
Gentoo Weekly Newsletter: November 15, 2004

Content:

1.  Gentoo News

Proud to present: Gentoo Linux 2004.3 release

This is the fourth and final release of Gentoo Linux in 2004, with its main focus on bug fixes and making the release tools more robust and easier to use. Releasing for 2004.3 are all the major architectures supported by Gentoo: amd64, hppa, ppc, sparc, x86, and an initial ppc64 release. There is also an experimental alpha release, along with stages for ia64 and s390. The embedded team has also released stages for arm, mips, ppc, and x86, all of which can be found under /experimental. You can find out more about 2004.3 by checking out the release page and reading the ChangeLog.

Among the highlights of 2004.3: Both amd64 and ppc have switched to gcc 3.4 as their compiler of choice. Sparc is releasing only sparc64 media, amd64 and x86 are both switching to a single kernel for the LiveCD. Best of all has been the improved cooperation between the teams for the various architectures, invisibly ensuring an even more consistent output than previous releases.

2004.3 has been pushed to the mirrors in the past few hours, and is also available via bittorrent on torrents.gentoo.org and tracker.netdomination.org. Delivered to the public as scheduled by 0:00 UTC on Monday, 15 November 2004, it is the last release in the quarterly schedule adopted for 2004, which will be replaced by six-monthly releases next year, with 2005.0 and 2005.1 expected in early and mid-2005.

Although Gentoo Linux puts much less emphasis behind releases than other Linux distributions, and adheres to release cycles solely for installation media, the frozen state of each release represents the culmination of the work of each of our developers, and an excellent starting point for new installations of Gentoo Linux. Thanks to all Gentoo developers and community testers for making this our best release ever!

Gentoo's X11 team seeks additional developers

The X11 team needs help with the core X implementations, both xorg-x11 and xfree. In particular, people comfortable with the C language and with diving deep into X are requested to contact Donnie Berkholz and the Developer Relations project as soon as possible: more than 200 open bugs need fixing!

Kernel housecleaning: pruning the tree

The Gentoo Linux kernel maintainers are in the process of doing some housecleaning with the sys-kernel packages in Portage. A number of popular and not-so-popular source packages are unmaintained and outdated, or have been merged with the official Linux kernel development. They have either already been removed from the tree or are in the process of getting replaced by alternatives, and people still running any of them are invited to migrate to different kernel packages at their earliest convenience. A summary list of packages and migration recommendations are listed here, together with an announcement for a behaviour change in the hotplug package (see below in the "Tips and tricks" section).

2.  Future zone

MetaKDE: Split KDE ebuilds

This project by Dan Armak and Simone Gotti implements a long-requested feature: separate ebuilds for all KDE applications. Instead of emerge kdebase kdepim, you can now emerge konqueror kmail.

Very few users actually use all or almost all the 300+ KDE applications, and packaging them in a few huge, monolithic packages is distinctly un-Gentooish. Splitting them cuts down on emerge time, disk usage and clutter and makes it easier to issue and verify updates, including security alerts. It also allows more fine-grained dependency specification and USE flag usage.

This power comes at a price. The reason the Gentoo KDE packages weren't split long ago is that every ebuild emerged has to unpack a huge tarball and run configure all over again, which takes time. It was calculated that the total overhead for emerging all of KDE in split packages, as opposed to the current monolithic ones, would be several hours. Two years ago this was still deemed unacceptable (for a summary of the discussion see this bug report).

But things have become faster over time - not just hardware, but autotools and the KDE build scripts as well. So much so, that we decided we'd try this and see what happened. The new confcache (see next week's "Future zone" section for details) is also a major bonus. The current status of the project is about 95% complete. An ebuild overlay is at kde-metaebuilds.berlios.de and has no known bugs, just a few missing features. These ebuilds also have some minor improvements that the monolithic ones don't.

We are now starting to merge these ebuilds into Portage proper. The plan is to introduce them gradually, starting with the least used packages. The kdebindings-derived ebuilds are already there and will probably be unmasked by the time you read this. We hope the split ebuilds will become the default in time for KDE 3.4. Meanwhile wide testing by all and sundry would be appreciated.

3.  Gentoo security

zgv: Multiple buffer overflows

zgv contains multiple buffer overflows that can potentially lead to the execution of arbitrary code.

For more information, please see the GLSA Announcement

Portage, Gentoolkit: Temporary file vulnerabilities

dispatch-conf (included in Portage) and qpkg (included in Gentoolkit) are vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the script.

For more information, please see the GLSA Announcement

Kaffeine, gxine: Remotely exploitable buffer overflow

Kaffeine and gxine both contain a buffer overflow that can be exploited when accessing content from a malicious HTTP server with specially crafted headers.

For more information, please see the GLSA Announcement

OpenSSL, Groff: Insecure tempfile handling

groffer, included in the Groff package, and the der_chop script, included in the OpenSSL package, are both vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

For more information, please see the GLSA Announcement

zip: Path name buffer overflow

zip contains a buffer overflow when creating a ZIP archive of files with very long path names. This could lead to the execution of arbitrary code.

For more information, please see the GLSA Announcement

mtink: Insecure tempfile handling

mtink is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

For more information, please see the GLSA Announcement

Apache 2.0: Denial of Service by memory consumption

A flaw in Apache 2.0 could allow a remote attacker to cause a Denial of Service.

For more information, please see the GLSA Announcement

Pavuk: Multiple buffer overflows

Pavuk contains multiple buffer overflows that can allow a remote attacker to run arbitrary code.

For more information, please see the GLSA Announcement

ez-ipupdate: Format string vulnerability

ez-ipupdate contains a format string vulnerability that could lead to execution of arbitrary code.

For more information, please see the GLSA Announcement

Samba: Remote Denial of Service

An input validation flaw in Samba may allow a remote attacker to cause a Denial of Service by excessive consumption of CPU cycles.

For more information, please see the GLSA Announcement

Davfs2, lvm-user: Insecure tempfile handling

Davfs2 and the lvmcreate_initrd script (included in the lvm-user package) are both vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running them.

For more information, please see the GLSA Announcement
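The symlink advisories above (Portage/Gentoolkit, OpenSSL/Groff, mtink, Davfs2/lvm-user) share one failure mode: a script writes to a predictable temporary path that may already exist as a symlink. The shell sketch below is an added example, not code from any of those packages; every function name, file name and the scratch-directory scenario is constructed for illustration. It puts the weak pattern beside two hardened forms and checks each against a pre-existing link.

```shell
#!/bin/sh
# Added illustration; all names are hypothetical, not taken from the packages.

# Weak pattern: predictable name and plain ">" redirection. If the path is
# already a symlink, the shell follows it and truncates the link target.
write_insecure() {
    tmp="$1/report.tmp"
    echo "scratch data" > "$tmp"
}

# Hardened: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so an existing path is never reused.
write_hardened() {
    tmp=$(mktemp "$1/report.XXXXXX") || return 1
    echo "scratch data" > "$tmp"
}

# Fallback when a fixed name is unavoidable: with noclobber (set -C) the
# redirection refuses to open a path that already exists.
write_noclobber() {
    tmp="$1/report.tmp"
    ( set -C; echo "scratch data" > "$tmp" ) 2>/dev/null
}

# Constructed scenario in a private scratch directory: the predictable path
# already exists as a symlink to a file the script's user can write.
# Prints "clobbered" or "intact" for the writer function named in $1.
check_writer() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXX") || return 1
    echo "important" > "$scratch/target"
    ln -s "$scratch/target" "$scratch/report.tmp"
    # A refused write is the expected outcome for the hardened writers.
    "$1" "$scratch" >/dev/null 2>&1 || true
    if [ "$(cat "$scratch/target")" = "important" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$scratch"
    echo "$result"
}

for w in write_insecure write_hardened write_noclobber; do
    printf '%-16s %s\n' "$w" "$(check_writer "$w")"
done
```

The same check can be pointed at any script's temp-file routine during review: if the target file's content changes, the routine follows links at a predictable path.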

4.  Heard in the community

gentoo-dev

Media-sound reorganization

Chris White plans to reorganize the whole media-sound category. The almost 300 packages in this category will be split into approximately 15 to 20 new categories. And, as many times before, the arguments for a generally different organization of packages were considered in this thread.

Trojan for Gentoo

After a long time of inactivity on his bug, the original reporter offers a way for rsync mirrors to trojanize Gentoo installs by manipulation of eclasses. Since they are not yet signed, a compromised rsync server could become a great security risk.

Detecting gcj and other gcc language modules

This is the specific case of the general question: Is there a general way to depend on a package built with a specific USE-flag? As it seems, this useful functionality is not yet in portage. At the moment only a few workarounds exist, but it's still the cause of some compile failures and seemingly strange bugs.

5.  Gentoo International

Italy: G-Day update

As reported last week, the Italian Linux Society - a not-for-profit organization that coordinates Italian Linux user groups (LUG) - once a year organizes a "Linux Day", a fundamental event for Linux users in every major Italian city where local LUGs run meetings, conferences, install parties, and other activities for their community. Linux Day 2004 on 27 November will be held in about one hundred different cities around Italy. The Italian Gentoo community, driven by activists of the GeCHI (Gentoo Channel Italia), has decided to build on the experience of last year's inaugural Gentoo-related event during Linux Day in Venice, and will organize a "Gentoo Day" or G-Day. G-Day is going to be a great opportunity to meet, discuss, share ideas and show Gentoo Linux to other Linux users and beginners. After a bit of discussion where to hold the G-Day, the GeCHI finally settled for Prato last week. The all-day event, presented in co-operation with the Prato Linux User Group (PLUG), will start at 9:30 and finish around midnight on 27 November.

The GeCHI evangelists will set up a demonstration area with PCs, PPCs, and a PlayStation2, where they will show different Gentoo uses and capabilities. Distfiles and rsync mirrors will be provided locally for the convenience of visitors who wish to install Gentoo Linux on their own hardware on the spot. They have prepared brochures showing pros and cons of Gentoo systems, and about using Gentoo in educational, desktop and enterprise environments. Handbooks and CDs will be distributed to people who would like to try Gentoo. During the whole day, in a conference hall next to the demo area, GeCHI speakers will hold talks and Q&A sessions, with topics ranging from "Introduction to Gentoo Linux" for beginners, via "Gentoo in enterprise environments" for professional system administrators, to technical issues like "Securing a Gentoo box" and "Managing multiple Gentoo installations". Proceeds for the gadgetry (T-Shirts, case stickers) sold at the event will be donated to the Gentoo Foundation.

Some live coverage can be tapped into via the Italian Gentoo Fora, in particular this thread in the official Gentoo Forum and the GeCHI's own G-Day forum.

Brazil: Gentoo Linux at CONISLI, São Paulo

CONISLI, the "Congresso Internacional de Software Livre" (International Free Software Conference) in the city of São Paulo was held for the first time only last year, but it has already become one of the most important Free Software events in Brazil. This year it was held on 5 and 6 November at the Palácio das Convenções do Anhembi, already twice as big as the first event at São Paulo's university where it was held in 2003. The main focus this year was on "Developing Software", and on top of various talks and workshops on the conference schedule (including Marcelo Gondim's intriguingly titled presentation "Shopping with Gentoo Linux"), CONISLI also provided exhibition space for free software communities, where the particularly strong Brazilian Gentoo users group set up a booth and held a meeting of their own, to discuss ideas, exchange information and nurture the growth of Gentoo among Brazilian Linux users.


Figure 5.1: Gentoo Linux at CONISLI 2004

Fig. 1: Gentoo Brazil

Note: Left to right: Annihilator, Enderson (Enderson Maia), Chatoo (Wagner Hebert), Angra (Diego R. Grein), Lulyis (Luana Leonor), Toskinha (Sulamita Garcia), fl0cker (Luiz Agostinho), Marcelo_ (Marcelo Lima), Bani (Vanessa Sabino), Aninha (Ana Paula), Gentoo developer AngusYoung (Otavio Piske)

More photos from the event can be found here:

Germany: Annual General Meeting (AGM) of "Friends of Gentoo e.V.", 20 November 2004

The first AGM of the German not-for-profit association "Friends of Gentoo e.V." is going to be held next Saturday, 20 November 2004 from 19:00 at the Gasthof Harlos in Oberhausen, a pub with a history of monthly regional Gentoo user meetings. On the agenda are elections for the board of directors, a report on last year's activities and motions for amendments to the statutes. The meeting is open to the public, but only current members of the association have the right to vote.

Germany: First Gentoo user meeting in Nuremberg, 1 December 2004

Bavaria's second largest city is going to host the next Gentoo user meeting (GUM) in Germany, the first one in this area, organised by a freshly constituted Gentoo User Group Nürnberg (GUGN). If you happen to be around that part of the country on 1 December, meet the others at the Landbierparadies after 19:30. All necessary details including maps can be had at an improvised GUGN website, and a Forum thread coordinates who and how many are planning to show up.

6.  Gentoo in the press

O'Reilly: Knoppix Hacks (October 2004)

"100 Industrial-Strength Tips & Tools" is the subtitle of a brand-new book from O'Reilly, "Knoppix Hacks", published just last month, and hack #36 on p. 110f explains how to "Install Gentoo with Knoppix". Providing several reasons why installing Gentoo Linux is best done from a LiveCD (as opposed to from inside an existing Linux installation), the article promotes doing this not from a Gentoo ISO, but from booting a Knoppix CD. Never mind, as long as you get "all the benefits of having a Gentoo system, such as the excellent portage package manager," as author Alex Garbutt puts it, alongside his personal recommendation of playing Frozen Bubble while waiting for the installation to finish.

7.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 07 November 2004 and 14 November 2004, activity on the site has resulted in:

  • 795 new bugs during this period
  • 548 bugs closed or resolved during this period
  • 29 previously closed bugs were reopened this period

Of the 7397 currently open bugs: 129 are labeled 'blocker', 240 are labeled 'critical', and 556 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

8.  Tips and Tricks

Hotplugging? Coldplugging!

Today's tip comes straight from Gentoo's kernel package maintainer and developer department, and it reflects quite an important change in the behaviour of a core mechanism during the boot process. The sys-apps/hotplug package is commonly installed on desktop systems in order to provide automatic loading of modules when hardware is plugged in during system operation. As well as automatically loading modules when new devices are plugged in, the previous hotplug releases also scanned the system hardware at bootup and loaded modules for any detected hardware.

Technically, autoloading modules at bootup is not hotplugging, and as such, this functionality has been removed from the latest hotplug release. If you previously relied on hotplug autoloading modules at bootup and wish to keep it that way, then all you need to do is install the more appropriately named coldplug package:

Code Listing 8.1: Emerge and activate coldplug

emerge coldplug
rc-update add coldplug boot

Bear in mind that it is generally safer to include the modules you want to autoload in the /etc/modules.autoload.d/kernel-2.x file, though. Do yourself a favor and switch back to the canonical way if you ever experience problems with coldplug.

9.  Moves, adds, and changes

Moves

The following developers recently left the Gentoo team:

  • None this week

Adds

The following developers recently joined the Gentoo Linux team:

  • Stefan Schweizer (genstef) - External kernel modules

Changes

The following developers recently changed roles within the Gentoo Linux project:

  • Henrik Brix Andersen (brix) - Kernel

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN feedback

Please send us your feedback and help make the GWN better.

12.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

13.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated 15 November 2004

Summary: This is the Gentoo Weekly Newsletter for the week of 15 November 2004.

Ulrich Plate
Editor

Dan Armak
Author

Daniel Drake
Author

Chris Gianelloni
Author

Patrick Lauer
Author

Otavio Piske
Author

Gianmaria Visconti
Author


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.