Gentoo Weekly Newsletter: February 21st, 2005
1. Gentoo News
Boston Linux World Expo: The Après-Show report
The Linux World Conference and Exposition was held last week at the Hynes
Convention Center in Boston, Massachusetts, USA. Gentoo Linux had a booth
in the .org pavilion, nestled between the friendly folks from Fedora and that
lovable lot from the Linux Terminal Server Project. On display were an array
of systems demonstrating the wide array of architectures that Gentoo is
available for. The main draw was clearly the diminutive Mac Mini with the big
cinema screen, brought by Daniel Ostrow.
Also present were Daniel's Sparc Ultra 60, several x86 laptops, and an AMD64
and several embedded goodies brought by Mike Frysinger.
A full team of volunteers helped staff the booth. Besides Mike and Daniel,
Seemant Kulleen, Chris Gianelloni, Dylan Carlson, Jeffrey Forman, Peter Johanson,
Luke Macken (lewk), Rajiv Manglani, Andy Fant, Chris Aniszczyk and Aaron Griffis
made appearances and helped out in the booth.
Figure 1.1: Boston LWE Gentoo booth staff
Note:
Front, left to right: Andrew Fant, Chris Gianelloni, Mike Frysinger, Rajiv Manglani.
Chris Aniszczyk is leaning over the table just under the Gentoo poster; everybody else
is a visitor.
Besides the perennial requests for CDs (which we had) and T-shirts (which we didn't),
there was a steady flow of interest in the PPC release, and a gratifying
number of comments by people who have come to realize that Gentoo has a
role to play in the enterprise. Also of note was the forthcoming launch of a
Gentoo-based startup that will provide
custom binary packages to subscribing users through standard Portage mechanisms.
A highlight of the week was the anti-bof, where 30-40 users and developers took
over the top floor of the Globe Bar and Grill and got the chance to meet and
mingle in person.
This was the first year that the LWE was held in Boston, instead of New York,
and by all accounts, it was a success. There was a twenty percent increase in
vendor exhibits, and attendance was up by a similar amount. It seems likely
that LWE will return again next winter, so start making plans for next year.
Thanks to everyone who helped to make our presence at the show a success.
For those on the west coast, LWE will be in San Francisco from 8 to 11 August.
If you are interested in helping with the Gentoo booth at that meeting, please
contact the PR team.
Last call for FOSDEM
More than 40 Gentoo developers, activists and power users have confirmed their
presence at this year's FOSDEM
on 26 and 27 February in Brussels at the Université Libre de Bruxelles. The local
youth hostel has literally been taken over by the participants in the DevRoom
organised by Gentoo at Europe's largest open-source conference, and the schedule
is packed with presentations by developers from all over Europe. Saturday night life
in Brussels will make it challenging to keep the tight schedule for the Gentoo developer
meeting on Sunday morning.
Free entrance to the Gentoo UK conference
Thanks to securing sponsorships by the University of Salford and the London Internet
Exchange, LINX, the Gentoo UK Conference, scheduled for
12 March at Manchester's University of Salford, was able to drop the
entrance fee. Participants will now be admitted free of charge.
Easy subscription to Gentoo RSS feeds
Michael Kohl has made an OPML file available
that lets you subscribe automatically to three different RSS feeds from Gentoo at once,
i.e. the Gentoo Linux news as published on the Gentoo website, the Gentoo Linux Security
Announcements (GLSAs), and the feed for packages for x86. Many RSS readers support
importing from an OPML file, making subscriptions easily manageable.
2. Future Zone
Gentooified Kuro-Box
The Kuro-Box is a toaster-sized PowerPC NAS (Network Attached Storage)
device designed for Linux hackers, owing at least part of its appeal to
the clever name: much more than its plain English translation "black"
does, the "kuro" of the Kuro-Box hints at both the colour and
the occultness of what may be lurking in the dark. Based on a
Freescale MPC8241 (a 603e processor), it exists in two versions:
- the original one, at 200MHz with 64MB RAM, a 100Mb ethernet
  controller and one USB plug (around 160 USD without hard-drive)
- the HG version, at 266MHz with 128MB RAM, a 1Gb ethernet
  controller and two USB plugs (240 USD without hard-drive)
Obscured by the fact that it was spawned off Buffalo Technology's "LinkStation"
storage device series, it's probably the most inexpensive Linux/PPC development
environment currently on the market.
Figure 2.1: Attaching a new meaning to network storage: Buffalo's Kuro-Box
The history of the Kuro-Box begins in Japan back in early 2004, when a Buffalo sister
company, Kurouto Shikou, decided to sell older LinkStation inventory
on the "power users" market. Thus, the oldest and biggest Kuro-Box hacker
community is Japanese, and the amount of documentation on
their Linkstation Wiki or on Yasunari Yamashita's
blog shows how active it is. For a few months now, Kuro-Boxes have also been
distributed in the US and Europe by Revogear,
and a new non-Japanese community centering around a forum and a wiki now has plenty of English
information available to them.
In both communities, there had been several attempts at replacing
the stock firmware with more generic Linux distributions ever since
the first Kuro-Box shipped about a year ago. The original firmware is too
NAS-oriented, i.e. only designed to be a file and printing server,
whereas a complete Linux distribution would allow for easy experimentation
and unlocking of the platform's full potential. Even setting up Gentoo systems
inside the Kuro-Box had been tried before: jmgdean released a Gentoo
Total Conversion alpha1, and much work was done inside the Japanese
community. However, all of those earlier attempts were mixed installations of Gentoo Linux on
top of the original firmware: the toolchains were still based on gcc-2.95, many
files were not managed by Portage, and there was still some non-free code inside.
My beta1 release, on the other hand, is entirely built from sources, and exclusively
via Portage. It is composed of:
- a stage3 image which can be installed directly on a fresh
  hard drive, and which completely replaces the original firmware
- a Portage overlay, with a few new or modified ebuilds
- a custom Portage profile, based on Gentoo PPC 2004.3
- many additional binary packages that should
cover the most current needs for that kind of system
The installation process is mostly similar to "normal" Gentoo systems, except that
it begins in the so-called "EM mode" in which the box boots when it's not yet set up.
This is a very minimalistic environment which can be accessed by both ftp and telnet.
From there, you will be able to prepare your drive, chroot, and install the
stage3 image. Then you switch the box to the "Normal mode", and hopefully it will
reboot using your fresh Gentoo system, which should be accessible by
ssh. Detailed instructions are available on a
Wiki page.
Known limitation and future work
The only thing that is not easily hackable is the content of the FlashROM, i.e.
the EM mode system and the kernel. The format of the flash image is well-known
and documented (at least on some Japanese websites), but, as opposed to many other
Linux-based devices, there is absolutely no fallback in case of mistake once
you've touched it -- a flashing error or a badly configured kernel will kill it
for good. Because of that, most users are still stuck with the original 2.4.17
kernel, which is far from perfect. There are currently two directions
being explored to overcome this limitation:
- Installing a proper bootloader in the FlashROM: U-Boot
  would probably be the best choice, but this project is at too early a stage
  to give an estimate of its availability.
- Dynamically replacing the running kernel. This has been made
  possible thanks to jochang's work, by loading a simple kernel module.
  Integrating that kernel switching in the boot process is the top
  target for Gentoo beta2 (with everything it depends on, like a
  proper packaging of kuro-ified kernel sources, etc.)
Some other future work items include:
- improve the distribution system: in particular, use rsync instead
of tarballs for overlay/profile
- by popular demand, add some meta-ebuilds for some common
needs like "mail server" or "MacOSX-friendly server". Or
release some kinds of customized "stage4"
- some minor improvements all around, like better LED status,
maybe more precompiled modules for the stock kernel, etc.
- maybe a (semi-)automatic installation process (from a LiveCD?):
for some users, installing Gentoo by telnet on a Kuro Box is
their first Linux experience, and it seems to be a bit too
much at a time...
Note: Author Thomas de Grenier de Latour (TGL) is one of the Gentoo Forums
moderators, responsible for the French language forum. He will bring a
Kuro-Box to FOSDEM in Brussels this coming weekend; if you would like to
learn more about this little box or see it in action, make sure to stop by
the Gentoo DevRoom.
3. Gentoo security
PowerDNS: Denial of Service vulnerability
A vulnerability in PowerDNS could lead to a temporary Denial of Service.
For more information, please see the GLSA Announcement
ht://Dig: Cross-site scripting vulnerability
ht://Dig is vulnerable to cross-site scripting attacks.
For more information, please see the GLSA Announcement
Opera: Multiple vulnerabilities
Opera contains several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code.
For more information, please see the GLSA Announcement
VMware Workstation: Untrusted library search path
VMware may load shared libraries from an untrusted, world-writable
directory, resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement
PostgreSQL: Buffer overflows in PL/PgSQL parser
PostgreSQL is vulnerable to several buffer overflows in the PL/PgSQL parser
leading to execution of arbitrary code.
For more information, please see the GLSA Announcement
Emacs, XEmacs: Format string vulnerabilities in movemail
The movemail utility shipped with Emacs and XEmacs contains several format
string vulnerabilities, potentially leading to the execution of arbitrary
code.
For more information, please see the GLSA Announcement
lighttpd: Script source disclosure
An attacker can trick lighttpd into revealing the source of scripts that
should be executed as CGI or FastCGI applications.
For more information, please see the GLSA Announcement
wpa_supplicant: Buffer overflow vulnerability
wpa_supplicant contains a buffer overflow that could lead to a Denial of
Service.
For more information, please see the GLSA Announcement
KStars: Buffer overflow in fliccd
KStars is vulnerable to a buffer overflow that could lead to arbitrary code
execution with elevated privileges.
For more information, please see the GLSA Announcement
Midnight Commander: Multiple vulnerabilities
Midnight Commander contains several format string errors, buffer overflows
and one buffer underflow leading to execution of arbitrary code.
For more information, please see the GLSA Announcement
Squid: Denial of Service through DNS responses
Squid contains a bug in the handling of certain DNS responses resulting in
a Denial of Service.
For more information, please see the GLSA Announcement
GProFTPD: gprostats format string vulnerability
gprostats, distributed with GProFTPD, is vulnerable to a format string
vulnerability, potentially leading to the execution of arbitrary code.
For more information, please see the GLSA Announcement
gFTP: Directory traversal vulnerability
gFTP is vulnerable to directory traversal attacks, possibly leading to the
creation or overwriting of arbitrary files.
For more information, please see the GLSA Announcement
4. Heard in the community
gentoo-dev
Using Gentoo in emulators
After a failed install of Gentoo in MS VirtualPC, a user asks what
experiences others have with Gentoo in emulated environments. Read on
for a nice (win32-centric) collection of user experiences.
Portage performance improvements
Another user found a bottleneck in Portage whose removal seems to reduce
startup times by at least 50%. Although that may be an extreme example,
it still shows that Portage performance is far from optimal.
GLEP33: Eclass restructure
After the large flamewars last time someone tried to change the way
eclasses are used and handled, John Mylchreest and Brian Harring offer
a new and quite comprehensive proposal. It can be
found at http://glep.gentoo.org/glep-0033.html
Runtime vs. devel packages
Stuart Herbert offers some
thoughts on split ebuilds:
"For years now, RedHat have split a lot of their packages
into two sets ... a set containing what's needed at runtime to use the
package, and another 'devel' package containing header files etc which
are only needed for building software. One thing that it's really nice
to do with a server is build it with no compilers etc installed. The
less that's on there, the less there is to maintain, upgrade, be reused
by the black hats, etc etc." But, as it seems, there are also good
reasons to do things "The Gentoo Way". Read on for a discussion of the
pros and cons of both approaches.
5. Gentoo in the press
Security Focus (14 February 2005)
After being talked about in a Security Focus article the week before, Gentoo
developer and operational manager for the Gentoo Linux Security Team Thierry Carrez
now had his own column last Monday: "More advisories, more security" is the title
of his piece on the relationship between
activities in the security arms of Linux distributions and overall safety
for users. "Security advisories from a software publisher or packager should not
be seen as bad news. There are always vulnerabilities in software, and when an
advisory is released it means that one of these flaws has been identified and
fixed," explains Thierry. "It also means the good guys have done their homework,
and that one less flaw can be used by the bad guys to harm you."
Linux Times (14 and 18 February 2005)
A flamboyant installation report from Austria hit the online magazine
Linux Times on Monday last week, under the heading "One week with
Gentoo Linux." The
article describes in detail an installation of Gentoo Linux
on slightly dated hardware, and tries to shatter the myth of Gentoo
not being easily accessible: "If there was a list of biggest GNU/Linux
cliches, the statement 'Gentoo is hard to install' would be ranked
among the top. Let me tell you a little secret: Gentoo is easy to install,"
says author Imre Kálomista, a student at Vienna University. And if that
wasn't enough, Gentoo again figures as a topic on Linux Times four days later
in a review of the Vidalinux release 1.1 in direct comparison to a "real"
Gentoo system. The article
concludes that the Puerto-Rican binary Gentoo clone strangely lacks binary
package support, but mentions a club membership for access to a repository
of precompiled packages.
Cuddletech blog (12 February 2005)
"Using Xorg 6.8.2 & Composite" is the topic of Ben Rockwood's blog entry on
the new transparency features in Xorg, with a pleasant side note on the
ease of installation in his Gentoo environment: "Thanks to Gentoo I simply
yanked XFree86 (unmerge) and merged in Xorg 6.8.2."
6. Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 13 February 2005 and 20 February 2005, activity
on the site has resulted in:
- 813 new bugs during this period
- 447 bugs closed or resolved during this period
- 20 previously closed bugs were reopened this period
Of the 8040 currently open bugs: 101 are labeled 'blocker', 240 are labeled 'critical', and 596 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
New bug rankings
The developers and teams who have been assigned the most new bugs during this period are:
7. Moves, adds, and changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
- David Gümbel (ganymede) - wine
Changes
The following developers recently changed roles within the
Gentoo Linux project:
8. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
9. GWN feedback
Please send us your feedback and
help make the GWN better.
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org
from the email address you are subscribed under.
11. Other languages
The Gentoo Weekly Newsletter is also available in the
following languages: