Gentoo Weekly Newsletter: December 15th, 2003

1.  Gentoo News

Summary

• Gentoo Managers' Meeting Summary: 1 Dec. 2003

The summary and log for the Gentoo Managers' Meeting held on December 1 have been posted to the Gentoo Managers' Meetings page. At this meeting, a new release naming scheme for Gentoo, a status update on GLEP 14, and automatic acceptance of licenses was discussed.

Under the new release naming scheme, outlined on the Release Engineering page and accepted unanimously by the managers, the naming scheme will be "2004.1" for the first release of next year.

GLEP 14 is designed to "check a Gentoo system for identified security holes or auto-apply security fixes." Developer Marius Mauch outlined the progress of its implementation: the DTD needs to be finalized, a website with GLSAs using an XSL stylesheet is complete but lacks an index and is not online, and a QT tool to aide the writing of GLSAs is being written. (Update: the DTD has been rewritten completely, which will delay everything by a few weeks.) Also, inclusion in Portage will have to wait until the ability to sign files is implemented.

Lastly, in response to the many threads in gentoo-dev requesting the ability to arbitrarily accept certain licenses, a make.conf variable called ACCEPT_LICENSES similar to ACCEPT_KEYWORDS is being planned. Since this will require a change to Portage, a GLEP will be written to outline the design philosophy and implementation details.

2.  Featured Developer of the Week

Robin Hugh Johnson

Figure 2.1: Robin Hugh Johnson

This week's featured developer is Robin Hugh Johnson (robbat2), the primary maintainer for Gentoo's PHP and QMail packages (among others), as well as one of the CVS administrators and a lead for developing a Web Application installer, as specified in GLEP 11. He has been a Linux user since 1997, cycling through Redhat and other distros before settling in with Slackware in 1999. He tried Gentoo in late 2002 and very soon thereafter converted all of his boxen over to the new distro.

Robin became a developer by way of his annoyance with USE flags and their tracking. He put together some scripts for managing them more efficiently and posted them to bugzilla. The end result were some proposed changes to ufed and an invitation to Robin to become a developer to implement them. His responsibilities have steadily increased since then. Robin is no newcomer to open source development - he was a core contributor to the phpMyAdmin project, where he wrote the entire parser and query coloring/syntax highlighting system.

Robin is a former native of Durban, South Africa who is currently living and working just outside Vancouver, Canada. A former professional Systems Administrator, he is now employed as a part-time Zope and Linux consultant while he attends school at the former Technical University of British Columbia (now Simon Fraser University - Surrey). He currently shares his home with his parents and an even dozen computers. He frequently finds himself working from Windows, with several PuTTY windows and Cygwin/X running. The first application he launches in Linux is GKrellM. In Windows, it is WinAmp. He is also fond of Vim, CVS and IntelliJ IDEA. He uses FluxBox for a WM and mutt for mail.

When Robin isn't at a computer, he is usually reading, cycling or spending time with his fiance - he directs us to the gentoo-dev fortunes for more information on the latter. He offered a statement by the venerable Don Knuth as a favorite quote: "Beware of bugs in the above code; I have only proved it correct, not tried it." Robin also told us that Gentoo is "not for those that can't read documentation!", and encourages people to check the docs twice before asking a dev - Gentoo's documentation is one of its strengths.

3.  Gentoo Security

Summary

• GLSA: cvs
• GLSA: gnupg

GLSA: cvs

Quote from http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84:

Stable CVS 1.11.10 has been released. Stable releases contain only bug fixes from previous versions of CVS. This release fixes a security issue with no known exploits that could cause previous versions of CVS to attempt to create files and directories in the filesystem root. This release also fixes several issues relevant to case insensitive filesystems and some other bugs. We recommend this upgrade for all CVS clients and servers!"

• Severity: Minimal
• Packages Affected: <=1.11.9
• Rectification: emerge sync; emerge -pv '>=dev-util/cvs-1.11.10'; emerge '>=dev-util/cvs-1.11.10'; emerge clean
• GLSA Announcement

GLSA: gnupg

Two flaws have been found in GnuPG 1.2.3.

First, ElGamal signing keys can be compromised. These keys are not commonly used. Quote from http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html:

"Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."

Second, there is a format string flaw in the 'gpgkeys_hkp' utility which "would allow a malicious keyserver in the worst case to execute an arbitrary code on the user's machine." See the advisory for details.

• Severity: Minimal
• Packages Affected: <1.2.3-r4
• Rectification: emerge sync; emerge -pv '>=app-crypt/gnupg-1.2.3-r5'; emerge '>=app-crypt/gnupg-1.2.3-r5'; emerge clean;
• GLSA Announcement

New Security Bug Reports

The following new security bugs were posted this week:

• Trusted Platform Modules
• sec-policy/selinux-base-policy

4.  Heard in the Community

ALSA and the 2.6 Kernels

One of those threads that have been lingering for months, went stale at times, only to be revived by latecomers with similar problems, slowly growing more and more interesting, and finally becoming an almost encompassing solution provider for anything that might go wrong with sound in 2.6.0-beta kernels:

• ALSA & 2.6 kernel mini HOW-TO?

USB Automounter

Genotix was tired of manually mounting the filesystems on removable media. So he went and wrote his own script to automatically access a USB flash memory stick, and donated it to the Gentoo Forums:

• USB Stick Automounter>

gentoo-user

Gentoo Kernel Issues

This week a few users reported USB problems with the 2.4.20-gentoo-r9 kernel. A bug was filed in Bugzilla, and you might want to read the thread if you've experienced problems.

Sound File Compression

One of the more interesting posts this week involved testing the compression levels of some different audio compression codecs, like ogg, mp3, and interestingly, bz2. Some good reading, as well as insight on how sound compression works. Check it out.

Planning on Failure

When you have a Dad, a Gentoo Linux PC, and 350 miles between you and them, how do you ensure reliability? Mark Knecht presented this intriguing question and got plenty of useful suggestions that could be helpful in administrating any remote Gentoo system.

gentoo-dev

Free Source, Open Source and FLOSS.

Always thought that these two things meant the same thing? Well think again. Here's a thread dealing with some of the issues around open source and free software, including some interesting differences. It was all started off by a proposal around enhancing the security of open source projects.

Moving of CFLAGS.

Where CFLAGS have traditionally been found in make.conf, this post proposes moving them to individual ebuilds. Sounds like a lot of effort? Well maybe it is, but have a look at the rationale before you decide.

5.  Gentoo International

Hungary: New Gentoo User Group Effort

MaGenTa (Magyar Gentoo Tal?lkahelyan), a clever acronym for "Hungarian Gentoo Meeting Point", is the name of an endeavour to set up an active Hungarian Gentoo user portal with facts, FAQs and forae. Initiated by Thomas Ferencz (who is doubling as the lead translator for the new Hungarian documentation section at the main Gentoo website), the MaGenTa group has been set up last summer, and slowly built up to currently 60 registered users, and growing... If you're Hungarian is up to the task, go and join the Magyars at the website, or at their IRC channel #gentoo-hu on freenode.net..

6.  Bugzilla

Summary

• Statistics
• Closed Bug Ranking
• New Bug Rankings

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 05 December 2003 and 11 December 2003, activity on the site has resulted in:

• 458 new bugs during this period
• 306 bugs closed or resolved during this period
• 9 previously closed bugs were reopened this period

Of the 4283 currently open bugs: 91 are labeled 'blocker', 178 are labeled 'critical', and 308 are labeled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs during this period are:

• Gentoo KDE team, with 15 closed bugs
• Gentoo Linux Gnome Desktop Team, with 14 closed bugs
• Mirror Admins, with 10 closed bugs
• Sven Vermeulen, with 9 closed bugs
• Gentoo Games, with 9 closed bugs

New Bug Rankings

The developers and teams who have been assigned the most new bugs during this period are:

• Core System Packages Team, with 13 new bugs
• x86-Kernel Team, with 11 new bugs
• Gentoo KDE team, with 11 new bugs
• media-gfx Herd, with 11 new bugs
• Portage Team, with 11 new bugs

7.  Tips and Tricks

Tips for 'ls'

This week's tip demonstrates some useful variations of one of the most common commands in a linux system: ls.

Use '-s' to print the file size and '-S' to sort by file size.

(add -r to print in reverse)
# ls -sSh
    

Use '-t' and '--time-style=long-iso' to print files sorted by modification time in a standard output format.

# ls -lgot --time-style=long-iso
    

Use '--sort=extension' to sort files by their extension (to see perl scripts, shell scripts, etc. listed in a group).

# ls -lgo --sort=extension

(or sort by version)
# ls -lgo --sort=version
    

There are many more options, but these are just a few that may prove to be useful.

8.  Moves, Adds, and Changes

Moves

The following developers recently left the Gentoo team:

• none this week

Adds

The following developers recently joined the Gentoo Linux team:

• none this week

Changes

The following developers recently changed roles within the Gentoo Linux project:

• none this week

9.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

10.  GWN Feedback

Please send us your feedback and help make the GWN better.

11.  GWN Subscription Information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:

• Dutch
• English
• German
• French
• Japanese
• Italian
• Polish
• Portuguese (Brazil)
• Portuguese (Portugal)
• Russian
• Spanish
• Turkish