Gentoo Logo
Gentoo Spaceship

Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-gwn
Lists: gentoo-gwn: < Prev By Thread Next > < Prev By Date Next >
To: gentoo-gwn@g.o
From: Ulrich Plate <plate@g.o>
Subject: Gentoo Weekly Newsletter 15 November 2004
Date: Mon, 15 Nov 2004 00:56:40 +0100
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 15 November 2004.
1. Gentoo News
Proud to present: Gentoo Linux 2004.3 release
This is the fourth and final release of Gentoo Linux in 2004, with its 
main focus on bug fixes and making the release tools more robust and 
easier to use. Releasing for 2004.3 are all the major architectures 
supported by Gentoo: amd64, hppa, ppc, sparc, x86, and an initial ppc64 
release. There is also an experimental alpha release, along with stages 
for ia64 and s390. The embedded team has also released stages for arm, 
mips, ppc, and x86, all of which can be found under /experimental. You can 
find out more about 2004.3 by checking out the release page[1] and reading 
the ChangeLog[2]. 
Among the highlights of 2004.3: Both amd64 and ppc have switched to gcc 
3.4 as their compiler of choice. Sparc is releasing only sparc64 media, 
amd64 and x86 are both switching to a single kernel for the LiveCD. Best 
of all has been the improved cooperation between the teams for the various 
architectures, invisibly ensuring an even more consistent output than 
previous releases.
2004.3 has been pushed to the mirrors[3] in the past few hours, and is 
also available via bittorrent on[4] and[5]. Delivered to the public as scheduled by 0:00 
UTC on Monday, 15 November 2004, it marks the last version in the 
quarterly schedule adopted for 2004 that is going to be replaced by 
six-monthly releases next year, with 2005.0 and 2005.1 to be expected in 
early and mid-2005.
Although Gentoo Linux puts much less emphasis behind releases than other 
Linux distributions, and adheres to release cycles solely for installation 
media, the frozen state of each release represents the culmination of the 
work of each of our developers, and an excellent starting point for new 
installations of Gentoo Linux. Thanks to all Gentoo developers and 
community testers for making this our best release ever!
Gentoo's X11 team seeks additional developers
The X11 team needs help with the core X implementations, both xorg-x11 and 
xfree. In particular, people comfortable with the C language and with 
diving deep into X are requested to contact Donnie Berkholz[6] and the 
Developer Relations project[7] as soon as possible: more than 200 open 
bugs need fixing!
 6. spyderous@g.o
 7. recruiters@g.o
Kernel housecleaning: pruning the tree
The Gentoo Linux kernel maintainers are in the process of doing some 
housecleaning with the sys-kernel packages in Portage. A number of popular 
and not-so-popular source packages are unmaintained and outdated, or have 
been merged with the official Linux kernel development. They have either 
already been removed from the tree or are in the process of getting 
replaced by alternatives, and people still running any of them are invited 
to migrate to different kernel packages at their earliest convenience. A 
summary list of packages and migration recommendations are listed here[8], 
together with an announcement for a behaviour change in the hotplug 
package (see below in the "Tips and tricks" section).
2. Future zone
MetaKDE: Split KDE ebuilds
This project by Dan Armak[9] and Simone Gotti[10] implements a 
long-requested feature: separate ebuilds for all kde applications. Instead 
of emerge kdebase kdepim, you can now emerge konqueror kmail.
 9. danarmak@g.o
 10. motaboy@g.o
Very few users actually use all or almost all the 300+ kde applications, 
and packaging them in a few huge, monolithic packages is distinctly 
un-Gentooish. Splitting them cuts down on emerge time, disk usage and 
clutter and makes it easier to issue and verify updates, including 
security alerts. It also allows more fine-grained dependency specification 
and USE flag usage.
This power comes at a price. The reason the Gentoo KDE packages weren't 
split long ago is that every ebuild emerged has to unpack a huge tarball 
and run configure all over again, which takes time. It was calculated that 
the total overhead for emerging all of KDE in split packages, as opposed 
to the current monolithic ones, would be several hours. Two years ago this 
was still deemed unacceptable (for a summary of the discussion see this
But things have become faster over time - not just hardware, but autotools 
and the KDE build scripts as well. So much so, that we decided we'd try 
this and see what happened. The new confcache (see next week's "Future 
zone" section for details) is also a major bonus. The current status of 
the project is about 95% complete. An ebuild overlay is at[12] and has no known bugs, just a few missing 
features. These ebuilds also have some minor improvements that the 
monolithic ones don't.
We are now starting to merge these ebuilds into Portage proper. The plan 
is to introduce them gradually, starting with the least used packages. The 
kdebindings-derived ebuilds are already there and will probably be 
unmasked by the time you read this. We hope the split ebuilds will become 
the default in time for KDE 3.4. Meanwhile wide testing by all and sundry 
would be appreciated.
3. Gentoo security
zgv: Multiple buffer overflows
zgv contains multiple buffer overflows that can potentially lead to the 
execution of arbitrary code. 
For more information, please see the GLSA Announcement[13]
Portage, Gentoolkit: Temporary file vulnerabilities
dispatch-conf (included in Portage) and qpkg (included in Gentoolkit) are 
vulnerable to symlink attacks, potentially allowing a local user to 
overwrite arbitrary files with the rights of the user running the script. 
For more information, please see the GLSA Announcement[14]
Kaffeine, gxine: Remotely exploitable buffer overflow
Kaffeine and gxine both contain a buffer overflow that can be exploited 
when accessing content from a malicious HTTP server with specially crafted 
For more information, please see the GLSA Announcement[15]
OpenSSL, Groff: Insecure tempfile handling
groffer, included in the Groff package, and the der_chop script, included 
in the OpenSSL package, are both vulnerable to symlink attacks, 
potentially allowing a local user to overwrite arbitrary files with the 
rights of the user running the utility. 
For more information, please see the GLSA Announcement[16]
zip: Path name buffer overflow
zip contains a buffer overflow when creating a ZIP archive of files with 
very long path names. This could lead to the execution of arbitrary code. 
For more information, please see the GLSA Announcement[17]
mtink: Insecure tempfile handling
mtink is vulnerable to symlink attacks, potentially allowing a local user 
to overwrite arbitrary files with the rights of the user running the 
For more information, please see the GLSA Announcement[18]
Apache 2.0: Denial of Service by memory consumption
A flaw in Apache 2.0 could allow a remote attacker to cause a Denial of 
For more information, please see the GLSA Announcement[19]
Pavuk: Multiple buffer overflows
Pavuk contains multiple buffer overflows that can allow a remote attacker 
to run arbitrary code. 
For more information, please see the GLSA Announcement[20]
ez-ipupdate: Format string vulnerability
ez-ipupdate contains a format string vulnerability that could lead to 
execution of arbitrary code. 
For more information, please see the GLSA Announcement[21]
Samba: Remote Denial of Service
An input validation flaw in Samba may allow a remote attacker to cause a 
Denial of Service by excessive consumption of CPU cycles. 
For more information, please see the GLSA Announcement[22]
Davfs2, lvm-user: Insecure tempfile handling
Davfs2 and the lvmcreate_initrd script (included in the lvm-user package) 
are both vulnerable to symlink attacks, potentially allowing a local user 
to overwrite arbitrary files with the rights of the user running them. 
For more information, please see the GLSA Announcement[23]
4. Heard in the community
Media-sound reorganization
Chris White[24] plans to reorganize the whole media-sound category. The 
almost 300 packages in this category will be split into approximately 15 
to 20 new categories. And, as many times before, the arguments for a 
generally different organization of packages were considered in this 
 24. chriswhite@g.o
 * Media-sound reorganization[25] 
Trojan for Gentoo
After a long time of inactivity on his bug[26], the original reporter 
offers a way for rsync mirrors to trojanize Gentoo installs by 
manipulation of eclasses. Since they are not yet signed, a compromised 
rsync server could become a great security risk. 
 * Trojan for Gentoo[27] 
Detecting gcj and other gcc language modules
This is the specific case of the general question: Is there a general way 
to depend on a package built with a specific USE-flag? As it seems, this 
useful functionality is not yet in portage. At the moment only a few 
workarounds exist, but it's still the cause of some compile failures and 
seemingly strange bugs. 
 * Detecting gcj and other gcc language modules[28] 
5. Gentoo International
Italy: G-Day update
As reported last week, the Italian Linux Society - a not-for-profit 
organization that coordinates Italian Linux user groups (LUG) - once a 
year organizes a "Linux Day"[29], a fundamental event for Linux users in 
every major Italian city where local LUGs runs meetings, conferences, 
install parties, and other activities for their community. Linux Day 2004 
on 27 November will be held in about one hundred different cities around 
Italy. The Italian Gentoo community, driven by activists of the GeCHI[30] 
(Gentoo Channel Italia), has decided to build on the experience of last 
year's inaugural Gentoo-related event during Linux Day in Venice, and will 
organize a "Gentoo Day" or G-Day. G-Day is going to be a great opportunity 
to meet, discuss, share ideas and show Gentoo Linux to other Linux users 
and beginners. After a bit of discussion where to hold the G-Day, the 
GeCHI finally settled for Prato last week. The all-day event, presented in 
co-operation with the Prato Linux User Group (PLUG[31]), will start at 
9:30 and finish around midnight on 27 November.
The GeCHI evangelists will set up a demonstration area with PCs, PPCs, and 
a PlayStation2, where they will show different Gentoo uses and 
capabilities. Distfiles and rsync mirrors will be provided locally for the 
convenience of visitors who wish to install Gentoo Linux on their own 
hardware on the spot. They have prepared brochures showing pros and cons 
of Gentoo systems, and about using Gentoo in educational, desktop and 
enterprise environments. Handbooks and CDs will be distributed to people 
who would like to try Gentoo. During the whole day, in a conference hall 
next to the demo area, GeCHI speakers will hold talks and Q&A sessions, 
with topics ranging from "Introduction to Gentoo Linux" for beginners, via 
"Gentoo in enterprise environments" for professional system 
administrators, to technical issues like "Securing a Gentoo box" and 
"Managing multiple Gentoo installations". Proceeds for the gadgetry 
(T-Shirts, case stickers) sold at the event will be donated to the Gentoo 
Some live coverage can be tapped into via the Italian Gentoo Fora, in 
particular this thread in the official Gentoo Forum[32] and the GeCHI's 
own G-Day forum[33].
Brazil: Gentoo Linux at CONISLI, São Paulo
CONISLI[34], the "Congresso Internacional de Software Livre" 
(International Free Software Conference) in the city of São Paulo was held 
for the first time only last year, but it has already become one of the 
most important Free Software events in Brazil. This year it was held on 5 
and 6 November at the Palácio das Convenções do Anhembi[35], already twice 
as big as the first event at São Paulo's university where it was held in 
2003. The main focus this year was on "Developing Software", and on top of 
various talks and workshops on the conference schedule (including Marcelo 
Gondim's intriguingly titled presentation "Shopping with Gentoo Linux"), 
CONISLI also provided exhibition space for free software communities, 
where the particularly strong Brazilian Gentoo users group[36] set up a 
booth and held a meeting of their own, to discuss ideas, exchange 
information and nurture the growth of Gentoo among Brazilian Linux users. 
Figure 5.1: Gentoo Linux at CONISLI 2004
Note: Left to right: Annihilator, Enderson (Enderson Maia), Chatoo (Wagner 
Hebert), Angra (Diego R. Grein), Lulyis (Luana Leonor), Toskinha (Sulamita 
Garcia), fl0cker (Luiz Agostinho), Marcelo_ (Marcelo Lima), Bani (Vanessa 
Sabino), Aninha (Ana Paula), Gentoo developer AngusYoung (Otavio Piske)
More photos from the event can be found here:
 * CONISLI pictures[37] 
 * More CONISLI pictures[38] 
 * And even more CONISLI pictures[39] 
Germany: Annual General Meeting (AGM) of "Friends of Gentoo e.V.", 20 
November 2004
The first AGM of the German not-for-profit association "Friends of Gentoo 
e.V."[40] is going to be held next Saturday, 20 November 2004 from 19:00 
at the Gasthof Harlos[41] in Oberhausen, a pub with a history of monthly 
regional Gentoo user meetings. On the agenda are elections for the board 
of directors, a report on last year's activities and motions for 
amendments to the statutes. The meeting is open to the public, but only 
current members of the association have the right to vote. 
Germany: First Gentoo user meeting in Nuremberg, 1 December 2004
Bavaria's second largest city is going to host the next Gentoo user 
meeting (GUM) in Germany, the first one in this area, organised by a 
freshly constituted Gentoo User Group Nürnberg (GUGN). If you happen to be 
around that part of the country on 1 December, meet the others at the 
Landbierparadies after 19:30. All necessary details including maps can be 
had at an improvised GUGN website[42], and a Forum thread[43] coordinates 
who and how many are planning to show up. 
6. Gentoo in the press
O'Reilly: Knoppix Hacks (October 2004)
"100 Industrial-Strength Tips & Tools" is the subtitle of a brandnew book 
from O'Reilly, "Knoppix Hacks"[44], published just last month, and hack 
#36 on p. 110f explains how to "Install Gentoo with Knoppix". Providing 
several reasons why installing Gentoo Linux is best done from a LiveCD (as 
opposed to from inside an existing Linux installation), the article 
promotes doing this not from a Gentoo ISO, but from booting a Knoppix CD. 
Never mind, as long as you get "all the benefits of having a Gentoo 
system, such as the excellent portage package manager," as author Alex 
Garbutt puts it, alongside his personal recommendation of playing Frozen 
Bubble while waiting for the installation to finish. 
7. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla ([45]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 07 November 2004 and 14 November 2004, activity 
on the site has resulted in: 
 * 795 new bugs during this period 
 * 548 bugs closed or resolved during this period 
 * 29 previously closed bugs were reopened this period 
Of the 7397 currently open bugs: 129 are labeled 'blocker', 240 are 
labeled 'critical', and 556 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
 * AMD64 Porting Team[46], with 40 closed bugs[47]  
 * Gentoo Games[48], with 28 closed bugs[49]  
 * Gentoo's Team for Core System packages[50], with 27 closed bugs[51]  
 * Mozilla Gentoo Team[52], with 26 closed bugs[53]  
 * media-video herd[54], with 25 closed bugs[55]  
 * Paul de Vrieze[56], with 21 closed bugs[57]  
 * SpanKY[58], with 20 closed bugs[59]  
 * Gentoo Security[60], with 17 closed bugs[61]  
 46. amd64@g.o
 48. games@g.o
 50. base-system@g.o
 52. mozilla@g.o
 54. media-video@g.o
 56. pauldv@g.o
 58. vapier@g.o
 60. security@g.o
New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Gentoo's Team for Core System packages[62], with 23 new bugs[63]  
 * Gentoo X-windows packagers[64], with 19 new bugs[65]  
 * Java team[66], with 15 new bugs[67]  
 * Mozilla Gentoo Team[68], with 14 new bugs[69]  
 * AMD64 Porting Team[70], with 14 new bugs[71]  
 * Gentoo Linux Gnome Desktop Team[72], with 13 new bugs[73]  
 * Chris White[74], with 10 new bugs[75]  
 * Gentoo Toolchain Maintainers[76], with 9 new bugs[77]  
 62. base-system@g.o
 64. x11@g.o
 66. java@g.o
 68. mozilla@g.o
 70. amd64@g.o
 72. gnome@g.o
 74. chriswhite@g.o
 76. toolchain@g.o
8. Tips and Tricks
Hotplugging? Coldplugging!
Today's tip comes straight from Gentoo's kernel package maintainer and 
developer department, and it reflects quite an important change in the 
behaviour of a core mechanism during the boot process. The 
sys-apps/hotplug package is commonly installed on desktop systems in order 
to provide automatic loading of modules when hardware is plugged in during 
system operation. As well as automatically loading modules when new 
devices are plugged in, the previous hotplug releases also scanned the 
system hardware at bootup and loaded modules for any detected hardware.
Technically, autoloading modules at bootup is not hotplugging, and as 
such, this functionality has been removed from the latest hotplug release. 
If you previously relied on hotplug autoloading modules at bootup and wish 
to keep it that way, then all you need to do is install the more 
appropriately named coldplug package: 
| Code Listing 8.1:                                                       |
|Emerge and activate                                                      |
|                                                                         |
|emerge coldplug                                                          |
|rc-update add coldplug boot                                              |
Bear in mind that it is generally safer to include the modules you want to 
autoload in the /etc/modules.autoload.d/kernel-2.x file, though. Do 
yourself a favor and switch back to the canonical way if you ever 
experience problems with coldplug. 
9. Moves, adds, and changes
The following developers recently left the Gentoo team:
 * None this week 
The following developers recently joined the Gentoo Linux team:
 * Stefan Schweizer (genstef) - External kernel modules 
The following developers recently changed roles within the Gentoo Linux 
 * Henrik Brix Andersen (brix) - Kernel 
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 
 78. gwn-feedback@g.o
11. GWN feedback
Please send us your feedback[79] and help make the GWN better.
 79. gwn-feedback@g.o
12. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under.
13. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[80] 
 * Dutch[81] 
 * English[82] 
 * German[83] 
 * French[84] 
 * Japanese[85] 
 * Italian[86] 
 * Polish[87] 
 * Portuguese (Brazil)[88] 
 * Portuguese (Portugal)[89] 
 * Russian[90] 
 * Spanish[91] 
 * Turkish[92] 
Ulrich Plate <plate@g.o> - Editor
Dan Armak <danarmak@g.o> - Author
Daniel Drake <dsd@g.o> - Author
Chris Gianelloni <wolf31o2@g.o> - Author
Patrick Lauer <patrick@g.o> - Author
Otavio Piske <angusyoung@g.o> - Author
Gianmaria Visconti - Author

gentoo-gwn@g.o mailing list

gentoo-gwn@g.o mailing list

gentoo-gwn@g.o mailing list

Lists: gentoo-gwn: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Gentoo Weekly Newsletter 8 November 2004
Next by thread:
Gentoo Weekly Newsletter 22 November 2004
Previous by date:
Gentoo Weekly Newsletter 8 November 2004
Next by date:
Gentoo Weekly Newsletter 22 November 2004

Updated Jun 17, 2009

Summary: Archive of the gentoo-gwn mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.