
Gentoo Weekly Newsletter: March 7th, 2005

Content:

1.  Gentoo News

Gentoo 2005.0 security rebuild

A set of exploitable bugs in gaim and mozilla-firefox (remotely exploitable) and in qt and kdelibs (locally exploitable) was discovered just before the final Gentoo Linux 2005.0 release build finished. The discovery came mere hours before the build was scheduled to complete; rather than ship it, Gentoo's release engineering team unanimously decided to discard it and reconstruct the release media with all the security bugs resolved prior to release. Thanks to the Gentoo security team for catching the bugs, and to the profiles' lead developers for putting up with the delay and testing the builds on their architectures yet again!

Gentoo staging/master rsync server migrated

Thanks to the donation of an Opteron 246 server from Nvidia, Gentoo is now running its staging mirror and master rsync mirror on new hardware. Lance Albertson and Nick Jones completed the Portage regeneration move last Wednesday with few or no problems. This server synchronizes from CVS every thirty minutes, then regenerates the depcache, which can take a lot of I/O and time to finish. From there, the public rsync servers sync from it. The old server was a single 1GHz Pentium III and could finish this regen process in 10-30 minutes. The new Opteron server does the same thing in 1-2 minutes. This is an amazing improvement and will definitely allow us to scale well as the tree continues to grow. Just a note: the update frequency has not changed, so please don't waste your time trying to update every 2 minutes.

Also, most of the mirroring files were moved to this server a month ago, with the exception of distfiles. We were running out of space on the old server, and this new server has a lot more space for us to grow on. Nick Jones is currently working on a better script that catches missing distfiles and cleans old ones. Hopefully we'll start using this script in production in the next few weeks, in order to save space on our mirrors for other projects.

Forum software updates

Software enhancements done to the Gentoo Forums may well require a weekly column of their own soon. The frequency of updates has already been high over the past few weeks, but all these changes were just made to make even bigger changes possible. Expect more to come, particularly with regard to "Mission UTF-8", an ongoing effort to switch the forums completely to Unicode, supported by tools that have already been put in place to aid the switch over the next few months.

Three important changes were done in the last two weeks:

  • We finally added jabber to the user profiles. Christian Hartmann created a Jabber-Mod for the phpBB 2.0.x branch, Forum user ptlis then merged this with his own Jabber-Mod that has since been made available at phpBB.com.
  • The subSilver and Gentoo-Lite themes were removed, mainly to speed up development and to minimize potential sources of bugs or other future problems. Apologies to those losing the ability to choose alternative profiles, but it's obviously much easier for the administrators to make and maintain changes in the future if little-used themes can be eliminated. The default Gentoo theme was the only one kept because it is used by the overwhelming majority of Forum users: out of more than 80,000 registered forum IDs, only 450 were linked to the subSilver theme, and 4500 had chosen Gentoo-Lite.
  • Some adjustments have been made to the textbox of the postview window, thanks to the great Forum community for keeping track of that.

System application reshuffle: Heads up!

In a swift action affecting more than 200 packages residing in Portage's sys-apps category, Ciaran McCreesh is currently busy moving some of them into other existing categories, while others will find entirely new homes in the tree. The applications in question are listed in a file sitting in Ciaran's devspace. If you find problems with a package after it has been moved, please file a bug or contact Ciaran on irc.freenode.net. Gentoo users who keep sys-apps packages in an individual overlay in particular may want to pay special attention to the changes.

Looking for testimonials on Gentoo business usage

One of the things that we are always looking for at Gentoo is information on people using Gentoo to make their lives easier. This could be anything from using Gentoo machines as a render farm or rolled out into desktop usage, to just a small corporate firewall. Information such as this can help us better determine where we are and where we should be focusing our efforts. If you have a Gentoo success story, then we would love to hear about it! Information about large deployments or Gentoo usage in unusual markets are mostly what we are looking to receive. Send your story to usage-feedback@gentoo.org today.

Note: Although some interesting projects will certainly receive coverage in the GWN, we respect your wish for confidentiality if the project doesn't allow for publication. Please mark your story as confidential when submitting it to the usage feedback address; in that case it will only be discussed among directly affected developers.

2.  Developer of the week

"The best thing about Gentoo is the community." -- Albert Hopkins (marduk)

Figure 2.1: Albert Hopkins aka marduk

This week's featured developer Marduk is a member of the Infrastructure group, responsible for developing and maintaining one of the most exciting elements of Gentoo's web presence, the packages.gentoo.org site. He'd be interested in many other areas of Gentoo, but making sure the packages database site stays up, fixing bugs, and further development takes up most of his free time. That doesn't keep him from being in the process of re-writing the entire presentation, though, and he has many ambitions for the new site, too many to list here...

Figure 2.2: A view of things to come: Refurbishing the package database (packages.gentoo.org)

Gentoo is his most significant OSS project to date, but Marduk has been developing open-source software for several years. He authored a program called Linbot, which was a web crawler/link validating tool written in Python that received a lot of recognition in its time, with reviews appearing in Linux magazines, inclusion in distributions and a Python book. "I'm very passionate about the Python programming language. I have been hacking in Python since 1997. While I still occasionally look at other programming languages, I always go back to Python," says Marduk. Unfortunately for Linbot, he received a "cease and desist" letter one day because the name was apparently too close to the name of a commercial application, and he hasn't worked on or distributed the software since then. The few smaller programs he continues distributing are kept at his own repository.

Marduk is an administrator for Linux and Linux-like systems at a major U.S. clinical laboratory. A college drop-out who nonetheless attended Cornell University majoring in Electrical Engineering, he used to work at a supercomputer facility and always loved that, still keeping a vivid interest in high performance computing, but regrets not being able to afford the hardware. His current main box was just recently upgraded to an AMD64, and he made sure "it's got all the trimmings," says Marduk. "The first application I launch is evolution, and if you ps my box, you'll most likely also find vim, epiphany, gnome-terminal and, of course, python."

Marduk lives in the Dallas, TX area. He's single (now accepting applications), and his hobbies outside of computing that he felt worth mentioning during the interview include movies, long drives in his Audi TT roadster, indie music, silence, science, and sociology.

3.  Gentoo International

Germany: Chemnitzer Linuxtage

Lars Weiler, Tobias Scherbaum and Jens Blaesche ("Mr. Big") represented Gentoo at this year's Chemnitzer Linuxtage, a conference and expo in East Germany's Saxony region that has been growing in importance since it was first organized last year, with more presentations in the main track, the usual suspects in the exposition hall, and a nice crowd mostly from Saxony itself, but also attracting visitors from other parts of Germany. The Gentoo booth had a Pegasos Open Desktop Workstation on display, a Sun Ultra10 running Gentoo, and the recent Brussels invention of the /dev/snack box of sweets was equally popular with visitors. Particularly rewarding for the booth staff who had already been at last year's event: visitors they had met back then, who had asked generally uninformed "What is Gentoo?" questions, now came back sporting "Portage addict" t-shirts and laptops with Gentoo Linux running on them. A German version of the Fizzlewizzle LiveDVD (see last week's FOSDEM report), complete with KDE and distfiles sources, was the top-seller at this regional event, very welcome in this part of Germany where broadband Internet connections are hard to come by.

Figure 3.1: Chemnitz. Left: Gentoo booth, center: Pylon, right: dertobi123 and Mr. Big

International event reminders

Two events are scheduled for next weekend: one in Manchester, where Stuart Herbert expects UK-based Gentoo developers and users at the second Gentoo UK Conference, and an expo in Lörrach (Germany, close to the Swiss border) with a Gentoo booth on the floor.

  • Gentoo UK Conference - Saturday, 12 March in Manchester, UK: University of Salford. Attention: The Friday night social event before the conference will start at 19:30 at the Stay Inn (driving instructions at their website).
  • IT/Linux Days 2005 - 11 to 14 March in Lörrach, Germany: Regio-Messe Lörrach

4.  Gentoo in the press

OSdir.com (4 March 2005)

The lack of support forums or other "groundswell support from users" is the topic of an article in O'Reilly's operating systems magazine. Author Steve Mallett asks "Where is the SuSE Community?", and compares the missing user community presence to other popular distributions: "A search for Fedora, Mandrake, or Gentoo for instance and you have no problem finding forums, wikis, official and unofficial FAQs. Signs of life." observes OSdir.com's managing editor.

Apple-Linux.org (3 March 2005, in French)

Author Prosper describes the gentoo-stats project in an article on the French Linux forum for Apple computers. "The basc project makes it possible to calculate the time to install an ebuild. Packages are represented by GU (Gentoo units); if you know how many seconds one GU takes to compile on your system, it's enough to simply multiply those."

Todo-Linux.com (28 February 2005, in Spanish)

The Spanish magazine reports about Intel and AMD pushing for 64-bit computing in the user realm, and observes that while Microsoft doesn't currently have an operating system that fully supports the hardware, Linux distributions, "for example Gentoo", are listed as totally functioning under 64-bit conditions.

5.  Tips and Tricks

Emerge flags deserving more attention

There are a few flags emerge accepts that can give some insight as to what it is (or will be) doing. We've described some of the newer ones that have been added with portage-2.0.51, but there are a couple of older switches that users may have forgotten about. Here's a quick look at two of those.

Perhaps a little more commonly used is the first one, --verbose, or -v. It displays the USE flags that a package recognizes, and which ones are currently enabled or disabled. When running emerge with the --newuse flag, it even marks with an asterisk those flags that have been enabled or disabled since the last time a package was built. It also displays the size of files that need to be downloaded for a particular package, in addition to the total download size for all packages to be emerged.

The second is --tree, or -t. This displays the dependency tree by indenting dependencies. Here's an example to illustrate the effect of this flag:

Code Listing 5.1: Indented packages showing their dependencies

[ebuild  N    ] x11-plugins/gkrellm-sensors-0.1  (This tells us that gkrellm-sensors)
[ebuild  N    ]  app-admin/gkrellm-1.2.13        (requires gkrellm and lm_sensors,)
[ebuild  N    ]  sys-apps/lm_sensors-2.8.7       (and lm_sensors requires i2c.)
[ebuild  N    ]   sys-apps/i2c-2.8.7

By combining --verbose and --tree, you'll get a much clearer picture of exactly what emerge is doing. Needless to say, this makes it much easier to tweak your USE flags for better control over which packages are being installed.
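The indentation in the --tree listing above is the only thing that encodes the dependency structure, and with --verbose --newuse the USE column carries the asterisk markers. The following parser, an added example that is not part of the newsletter or of Portage itself, turns such a listing back into an explicit dependency map and per-package USE-flag sets. The sample output is constructed for this example (it extends the page's listing with a USE column and download sizes in the general shape emerge -v prints them); the exact column layout of a real emerge run is an assumption, and the regular expression is written to tolerate missing columns.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `emerge --tree --verbose --newuse` output (not captured
# from a real system). After the closing "]" there is one space for a top-level
# package and one extra space per dependency level; the USE="..." column only
# appears with --verbose, and a trailing "*" on a flag is the --newuse marker.
SAMPLE_OUTPUT = """\
[ebuild  N    ] x11-plugins/gkrellm-sensors-0.1  USE="-debug" 41 kB
[ebuild  N    ]  app-admin/gkrellm-1.2.13  USE="gnome -ssl*" 660 kB
[ebuild  N    ]  sys-apps/lm_sensors-2.8.7  USE="-debug" 823 kB
[ebuild  N    ]   sys-apps/i2c-2.8.7  USE="" 285 kB
"""

LINE_RE = re.compile(
    r'^\[ebuild\s+(?P<status>[^\]]*)\]'  # status column, e.g. "N", "U", "R"
    r'(?P<indent> +)'                     # depth: 1 space for a root, +1 per level
    r'(?P<atom>\S+)'                      # category/package-version
    r'(?:\s+USE="(?P<use>[^"]*)")?'       # optional USE column (--verbose)
    r'(?:\s+(?P<size>[\d,]+) kB)?'        # optional download size (--verbose)
)


def parse_use(use: str) -> Dict[str, List[str]]:
    """Split a USE="..." column into enabled, disabled and changed (asterisked) flags."""
    enabled: List[str] = []
    disabled: List[str] = []
    changed: List[str] = []
    for tok in use.split():
        if tok.endswith("*"):            # --newuse marker: flag flipped since last build
            tok = tok[:-1]
            changed.append(tok.lstrip("-"))
        if tok.startswith("-"):
            disabled.append(tok[1:])
        else:
            enabled.append(tok)
    return {"enabled": enabled, "disabled": disabled, "changed": changed}


def parse_tree(output: str) -> Tuple[Dict[str, List[str]], Dict[str, Dict[str, List[str]]]]:
    """Return (deps, use): deps maps each atom to the atoms listed directly under
    it; use maps each atom with a USE column to its parsed flag sets."""
    deps: Dict[str, List[str]] = {}
    use: Dict[str, Dict[str, List[str]]] = {}
    stack: List[Tuple[int, str]] = []    # (depth, atom) of the current ancestry
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # blank lines or emerge's summary lines
        depth = len(m.group("indent")) - 1
        atom = m.group("atom")
        # Unwind to the nearest ancestor that is strictly shallower than this line.
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent: Optional[str] = stack[-1][1] if stack else None
        deps.setdefault(atom, [])
        if parent is not None:
            deps[parent].append(atom)
        if m.group("use") is not None:
            use[atom] = parse_use(m.group("use"))
        stack.append((depth, atom))
    return deps, use


def packages_with_changed_flags(use: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Atoms whose USE flags changed since their last build (the --newuse rebuilds)."""
    return [atom for atom, flags in use.items() if flags["changed"]]


if __name__ == "__main__":
    deps, use = parse_tree(SAMPLE_OUTPUT)
    for atom, children in deps.items():
        print(f"{atom} -> {children}")
    print("rebuilt because of changed USE flags:", packages_with_changed_flags(use))
```

Running the block on the constructed sample prints gkrellm-sensors depending on gkrellm and lm_sensors, lm_sensors depending on i2c, and gkrellm as the one package being rebuilt because its ssl flag changed.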

6.  Moves, adds, and changes

Moves

The following developers recently left the Gentoo team:

  • None this week

Adds

The following developers recently joined the Gentoo Linux team:

  • Andrew Fant (JFMuggs) - Infrastructure
  • Eric Edgar (rocket) - Catalyst/Genkernel

Changes

The following developers recently changed roles within the Gentoo Linux project:

  • None this week

7.  Gentoo security

MediaWiki: Multiple vulnerabilities

MediaWiki is vulnerable to cross-site scripting, data manipulation and security bypass attacks.

For more information, please see the GLSA Announcement

Qt: Untrusted library search path

Qt may load shared libraries from an untrusted, world-writable directory, resulting in the execution of arbitrary code.

For more information, please see the GLSA Announcement
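The Qt advisory above describes a general class of problem: a library search path that includes a directory any local user can write to lets that user plant a shared object which a trusted program will then load. The check below is an added example, not Qt's code or part of the GLSA; it splits a colon-separated search path the way the dynamic loader does (an empty component means the current directory) and reports entries that are world-writable directories. The directories it inspects are constructed in a temporary location by the demo() helper, so the example runs offline.

```python
import os
import stat
import tempfile
from typing import Dict, List


def split_search_path(value: str) -> List[str]:
    """Split a colon-separated search path; an empty component means the
    current directory, which is how LD_LIBRARY_PATH-style variables are read."""
    return [entry if entry else "." for entry in value.split(":")]


def world_writable_dirs(search_path: List[str]) -> List[str]:
    """Return the entries that exist, are directories and are world-writable.

    The sticky bit is deliberately NOT treated as a mitigation: it only stops
    other users from deleting or renaming existing files, while planting a new
    library under a name that is not yet present is exactly the attack."""
    risky: List[str] = []
    for entry in search_path:
        try:
            st = os.stat(entry)
        except OSError:
            continue                     # missing entry: nothing to load from (yet)
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:
            risky.append(entry)
    return risky


def demo() -> Dict[str, object]:
    """Constructed example: one open and one restricted directory in a temp
    location, joined into a search path with a trailing empty component."""
    base = tempfile.mkdtemp(prefix="libpath-demo-")
    open_dir = os.path.join(base, "open")
    safe_dir = os.path.join(base, "safe")
    os.mkdir(open_dir)
    os.chmod(open_dir, 0o777)            # chmod explicitly: mkdir's mode is masked by umask
    os.mkdir(safe_dir)
    os.chmod(safe_dir, 0o755)
    entries = split_search_path(":".join([safe_dir, open_dir, ""]))
    return {
        "entries": entries,
        "risky": world_writable_dirs(entries),
        "open": open_dir,
        "safe": safe_dir,
    }


if __name__ == "__main__":
    result = demo()
    for entry in result["entries"]:
        flag = "WORLD-WRITABLE" if entry in result["risky"] else "ok"
        print(f"{flag:15} {entry}")
```

The same function can be pointed at a real search path (for example the value of LD_LIBRARY_PATH or the contents of /etc/ld.so.conf, assumed here as inputs and not read by the example) to audit a system for the condition the advisory describes; the fix is always to remove the offending directory from the path or restrict its permissions, never to rely on the sticky bit.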

phpBB: Multiple vulnerabilities

Several vulnerabilities allow remote attackers to gain phpBB administrator rights or expose and manipulate sensitive data.

For more information, please see the GLSA Announcement

Gaim: Multiple Denial of Service issues

Multiple vulnerabilities have been found in Gaim which could allow a remote attacker to crash the application.

For more information, please see the GLSA Announcement

phpWebSite: Arbitrary PHP execution and path disclosure

Remote attackers can upload and execute arbitrary PHP scripts, another flaw reveals the full path of scripts.

For more information, please see the GLSA Announcement

xli, xloadimage: Multiple vulnerabilities

xli and xloadimage are vulnerable to multiple issues, potentially leading to the execution of arbitrary code.

For more information, please see the GLSA Announcement

BidWatcher: Format string vulnerability

BidWatcher is vulnerable to a format string vulnerability, potentially allowing arbitrary code execution.

For more information, please see the GLSA Announcement

phpMyAdmin: Multiple vulnerabilities

phpMyAdmin contains multiple vulnerabilities that could lead to command execution, XSS issues and bypass of security restrictions.

For more information, please see the GLSA Announcement

OpenMotif, LessTif: New libXpm buffer overflows

A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution.

For more information, please see the GLSA Announcement

xv: Filename handling vulnerability

xv contains a format string vulnerability, potentially resulting in the execution of arbitrary code.

For more information, please see the GLSA Announcement

Mozilla Firefox: Various vulnerabilities

Mozilla Firefox is vulnerable to a local file deletion issue and to various issues allowing to trick the user into trusting fake web sites or interacting with privileged content.

For more information, please see the GLSA Announcement

ImageMagick: Filename handling vulnerability

A format string vulnerability exists in ImageMagick that may allow an attacker to execute arbitrary code.

For more information, please see the GLSA Announcement

Hashcash: Format string vulnerability

A format string vulnerability in the Hashcash utility could allow an attacker to execute arbitrary code.

For more information, please see the GLSA Announcement

8.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 27 February 2005 and 06 March 2005, activity on the site has resulted in:

  • 826 new bugs during this period
  • 467 bugs closed or resolved during this period
  • 23 previously closed bugs were reopened this period

Of the 8186 currently open bugs: 97 are labeled 'blocker', 231 are labeled 'critical', and 602 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

9.  GWN feedback

Please send us your feedback and help make the GWN better.

10.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

11.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:


Page updated March 7, 2005

Summary: This is the Gentoo Weekly Newsletter for the week of 7 March 2005.

Ulrich Plate
Editor

Lance Albertson
Author

Chris Gianelloni
Author

Christian Hartmann
Author

Patrick Lauer
Author

Joshua Nichols
Author


Copyright 2001-2014 Gentoo Foundation, Inc.