Gentoo Weekly Newsletter: October 11, 2004
1. Gentoo News
Portage breaks through the 100,000 files ceiling
In early 2002, synchronizing the Portage tree was usually done in a few seconds. At less than 10,000 files, there wasn't much to wait for, and certainly no real need for today's option in /etc/make.conf that limits syncs to certain parts of the Portage tree. Gentoo users doing the same thing today must allow for significantly more time: since Friday last week, the Portage tree contains more than 100,000 files, leaving little to be desired in terms of ebuilds for popular and lesser-known applications. The tree also includes thousands of enhancements and security or Gentoo-specific patches to be merged with the original sources, even for different versions of the applications available via Portage. Counting toward the total are also an increasing number of genuine Gentoo developments, like catalyst or tenshi. Congratulations to all who contributed to this impressive record!
Ten PegasosPPC desktops on their way to Gentoo developers
Freescale Semiconductor, Inc., a Motorola company that recently took over production of the PowerPC chips from its parent, is donating a large number of computers to various open-source projects in order to evaluate whether there is a market for Linux on PowerPC desktops. Ten of the machines, PegasosPPC desktops with 1 GHz G4 CPUs, are being sent to Gentoo developers in the U.S. and in Europe over the next two weeks. The machines will go to the base system, security and hardened herds, one each to Gentoo's X11 and Gnome maintainers, three more to test accessibility, web applications and media/video, and the rest go to the embedded and PPC projects. The Gentoo developers are excited and would like to express their gratitude to Freescale Inc. for this generous donation.
Figure 1.1: Inside the PegasosPPC: G4 CPU, Radeon 9200 graphics
The producer of the donated PegasosPPCs, the Luxembourg-based company Genesi S.a.r.l., is unique in openly and actively supporting Linux on desktop PowerPCs, even though it also ships its own operating system, MorphOS, pre-installed. 3D acceleration isn't available yet, but CPU upgrades will be easier than usual in the PowerPC world: both 7447A 1.3 GHz processors that do not require active cooling and a dual-CPU card will be available in a couple of months. Since the G3/G4 series from both IBM and Freescale are pin-compatible, CPU upgrades can be done as soon as the new processors hit the shelves. Freescale will be releasing 2 GHz CPUs soon and is also working on a series of dual-core CPUs.
Turkish GWN translation reanimated
After more than a year of inactivity, a Turkish translation of the GWN is available again since last week. Thanks to Bahadir Kandemir, the Turkish users of Gentoo join the Japanese, Italian and German readers of the GWN who receive regular service in their own languages. Several other languages still need additional help. Volunteers can contact gwn-feedback.
2. Gentoo security
Netpbm: Multiple temporary file issues
Utilities included in old Netpbm versions are vulnerable to multiple temporary file issues, potentially allowing a local attacker to overwrite files with the rights of the user running the utility.
For more information, please see the GLSA Announcement
NetKit-telnetd: buffer overflows in telnet and telnetd
Buffer overflows exist in the telnet client and daemon provided by netkit-telnetd, which could possibly allow a remote attacker to gain root privileges and compromise the system.
For more information, please see the GLSA Announcement
PHP: Memory disclosure and arbitrary location file upload
Two bugs in PHP may allow the disclosure of portions of memory and allow remote attackers to upload files to arbitrary locations.
For more information, please see the GLSA Announcement
Cyrus-SASL: Buffer overflow and SASL_PATH vulnerabilities
Cyrus-SASL contains two vulnerabilities that might allow an attacker to completely compromise the vulnerable system.
For more information, please see the GLSA Announcement
CUPS: Leakage of sensitive information
CUPS leaks information about user names and passwords when using remote printing to SMB-shared printers which require authentication.
For more information, please see the GLSA Announcement
ed: Insecure temporary file handling
The ed utility is vulnerable to symlink attacks, potentially allowing a local user to overwrite or change rights on arbitrary files with the rights of the user running ed, which could be the root user.
For more information, please see the GLSA Announcement
ncompress: Buffer overflow
compress and uncompress, which could be used by daemon programs, contain a buffer overflow that could lead to remote execution of arbitrary code with the rights of the daemon process.
For more information, please see the GLSA Announcement
3. Heard in the community
gentoo-user
Groupware products
Looking for recommendations for groupware products? Several different packages are listed for consideration in this thread:
Local.start errors
Setting up an interrupt at boot time for a low latency test kernel, Mark Knecht added a local.start script that doesn't work as expected. A quick resolution is offered in this thread:
Last emerge sync
How does one determine when the last emerge sync was run? Several suggestions went into this thread:
Athcool risk
Athcool is a powersaving utility for Athlon CPUs, but the ebuild claims it may cause instability.
Here's what users have really experienced:
gentoo-dev
A new cron herd
The base-system herd has many extra packages that don't really belong in base-system but lack other maintainers. To reduce the workload, all cron daemons will be moved to the new cron herd. Other package groups may follow in the near future.
Portage subcategories
This thread discussed the advantages and disadvantages of extending the package categories from category/package to category/subcategory/.../package. At the moment, portage is unable to handle it, and the usefulness of such a change is not obvious.
Portage in embedded systems?
How big is portage, and how do embedded systems with low memory handle it?
Moving passwd from /usr/bin to /bin
This small change will help in system recovery. For example, fsck wants the root password but might fail if /usr/bin is not mounted, which may well be the case during bootup/recovery.
4. Gentoo International
Antarctica: First Gentoo penguin webcam online
No, the German GARS-O'Higgins Station on the tip of the Antarctic Peninsula was not built for watching Gentoo penguins breed - but since last week it does have a webcam that serves this exact purpose. The station's mission, financed and run by German federal research organizations, is to receive and store vast amounts of geodetic data beaming down on its 9m antenna from various European Space Agency satellites in orbit, forwarding them for number-crunching at data centers in Germany. On 29 September 2004, the GARS team installed its fourth web camera, this one donated by elementary schoolchildren and other private sponsors back home, and pointed it to a spot where a Gentoo penguin colony takes shelter from the wind during the Antarctic summer, between mid-October and April. The first Gentoos started coming here years ago, right after the antenna and its concrete foundation were built, and have been growing in numbers ever since. Whether they like the place because it's warm and cuddly, or because of the average Gentoo's affinity to technology, is clearly beside the point. At the time of this writing there isn't much to see besides rocks and snow, but the birds should waddle in within the month, says Martin Grund, the penguin fan who had the idea for the Gentoo webcam and organised its setup. The camera (a Mobotix M10 Secure Dual) has a StrongARM CPU and runs Linux, by the way.
Figure 4.1: Gentoo penguins and their favorite iceberg
Note: Photo courtesy of Reiner Wojdziak, BKG Leipzig
5. Gentoo in the press
IEEE Computing in Science and Engineering (Volume 6 Issue 5, September/October 2004)
The IEEE's journal Computing in Science and Engineering has published a paper by George K. Thiruvathukal titled Gentoo Linux: The Next Generation of Linux. Thiruvathukal is an associate professor at Loyola University in Chicago and an ardent Gentoo activist who recommends using it in his advanced Linux classes at the university. His article for the IEEE describes why Gentoo "is a good choice for scientists, and how its structure gives us the flexibility and ease of management we need." Only the abstract is accessible free of charge on the IEEE website; if you want to read the full article, you need to purchase the document (35 USD) or go to a library that subscribes to the journal.
AnandTech (4 October 2004)
A report by Kristopher Kubicki at AnandTech is really about the "Linux 3D AGP GPU Roundup: More Cutting Edge Penguin Performance" and just mentions Gentoo en passant, but in nice enough words to point it out here: "It may be due to the circles that we run in, but the sheer interest for Linux among our peers seems to have peaked 100-fold what it was last year. Simple, clean distros like SuSE, Fedora Core and Mandrake have done wonders to the Windows migration crowd - and then there is the whole Gentoo sensation as well," writes Kubicki in his introduction to AnandTech's hardware benchmarking report for high performance 3D graphics cards.
ZDNet Tech Update (7 October 2004)
David Berlind writes under the headline "Microsoft Surrounded?" that Linux shows promise for the desktop, but must adopt the ease of use seen in Mac OS X, for example, especially with regard to network, management and resource sharing: "Leading the way on that front (according to ZDNet's readers) is the Gentoo distribution."
Dallas Morning News (7 October 2004)
Titled "Love that Linux - Programmer finds happiness in moving Microsoft out of his life", an article by Doug Bedell draws a portrait of Gentoo Linux user Mike Owens, CIO at a real estate company and busy migrating proprietary Windows environments to Linux. Registration is required to read this article.
The Triangle (1 October 2004)
The student newspaper of Drexel University carries an article by Kevin Lynch about Linux distribution choices, comparing the "almost idiot-proof configurations" of RPM-based distributions to "the sporty young Gentoo" and others. The article's message is borrowed from Indiana Jones and the Holy Grail: "Choose wisely."
The Triangle (8 October 2004)
The same Kevin Lynch writes about the Linux Standard Base (LSB) just one week later: "Most of the controversy surrounding the LSB is over the chosen installation package method, the Red Hat's Package Manager format. [...] Gentoo Linux must redesign its entire package system to conform to the LSB standards."
Maximum PC (October 2004 issue)
On page 36 of this print-only magazine, editor Will Smith writes in an article on must-have features for Longhorn, the next version of Windows: "Finding and installing new applications is ludicrously easy on most Linux distros these days. Microsoft needs to make finding new apps and loading them on a PC as easy as emerge does on Gentoo or apt-get does on Debian. I'm sick of the Installshield installer."
6. Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 03 October 2004 and 09 October 2004, activity on the site has resulted in:
- 655 new bugs during this period
- 402 bugs closed or resolved during this period
- 20 previously closed bugs were reopened this period
Of the 7116 currently open bugs: 134 are labeled 'blocker', 237 are labeled 'critical', and 530 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
New bug rankings
The developers and teams who have been assigned the most new bugs during this period are:
7. Tips and Tricks
OpenVPN primer
There are as many advantages to VPN tunnels as there are different VPN scenarios. One easy implementation is the "OpenVPN via tun-device" solution. An example: you'd like to connect your laptop to your LAN at home so that you can use your mail client without reconfiguring it every time you switch from home to the Internet and back. Let's say your mail server is 192.168.1.10 in your LAN (192.168.1.0/24) at home, and you have a router/firewall providing access to the Internet. You connect from work or school and want to read mail. OpenVPN creates a virtual device on each of the two computers and connects them through an encrypted tunnel. Naturally you then have the possibility of forwarding traffic into the networks behind them, and thus would be "virtually connected" to your LAN behind the firewall. To enable this, either your firewall or a server behind it should run OpenVPN (if you choose a server in your LAN, you'll have to forward the destination port to the OpenVPN server).
Here's what you need to do:
Code Listing 7.1: Enable the tun module in your kernel: Kernel config - tun module
[*] Networking support
    Networking options --->
    [ ] Amateur Radio support --->
    < > IrDA (infrared) subsystem support --->
    < > Bluetooth subsystem support --->
    [*] Network device support
        < > Dummy net driver support
        < > Bonding driver support
        < > EQL (serial line load balancing) support
        <M> Universal TUN/TAP device driver support
Make sure this module exists and can be loaded. Next, install OpenVPN and its dependencies.
Code Listing 7.2: Install OpenVPN
emerge openvpn
Now on both server and client, create a directory for your configuration:
Code Listing 7.3: Make directory
mkdir /etc/openvpn
mkdir /etc/openvpn/myhomelan
Inside that directory, create a shared key for your VPN session and copy that key to the client's directory, /etc/openvpn/myhomelan.
Code Listing 7.4: Generate shared key
cd /etc/openvpn/myhomelan
openvpn --genkey --secret myhomelan-key.txt
Now for the tricky part, the routing. It is important that the two tun devices on the client and server use IP addresses from the same subnet. The configuration files shown below list the type of device, the two end-points of the tunnel, the compression method and the UDP port on which the tunnel is established. Finally, privileges are dropped to the user and group listed:
Code Listing 7.5: Server-side configuration file /etc/openvpn/myhomelan/local.conf
dev tun
ifconfig 172.16.1.1 172.16.1.20
secret /etc/openvpn/myhomelan/myhomelan-key.txt
comp-lzo
port 5000
user nobody
group nobody
The client's configuration needs the tunnel's destination address. This is often a dynamic DNS address, sometimes a fixed IP, depending on your ISP. You also need to route to your home LAN (192.168.1.0 in our example). You can call a shell script from the configuration file that accordingly sets a route.
Code Listing 7.6: Client-side configuration file /etc/openvpn/myhomelan/local.conf
remote <servers.dynamic.dns.address>
dev tun
ifconfig 172.16.1.20 172.16.1.1
secret /etc/openvpn/myhomelan/myhomelan-key.txt
comp-lzo
port 5000
user nobody
group nobody
up /etc/openvpn/myhomelan/route.sh
The route command would need to set the client's gateway for the network 192.168.1.0 to its peer's address (172.16.1.1 in our setup).
Code Listing 7.7: /etc/openvpn/myhomelan/route.sh
#!/bin/bash
# Send traffic for the home LAN through the tunnel's server-side end-point.
route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.1.1
That's it. Start OpenVPN on the server and the client, and check the devices with ifconfig and the routes with route -n. Success!
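As an added example (not part of the original primer), the following Python script parses the two configuration files above and checks the consistency the text insists on: the client's ifconfig must mirror the server's, both tunnel end-points must lie in one subnet (assumed /24 here), the UDP port and comp-lzo setting must match, and the shared key file must be readable by its owner only. The configuration texts are constructed copies of Listings 7.5 and 7.6, and key_mode is passed in rather than read from disk so the check runs offline.

```python
import ipaddress
# Constructed copies of the two listings above, embedded so the check runs offline.
SERVER_CONF = """dev tun
ifconfig 172.16.1.1 172.16.1.20
secret /etc/openvpn/myhomelan/myhomelan-key.txt
comp-lzo
port 5000
user nobody
group nobody
"""
CLIENT_CONF = """remote <servers.dynamic.dns.address>
dev tun
ifconfig 172.16.1.20 172.16.1.1
secret /etc/openvpn/myhomelan/myhomelan-key.txt
comp-lzo
port 5000
user nobody
group nobody
up /etc/openvpn/myhomelan/route.sh
"""

def parse_conf(text):
    """Map each OpenVPN directive to its argument list (empty for flag options)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def check_pair(server_text, client_text, key_mode=0o600, prefix=24):
    """Return the problems found; an empty list means the two files agree."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    s_if, c_if = s.get("ifconfig", []), c.get("ifconfig", [])
    if len(s_if) != 2 or len(c_if) != 2:
        problems.append("each side needs 'ifconfig <local> <peer>'")
    elif s_if != c_if[::-1]:
        problems.append("client ifconfig must mirror the server's local/peer pair")
    # The primer's rule: both tunnel end-points in one subnet (assumed /24 here).
    elif ipaddress.ip_address(s_if[1]) not in ipaddress.ip_network(f"{s_if[0]}/{prefix}", False):
        problems.append("tunnel end-points are not in the same subnet")
    if s.get("port") != c.get("port"):
        problems.append("UDP port differs between server and client")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be set on both sides or on neither")
    if key_mode & 0o077:  # the shared key is a password equivalent: no group/world access
        problems.append("key file must be mode 0600 (chmod 600 myhomelan-key.txt)")
    return problems
```

Run check_pair(SERVER_CONF, CLIENT_CONF, key_mode=os.stat(keyfile).st_mode & 0o777) after editing either file; a non-empty list names what still needs fixing before you start the tunnel.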
8. Moves, adds, and changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
Changes
The following developers recently changed roles within the Gentoo Linux project:
9. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
10. GWN feedback
Please send us your feedback and help make the GWN better.
11. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
12. Other languages
The Gentoo Weekly Newsletter is also available in the following languages: