Gentoo Weekly Newsletter: 7 May 2007
1. Gentoo News
Gentoo 2007.0, code named "Secret Sauce", is released
The Gentoo Release Engineering project is
pleased to announce the much-delayed release of Gentoo Linux 2007.0, code named
"Secret Sauce". This release met with several delays due to an abnormally high
number of security vulnerabilities in large packages which had to be rebuilt
using the newer, secure versions of the packages. There was also a complete
re-snapshot done about half-way through the release period due to the release
taking so long and the packages becoming stale.
You can find out more information about the release in the official press
release. To get the new release, grab it from
http://www.gentoo.org/main/en/where.xml.
Recent Coreutils update and shell script issues
If you recently updated coreutils, or are planning your next emerge -avNDu
world while reading this, you might want to take note of some important
changes. The recent update to sys-apps/coreutils moved some utilities
around a bit. Some moved from /bin to /usr/bin,
others, maybe because they felt the inodes were greener in the other directory,
flipped from /usr/bin to /bin. While there are many
important reasons these files moved, including providing access to the tools
while in single user mode, what matters more for those affected is knowing
what this means for your shell scripts: how to look for problems and, if
necessary, how to fix your scripts.
For many people, most scripts are run as root through cron, and their authors
might have taken the precaution of hard coding the path of each and every
binary in the script (it is generally considered a more secure method of
scripting; you can get more detail at
http://forums.gentoo.org/viewtopic-t-548833.html). Hopefully, those paths to
the binaries are stored in variables at the beginning of the script, such as:
Code Listing 1.1: Example script
#!/bin/bash
MYNOHUP=/usr/bin/nohup
MYCOMMAND=/usr/local/bin/somecommand
$MYNOHUP $MYCOMMAND
This way, there is only one edit to make in the script. Of course, this isn't
the only solution. In a recent discussion on the gentoo-dev mailing
list, many potential solutions were offered. You can read the thread at
http://archives.gentoo.org/gentoo-dev/msg_144236.xml. One potential
solution is to completely forgo the full path to binaries in your shell
scripts. By ensuring that the PATH variable is properly set at the beginning
of your scripts, this entire issue is completely avoidable. In fact, for those
that currently subscribe to this method of shell scripting, the coreutils
update may have gone completely unnoticed. A good default for the PATH variable
in your scripts would be:
Code Listing 1.2: Default PATH example
PATH=${PATH}:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
Obviously, one might want to check where binaries in more esoteric locations
live; for example, /opt/vmware/server/bin is the location
for VMware Server utilities. Another option mentioned was the command -p
program method. From the man page, command -p will "perform the command
search using a default value for PATH that is guaranteed to find all of the
standard utilities". This appears to be a fairly safe method of executing a
command, albeit at the cost of a few extra keystrokes. Also, since command is a
built in bash utility, it doesn't actually exist on the file system and is
therefore immune to the changes made by coreutils. This of course assumes one
is using the bash shell by default, which is a safe bet for most Linux users.
Similar to command, env runs a program in a modified environment. Simply
calling env program will run your utility with a drastically
stripped-down path; /bin:/usr/bin according to the email thread.
Contrary to the command utility, env is a file on the local file system and
exists, via symbolic links, in both /bin and /usr/bin.
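To see which file a script will actually execute under each PATH form described above, the following added example (not part of the original newsletter) resolves a command name under the Listing 1.2 PATH and under a PATH assigned without the inherited value; the function and variable names are made up for the example. With the Listing 1.2 form, directories already in the inherited PATH are searched before the appended ones.

```shell
#!/bin/bash
# Added example, not from the newsletter. which_runs, candidates, APPENDED and
# FIXED are names made up here.

# Listing 1.2 form: the standard directories are appended, so every directory
# already in the inherited PATH is searched before them.
APPENDED="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

# Assigned outright: only the listed directories are searched.
FIXED="/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

# Print the file the shell would execute for NAME when PATH is PATHVALUE.
which_runs() {
    ( PATH=$1; command -v "$2" )
}

# List every executable NAME found in PATHVALUE, in search order. The first
# line is the one that runs; further lines are shadowed copies.
candidates() {
    local IFS=: dir
    for dir in $1; do
        dir=${dir:-.}       # an empty PATH entry means the current directory
        [ -f "$dir/$2" ] && [ -x "$dir/$2" ] && echo "$dir/$2"
    done
    return 0
}

# Usage: ./pathcheck.sh nohup env ...
for name in "$@"; do
    echo "$name, inherited PATH + standard dirs: $(which_runs "$APPENDED" "$name")"
    echo "$name, standard dirs only:             $(which_runs "$FIXED" "$name")"
    candidates "$APPENDED" "$name" | sed 's/^/    candidate: /'
done
```

If the two lines printed for a command differ, the script's behaviour depends on the environment it was started from.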
Ultimately, the solution you choose is largely a matter of preference and
personal experience. Your best bet is to experiment with the solutions listed
above to find the one with which you are most comfortable. With your new-found
knowledge, there is one last thing to do. You will need to make sure that you
find the scripts running on your system and test them for problems. You can
manually run each of them in debug mode to look for issues.
Code Listing 1.3: Running a bash command in debug mode
$ bash -x sample_cron_job
+ /bin/echo 'Hello World!'
Hello World!
You will also want to look in /usr/local/bin for scripts (if that
is where you keep them) and also /etc/conf.d/local.start and
/etc/conf.d/local.stop. If everything works, then you are in great
shape!
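Running every script by hand only exercises the code paths that happen to execute, so a static pass over the hard-coded paths is a useful complement. The following added example (not part of the original newsletter) reports each /bin, /usr/bin, /sbin or /usr/sbin path in a script that no longer points at an executable and shows where the tool lives now; audit_script and its ROOT argument are names made up for the example.

```shell
#!/bin/bash
# Added example, not from the newsletter. audit_script and its ROOT argument
# are names made up here. ROOT is a filesystem prefix: "" audits the live
# system, a directory name audits a test tree.

# Print one line for every /bin, /usr/bin, /sbin or /usr/sbin path in SCRIPT
# that is no longer an executable file, with the tool's current location.
audit_script() {
    local root=$1 script=$2 path name dir found
    # Take whole path-like tokens first, then keep only the four standard
    # directories, so /usr/local/bin/foo is not misread as /bin/foo.
    grep -oE '/[A-Za-z0-9_./+-]+' "$script" |
    grep -E '^(/usr)?/s?bin/[^/]+$' | sort -u |
    while read -r path; do
        [ -x "$root$path" ] && continue     # still where the script expects it
        name=${path##*/}
        found=""
        for dir in /bin /usr/bin /sbin /usr/sbin; do
            if [ -x "$root$dir/$name" ]; then
                found=$dir/$name
                break
            fi
        done
        echo "$script: $path -> ${found:-NOT FOUND}"
    done
}

# Usage: ./audit.sh /usr/local/bin/* /etc/conf.d/local.start /etc/conf.d/local.stop
for script in "$@"; do
    if [ -f "$script" ]; then
        audit_script "" "$script"
    fi
done
```

No output means every hard-coded path in the scanned scripts still resolves; paths built at run time from variables are not seen by this check.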
2. Heard in the community
planet.gentoo.org
Status of Gentoo MIPS
Developer Alexander Færøy writes in his blog about the current optimistic
status of the MIPS herd. With the addition of Bryan Østergaard, who will be
working on general porting, and Richard Brown, who will be working on ruby
support, the progress of bringing this architecture up to speed is
accelerating toward the 2007.0 release. Alexander also mentions that they are
seeking new recruits to "join the coolest team within Gentoo" and talks about
his successes with their new Movidis
box.
gentoo-user
Do it all, minus one
Jesse Adelman wrote to gentoo-user to ask how to run
emerge -uDN world but have portage not update one package. Jesse had
a version of MythTV that had been removed from the tree that he wished to keep.
However, the version in the tree was between a newer and older version, thus
causing portage to want to downgrade if he simply put the newer version in
package.mask. Vikas Kumar suggested the often forgotten
/etc/portage/profile/package.provided. A package placed in this file
will not be updated unless another package necessarily depends on a newer
version. More information about package.provided is available in the
portage man page. Developer Zac Medico suggested instead simply masking the
package versions that are both higher and lower than the version Jesse wanted
to keep, which is the best solution.
gentoo-dev
Looking for help with 2.6 kernel maintenance
Daniel Drake is looking for one or more
people to help out with gentoo-sources-2.6 maintenance. Knowledge of
kernel internals and kernel hacking is not required, but motivation to learn is
the main qualification. Being a Gentoo developer is not required to offer
assistance and could be a good way for an interested person to get a foot in
the door towards becoming a developer. Interested parties should contact Daniel
privately, or on IRC.
3. Gentoo International
HSM looking for Gentoo specialists
HSM is a renowned, high profile software service provider headquartered in
Paderborn / Germany. Their strength is the development of interfaces and
add-ons to standard software programs and databases, programming of
customer-specific software, provision of standard software in the areas of
security, ERP and emulations.
HSM is searching for Linux specialists with strong Gentoo knowledge for
further development and customer support for their Linux-based universal
firewall-software with a new and unique product concept. Successful
candidates will have ample Linux experience, which especially covers TCP/IP
and Routing, Perl, PHP and BASH Scripting, Apache, Bind, DNS, SQUID,
Postfix and MySQL, plus communication skills, organised work habits and
consistent customer orientation.
This position offers candidates with the respective long-term professional
experience the possibility of ascending to a managing position. For
candidates with initial professional experience we provide attractive
training and further qualification possibilities. For further information
contact HSM's HR Consultant, Mr.
Wolf Geldmacher.
4. Gentoo in the press
Linux Magazine (26 April, 2007)
Linux Magazine posted an article about Gentoo Linux and portage. The feature
article is entirely about Gentoo and is available to Linux Magazine subscribers
only. If you are a Linux Magazine subscriber, check out the article.
5. Gentoo developer moves
Moves
The following developers recently left the Gentoo project:
Adds
The following developers recently joined the Gentoo project:
Changes
The following developers recently changed roles within the Gentoo project:
6. Gentoo security
Ktorrent: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Ktorrent allowing for the
remote execution of arbitrary code and a Denial of Service.
For more information, please see the
GLSA Announcement
FreeType: User-assisted execution of arbitrary code
A vulnerability has been discovered in FreeType allowing for user-assisted
remote execution of arbitrary code.
For more information, please see the
GLSA Announcement
Tomcat: Information disclosure
A vulnerability has been discovered in Tomcat that allows for the
disclosure of sensitive information.
For more information, please see the
GLSA Announcement
Apache mod_perl: Denial of Service
The mod_perl Apache module is vulnerable to a Denial of Service when
processing regular expressions.
For more information, please see the
GLSA Announcement
Quagga: Denial of Service
A vulnerability has been discovered in Quagga allowing for a Denial of
Service.
For more information, please see the
GLSA Announcement
X.Org X11 library: Multiple integer overflows
The X.Org X11 library contains multiple integer overflows, which could lead
to the execution of arbitrary code.
For more information, please see the
GLSA Announcement
7. Gentoo package moves
This section lists packages that have either been moved or added to the tree
and packages that have had their "last rites" announcement given to be removed
in the future. The package removals come from many locations, including the Treecleaners and various developers. Most
packages which are listed under the Last Rites section are in need of some love
and care and can remain in the tree if proper maintainership is established.
Removals:
Additions:
Last Rites:
8. Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the
development team. Between 29 April 2007
and 06 May 2007, activity on the site has resulted in:
- 565 new bugs during this period
- 361 bugs closed or resolved during this period
- 26 previously closed bugs were reopened this period
- 123 closed as NEEDINFO/WONTFIX/CANTFIX/INVALID/UPSTREAM during this period
- 104 bugs marked as duplicates during this period
Of the 10028 currently open bugs: 11 are labeled 'blocker', 116 are labeled
'critical', and 364 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
New bug rankings
The developers and teams who have been assigned the most new bugs during this
period are:
9. GWN feedback
The GWN is staffed by volunteers and members of the community who submit ideas
and articles. If you are interested in writing for the GWN, have feedback on an
article that we have posted, or just have an idea or article that you would
like to submit to the GWN, please send us your feedback and help make the GWN
better.
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank e-mail to
gentoo-gwn+subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank e-mail to
gentoo-gwn+unsubscribe@gentoo.org
from the e-mail address you are subscribed under.
11. Other languages
The Gentoo Weekly Newsletter is also available in the following
languages: