Gentoo Weekly Newsletter: January 10, 2005
1. Gentoo News
Discouraging Forum abuse: visual registration confirmation added
In the last week of December 2004, an attacker registered about 8,500 user accounts
from more than 160 hosts in less than one hour. While the Forum admins were working
on a solution to block these registrations, users started reporting the mass forum account registrations.
A few hours later, 15696 user
accounts were deleted, taking along a number of inactive accounts from the past.
To prevent these mass registration attempts from happening again, a visual registration
confirmation has now been added to the Forum user account registration process. This function
was originally implemented in the phpBB 2.2 development
versions, with the changes being backported to version 2.0.11 of phpBB. The same changes
have now been applied to the customized version of phpBB that is installed at forums.gentoo.org.
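As an added illustration (not part of the original newsletter and not Forum or phpBB code), the sketch below shows how a flood of this shape stands out in registration logs when new accounts are counted across all hosts in a sliding window. The events, date, host names and the threshold of 200 per hour are constructed assumptions; only the rough totals (about 8,500 accounts, 160 hosts, under an hour) come from the report above.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

def registration_bursts(events, window=timedelta(hours=1), max_total=200):
    """events: iterable of (datetime, source_host), one per new account.
    Returns a summary per period in which more than max_total
    registrations fell inside the sliding window."""
    recent, per_host, bursts, current = deque(), Counter(), [], None
    for ts, host in sorted(events):
        recent.append((ts, host))
        per_host[host] += 1
        while recent[0][0] <= ts - window:        # drop events older than the window
            _, old = recent.popleft()
            per_host[old] -= 1
            if per_host[old] == 0:
                del per_host[old]
        if len(recent) <= max_total:
            current = None                         # back to normal, close any burst
            continue
        if current is None:                        # threshold crossed just now
            current = {"alert_at": ts, "peak": 0, "hosts": 0, "max_per_host": 0}
            bursts.append(current)
        if len(recent) > current["peak"]:          # keep the worst window seen
            current.update(peak=len(recent), hosts=len(per_host),
                           max_per_host=max(per_host.values()))
    return bursts

# Constructed sample shaped like the incident: 160 hosts x 53 accounts
# (8,480 in total) inside one hour, preceded by ordinary sign-ups.
# The date, host names and threshold are assumptions, not from the newsletter.
T0 = datetime(2004, 12, 28, 3, 0, 0)

def constructed_events():
    flood = [(T0 + timedelta(seconds=i * 3599 // 8480), f"host-{i % 160:03d}")
             for i in range(8480)]
    normal = [(T0 - timedelta(hours=12) + timedelta(minutes=9 * i), f"member-{i}")
              for i in range(80)]
    return flood + normal

if __name__ == "__main__":
    for burst in registration_bursts(constructed_events()):
        print(burst)
```

On the constructed data the aggregate counter raises its alert within the first two minutes of the flood, and the summary reports how the load was spread across hosts.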
2.6.10 kernel marked stable
By the time you are reading this, the Linux 2.6.10 release of
gentoo-dev-sources will be marked stable, or in the final stages of being
tested, on supported system architectures. Linux 2.6.10, released late on
Christmas Eve, is proving to be the best kernel release in a long time, fixing
almost all of the issues we know about present in 2.6.9 and earlier.
Relatively few new issues have been reported, and the major ones have already
been fixed. 2.6 users are recommended to upgrade as soon as possible, as this
release also fixes some recently discovered security vulnerabilities.
2. Future zone
Project goals for 2005
A meta-thread on the gentoo-dev mailing list keeps track
of goals set forth for some Gentoo projects. Here's an overview of
items scheduled to see the light of day shortly:
Release engineering
- Biannual release schedule: The first release (2005.0) will be in
January, and the second release (2005.1) will be in July/August. Each
release will include install CDs, stages, and GRP.
- LiveCDs: Plans are to replace the current universal LiveCD with a
Knoppix-like XLiveCD. Media will be renamed accordingly; the minimal
LiveCD will remain but will instead be called the minimal installCD.
- Gentoo Reference Platform (GRP): Working in a joint effort with
the installer project, Release Engineering is working on redefining the
GRP. The current plan, which is subject to change, will use functionality
similar to quickpkg by packaging the installed packages on the
XLiveCD and copying them to the target system.
Kernel
- Migrate all existing ebuilds to kernel-2 and linux-* eclasses
- Push 2.6 for default where possible for headers and sources.
- Consolidate appropriate source packages, e.g. dev-sources ->
vanilla-sources
- Further improve our current eclass framework for additional kernels
(BSD, Darwin)
Gentoo/BSD
- Have a stage or a set of stages that will be used to install
Gentoo/FBSD
- Have a working baselayout.
- Have an installation CD (a.t.m. FreeSBIE can be used)
- Have a fair amount of keyworded ebuilds
- Have some of our *BSD specific patches applied to portage
- Finish our profile, stabilize our set of tarballs
3. Gentoo security
LinPopUp: Buffer overflow in message reply
LinPopUp contains a buffer overflow potentially allowing execution of
arbitrary code.
For more information, please see the GLSA Announcement
a2ps: Multiple vulnerabilities
The fixps and psmandup scripts in the a2ps package are vulnerable to
symlink attacks, potentially allowing a local user to overwrite arbitrary
files. A vulnerability in a2ps filename handling could also result in
arbitrary command execution.
For more information, please see the GLSA Announcement
Mozilla, Firefox, Thunderbird: Various vulnerabilities
Various vulnerabilities were found and fixed in Mozilla-based products,
ranging from a potential buffer overflow and temporary files disclosure to
anti-spoofing issues.
For more information, please see the GLSA Announcement
Shoutcast Server: Remote code execution
Shoutcast Server contains a possible buffer overflow that could lead to the
execution of arbitrary code.
For more information, please see the GLSA Announcement
mit-krb5: Heap overflow in libkadm5srv
The MIT Kerberos 5 administration library (libkadm5srv) contains a heap
overflow that could lead to execution of arbitrary code.
For more information, please see the GLSA Announcement
tiff: New overflows in image decoding
An integer overflow has been found in the TIFF library image decoding
routines and the tiffdump utility, potentially allowing arbitrary code
execution.
For more information, please see the GLSA Announcement
xine-lib: Multiple overflows
xine-lib contains multiple overflows potentially allowing execution of
arbitrary code.
For more information, please see the GLSA Announcement
phpGroupWare: Various vulnerabilities
Multiple vulnerabilities have been discovered in phpGroupWare that could
lead to information disclosure or remote compromise.
For more information, please see the GLSA Announcement
xzgv: Multiple overflows
xzgv contains multiple overflows that may lead to the execution of
arbitrary code.
For more information, please see the GLSA Announcement
Vilistextum: Buffer overflow vulnerability
Vilistextum is vulnerable to a buffer overflow that allows an attacker to
execute arbitrary code through the use of a malicious webpage.
For more information, please see the GLSA Announcement
4. Heard in the community
Web forums
Disappearing X causing slight unrest
The decision by Gentoo developers to gently nudge people to use xorg-x11
isn't entirely new, but the deletion of XFree86 from Portage on 1 January seems to have come
as a nasty surprise to some people. One thread out of a handful, to represent them all:
New global moderator Earthwings
Earthwings
has already served in the German subforum for several months before being
promoted to deal with the rest of the lot now:
gentoo-user
Achieving Hardware Happiness?
Many laptop users experience the same conundrum: Having a mobile computer results in
different configurations. Most of the time these are network-related, for example the
difference between a corporate LAN and a home network. But occasionally this includes
hardware as well. Many laptops have hardware docking stations with additional network cards,
video adapters, and even SCSI. This presents a unique issue to Linux users since most of the
time, the various settings are hard-edited into various files in /etc. Curious how to find your
own way to portable paradise? Read on!
Bash Arguments
What could be more Linux-y than a debate on the proper way to delete many files out of a directory?
There's xargs, find, even... for loops? An informative thread of opinionated answers is what we got this week!
"Monitoring" CPU Usage
On a more humorous note, one list member posted a "helpful" link to a newsforge article on a CPU monitoring
package called "Hot Babe". We'll provide GWN readers a link to the gentoo-user thread, and leave it at that.
gentoo-dev
RFC: Advice on driving compile times down
Stuart Herbert asks how to
reduce compile times. Read the thread for the different possibilities
offered to Gentoo users.
xfree gone
With this short notice Gentoo officially stopped supporting xfree.
All users are asked to migrate to xorg.
2005.0 2.4 & 2.6 stages
John Davis asks, on behalf of the
Gentoo Releng subproject, which kernel header and sources 2005.0
stages should be offered. He writes:
"Our options for building include (a) only 2.6 stages, (b) only 2.4
stages, or (c) a combination of 2.4 and 2.6 stages."
From a release point of view only one set would be preferred, but many
users still depend on 2.4 kernels. This rather long thread explores the
many small problems that may arise and shows how difficult it is to make
all people equally happy.
gentoo-server
From a mailing list mostly frequented by people using Gentoo
for non-desktop purposes, gentoo-server@gentoo.org,
here's a noteworthy thread that has spun from the original
poster asking a simple question:
5. Gentoo International
USA: Gentoo lectures at MIT, 10 and 24 January
Rajiv Manglani, Gentoo Linux
Security Team member and PPC developer, will give an introductory
(10 January) and an advanced lecture (24 January) on Gentoo Linux at
the Massachusetts Institute of Technology, MIT, in Cambridge, MA. Both
lectures are sponsored by the MIT's Student Information Processing
Board (SIPB) and will be held tonight and Monday 24 starting at 20:00, at
Building 4 room 237 (today) and room 231 (24 January) respectively. The
first lecture will focus on giving an overview and demonstrating a
running Gentoo system, while the "Advanced Gentoo Linux" presentation on 24
January will have more in-depth discussions of Portage and ebuild script
creation, and system tools such as qpkg and etcat. More details
can be found in Rajiv's Independent
Activities Period Gentoo lecture announcements. Please make sure to RSVP
to the Student Information Board if you
plan on attending.
Canada: Gentoo LTSP project at elementary school
The Prairie Linux User Group (PLUG) is planning
to deploy Gentoo Linux at the Holy Cross Elementary School in Winnipeg. The
project will use reclaimed hardware previously running various shades of Windows
that are being replaced with Linux due to cost of licensing for upgrades, concerns
about lax security, growing hardware requirements if Windows was chosen as an
upgrade path, and the current platform generally not meeting the educational
requirements at the school any longer. The setup includes an implementation of
the Linux Terminal Server Project (LTSP)
across thirty workstations, with Gentoo Linux running openmosix for the
terminal server system. On Thursday 20 January the PLUG will meet at the University of Winnipeg (starting at 19:00
in room 2M70) to get a few things straightened out before performing their real world
test at the school on Sunday, 23 January from 10:00. Thirty elementary students have
been invited to stress-test the system that they might get to keep if it works as
advertised: "If the system is successfully able to meet the requirements it would be
permanently installed," says PLUG member Mike
Crawford, a Gentoo dev-perl developer-to-be and maintainer of one
of the official Gentoo file mirrors (gentoo.eliteitminds.com). More details can be
found at the PLUG meeting announcement.
6. Gentoo in the press
Linux Journal (5 January 2005)
Andrew Cowie with the Linux Journal published a rather flattering piece
on "Gentoo for all
the unusual reasons," providing extensive coverage of Portage as a
tool for professional use: "You might think of Gentoo as a bleeding-edge
distribution for development workstations, but the simple packaging system
can make it a good choice for any production system that needs to stay up
to date," writes the author in his introduction, before explaining in great
detail the steps for installing and updating software in Gentoo, all nicely
accompanied by screenshots. The thoroughly researched article was among
LJ's top reads and most commented-on articles last week - even without the
GWN boosting its popularity yet again...
7. Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 02 January 2005 and 09 January 2005, activity
on the site has resulted in:
- 815 new bugs during this period
- 528 bugs closed or resolved during this period
- 23 previously closed bugs were reopened this period
Of the 7862 currently open bugs: 117 are labeled 'blocker', 229 are labeled 'critical', and 568 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
New bug rankings
The developers and teams who have been assigned the most new bugs during this period are:
8. Moves, adds, and changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
- Benedikt Böhm (hollow) - Apache
- Saleem Abdulrasool (compnerd) - Java
Changes
The following developers recently changed roles within the Gentoo Linux project:
- Lance Albertson (Ramereth) - New dev for netmon et al. (on top of his regular assignment to the infrastructure team)
- Danny Van Dyk (Kugelfang) and Mike Doty (KingTaco) - AMD64 operational co-leads (taking over from Travis Tilley)
- Jeremy Huddleston (eradicator) - Recruiting co-lead
9. Tips and tricks
Denu - a Portage-savvy menu generator for window managers
Are you switching from Fluxbox to Gnome to KDE a lot? Would you like to try out
even more window managers, if it wasn't for the missing application entries in the
menus to hop along with you? This week's tip brings a nifty solution in reach: Denu is a brand-new tool to assist in menu
generation. It can generate similarly structured menus for various window
managers enabling easy transitions from one to another. Denu synchronizes with an
online database to allow program definitions to be updated without a software update, and
best of all: Portage itself provides the installed program data!
Code Listing 9.1: Emerge Denu
# cd $PORTDIR_OVERLAY/x11-misc/denu
# wget http://dl.sourceforge.net/sourceforge/denu/denu-2.1.2-r1.ebuild
# emerge denu
Before we go any further, back up any menu configurations you don't want overwritten. Now run denu as a normal user; Denu is not meant to be run as root.
Figure 9.1: Screenshot of menu creation with Denu
The first step after installing Denu is to run Update (for program definitions)
and Sysupdate (for the current list of installed programs). Neither of these
is run at startup, so after installing a new program via Portage, Sysupdate
needs to be run again.
To create a menu there are two approaches: hand-pick entries from the Installed Tree
and add them, or hit Autofill and Denu will automatically generate a
menu based on the information it has. Reorganizing a newly created menu is as simple
as drag and drop; menu systems will respect the order of entries, except for Gnome and KDE,
which sort things alphabetically. Click on generate, and then on one of the boxes
corresponding to your desired window manager or desktop environment. Some window managers
like Fluxbox will be able to use your menu immediately, others may need to be reconfigured
or restarted.
Denu is still under development, but author Shux
has scanned half of the Portage tree for items that might be needed in a GUI menu already. For
the remaining half (or things that might need adding in the future) Denu provides a tool to
include other applications not in its database yet. Adding programs and their categories,
descriptions etc. is just as easy as shifting them around. For questions and answers of all
sorts check the lively Denu 2.0
thread in the Forums.
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
11. GWN feedback
Please send us your feedback and help make the GWN better.
12. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
13. Other languages
The Gentoo Weekly Newsletter is also available in the following languages: