
Gentoo Weekly Newsletter: 9 January 2006

Content:

1.  Gentoo news

FOSDEM coming up: Europe's main Gentoo event

Thirty developers have already confirmed their attendance at next month's FOSDEM, Europe's largest open-source conference and the most important event in the European Gentoo calendar, to be held in Brussels. Last year saw the first "dev room" reservation for Gentoo, an entire day and lecture hall completely devoted to Gentoo use and development, with an embedded Gentoo developers-only meeting that initiated the metastructure changes implemented over the last year. FOSDEM 2006 again opens on the last weekend of February, Saturday 25 and Sunday 26, with the Gentoo dev room on the second day and a preliminary schedule already in place. If you plan on attending FOSDEM and need help finding accommodation in Brussels, please contact Patrick Lauer, who coordinates this year's Gentoo presence at FOSDEM, especially if you want to fill one of the last remaining time slots and grace the dev room with a Gentoo presentation!

Lithuanian translators needed

A small team around Ernestas Liubarskij has recently started translating the Gentoo documentation into the Lithuanian language (ISO code: lt). They need many more contributors to help with this effort, so if you can read English, write Lithuanian, and would like to join the team, please contact Ernestas directly.

2.  Developer of the week

"I'm an open-source guy with an open mind" -- Andrea Barisani


Figure 2.1: Andrea Barisani a.k.a. lcars

Andrea Barisani hails from the beautiful Italian city of Trieste. While still trying to finish his degree in physics, he also runs a company - InversePath - together with fellow Gentoo developer Rob Holland. Among many services, they provide Gentoo Linux commercial support for production environments.

During his first year at the university, Andrea discovered his interest in system administration and security. At the university, he deployed one of the earliest documented production Gentoo servers. Through bug reports and patches he became more and more involved with Gentoo. The Gentoo environment still exists at the university, along with rsync1.it.gentoo.org and lists.gentoo.org, both managed by Andrea. His other Gentoo duties include the LDAP setup, general infrastructure work, managing the mailing lists and being the security liaison for the Infrastructure project. Upstream mlmmj (the mailing list software) benefits from many patches Andrea created while adapting and bug-fixing the package to make it work for Gentoo. Additionally, many LDAP-related packages, sendmail, ftester (a firewall testing tool) and tenshi (a log analyzer) are among the packages he maintains.

Andrea has deployed Gentoo on a wide range of systems whenever appropriate -- firewalls, clusters, generic servers... Amazingly, the "KDE or GNOME?" question draws a blank from him -- Andrea is a text-mode addict, powered by ssh, screen, mutt, vim and Subversion. Only in rare cases does X even get started, and then only for Firefox or OpenOffice. Among other things, he manages 50 workstations and six servers at the university, which more than compensates for the comparatively modest machine park of only a few generic x86 computers he keeps at home.

Andrea is not strictly bound to Linux, as he says, "the world is big and we have good software for many different things" -- while Linux usually has the most features it often lacks the consistency of the BSD projects, so he uses whatever works best. "You can see the benefits of a more controlled bazaar in BSD, and you can see the benefits of a huge bazaar in GNU|Whatever/Linux distros," he states.

Some people may remember the "rsync compromise" some time ago, when a flaw in the rsync code was exploited to take over servers; Andrea was one of the first to fully diagnose the exploit. The incident also showed the power of open-source development: within 36 hours the bugs were fixed and a new rsync release was out. An interview about that incident can be found in the Harvard Business Review; a short biography of Andrea and more personal information are available on the InversePath website and on the speakers pages of last year's PacSec conference in Yokohama, which Andrea attended.

3.  Heard in the community

gentoo-dev

Textrels in packages policy

Mark Loeser started a nice technical discussion about textrels. Portage warns about textrels because they can lead to performance and security problems; a comprehensive explanation of how and why can be found in this thread.

GLEP 42 (news) round six

The discussion about portage news reporting which has been going on for a few weeks now gets iterated once more in the hope of reaching a workable solution.

Viability of other SCM/version control systems for big repos

While CVS is mature and quite stable it doesn't offer all the features of newer version control systems. Some people have experimented with migrating the gentoo-x86 repository (which won't happen in the near future due to logistical and administrative issues). Donnie Berkholz asks for experiences with alternatives, especially with performance and scalability in mind.

gentoo-server

Roadrunner's server project update

Ricardo Loureiro wrote a follow-up to his initial PDF document mentioned in the 12 December 2005 edition of the GWN. This new document talks about the initial design layout of the MySQL database required to store package information. It goes into great detail as to data types, and displays more progress towards the project goals.

4.  Gentoo international

Italy: Yet another Gentoo derivative

Proclaiming to allow you to install Gentoo Linux on your computer in a matter of minutes, the RR4 and RR64 Linux DVDs you can get from Fabio Erculiani differ from Gentoo in few ways. The most important difference is a default kernel with Reiser4 enabled, which is certain to send shivers down the spines of many Gentoo developers who certainly wouldn't want to see your bug reports about this anywhere near the official Gentoo Bugzilla. The RR4/64 project is still a remarkable effort, since it's a live system complete with both KDE and GNOME that boots directly from the DVD. The third beta of the 64-bit version of RR just came out on 26 December, sort of a late Christmas present from Fabio to his fellow Italians, with international users equally invited to give it a spin.

5.  Gentoo in the press

Asteria (December 2005)

Jon Hood, a developer working for Asteria Solutions Group, Inc., takes the current beta version of the Gentoo Installer for a test drive around the block and appears quite satisfied with the result. He calls it a "wonderful step in the right direction for the Gentoo distribution," and is particularly delighted because "people aren't supposed to actually USE testing software and have it WORK, but that's exactly what happened." His review includes a pretty little slideshow documenting every step of the installation process when done via the GUI installer, very interesting for everybody who's never seen it at work.

6.  Gentoo developer moves

Moves

The following developers recently left the Gentoo project:

  • None this week

Adds

The following developers recently joined the Gentoo project:

  • Peter Volkov (pva) - netmon
  • Gunnar Wrobel (wrobel) - web apps

Changes

The following developers recently changed roles within the Gentoo project:

  • Sven Vermeulen (swift) - resigned as Gentoo Documentation Project (GDP) lead
  • Xavier Neys (neysx) - took over the GDP lead role from swift

7.  Gentoo Security

CenterICQ: Multiple vulnerabilities

CenterICQ is vulnerable to a Denial of Service issue, and also potentially to the execution of arbitrary code through an included vulnerable ktools library.

For more information, please see the GLSA Announcement

Mantis: Multiple vulnerabilities

Mantis is affected by multiple vulnerabilities ranging from file upload and SQL injection to cross-site scripting and HTTP response splitting.

For more information, please see the GLSA Announcement

Dropbear: Privilege escalation

A buffer overflow in Dropbear could allow authenticated users to execute arbitrary code as the root user.

For more information, please see the GLSA Announcement

NBD Tools: Buffer overflow in NBD server

The NBD server is vulnerable to a buffer overflow that may result in the execution of arbitrary code.

For more information, please see the GLSA Announcement

rssh: Privilege escalation

Local users could gain root privileges by chrooting into arbitrary directories.

For more information, please see the GLSA Announcement

OpenMotif, AMD64 x86 emulation X libraries: Buffer overflows in libUil library

Two buffer overflows have been discovered in libUil, part of the OpenMotif toolkit, that can potentially lead to the execution of arbitrary code.

For more information, please see the GLSA Announcement

scponly: Multiple privilege escalation issues

Local users can exploit an scponly flaw to gain root privileges, and scponly restricted users can use another vulnerability to evade shell restrictions.

For more information, please see the GLSA Announcement

XnView: Privilege escalation

XnView may search for shared libraries in an untrusted location, potentially allowing local users to execute arbitrary code with the privileges of another user.

For more information, please see the GLSA Announcement

pinentry: Local privilege escalation

pinentry is vulnerable to privilege escalation.

For more information, please see the GLSA Announcement

KPdf, KWord: Multiple overflows in included Xpdf code

KPdf and KWord both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code.

For more information, please see the GLSA Announcement

HylaFAX: Multiple vulnerabilities

HylaFAX is vulnerable to arbitrary code execution and unauthorized access vulnerabilities.

For more information, please see the GLSA Announcement

VMware Workstation: Vulnerability in NAT networking

VMware guest operating systems can execute arbitrary code with elevated privileges on the host operating system through a flaw in NAT networking.

For more information, please see the GLSA Announcement

8.  Bugzilla

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 18 December 2005 and 08 January 2006, activity on the site has resulted in:

  • 2338 new bugs during this period
  • 1184 bugs closed or resolved during this period
  • 84 previously closed bugs were reopened this period

Of the 9097 currently open bugs: 78 are labeled 'blocker', 173 are labeled 'critical', and 498 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

9.  GWN feedback

Please send us your feedback and help make the GWN better.

10.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn+subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn+unsubscribe@gentoo.org from the email address you are subscribed under.

11.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated January 9, 2006

Summary: This is the Gentoo Weekly Newsletter for the week of 9 January 2006.

Ulrich Plate
Editor

Patrick Lauer
Author

Chris White
Author


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.