Gentoo Logo

Gentoo Weekly Newsletter: 12 June 2006

Content:

1.  Gentoo news

Portage 2.1 Released

After many months in development, the Portage team has released Portage-2.1. This new release sees a great many new features, fixed bugs, and performance improvements. A detailed description of changes can be found in the release notes and NEWS file. Some highlights, however, are:

  • confcache integration: In combination with the dev-util/confcachepackage, users can now benefit from cached configure checks, speeding up build times for many packages.
  • New cache framework: The Portage cache has been completely overhauled, leading to massive speed improvements when updating cache after sync, as well as in other areas.
  • New elog functionality: In the past, important messages from ebuilds were delivered by means of the einfo, ewarn, and eerror functions, which print messages to the standard output. However, in a length multi-package merge, it is very easy for these messages to get lost. The new elog function allows them to be collected in one place for later inspection, and should greatly ease the process of upgrading many packages at one time.
  • New hooks framework: Using /etc/portage/bashrc, users can now define bash functions to be executed before and after any given ebuild phase. This can be used to make almost arbitrary customisations to the build environment, and is a powerful tool for those who need functionality or behaviour that stock Portage cannot provide.
  • Digest improvements: Portage can now use SHA256 and RMD160 digests in addition to MD5 for checking the integrity of downloaded files. This release also introduces support for a new Manifest2 format that should allow the current Manifest and digest-* files to be unified into one much more efficient file format.
  • Improved debugging support: using FEATURES="splitdebug" it is now possible to keep the performance improvements from using stripped binaries, while still having the debug information around on disk should it be needed. This should make filing useful bug reports much easier.
  • Colour remappings: Using the /etc/portage/color.map file, you can now remap the colours that Portage will use in its output. Have you ever wanted a pretty pink portage? Well now you can, without having to change the source code.
  • Configuration improvements: Certain config files can now be made into directories, for easier management (for example, /etc/portage/package.unmask/kde, /etc/portage/package.unmask/xorg will be combined to make the old /etc/portage/package.unmask). /etc/portageitself can also be loaded from different locations, making certain tasks much simpler.
  • Various other improvements: Certain types of binary security issues can now be fixed automatically. The initial import of the Portage module should now be faster in certain circumstances, meaning that external scripts which import it should see speed improvements. Emerge now supports a -q or 'really quiet mode' option, reducing its output to a minimum.

There is a stabilisation bug open, where you can track the progress of this new release towards the stable tree. As of this writing, stable users on x86, Sparc, HPPA and PPC platforms can use the new release; other architecture teams should be following in the near future.

Thanks to Alec Warner and Ned Ludd for taking the time to talk to the GWN about this release.

Status report: Gentoo/Alpha

The Gentoo/Alpha team is responsible for making sure that Gentoo runs smoothly on the Alpha architecture. The team has recently grown to include Thomas Cort and Christel Dahlskjaer. In the past few months we have been very productive. Stephen Bennett has continued his work with SELinux. hardened-sources is now keyworded for alpha. Thanks to the work of Stefaan De Roeck and others, modular X has been keyworded and is working well. The Gentoo/Alpha team is also pleased to announce that we have stabilized gnome-2.12.3 and kde-3.5.2.

Thomas Cort has produced two documents, the Alpha Porting Guide and the Gentoo/Alpha FAQ. A guide to using the SRM console is on the way. Jose Luis Rivero, Fernando Pereda, and the rest of the Gentoo/Alpha team completely revamped the project page. Fernando Pereda has also been busy setting up the Alpha Arch Testers project. If you want to learn more about this excellent opportunity to give back to Gentoo, please check out the Alpha Arch Testers Project page.

Tetex changes

Tetex's upstream maintainer Thomas Esser hass announced that he won't make any further tetex releases. This will have some mid- to long-term effects on how tetex is maintained in Gentoo. Gentoo developer Martin Ehmsen shows the possible methods for handling this – while it seems to be undecided for now how to proceed there will be changes in the future. Stay tuned…

The shadow and pam-login conflict

Many users may have seen that new versions of pam-login and shadow block each other. The reason for that is that the file /bin/login used to be provided by pam-login for mostly historical reasons. Now shadow 4.0 started also providing this file, to reduce confusion this file is now provided by shadow. Also the rest of pam-login has been folded into shadow too, so when you see these two packages blocking each other please unmerge pam-login and emerge the updated shadow package in its place.

Further information can be found in Diego Pettenò's weblog:

Ukrainian IRC channels

The relatively new and still small Ukrainian Gentoo community has opened an official IRC channel: #gentoo-ua channel on irc.freenode.net. If you want to discuss all thing Gentoo in Ukrainian or want to help in the localization effort just join the team around George Shapovalov. For now there is no Ukrainian Subforum, but if that community continues to grow that is a distinct possibility – for now "Other languages" is the correct forum for Ukrainian questions.

Gentoo Women

Geek girls are almost the stuff of legend. Women make up only 30% of regular computer users, and as little as 2% of Linux users.

But why should this be the case? The reason for this can be as elusive as the Linux-using women themselves – for every survey or paper saying that they are not given the same chances or opportunities, there is another one saying exactly the opposite. Lost in the midst of all this controversy, however, is the fact that little if anything is being done to interest women in computing, in Linux, or in Gentoo.

Groups such as the Debian project are seeking to change that. Debian Women, founded in 2004, was set up to encourage women to become more involved with Linux. The group maintains an IRC channel and a mailing list for the discussion of technical issues, as well as maintaining a public presence at Linux-related conferences and events. They also run an extensive mentoring program whereby women are paired up with a mentor who will spend the time to help them find answers to their questions, and get to know the distribution, as well as the community and Linux in general. This mentoring program adds a personal element to the process, and helps to guide people towards working more effectively with Linux. Unfortunately though, as the name implies, their efforts focus very much on encouraging their members to use Debian.

The idea was recently floated of starting a similar project for the women of Gentoo, and we would like your thoughts on the matter. Would such a project be welcome within the community, and would people take advantage of it? What would you like to see the project do, and how? Would you volunteer your time and/or money to encourage people, not just women, to use Gentoo, and to mentor and help users?

All groups, regardless of their origins, need 'fresh blood' to survive – members will inevitably depart, and without a steady stream of people joining the group will diminish with time. If we do not reach out to the community, we miss out on a lot of good ideas and talented people that are out there. Let's make the effort to do so, rather than wallowing in complacency and resisting any change.

2.  Summer of Code - Update

Summer of Code -- One Month Along

It's a month now since the start of this year's Summer of Code, and Gentoo's projects have been progressing rapidly. Our students have been hard at work with their projects, and making good progress. The Summer of Code was originally mentioned in the GWN of May 1st. If you are interested to know what all the fuss is about, read on.

The Summer of Code, now in its second year, is a program run by Google which sponsors students to work on open source projects during the summer holidays. Last year's program was a great success, with a long list of results including some great projects. This year's version is even bigger, containing over twice as many mentoring organisations, and a list of student projects to match.

This year Gentoo is participating as a mentoring organisation, and we were lucky enough to be allocated 14 projects, including this year's most in-demand student – Anant Narayanan had applications accepted by a total of 4 organisations, and chose to work with us rather than any of the others. For a while it was uncertain whether we would be accepted, given the number of other Linux distributions and operating systems already accepted, but we were eventually chosen, and allocated a higher than normal number of projects.

"I like how Gentoo has built a community around the distro in such a short time. To me, that is emblematic of a good community, and is what SoC needs for mentoring great OSS developers" said Greg Stein from Google, talking about why he chose to accept Gentoo over other projects on the hold list. "As one example, Gentoo got included into the program because I've liked how they came from pretty much nowhere into one of the stronger Linux distributions. Out of the thousand distros out there, they rose to one of the primaries in pretty short order. I believe that is due to a strong community focus, which is exactly something that I believe is good for an SoC organization."

A full list of Gentoo's accepted applications with some basic information can be found at Google's Gentoo page; more updates about many of the projects can be found on the students' blogs, which are aggregated as part of Planet Gentoo as well as making up Planet Gentoo SoC. However, we would like to highlight a few individual projects here, with some more information about the projects and their current status.

Michael Kelly has been working on a unified user/group management framework, with the intention of integrating it into package managers and the Gentoo tree to provide an implementation of GLEP 27, which was approved long ago but has not yet been implemented. His code can be found in his public Subversion repository, accessible through the web with ViewVC. As his initial proposal outlines, this should provide some great improvements in the way user and group accounts are handled by ebuilds – the current system, while it works in the vast majority of cases, is relatively limited in its capability and scalability. The code seems to be progressing nicely, and when finished should provide a simple, flexible, and portable means to manage users and groups in package managers and elsewhere.

Alex Martinez has been working on porting Gentoo's "sandbox" utility to run on FreeBSD systems. The Gentoo/*BSD project has been increasingly active in recent months, and is rapidly becoming a viable platform for real-world use. However, due to differences between the FreeBSD and GNU C libraries, the sandbox utility, used primarily for ebuild QA purposes, still does not work properly. Alex's SoC project sets out to change this, and involves looking into the most fundamental libraries on the system to find out just what is causing the problems. While the project is currently on hold due to the exam season, progress just before this was extremely promising. When completed, this should bring the various Gentoo/*BSD ports much closer to having all the package management functionality available on Gentoo Linux, a major milestone in their development.

All in all, the Summer of Code is a fantastic opportunity for students to get more involved in their favourite open source projects and to let them spend the summer doing what they enjoy without hindrance. Of course, it also provides the projects with some great code that perhaps would not have been written otherwise, as well as a fruitful source of potential new contributors. This sentiment was echoed by Christel Dahlskjaer, Gentoo's administrative contact for the summer of code, talking to the GWN earlier this month: "I am doing my best to ensure that we give the students the support they need, we also aim to make these summer months a time of fun for them and we hope that at the end of their 'internship' they'll not only have provided us with contributions in form of code, but will hopefully have decided that they want to come on board and work on Gentoo as developers."

3.  Heard in the community

forums

Genetic - A New Portage Frontend

Over the past two weeks, a discussion of a new ncurses and wxWidgets portage frontend has been happening on the Gentoo Forums. The project is still in its infancy and is asking for XML/Python/Ncurses experts to help.

GEMS - Gentoo Enterprise Management System

An announcement of a new management system in the style of "Red Hat Network" designed for Gentoo has been announced on the forums. It aims to ease the management of a large number of Gentoo computers and currently includes features such as: inventory of installed software, GLSAs associated with them, monitoring deployments status and more. GEMS is licensed under the GPL and is freely available on its website.

Decreasing chances of making mistakes while installing Gentoo

new_to_non_X86, a forum user notes how currently it is very easy for users to make simple mistakes such as typos or missing steps while following the handbook. How do you think the quality of Gentoo documentation could be improved so that mistakes are less prone to happening?

gentoo-dev

GLEP 49 - take 2

After the long discussion about alternative package managers in the last weeks Paul de Vrieze and Grant Goodyear offer two competing GLEPs for discussion that define the capabilities, license and other managerial issues that a package manager has to offer to be supported. This might focus future discussions about portage replacements on technical instead of social issues.

Security/QA Spring Cleaning

Every now and then a security problem is found. When this affects a Gentoo package a GLSA is released, but until now the affected packages were not directly unkeyworded or removed from the tree. This leaves some vulnerable ebuilds in place, so Ned Ludd in cooperation with Brian Harring has started a cleanup of the tree. This should not affect users, only vulnerable, insecure and unmaintained ebuilds will be removed.

Spring Cleanup, part 2

A cleanup of unmaintained broken ebuilds has started. As they were already known to not work no functionality is lost for users. This is part of a general QA strategy to increase the overall quality of Gentoo.

[RFC Maintainer-Wanted Bugs/Cleaning]

For user-submitted and unmaintained ebuilds the maintainer-wanted alias was created. What seemed like a good idea has ended in almost 2000 bugs assigned to that alias, most of them without any changes. Alec Warner asks for input how to handle these bugs in the future. Some ideas like a central overlay for these ebuilds or closing them after a pre-set time are discussed in this thread, but no resolution has been found.

planet.gentoo.org

Gentoo Overlays Project needs a logo

Gentoo Overlays is a project designed to bring social workspaces to Gentoo. It provides a place for Gentoo projects and developers to host their overlays. If you can help the Overlays project by creating a logo drop by #gentoo-overlays on irc.freenode.net.

KDE 3.5.3 unmasked

KDE 3.5.3 got unmasked and provides decreased startup times. Also over 800 minor issues were fixed and small new features implemented in Akregator, KMail and KAlarm.

net-setup enhancements

Naming of network interfaces sometimes differs between a live system and the installed Gentoo system. To help in configuring the network interfaces net-setup has been expanded by two additional dialogs which displays the interface name, interface caption and additional information. The new net-setup will be included in the next livecd-tools release.

4.  Gentoo International

Gentoo UK 2006

A little later than anticipated, organisation of the Gentoo UK 2006 users-and-developers conference is nearing completion. The conference will take place on Saturday July 8th in Central London, and will feature a few talks from Gentoo developers plus possibly some guest speakers. There will also be some social activities taking place around the event.

Numbers are limited, so we do require people to pre-register (no cost) by leaving a name and email address. Registration is open now.

For more info, see the conference website. We look forward to seeing you there!

5.  Tips and Tricks

Searching the portage tree with eix

eix is a handy utility that indexes your portage tree and quickly searches it. The latest stable version, 0.55, is also compatible with Portage 2.1's new metadata backend.

To get started, emerge the package, and then build your index:

Code Listing 5.1: Installing eix

# emerge eix
# update-eix

update-eix will index your ebuilds in your PORTDIR_OVERLAY in addition to the main portage tree.

Once finished you are ready to do some searches. Use eix foo to search for a package, or eix -S bar to search package descriptions. To search for a specific package, use eix -e packagename. You can also use regular expressions in your search parameters by default.

The output of eix displays each package version available. Versions prefixed with ~ are marked unstable, while !indicates the version is hard masked.

Code Listing 5.2: eix firefox

$ eix firefox
* www-client/mozilla-firefox
Available versions:  1.0.7-r4 ~1.0.8 ~1.5-r9 ~1.5-r11 ~1.5.0.1-r2 ~1.5.0.1-r3
~1.5.0.1-r4 1.5.0.2 ~1.5.0.2-r1 1.5.0.3 1.5.0.4
Installed:           none
Homepage:            http://www.mozilla.org/projects/firefox/
Description:         Firefox Web Browser

* www-client/mozilla-firefox-bin
Available versions:  1.0.7 ~1.0.8 1.5.0.2 1.5.0.3 1.5.0.4
Installed:           1.5.0.3
Homepage:            http://www.mozilla.org/projects/firefox
Description:         Firefox Web Browser


Found 2 matches

Finally, one last tip. If you want to run emerge --sync and update-eix all in one step, just run eix-sync instead.

Note: If you have tips and tricks you would like to share with the Gentoo community please drop us a mail at gwn-feedback@gentoo.org

6.  Gentoo developer moves

Moves

The following developers recently left the Gentoo project:

  • Dan Armak
  • Ryan Phillips

Adds

The following developers recently joined the Gentoo project:

  • Chris Parrott (haskell)

Changes

The following developers recently changed roles within the Gentoo project:

  • None this week

7.  Gentoo Security

CherryPy: Directory traversal vulnerability

CherryPy is vulnerable to a directory traversal that could allow attackers to read arbitrary files.

For more information, please see the GLSA Announcement

libTIFF: Multiple vulnerabilities

Multiple vulnerabilities in libTIFF could lead to the execution of arbitrary code or a Denial of Service.

For more information, please see the GLSA Announcement

Opera: Buffer overflow

Opera contains an integer signedness error resulting in a buffer overflow which may allow a remote attacker to execute arbitrary code.

For more information, please see the GLSA Announcement

shadow: Privilege escalation

A security issue in shadow allows a local user to perform certain actions with escalated privileges.

For more information, please see the GLSA Announcement

Dia: Format string vulnerabilities

Format string vulnerabilities in Dia may lead to the execution of arbitrary code.

For more information, please see the GLSA Announcement

Tor: Several vulnerabilities

Tor is vulnerable to a possible buffer overflow, a Denial of Service, information disclosure and information leak.

For more information, please see the GLSA Announcement

Pound: HTTP request smuggling

Pound is vulnerable to HTTP request smuggling, which could be exploited to bypass security restrictions or poison web caches.

For more information, please see the GLSA Announcement

AWStats: Remote execution of arbitrary code

AWStats contains a bug in the sanitization of the input parameters which can lead to the remote execution of arbitrary code.

For more information, please see the GLSA Announcement

Vixie Cron: Privilege Escalation

Vixie Cron allows local users to execute programs as root.

For more information, please see the GLSA Announcement

WordPress: Arbitrary command execution

WordPress fails to sufficiently check the format of cached username data.

For more information, please see the GLSA Announcement

SpamAssassin: Execution of arbitrary code

SpamAssassin, when running with certain options, could allow local or even remote attackers to execute arbitrary commands, possibly as the root user.

For more information, please see the GLSA Announcement

Cscope: Many buffer overflows

Cscope is vulnerable to multiple buffer overflows that could lead to the execution of arbitrary code.

For more information, please see the GLSA Announcement

JPEG library: Denial of Service

The JPEG library is vulnerable to a Denial of Service.

For more information, please see the GLSA Announcement

Mozilla Firefox: Multiple vulnerabilities

Vulnerabilities in Mozilla Firefox allow privilege escalations for JavaScript code, cross site scripting attacks, HTTP response smuggling and possibly the execution of arbitrary code.

For more information, please see the GLSA Announcement

MySQL: SQL Injection

MySQL is vulnerable to an SQL Injection flaw in the multi-byte encoding process.

For more information, please see the GLSA Announcement

8.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 28 May 2006 and 11 June 2006, activity on the site has resulted in:

  • 1756 new bugs during this period
  • 812 bugs closed or resolved during this period
  • 54 previously closed bugs were reopened this period

Of the 10196 currently open bugs: 53 are labeled 'blocker', 144 are labeled 'critical', and 549 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

9.  GWN feedback

Please send us your feedback and help make the GWN better.

10.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank e-mail to gentoo-gwn+subscribe@gentoo.org.

To unsubscribe to the Gentoo Weekly Newsletter, send a blank e-mail to gentoo-gwn+unsubscribe@gentoo.org from the e-mail address you are subscribed under.

11.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:



Print

Page updated June 12, 2006

Summary: This is the Gentoo Weekly Newsletter for the week of 12 June 2006.

Ulrich Plate
Editor

Patrick Lauer
Author

Christel Dahlskjaer
Author

Tobias Scherbaum
Author

Mark Kowarsky
Author

Thomas Cort
Author

Steve Dibb
Author

Alec Warner
Author

Ned Ludd
Author

Lars Weiler
Author

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.