---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 14 February 2005.
---------------------------------------------------------------------------

==============
1. Gentoo News
==============

Gentoo Forums platform and software switch
------------------------------------------

As anticipated in a Future zone[1] article three weeks ago, the Gentoo
Forums[2] have switched to a new hardware platform and an upgraded version
of phpBB, now running on a clean codebase, normalizing all the patches
that had been applied to the old version, and more feature-rich than the
release that was powering the Forums before. Among the embellishments are
better language packs for the non-English forums, new URI styles with
absolute links that enable search engine spiders to index the entire
Forum, and a few things of lesser visibility, like the moderators' new
ability to join threads -- displacing posts from threads where they're out
of context to a more appropriate location was never possible before. A few
glitches aside, the changeover went so smoothly that none of the users
realized it until it was all over and done. Congratulations to Christian
Hartmann[3] and Lance Albertson[4] for a flawless migration!
1. http://www.gentoo.org/news/en/gwn/20050124-newsletter.xml#doc_chap2
2. http://forums.gentoo.org
3. ian@g.o
4. ramereth@g.o

Gentoo event calendar for February/March 2005
---------------------------------------------

Busy days for Gentoo evangelists: Their schedule has never been so packed
with shows, conferences and presentations as over the next four weeks.
Here's a list of the upcoming events, with a last reminder for tomorrow's
LWE in Boston at the top.

* Linux World Expo[5] - 15-18 February in Boston, MA: Hynes Convention
  Center
* FOSDEM[6] - 26 and 27 February in Brussels, Belgium: Université Libre
  de Bruxelles
* CPLUG Security Conference[7] - 5 March in Grantham, PA: Messiah College
* Chemnitzer Linux-Tage[8] - 5 and 6 March in Chemnitz, Germany:
  Technische Universität
* Gentoo UK Conference[9] - 12 March in Manchester, UK: University of
  Salford
5. http://www.linuxworldexpo.com/live/12/events/12BOS05A/
6. http://dev.gentoo.org/~pylon/fosdem-2005.html
7. http://cplug.net/conference
8. http://dev.gentoo.org/~dertobi123/clt2005
9. http://dev.gentoo.org/~stuart/2005/

Note: Links point to official event websites or -- if available -- Gentoo
developer pages organizing our own presence.

Gentoo Linux Security Team -- Interview with Thierry Carrez
-----------------------------------------------------------

If you have a habit of watching the pattern of security issues and
responses in the Linux world, you've probably noticed that Gentoo's alerts
and responses to those issues tend to follow rapidly on the heels of
initial discovery. In fact, Gentoo Linux Security Announcements (GLSAs)
are a frequently cited resource for security notifications and fix status
even outside the Gentoo community. This reputation for responsiveness is a
remarkable feat for a community which does not have a commercial arm
supporting a dedicated security response center.

Thierry Carrez[10] (koon), one of the Operational Managers for Gentoo's
Security Team[11], was kind enough to take a few minutes to explain some
of the practices that have allowed the team to be so efficient in
identifying and responding to security issues.
10. koon@g.o
11. http://www.gentoo.org/proj/en/security/index.xml

Could you give us a rough overview of the process involved in identifying
and fixing security flaws? What steps are involved? Who performs them?
What tools are used?

We follow the Vulnerability Treatment Policy[12] to handle security bugs.
In brief, public vulnerabilities get submitted by users, our security
scouts or the security developers, whoever finds it first. Sometimes we
get notified by confidential channels (the vendor-sec list or direct
contact from the upstream developers or auditors). Then the security bug
progresses through upstream status (where we wait for a fix from upstream
maintainers); ebuild status (where we call the Gentoo maintainer for the
package and ask for a fixed ebuild); stable status, where we ask all
security-supported arches to test and mark the fixed package stable; and
finally to glsa status where we issue a GLSA if necessary. Sometimes we
get stuck at one of those intermediate statuses and have to work out a
patch ourselves. Sometimes we don't find a solution and we mask the
package because it's a security risk to leave it in the tree without a fix.
12. http://www.gentoo.org/security/en/vulnerability-policy.xml

Security bug handling is mostly calling the right people at the right time
to try to get the ball rolling at all times. This task is performed by the
GLSA coordinators, and it's not automated. We rely heavily on the other
Gentoo developers (package maintainers and arch teams) to do the patching
and testing.

Where do you find out about security flaws? Mailing lists? Alerts? Do we
do testing ourselves?

We rely on our user base to submit as many public vulnerabilities as they
can. The security team tries to get all those that go unnoticed. Security
flaws come from public mailing-lists like BugTraq or Full-Disclosure, and
also upstream security advisories and other distribution advisories. We
are more and more accepted as part of the general Linux security community
and therefore we get notice of some vulnerabilities before they go public.
To contribute back we have recently set up a Security Audit subproject to
find vulnerabilities by ourselves, and our package maintainers also find a
lot of vulnerabilities in their testing.

When a flaw is identified, how is it documented?

Most of the time we just copy the public advisory information, and then
proceed in verifying that it applies to Gentoo Linux, and rate its
severity. This severity seeds priorities, as we try to respect the delays
indicated in the Vulnerability Treatment Policy.

Is there a formal process where the resolution of a flaw is assigned to
someone? How are priorities set? How is the fix documented and tested?

Each GLSA Coordinator can take a bug and be tasked to ensure the ball
keeps rolling on this bug at all times. But if a bug gets stuck, every
security developer can intervene to unstick it. Priorities are set by
severities, following the rules described in the Vulnerability Treatment
Policy.

When a fix is available, how is it documented? Who does the GLSA? How are
GLSAs transmitted? How are they archived or stored?

We document the fix in a GLSA draft, which must get at least two positive
peer-reviews before getting released. We use a tool called GLSAMaker to
help in ensuring consistency between all GLSAs. The GLSA is written by the
GLSA Coordinator or sometimes by one of our Security Apprentices (GLSA
coordinators in training). GLSAs are sent by mail to gentoo-announce and
other security lists, automatically appear in a live RDF feed[13] and on
the Gentoo Security page[14]. Finally, they get copied by forum moderators
to appear as forum announcements. GLSA XML sources are part of the portage
tree (in metadata/glsa) and get synced on all user boxes, to enable the
use of the (for the moment still experimental) glsa-check tool (which is
part of the gentoolkit package).
13. http://www.gentoo.org/rdf/en/glsa-index.rdf
14. http://security.gentoo.org

Who are the upstream consumers of GLSAs? Other than Gentoo users, are
there other organizations that are alerted?

We warn linuxsecurity.com so that they include GLSAs in their advisories
page[15]. The MITRE CVE dictionary[16] also includes GLSA references.
15. http://www.linuxsecurity.com/content/blogcategory/0/76/
16. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=GENTOO

Are there any automated tools or scripts that the team uses to manage
these jobs?

We use GLSAMaker, a tool written by Tim Yamin[17] (plasmaroo), to help in
writing GLSA XML source and the text counterpart.
17. plasmaroo@g.o

What's the status of "emerge security" functionality to identify and fix
security issues using portage?

"Emerge security" functionality is currently under testing with the
"glsa-check" tool, part of the gentoolkit package. It allows us to
identify which GLSAs affect your system and to automatically fix the
vulnerable packages. When this is ready, the portage tool team will
integrate this into mainline tools like emerge. Users are encouraged to
use the latest glsa-check and report any oddities using bugzilla[18].
18. http://bugs.gentoo.org
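
To make the idea behind glsa-check concrete (GLSA XML synced into
metadata/glsa, matched against what is installed), here is an added
example. It is not code from gentoolkit, from the interview or from the
Gentoo project: it reads one advisory, compares installed versions against
the advisory's vulnerable and unaffected ranges, and reports the packages
that need attention. The sample advisory, the package names, the versions
and the installed-package snapshot are all constructed for this example;
the element names (glsa, affected, package, unaffected, vulnerable) follow
the public GLSA schema as assumed here, and the version comparison is a
deliberately simplified stand-in for Portage's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed GLSA XML for this example. Element and attribute names follow
# the public GLSA schema as assumed here; the id, package names and versions
# are placeholders, not taken from any real advisory.
SAMPLE_GLSA = """<glsa id="200502-00">
  <title>Placeholder advisory for the checker example</title>
  <synopsis>Constructed advisory used to exercise the checker.</synopsis>
  <product type="ebuild">example</product>
  <announced>February 14, 2005</announced>
  <affected>
    <package name="app-example/demo" auto="yes" arch="*">
      <unaffected range="ge">1.2.3-r1</unaffected>
      <vulnerable range="lt">1.2.3-r1</vulnerable>
    </package>
    <package name="app-example/other" auto="yes" arch="x86 amd64">
      <unaffected range="ge">2.0</unaffected>
      <vulnerable range="lt">2.0</vulnerable>
    </package>
  </affected>
</glsa>
"""

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")

def parse_version(v):
    """Split a simplified Gentoo version such as '1.2.3-r1' into
    (numeric components, revision). Deliberately simplified: real Portage
    versions also allow letter and _pre/_rc style suffixes."""
    m = VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)

def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (1.2 equals 1.2.0)."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (ra > rb) - (ra < rb)

# The range attribute values used in GLSA XML, mapped onto the comparison.
RANGE_TESTS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0, "gt": lambda c: c > 0,
}

def in_range(installed, range_op, bound):
    return RANGE_TESTS[range_op](compare_versions(installed, bound))

def affected_packages(glsa_xml, installed, arch="x86"):
    """Return (glsa_id, package, installed_version, first_unaffected) for
    every installed package that sits in a <vulnerable> range and in no
    <unaffected> range, skipping <package> entries meant for other arches."""
    root = ET.fromstring(glsa_xml)
    glsa_id = root.get("id")
    hits = []
    for pkg in root.iter("package"):
        name = pkg.get("name")
        arches = pkg.get("arch", "*").split()
        if name not in installed or ("*" not in arches and arch not in arches):
            continue
        ver = installed[name]
        unaffected = [(u.get("range"), u.text.strip()) for u in pkg.findall("unaffected")]
        vulnerable = [(v.get("range"), v.text.strip()) for v in pkg.findall("vulnerable")]
        if any(in_range(ver, op, bound) for op, bound in unaffected):
            continue  # already on a fixed version
        if any(in_range(ver, op, bound) for op, bound in vulnerable):
            fix = unaffected[0][1] if unaffected else None
            hits.append((glsa_id, name, ver, fix))
    return hits

# Constructed installed-package snapshot (a real tool would read this from
# the package database on the box); not taken from any real system.
INSTALLED = {
    "app-example/demo": "1.2.3",   # below 1.2.3-r1, so affected on every arch
    "app-example/other": "1.9",    # below 2.0, affected only on x86/amd64
}

if __name__ == "__main__":
    for glsa_id, name, ver, fix in affected_packages(SAMPLE_GLSA, INSTALLED, arch="x86"):
        print(f"GLSA {glsa_id}: {name}-{ver} is vulnerable, fixed in >= {fix}")
```

The unaffected check runs first on purpose: an advisory can list a fixed
revision of the same upstream version, and a package at that revision must
not be flagged just because it also falls below a later vulnerable bound.
The arch filter is what makes the same advisory file usable on every
synced box, since a package entry scoped to one architecture must not
raise a finding elsewhere.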

Where can users get information about the security team?

Our main page is the Gentoo Security portal at security.gentoo.org[19]. It
contains all the pointers to our policy documents, the latest GLSAs and
lots of useful information. People that would like to join the Gentoo
Security project should read the Security project webpage[20], and in
particular the GLSA Coordinators guide[21] and the Security padawans
page[22] to get a feel of what we need.
19. http://security.gentoo.org
20. http://www.gentoo.org/proj/en/security/
21. http://www.gentoo.org/security/en/coordinator_guide.xml
22. http://www.gentoo.org/security/en/padawans.xml

What are some of the initiatives the security team has undertaken
recently?

In the last year, we put procedures in place so that all unwritten rules
followed by the team have a reference policy document. We also put
together a new team that will ensure that we keep a consistent security
watch at all times.

What did we forget to ask that we should know about?

Maybe our management structure. Kurt Lieber[23] (klieber) is our strategic
manager, Sune Kloppenborg Jeppesen[24] (jaervosz) and myself are the
operational managers.
23. klieber@g.o
24. jaervosz@g.o

==============
2. Future Zone
==============

Open-Xchange in Gentoo Linux
----------------------------

Open-Xchange (OX)[25] is the open-source groupware server on which
Novell's SuSE Linux Openexchange Server (SLOX)[26] is based. Open-Xchange
was closed source until 30 August 2004 when it was released under the GNU
Public License. OX leverages popular open-source server technology by
integrating existing projects (SMTP, IMAP, LDAP, Apache, Tomcat, and
PostgreSQL) to deliver a powerful messaging and collaboration environment.
Some features of interest include e-mail, project management, a versioning
document store, shared calendaring, and a knowledge base. It can be
accessed either via a web interface or through fat clients such as
Evolution, the Mozilla suite (Thunderbird and Sunbird) and any other third
party application that supports WebDAV. Currently, Open-Xchange is in
development with a slated stable release (v0.8) in March 2005. If you want
to see what OX is like before undertaking the somewhat daunting install,
you can try it out using the online demo[27].
25. http://www.open-xchange.org
26. http://www.novell.com/products/openexchange
27. http://mirror.open-xchange.org/ox/EN/community/online.htm

Installation and support

There are currently two ways to install OX in Gentoo Linux: using the
ebuild from Bugzilla[28] (not currently in the Portage tree), or manually
installing it. A Wiki page[29] explains the installation using the ebuild,
but for most of the necessary steps to get OX successfully running, an
additional manual installation HOWTO[30] covers the prerequisite
configurations as well as extending and enhancing Open-Xchange. For
Gentoo-specific questions a Gentoo Forum thread[31] with several hundred
posts has most of the answers that are available so far.
28. http://bugs.gentoo.org/show_bug.cgi?id=62197
29. http://gentoo-wiki.com/HOWTO_Open-Xchange
30. http://www.mikefetherston.ca/OX/
31. http://forums.gentoo.org/viewtopic-t-233291.html

If you are not already familiar with the servers that OX uses, be prepared
for a steep learning curve and to do a lot of reading. A majority of the
problems experienced so far involve LDAP configuration, Apache/Tomcat
integration, and SASL authentication. All of the servers that OX relies on
need to be properly configured and working before you can proceed with the
actual Open-Xchange install.

Note: Author Mike Fetherston was a dedicated Slackware user who turned to
Gentoo in early 2004. Upon Netline's release of SuSE's SLOX server under
the GPL he covered his initial installation experiences and tremendous
feedback from the Gentoo user community in a document of currently more
than 40 pages.

==================
3. Gentoo security
==================

OpenMotif: Multiple vulnerabilities in libXpm
---------------------------------------------

Multiple vulnerabilities have been discovered in libXpm, which is included
in OpenMotif, that can potentially lead to remote code execution. (NB:
This is the same vulnerability that was fixed in xorg-x11 last November.)

For more information, please see the GLSA Announcement[32]
32. http://www.gentoo.org/security/en/glsa/glsa-200502-07.xml

PostgreSQL: Local privilege escalation
--------------------------------------

The PostgreSQL server can be tricked by a local attacker to execute
arbitrary code.

For more information, please see the GLSA Announcement[33]
33. http://www.gentoo.org/security/en/glsa/glsa-200502-08.xml

Python: Arbitrary code execution through SimpleXMLRPCServer
-----------------------------------------------------------

Python-based XML-RPC servers may be vulnerable to remote execution of
arbitrary code.

For more information, please see the GLSA Announcement[34]
34. http://www.gentoo.org/security/en/glsa/glsa-200502-09.xml

pdftohtml: Vulnerabilities in included Xpdf
-------------------------------------------

pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to execution of arbitrary code upon converting a malicious PDF
file.

For more information, please see the GLSA Announcement[35]
35. http://www.gentoo.org/security/en/glsa/glsa-200502-10.xml

Mailman: Directory traversal vulnerability
------------------------------------------

Mailman fails to properly sanitize input, leading to information
disclosure.

For more information, please see the GLSA Announcement[36]
36. http://www.gentoo.org/security/en/glsa/glsa-200502-11.xml

Webmin: Information leak in Gentoo binary package
-------------------------------------------------

Portage-built Webmin binary packages accidentally include a file
containing the local encrypted root password.

For more information, please see the GLSA Announcement[37]
37. http://www.gentoo.org/security/en/glsa/glsa-200502-12.xml

Perl: Vulnerabilities in perl-suid wrapper
------------------------------------------

Vulnerabilities leading to file overwriting and code execution with
elevated privileges have been discovered in the perl-suid wrapper.

For more information, please see the GLSA Announcement[38]
38. http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml

mod_python: Publisher Handler vulnerability
-------------------------------------------

mod_python contains a vulnerability in the Publisher Handler potentially
leading to information disclosure.

For more information, please see the GLSA Announcement[39]
39. http://www.gentoo.org/security/en/glsa/glsa-200502-14.xml

=========================
4. Heard in the community
=========================

gentoo-dev
----------

Remove no [insert feature here] USE-flags from the tree

Michiel de Bruijne[40] writes: "There are quite a few ebuilds in the tree
that make use of a no [insert feature here] USE-flag. So basically by
disabling the USE-flag you get more features. Pulling in extra
dependencies by disabling the USE-flag is a possibility. This has some
nasty side effects ..." The following discussion shows quite well why
these USE-flags are not good.
40. m.debruijne@××××××.nl

* Remove no [insert feature here] USE-flags from the tree[41]
41. http://thread.gmane.org/gmane.linux.gentoo.devel/25197

Automatic stabilization of packages

Approximately every 6 months the same discussion comes up: How can the
packages in portage be kept up to date? The naive approach would be
automatic stabilization after a certain period of time. This thread shows
why for the most part that is not a good idea ...

* Automatic stabilization of packages[42]
42. http://thread.gmane.org/gmane.linux.gentoo.devel/25254

Closing or resolving bugs, which is it?

Marius Mauch[43] writes: "I noticed a new trend lately introduced by a few
new devs: changing bug status from RESOLVED to CLOSED. Personally I just
find it annoying and completely useless. Can we agree to not do that
unless there is a technical reason? Don't see any benefit in this, just
means that closed bugs are now split between two "categories" with no
actual difference."
43. genone@g.o

* should we close bugs?[44]
44. http://thread.gmane.org/gmane.linux.gentoo.devel/25168

=======================
5. Gentoo International
=======================

USA: Gentoo Bugday event at Oregon State University LUG
-------------------------------------------------------

Gentoo Bugdays[45] are regularly held every first Saturday of each month,
with developers and users everywhere gathering on IRC and skimming
Gentoo's bugzilla for anything that looks like it needs fixing. On 5
February, the Linux User Group of Oregon State University took the
opportunity and turned the virtual event into a real one[46]. Twelve OSLUG
members met at Weatherford Hall, the OSU residential college building.
Aided by a precompiled list of bugs prepared by Gentoo's Bugday organizers
for this occasion, they kept squashing bugs from 9:00 to 16:00, with the
official IRC channel #gentoo-bugs being projected overhead, and assorted
computers scattered around the classroom, each with a determined Gentoo
bug hunter in front of the screen.
45. http://bugday.gentoo.org/
46. http://lug.oregonstate.edu/wiki/index.cgi?GentooBugDay

Figure 5.1: The Klendathu, OR bughunt: Deedra Waters, Dunbar (background)
and Micheal Clay
http://www.gentoo.org/images/gwn/20050214_oslug.jpg

Note: More photos are available at the OSLUG website.

Germany: Storage tool release for Gentoo Linux
----------------------------------------------

Commercial releases of Linux applications with official support outside
the RedHat/SuSE/Mandrake realm are few and far between. A German
company, SEP AG[47], has now announced the availability of their storage
management product "SEP sesam" for Gentoo Linux. "We're traditionally tied
to SuSE Linux, but had Gentoo on our radar ever since we watched the
impressive installation Lars Weiler[48] did on an HP Proliant cluster at
last year's LinuxTag in Karlsruhe," recalls SEP's sales manager Johann
Krahfuss (cf. GWN report 28 June 2004[49]). "So when our first customers
demanded an adaptation of SEP sesam to Gentoo Linux, it didn't exactly
take us by surprise." The German federal research institution Fraunhofer
Gesellschaft[50] were the first to request a SEP sesam installation inside
a Gentoo Linux environment, "and since we didn't encounter any problems
whatsoever, we feel it's ready for official release," says Krahfuss. A
30-day test version (including support) can be downloaded from the
corporate website's download section. SEP sesam is designed for data
storage management in heterogeneous networks, including Linux, BSD,
Solaris, TRU/64, OpenVMS, Windows and Mac OS X. The company will be
present at next week's CRN Storage Solution Days 2005[51] in Neuss (link
in German only).
47. http://www.sep.de
48. pylon@g.o
49. http://www.gentoo.org/news/en/gwn/20040628-newsletter.xml
50. http://www.fhg.de
51. http://www.solutiondays.de/storage

432 |
|
433 |
====================== |
434 |
6. Gentoo in the press |
435 |
====================== |
436 |
|
437 |
Newsforge (8 and 9 February 2005) |
438 |
--------------------------------- |
439 |
|
440 |
Newsforge published an article in two parts about using MySQL to benchmark |
441 |
OS performance[52], as analyzed and written by Tony Bourke[53]. The |
442 |
performance check spans server operating systems Open-, Net- and FreeBSD, |
443 |
Solaris 10, and Linux as platforms for MySQL database execution, and |
444 |
"among a multitude of distributions" Gentoo was chosen for the Linux part |
445 |
of the test, running both 2.4 and 2.6 kernels (gentoo-sources) on |
446 |
ReiserFS. "With Gentoo it was also relatively easy to install NPTL for |
447 |
2.6, which I used in the 2.6 tests," says Tony Bourke, "although they |
448 |
didn't make any difference when compared to non-NPTL 2.6 results." While |
449 |
the first part just explains the tools and the methodology, the actual |
450 |
performance comparison is published in a separate article[54] - with |
451 |
amazing results, Gentoo Linux clearly winning all individual benchmark |
452 |
tests. Funnily enough, Gentoo's outstanding performance even triggered |
453 |
complaints about the "unfair advantage"[55] of using a source-based, |
454 |
possibly processor-optimized Linux distribution as a platform for the |
455 |
comparison. |
456 |
52. http://software.newsforge.com/software/04/12/27/1238216.shtml |
457 |
53. http://vegan.net/tony/ |
458 |
54. http://www.newsforge.com/article.pl?sid=04/12/27/1243207 |
459 |
55. |
460 |
http://www.newsforge.com/comments.pl?sid=43141&op=&threshold=0&commentsort=0&mode=thread&tid=152&pid=106968#106970 |
461 |
|
462 |
CNET (7 February 2005) |
463 |
---------------------- |
464 |
|
465 |
Sun's President Jonathan Schwartz nods his head to Gentoo's OpenSolaris |
466 |
effort in an interview published on CNET last week. While explaining the |
467 |
OpenSolaris governance model to interviewer Stephen Shankland, he claims |
468 |
"Solaris is now officially platform-neutral"[56] and expects "10 or more" |
469 |
non-Sun OpenSolaris distributions to appear in the market. |
470 |
56. http://news.com.com/Suns+open-source+gamble/2008-1082_3-5564283.html |
471 |
|
472 |
Security Focus (2 February 2005) |
473 |
-------------------------------- |
474 |
|
475 |
Columnist Jason Miller says Linux kernel security handling is broken, "and |
476 |
it needs to be fixed right now." The article at securityfocus.com[57], a |
477 |
publication mainly read by security professionals, is highly critical of |
478 |
the way security bugs in the Linux kernel are being addressed. But the |
479 |
author, a self-proclaimed "huge follower of BSD-based operating systems," |
480 |
has some good news, too: "Once we start looking at actual distributions of |
481 |
the Linux kernel as a complete operating system, we find some |
482 |
distributions with official security contacts, as well as security-related |
483 |
pages similar to those provided by the major BSD-based operating systems. |
484 |
Gentoo Linux Security is a good example of that." |
485 |
57. http://www.securityfocus.com/columnists/296 |
486 |
|
487 |
Réseaux & Télécoms (3 February 2005, in French) |
488 |
-------------------------------------------------- |
489 |
|
490 |
Directly responding to the Security Focus column by Jason Miller, the |
491 |
French network and telco magazine looks beyond the kernel as a security |
492 |
issue: Both flaws in individual applications not depending on the kernel, |
493 |
and the distribution of security-related information are identified as |
494 |
equally important fields of activity for the "bug hunters of open source." |
495 |
The article "Noyau Linux : Mais où est la sécurité ?"[58] acknowledges |
496 |
Miller's conclusion of "things changing, fast and in the right direction," |
497 |
and praises Thierry Carrez (see our interview above[59]) as an example for |
498 |
"impressive work." With the current pace of discussion around the |
499 |
structure of security handling and the distribution of information, it's |
500 |
"time to show some optimism," says author Marc Olanie, pointing out that |
501 |
it took Microsoft eighteen years to standardize their own security |
502 |
procedures -- "or have they?" |
503 |
58. |
504 |
http://www.reseaux-telecoms.com/cso_btree/05_02_03_194507_984/CSO/Newscso_view |
505 |
59. |
506 |
http://www.gentoo.org/news/en/gwn/20050214-newsletter.xml#doc_chap1_sect2 |
507 |
|
508 |
Sun blogs (31 January 2005) |
509 |
--------------------------- |
510 |
|
511 |
Eric Boutilier, an engineer at Sun, Inc. is gearing up for Gentoo |
512 |
development on OpenSolaris, and posted his first attempts at familiarizing |
513 |
himself with Portage on Linux to his blog at the Sun website[60]. While |
514 |
his choice of installation material is peculiar - Gentoo-clone Vidalinux |
515 |
rather than a standard install, and on a five-year-old Portégé laptop - he |
516 |
quickly falls in sync with normal Portage user behaviour for lengthy |
517 |
compiles: "Oh well. I left it happily building away and went to work." |
518 |
60. http://blogs.sun.com/roller/page/eric_boutilier/20050131 |
519 |
|
===========
7. Bugzilla
===========

Summary
-------

* Statistics
* Closed bug ranking
* New bug rankings

Statistics
----------

The Gentoo community uses Bugzilla (bugs.gentoo.org[61]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 06 February 2005 and 13 February 2005, activity
on the site has resulted in:
61. http://bugs.gentoo.org

* 860 new bugs during this period
* 699 bugs closed or resolved during this period
* 37 previously closed bugs were reopened this period

Of the 8036 currently open bugs: 102 are labeled 'blocker', 243 are
labeled 'critical', and 600 are labeled 'major'.

Closed bug rankings
-------------------

The developers and teams who have closed the most bugs during this period
are:

* osx porters[62], with 179 closed bugs[63]
* Gentoo's Team for Core System packages[64], with 53 closed bugs[65]
* Gentoo KDE team[66], with 30 closed bugs[67]
* AMD64 Porting Team[68], with 24 closed bugs[69]
* Gentoo Security[70], with 23 closed bugs[71]
* media-video herd[72], with 19 closed bugs[73]
* Gentoo Games[74], with 19 closed bugs[75]
* Text-Markup Team[76], with 17 closed bugs[77]
62. osx@g.o
63. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=osx@g.o
64. base-system@g.o
65. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=base-system@g.o
66. kde@g.o
67. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=kde@g.o
68. amd64@g.o
69. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=amd64@g.o
70. security@g.o
71. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=security@g.o
72. media-video@g.o
73. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=media-video@g.o
74. games@g.o
75. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=games@g.o
76. text-markup@g.o
77. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=text-markup@g.o

New bug rankings
----------------

The developers and teams who have been assigned the most new bugs during
this period are:

* AMD64 Porting Team[78], with 30 new bugs[79]
* Gentoo Sound Team[80], with 18 new bugs[81]
* Gentoo X-windows packagers[82], with 15 new bugs[83]
* Net-Mail Packages[84], with 11 new bugs[85]
* Mobile Herd[86], with 11 new bugs[87]
* media-video herd[88], with 11 new bugs[89]
* Gentoo KDE team[90], with 10 new bugs[91]
* Portage team[92], with 10 new bugs[93]
78. amd64@g.o
79. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=amd64@g.o
80. sound@g.o
81. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=sound@g.o
82. x11@g.o
83. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=x11@g.o
84. net-mail@g.o
85. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=net-mail@g.o
86. mobile@g.o
87. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=mobile@g.o
88. media-video@g.o
89. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=media-video@g.o
90. kde@g.o
91. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=kde@g.o
92. dev-portage@g.o
93. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=dev-portage@g.o

625 |
==================
8. Tips and tricks
==================

Portage magic: Identify obsolete packages
-----------------------------------------

Gentoo developer Brian Harring[94] designed a clever way to identify all
merged versions of packages that are not available in Portage anymore --
in both the official tree and packages from PORTDIR_OVERLAY. Here is the
method he came up with, packing as much Python neatness as fits on a single
command line:
94. ferringb@g.o

---------------------------------------------------------------------------
| Code Listing 8.1: Python scriptlet #1                                   |
---------------------------------------------------------------------------
python -c 'import portage; print [x for x in \
  portage.db["/"]["vartree"].getallcpv() \
  if len(portage.portdb.xmatch("match-all","="+x))==0]'
---------------------------------------------------------------------------

If that just went a little over your head, let's look at what exactly it
does. For example, if a package, say foo-1.2.3, is merged, and that
version 1.2.3 is no longer in the tree, the script will point it out. A
simple check for packages that aren't available any longer, regardless of
version, would look like this:

---------------------------------------------------------------------------
| Code Listing 8.2: Python scriptlet #2                                   |
---------------------------------------------------------------------------
python -c 'import portage; print [x for x in \
  portage.db["/"]["vartree"].getallcpv() \
  if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0]'
---------------------------------------------------------------------------

Finally, if you want to ignore package foo-1.2.3 even if it isn't in the
tree any longer, but a revision foo-1.2.3-r1 is, the following script will
ignore the package, only triggering on installed applications that have
completely vanished from Portage.

---------------------------------------------------------------------------
| Code Listing 8.3: Python scriptlet #3                                   |
---------------------------------------------------------------------------
python -c 'import portage; print [x for x in \
  portage.db["/"]["vartree"].getallcpv() \
  if len(portage.portdb.xmatch("match-all", \
    "~"+"-".join(portage.pkgsplit(x)[:2])))==0]'
---------------------------------------------------------------------------

Lastly, none of the above take injected packages into consideration, only
those that were installed from an available tree. Now, suppose you'd like
to ignore those, too; here's what to do:

---------------------------------------------------------------------------
| Code Listing 8.4: Python scriptlet #4                                   |
---------------------------------------------------------------------------
python -c 'import portage; print [x for x in \
  portage.db["/"]["vartree"].getallcpv() \
  if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0 \
  and not portage.db["/"]["vartree"].dbapi.isInjected(x)]'
---------------------------------------------------------------------------

Yes, we knew you'd like this. All of the above also work for individual
packages you keep in an overlay tree, for example at /usr/local/portage;
those are evaluated along with packages in the official Portage tree. Try
it out: you can't break anything, it just reports whatever it finds,
leaving it up to you to decide what to do with that information.
|
===========================
9. Moves, adds, and changes
===========================

Moves
-----

The following developers recently left the Gentoo team:

* None this week

Adds
----

The following developers recently joined the Gentoo Linux team:

* Sebastian Bergmann (sebastian) - PHP

Changes
-------

The following developers recently changed roles within the Gentoo Linux
project:

* None this week

=====================
10. Contribute to GWN
=====================

Interested in contributing to the Gentoo Weekly Newsletter? Send us an
email[95].
95. gwn-feedback@g.o

================
11. GWN feedback
================

Please send us your feedback[96] and help make the GWN better.
96. gwn-feedback@g.o

================================
12. GWN subscription information
================================

To subscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-subscribe@g.o.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-unsubscribe@g.o from the email address you are
subscribed under.

===================
13. Other languages
===================

The Gentoo Weekly Newsletter is also available in the following languages:

* Danish[97]
* Dutch[98]
* English[99]
* German[100]
* French[101]
* Japanese[102]
* Italian[103]
* Polish[104]
* Portuguese (Brazil)[105]
* Portuguese (Portugal)[106]
* Russian[107]
* Spanish[108]
* Turkish[109]
97. http://www.gentoo.org/news/da/gwn/gwn.xml
98. http://www.gentoo.org/news/nl/gwn/gwn.xml
99. http://www.gentoo.org/news/en/gwn/gwn.xml
100. http://www.gentoo.org/news/de/gwn/gwn.xml
101. http://www.gentoo.org/news/fr/gwn/gwn.xml
102. http://www.gentoo.org/news/ja/gwn/gwn.xml
103. http://www.gentoo.org/news/it/gwn/gwn.xml
104. http://www.gentoo.org/news/pl/gwn/gwn.xml
105. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
106. http://www.gentoo.org/news/pt/gwn/gwn.xml
107. http://www.gentoo.org/news/ru/gwn/gwn.xml
108. http://www.gentoo.org/news/es/gwn/gwn.xml
109. http://www.gentoo.org/news/tr/gwn/gwn.xml

Ulrich Plate <plate@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Author
Mike Fetherston <mike@××××××××××××××.ca> - Author
Patrick Lauer <patrick@g.o> - Author

--
gentoo-gwn@g.o mailing list