is set to ignore public key decoding errors. Public key decode errors are not normally ignored, except for debugging purposes, so this is unlikely to affect production code. Exploitation of an affected application would result in a denial of service vulnerability.
4. Due to an error in the SSL/TLS protocol handling, a server will parse a client certificate when one is not specifically requested. This by itself is not strictly speaking a vulnerability but it does mean that *all* SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 2 and 3 even if they don't enable client authentication."
- Severity: Medium - remote exploit
- Packages Affected: <0.9.6k
- Rectification: emerge sync; emerge openssl; emerge clean
- GLSA Announcement
New Security Bug Reports
The following new security bugs were posted in the past week:
Featured Developer of the Week
Figure 3.1: Thomas Raschbacher
This week, we are featuring Thomas
Raschbacher (LordVan), the head of Gentoo's printing team and
frequent contributer of fixes and ebuilds for python and DVB. He also
serves on the German translation team, including managing the
translation of our beloved GWN. He primarily works on developing new
ebuilds and patching old ones. In addition to his work with Gentoo,
Thomas has provided translation for the Gnome project and patch work
for Twisted, as well
as some work on smaller projects. He is quite proud of some of the
web development work he has completed using Twisted, and plans to open
Thomas is a relatively old hand at Linux, having started with
Slackware in 1996. He moved to Gentoo almost immediately on hearing
of the project in August of 2002. Thomas became a developer for the
distro in December of that year, after (as he says) "being too
annoying about my ebuilds and fixes getting submitted" to Seemant Kulleen. Thomas describes
Gentoo as a "damn nice distro that I wish I could do more for".
Thomas lives in Judenau-Baumgarten, Lower Austria. He has completed
Technical Informatics studies at Higher Technical School as well as
his Matura (equivalent to A-Levels or Matriculation). He is
self-employed in computer sales consulting, including web design and
Linux support. He is an avid martial artist, currently studying Ninjutsu (as well as
studying Japanese). He also enjoys traditional geek fare of Star
Trek, Anime and Manga. In that vein, the favorite quote he shared is
from the Anime classic End of Evangelion (a conversation
between the characters Shinji and Rei): "Then... where is my dream?
It is the continuation of reality. Where is... my reality? It is at
the end of your dream.". Finally, Thomas is active in organizing
and attending LAN parties.
Thomas does most of his work on a Celeron server, development
workstation and a production web server. In addition, he has a
laptop, a Zaurus handheld, and an assortment of test stations and
servers. His primary development tools include python,
sed and grep. He communicates using mutt,
MozillaFirebird, Xchat-2 and MozillaThunderbird.
He is also fond of gnotime, a fully-featured time tracker.
Like many of us, his first task on waking it to check his email.
Heard in the Community
Latter Days PHP
Back in the days of just a few thousand Forum users it used to be excessive trigger-happiness whenever triplets or even more counts of the same post appeared in the Forums. But these days the reason for repetitive postings (vulgo: postorrhea) were sluggish to non-forthcoming responses from the database whenever someone hit the submit button under heavy traffic conditions, and yes, multiple posts can indeed occur even if the submit button is hit only once. While the moderators of the German forum, to alleviate the burden a little, have actually started asking people to point out useless, duplicate, very old and unresponded threads that may be deleted without anyone missing them, the hardly bearable performance issues have led site admin klieber to kick off an open discussion about possible alternatives to the current forum software, phpBB, soliciting opinions about commercial packages as a potential replacement:
Portage on the Web
With stable.gentoo.org being shelved for the time being, and the package database on the main Gentoo website somewhat tightlipped when it comes to comments and status overviews for packages, thrasher6670 had the idea to set up a semi-automated, yet interactive site keeping track of the content of the Portage tree and offering possibilities to add user impressions for each package. From what he says himself in the thread he started (repeated on site), thrasher6670 could use some help with the web design...
Non-English GWN Via Mail
Yes, it's possible, even without mailing lists for each individual language. Thanks to Ginko for his nice little Perl script that automatically downloads, converts and mails fresh GWN copies whenever they appear at the Gentoo website:
Benchmarking/Tweaking your Videocard
Want to get that last FPS out of your ATI/Nvidia video adapter? Might want to check out this interesting thread on
testing and configuring AGPGART
Lightweight FileManagers for Gentoo
Many users were attracted to Gentoo because it offered a lightweight, "only what you want" type solution for their needs.
Likewise some users enjoy the same kind of desktop. Take a look at
for a few suggestions of some.
The Great Gentoo Bug Hunt!
Don't bother with looking for easter eggs at easter, start looking for some gentoo bugs and win some free hardware! Interested in becoming a master sleuth for gentoo? Have a look
here for the guidelines, and start squashing!
Germany: Reminders for this Week's Events
The Frankfurt area Gentooists managed to sneak their meeting past the GWN: It was announced, held and over before we looked at the corresponding forum thread... However, this year's busiest German Gentoo week is about to start, and we would like to hammer a few reminders home to anyone in the general area at that time:
Portage Watch is on hiatus this week.
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record
and track bugs, notifications, suggestions and other interactions
with the development team. Between 26 September 2003 and 02
October 2003, activity on the site has resulted in:
- 496 new bugs during this period
- 464 bugs closed or resolved during this period
- 13 previously closed bugs were reopened this period
Of the 4140 currently open bugs: 92 are labeled 'blocker', 196 are labeled 'critical', and 335 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs during this period are:
Tips and Tricks
This week's tip demonstrates some basic uses of the "query
package" (qpkg) which allows you to perform get information
about installed or uninstalled packages on your system. It can be used to
find package ownership of files, to find duplicate packages, to list the
files installed by a package, and more.
To get qpkg you need to install app-portage/gentoolkit.
Code Listing 8.1: Installing gentoolkit
# emerge app-portage/gentoolkit
Now that you have qpkg installed, you can start using it to examine
your system. The first example is figuring out which package owns which
file. This is done with the --find-file (or alternatively
To get a complete list of packages and the version installed on your
machine use the command qpkg --installed --verbose.
Code Listing 8.2: Finding the package that owns a file
% qpkg --find-file /etc/crontab
% qpkg --find-file --verbose /etc/crontab
% qpkg --find-file --verbose --verbose /etc/crontab
To list all the files a package installed, use the --list
Code Listing 8.3: Listing all the files installed by a package
% qpkg --list units
The last example shows you how to find which packages depend on a
specified package using --query-deps.
Code Listing 8.4: Finding dependencies
% qpkg --installed --query-deps mozilla
DEPENDED ON BY:
Not specifying --installed causes qpkg to look inside the
entire Portage tree which is probably not what you want.
This should get you started with qpkg. For more options see qpkg
--help or man 1 qpkg.
Moves, Adds and Changes
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo Linux team:
- Brad House (brad_mssw) -- amd64
- Joel Hillster (hillster) -- miscellanious ebuilds
- Rob Cakebread (pythonhead) -- python
The following developers recently changed roles within the Gentoo Linux project.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make the GWN better.
GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to firstname.lastname@example.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to email@example.com from the email address you are subscribed under.
The Gentoo Weekly Newsletter is also available in the following languages: