Gentoo Weekly Newsletter: February 14th, 2005
1. Gentoo News
Gentoo Forums platform and software switch
As anticipated in a Future
zone article three weeks ago, the Gentoo
Forums have switched to a new hardware platform and an upgraded version
of phpBB, now running on a clean codebase, normalizing all the patches that had
been applied to the old version, and more feature-rich than the release that was
powering the Forums before. Among the embellishments are better language packs
for the non-English forums, new URI styles with absolute links that enable
search engine spiders to index the entire Forum, and a few things of lesser
visibility, like the moderators' new ability to join threads -- displacing
posts from threads where they're out of context to a more appropriate location
was never possible before. A few glitches aside, the changeover went so
smoothly that none of the users realized it until it was all over and done.
Congratulations to Christian Hartmann and Lance Albertson for a flawless migration!
Gentoo event calendar for February/March 2005
Busy days for Gentoo evangelists: Their schedule has never been so packed with
shows, conferences and presentations as over the next four weeks. Here's a list
of the upcoming events, with a last reminder for tomorrow's LWE in Boston at
the top.
Note:
Links point to official event websites or -- if available -- Gentoo developer pages
organizing our own presence.
Gentoo Linux Security Team -- Interview with Thierry Carrez
If you have a habit of watching the pattern of security issues and
responses in the Linux world, you've probably noticed that Gentoo's
alerts and responses to those issues tend to follow rapidly on the
heels of initial discovery. In fact, Gentoo Linux Security
Announcements (GLSAs) are a frequently cited resource for security
notifications and fix status even outside the Gentoo community. This
reputation of responsiveness is a remarkable feat for a community
which does not have a commercial arm supporting a dedicated security
response center.
Thierry Carrez (koon), one of
the Operational Managers for Gentoo's Security
Team, was kind enough to take a few minutes to explain some of
the practices that have allowed the team to be so efficient in
identifying and responding to security issues.
Could you give us a rough overview of the process involved in
identifying and fixing security flaws? What steps are involved? Who
performs them? What tools are used?
We follow the Vulnerability
Treatment Policy to handle security bugs. In brief, public
vulnerabilities get submitted by users, our security scouts or the
security developers, whoever finds it first. Sometimes we get notified
by confidential channels (the vendor-sec list or direct contact from
the upstream developers or auditors). Then the security bug progresses
through upstream status (where we wait for a fix from upstream
maintainers); ebuild status (where we call the Gentoo
maintainer for the package and ask for a fixed ebuild); stable
status, where we ask all security-supported arches to test and mark
the fixed package stable; and finally to glsa status where we
issue a GLSA if necessary. Sometimes we get stuck at one of those
intermediate statuses and have to work out a patch ourselves.
Sometimes we don't find a solution and we mask the package because
it's a security risk to leave it in the tree without a fix.
Security bug handling is mostly calling the right people at the
right time to try to get the ball rolling at all times. This task is
performed by the GLSA coordinators, and it's not automated. We rely
heavily on the other Gentoo developers (package maintainers and arch
teams) to do the patching and testing.
Where do you find out about security flaws? Mailing lists?
Alerts? Do we do testing ourselves?
We rely on our user base to submit as many public vulnerabilities
as they can. The security team tries to get all those that go
unnoticed. Security flaws come from public mailing-lists like BugTraq
or Full-Disclosure, and also upstream security advisories and other
distribution advisories. We are more and more accepted as part of the
general Linux security community and therefore we get notice of some
vulnerabilities before they go public. To contribute back we have
recently set up a Security Audit subproject to find vulnerabilities by
ourselves, and our package maintainers also find a lot of
vulnerabilities in their testing.
When a flaw is identified, how is it documented?
Most of the time we just copy the public advisory information, and
then proceed in verifying that it applies to Gentoo Linux, and rate
its severity. This severity seeds priorities, as we try to respect the
delays indicated in the Vulnerability Treatment Policy.
Is there a formal process where the resolution of a flaw is
assigned to someone? How are priorities set? How is the fix
documented and tested?
Each GLSA Coordinator can take a bug and be tasked to ensure the
ball keeps rolling on this bug at all times. But if a bug gets stuck,
every security developer can intervene to unstick it. Priorities are
set by severities, following the rules described in the Vulnerability
Treatment Policy.
When a fix is available, how is it documented? Who does the
GLSA? How are GLSAs transmitted? How are they archived or
stored?
We document the fix in a GLSA draft, which must get at least two
positive peer-reviews before getting released. We use a tool called
GLSAMaker to help in ensuring consistency between all GLSAs. The GLSA
is written by the GLSA Coordinator or sometimes by one of our Security
Apprentices (GLSA coordinators in training). GLSAs are sent by mail to
gentoo-announce and other security lists, automatically appear in a
live RDF
feed and on the Gentoo
Security page. Finally, they get copied by forum moderators to
appear as forum announcements. GLSA XML sources are part of the
portage tree (in metadata/glsa) and get synced on all user boxes, to
enable the use of the (for the moment still experimental) glsa-check
tool (which is part of the gentoolkit package).
Who are the upstream consumers of GLSAs? Other than Gentoo
users, are there other organizations that are alerted?
We warn linuxsecurity.com so that they include GLSAs in their advisories
page. The MITRE
CVE dictionary also includes GLSA references.
Are there any automated tools or scripts that the team uses to
manage these jobs?
We use GLSAMaker, a tool written by Tim Yamin (plasmaroo), to help in
writing GLSA XML source and the text counterpart.
What's the status of "emerge security" functionality to identify
and fix security issues using portage?
"Emerge security" functionality is currently under testing with the
"glsa-check" tool, part of the gentoolkit package. It allows us to
identify which GLSAs affect your system and to automatically fix the
vulnerable packages. When this is ready, the portage tool team will
integrate this into mainline tools like emerge. Users are encouraged
to use the latest glsa-check and report any oddities using bugzilla.
Where can users get information about the security team?
Our main page is the Gentoo Security portal at security.gentoo.org. It
contains all the pointers to our policy documents, the latest GLSAs
and lots of useful information. People that would like to join the
Gentoo Security project should read the Security project
webpage, and in particular the GLSA
Coordinators guide and the Security
padawans page to get a feel of what we need.
What are some of the initiatives the security team have
undertaken recently?
In the last year, we put procedures in place so that all unwritten
rules followed by the team have a reference policy document. We also
put together a new team that will ensure that we keep a consistent
security watch at all times.
What did we forget to ask that we should know about?
Maybe our management structure. Kurt Lieber (klieber) is our
strategic manager, Sune Kloppenborg
Jeppesen (jaervosz) and myself are the operational
managers.
2. Future Zone
Open-Xchange in Gentoo Linux
Open-Xchange (OX) is the
open-source groupware server on which Novell's SuSE Linux Openexchange Server
(SLOX) is based.
Open-Xchange was closed source until 30 August 2004 when it was released under
the GNU Public License. OX leverages popular open-source server technology by
integrating existing projects (SMTP, IMAP, LDAP, Apache, Tomcat, and
PostgreSQL) to deliver a powerful messaging and collaboration environment. Some
features of interest include e-mail, project management, a versioning document
store, shared calendaring, and a knowledge base. It can be accessed via both a
web interface or through fat clients such as Evolution, the Mozilla suite
(Thunderbird and Sunbird) and any other third party application that supports
WebDAV. Currently, Open-Xchange is in development with a slated stable release
(v0.8) in March 2005. If you want to see what OX is like before undertaking the
somewhat daunting install, you can try it out using the online demo.
Installation and support
There are currently two ways to install OX in Gentoo Linux: using the ebuild from Bugzilla
(not currently in the Portage tree), or manually installing it. A Wiki page explains
the installation using the ebuild, but for most of the necessary steps to get OX
successfully running, an additional manual
installation HOWTO covers the prerequisite configurations as well as
extending and enhancing Open-Xchange. For Gentoo-specific questions a Gentoo Forum thread
with several hundred posts has most of the answers that are available so far.
If you are not already familiar with the servers that OX uses be prepared for a
steep learning curve and to do a lot of reading. A majority of the problems
experienced so far involve LDAP configuration, Apache/Tomcat integration, and
SASL authentication. All of the servers that OX relies on need to be properly
configured and working before you can proceed with the actual Open-Xchange install.
Note:
Author Mike Fetherston was a dedicated
Slackware user who turned to Gentoo in early 2004. Upon Netline's
release of SuSE's SLOX server under the GPL he covered his initial installation
experiences and tremendous feedback from the Gentoo user community in a document of
currently more than 40 pages.
3. Gentoo security
OpenMotif: Multiple vulnerabilities in libXpm
Multiple vulnerabilities have been discovered in libXpm, which is included
in OpenMotif, that can potentially lead to remote code execution. (NB: This
is the same vulnerability that was fixed in xorg-x11 last November)
For more information, please see the GLSA Announcement
PostgreSQL: Local privilege escalation
The PostgreSQL server can be tricked by a local attacker to execute
arbitrary code.
For more information, please see the GLSA Announcement
Python: Arbitrary code execution through SimpleXMLRPCServer
Python-based XML-RPC servers may be vulnerable to remote execution of
arbitrary code.
For more information, please see the GLSA Announcement
pdftohtml: Vulnerabilities in included Xpdf
pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to execution of arbitrary code upon converting a malicious PDF
file.
For more information, please see the GLSA Announcement
Mailman: Directory traversal vulnerability
Mailman fails to properly sanitize input, leading to information
disclosure.
For more information, please see the GLSA Announcement
Webmin: Information leak in Gentoo binary package
Portage-built Webmin binary packages accidentally include a file containing
the local encrypted root password.
For more information, please see the GLSA Announcement
Perl: Vulnerabilities in perl-suid wrapper
Vulnerabilities leading to file overwriting and code execution with
elevated privileges have been discovered in the perl-suid wrapper.
For more information, please see the GLSA Announcement
mod_python: Publisher Handler vulnerability
mod_python contains a vulnerability in the Publisher Handler potentially
leading to information disclosure.
For more information, please see the GLSA Announcement
4. Heard in the community
gentoo-dev
Remove no [insert feature here] USE-flags from the tree
Michiel de Bruijne writes:
"There are quite a few ebuilds in the tree that make use of a no [insert
feature here] USE-flag. So basically by disabling the USE-flag you get
more features. Pulling in extra dependencies by disabling the USE-flag is a
possibility. This has some nasty side effects ..."
The following discussion shows quite well why these USE-flags are not
good.
Automatic stabilization of packages
Approximately every 6 months the same discussion comes up:
How can the packages in portage be kept up to date? The naive approach
would be automatic stabilization after a certain period of time.
This thread shows why for the most part that is not a good idea ...
Closing or resolving bugs, which is it?
Marius Mauch writes:
"I noticed a new trend lately introduced by a few new devs: changing bug
status from RESOLVED to CLOSED. Personally I just find it annoying and
completely useless. Can we agree to not do that unless there is a
technical reason? Don't see any benefit in this, just means that closed
bugs are now split between two "categories" with no actual difference."
5. Gentoo International
USA: Gentoo Bugday event at Oregon State University LUG
Gentoo Bugdays are regularly held
every first Saturday of each month, with developers and users everywhere gathering
on IRC and skimming Gentoo's bugzilla for anything that looks like it needs
fixing. On 5 February, the Linux User Group of Oregon State University took the
opportunity and turned the virtual event into a real one.
Twelve OSLUG members met at Weatherford Hall, the OSU residential college
building. Aided by a precompiled list of bugs prepared by Gentoo's Bugday
organizers for this occasion, they kept squashing bugs from 9:00 to 16:00, with
the official IRC channel #gentoo-bugs being projected overhead,
and assorted computers scattered around the classroom, each with a determined
Gentoo bug hunter in front of the screen.
Figure 5.1: The Klendathu, OR bughunt: Deedra Waters, Dunbar (background) and Micheal Clay
Note:
More photos are available at the OSLUG website.
Germany: Storage tool release for Gentoo Linux
Commercial releases of Linux applications with official support outside the
RedHat/SuSE/Mandrake realm are few and far between. A German company, SEP AG, has now announced the availability of
their storage management product "SEP sesam" for Gentoo Linux. "We're
traditionally tied to SuSE Linux, but had Gentoo on our radar ever since we
watched the impressive installation Lars
Weiler did on an HP Proliant cluster at last year's LinuxTag in
Karlsruhe," recalls SEP's sales manager Johann Krahfuss (cf. GWN report 28 June 2004).
"So when our first customers demanded an adaptation of SEP sesam to
Gentoo Linux, it didn't exactly take us by surprise." The German federal
research institution Fraunhofer Gesellschaft
were the first to request a SEP sesam installation inside a Gentoo
Linux environment, "and since we didn't encounter any problems whatsoever, we
feel it's ready for official release," says Krahfuss. A 30-day test version
(including support) can be downloaded from the corporate website's download
section. SEP sesam is designed for data storage management in heterogeneous
networks, including Linux, BSD, Solaris, TRU/64, OpenVMS, Windows and Mac OS X.
The company will be present at next week's CRN Storage Solution Days 2005
in Neuss (link in German only).
6. Gentoo in the press
Newsforge (8 and 9 February 2005)
Newsforge published an article in two parts about using
MySQL to benchmark OS performance, as analyzed and written by Tony Bourke. The performance check
spans server operating systems Open-, Net- and FreeBSD, Solaris 10, and Linux
as platforms for MySQL database execution, and "among a multitude of
distributions" Gentoo was chosen for the Linux part of the test, running both
2.4 and 2.6 kernels (gentoo-sources) on ReiserFS. "With Gentoo it
was also relatively easy to install NPTL for 2.6, which I used in the 2.6 tests,"
says Tony Bourke, "although they didn't make any difference when compared to
non-NPTL 2.6 results." While the first part just explains the tools and
the methodology, the actual performance comparison is published in a separate
article - with amazing results, Gentoo Linux clearly winning all individual
benchmark tests. Funnily enough, Gentoo's outstanding performance even triggered
complaints about the "unfair
advantage" of using a source-based, possibly processor-optimized Linux
distribution as a platform for the comparison.
CNET (7 February 2005)
Sun's President Jonathan Schwartz nods his head to Gentoo's OpenSolaris
effort in an interview published on CNET last week. While explaining the
OpenSolaris governance model to interviewer Stephen Shankland, he claims "Solaris
is now officially platform-neutral" and expects "10 or more" non-Sun
OpenSolaris distributions to appear in the market.
Security Focus (2 February 2005)
Columnist Jason Miller says Linux kernel security handling is broken,
"and it needs to be fixed right now." The article at
securityfocus.com, a publication mainly read by security professionals,
is highly critical of the way security bugs in the Linux kernel are being
addressed. But the author, a self-proclaimed "huge follower of BSD-based operating
systems," has some good news, too: "Once we start looking at actual distributions
of the Linux kernel as a complete operating system, we find some distributions
with official security contacts, as well as security-related pages similar to
those provided by the major BSD-based operating systems. Gentoo Linux Security is
a good example of that."
Réseaux & Télécoms (3 February 2005, in French)
Directly responding to the Security Focus column by Jason Miller, the French
network and telco magazine looks beyond the kernel as a security issue: Both
flaws in individual applications not depending on the kernel, and the
distribution of security-related information are identified as equally important
fields of activity for the "bug hunters of open source." The article "Noyau
Linux : Mais où est la sécurité ?" acknowledges Miller's conclusion
of "things changing, fast and in the right direction," and praises Thierry
Carrez (see our interview
above) as an example for "impressive work." With the current pace of
discussion around the structure of security handling and the distribution of
information, it's "time to show some optimism," says author Marc Olanie,
pointing out that it took Microsoft eighteen years to standardize their own
security procedures -- "or have they?"
Sun blogs (31 January 2005)
Eric Boutilier, an engineer at Sun, Inc. is gearing up for Gentoo development
on OpenSolaris, and posted his first attempts at familiarizing himself with Portage
on Linux to
his blog at the Sun website. While his choice of installation material is
peculiar - Gentoo-clone Vidalinux rather than a standard install, and on a five-year-old
Portégé laptop - he quickly falls in sync with normal Portage user behaviour for lengthy
compiles: "Oh well. I left it happily building away and went to work."
7. Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 06 February 2005 and 13 February 2005, activity
on the site has resulted in:
- 860 new bugs during this period
- 699 bugs closed or resolved during this period
- 37 previously closed bugs were reopened this period
Of the 8036 currently open bugs: 102 are labeled 'blocker', 243 are labeled 'critical', and 600 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
New bug rankings
The developers and teams who have been assigned the most new bugs during this period are:
8. Tips and tricks
Portage magic: Identify obsolete packages
Gentoo developer Brian Harring designed
a clever way to identify all merged versions of packages not available
in Portage anymore -- both the official tree and packages from
PORTDIR_OVERLAY. Here is the method he came up with, packing
as much Python neatness as fits on a single command line:
Code Listing 8.1: Python scriptlet #1
python -c 'import portage; print [x for x in portage.db["/"]["vartree"].getallcpv() \
if len(portage.portdb.xmatch("match-all","="+x))==0]'
If that just went a little over your head, let's look at what exactly it does. For example,
if a package, say, foo-1.2.3 is merged, and that version 1.2.3 is no longer in the
tree, the script will point it out. A simple check for packages that aren't available any
longer regardless of versions, would look like this:
Code Listing 8.2: Python scriptlet #2
python -c 'import portage; print [x for x in portage.db["/"]["vartree"].getallcpv() \
if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0]'
Finally, if you want to ignore package foo-1.2.3 even if it isn't in the tree
any longer, but a revision foo-1.2.3-r1 is, the following script will ignore
the package, only triggering on installed applications that have completely vanished from
Portage.
Code Listing 8.3: Python scriptlet #3
python -c 'import portage; print [x for x in portage.db["/"]["vartree"].getallcpv() \
if len(portage.portdb.xmatch("match-all","~"+"-".join(portage.pkgsplit(x)[:2])))==0]'
Lastly, none of the above take injected packages into consideration, only those that
were installed from an available tree. Now, suppose you'd like to ignore those, too, here's
what to do:
Code Listing 8.4: Python scriptlet #4
python -c 'import portage; print [x for x in portage.db["/"]["vartree"].getallcpv() \
if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0 \
and not portage.db["/"]["vartree"].dbapi.isInjected(x)]'
Yes, we knew you'd like this. All of the above do work for individual packages you keep
in an overlay tree, for example at /usr/local/portage, those are being evaluated
along with packages in the official Portage tree. Try it out, you can't break anything, it
just notifies you about whatever it finds, leaving it up to the user to decide what to do
with that information.
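As an added example (not code from the article or from Portage itself), here is a stand-alone Python 3 re-implementation of the four checks in Code Listings 8.1 to 8.4, with the vartree, the portdb and the injected-package lookup replaced by constructed in-memory sets; the package names and versions are made up, and the pkgsplit here raises ValueError on malformed input where Portage's returns None.

```python
"""Stand-alone re-implementation of the checks in Code Listings 8.1-8.4.

Added example, not GWN or Portage code: INSTALLED stands in for
portage.db["/"]["vartree"].getallcpv(), AVAILABLE for what
portage.portdb.xmatch("match-all", ...) can see, INJECTED for isInjected().
"""
import re

# CPV = category/package-version[-rN].  The package name is matched lazily so
# it stops at the first "-<digit>" (a version must start with a digit), which
# is the split rule portage.pkgsplit() applies as well.
_CPV_RE = re.compile(r"^([\w+.-]+/[\w+.-]+?)-(\d[\w.]*?)(?:-r(\d+))?$")


def pkgsplit(cpv):
    """Split 'cat/pkg-ver[-rN]' into (cat/pkg, ver, rN); rN defaults to r0."""
    m = _CPV_RE.match(cpv)
    if m is None:
        raise ValueError("not a category/package-version string: %r" % cpv)
    cp, ver, rev = m.groups()
    return cp, ver, "r" + (rev or "0")


def versions_gone(installed, available):
    """Listing 8.1 ('=' atom): installed CPVs whose exact version left the
    tree; a newer revision foo-1.2.3-r1 does not cover installed foo-1.2.3."""
    return sorted(cpv for cpv in installed if cpv not in available)


def packages_gone(installed, available, injected=frozenset()):
    """Listing 8.2 (bare cat/pkg atom), and 8.4 when `injected` is given:
    installed packages of which no version at all remains in the tree."""
    avail_cp = {pkgsplit(cpv)[0] for cpv in available}
    return sorted(cpv for cpv in installed
                  if pkgsplit(cpv)[0] not in avail_cp and cpv not in injected)


def versions_gone_any_revision(installed, available):
    """Listing 8.3 ('~' atom): like 8.1, but a tree entry with the same
    version and any -rN revision still counts, so only vanished versions show."""
    avail_cpver = {pkgsplit(cpv)[:2] for cpv in available}
    return sorted(cpv for cpv in installed if pkgsplit(cpv)[:2] not in avail_cpver)


# Constructed sample data (not a real box): what is merged locally ...
INSTALLED = {
    "x11-libs/openmotif-2.2.3",      # tree now carries only the -r3 revision
    "sys-apps/portage-2.0.51-r14",   # tree moved on to -r15
    "dev-lang/python-2.3.4",         # unchanged in the tree
    "app-misc/oldtool-1.0",          # dropped from the tree entirely
    "net-misc/localthing-0.1",       # never came from a tree: injected
}
# ... and what the tree (official plus PORTDIR_OVERLAY) currently offers.
AVAILABLE = {
    "x11-libs/openmotif-2.2.3-r3",
    "sys-apps/portage-2.0.51-r15",
    "dev-lang/python-2.3.4",
    "dev-lang/python-2.4",
}
INJECTED = {"net-misc/localthing-0.1"}

if __name__ == "__main__":
    print("8.1 exact version gone:   ", versions_gone(INSTALLED, AVAILABLE))
    print("8.2 package gone:         ", packages_gone(INSTALLED, AVAILABLE))
    print("8.3 version gone (any -r):", versions_gone_any_revision(INSTALLED, AVAILABLE))
    print("8.4 8.2 minus injected:   ", packages_gone(INSTALLED, AVAILABLE, INJECTED))
```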
9. Moves, adds, and changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
- Sebastian Bergmann (sebastian) - PHP
Changes
The following developers recently changed roles within the
Gentoo Linux project:
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
11. GWN feedback
Please send us your feedback and
help make the GWN better.
12. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org
from the email address you are subscribed under.
13. Other languages
The Gentoo Weekly Newsletter is also available in the
following languages: