Gentoo Weekly Newsletter: November 1, 2004

Content:

1.  Gentoo News

Report from last week's Linux World Expo in Germany (Frankfurt)

The Linux World Conference & Expo in Frankfurt is one of Germany's top 5 specialized fairs, with 15,000 visitors and its main focus on commercial Linux offerings. The exhibition serves as a platform for Linux products and development, and is complemented by a conference program spanning all three days. Gentoo was present in the ".org Pavilion" next to a lot of other non-commercial community projects. The German non-profit association "Förderverein Gentoo e.V." was in charge of organization, and brought together more than ten Gentoo developers from Germany, Austria and Switzerland to man the booth.


Figure 1.1: The usual suspects

Fig. 1: Gentoo LWE booth staff

Note: Left to right: zypher (Marc Hildebrand), dj-submerge (Marc Herren), visiting GWN editor Ulrich Plate, swegener (Sven Wegener), crouching ian! (Christian Hartmann), PyLon (Lars Weiler), yah (Michael van Bracht), pYrania (Markus Nigbur), amne (Wernfried Haas), stkn (Stefan Knoblich) and tantive (Michael Imhof)

There was considerable interest in the large variety of supported platforms displayed at the Gentoo booth this year, from various x86 and PPC laptops to three Ultra-Sparc machines, and even a Siemens Primergy quadruple Xeon server. With half a dozen hosts constantly building base systems or emerging applications, a dedicated Mini-ITX based distfiles server was put in place as a local repository right at the booth, very convenient for both staff and Gentoo users passing by. Several visitors came to get special support for their Gentoo installations, or just wanted to meet some of the developers involved in the project. One of their most frequent requests was a "server edition" or "Enterprise Gentoo", with a more stabilized tree and more comfort for updates in a production environment - hardly surprising, since the LWE is a predominantly commercial trade fair.

Special LWE edition Gentoo x86 LiveCDs (nicknamed "Fizzlewizzle") featuring German localizations of KDE, extensive documentation and a nightview of Frankfurt's office district on the CD label were distributed at the booth. Both the ISO image (remastered by Tobias Scherbaum) and Christian Hartmann's artwork to print directly onto the media can be downloaded from here.


Figure 1.2: Gentoo LiveCD LWE edition cover

Fig. 2: LWE edition

Mixed messages were heard from neighboring exhibitors: While Sven Herzberg of the Gnome booth was kind enough to point out that Gentoo's bugzilla (unlike his own project's older version) provides buglists in iCalendar format for import into Evolution, Sun Microsystems had disappointing news about the future availability of Java on the PowerPC platform - none planned, unfortunately. Their project Looking Glass remains quite an eyecatcher, though.

Call for help: Experienced J2EE developers needed

Karl Trygve Kalleberg of Gentoo's Java team really needs help: "Judging from the number of bugs and requests for feature enhancements that we've been assigned in the recent past, there must have been increased interest in Java applications since the release of Eclipse," explains Karl. The first request for additional help went out in August, but this time there's a tad more urgency to it: If you're an experienced Java developer, especially with a J2EE track record, please mail Karl and the Gentoo recruiters team today.

Coming up: Gentoo Bugday on Saturday, 6 November 2004

Gentoo Bugday is a monthly event where users and developers gather on IRC to fix lots of bugs. This unique opportunity to meet the devs and directly participate in fixing problems has been hugely successful in the past. A dedicated IRC channel has been set aside for this collaborative effort, #gentoo-bugs on irc.freenode.org, and if you want to participate, all you have to do is /join the channel.

2.  Gentoo security

MySQL: Multiple vulnerabilities

Several vulnerabilities including privilege abuse, Denial of Service, and potentially remote arbitrary code execution have been discovered in MySQL.

For more information, please see the GLSA Announcement

Gaim: Multiple vulnerabilities

Multiple vulnerabilities have been found in Gaim which could allow a remote attacker to crash the application, or possibly execute arbitrary code.

For more information, please see the GLSA Announcement

MIT krb5: Insecure temporary file use in send-pr.sh

The send-pr.sh script, included in the mit-krb5 package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

For more information, please see the GLSA Announcement

Netatalk: Insecure tempfile handling in etc2ps.sh

The etc2ps.sh script, included in the Netatalk package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

For more information, please see the GLSA Announcement
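The insecure temporary file pattern behind both the mit-krb5 and the Netatalk advisory above, shown beside a hardened form. This is an added example of the general pattern, not code from send-pr.sh or etc2ps.sh; the function names and the `report.` file name are hypothetical, and everything happens inside a private scratch directory that stands in for /tmp.

```shell
#!/bin/sh
# Added example (constructed), not taken from either package.

# Unsafe: the name is predictable (PID suffix) and the plain redirect
# opens whatever already exists at that path, following symlinks.
write_predictable() {   # $1 = directory standing in for /tmp, $2 = data
    tmp="$1/report.$$"
    echo "$2" > "$tmp"
}

# Hardened: mktemp chooses an unpredictable name and creates the file
# itself, so a path that somebody else prepared is never reused.
write_mktemp() {        # same arguments; prints the file it created
    tmp=$(mktemp "$1/report.XXXXXX") || return 1
    echo "$2" > "$tmp"
    echo "$tmp"
}

# Self-check: put a symlink at the predictable path and report whether
# the writer named in $1 changed the file the link points to.
check_writer() {
    dir=$(mktemp -d) || return 1
    echo original > "$dir/precious"
    ln -s "$dir/precious" "$dir/report.$$"
    "$1" "$dir" "scratch data" > /dev/null
    if [ "$(cat "$dir/precious")" = original ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$dir"
}

echo "predictable name: $(check_writer write_predictable)"
echo "mktemp:           $(check_writer write_mktemp)"
```
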

socat: Format string vulnerability

socat contains a format string vulnerability that can potentially lead to remote or local execution of arbitrary code with the privileges of the socat process.

For more information, please see the GLSA Announcement

mpg123: Buffer overflow vulnerabilities

Buffer overflow vulnerabilities have been found in mpg123 which could lead to execution of arbitrary code.

For more information, please see the GLSA Announcement

rssh: Format string vulnerability

rssh is vulnerable to a format string vulnerability that allows arbitrary execution of code with the rights of the connected user, thereby bypassing rssh restrictions.

For more information, please see the GLSA Announcement

PuTTY: Pre-authentication buffer overflow

PuTTY contains a vulnerability allowing an SSH server to execute arbitrary code on the connecting client.

For more information, please see the GLSA Announcement

GPdf, KPDF, KOffice: Vulnerabilities in included xpdf

GPdf, KPDF and KOffice all include vulnerable xpdf code to handle PDF files, making them vulnerable to execution of arbitrary code upon viewing a malicious PDF file.

For more information, please see the GLSA Announcement

Archive::Zip: Virus detection evasion

Email virus scanning software relying on Archive::Zip can be fooled into thinking a ZIP attachment is empty while it contains a virus, allowing detection evasion.

For more information, please see the GLSA Announcement

3.  Heard in the community

Web forums

To sleep - perchance to dream: ay, there's the patch

Ending many months of insomnia in PowerBooks, Gentoo/PPC developer JoseJX reported in a Forum thread on Wednesday that Benjamin Herrenschmidt, the PPC kernel maintainer, has published his latest enhancement to the power management of portable Macs, more specifically for putting the aluminium PowerBooks with ATi graphics chipsets to sleep. Benh's patch seems to apply cleanly to Gentoo's development sources 2.6.9-r1, and a wave of gratitude is washing over the PPC forum:

gentoo-user

Analogue distributions

Users commented on a new Linux distribution, Vidalinux, which is based on Gentoo. It uses the Gentoo system tools and Portage as its package manager.

Master USE

Several discussions arose this week regarding USE flags in Portage. USE flags provide a convenient approach to managing support and dependency information when emerging packages. Understanding what flags are necessary and how they might impact a system's configuration can be challenging for new users.

Binary pop

One user noticed that etc-update was asking them to overwrite /etc/X11/xdm binary files in addition to just configuration files.

gentoo-dev

A few glibc changes

Travis Tilley has again done some (major) changes to Gentoo's glibc. This includes enabling some sanity checks, and improved DNS and mDNS handling.

"Planet Gentoo" blog aggregator

Daniel Drake presents a proposal for a Gentoo Blog Aggregator to provide users and developers with a better overview of developments in Gentoo. The ensuing discussion centered more on the usefulness of such a service, as many people dislike blogs.

GLEP 29: USE flag grouping

In another GLEP started this week, Ciaran McCreesh proposes some new input on USE flag groups. This should enable users to select groups (for example, @KDE, @MULTIMEDIA), but the fine details (what does @KDE -@GNOME do?) are still not perfectly worked out.

4.  Gentoo in the press

Newsforge (30 October 2004)

Joe Barr has written a tongue-in-cheek piece answering the question of what the choice of Linux distribution says about a person. According to Barr, Gentoo's motto is "If it moves, compile it," supposedly making it the distribution most appealing to lone ranger types like John Wayne.

5.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 24 October 2004 and 30 October 2004, activity on the site has resulted in:

  • 802 new bugs during this period
  • 378 bugs closed or resolved during this period
  • 19 previously closed bugs were reopened this period

Of the 7368 currently open bugs: 115 are labeled 'blocker', 255 are labeled 'critical', and 551 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

6.  Tips and Tricks

nice and PORTAGE_NICENESS

Last week's GWN introduced brand-new Portage features; this week we'd like to take you back to a venerable, sturdy old feature that's hot nonetheless: PORTAGE_NICENESS. Let's look at some basics first.

Very simply put, the Linux kernel has a (process) scheduler that selects which process to run next in your system. One factor influencing the scheduler's decision about which process to assign CPU time to is the priority of a process. Processes with a high priority will run before those with a lower priority, and processes with the same priority will take turns in running, one after the other and over again.

Better have a look at it for yourself: Run top from a terminal on your host and pay special attention to the PR and NI columns:

Code Listing 6.1: Sample top output

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 8005 root      20   0 85188  33m  57m R  3.3  6.7   8:43.77 X
 8148 tobias    20  10 25624 2376  24m S  0.3  0.5   0:00.60 xscreensaver
    1 root      20   0  2476  552 2304 S  0.0  0.1   0:00.31 init
    2 root      39  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
    3 root      15  -5     0    0    0 S  0.0  0.0   0:00.09 events/0

The PR column indicates the priority level of a process; the NI column displays the so-called nice value of a process, which allows you to adjust the priority of a running process. Possible values range from -20 (very high priority), via 0 (standard priority), to 20 (very low priority). In our little example the xscreensaver process has a higher nice value than X, which indicates that X has a higher priority than xscreensaver.

Now, how do we make this work to our advantage when using Portage?

If you keep using your computer while compiling packages, you will notice that your box is much less responsive than usual. This is caused by having two "groups" of processes with the same nice priority: your usual running tasks on one side, and emerge (and its child processes) on the other. Now, if you could renice emerge and its children to a higher nice (i.e. lower priority!) value, compiling would inevitably take somewhat longer, but you could use your workstation without noticing much difference from its usual performance. That's what the PORTAGE_NICENESS parameter in /etc/make.conf is for:

Code Listing 6.2: Put this in /etc/make.conf

PORTAGE_NICENESS="15"

You can generally "renice" individual processes from the command line (e.g. renice 0 -p 8148 to prioritize xscreensaver in the above example), but this will not work with emerge, as Portage reads the PORTAGE_NICENESS setting from /etc/make.conf once and executes all child processes with the specified nice value.
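The inheritance behaviour this tip relies on, as an added example that is not part of the original newsletter and does not call Portage itself: a nice value applied when the parent starts reaches every descendant, while renicing a parent later leaves children that are already running untouched. The function names are hypothetical, and reading `/proc` assumes Linux.

```shell
#!/bin/sh
# Added demo (constructed): a process's nice value is copied to each child
# when the child is started, not tracked afterwards.

# Start a shell with `nice -n $1` (the increment stands in for the
# PORTAGE_NICENESS value) and print the niceness its grandchild runs at.
# `nice` with no arguments prints the caller's current niceness.
inherited_niceness() {
    nice -n "$1" sh -c 'sh -c nice'
}

# Start a child, then renice only the parent shell to $1. Prints the
# niceness of a child started after the renice, followed by that of the
# child started before it. Field 19 of /proc/PID/stat is the nice value.
renice_parent_only() {
    sh -c '
        sleep 2 >/dev/null &
        old=$!
        renice "$1" -p $$ >/dev/null 2>&1
        echo "$(nice) $(awk "{ print \$19 }" "/proc/$old/stat")"
        kill "$old"
    ' sh "$1"
}

echo "grandchild of 'nice -n 15': $(inherited_niceness 15)"
echo "parent reniced to 19 (new child, old child): $(renice_parent_only 19)"
```
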

7.  Moves, adds, and changes

Moves

The following developers recently left the Gentoo team:

  • None this week

Adds

The following developers recently joined the Gentoo Linux team:

  • None this week

Changes

The following developers recently changed roles within the Gentoo Linux project:

  • None this week

8.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

9.  GWN feedback

Please send us your feedback and help make the GWN better.

10.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

11.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:



Page updated 1 November 2004

Summary: This is the Gentoo Weekly Newsletter for the week of 1 November 2004.

Ulrich Plate
Editor

Brian Downey
Author

Patrick Lauer
Author

Tobias Scherbaum
Author

Emmet Wagle
Author

Lars Weiler
Author

Copyright 2001-2014 Gentoo Foundation, Inc.