| 1 |
--------------------------------------------------------------------------- |
| 2 |
Gentoo Weekly Newsletter |
| 3 |
http://www.gentoo.org/news/en/gwn/current.xml |
| 4 |
This is the Gentoo Weekly Newsletter for the week of 14 February 2005. |
| 5 |
--------------------------------------------------------------------------- |
| 6 |
|
| 7 |
============== |
| 8 |
1. Gentoo News |
| 9 |
============== |
| 10 |
|
| 11 |
Gentoo Forums platform and software switch |
| 12 |
------------------------------------------ |
| 13 |
|
| 14 |
As anticipated in a Future zone[1] article three weeks ago, the Gentoo |
| 15 |
Forums[2] have switched to a new hardware platform and an upgraded version |
| 16 |
of phpBB, now running on a clean codebase, normalizing all the patches |
| 17 |
that had been applied to the old version, and more feature-rich than the |
| 18 |
release that was powering the Forums before. Among the embellishments are |
| 19 |
better language packs for the non-English forums, new URI styles with |
| 20 |
absolute links that enable search engine spiders to index the entire |
| 21 |
Forum, and a few things of lesser visibility, like the moderators' new |
| 22 |
ability to join threads -- displacing posts from threads where they're out |
| 23 |
of context to a more appropriate location was never possible before. A few |
| 24 |
glitches aside, the changeover went so smoothly that none of the users |
| 25 |
realized it until it was all over and done. Congratulations to Christian |
| 26 |
Hartmann[3] and Lance Albertson[4] for a flawless migration! |
| 27 |
1. http://www.gentoo.org/news/en/gwn/20050124-newsletter.xml#doc_chap2 |
| 28 |
2. http://forums.gentoo.org |
| 29 |
3. ian@g.o |
| 30 |
4. ramereth@g.o |
| 31 |
|
| 32 |
Gentoo event calender for February/March 2005 |
| 33 |
--------------------------------------------- |
| 34 |
|
| 35 |
Busy days for Gentoo evangelists: Their schedule has never been so packed |
| 36 |
with shows, conferences and presentations as over the next four weeks. |
| 37 |
Here's a list of the upcoming events, with a last reminder for tomorrow's |
| 38 |
LWE in Boston at the top. |
| 39 |
|
| 40 |
* Linux World Expo[5] - 15-18 February in Boston, MA: Hynes Convention |
| 41 |
Center |
| 42 |
* FOSDEM[6] - 26 and 27 February in Brussels, Belgium: Université Libre |
| 43 |
de Bruxelles |
| 44 |
* CPLUG Security Conference[7] - 5 March in Grantham, PA: Messiah College |
| 45 |
|
| 46 |
* Chemnitzer Linux-Tage[8] - 5 and 6 March in Chemnitz, Germany: |
| 47 |
Technische Universität |
| 48 |
* Gentoo UK Conference[9] - 12 March in Manchester, UK: University of |
| 49 |
Salford |
| 50 |
5. http://www.linuxworldexpo.com/live/12/events/12BOS05A/ |
| 51 |
6. http://dev.gentoo.org/~pylon/fosdem-2005.html |
| 52 |
7. http://cplug.net/conference |
| 53 |
8. http://dev.gentoo.org/~dertobi123/clt2005 |
| 54 |
9. http://dev.gentoo.org/~stuart/2005/ |
| 55 |
|
| 56 |
Note: Links point to official event websites or -- if available -- Gentoo |
| 57 |
developer pages organizing our own presence. |
| 58 |
|
| 59 |
Gentoo Linux Security Team -- Interview with Thierry Carrez |
| 60 |
----------------------------------------------------------- |
| 61 |
|
| 62 |
If you have a habit of watching the pattern of security issues and |
| 63 |
responses in the Linux world, you've probably noticed that Gentoo's alerts |
| 64 |
and responses to those issues tend to follow rapidly on the heels of |
| 65 |
initial discovery. In fact, Gentoo Linux Security Announcements (GLSAs) |
| 66 |
are a frequently cited resource for security notifications and fix status |
| 67 |
even outside the Gentoo community. This reputiation of responsiveness is a |
| 68 |
remarkable feat for a community which does not have a commercial arm |
| 69 |
supporting a dedicated security response center. |
| 70 |
|
| 71 |
Thierry Carrez[10] (koon), one of the Operational Managers for Gentoo's |
| 72 |
Security Team[11], was kind enough to take a few minutes to explain some |
| 73 |
of the practices that have allowed the team to be so efficient in |
| 74 |
identifying and responding to security issues. |
| 75 |
10. koon@g.o |
| 76 |
11. http://www.gentoo.org/proj/en/security/index.xml |
| 77 |
|
| 78 |
Could you give us a rough overview of the process involved in identifying |
| 79 |
and fixing security flaws? What steps are involved? Who performs them? |
| 80 |
What tools are used? |
| 81 |
|
| 82 |
We follow the Vulnerability Treatment Policy[12] to handle security bugs. |
| 83 |
In brief, public vulnerabilities get submitted by users, our security |
| 84 |
scouts or the security developers, whoever finds it first. Sometimes we |
| 85 |
get notified by confidential channels (the vendor-sec list or direct |
| 86 |
contact from the upstream developers or auditors). Then the security bug |
| 87 |
progresses through upstream status (where we wait for a fix from upstream |
| 88 |
maintainers); ebuild status (where we call the Gentoo maintainer for the |
| 89 |
package and ask for a fixed ebuild); stable status, where we ask all |
| 90 |
security-supported arches to test and mark the fixed package stable; and |
| 91 |
finally to glsa status where we issue a GLSA if necessary. Sometimes we |
| 92 |
get stuck at one of those intermediate statuses and have to work out a |
| 93 |
patch ourselves. Sometimes we don't find a solution and we mask the |
| 94 |
package because it's a security risk to leave it in the tree without a fix. |
| 95 |
12. http://www.gentoo.org/security/en/vulnerability-policy.xml |
| 96 |
|
| 97 |
Security bug handling is mostly calling the right people at the right time |
| 98 |
to try to get the ball rolling at all times. This task is performed by the |
| 99 |
GLSA coordinators, and it's not automated. We rely heavily on the other |
| 100 |
Gentoo developers (package maintainers and arch teams) to do the patching |
| 101 |
and testing. |
| 102 |
|
| 103 |
Where do you find out about security flaws? Mailing lists? Alerts? Do we |
| 104 |
do testing ourselves? |
| 105 |
|
| 106 |
We rely on our user base to submit as many public vulnerabilities as they |
| 107 |
can. The security team tries to get all those that go unnoticed. Security |
| 108 |
flaws come from public mailing-lists like BugTraq or Full-Disclosure, and |
| 109 |
also upstream security advisories and other distribution advisories. We |
| 110 |
are more and more accepted as part of the general Linux security community |
| 111 |
and therefore we get notice of some vulnerabilities before they go public. |
| 112 |
To contribute back we have recently set up a Security Audit subproject to |
| 113 |
find vulnerabilities by ourselves, and our package maintainers also find a |
| 114 |
lot of vulnerabilities in their testing. |
| 115 |
|
| 116 |
When a flaw is identified, how is it documented? |
| 117 |
|
| 118 |
Most of the time we just copy the public advisory information, and then |
| 119 |
proceed in verifying that it applies to Gentoo Linux, and rate its |
| 120 |
severity. This severity seeds priorities, as we try to respect the delays |
| 121 |
indicated in the Vulnerability Treatment Policy. |
| 122 |
|
| 123 |
Is there a formal process where the resolution of a flaw is assigned to |
| 124 |
someone? How are priorities set? How is the fix documented and tested? |
| 125 |
|
| 126 |
Each GLSA Coordinator can take a bug and be tasked to ensure the ball |
| 127 |
keeps rolling on this bug at all times. But if a bug gets stuck, every |
| 128 |
security developer can intervene to unstick it. Priorities are set by |
| 129 |
severities, following the rules described in the Vulnerability Treatment |
| 130 |
Policy. |
| 131 |
|
| 132 |
When a fix is available, how is it documented? Who does the GLSA? How are |
| 133 |
GLSA's transmitted? How are they archived or stored? |
| 134 |
|
| 135 |
We document the fix in a GLSA draft, which must get at least two positive |
| 136 |
peer-reviews before getting released. We use a tool called GLSAMaker to |
| 137 |
help in ensuring consistency between all GLSAs. The GLSA is written by the |
| 138 |
GLSA Coordinator or sometimes by one of our Security Apprentices (GLSA |
| 139 |
coordinators in training). GLSAs are sent by mail to gentoo-announce and |
| 140 |
other security lists, automatically appear in a live RDF feed[13] and on |
| 141 |
the Gentoo Security page[14]. Finally, they get copied by forum moderators |
| 142 |
to appear as forum announcements. GLSA XML sources are part of the portage |
| 143 |
tree (in metadata/glsa) and get synced on all user boxes, to enable the |
| 144 |
use of the (for the moment still experimental) glsa-check tool (which is |
| 145 |
part of the gentoolkit package). |
| 146 |
13. http://www.gentoo.org/rdf/en/glsa-index.rdf |
| 147 |
14. http://security.gentoo.org |
| 148 |
|
| 149 |
Who are the upstream consumers of GLSA's? Other than Gentoo users, are |
| 150 |
there other organizations that are alerted? |
| 151 |
|
| 152 |
We warn linuxsecurity.com so that they include GLSA in their advisories |
| 153 |
page[15]. The MITRE CVE dictionary[16] also includes GLSA references. |
| 154 |
15. http://www.linuxsecurity.com/content/blogcategory/0/76/ |
| 155 |
16. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=GENTOO |
| 156 |
|
| 157 |
Are there any automated tools or scripts that the team uses to manage |
| 158 |
these jobs? |
| 159 |
|
| 160 |
We use GLSAMaker, a tool written by Tim Yamin[17] (plasmaroo), to help in |
| 161 |
writing GLSA XML source and the text counterpart. |
| 162 |
17. plasmaroo@g.o |
| 163 |
|
| 164 |
What's the status of "emerge security" functionality to identify and fix |
| 165 |
security issues using portage? |
| 166 |
|
| 167 |
"Emerge security" functionality is currently under testing with the |
| 168 |
"glsa-check" tool, part of the gentoolkit package. It allows us to |
| 169 |
identify which GLSAs affect your system and to automatically fix the |
| 170 |
vulnerable packages. When this is ready, the portage tool team will |
| 171 |
integrate this into mainline tools like emerge. Users are encouraged to |
| 172 |
use the latest glsa-check and report any oddities using bugzilla[18]. |
| 173 |
18. http://bugs.gentoo.org |
| 174 |
|
| 175 |
Where can users get information about the security team? |
| 176 |
|
| 177 |
Our main page is the Gentoo Security portal at security.gentoo.org[19]. It |
| 178 |
contains all the pointers to our policy documents, the latest GLSAs and |
| 179 |
lots of useful information. People that would like to join the Gentoo |
| 180 |
Security project should read the Security project webpage[20], and in |
| 181 |
particular the GLSA Coordinators guide[21] and the Security padawans |
| 182 |
page[22] to get a feel of what we need. |
| 183 |
19. http://security.gentoo.org |
| 184 |
20. http://www.gentoo.org/proj/en/security/ |
| 185 |
21. http://www.gentoo.org/security/en/coordinator_guide.xml |
| 186 |
22. http://www.gentoo.org/security/en/padawans.xml |
| 187 |
|
| 188 |
What are some of the initiatives the security team have undertaken |
| 189 |
recently? |
| 190 |
|
| 191 |
In the last year, we put procedures in place so that all unwritten rules |
| 192 |
followed by the team have a reference policy document. We also put |
| 193 |
together a new team that will ensure that we keep a consistent security |
| 194 |
watch at all times. |
| 195 |
|
| 196 |
What did we forget to ask that we should know about? |
| 197 |
|
| 198 |
Maybe our management structure. Kurt Lieber[23] (klieber) is our strategic |
| 199 |
manager, Sune Kloppenborg Jeppesen[24] (jaervosz) and myself are the |
| 200 |
operational managers. |
| 201 |
23. klieber@g.o |
| 202 |
24. jaervosz@g.o |
| 203 |
|
| 204 |
============== |
| 205 |
2. Future Zone |
| 206 |
============== |
| 207 |
|
| 208 |
Open-Xchange in Gentoo Linux |
| 209 |
---------------------------- |
| 210 |
|
| 211 |
Open-Xchange (OX)[25] is the open-source groupware server on which |
| 212 |
Novell's SuSE Linux Openexchange Server (SLOX)[26] is based. Open-Xchange |
| 213 |
was closed source until 30 August 2004 when it was released under the GNU |
| 214 |
Public License. OX leverages popular open-source server technology by |
| 215 |
integrating existing projects (SMTP, IMAP, LDAP, Apache, Tomcat, and |
| 216 |
PostgreSQL) to deliver a powerful messaging and collaboration environment. |
| 217 |
Some features of interest include e-mail, project management, a versioning |
| 218 |
document store, shared calendaring, and a knowledge base. It can be |
| 219 |
accessed via both a web interface or through fat clients such as |
| 220 |
Evolution, the Mozilla suite (Thunderbird and Sunbird) and any other third |
| 221 |
party application that supports WebDAV. Currently, Open-Xchange is in |
| 222 |
development with a slated stable release (v0.8) in March 2005. If you want |
| 223 |
to see what OX is like before undertaking the somewhat daunting install, |
| 224 |
you can try it out using the online demo[27]. |
| 225 |
25. http://www.open-xchange.org |
| 226 |
26. http://www.novell.com/products/openexchange |
| 227 |
27. http://mirror.open-xchange.org/ox/EN/community/online.htm |
| 228 |
|
| 229 |
Installation and support |
| 230 |
|
| 231 |
There are currently two ways to install OX in Gentoo Linux: using the |
| 232 |
ebuild from Bugzilla[28] (not currently in the Portage tree), or manually |
| 233 |
installing it. A Wiki page[29] explains the installation using the ebuild, |
| 234 |
but for most of the necessary steps to get OX successfully running, an |
| 235 |
additional manual installation HOWTO[30] covers the prerequisite |
| 236 |
configurations as well as extending and enhancing Open-Xchange. For |
| 237 |
Gentoo-specific questions a Gentoo Forum thread[31] with several hundred |
| 238 |
posts has most of the answers that are available so far. |
| 239 |
28. http://bugs.gentoo.org/show_bug.cgi?id=62197 |
| 240 |
29. http://gentoo-wiki.com/HOWTO_Open-Xchange |
| 241 |
30. http://www.mikefetherston.ca/OX/ |
| 242 |
31. http://forums.gentoo.org/viewtopic-t-233291.html |
| 243 |
|
| 244 |
If you are not already familiar with the servers that OX uses be prepared |
| 245 |
for a steep learning curve and to do a lot of reading. A majority of the |
| 246 |
problems experienced so far involve LDAP configuration, Apache/Tomcat |
| 247 |
integration, and SASL authentication. All of the servers that OX relies on |
| 248 |
need to be properly configured and working before you can proceed with the |
| 249 |
actual Open-Xchange install. |
| 250 |
|
| 251 |
Note: Author Mike Fetherston was a dedicated Slackware user who turned to |
| 252 |
Gentoo in early 2004. Upon Netline's release of SuSE's SLOX server under |
| 253 |
the GPL he covered his initial installation experiences and tremendous |
| 254 |
feedback from the Gentoo user community in a document of currently more |
| 255 |
than 40 pages. |
| 256 |
|
| 257 |
================== |
| 258 |
3. Gentoo security |
| 259 |
================== |
| 260 |
|
| 261 |
OpenMotif: Multiple vulnerabilities in libXpm |
| 262 |
--------------------------------------------- |
| 263 |
|
| 264 |
Multiple vulnerabilities have been discovered in libXpm, which is included |
| 265 |
in OpenMotif, that can potentially lead to remote code execution. (NB: |
| 266 |
This is the same vulnerability that was fixed in xorg-x11 last November) |
| 267 |
|
| 268 |
For more information, please see the GLSA Announcement[32] |
| 269 |
32. http://www.gentoo.org/security/en/glsa/glsa-200502-07.xml |
| 270 |
|
| 271 |
PostgreSQL: Local privilege escalation |
| 272 |
-------------------------------------- |
| 273 |
|
| 274 |
The PostgreSQL server can be tricked by a local attacker to execute |
| 275 |
arbitrary code. |
| 276 |
|
| 277 |
For more information, please see the GLSA Announcement[33] |
| 278 |
33. http://www.gentoo.org/security/en/glsa/glsa-200502-08.xml |
| 279 |
|
| 280 |
Python: Arbitrary code execution through SimpleXMLRPCServer |
| 281 |
----------------------------------------------------------- |
| 282 |
|
| 283 |
Python-based XML-RPC servers may be vulnerable to remote execution of |
| 284 |
arbitrary code. |
| 285 |
|
| 286 |
For more information, please see the GLSA Announcement[34] |
| 287 |
34. http://www.gentoo.org/security/en/glsa/glsa-200502-09.xml |
| 288 |
|
| 289 |
pdftohtml: Vulnerabilities in included Xpdf |
| 290 |
------------------------------------------- |
| 291 |
|
| 292 |
pdftohtml includes vulnerable Xpdf code to handle PDF files, making it |
| 293 |
vulnerable to execution of arbitrary code upon converting a malicious PDF |
| 294 |
file. |
| 295 |
|
| 296 |
For more information, please see the GLSA Announcement[35] |
| 297 |
35. http://www.gentoo.org/security/en/glsa/glsa-200502-10.xml |
| 298 |
|
| 299 |
Mailman: Directory traversal vulnerability |
| 300 |
------------------------------------------ |
| 301 |
|
| 302 |
Mailman fails to properly sanitize input, leading to information |
| 303 |
disclosure. |
| 304 |
|
| 305 |
For more information, please see the GLSA Announcement[36] |
| 306 |
36. http://www.gentoo.org/security/en/glsa/glsa-200502-11.xml |
| 307 |
|
| 308 |
Webmin: Information leak in Gentoo binary package |
| 309 |
------------------------------------------------- |
| 310 |
|
| 311 |
Portage-built Webmin binary packages accidentally include a file |
| 312 |
containing the local encrypted root password. |
| 313 |
|
| 314 |
For more information, please see the GLSA Announcement[37] |
| 315 |
37. http://www.gentoo.org/security/en/glsa/glsa-200502-12.xml |
| 316 |
|
| 317 |
Perl: Vulnerabilities in perl-suid wrapper |
| 318 |
------------------------------------------ |
| 319 |
|
| 320 |
Vulnerabilities leading to file overwriting and code execution with |
| 321 |
elevated privileges have been discovered in the perl-suid wrapper. |
| 322 |
|
| 323 |
For more information, please see the GLSA Announcement[38] |
| 324 |
38. http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml |
| 325 |
|
| 326 |
mod_python: Publisher Handler vulnerability |
| 327 |
------------------------------------------- |
| 328 |
|
| 329 |
mod_python contains a vulnerability in the Publisher Handler potentially |
| 330 |
leading to information disclosure. |
| 331 |
|
| 332 |
For more information, please see the GLSA Announcement[39] |
| 333 |
39. http://www.gentoo.org/security/en/glsa/glsa-200502-14.xml |
| 334 |
|
| 335 |
========================= |
| 336 |
4. Heard in the community |
| 337 |
========================= |
| 338 |
|
| 339 |
gentoo-dev |
| 340 |
---------- |
| 341 |
|
| 342 |
Remove no [insert feature here] USE-flags from the tree |
| 343 |
|
| 344 |
Michiel de Bruijne [40] writes: "There are quite a few ebuilds in the tree |
| 345 |
that make use of a no [insert feature here] USE-flag. So basically by |
| 346 |
disabling the USE-flag you get more features. Pulling in extra |
| 347 |
dependencies by disabling the USE-flag is a possibility. This has some |
| 348 |
nasty side effects ..." The following discussion shows quite well why |
| 349 |
these USE-flags are not good. |
| 350 |
40. m.debruijne@××××××.nl |
| 351 |
|
| 352 |
* Remove no [insert feature here] USE-flags from the tree[41] |
| 353 |
41. http://thread.gmane.org/gmane.linux.gentoo.devel/25197 |
| 354 |
|
| 355 |
Automatic stabilization of packages |
| 356 |
|
| 357 |
Approximately every 6 months the same discussion comes up: How can the |
| 358 |
packages in portage be kept up to date? The naive approach would be |
| 359 |
automatic stabilization after a certain period of time. This thread shows |
| 360 |
why for the most part that is not a good idea ... |
| 361 |
|
| 362 |
* Automatic stabilization of packages[42] |
| 363 |
42. http://thread.gmane.org/gmane.linux.gentoo.devel/25254 |
| 364 |
|
| 365 |
Closing or resolving bugs, which is it? |
| 366 |
|
| 367 |
Marius Mauch[43] writes: "I noticed a new trend lately introduced by a few |
| 368 |
new devs: changing bug status from RESOLVED to CLOSED. Personally I just |
| 369 |
find it annoying and completely useless. Can we agree to not do that |
| 370 |
unless there is a technical reason? Don't see any benefit in this, just |
| 371 |
means that closed bugs are now split between two "categories" with no |
| 372 |
actual difference." |
| 373 |
43. genone@g.o |
| 374 |
|
| 375 |
* should we close bugs?[44] |
| 376 |
44. http://thread.gmane.org/gmane.linux.gentoo.devel/25168 |
| 377 |
|
| 378 |
======================= |
| 379 |
5. Gentoo International |
| 380 |
======================= |
| 381 |
|
| 382 |
USA: Gentoo Bugday event at Oregon State University LUG |
| 383 |
------------------------------------------------------- |
| 384 |
|
| 385 |
Gentoo Bugdays[45] are regularly held every first Saturday of each month, |
| 386 |
with developers and users everywhere gathering on IRC and skimming |
| 387 |
Gentoo's bugzilla for anything that looks like it needs fixing. On 5 |
| 388 |
February, the Linux User Group of Oregon State University took the |
| 389 |
opportunity and turned the virtual event into a real one[46]. Twelve OSLUG |
| 390 |
members met at Weatherford Hall, the OSU residential college building. |
| 391 |
Aided by a precompiled list of bugs prepared by Gentoo's Bugday organizers |
| 392 |
for this occasion, they kept squashing bugs from 9:00 to 16:00, with the |
| 393 |
official IRC channel #gentoo-bugs being projected overhead, and assorted |
| 394 |
computers scattered around the classroom, each with a determined Gentoo |
| 395 |
bug hunter in front of the screen. |
| 396 |
45. http://bugday.gentoo.org/ |
| 397 |
46. http://lug.oregonstate.edu/wiki/index.cgi?GentooBugDay |
| 398 |
|
| 399 |
Figure 5.1: The Klendathu, OR bughunt: Deedra Waters, Dunbar (background) |
| 400 |
and Micheal Clay |
| 401 |
http://www.gentoo.org/images/gwn/20050214_oslug.jpg |
| 402 |
|
| 403 |
Note: More photos are available at the OSLUG website. |
| 404 |
|
| 405 |
Germany: Storage tool release for Gentoo Linux |
| 406 |
---------------------------------------------- |
| 407 |
|
| 408 |
Commercial releases of Linux applications with official support outside |
| 409 |
the RedHat/SuSE/Mandrake realm are scarce and far between. A German |
| 410 |
company, SEP AG[47], has now announced the availability of their storage |
| 411 |
management product "SEP sesam" for Gentoo Linux. "We're traditionally tied |
| 412 |
to SuSE Linux, but had Gentoo on our radar ever since we watched the |
| 413 |
impressive installation Lars Weiler[48] did on an HP Proliant cluster at |
| 414 |
last year's LinuxTag in Karlsruhe," recalls SEP's sales manager Johann |
| 415 |
Krahfuss (cf. GWN report 28 June 2004[49]). "So when our first customers |
| 416 |
demanded an adaptation of SEP sesam to Gentoo Linux, it didn't exactly |
| 417 |
take us by surprise." The German federal research institution Fraunhofer |
| 418 |
Gesellschaft[50] were the first to request a SEP sesam installation inside |
| 419 |
a Gentoo Linux environment, "and since we didn't encounter any problems |
| 420 |
whatsoever, we feel it's ready for official release," says Krahfuss. A |
| 421 |
30-day-test version (including support) can be downloaded from the |
| 422 |
corporate website's download section. SEP sesam is designed for data |
| 423 |
storage management in heterogenous networks, including Linux, BSD, |
| 424 |
Solaris, TRU/64, OpenVMS, Windows and Mac OS X. The company will be |
| 425 |
present at next week's CRN Storage Solution Days 2005[51] in Neuss (link |
| 426 |
in German only). |
| 427 |
47. http://www.sep.de |
| 428 |
48. pylon@g.o |
| 429 |
49. http://www.gentoo.org/news/en/gwn/20040628-newsletter.xml |
| 430 |
50. http://www.fhg.de |
| 431 |
51. http://www.solutiondays.de/storage |
| 432 |
|
| 433 |
====================== |
| 434 |
6. Gentoo in the press |
| 435 |
====================== |
| 436 |
|
| 437 |
Newsforge (8 and 9 February 2005) |
| 438 |
--------------------------------- |
| 439 |
|
| 440 |
Newsforge published an article in two parts about using MySQL to benchmark |
| 441 |
OS performance[52], as analyzed and written by Tony Bourke[53]. The |
| 442 |
performance check spans server operating systems Open-, Net- and FreeBSD, |
| 443 |
Solaris 10, and Linux as platforms for MySQL database execution, and |
| 444 |
"among a multitude of distributions" Gentoo was chosen for the Linux part |
| 445 |
of the test, running both 2.4 and 2.6 kernels (gentoo-sources) on |
| 446 |
ReiserFS. "With Gentoo it was also relatively easy to install NPTL for |
| 447 |
2.6, which I used in the 2.6 tests," says Tony Bourke, "although they |
| 448 |
didn't make any difference when compared to non-NPTL 2.6 results." While |
| 449 |
the first part just explains the tools and the methodology, the actual |
| 450 |
performance comparison is published in a separate article[54] - with |
| 451 |
amazing results, Gentoo Linux clearly winning all individual benchmark |
| 452 |
tests. Funnily enough, Gentoo's outstanding performance even triggered |
| 453 |
complaints about the "unfair advantage"[55] of using a source-based, |
| 454 |
possibly processor-optimized Linux distribution as a platform for the |
| 455 |
comparison. |
| 456 |
52. http://software.newsforge.com/software/04/12/27/1238216.shtml |
| 457 |
53. http://vegan.net/tony/ |
| 458 |
54. http://www.newsforge.com/article.pl?sid=04/12/27/1243207 |
| 459 |
55. |
| 460 |
http://www.newsforge.com/comments.pl?sid=43141&op=&threshold=0&commentsort=0&mode=thread&tid=152&pid=106968#106970 |
| 461 |
|
| 462 |
CNET (7 February 2005) |
| 463 |
---------------------- |
| 464 |
|
| 465 |
Sun's President Jonathan Schwartz nods his head to Gentoo's OpenSolaris |
| 466 |
effort in an interview published on CNET last week. While explaining the |
| 467 |
OpenSolaris governance model to interviewer Stephen Shankland, he claims |
| 468 |
"Solaris is now officially platform-neutral"[56] and expects "10 or more" |
| 469 |
non-Sun OpenSolaris distributions to appear in the market. |
| 470 |
56. http://news.com.com/Suns+open-source+gamble/2008-1082_3-5564283.html |
| 471 |
|
| 472 |
Security Focus (2 February 2005) |
| 473 |
-------------------------------- |
| 474 |
|
| 475 |
Columnist Jason Miller says Linux kernel security handling is broken, "and |
| 476 |
it needs to be fixed right now." The article at securityfocus.com[57], a |
| 477 |
publication mainly read by security professionals, is highly critical of |
| 478 |
the way security bugs in the Linux kernel are being addressed. But the |
| 479 |
author, a self-proclaimed "huge follower of BSD-based operating systems," |
| 480 |
has some good news, too: "Once we start looking at actual distributions of |
| 481 |
the Linux kernel as a complete operating system, we find some |
| 482 |
distributions with official security contacts, as well as security-related |
| 483 |
pages similar to those provided by the major BSD-based operating systems. |
| 484 |
Gentoo Linux Security is a good example of that." |
| 485 |
57. http://www.securityfocus.com/columnists/296 |
| 486 |
|
| 487 |
Réseaux & Télécoms (3 February 2005, in French) |
| 488 |
-------------------------------------------------- |
| 489 |
|
| 490 |
Directly responding to the Security Focus column by Jason Miller, the |
| 491 |
French network and telco magazine looks beyond the kernel as a security |
| 492 |
issue: Both flaws in individual applications not depending on the kernel, |
| 493 |
and the distribution of security-related information are identified as |
| 494 |
equally important fields of activity for the "bug hunters of open source." |
| 495 |
The article "Noyau Linux : Mais où est la sécurité ?"[58] acknowledges |
| 496 |
Miller's conclusion of "things changing, fast and in the right direction," |
| 497 |
and praises Thierry Carrez (see our interview above[59]) as an example for |
| 498 |
"impressive work." With the current pace of discussion around the |
| 499 |
structure of security handling and the distribution of information, it's |
| 500 |
"time to show some optimism," says author Marc Olanie, pointing out that |
| 501 |
it took Microsoft eighteen years to standardize their own security |
| 502 |
procedures -- "or have they?" |
| 503 |
58. |
| 504 |
http://www.reseaux-telecoms.com/cso_btree/05_02_03_194507_984/CSO/Newscso_view |
| 505 |
59. |
| 506 |
http://www.gentoo.org/news/en/gwn/20050214-newsletter.xml#doc_chap1_sect2 |
| 507 |
|
| 508 |
Sun blogs (31 January 2005) |
| 509 |
--------------------------- |
| 510 |
|
| 511 |
Eric Boutilier, an engineer at Sun, Inc. is gearing up for Gentoo |
| 512 |
development on OpenSolaris, and posted his first attempts at familiarizing |
| 513 |
himself with Portage on Linux to his blog at the Sun website[60]. While |
| 514 |
his choice of installation material is peculiar - Gentoo-clone Vidalinux |
| 515 |
rather than a standard install, and on a five-year-old Portégé laptop - he |
| 516 |
quickly falls in sync with normal Portage user behaviour for lengthy |
| 517 |
compiles: "Oh well. I left it happily building away and went to work." |
| 518 |
60. http://blogs.sun.com/roller/page/eric_boutilier/20050131 |
| 519 |
|
| 520 |
=========== |
| 521 |
7. Bugzilla |
| 522 |
=========== |
| 523 |
|
| 524 |
Summary |
| 525 |
------- |
| 526 |
|
| 527 |
* Statistics |
| 528 |
* Closed bug ranking |
| 529 |
* New bug rankings |
| 530 |
|
| 531 |
Statistics |
| 532 |
---------- |
| 533 |
|
| 534 |
The Gentoo community uses Bugzilla (bugs.gentoo.org[61]) to record and |
| 535 |
track bugs, notifications, suggestions and other interactions with the |
| 536 |
development team. Between 06 February 2005 and 13 February 2005, activity |
| 537 |
on the site has resulted in: |
| 538 |
61. http://bugs.gentoo.org |
| 539 |
|
| 540 |
* 860 new bugs during this period |
| 541 |
* 699 bugs closed or resolved during this period |
| 542 |
* 37 previously closed bugs were reopened this period |
| 543 |
|
| 544 |
Of the 8036 currently open bugs: 102 are labeled 'blocker', 243 are |
| 545 |
labeled 'critical', and 600 are labeled 'major'. |
| 546 |
|
| 547 |
Closed bug rankings |
| 548 |
------------------- |
| 549 |
|
| 550 |
The developers and teams who have closed the most bugs during this period |
| 551 |
are: |
| 552 |
|
| 553 |
* osx porters[62], with 179 closed bugs[63] |
| 554 |
* Gentoo's Team for Core System packages[64], with 53 closed bugs[65] |
| 555 |
* Gentoo KDE team[66], with 30 closed bugs[67] |
| 556 |
* AMD64 Porting Team[68], with 24 closed bugs[69] |
| 557 |
* Gentoo Security[70], with 23 closed bugs[71] |
| 558 |
* media-video herd[72], with 19 closed bugs[73] |
| 559 |
* Gentoo Games[74], with 19 closed bugs[75] |
| 560 |
* Text-Markup Team[76], with 17 closed bugs[77] |
| 561 |
62. osx@g.o |
| 562 |
63. |
| 563 |
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=osx@g.o |
| 564 |
64. base-system@g.o |
| 565 |
65. |
| 566 |
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=base-system@g.o |
| 567 |
66. kde@g.o |
| 568 |
67. |
| 569 |
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=kde@g.o |
| 570 |
68. amd64@g.o |
| 571 |
69. |
| 572 |
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=amd64@g.o |
| 573 |
70. security@g.o |
| 574 |
71. |
| 575 |
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=security@g.o |
| 576 |
72. media-video@g.o |
| 577 |
73. |
| 578 |
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=media-video@g.o |
| 579 |
74. games@g.o |
| 580 |
75. |
| 581 |
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=games@g.o |
| 582 |
76. text-markup@g.o |
| 583 |
77. |
| 584 |
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=text-markup@g.o |
| 585 |
|
| 586 |
New bug rankings |
| 587 |
---------------- |
| 588 |
|
| 589 |
The developers and teams who have been assigned the most new bugs during |
| 590 |
this period are: |
| 591 |
|
| 592 |
* AMD64 Porting Team[78], with 30 new bugs[79] |
| 593 |
* Gentoo Sound Team[80], with 18 new bugs[81] |
| 594 |
* Gentoo X-windows packagers[82], with 15 new bugs[83] |
| 595 |
* Net-Mail Packages[84], with 11 new bugs[85] |
| 596 |
* Mobile Herd[86], with 11 new bugs[87] |
| 597 |
* media-video herd[88], with 11 new bugs[89] |
| 598 |
* Gentoo KDE team[90], with 10 new bugs[91] |
| 599 |
* Portage team[92], with 10 new bugs[93] |
| 600 |
78. amd64@g.o |
| 601 |
79. |
| 602 |
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=amd64@g.o |
| 603 |
80. sound@g.o |
| 604 |
81. |
| 605 |
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=sound@g.o |
| 606 |
82. x11@g.o |
| 607 |
83. |
| 608 |
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=x11@g.o |
| 609 |
84. net-mail@g.o |
| 610 |
85. |
| 611 |
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=net-mail@g.o |
| 612 |
86. mobile@g.o |
| 613 |
87. |
| 614 |
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=mobile@g.o |
| 615 |
88. media-video@g.o |
| 616 |
89. |
| 617 |
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=media-video@g.o |
| 618 |
90. kde@g.o |
| 619 |
91. |
| 620 |
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=kde@g.o |
| 621 |
92. dev-portage@g.o |
| 622 |
93. |
| 623 |
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=dev-portage@g.o |
| 624 |
|
| 625 |
================== |
| 626 |
8. Tips and tricks |
| 627 |
================== |
| 628 |
|
| 629 |
Portage magic: Identify obsolete packages |
| 630 |
----------------------------------------- |
| 631 |
|
| 632 |
Gentoo developer Brian Harring[94] designed a clever way to identify all |
| 633 |
merged versions of packages not available in Portage anymore -- both the |
| 634 |
official tree and packages from PORTDIR_OVERLAY. Here is the method he |
| 635 |
came up with, packing as much Python neatness as fits on a single command |
| 636 |
line: |
| 637 |
94. ferringb@g.o |
| 638 |
|
| 639 |
--------------------------------------------------------------------------- |
| 640 |
| Code Listing 8.1: | |
| 641 |
|Python scriptlet | |
| 642 |
#1------------------------------------------------------------------------- |
| 643 |
| | |
| 644 |
|python -c 'import portage; print [x for x in | |
| 645 |
portage.db["/"]["vartree"].getallcpv() \ |
| 646 |
|if len(portage.portdb.xmatch("match-all","="+x))==0]' | |
| 647 |
| | |
| 648 |
--------------------------------------------------------------------------- |
| 649 |
|
| 650 |
If that just went a little over your head, let's look at what exactly it |
| 651 |
does. For example, if a package, say, foo-1.2.3 is merged, and that |
| 652 |
version 1.2.3 is no longer in the tree, the script will point it out. A |
| 653 |
simple check for packages that aren't available any longer regardless of |
| 654 |
versions, would look like this: |
| 655 |
|
| 656 |
--------------------------------------------------------------------------- |
| 657 |
| Code Listing 8.2: | |
| 658 |
|Python scriptlet | |
| 659 |
#2------------------------------------------------------------------------- |
| 660 |
| | |
| 661 |
|python -c 'import portage; print [x for x in | |
| 662 |
portage.db["/"]["vartree"].getallcpv() \ |
| 663 |
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0]' | |
| 664 |
| | |
| 665 |
--------------------------------------------------------------------------- |
| 666 |
|
| 667 |
Finally, if you want to ignore package foo-1.2.3 even if it isn't in the |
| 668 |
tree any longer, but a revision foo-1.2.3-r1 is, the following script will |
| 669 |
ignore the package, only triggering on installed applications that have |
| 670 |
completely vanished from Portage. |
| 671 |
|
| 672 |
--------------------------------------------------------------------------- |
| 673 |
| Code Listing 8.3: | |
| 674 |
|Python scriptlet | |
| 675 |
#3------------------------------------------------------------------------- |
| 676 |
| | |
| 677 |
|python -c 'import portage; print [x for x in | |
| 678 |
portage.db["/"]["vartree"].getallcpv() \ |
| 679 |
|if | |
| 680 |
len(portage.portdb.xmatch("match-all","~"+"-".join(portage.pkgsplit(x)[:2]) |
| 681 |
))==0]' |
| 682 |
| | |
| 683 |
--------------------------------------------------------------------------- |
| 684 |
|
| 685 |
Lastly, none of the above take injected packages into consideration, only |
| 686 |
those that were installed from an available tree. Now, suppose you'd like |
| 687 |
to ignore those, too, here's what to do: |
| 688 |
|
| 689 |
--------------------------------------------------------------------------- |
| 690 |
| Code Listing 8.4: | |
| 691 |
|Python scriptlet | |
| 692 |
#4------------------------------------------------------------------------- |
| 693 |
| | |
| 694 |
|python -c 'import portage; print [x for x in | |
| 695 |
portage.db["/"]["vartree"].getallcpv() \ |
| 696 |
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0 \ | |
| 697 |
|and not portage.db["/"]["vartree"].dbapi.isInjected(x)]' | |
| 698 |
| | |
| 699 |
--------------------------------------------------------------------------- |
| 700 |
|
| 701 |
Yes, we knew you'd like this. All of the above do work for individual |
| 702 |
packages you keep in an overlay tree, for example at /usr/local/portage, |
| 703 |
those are being evaluated along with packages in the official Portage |
| 704 |
tree. Try it out, you can't break anything, it just notifies you about |
| 705 |
whatever it finds, leaving it up to the user to decide what to do with |
| 706 |
that information. |
| 707 |
|
| 708 |
=========================== |
| 709 |
9. Moves, adds, and changes |
| 710 |
=========================== |
| 711 |
|
| 712 |
Moves |
| 713 |
----- |
| 714 |
|
| 715 |
The following developers recently left the Gentoo team: |
| 716 |
|
| 717 |
* None this week |
| 718 |
|
| 719 |
Adds |
| 720 |
---- |
| 721 |
|
| 722 |
The following developers recently joined the Gentoo Linux team: |
| 723 |
|
| 724 |
* Sebastian Bergmann (sebastian) - PHP |
| 725 |
|
| 726 |
Changes |
| 727 |
------- |
| 728 |
|
| 729 |
The following developers recently changed roles within the Gentoo Linux |
| 730 |
project: |
| 731 |
|
| 732 |
* None this week |
| 733 |
|
| 734 |
===================== |
| 735 |
10. Contribute to GWN |
| 736 |
===================== |
| 737 |
|
| 738 |
Interested in contributing to the Gentoo Weekly Newsletter? Send us an |
| 739 |
email[95]. |
| 740 |
95. gwn-feedback@g.o |
| 741 |
|
| 742 |
================ |
| 743 |
11. GWN feedback |
| 744 |
================ |
| 745 |
|
| 746 |
Please send us your feedback[96] and help make the GWN better. |
| 747 |
96. gwn-feedback@g.o |
| 748 |
|
| 749 |
================================ |
| 750 |
12. GWN subscription information |
| 751 |
================================ |
| 752 |
|
| 753 |
To subscribe to the Gentoo Weekly Newsletter, send a blank email to |
| 754 |
gentoo-gwn-subscribe@g.o. |
| 755 |
|
| 756 |
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to |
| 757 |
gentoo-gwn-unsubscribe@g.o from the email address you are |
| 758 |
subscribed under. |
| 759 |
|
| 760 |
=================== |
| 761 |
13. Other languages |
| 762 |
=================== |
| 763 |
|
| 764 |
The Gentoo Weekly Newsletter is also available in the following languages: |
| 765 |
|
| 766 |
* Danish[97] |
| 767 |
* Dutch[98] |
| 768 |
* English[99] |
| 769 |
* German[100] |
| 770 |
* french[101] |
| 771 |
* japanese[102] |
| 772 |
* italian[103] |
| 773 |
* polish[104] |
| 774 |
* portuguese (brazil)[105] |
| 775 |
* portuguese (portugal)[106] |
| 776 |
* russian[107] |
| 777 |
* spanish[108] |
| 778 |
* turkish[109] |
| 779 |
97. http://www.gentoo.org/news/da/gwn/gwn.xml |
| 780 |
98. http://www.gentoo.org/news/nl/gwn/gwn.xml |
| 781 |
99. http://www.gentoo.org/news/en/gwn/gwn.xml |
| 782 |
100. http://www.gentoo.org/news/de/gwn/gwn.xml |
| 783 |
101. http://www.gentoo.org/news/fr/gwn/gwn.xml |
| 784 |
102. http://www.gentoo.org/news/ja/gwn/gwn.xml |
| 785 |
103. http://www.gentoo.org/news/it/gwn/gwn.xml |
| 786 |
104. http://www.gentoo.org/news/pl/gwn/gwn.xml |
| 787 |
105. http://www.gentoo.org/news/pt_br/gwn/gwn.xml |
| 788 |
106. http://www.gentoo.org/news/pt/gwn/gwn.xml |
| 789 |
107. http://www.gentoo.org/news/ru/gwn/gwn.xml |
| 790 |
108. http://www.gentoo.org/news/es/gwn/gwn.xml |
| 791 |
109. http://www.gentoo.org/news/tr/gwn/gwn.xml |
| 792 |
|
| 793 |
Ulrich Plate <plate@g.o> - Editor |
| 794 |
AJ Armstrong <aja@×××××××××××××.com> - Author |
| 795 |
Mike Fetherston <mike@××××××××××××××.ca> - Author |
| 796 |
Patrick Lauer <patrick@g.o> - Author |
| 797 |
|
| 798 |
-- |
| 799 |
gentoo-gwn@g.o mailing list |
Archives
