Various Infrastructure Upgrades for Gentoo
The Gentoo infrastructure received some good news this week with the donation of two new servers. One server, a dual Xeon with 2GB of RAM, will be used to augment capacity in the main rsync.gentoo.org rotation. The other server, a quad Xeon with 1GB of RAM, will be used as a master bittorrent server. Gentoo Linux would like to thank Melior, Inc. for providing these servers to the Gentoo Linux project.
Additionally, Gentoo Linux recently received a donation from EMC for a license of VMWare GSX Server, which will be used to assist in development efforts of our various internal projects.
Finally, a new, custom list archiving solution is now in closed beta and will be released to the public soon. This archive solution will allow public, read-only access of all our mailing lists, including the gentoo-trustees mailing list. We expect to have this solution publicly available within two weeks.
Documentation
The Documentation Team have recently completed a work cycle to review a large number of the "bugs" reported for documentation, and have implemented a large number of minor corrections to wording or content in the documents. They also have a new Status Update that describes a number of major revisions, including: a new Quick HOWTO on su with X, extensions to the Gentoo Installation Tips 'n Tricks, major edits to the Gentoo Security Guide and several updates to the Gentoo Handbook.
Infrastructure
The Infrastructure team are currently working on moving the Forums server to faster hardware - this upgrade will consist of moving the Apache server (currently a dual PIII 1GHz/1GB) and database server (dual Xeon 2.4 GHz/2GB) to new platforms: a dual 2.4GHz/1GB and a 3.0GHz/4GB, respectively. This should substantially improve Forums performance, especially during peak loading.
Security
Gentoo is currently working towards inclusion on the vendor-sec mailing list, a limited-access mailing list that includes many major Linux vendors. Membership on the list would permit early access to security alerts and related discussions, prior to general release of the issue.
SpamAssassin: Denial of Service vulnerability
SpamAssassin is vulnerable to a Denial of Service attack when handling certain malformed messages.
For more information, please see the GLSA Announcement
Horde-IMP: Input validation vulnerability for Internet Explorer users
An input validation vulnerability has been discovered in Horde-IMP. This only affects users of Internet Explorer.
For more information, please see the GLSA Announcement
Cfengine: RSA Authentication Heap Corruption
Cfengine is vulnerable to a remote root exploit from clients in AllowConnectionsFrom.
For more information, please see the GLSA Announcement
Roundup: Filesystem access vulnerability
Roundup will make files owned by the user that it's running as accessible to a remote attacker.
For more information, please see the GLSA Announcement
gv: Exploitable Buffer Overflow
gv contains an exploitable buffer overflow that allows an attacker to execute arbitrary code.
For more information, please see the GLSA Announcement
Nessus: "adduser" race condition vulnerability
Nessus contains a vulnerability allowing a user to perform a privilege escalation attack.
For more information, please see the GLSA Announcement
Gaim: MSN protocol parsing function buffer overflow
Gaim contains a remotely exploitable buffer overflow vulnerability in the MSN-protocol parsing code that may allow remote execution of arbitrary code.
For more information, please see the GLSA Announcement
kdebase, kdelibs: Multiple security issues
KDE contains three security issues that can allow an attacker to compromise system accounts, cause a Denial of Service, or spoof websites via frame injection.
For more information, please see the GLSA Announcement
acroread: UUDecode filename buffer overflow
acroread contains two errors in the handling of UUEncoded filenames that may lead to execution of arbitrary code or programs.
For more information, please see the GLSA Announcement
Tomcat: Insecure installation
Improper file ownership may allow a member of the tomcat group to execute scripts as root.
For more information, please see the GLSA Announcement
glibc: Information leak with LD_DEBUG
glibc contains an information leak vulnerability allowing the debugging of SUID binaries.
For more information, please see the GLSA Announcement
4. Featured Developer of the Week
Benjamin Judas
Figure 4.1: Benjamin Judas
This week, we feature Benjamin Judas (beejay), the Gentoo Release Co-ordinator for the x86 architecture. This responsibility involves managing and developing the x86 release media, including the stage tarballs, Live-CDs and GRP installation sets, as well as working with the documentation team to ensure that the install documentation is current. For the recent 2004.2 release, Chris Gianneloni managed the creation of the LiveCD images, allowing Benjamin to focus on the other aspects of the release. This new division of labour, including the sharing of release engineering responsibilities, is likely to be maintained for future releases. However, Benjamin retains primary responsibility for managing and scheduling release points for the x86 platform.
Although Benjamin had been reading about Linux since 1994, it wasn't until 1998 that he took the opportunity to install and use it. His initial introduction was somewhat prosaic: he was "walking through Friedberg (a small town nearby) trying to find some new shoes." He then recounts that "since I didn't find any good looking shoes, I went into a computer store to spend my money there instead." The result was a spanking new set of SuSE-Linux 5.3 Mini-Edition install media. "Hey, 30 bucks...you can't do anything wrong with that price for 6 CDs." He then tells us that it took him 6 months to have the OS working properly and the remainder of a year to strengthen that knowledge. A few years later, an article by Thomas Raschbacher in a German Linux magazine led him to Gentoo. On August 18th, 2002 (he recalls the date because he ran his first emerge system while at a friend's birthday party), Benjamin downloaded and installed the new distro and never looked back.
Benjamin's first contribution to Gentoo took the form of an apache-based online help system, which he asked Alexander Holler, who managed www.gentoo.de, to post for him. Alexander gave him rights on the server and encouraged him to contribute, so Benjamin continued by assisting with translating materials for the German website. By the Fall of 2003, Benjamin had begun using his nascent Python skills to hack portage with an interest in developing a Web-based portage front-end. While working on his first task, a package search engine, he was approached by Seemant Kulleen and asked if he would work on Gentoo in a more formal capacity. Benjamin started out as a QA assistant for x86 releases, testing the Live CDs, stages and packages. When Seemant gave up his role co-ordinating the releases, the responsibilities were picked up by Benjamin. In addition to his work on www.gentoo.de and the Release Engineering Team, Benjamin was co-founder of the German Gentoo-NFP (Not-For-Profit) Organization, Friends of Gentoo e.V. This group represents a formal organization to collect and manage contributions, financial and otherwise, toward fostering and protecting Gentoo development in Germany.
Benjamin works on a collection of four computers that reside around his home desk: an Athlon-Thunderbird 1300 and an IBM Thinkpad R40 are his main working platforms. These are supported by a Sun Ultra 5 which provides DNS, SMTP and IMAP services and an SGI Indy "which doesn't have a particular task - it just sits there and tries to look good." He has recently fallen in love with the zsh shell, and uses vim and catalyst while developing. Evolution, rxvt-unicode, tvtime and Mozilla round out the list of his most-used applications - excepting the occasional round of UT2k3, Simcity 3000 and Heavy Metal F.A.K.K.2.
In real life, Benjamin works at the University Medical Centre of Justus-Liebig-University Giessen, providing desktop application support. He has a formal qualification as an Assistant for Information Technologies - roughly equivalent to a practical diploma in Computer Science. He describes himself as a "typical couch potato". He enjoys watching television and movies - with a penchant for Science Fiction and Horror, with the occasional helping of televised Car Racing. He is an avid reader, and is currently negotiating China Miéville's "Perdido Street Station", which he recommends. Benjamin lives in Muecke-Merlau, a small village about 80 km from Frankfurt, in the Vogelsberg region of Germany - situated on an ancient dormant volcano. He asked for the opportunity to thank Seemant, Daniel, John and Jeff: "Thanks for trusting me and believing in me, helping me and providing constructive Critics!" He also had a message for the Gentoo devs collectively known as "The German Conspiracy": "Thanks for all the hard work to make Gentoo look good in Germany!". And finally, for the rest of us: "Gentoo is like a Goodyear-tire: if it doesn't run straight anymore, you refresh the profile and it will work again."
Always Working as Root
Many hardened Linux and Unix people know that consistently logging in as root isn't a good idea. However, many newcomers from the Windows world are not really sure why this is not a good idea. On Windows, most people log in with administrative privileges more often than not. So why should it be any different on Linux? A Linux newcomer asked this question on gentoo-user and got some great reasons, and suggestions for simplifying his transition to a Unix way of life.
Gentoo International is on hiatus this week.
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 07 August 2004 and 13 August 2004, activity on the site has resulted in:
Of the 7002 currently open bugs: 143 are labeled 'blocker', 198 are labeled 'critical', and 557 are labeled 'major'.
The developers and teams who have closed the most bugs during this period are:
The developers and teams who have been assigned the most new bugs during this period are:
Tips and Tricks is looking for a new owner. If you're interested in taking over this section of the GWN, please email gwn-feedback@gentoo.org.
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo Linux team:
The following developers recently changed roles within the Gentoo Linux project:
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make the GWN better.
12. GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
The Gentoo Weekly Newsletter is also available in the following languages: