Gentoo Weekly Newsletter: April 25th, 2005
1.
Gentoo News
Project Dolphin: Experimental rescue CD
Benjamin Judas announced last Friday
that the release-engineering team has created a new experimental subproject
called "Project Dolphin" in order to provide a feature-enhanced LiveCD version
targeted at system rescue. Much like the unofficial French SysRescueCD that is also based on the
Gentoo LiveCD, Project Dolphin aims at offering all the tools needed for the
recovery of broken installations, failing hard disks or other systems in need
of rescue.
Figure 1.1: Project Dolphin - LiveCD for rescue missions
Highlights of the CD include zsh, samba, bacula, mc, dar, mutt, xfsdump,
ide-smart, netcat, nmap, chkrootkit, partimage, ncftp, centericq, bind-tools,
alsa-utils, mpg321. A very early test ISO image, actively soliciting
testers, has been made available in the experimental section of the Gentoo mirrors
for download, in the /experimental/x86/livecd/x86 path. Users are
strongly encouraged to submit comments to a freshly introduced meta-bug, either to
report problems or to request feature additions. Thanks a lot for your support!
International Gentoo mailing list additions
Two new mailing lists were made available last week. The Dutch version of the
Gentoo Weekly Newsletter is now distributed in plain text via e-mail, at
gentoo-gwn-nl@gentoo.org, shortly after being translated from the
English original. Like all other newsletter lists, it is for distribution only.
Dutch and Flemish speaking readers of the GWN can subscribe to the new list by
sending an e-mail to gentoo-gwn-nl-subscribe@gentoo.org
and following the instructions in the confirmation message they'll receive.
A regular support and discussion list has been set up for all Russian Gentoo users, as
Konstantin V. Arkhipov announced last week.
To subscribe to gentoo-user-ru@gentoo.org, send a blank message
to gentoo-user-ru-subscribe@gentoo.org.
A full list of official Gentoo mailing lists, both English and non-English ones, is
available along with usage instructions at the
mailing list page.
2.
Developer of the week
"Gentoo is Zen applied to software" -- Patrick Lauer (bonsaikitten)
Figure 2.1: Patrick Lauer aka Bonsaikitten
This week's featured developer is bonsaikitten,
who goes by the name Patrick Lauer in real life. He has no allegiance pledged to any
particular faction of Gentoo devhood, but likes to work on a bit of everything. Since late
2004 he has also been a regular contributor to the GWN; in particular, the gentoo-dev
mailing list summaries and this column, the dev-of-the-week, are usually authored by him.
Patrick operates the gentooexperimental.org
server, offering resources for weird and unfinished ideas, including (but not limited to)
tinderbox, the script
repository and future (web-)rsync replacement
candidates. Planet Gentoo was first hosted on Patrick's server before being moved onto
official hardware managed by the Gentoo infrastructure team.
During the day he's a student of Computer Science at the RWTH Aachen, Germany, where he
has started writing his thesis on "anonymous networks", leaving precious little time
for everything else, but after four and a half years at the university he feels ready
to move on. His computing environment is a room full of crummy old hardware, a Quad
Xeon, two Athlons, and (courtesy of the CS faculty of his university) a 16-CPU cluster.
He is a user of blackbox, firefox, licq, sometimes konqueror, and -- due
to vendor lock-in -- evolution, which seems to get less useful with every
revision, "as do all gnomes and trolls," says Patrick. He likes to work in Python, but
other languages are no problem, either - "unless they are called Java and need longish
incantations for every single statement." When the weather permits he can be found
mountainbiking in the woods and fields around Aachen. He also enjoys good food, good
(Belgian) beer, and the presence of preferably highly intelligent and sexy women (although
the latter does not happen as often as desired). His motto is borrowed from Alfred Lord
Tennyson: "It is better to have loved and lost than never to have loved at all."
3.
Heard in the community
gentoo-dev
Some new xorg ebuilds
For all those who desperately need the newest and most bleeding edge
stuff, Donnie Berkholz has put
some new xorg ebuilds in portage. Bug reports are
appreciated. Especially the 6.8.99.* snapshots might be interesting to
try out - but be warned, it might break ...
Category rename
Since there are many proxies (but not all of them www only), the
www-proxy category might be renamed to net-proxy. All the SOCKS, www,
ftp etc. proxies will then be easy to find in their new category.
Gentoo as a development platform
Daniel Drake starts a discussion on
how to use Gentoo as a development platform where you usually have to
pull in various fixes from CVS. How do you keep everything under
portage's control while still being able to fix things? Does portage
support live CVS ebuilds in a sane fashion? Read on to find out more.
Apache problems
As some of you might have noticed, the Gentoo Apache team has made some
quite extensive changes to the newest versions of Apache. This was done
for various reasons, including (but not limited to) easier maintenance.
This has caused various problems since there is no easy migration path,
and most users don't want to throw away their apache config and start
from scratch. Because of this the newest versions are package.mask'ed
until this situation is resolved.
4.
Gentoo International
Switzerland: Pentoo - Gentoo-based intrusion detection LiveCD
"Pentoo" is an acronym for "PENetration
on genTOO". It is based on kernel version 2.6.10, uses the Gnome desktop environment,
and aims to provide a complete platform for intrusion detection, penetration-testing
and security assessment. The content of the LiveCD can be updated, allowing for
up-to-date fingerprint and vulnerability databases, for tools that require regular
updates like the Nessus plugins, or scanner fingerprint files, metasploit etc. Users
can optionally store data on USB sticks for non-volatile storage support. Pentoo's
author, Michael Zanetta, emphasizes that "it
has to be considered beta as I have not much time to test it carefully," so feedback
and comments are very welcome, at bugs@pentoo.ch. A roadmap for the project is
available, too.
Figure 4.1: Penetration testing based on Gentoo: Swiss 'Pentoo'
5.
Gentoo in the press
Somos libres (25 April 2005, in Spanish)
Today's edition of the Peruvian "Free and Open Software User Group" website at Somos Libres
has an
interview with Daniel Oliveira, one of the heads of the Gentoo spin-off project Ututo developed at and around the university
of Buenos Aires in Argentina. Oliveira, who represents a core team of 37 developers
busy pushing Ututo to individual users, but also into municipal services and small and medium
enterprises in Argentina, explains the history and the current status of the project.
6.
Moves, adds, and changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
- Herbie Hopkins (Herbs) - AMD64
Changes
The following developers recently changed roles within the
Gentoo Linux project:
7.
Gentoo security
CVS: Multiple vulnerabilities
Several serious vulnerabilities have been found in CVS, which may allow an
attacker to remotely compromise a CVS server or cause a DoS.
For more information, please see the GLSA Announcement
XV: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in XV, potentially resulting
in the execution of arbitrary code.
For more information, please see the GLSA Announcement
Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities
New Mozilla Firefox and Mozilla Suite releases fix new security
vulnerabilities, including memory disclosure and various ways of executing
JavaScript code with elevated privileges.
For more information, please see the GLSA Announcement
MPlayer: Two heap overflow vulnerabilities
Two vulnerabilities have been found in MPlayer which could lead to the
remote execution of arbitrary code.
For more information, please see the GLSA Announcement
openMosixview: Insecure temporary file creation
openMosixview and the openMosixcollector daemon are vulnerable to symlink
attacks, potentially allowing a local user to overwrite arbitrary files.
For more information, please see the GLSA Announcement
RealPlayer, Helix Player: Buffer overflow vulnerability
RealPlayer and Helix Player are vulnerable to a buffer overflow that could
lead to remote execution of arbitrary code.
For more information, please see the GLSA Announcement
KDE kimgio: PCX handling buffer overflow
KDE fails to properly validate input when handling PCX images, potentially
resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement
Kommander: Insecure remote script execution
Kommander executes remote scripts without confirmation, potentially
resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement
8.
Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 17 April 2005 and 24 April 2005, activity
on the site has resulted in:
- 817 new bugs during this period
- 493 bugs closed or resolved during this period
- 14 previously closed bugs were reopened this period
Of the 8497 currently open bugs: 89 are labeled 'blocker', 231 are labeled 'critical', and 628 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
New bug rankings
The developers and teams who have been assigned the most new bugs during this period are:
9.
GWN feedback
Please send us your feedback and
help make the GWN better.
10.
GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org
from the email address you are subscribed under.
11.
Other languages
The Gentoo Weekly Newsletter is also available in the
following languages: