
Gentoo Weekly Newsletter: November 22, 2004

Content:

1.  Gentoo News

Gentoo 2004.3 x86 release on DVD

The Gentoo Store now delivers the entire 2004.3 release for the x86 architecture, including all binary packages for the supported subarchitectures (x86, i686, Pentium 3, Pentium 4 and Athlon XP) on a single bootable DVD.

It also provides a set of two DVDs that contains a complete archive of the 2004.3 release distfiles, including all necessary source code except for the games category that was omitted for space reasons. The store profits go partly to the Gentoo Foundation, helping in establishing the not-for-profit entity, the server infrastructure and other Gentoo development-related support.

Gentoo documentation updates and extensions

A flurry of activity coming from kernel developer Daniel Drake has enriched the Gentoo documentation last week. Aside from updates to numerous kernel guides and primers, he also authored a mantelpiece for the Gentoo documentation collection, a brand-new "Complete Gentoo Linux 2.6 Migration Guide" that answers all the questions that Gentoo users moving on from the 2.4 kernel series may have.

On the workflow side of things the documentation team has been preoccupied with a few shortcomings of AxKit for a while, i.e. the XML preprocessor responsible for converting the internal XML structure of all web-hosted content at www.gentoo.org to HTML. AxKit is running only with Apache v1, for example, and looks somewhat unmaintained with its lack of significant updates for some time. Xavier Neys and Sven Vermeulen have therefore started replacing AxKit with gorg, its promising successor capable of delivering the missing features. As always, the update page of the documentation project has all these and other important changes, including some gruesome work done on existing files to make the translators' job a little easier.

2.  Future zone

Portage CVS

Sometimes it's nice to show to the users that there's a fair amount of work going into Portage, despite the gaps between stable releases. Portage 2.0.51 hasn't been out more than a month, but its CVS version now has - in a mostly stable fashion - the following features:

  • confcache
  • prelink (auto-prelink binaries as they are merged)
  • verify-rdepend (verify a package links only to stated rdepends)
  • userpriv_fakeroot (run install phase under fakeroot, removing the need for root privs from all building phases but setup)

Aside from feature additions, and code cleanup that's already started, --regen (checking and updating the dependency path) is now 33% faster, and metadata updates (post rsync'ing) are quicker by almost half in baseline tests.

Then there's the work on the environment settings. Ebuilds now should be able to be completely uninstalled without anything of the tree existing. Nothing but the relevant profile is needed for this, which basically means that Portage developers can start modifying eclasses again without having to worry about backwards compatibility going back years.

Also - nifty little trick - the old "I updated ssl, libssl.so got shifted, and now wget won't work and I can't fetch any sources" issue is addressed via a bundled Python-based fetch implementation - if the exit code from the fetch call is indicative of missing libraries or binaries, it tries the bundled lib instead. In tests Brian Herring has done in a system gutted of openssl, the bundled lib has soldiered on, promising that users could get out of that jam.

Some work is going into sync refactoring, too: The CVS format was made more flexible, and snapshot support was added in, meaning the need for emerge-webrsync is vanishing.

The CVS development is a bit embryonic at the moment, with a lot of work left, but these and more changes will not take long before they come your way - the diff between portage-2.0.51 and the version in CVS is already larger than 400KB.

3.  Gentoo security

Ruby: Denial of Service issue

The CGI module in Ruby can be sent into an infinite loop, resulting in a Denial of Service condition.

For more information, please see the GLSA Announcement

BNC: Buffer overflow vulnerability

BNC contains a buffer overflow vulnerability that may lead to Denial of Service and execution of arbitrary code.

For more information, please see the GLSA Announcement

SquirrelMail: Encoded text XSS vulnerability

SquirrelMail fails to properly sanitize user input, which could lead to a compromise of webmail accounts.

For more information, please see the GLSA Announcement

GIMPS, SETI@home, ChessBrain: Insecure installation

Improper file ownership allows user-owned files to be run with root privileges by init scripts.

For more information, please see the GLSA Announcement

Fcron: Multiple vulnerabilities

Multiple vulnerabilities in Fcron can allow a local user to potentially cause a Denial of Service.

For more information, please see the GLSA Announcement

4.  Heard in the community

Web forums

CD burning and Gentoo kernel 2.6.9

Gentoo developer Daniel Drake is soliciting testers for a replacement bugfix he's done on Gentoo's development kernel (and managed to get included in the official tree for 2.6.10). As CD and DVD burning has been under fire since 2.6.7 because of security concerns with simulated SCSI commands being sent to the devices, fixes that weren't making things any better had to be replaced with a saner approach. Check this thread and tell him what you think:

gentoo-dev

RAM-voracious ebuilds?

What can be done if during installation an ebuild needs lots of RAM (gtk2hs) or large amounts of disk space (OpenOffice.org)? Since the build process might fail on some systems, it would be useful to have portage check these resources before starting the build. Is there a sane and cross-platform way of doing this? /proc/ does not exist on all platforms, after all.

Handling important upgrade messages

Many ebuilds give important hints about changes in behaviour, configuration files etc. These messages are spewed to the screen during the installation, and therefore usually scroll away during multi-package upgrades. This prevents users from seeing many important messages in an easy way (and no, sitting eight hours watching the messages scroll by doesn't count). This thread explores the possibilities of collecting these messages so that they can be presented all at once.

5.  Gentoo International

UK: Oxford Gentoo User Meeting

Hardly surprising, coming to think of it: Since Gentoo users in "that other city" met two weeks ago, Oxford-based Gentooists have been thinking out loud that they can't possibly let this pass. They'll be meeting for the first time on Sunday afternoon, 28 November 2004 from 15:00, at the "Far From The Madding Crowd" in 10-12 Friar's Entry. Half a dozen Oxonian Gentooists have already confirmed, with shadow Portage bash-scripter Edward Catmur expected at the venue, and Gentoo developer robmoss hiking to Oxford on a full 500 mile roundtrip just for this event. Announce your participation in this Forum thread.

6.  Gentoo in the press

2004.3 Release announcements roundup

Last week's release of Gentoo Linux 2004.3 triggered a large number of publications about Gentoo. Here's a list of some of the shinier highlights, many of them with comment areas below the article:

Business Wire (20 November 2004)

Business Wire announces that the speaker list for next year's big "Security Enhanced Linux" (SELinux) symposium is now confirmed, and it mentions Gentoo as one of the organisations to be present and presenting at the SELinux Symposium, scheduled for 2-4 March 2005 in Silver Spring, Maryland. What the article doesn't say: The Gentooist involved in this conference is Gentoo developer Joshua Brindle.

7.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 07 November 2004 and 14 November 2004, activity on the site has resulted in:

  • 795 new bugs during this period
  • 548 bugs closed or resolved during this period
  • 29 previously closed bugs were reopened this period

Of the 7397 currently open bugs: 129 are labeled 'blocker', 240 are labeled 'critical', and 556 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

8.  Tips and Tricks

Portage magic

/var/log/emerge.log is well-known as the central repository of information about all emerge activity going on in the system. Lesser known are some tricks you can do with the content of that log file. For example, when you start an upgrade, you generally don't know how much time it will take to finish compiling. You probably don't remember how long your last mplayer installation took, but Portage does, and if you'd decipher the Unix time stamps in /var/log/emerge.log, you'd get a pretty good idea, too. Or you could let app-portage/genlop do it for you. Emerge (the unstable, ~arch version of) genlop with:

Code Listing 8.1: Emerge genlop

# emerge -av genlop

Now run a pretended world upgrade and pipe it to genlop for an estimation of your upgrade schedule:

Code Listing 8.2: Estimate upgrade time

# emerge -pu world | genlop --pretend
These are the pretended packages: (this may take a while; wait...)

 * media-libs/tiff
 * x11-base/xorg-x11
 * app-sci/stellarium
 * app-arch/gzip
 * dev-libs/libIDL
 * net-www/mozilla-firefox
 * sys-boot/lilo
 * app-doc/abs-guide
 * app-arch/unarj
 * app-emulation/wine
 * app-admin/sudo

Estimated update time: 4 hours, 38 minutes.

A look at the mechanism explains how Portage can double as an oracle. It uses the statistics stored in the emerge.log file, takes an average of compilation times for the given packages, and summarizes the results. There are some uncertainties, of course: if you use the CCACHE feature, for example, compiling a minor version bump may be much faster than compiling the original package was the first time. On the other hand, if an application has been extended with new features, the old average compile time can be shorter than that of the version you're about to emerge.
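The averaging described above, as an added example (not genlop's own code, and not part of the original newsletter): it pairs the start and completion time stamps of each merge, averages them per package and adds up the averages for a pretended upgrade. The ">>> emerge" / "::: completed emerge" line layout of the constructed sample log is an assumption about the emerge.log format.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed emerge.log layout: "<unix time>: <message>".
SAMPLE_LOG = """\
1100900000: Started emerge on: Nov 19, 2004 21:33:20
1100900000:  *** emerge -u world
1100900010:  >>> emerge (1 of 2) app-arch/gzip-1.3.5-r1 to /
1100900100:  ::: completed emerge (1 of 2) app-arch/gzip-1.3.5-r1 to /
1100900110:  >>> emerge (2 of 2) app-admin/sudo-1.6.7_p5 to /
1100900410:  ::: completed emerge (2 of 2) app-admin/sudo-1.6.7_p5 to /
1101000000:  >>> emerge (1 of 1) app-arch/gzip-1.3.5-r2 to /
1101000150:  ::: completed emerge (1 of 1) app-arch/gzip-1.3.5-r2 to /
1101000200:  >>> emerge (1 of 1) sys-boot/lilo-22.6 to /
"""

EVENT = re.compile(r"^(\d+):\s+(>>> emerge|::: completed emerge) \(\d+ of \d+\) (\S+) to ")
VERSION = re.compile(r"^(.+?)-\d[^-]*(?:-r\d+)?$")

def strip_version(cpv):
    """app-arch/gzip-1.3.5-r1 -> app-arch/gzip (version bumps share one average)."""
    m = VERSION.match(cpv)
    return m.group(1) if m else cpv

def merge_durations(log_text):
    """Map category/name to the list of completed merge times in seconds."""
    started, durations = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        stamp, kind, cpv = int(m.group(1)), m.group(2), m.group(3)
        if kind.startswith(">>>"):
            started[cpv] = stamp  # a merge that never completed is overwritten or ignored
        elif cpv in started:
            durations[strip_version(cpv)].append(stamp - started.pop(cpv))
    return dict(durations)

def estimate(log_text, packages):
    """Sum the per-package averages; return (seconds, packages without history)."""
    history = merge_durations(log_text)
    total, unknown = 0.0, []
    for pkg in packages:
        runs = history.get(pkg)
        if runs:
            total += sum(runs) / len(runs)
        else:
            unknown.append(pkg)
    return round(total), unknown

if __name__ == "__main__":
    secs, unknown = estimate(SAMPLE_LOG, ["app-arch/gzip", "app-admin/sudo", "sys-boot/lilo"])
    print(f"Estimated update time: {secs // 60} min {secs % 60} s; no history for {unknown}")
```

Packages that were never merged to completion, like the interrupted lilo build in the sample, contribute nothing to the total and are reported separately.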

Another brilliant feature of genlop is its --current option, the perfect companion to the estimated compile-time from --pretend:

Code Listing 8.3: How much time spent since the beginning of an emerge

# genlop --current

 * app-portage/splat-0.07 

       current merge time: 12 seconds.

Now you can tell how long you have to wait.

9.  Moves, adds, and changes

Moves

The following developers recently left the Gentoo team:

  • None this week

Adds

The following developers recently joined the Gentoo Linux team:

  • None this week

Changes

The following developers recently changed roles within the Gentoo Linux project:

  • None this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN feedback

Please send us your feedback and help make the GWN better.

12.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

13.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated 22 November 2004

Summary: This is the Gentoo Weekly Newsletter for the week of 15 November 2004.

Ulrich Plate
Editor

Brian Herring
Author

Patrick Lauer
Author

Tamas Sarga
Author


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.