Figure 1.1: Project Dolphin - LiveCD for rescue missions
Project Dolphin: Experimental rescue CD
Benjamin Judas announced last Friday that the release-engineering team has created a new experimental subproject called "Project Dolphin" in order to provide a feature-enhanced LiveCD version targeted at system rescue. Much like the unofficial French SysRescueCD that is also based on the Gentoo LiveCD, Project Dolphin aims at offering all the tools needed for the recovery of broken installations, failing harddisks or other systems in need of rescue.
Figure 1.1: Project Dolphin - LiveCD for rescue missions |
|
Highlights of the CD include zsh, samba, bacula, mc, dar, mutt, xfsdump, ide-smart, netcat, nmap, chrootkit, partimage, ncftp, centericq, bind-tools, alsa-utils, mpg321. A very early test ISO image, actively soliciting testers, has been made available in the experimental section of the Gentoo mirrors for download, in the /experimental/x86/livecd/x86 path. Users are strongly encouraged to submit comments to a freshly introduced meta-bug, either to report problems or to request feature additions. Thanks a lot for your support!
International Gentoo mailing list additions
Two new mailing lists have been made available last week: The Dutch version of the Gentoo Weekly Newsletter is now distributed in plain text version via e-mail, at gentoo-gwn-nl@gentoo.org, shortly after being translated from the English original. As all other newsletter lists, it is for distribution only. Dutch and Flemish speaking readers of the GWN can subscribe to the new list by sending an e-mail to gentoo-gwn-nl-subscribe@gentoo.org and following the instructions in the confirmation message they'll receive.
A regular support and discussion list has been set up for all Russian Gentoo users, as Konstantin V. Arkhipov announced last week. gentoo-user-ru@gentoo.org can be subscribed by sending a blank message to gentoo-user-ru-subscribe@gentoo.org. A full list of official Gentoo mailing lists, both English and non-English ones, is available along with usage instructions at the mailing list page.
"Gentoo is Zen applied to software" -- Patrick Lauer (bonsaikitten)
Figure 2.1: Patrick Lauer aka Bonsaikitten |
 |
This week's featured developer is bonsaikitten, who goes by the name Patrick Lauer in real life. He has no allegiance pledged to any particular faction of Gentoo devhood, but likes to work on a bit of everything. Since late 2004 he is also a regular contributor to the GWN, in particular the gentoo-dev mailing list summaries and this column, the dev-of-the-week, are usually authored by him.
Patrick operates the gentooexperimental.org server, offering ressources for weird and unfinished ideas, including (but not limited to) tinderbox, the script repository and future (web-)rsync replacement candidates. Planet Gentoo was first hosted on Patrick's server before being moved onto official hardware managed by the Gentoo infrastructure team.
During the day he's a student of Computer Science at the RWTH Aachen, Germany, where he has started writing his thesis on "anonymous networks", leaving precious little time for everything else, but after four and a half years at the university he feels ready to move on. His computing environment is a room full of crummy old hardware, a Quad Xeon, two Athlons, and (courtesy of the CS faculty of his university) a 16-CPU cluster.
He is a user of blackbox, firefox, licq, sometimes konqueror, and -- due to vendor lock-in -- evolution, which seems to get less useful with every revision, "as do all gnomes and trolls," says Patrick. He likes to work in Python, but other languages are no problem, either - "unless they are called Java and need longish incantations for every single statement." When the weather permits he can be found mountainbiking in the woods and fields around Aachen. He also enjoys good food, good (Belgian) beer, and the presence of preferably highly intelligent and sexy women (although the latter does not happen as often as desired). His motto is borrowed from Alfred Lord Tennyson: "It is better to have loved and lost than never to have loved at all."
Some new xorg ebuilds
For all those that desparately need the newest and most bleeding edge stuff, Donnie Berkholz has put some new xorg ebuilds in portage. Bug reports are appreciated. Especially the 6.8.99.* snapshots might be interesting to try out - but be warned, it might break ...
Category rename
Since there are many proxies (but not all of them www only), the www-proxy category might be renamed to net-proxy. All the SOCKS, www, ftp etc. proxies will then be easy to find in their new category.
Gentoo as a development platform
Daniel Drake starts a discussion on how to use Gentoo as a development platform where you usually have to pull in various fixes from CVS. How do you keep everything under portage's control while still being able to fix things? Does portage support live CVS ebuilds in a sane fashion? Read on to find out more.
Apache problems
As some of you might have noticed, the Gentoo Apache team has done some quite extensive changes to the newest versions of Apache. This was done for various reasons, including (but not limited to) easier maintenance. This has caused various problems since there is no easy migration path, and most users don't want to throw away their apache config and start from scratch. Because of this the newest versions are package.mask'ed until this situation is resolved.
Switzerland: Pentoo - Gentoo-based intrusion detection LiveCD
"Pentoo" is an acronym for "PENetration on genTOO". It is based on kernel version 2.6.10, uses the Gnome desktop environment, and aims to provide a complete platform for intrusion detection, penetration-testing and security assessment. The content of the LiveCD can be updated, allowing for up-to-date fingerprint and vulnerability databases, for tools that require regular updates like the Nessus plugins, or scanner fingerprint files, metasploit etc. Users can optionaly store data on USB sticks for non-volatile storage support. Pentoo's author, Michael Zanetta, emphasizes that "it has to be considered beta as I have not much time to test it carefully," so feedback and comments are very welcome, at bugs@pentoo.ch. A roadmap for the project is available, too.
Figure 4.1: Penetration testing based on Gentoo: Swiss 'Pentoo' |
 |
Somos libres (25 April 2005, in Spanish)
Today's edition of the Peruvian "Free and Open Software User Group" website at Somos Libres has an interview with Daniel Oliveira, one of the heads of the Gentoo spin-off project Ututo developed at and around the university of Buenos Aires in Argentina. Oliveira, who represents a core team of 37 developers busy pushing Ututo to individual users, but also into municipal services and small and medium enterprises in Argentina, explains the history and the current status of the project.
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo Linux team:
The following developers recently changed roles within the Gentoo Linux project:
Several serious vulnerabilities have been found in CVS, which may allow an attacker to remotely compromise a CVS server or cause a DoS.
For more information, please see the GLSA Announcement
Multiple vulnerabilities have been discovered in XV, potentially resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement
Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities
New Mozilla Firefox and Mozilla Suite releases fix new security vulnerabilities, including memory disclosure and various ways of executing JavaScript code with elevated privileges.
For more information, please see the GLSA Announcement
MPlayer: Two heap overflow vulnerabilities
Two vulnerabilities have been found in MPlayer which could lead to the remote execution of arbitrary code.
For more information, please see the GLSA Announcement
openMosixview: Insecure temporary file creation
openMosixview and the openMosixcollector daemon are vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.
For more information, please see the GLSA Announcement
RealPlayer, Helix Player: Buffer overflow vulnerability
RealPlayer and Helix Player are vulnerable to a buffer overflow that could lead to remote execution of arbitrary code.
For more information, please see the GLSA Announcement
KDE kimgio: PCX handling buffer overflow
KDE fails to properly validate input when handling PCX images, potentially resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement
Kommander: Insecure remote script execution
Kommander executes remote scripts without confirmation, potentially resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 17 April 2005 and 24 April 2005, activity on the site has resulted in:
Of the 8497 currently open bugs: 89 are labeled 'blocker', 231 are labeled 'critical', and 628 are labeled 'major'.
The developers and teams who have closed the most bugs during this period are:
The developers and teams who have been assigned the most new bugs during this period are:
Please send us your feedback and help make the GWN better.
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
The Gentoo Weekly Newsletter is also available in the following languages: