Gentoo Weekly Newsletter: March 7th, 2005
1. Gentoo News
Gentoo 2005.0 security rebuild
A set of exploitable bugs in gaim and mozilla-firefox (remotely exploitable) and in
qt and kdelibs (locally exploitable) was discovered just before the final
Gentoo Linux 2005.0 release build completed. Although this interrupted the build
mere hours before it was scheduled to finish, Gentoo's release engineering team
unanimously decided to drop it and rebuild the release media with all the
security bugs resolved prior to release. Thanks to the Gentoo security team for
catching the bugs, and to the profiles' lead developers for putting up with the
delay and testing the builds on their architectures yet again!
Gentoo staging/master rsync server migrated
Thanks to the donation of an Opteron 246 server from Nvidia, Gentoo is
now running its staging mirror and master rsync mirror on new
hardware. Lance Albertson and Nick Jones completed the Portage
regeneration move last Wednesday with few or no problems. This server
synchronizes from CVS every thirty minutes, then regenerates the
depcache, which takes a lot of I/O and time to finish. From
there, the public rsync servers sync from it. The old server was a
single 1 GHz Pentium III and finished this regen process in 10-30
minutes. The new Opteron server does the same thing in 1-2
minutes. This is an amazing improvement and will definitely allow us to scale
well as the tree continues to grow. Note that the update frequency has not
changed, so please don't waste your time trying to update every 2 minutes.
Also, most of the mirroring files were moved to this server a month ago,
with the exception of distfiles. We were running out of space on
the old server, and this new server has a lot more space for us to grow into.
Nick Jones is currently working on a better script that catches missing
distfiles and cleans up old ones. Hopefully we'll start using this
script in production in the next few weeks, in order to save space on our
mirrors for other projects.
Forum software updates
Software enhancements done to the Gentoo Forums may well require a weekly
column of their own soon. The frequency of updates has already been high over
the past few weeks, but all these changes were just made to make even bigger
changes possible. Expect more to come, particularly with regard to "Mission
UTF-8", an ongoing effort to switch the forums completely to Unicode,
supported by tools that have already been put in place to aid the switch over
the next few months.
Three important changes were made in the last two weeks:
- Jabber IDs were finally added to the user profiles. Christian Hartmann
created a Jabber-Mod for the phpBB 2.0.x branch; Forum user ptlis then merged
this with his own Jabber-Mod, which has since been made available at phpBB.com.
- The subSilver and Gentoo-Lite themes were removed, mainly to speed up
development and to minimize potential sources of bugs or other future
problems. Apologies to those losing the ability to choose alternative
themes, but it's obviously much easier for the administrators to make and
maintain changes in the future if little-used themes can be eliminated. The
default Gentoo theme was the only one kept because it is used by the
overwhelming majority of Forum users: out of more than 80,000 registered forum
IDs, only 450 were linked to the subSilver theme, and 4500 had chosen
Gentoo-Lite.
- Some adjustments have been made to the textbox of the postview window;
thanks to the great Forum community for keeping track of that.
System application reshuffle: Heads up!
In a swift action affecting more than 200 packages residing in Portage's
sys-apps category, Ciaran McCreesh is currently busy moving some of them into
other existing categories, while others will find entirely new homes in the
tree. The applications in question are listed in a file sitting in Ciaran's
devspace. If you find problems with a package after it has been moved, please
file a bug or contact Ciaran on irc.freenode.net. Gentoo users who keep
sys-apps packages in a personal overlay in particular may want to pay special
attention to the changes, since the moved packages will no longer be found
under their old category names.
Looking for testimonials on Gentoo business usage
One of the things that we are always looking for at Gentoo is
information on people using Gentoo to make their lives easier. This
could be anything from using Gentoo machines as a render farm or rolled
out into desktop usage, to just a small corporate firewall. Information
such as this can help us better determine where we are and where we
should be focusing our efforts. If you have a Gentoo success story,
then we would love to hear about it! Information about large
deployments or Gentoo usage in unusual markets is mostly what we are
looking to receive. Send your story to usage-feedback@gentoo.org today.
Note: Although some interesting projects will certainly receive coverage
in the GWN, we respect your wish for confidentiality if the project
doesn't allow for publication. Please mark your story as confidential
when submitting it to the usage feedback address; in that case it will only
be discussed among the directly affected developers.
2. Developer of the week
"The best thing about Gentoo is the community." -- Albert Hopkins (marduk)
Figure 2.1: Albert Hopkins aka marduk
This week's featured developer Marduk is
a member of the Infrastructure group, responsible for developing and
maintaining one of the most exciting elements of Gentoo's web presence, the
packages.gentoo.org site. He'd be
interested in many other areas of Gentoo, but making sure the packages database
site stays up, fixing bugs, and further development takes up most of his free
time. That doesn't keep him from being in the process of re-writing the entire
presentation, though, and he has many ambitions for the new site, too many to
list here...
Figure 2.2: A view of things to come: Refurbishing the package database
Gentoo is his most significant OSS project to date, but Marduk has been
developing open-source software for several years. He authored a program called
Linbot, which was a web crawler/link validating tool written in Python that
received a lot of recognition in its time, with reviews appearing in Linux
magazines, inclusion in distributions and a Python book. "I'm very passionate
about the Python programming language. I have been hacking in Python since 1997.
While I still occasionally look at other programming languages, I always go
back to Python," says Marduk. Unfortunately for Linbot, he received a "cease
and desist" letter one day because the name was apparently too close to the
name of a commercial application, and he hasn't worked on or distributed the
software since then. The few smaller programs he continues distributing are
kept at his own repository.
Marduk is an administrator for Linux and Linux-like systems at a major U.S.
clinical laboratory. A college drop-out who nonetheless attended Cornell
University majoring in Electrical Engineering, he used to work at a
supercomputer facility and always loved that; he still keeps a vivid interest in
high performance computing, but regrets not being able to afford the hardware.
His current main
box was just recently upgraded to an AMD64, and he made sure "it's got
all the trimmings," says Marduk. "The first application I launch is
evolution, and if you ps my box, you'll most likely also find
vim, epiphany, gnome-terminal and, of course,
python."
Marduk lives in the Dallas, TX area. He's single (now accepting applications),
and his hobbies outside of computing that he felt worth mentioning during the
interview include movies, long drives in his Audi TT roadster, indie music,
silence, science, and sociology.
3. Gentoo International
Germany: Chemnitzer Linuxtage
Lars Weiler, Tobias
Scherbaum and Jens Blaesche ("Mr. Big") represented Gentoo at this year's
Chemnitzer Linuxtage, a conference and expo in East Germany's Saxony region that
has been growing in importance since it was first organized last year, with more
presentations in the main track, the usual suspects in the exposition hall, and
a nice crowd mostly from Saxony itself, but also attracting visitors from other
parts of Germany. The Gentoo booth had a Pegasos Open Desktop Workstation on
display, a Sun Ultra10 running Gentoo, and the recent Brussels invention of the
/dev/snack box of sweets was equally popular with visitors.
Particularly rewarding for the booth staff who had already been at last
year's event: visitors they had met back then, and who had asked generally
uninformed "What is Gentoo?" questions, now came back sporting "Portage addict"
t-shirts and laptops with Gentoo Linux running on them. A German version of the
Fizzlewizzle LiveDVD (see last week's FOSDEM report), complete with KDE and
distfiles sources, was the top seller at this regional event,
very welcome in this area of Germany where broadband Internet connections are
hard to come by.
Figure 3.1: Left: Gentoo booth, center: Pylon, right: dertobi123 and Mr. Big
International event reminders
Two events are scheduled for next weekend, one in Manchester where Stuart Herbert
expects UK-based Gentoo developers and users at the second Gentoo UK Conference,
and an Expo in Lörrach (Germany, close to the Swiss border) with a Gentoo booth
on the floor.
- Gentoo UK Conference - Saturday, 12 March in Manchester, UK: University of
Salford. Attention: The Friday night social event before the conference will
start at 19:30 at the Stay Inn (driving instructions at their website).
- IT/Linux Days 2005 - 11 to 14 March in Lörrach, Germany: Regio-Messe Lörrach
4. Gentoo in the press
OSdir.com (4 March 2005)
The lack of support forums or other "groundswell support from users" is the topic
of an article in O'Reilly's operating systems magazine. Author Steve Mallett asks
"Where is the SuSE Community?",
and compares the missing user community presence to other popular distributions:
"A search for Fedora, Mandrake, or Gentoo for instance and you have no problem
finding forums, wikis, official and unofficial FAQs. Signs of life." observes
OSdir.com's managing editor.
Apple-Linux.org (3 March 2005, in French)
Author Prosper describes the gentoo-stats project in an article on the
French Linux forum for Apple computers. "The basc project permits to calculate
the time to install an ebuild. Packages are represented by GU (Gentoo units),
if you know how many seconds one GU takes to compile on your system, it's
enough to simply multiply those."
Todo-Linux.com (28 February 2005, in Spanish)
The Spanish magazine reports
about Intel and AMD pushing for 64-bit computing in the user realm, and
observes that while Microsoft doesn't currently have an operating system that
fully supports the hardware, Linux distributions, "for example Gentoo", are
listed as totally functioning under 64-bit conditions.
5. Tips and Tricks
Emerge flags deserving more attention
There are a few flags emerge accepts that give some insight into what it is
(or will be) doing. We've described some of the newer ones that were added
with portage-2.0.51, but there are a couple of older switches that users may
have forgotten about. Here's a quick look at two of those.
Perhaps the more commonly used of the two is --verbose, or -v. It displays the
USE flags that a package recognizes, and which ones are currently enabled or
disabled. When running emerge with the --newuse flag, it even marks with an
asterisk those flags that have been enabled or disabled since the last time
the package was built. It also displays the size of the files that need to be
downloaded for each package, as well as the total download size for all
packages to be emerged.
The second is --tree, or -t. This displays the dependency tree by indenting
each dependency one level deeper than the package that pulls it in. Here's an
example to illustrate the effect of this flag:
Code Listing 5.1: Indented packages showing their dependencies
[ebuild N ] x11-plugins/gkrellm-sensors-0.1
[ebuild N ] app-admin/gkrellm-1.2.13
[ebuild N ] sys-apps/lm_sensors-2.8.7
[ebuild N ] sys-apps/i2c-2.8.7
By combining --verbose and --tree (emerge -pvt, with -p for a pretend run that
installs nothing), you get a much clearer picture of exactly what emerge is
going to do before it does it. Needless to say, this makes it much easier to
tweak your USE flags for better control over which packages are being
installed, and to spot a dependency or a flipped USE flag you did not expect
before anything is built.
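As an added example (not part of the original GWN article and not Portage's own code), here is a small Python parser for the listing that emerge -pvt prints, turning the indentation back into explicit parent/dependency pairs, listing the USE flags --newuse marked as changed, totalling the download sizes, and flagging packages that are not on a reviewer's expected list. The sample listing is constructed for this example. Its format is an assumption: a status bracket such as "[ebuild  N    ]", one space per dependency level before the package atom, an optional USE="..." field in which a trailing "*" marks a changed flag, and an optional "<n> kB" download size.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `emerge -pvt` output (not captured from a real system).
# Assumed format: status bracket, one space per dependency level before the atom,
# USE="..." with a trailing '*' on flags that --newuse reports as changed, and the
# download size in kB.
SAMPLE_OUTPUT = """\
[ebuild  N    ] x11-plugins/gkrellm-sensors-0.1  USE="-debug" 45 kB
[ebuild  N    ]  app-admin/gkrellm-1.2.13  USE="gtk* -ssl" 1,234 kB
[ebuild  N    ]  sys-apps/lm_sensors-2.8.7  USE="-debug" 567 kB
[ebuild  N    ]   sys-apps/i2c-2.8.7  0 kB
"""

LINE_RE = re.compile(
    r'^\[ebuild\s+(?P<status>[^\]]*?)\s*\]'   # e.g. "[ebuild  N    ]"
    r'(?P<indent> +)(?P<atom>\S+)'            # indentation (depth) and category/package-version
    r'(?:\s+USE="(?P<use>[^"]*)")?'           # optional USE flag list
    r'(?:\s+(?P<size>[\d,]+) kB)?'            # optional download size
)


def parse_use_flags(use_field: str) -> List[Tuple[str, bool, bool]]:
    """Return (flag, enabled, changed) triples; '-' prefix = disabled, '*' suffix = changed."""
    flags = []
    for token in use_field.split():
        enabled = not token.startswith("-")
        name = token.lstrip("-")
        changed = name.endswith("*")
        flags.append((name.rstrip("*"), enabled, changed))
    return flags


def parse_emerge_output(text: str) -> List[dict]:
    """Parse each [ebuild ...] line into a record with depth, atom, status, USE flags and size."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blockers, "Calculating dependencies" and other non-ebuild lines
        records.append({
            "atom": m.group("atom"),
            "status": m.group("status"),
            "depth": len(m.group("indent")) - 1,   # one separator space, then one per level
            "use": parse_use_flags(m.group("use") or ""),
            "size_kb": int((m.group("size") or "0").replace(",", "")),
        })
    return records


def dependency_edges(records: List[dict]) -> List[Tuple[str, str]]:
    """Recover (parent, dependency) pairs from the --tree indentation."""
    edges = []
    ancestors: List[str] = []              # ancestors[d] is the package currently open at depth d
    for rec in records:
        del ancestors[rec["depth"]:]       # leaving a subtree drops the deeper ancestors
        if ancestors:
            edges.append((ancestors[-1], rec["atom"]))
        ancestors.append(rec["atom"])
    return edges


def changed_use_flags(records: List[dict]) -> Dict[str, List[Tuple[str, bool]]]:
    """Packages whose USE flags flipped since the last build (the --newuse '*' marker)."""
    changed = {}
    for rec in records:
        flips = [(name, enabled) for name, enabled, marked in rec["use"] if marked]
        if flips:
            changed[rec["atom"]] = flips
    return changed


def total_download_kb(records: List[dict]) -> int:
    """Sum of the per-package download sizes that emerge -v prints on each line."""
    return sum(rec["size_kb"] for rec in records)


def unexpected_packages(records: List[dict], expected: set) -> List[str]:
    """Packages in the plan whose category/name is not in the reviewer's expected set."""
    def cat_pn(atom: str) -> str:
        return re.sub(r"-\d[^/]*$", "", atom)   # strip the trailing version (approximate)
    return [rec["atom"] for rec in records if cat_pn(rec["atom"]) not in expected]


if __name__ == "__main__":
    recs = parse_emerge_output(SAMPLE_OUTPUT)
    for parent, dep in dependency_edges(recs):
        print(f"{parent} -> {dep}")
    print("USE flags changed since last build:", changed_use_flags(recs))
    print("total download:", total_download_kb(recs), "kB")
    print("not on the expected list:",
          unexpected_packages(recs, {"x11-plugins/gkrellm-sensors", "app-admin/gkrellm"}))
```

Piping a real emerge -pvt run into parse_emerge_output() gives the same four views of the plan; the expected set passed to unexpected_packages() is whatever list of packages you intended to pull in, so anything it reports is a dependency worth a second look before the build starts.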
6. Moves, adds, and changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
- Andrew Fant (JFMuggs) - Infrastructure
- Eric Edgar (rocket) - Catalyst/Genkernel
Changes
The following developers recently changed roles within the
Gentoo Linux project:
7. Gentoo security
MediaWiki: Multiple vulnerabilities
MediaWiki is vulnerable to cross-site scripting, data manipulation and
security bypass attacks.
For more information, please see the GLSA Announcement
Qt: Untrusted library search path
Qt may load shared libraries from an untrusted, world-writable directory,
resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement
phpBB: Multiple vulnerabilities
Several vulnerabilities allow remote attackers to gain phpBB administrator
rights or expose and manipulate sensitive data.
For more information, please see the GLSA Announcement
Gaim: Multiple Denial of Service issues
Multiple vulnerabilities have been found in Gaim which could allow a remote
attacker to crash the application.
For more information, please see the GLSA Announcement
phpWebSite: Arbitrary PHP execution and path disclosure
Remote attackers can upload and execute arbitrary PHP scripts, another flaw
reveals the full path of scripts.
For more information, please see the GLSA Announcement
xli, xloadimage: Multiple vulnerabilities
xli and xloadimage are vulnerable to multiple issues, potentially leading
to the execution of arbitrary code.
For more information, please see the GLSA Announcement
BidWatcher: Format string vulnerability
BidWatcher is vulnerable to a format string vulnerability, potentially
allowing arbitrary code execution.
For more information, please see the GLSA Announcement
phpMyAdmin: Multiple vulnerabilities
phpMyAdmin contains multiple vulnerabilities that could lead to command
execution, XSS issues and bypass of security restrictions.
For more information, please see the GLSA Announcement
OpenMotif, LessTif: New libXpm buffer overflows
A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code execution.
For more information, please see the GLSA Announcement
xv: Filename handling vulnerability
xv contains a format string vulnerability, potentially resulting in the
execution of arbitrary code.
For more information, please see the GLSA Announcement
Mozilla Firefox: Various vulnerabilities
Mozilla Firefox is vulnerable to a local file deletion issue and to various
issues that allow an attacker to trick the user into trusting fake web sites
or interacting with privileged content.
For more information, please see the GLSA Announcement
ImageMagick: Filename handling vulnerability
A format string vulnerability exists in ImageMagick that may allow an
attacker to execute arbitrary code.
For more information, please see the GLSA Announcement
Hashcash: Format string vulnerability
A format string vulnerability in the Hashcash utility could allow an
attacker to execute arbitrary code.
For more information, please see the GLSA Announcement
8. Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 27 February 2005 and 06 March 2005, activity
on the site has resulted in:
- 826 new bugs during this period
- 467 bugs closed or resolved during this period
- 23 previously closed bugs were reopened this period
Of the 8186 currently open bugs: 97 are labeled 'blocker', 231 are labeled 'critical', and 602 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
New bug rankings
The developers and teams who have been assigned the most new bugs during this period are:
9. GWN feedback
Please send us your feedback and
help make the GWN better.
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org
from the email address you are subscribed under.
11. Other languages
The Gentoo Weekly Newsletter is also available in the
following languages: