Gentoo Weekly Newsletter: February 21st, 2005

Content:

1.  Gentoo News

Boston Linux World Expo: The Après-Show report

The Linux World Conference and Exposition was held last week at the Hynes Convention Center in Boston, Massachusetts, USA. Gentoo Linux had a booth in the .org pavilion, nestled between the friendly folks from Fedora and that lovable lot from the Linux Terminal Server Project. On display was a range of systems demonstrating the wide array of architectures that Gentoo is available for. The main draw was clearly the diminutive Mac Mini with the big cinema screen, brought by Daniel Ostrow. Also present were Daniel's Sparc Ultra 60, several x86 laptops, and an AMD64 and several embedded goodies brought by Mike Frysinger.

A full team of volunteers helped staff the booth. Besides Mike and Daniel, Seemant Kulleen, Chris Gianelloni, Dylan Carlson, Jeffrey Forman, Peter Johanson, Luke Macken (lewk), Rajiv Manglani, Andy Fant, Chris Aniszczyk and Aaron Griffis made appearances and helped out in the booth.


Figure 1.1: Boston LWE Gentoo booth staff

Note: Front, left to right: Andrew Fant, Chris Gianelloni, Mike Frysinger, Rajiv Manglani. Chris Aniszczyk is leaning over the table just under the Gentoo poster; everybody else is a visitor.

Besides the perennial requests for CDs (which we had) and T-shirts (which we didn't), there was a steady flow of interest in the PPC release, and a gratifying number of comments by people who have come to realize that Gentoo has a role to play in the enterprise. Also of note was the forthcoming launch of a Gentoo-based startup that will provide custom binary packages to subscribing users through standard Portage mechanisms. A highlight of the week was the anti-bof, where 30-40 users and developers took over the top floor of the Globe Bar and Grill and got the chance to meet and mingle in person.

This was the first year that the LWE was held in Boston, instead of New York, and by all accounts, it was a success. There was a twenty percent increase in vendor exhibits, and attendance was up by a similar amount. It seems likely that LWE will return again next winter, so start making plans for next year. Thanks to everyone who helped to make our presence at the show a success. For those on the west coast, LWE will be in San Francisco from 8 to 11 August. If you are interested in helping with the Gentoo booth at that meeting, please contact the PR team.

Last call for FOSDEM

More than 40 Gentoo developers, activists and power users have confirmed their presence at this year's FOSDEM on 26 and 27 February in Brussels at the Université Libre de Bruxelles. The local youth hostel has literally been taken over by the participants in the DevRoom organised by Gentoo at Europe's largest open-source conference, and the schedule is packed with presentations by developers from all over Europe. Saturday night life in Brussels will make it challenging to keep the tight schedule for the Gentoo developer meeting on Sunday morning.

Free entrance to the Gentoo UK conference

Thanks to securing sponsorships by the University of Salford and the London Internet Exchange, LINX, the Gentoo UK Conference, scheduled for 12 March at Manchester's University of Salford, was able to drop the entrance fee. Participants will now be admitted free of charge.

Easy subscription to Gentoo RSS feeds

Michael Kohl has made an OPML file available that lets readers subscribe to three different Gentoo RSS feeds at once: the Gentoo Linux news as published on the Gentoo website, the Gentoo Linux Security Announcements (GLSAs), and the feed for packages for x86. Many RSS readers support importing from an OPML file, which makes subscriptions easy to manage.

2.  Future Zone

Gentooified Kuro-Box

The Kuro-Box is a toaster-sized PowerPC NAS (Network Attached Storage) device designed for Linux hackers, owing at least part of its appeal to the clever name: far better than the plain English translation "black", the "kuro" of the Kuro-Box hints at both the colour and the occultness of what may be lurking in the dark. Based on a Freescale MPC8241 (a 603e processor), it exists in two versions:

  • the original one, at 200MHz with 64MB RAM, a 100Mb ethernet controller and one USB plug (around 160 USD without hard-drive)
  • the HG version, at 266MHz with 128MB RAM, a 1Gb ethernet controller and two USB plugs (240 USD without hard-drive)

Obscured by the fact that it was spawned off Buffalo Technology's "LinkStation" storage device series, it's probably the most inexpensive Linux/PPC development environment currently on the market.


Figure 2.1: Attaching a new meaning to network storage: Buffalo's Kuro-Box

The history of the Kuro-Box begins in Japan back in early 2004, when a Buffalo sister company, Kurouto Shikou, decided to sell older LinkStation inventory on the "power users" market. Thus, the oldest and biggest Kuro-Box hackers community is Japanese, and the amount of documentation on their LinkStation Wiki or on Yasunari Yamashita's blog shows how active it is. For a few months now, Kuro-Boxes have also been distributed in the US and Europe by Revogear, and a new non-Japanese community centering around a forum and a wiki now has plenty of English information available to it.

In both communities, there had been several attempts at replacing the stock firmware with more generic Linux distributions ever since the first Kuro-Box shipped about a year ago. The original firmware is too NAS-oriented, i.e. only designed to be a file and printing server, whereas a complete Linux distribution would allow for easy experimentation and unlocking of the platform's full potential. Even setting up Gentoo systems inside the Kuro-Box had been tried before: jmgdean released a Gentoo Total Conversion alpha1, and much work was done inside the Japanese community. However, all of those earlier attempts were mixed installations of Gentoo Linux on top of the original firmware: the toolchains were still based on gcc-2.95, many files were not managed by Portage, and there was still some non-free code inside. My beta1 release, on the other hand, is entirely built from sources, and exclusively via Portage. It is composed of:

  • a stage3 image which can be installed directly on a fresh hard drive, and which completely replaces the original firmware
  • a Portage overlay, with a few new or modified ebuilds
  • a custom Portage profile, based on Gentoo PPC 2004.3
  • many additional binary packages that should cover the most current needs for that kind of system

The installation process is mostly similar to "normal" Gentoo systems, except that it begins in the so-called "EM mode" in which the box boots when it's not yet set up. This is a very minimalistic environment which can be accessed by both ftp and telnet. From there, you will be able to prepare your drive, chroot, and install the stage3 image. Then you switch the box to the "Normal mode", and hopefully it will reboot using your fresh Gentoo system, which should be accessible by ssh. Detailed instructions are available on a Wiki page.

Known limitation and future work

The only thing that is not easily hackable is the content of the FlashROM, i.e. the EM mode system and the kernel. The format of the flash image is well-known and documented (at least on some Japanese websites), but, as opposed to many other Linux-based devices, there is absolutely no fallback in case of a mistake once you've touched it -- a flashing error or a badly configured kernel will kill it for good. Because of that, most users are still stuck with the original 2.4.17 kernel, which is far from perfect. There are currently two directions being explored to overcome this limitation:

  • Installing a proper bootloader in the FlashROM: U-Boot would probably be the best choice, but this project is at too early a stage to give an estimate of its availability.
  • Dynamically replacing the running kernel. This has been made possible thanks to jochang's work, by loading a simple kernel module. Integrating that kernel switching in the boot process is the top target for Gentoo beta2 (with everything it depends on, like a proper packaging of kuro-ified kernel sources, etc.)

Some other future work items include:

  • improve the distribution system: in particular, use rsync instead of tarballs for overlay/profile
  • by popular demand, add some meta-ebuilds for some common needs like "mail server" or "MacOSX-friendly server". Or release some kinds of customized "stage4"
  • some minor improvements all around, like better LED status, maybe more precompiled modules for the stock kernel, etc.
  • maybe a (semi-)automatic installation process (from a LiveCD?): for some users, installing Gentoo by telnet on a Kuro Box is their first Linux experience, and it seems to be a bit too much at a time...

Note: Author Thomas de Grenier de Latour (TGL) is one of the Gentoo Forums moderators, responsible for the French language forum. He will bring a Kuro-Box to FOSDEM in Brussels this coming weekend. If you would like to learn more about this little box or see it in action, make sure to stop by the Gentoo DevRoom.

3.  Gentoo security

PowerDNS: Denial of Service vulnerability

A vulnerability in PowerDNS could lead to a temporary Denial of Service.

For more information, please see the GLSA Announcement

ht://Dig: Cross-site scripting vulnerability

ht://Dig is vulnerable to cross-site scripting attacks.

For more information, please see the GLSA Announcement

Opera: Multiple vulnerabilities

Opera is affected by several vulnerabilities which could result in information disclosure and facilitate execution of arbitrary code.

For more information, please see the GLSA Announcement

VMware Workstation: Untrusted library search path

VMware may load shared libraries from an untrusted, world-writable directory, resulting in the execution of arbitrary code.

For more information, please see the GLSA Announcement

PostgreSQL: Buffer overflows in PL/PgSQL parser

PostgreSQL is vulnerable to several buffer overflows in the PL/PgSQL parser leading to execution of arbitrary code.

For more information, please see the GLSA Announcement

Emacs, XEmacs: Format string vulnerabilities in movemail

The movemail utility shipped with Emacs and XEmacs contains several format string vulnerabilities, potentially leading to the execution of arbitrary code.

For more information, please see the GLSA Announcement

lighttpd: Script source disclosure

An attacker can trick lighttpd into revealing the source of scripts that should be executed as CGI or FastCGI applications.

For more information, please see the GLSA Announcement

wpa_supplicant: Buffer overflow vulnerability

wpa_supplicant contains a buffer overflow that could lead to a Denial of Service.

For more information, please see the GLSA Announcement

KStars: Buffer overflow in fliccd

KStars is vulnerable to a buffer overflow that could lead to arbitrary code execution with elevated privileges.

For more information, please see the GLSA Announcement

Midnight Commander: Multiple vulnerabilities

Midnight Commander contains several format string errors, buffer overflows and one buffer underflow leading to execution of arbitrary code.

For more information, please see the GLSA Announcement

Squid: Denial of Service through DNS responses

Squid contains a bug in the handling of certain DNS responses resulting in a Denial of Service.

For more information, please see the GLSA Announcement

GProFTPD: gprostats format string vulnerability

gprostats, distributed with GProFTPD, is vulnerable to a format string vulnerability, potentially leading to the execution of arbitrary code.

For more information, please see the GLSA Announcement

gFTP: Directory traversal vulnerability

gFTP is vulnerable to directory traversal attacks, possibly leading to the creation or overwriting of arbitrary files.

For more information, please see the GLSA Announcement

4.  Heard in the community

gentoo-dev

Using Gentoo in emulators

After a failed install of Gentoo in MS VirtualPC, a user asks what experiences others have with Gentoo in emulated environments. Read on for a nice (win32-centric) collection of user experiences.

Portage performance improvements

Another user found a bottleneck in Portage whose removal seems to reduce startup times by at least 50%. Although that may be an extreme example, it still shows that Portage performance is far from optimal.

GLEP33: Eclass restructure

After the large flamewars last time someone tried to change the way eclasses are used and handled, John Mylchreest and Brian Harring offer a new and quite comprehensive proposal. It can be found at http://glep.gentoo.org/glep-0033.html

Runtime vs. devel packages

Stuart Herbert offers some thoughts on split ebuilds: "For years now, RedHat have split a lot of their packages into two sets ... a set containing what's needed at runtime to use the package, and another 'devel' package containing header files etc which are only needed for building software. One thing that it's really nice to do with a server is build it with no compilers etc installed. The less that's on there, the less there is to maintain, upgrade, be reused by the black hats, etc etc." But, as it seems, there are also good reasons to do things "The Gentoo Way". Read on for a discussion of the pros and cons of both approaches.

5.  Gentoo in the press

Security Focus (14 February 2005)

After being talked about in a Security Focus article the week before, Gentoo developer and operational manager for the Gentoo Linux Security Team Thierry Carrez now had his own column last Monday: "More advisories, more security" is the title of his piece on the relationship between activities in the security arms of Linux distributions and overall safety for users. "Security advisories from a software publisher or packager should not be seen as bad news. There are always vulnerabilities in software, and when an advisory is released it means that one of these flaws has been identified and fixed," explains Thierry. "It also means the good guys have done their homework, and that one less flaw can be used by the bad guys to harm you."

Linux Times (14 and 18 February 2005)

A flamboyant installation report from Austria hit the online magazine Linux Times on Monday last week, under the heading "One week with Gentoo Linux." The article describes in detail an installation of Gentoo Linux on slightly dated hardware, and tries to shatter the myth of Gentoo being not easily accessible: "If there was a list of biggest GNU/Linux cliches, the statement 'Gentoo is hard to install' would be ranked among the top. Let me tell you a little secret: Gentoo is easy to install," says author Imre Kálomista, a student at Vienna University. And if that wasn't enough, Gentoo again figures as a topic on Linux Times four days later in a review of the Vidalinux release 1.1 in direct comparison to a "real" Gentoo system. The article concludes that the Puerto-Rican binary Gentoo clone strangely lacks binary package support, but mentions a club membership for access to a repository of precompiled packages.

Cuddletech blog (12 February 2005)

Using Xorg 6.8.2 & Composite is the topic for Ben Rockwood's blog entry on the new transparency features in Xorg, with a pleasant side note on the ease of installation in his Gentoo environment: "Thanks to Gentoo I simply yanked XFree86 (unmerge) and merged in Xorg 6.8.2."

6.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 13 February 2005 and 20 February 2005, activity on the site has resulted in:

  • 813 new bugs during this period
  • 447 bugs closed or resolved during this period
  • 20 previously closed bugs were reopened this period

Of the 8040 currently open bugs: 101 are labeled 'blocker', 240 are labeled 'critical', and 596 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

7.  Moves, adds, and changes

Moves

The following developers recently left the Gentoo team:

  • None this week

Adds

The following developers recently joined the Gentoo Linux team:

  • David Gümbel (ganymede) - wine

Changes

The following developers recently changed roles within the Gentoo Linux project:

  • None this week

8.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

9.  GWN feedback

Please send us your feedback and help make the GWN better.

10.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

Page updated February 21, 2005

Summary: This is the Gentoo Weekly Newsletter for the week of 21 February 2005.

Ulrich Plate
Editor

Andrew Fant
Author

Thomas de Grenier de Latour
Author

Patrick Lauer
Author

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.