Gentoo Weekly Newsletter: December 8th, 2003
We're very pleased to announce the launch of three major efforts: Gentoo Linux 2004, Portage-ng
and catalyst. Starting with the next release of Gentoo Linux (Gentoo Linux
2004,) Gentoo Linux will move to a quarterly release schedule. More info is
available in the Roadmap for Gentoo Linux
In addition, we're pleased to announce the start of development on
"portage-ng," the successor to the ever-popular portage package manager. Learn
more at our Portage project page and our
specification document for Portage-ng development. Portage-ng will be a
true community effort, and we encourage you to get involved.
And then there's catalyst. Starting with Gentoo Linux 2004, all
releases (including LiveCDs) will be fully user-rebuildable using our new catalyst
build technology. Using catalyst, Gentoo users will be able to easily create
their own customized Gentoo releases, LiveCDs, GameCDs -- you name it. The
development version of catalyst supports building stages and GRP sets on
AMD64 (both 64-bit and 32-bit x86), x86 and PowerPC. LiveCD/GameCD building
will be released by the end of the year. Keep up-to-date on catalyst by
visiting our (currently sparse) catalyst
project pages. Enjoy!
Gentoo rsync.gentoo.org server compromised
On 2 December at approximately 03:45 UTC, one of the servers that makes
up the rsync.gentoo.org rotation was compromised, possibly via a remotely
exploitable rsync buffer overflow. Please also be sure to read GLSA-200312-02
and upgrade to kernels without the brk vulnerability.
The compromised system had both an IDS and a file integrity
checker installed and we have a very detailed forensic trail of what
happened once the box was breached, so we are reasonably confident that the
portage tree stored on the box was unaffected. This box has been
removed from all rsync.*.gentoo.org rotations and will remain so until
forensic analysis has been completed and it has been wiped and rebuilt.
For more details, see the
In regards to the hard work involved in logging, tracking down and fixing
this rsync vulnerability, Gentoo would like to extend thanks to Andrea
Barisani, Nedd Ludd, Kurt Lieber, and Corey Shields (of the Gentoo
Infrastructure team,) Michael Warfield and the ISS team, and the rsync development team for
handling the recent issues. A special thanks goes to Dave Monnier, Lead
Security Engineer for the Information Technology Security Office of Indiana
University, and his team, for their assistance as well.
'emerge rsync' etiquette
Over recent weeks we have noticed an increase in the number of connection
attempts people make to the rsync servers per day. Because rsync is quite
intensive on the server (both for CPU and disk access), syncing many times
a day wastes a lot of resources apart from bandwidth; during the time it's
processing such a request it could be serving someone else with a greater
number of changes in their portage tree.
As such, we request that people endeavour to run `emerge sync' at most once
or twice a day; if you have several machines in a LAN, then set up a local
rsync mirror updating from `rsync.gentoo.org' instead of targetting any
We reserve the right to monitor users' connection-rates in order to
preserve server performance.
More praise: Linux Journal
This week Gentoo Linux has received praise from another Linux periodical: Linux Journal. In their review of Gentoo, they say that "In addition to endless customization possibilities and performance improvements, Gentoo offers solid documentation and a strong community support base".
Featured Developer of the Week
Figure 2.1: Arcady Genkin
Our featured developer this week is Arcady Genkin (agenkin), who helps
maintain many of the sound and video ebuilds in portage, notably
alsa-drivers and xine. His primary duties are
implementing bug fixes and ensuring that ebuild packages remain
current. He has significant experience as an Open-Source developer,
having been a core developer on the Squirrelmail project and the
primary author of the nhmon tool
for simultaneous monitoring of a large number of hosts.
Currently residing in downtown Toronto, Canada, Arcady is originally
from St. Petersburg, Russia. He is a graduate of the Engineering
School of Electronics in St. Petersburg, where he studied production
of micro-electronic devices and technical translation. He also has a
Honours Bachelor of Science in Computer Science from the University of
Toronto. He works as a Systems Programmer/Administrator for the
Department of Computer Science at the University of Toronto. The job
primarily comprises programming various tools for automating systems
administration and instructional assistance for Computer Science
courses. According to Arcady, it is "the perfect mix of programming
tasks, ranging from C, Python, Perl and PHP programming to keeping
mail, DNS, web servers running to installing new software".
Arcady's home environment contains six computers: a FreeBSD
firewall/server, two workstations (his is the Gentoo one, we won't
talk about his girlfriend's), a gentoo-based diskless multimedia
station, and two notebooks (his runs Debian). At work, he has some
responsibility for about 200 workstations, 50 Sun Sparc Ultra5 and
Ultra10 X terminals, and a double-handful of servers. His workstation
runs Gentoo. He is a KDE user (largely because of the reliable
keyboard switching between Cyrillic and Latin). He launches XMMS and Tkabber at startup, and does
much of his work in XEmacs.
Arcady enjoys hiking, skiing, watching movies, music and reading. He
is currently learning French and reading Words by Sartre. He
is fond enough of one of e.e. cummings poems to include it in his
.sig: guilt is the cause of more disauders; than history's most
obscene marorders. When asked about Gentoo, he told us that
"Gentoo Linux can be a very convenient tool in experienced hands; its
main advantage is that it is very customizable: it is extremely easy
to add new packages to it, or modify existing ones, including the
packages of the base system".
GLSA: rsync.gentoo.org rotation server compromised
On December 2nd at approximately 03:45 UTC, one of the servers that makes up
the rsync.gentoo.org rotation was compromised via a remote exploit. At this
point, we are still performing forensic analysis. However, the compromised
system had both an IDS and a file integrity checker installed and we have a
very detailed forensic trail of what happened once the box was breached, so
we are reasonably confident that the portage tree stored on that box
The attacker appears to have installed a rootkit and modified/deleted some
files to cover their tracks, but left the server otherwise untouched. The box
was in a compromised state for approximately one hour before it was
discovered and shut down. During this time, approximately 20 users
synchronized against the portage mirror stored on this box. The method used
to gain access to the box remotely is still under investigation. We will
release more details once we have ascertained the cause of the remote
This box is not an official Gentoo infrastructure box and is instead donated
by a sponsor. The box provides other services as well and the sponsor has
requested that we not publicly identify the box at this time. Because the
Gentoo part of this box appears to be unaffected by this exploit, we are
currently honoring the sponsor's request. That said, if at any point, we
determine that any file in the portage tree was modified in any way, we will
release full details about the compromised server.
Lack of proper bounds checking exists in the do_brk() kernel function in
Linux kernels prior to 2.4.23. This bug can be used to give a userland
program or malicious service access to the full kernel address space and
gain root privileges. This issue is known to be exploitable.
All kernel ebuilds in Portage have been bumped or patched and do not contain
this vulnerability. The following is a list of recommended kernels.
- Severity: High
- Packages Affected: <2.4.22
emerge -pv [your preferred kernel sources];
emerge [your preferred kernel sources];
[update the /usr/src/linux symlink];
[compile and install your new kernel];
[emerge any necessary kernel module ebuilds];
- GLSA Announcement
GLSA: exploitable overflow in rsync
Rsync version 2.5.6 contains a vulnerability that can be used to run
arbitrary code. The Gentoo infrastructure team has some reasonably good
forensic evidence that this exploit may have been used in combination with
the Linux kernel brk vulnerability (see GLSA 200312-02) to exploit a
rsync.gentoo.org rotation server (see GLSA-200312-01.)
Please see http://lwn.net/Articles/61541/ for the security advisory released
by the rsync development team.
- Severity: High
- Packages Affected: <2.5.6
- Rectification: emerge sync; emerge >=net-misc/rsync-2.5.7
- GLSA Announcement
New Security Bug Reports
The following new security bugs were posted this week:
Heard in the Community
Compromised Rsync Forum Fallout
Well, yes, of course, the unfortunate attack on one of the servers in Gentoo's community-driven rsync round-robin server structure had its repercussions on the forums, too. Quick overview of the more eminent threads covering this mishap and the way it was dealt with:
Growing demand for the unstable Gimp 1.3 development series has led to a number of threads last week, half of which ended up in the dups bin... Information on how to build the new Gimp, what works and what doesn't (the SANE scanner plugin, sadly, appears to be broken):
Frustrated with his Bash terminal window wrapping long lines of
text into the same line, list member Helder asked for help.
for a great tip for keeping your terminal session updated on how large
your text console or window size is.
More CFLAGS benchmarking
In the latest mailing list CFLAGS thread, the -O parameter
is discussed. Check out what some other users thought as well
as some test results
Kernel modules rebuilder.
Whenever you upgrade your kernel, there are always some packages that need rebuilding. Well here is a handy little program that finds all those packages for you, and rebuilds them for you as well! Also in the replies are some other options to do similar things.
Italy: Gentoo Day 29 November 2003
All too quietly, the Italian Linux Day in Venice organised by the Venezia Free Software Users Group passed us by on Saturday 29 November, particularly embarrassing because the GECHI (an acronym for "Gentoo CHannel Italy" also meaning "gecco" in Italian) hijacked the occasion to organise their first Gentoo Day! Gilberto de Faveri aka MyZelF held a presentation about Gentoo Linux, and the foto album illustrates some other things that happened in the course of the event. Now, had they wanted an announcement of the event before the scheduled date, they'd surely would have told us, wouldn't they...
Germany: Yet Another Oberhausen GLUM
Gentoo Linux User Meetings (GLUMs) seem to be particularly popular in Germany. Gentooists in Oberhausen, the unofficial heart of the Ruhrgebiet region, have scheduled a follow-up meeting to their first gathering two months ago, to be held at Gasthof Harlos in Oberhausen on 10 December 2003. Details are to be had via a mailing list (firstname.lastname@example.org, subscribe by sending a message to gentoo-treffen-subscribe at the same TLD) or via this Forum thread.
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 28 November 2003 and 04 December 2003, activity
on the site has resulted in:
- 429 new bugs during this period
- 215 bugs closed or resolved during this period
- 13 previously closed bugs were reopened this period
Of the 4328 currently open bugs: 91 are labeled 'blocker', 183 are labeled 'critical', and 321 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs during this period are:
Tips and Tricks
Backup up files with tar
This weeks tip demonstrates a quick way to back up files using
One of the options for tar is -T which allows you
to specify which files should go in the tar archive. So, create a
file named backup.confand list all files or
directories you want backed up in this file (one per line). Then
run tar and specify -T backup.conf.
Code Listing 7.1: backup.conf
# cat >> /etc/backup.conf
Now use tar to create a backup archive of your files.
Code Listing 7.2: tar -T
# tar -cjf backup-`date +%Y-%m-%d`.tar.bz2` -T /etc/backup.conf
This will archive your files in a file named
backup-YYYY-MM-DD.tar.bz2 (where YYYY is the year, MM
is the month, and DD is the day).
Note: You could also specify an absolute path such as
/backups/backup-`date +%Y-%m-%d.tar.bz` and run the command
as a script from cron on a recurring basis.
Moves, Adds, and Changes
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo Linux team:
The following developers recently changed roles within the Gentoo Linux project:
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make the GWN better.
GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to email@example.com.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to firstname.lastname@example.org from the email address you are subscribed under.
The Gentoo Weekly Newsletter is also available in the following languages: