Gentoo Weekly Newsletter: January 17, 2005

1.  Gentoo News

Gentoo name and logo usage guidelines

As many might have noticed from last week's front page news item, the Gentoo Foundation and Gentoo Technologies have drafted a document on Gentoo name and logo usage containing legalese instructions when people and projects are allowed to use the Gentoo name and/or logo. To make those as easily understandable as possible, here's a summary of the general ideas behind those guidelines.

The Gentoo trademark is described as follows:

Computer software, namely operating system software that automatically
configures and optimizes performance on the underlying hardware and is adapted
for a large number of usage scenarios and applications, namely, secure servers,
development workstations, professional desktops, gaming systems and embedded
solutions.

Section 4 and Section 6 describe when people and projects are allowed to use the Gentoo name in content that falls under the description of the Gentoo trademark. These last words are very important - when you use Gentoo in any meaning other than the description given above, then this document does not apply to you. So you're free to talk about the Gentoo penguin or start an insurance company called "Gentoo Insurance".

So, when are you allowed to use "Gentoo" in a project or content that does relate to operating system software (including the Gentoo operating system specifically)?

We ask project managers not to call their project "Gentoo" or have "Gentoo" in its name. Otherwise users might get confused where to go for official information, support or feedback. We also ask that, if you use "Gentoo" in any other way (i.e. not within the name of a project) that still relates to operating system software, that you clearly mention that Gentoo is a registered trademark and that whatever you use "Gentoo" for is not part of the Gentoo project and not directed or managed by the Gentoo project or the Gentoo Foundation. It is common practice to add a ™ symbol behind "Gentoo" and mention "Gentoo is a trademark of Gentoo Technologies, Inc." at the end of your document.

Hold it! Does that mean we can't create a site that helps Gentoo users? Surely not, that's not our intention. The more Gentoo community sites we see, the happier we are. Section 6 grants explicit approval to community sites to use the "Gentoo" name in their project name if they acknowledge the "Gentoo" trademark and follow the conditions stated:

• Each page must clearly state that the site is not officially part of the Gentoo project. This informs their users that they should not try to get feedback or support from the Gentoo project about that project - chances are very likely that the Gentoo developers don't know how to deal with their requests.
• The website may not look like an official Gentoo website. The layout used by the Gentoo website (both the current and the upcoming new layout) are only to be used by official Gentoo websites. Using the same (or a similar) layout might confuse users about the origin of the website and where to go with feedback or comments.

So far about the Gentoo name. What about the "g" logo?

When you plan on using the Gentoo logo on a software/hardware product for commercial purposes, we ask you not to have the Gentoo logo as the primary, largest logo on the product. People who then use this product will know that the product contains or is based on Gentoo, but that support and feedback should be directed to you.

What about other products, such as merchandise? We currently deny any use of the Gentoo logo or artwork on such products for commercial purposes. The foundation will grant approval to parties on a case-by-case basis to sell such material, most likely to receive some funding from the sales, or to allow projects that help Gentoo to fund their actions (such as conferences) with the sales of these products.

You are free to use the Gentoo logo for any non-commercial purpose as long as the logo is used to refer to the Gentoo project. For instance, you can use the Gentoo logo to accompany an article about Gentoo, or on Gentoo LiveCDs you give away on conferences.

Brazilian Portuguese and Spanish translations, mailing list for German GWN installed

The new year started with excellent news for people in some non-English environments who would like to read the GWN in their own language: Building on the success of the French, Russian and Turkish GWN who re-emerge in the final days of last year, two other language versions were softly woken from their year-long sleep, and put up with fresh material to the Gentoo website:

• Marcelo Góes and Fernando Vaz have started the Brazilian Portuguese translation project again, the first issue (10 January 2005) has been published just last week. They've requested additional help via a Forum thread, please join them if you can contribute!
• After an equally long silence, a team of Spanish translators has begun working on their version, with the same 10 January issue as their first being fresh out of the blocks, too, signed by five initial collaborators (Demóstenes, Andrés Pereira, Víctor Argüelles, Miles Lubin and Alexander Moreno).

A warm welcome to our new translator teams! If you would like to contribute to a GWN version in your own language, please send a short note to gwn-feedback@gentoo.org.

Meanwhile, a long-standing request by readers of the German GWN has been answered. On top of being available at the official Gentoo website, the German version will be delivered to subscribers of a mailing list set up last week. Distribution will start from the current issue, if you would like to subscribe, send a message to gentoo-gwn-de-subscribe@gentoo.org and follow instructions.

2.  Future zone

Project goals for 2005

Continued from last week's GWN, this section today keeps track of more goals set forth for some Gentoo projects again. After Release Engineering, Kernel, and Gentoo/BSD defined their goals last week, here's what else is on the agenda for the next months:

Portage

• Stabilize portage-2.0
• Finalize a plan for (CVS-)HEAD portage features
• Roll out a useful API
• Release new versions with extensive changes

Web-app

• Improve turn-around time on responses to security bugs
• Publish a Gentoo webserver handbook (in progress)
• Release webapp-config v2, and vhost-config v1 (in progress)
• Remove webapp-apache.eclass from Portage
• Find more maintainers for our packages

Documentation project

• Pull in developers/contributors: contributors for non-x86, contributors for Gentoo projects, maintainers for existing documentation
• Reintroduce status updates for all team members
• Improve documentation on GuideXML
• "Writing Style" documentation
• Audit the existing documentation
• More USE-case documentation (e.g. "Virtual Mailhosting Guide")
• Documentation project update

Forensics Herd

• Include more packages
• Develop a bootable CD for network and disk forensic tools

Embedded

• Include more packages
• Solve bugs related to packages

Netmon

• Catch up on bugs
• Recruit more people
• Integrate gentoo-security announcements and nessus

Managers' meetings

• Rotate schedules across timezones so that more developers may participate
• Discuss usefulness of these meetings and implement needed changes
• Assign task to get logs put up on the web

GLEPs

• Possibly recruit another GLEP editor
• Consider allowing plain-text GLEPs

3.  Gentoo security

Dillo: Format string vulnerability

Dillo is vulnerable to a format string bug, which may result in the execution of arbitrary code.

For more information, please see the GLSA Announcement

TikiWiki: Arbitrary command execution

A bug in TikiWiki allows certain users to upload and execute malicious PHP scripts.

For more information, please see the GLSA Announcement

pdftohtml: Vulnerabilities in included Xpdf

pdftohtml includes vulnerable Xpdf code to handle PDF files, making it vulnerable to execution of arbitrary code upon converting a malicious PDF file.

For more information, please see the GLSA Announcement

mpg123: Buffer overflow

An attacker may be able to execute arbitrary code by way of specially crafted MP2 or MP3 files.

For more information, please see the GLSA Announcement

UnRTF: Buffer overflow

A buffer overflow in UnRTF allows an attacker to execute arbitrary code by way of a specially crafted RTF file.

For more information, please see the GLSA Announcement

Konqueror: Java sandbox vulnerabilities

The Java sandbox environment in Konqueror can be bypassed to access arbitrary packages, allowing untrusted Java applets to perform unrestricted actions on the host system.

For more information, please see the GLSA Announcement

KPdf, KOffice: More vulnerabilities in included Xpdf

KPdf and KOffice both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code if a user is enticed to view a malicious PDF file.

For more information, please see the GLSA Announcement

KDE FTP KIOslave: Command injection

The FTP KIOslave contains a bug allowing users to execute arbitrary FTP commands.

For more information, please see the GLSA Announcement

imlib2: Buffer overflows in image decoding

Multiple overflows have been found in the imlib2 library image decoding routines, potentially allowing the execution of arbitrary code.

For more information, please see the GLSA Announcement

o3read: Buffer overflow during file conversion

A buffer overflow in o3read allows an attacker to execute arbitrary code by way of a specially crafted XML file.

For more information, please see the GLSA Announcement

HylaFAX: hfaxd unauthorized login vulnerability

HylaFAX is subject to a vulnerability in its username matching code, potentially allowing remote users to bypass access control lists.

For more information, please see the GLSA Announcement

poppassd_pam: Unauthorized password changing

poppassd_pam allows anyone to change any user's password without authenticating the user first.

For more information, please see the GLSA Announcement

Exim: Two buffer overflows

Buffer overflow vulnerabilities, which could lead to arbitrary code execution, have been found in the handling of IPv6 addresses as well as in the SPA authentication mechanism in Exim.

For more information, please see the GLSA Announcement

tnftp: Arbitrary file overwriting

tnftp fails to validate filenames when downloading files, making it vulnerable to arbitrary file overwriting.

For more information, please see the GLSA Announcement

4.  Heard in the community

Web forums

Flurry of fits over GCC update

GCC 3.3.5 was marked stable for keyword="x86" last week, but caused major uproar because of highly unpleasant side-effects. The symptoms include errors when compiling some libraries like Gtk+-2, which in turn lead to a few dozen duplicate bug reports in Bugzilla, and an equally frenetic activity in the Forums. The fix is simple enough, but people are still puzzled how something like this could have happened in the first place:

• Problems after upgrade gcc to 3.3.5 (solution)

gentoo-user

Linux and TV tuner cards

Linux supports various TV Tuner cards, but no one ever said it was trivial! This massive thread leads up our coverage of the gentoo-user list this week, and it involves a Gentoo user using a WinTV card. Read this thread for an important lesson learned on using and configuring with make menuconfig!

• BT848 driver.

Soliciting initial advice

Just about everyone has a few stories regarding their first installation of Gentoo. While Gentoo's install has undoubtedly improved by leaps and bounds over the past few years, Linux users migrating from other mainstream distributions like SuSE and Fedora are often intimidated with the "daunting" task of installing the operating system from source. One potential Gentoo recruit solicited advice from the list this week, with a handful of great tips in the tow.

• before beginning

gentoo-dev

Encrypted root file system

Paranoid? Trying to hide something? This thread gives you lots of good hints on encrypting even your root filesystem to keep your data away from bad people

• Encrypted root file system

Ideas for desktop TLP goals?

Donnie Berkholz asks "Where would you like to see the Gentoo desktop go? What's been done poorly, what's been done well?"

• Ideas for desktop TLP goals?

2005.0 cleanups

In preparation for the 2005.0 release, Mike Frysinger warns that some of the older profiles (2004.0 mostly) will be removed with the appearance of 2005.0. Please update your profiles!

• 2005.0 spring cleanup

5.  Gentoo International

USA: Gentoo booth at the Linux World Expo in Boston, MA (14 to 17 February)

Preparations for Gentoo's presence from 14 to 17 February 2005 at the Linux World Expo, Boston edition, are well under way. Architectures on display will include x86 and others, with a possibility of including a few MacMinis. There's a Forum thread for people looking for directions to the booth (and possibly to announce their intentions to visit the show), and if you need help with accommodation or other tips, Bostonian Andrew Fant has volunteered to serve as a local coordinator and pivot for informations.

UK: Gentoo UK conference online registration open

Online registration for the second Gentoo UK conference on 12 March 2005 is now possible via Stuart Herbert's web space at dev.gentoo.org. According to Stuart, there are even a few slots for presentations still available to interested developers.

6.  Gentoo in the press

Linux Format (Issue #62, January 2005)

The UK based magazine's print version has an article on "the ultimate distros". Ranking Gentoo 6th among 15 distributions under scrutiny, their peculiar judgement of Gentoo including a not entirely satisfactory assessment of its usefulness has already triggered some repercussions in the Gentoo Forums.

7.  Bugzilla

Summary

• Statistics
• Closed bug ranking
• New bug rankings

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 09 January 2005 and 16 January 2005, activity on the site has resulted in:

• 968 new bugs during this period
• 500 bugs closed or resolved during this period
• 31 previously closed bugs were reopened this period

Of the 7959 currently open bugs: 116 are labeled 'blocker', 229 are labeled 'critical', and 567 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

• AMD64 Porting Team, with 40 closed bugs
• Gentoo's Team for Core System packages, with 32 closed bugs
• Gentoo Security, with 31 closed bugs
• Gentoo KDE team, with 19 closed bugs
• Jeremy Huddleston, with 18 closed bugs
• Java team, with 16 closed bugs
• Net-Mail Packages, with 13 closed bugs
• media-video herd, with 12 closed bugs

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

• AMD64 Porting Team, with 22 new bugs
• Gentoo Sound Team, with 18 new bugs
• Gentoo X-windows packagers, with 15 new bugs
• Net-Mail Packages, with 15 new bugs
• Gentoo Kernel Bug Wranglers and Kernel Maintainers, with 15 new bugs
• Gentoo Linux Gnome Desktop Team, with 14 new bugs
• OpenOffice Team, with 12 new bugs
• Gentoo KDE team, with 12 new bugs

8.  Tips and tricks

Gentoo bugzilla search plugin for Firefox

Are you using the little search input field on the upper right of your Firefox browser window? Most people do, and most of most people use it only to google for search terms. A little lesser known is the possibility to add plugins for limited searches at specific websites - or the Gentoo bug report system, for that matter. This extremely useful little add-on was concocted by developer Mike Frysinger, and hunts for your search terms in the overview of bug reports at Gentoo's central Bugzilla.

# wget http://mycroft.mozdev.org/plugins/Gentoo-Bugs.{src,png} 

Next, copy those files to the path where Firefox looks for plugins to use. Be root if you do this, or prepend the following command with sudo:

# cp Gentoo-Bugs.src Gentoo-Bugs.png /usr/lib/MozillaFirefox/searchplugins/(or sudo if not done as root)

That's it. Kill any open Firefox windows, restart Firefox, there you go: Gentoo bug hunting at your fingertips.

9.  Moves, adds, and changes

Moves

The following developers recently left the Gentoo team:

• None this week

Adds

The following developers recently joined the Gentoo Linux team:

• Kai Zimmermann (kzimmerm) - media-video

Changes

The following developers recently changed roles within the Gentoo Linux project:

• None this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN feedback

Please send us your feedback and help make the GWN better.

12.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

13.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:

• Danish
• Dutch
• English
• German
• French
• Japanese
• Italian
• Polish
• Portuguese (Brazil)
• Portuguese (Portugal)
• Russian
• Spanish
• Turkish