Gentoo Archives: gentoo-gwn

From: Kurt Lieber <klieber@g.o>
To: gentoo-gwn@g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter -- Volume 2, Issue 13
Date: Tue, 01 Apr 2003 00:55:32
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of April 1st, 2003.
1. Gentoo News
 * Portage 2.1 to adopt RPM format for LSB compliance 
 * Gentoo/PPC team restructuring 
 * Release schedule announced for Gentoo Linux 1.4_rc4 
Portage 2.1 to adopt RPM format for LSB compliance
In what will likely prove to be a controversial decision, Portage 2.1 will 
adopt the RPM format for all packages moving forward. The use of ebuilds 
will be deprecated in favor of the defacto RPM standard. The primary 
driver for this decision was to ensure compliance with the Linux Standard 
Base[1] specification, which mandates RPM support for package management. 

The developers have been hard at work to make this migration as easy as 
possible. Already a proof-of-concept ebuild2rpm script is in place and 
being tested by a pilot group of developers. Unfortunately, because of the 
architectural differences between the two formats, some features will not 
be supported once Gentoo moves to RPM. USE variables are one such feature; 
sandbox security is another. However, the added benefit brought about by 
full LSB compliance should far outweigh the loss of these two minor 
Additionally, because of LSB's required library support[2], the xfree86 
package will move to become part of the base Gentoo Linux system, rather 
than an optional addition. Users interested in learning more about the 
Linux Standard Base should read the LSB FAQ[3] or the full LSB 1.3 

Gentoo/PPC team restructuring
As announced in last week's issue[5], Mark Guertin (gerk) recently retired 
from the Gentoo Linux project. Replacing Mark as the Gentoo/PPC lead will 
be Pieter Van den Abeele (pvdabeel). Assisting Pieter in the PPC 
development efforts will be Luca, Graham, and Seth, who have been 
appointed as second-tier leads for the group. The new structure provides 
for more distributed leadership on the PPC developer team and offers more 
flexibility and redundancy. 

Release schedule announced for Gentoo Linux 1.4_rc4
Brad Cowan (bcowan) recently announced the release schedule for Gentoo 
Linux 1.4_rc4: 
 * Sun March 23rd - Package Upgrades Phase Starts - The development team 
is encouraged to move things from unstable ("~" masked) state to stable 
for the next 14 days. 
 * Sun March 30th - Build and Test Phase - Generic CPU stage tarballs are 
made and tested from the current CVS tree for the next 7 days with jhhudso 
and QA testers reporting any bugs found. 
 * Sun April 6th - End Package Upgrades phase - Start Build and Test Phase 
with an official CVS snapshot. 
 * Wed April 9th - Official Release Decision - a determination is made as 
to whether this next release will be an "official release" or release 
candidate. The Development Lead for each arch, the Release Coordinator, 
the Development Manager, and the Chief Architect all come to a final 
unanimous decision in this matter. 
2. Gentoo Security
 * GLSA: stunnel 
 * GLSA: mod_ssl 
 * GLSA: glibc 
 * GLSA: openssl 
 * GLSA: mutt 
 * GLSA: bitchx 
 * GLSA: zlib 
 * New Security Bug Reports 
GLSA: stunnel
The stunnel SSL port wrapper is vulnerable to a timing attack against 
OpenSSL that may expose RSA keys. 
 * Severity: High - Cryptographic exposure. 
 * Packages Affected: net-misc/stunnel versions prior to stunnel-3.22-r2 
 * Rectification: Synchronize and emerge stunnel, emerge clean. 
 * GLSA Announcement[6] 
 * Advisory[7] 
The Apache module mod_SSL is vulnerable to a timing attack against OpenSSL 
that may expose RSA keys. 
 * Severity: High - Cryptographic exposure. 
 * Packages Affected: net-www/mod_ssl versions prior to mod_ssl-2.8.14 
 * Rectification: Synchronize and emerge mod_ssl, emerge clean. 
 * GLSA Announcement[8] 
 * Advisory[9] 
GLSA: glibc
An integer overflow vulnerability in the xdrmem_getbytes() function 
provided as part of glibc could permit a remote exploit attack. 
 * Severity: High - Remote exploit possible. 
 * Packages Affected: sys-libs/glibc versions prior to glibc-2.3.1-r4 
   (glibc-2.2.5-r8 on ARM systems). 
 * Rectification: Synchronize and emerge glibc, emerge clean. 
 * GLSA Announcement[10] 
 * Advisory[11] 

GLSA: openssl
It has been discovered that OpenSSL is vulnerable to a sophisticated 
attack involving opening millions of SSL/TLS connections to a server in 
order to perform a private-key operation using the server's RSA key. The 
key itself is not compromised. 
 * Severity: High - Cryptographic exposure. 
 * Packages Affected: dev-libs/openssl versions prior to openssl-0.9.6i-r2 
 * Rectification: Synchronize and emerge openssl, emerge clean. 
 * GLSA Announcement[12] 
 * Advisory[13] 

GLSA: mutt
The mutt mail client contains a vulnerability in its IMAP support that 
could permit a malicious IMAP server operator to crash the reader or 
potentially execute commands on the vulnerable system. 
 * Severity: High - Remote code execution. 
 * Packages Affected: net-mail/mutt versions prior to mutt-1.4.1 
 * Rectification: Synchronize and emerge mutt, emerge clean. 
 * GLSA Announcement[14] 
 * Advisory[15] 

GLSA: bitchx
The bitchx IRC client is vulnerable to buffer-overflows, permitting 
malicious server operators or man-in-the-middle attackers to perform DoS 
 * Severity: Moderate - remote DoS. 
 * Packages Affected: net-irc/bitchx versions prior to bitchx-1.0.19-r5 
 * Rectification: Synchronize and emerge bitchx, emerge clean. 
 * GLSA Announcement[16] 
 * Advisory[17] 
GLSA: zlib
The zlib system library contains a buffer-overflow vulnerability in its 
gzprintf() function. This vulnerability could be used to corrupt the call 
 * Severity: Moderate - local DoS. 
 * Packages Affected: sys-libs/zlib versions prior to zlib-1.1.4-r1 
 * Rectification: Synchronize and emerge zlib, emerge clean. 
 * GLSA Announcement[18] 
 * Advisory[19] 
New Security Bug Reports
The following new security bugs were posted this week: 
 * dev-libs/dietlibc[20] 
 * app-crypt/heimdal[21] 
 * dev-php/php[22] 
3. Featured Developer of the Week
Karl Trygve Kalleberg
Karl Trygve Kalleberg[23] maintains dev-lisp and dev-java with a few other 
developers, as well as several other languages and compilers and the 
eminently useful gentoolkit. This mostly entails fixing ebuild bugs and 
verifying new submissions; Karl also spends much time arguing with the 
other developers about how to improve Gentoo Linux's development process, 
a goal for which he has crafted tools like lintool and munchie. A Gentoo 
developer since summer 2001, Karl has worked on many other OSS projects, 
including the Savage3D driver for the Utah-GLX project[24], the Linux port 
to the Sega Dreamcast[25], a multi-language documentation system[26], the 
Norwegian translations of AbiWord[27] and the Gimp[28] (the first to 
Bokmål, the latter to Nynorks, two different dialects of Norwegian), and 
some other projects you can see listed on his personal page[29] at 
SourceForge, but most of these projects, as well as his involvement with 
Gentoo were preempted by his Master's thesis: transformations for the 
CodeBoost transformation system[30] which he presented on the 21st of 
March at the University of Bergen[31]. Now he's back in all of his 
capacities, including that of comic relief for the Gentoo development 

 23. karltk@g.o
Karl has a nice dual Athlon 2000+ box with a Kyro II video card and an IDE 
RAID, but as of late he only visits it through ssh. He's currently 
borrowing an Athlon 1800+ running Redhat (his excuse: it's nice to know 
what the other distros look like once in a while), and is waiting for a 
replacement for his iBook, which he bought in January and which has broken 
down twice (Karl says that Apple's customer support is the worst service 
he's come across, including the tax authorities, but will gladly use an 
iBook if Apple decides to send him a working one). He uses Fluxbox and KDE 
depending on the occasion, with Galeon and Sylpheed for browsing and mail. 
Karl's other favorite apps include zsh, most, irssi, and ssh, and he 
suffers from withdrawal symptoms whenevr he tries to ditch the bloated, 
horrible, emacs, which is nevertheless home. 
Karl used to design computer languages until the company he worked for 
caved in last summer, and afterwards he worked at a very cool ISP[32]. Now 
unwittingly applying for a PhD position in computer science, he continues 
to study medicine at the Norwegian university of Technology and 
Science[33] as a break from all the CS. Also, he enjoys various forms of 
roleplaying, generally Ars Magica interspersed with some happy-go-lucky 
Sci Fi stints. Believe it or not, his girlfriend's name is Tilde; the fact 
that she works for an evil cell phone company[34] is offset by her 
understanding of obscure Unix jokes[35], and she lives with him in 
Trondheim, Norway[36]. Karl was born in the coastal town of Haugesund but 
escaped to Bergen when he discovered that not all city halls were supposed 
to be pink[37]. The city hall in Bergen[38] was nondistinct, and there he 
was subjeced to Solaris and IRIX before he accidentally installed Linux 
and was not able to get it off. 

Karl left the link between Bergen and Trodheim in a shroud of mystery, as 
to appear inscrutable. 

4. Heard In The Community
Web Forums
CFLAGS Central Revival
Floating point conversion functions in GCC, the standard C compiler suite, 
are susceptible of creating bugs when compiling with -march=pentium4. Some 
people circumvent this by "downgrading" to -march=pentium3, some deny 
bugginess altogether. Say hello to a renewed discussion of compiler 
 * gcc 3.2.2 and Pentium4[39] 
 * -march=pentium4 issue[40] 
 * -fomit-frame-pointer[41] 
 * Making full use of cpu registers in CFLAGS[42] 
 * CFLAGS Central[43] 
Finally: Gentoo on the Xbox
A fresh post by Forum newbie, ShALLaX[44], sent shivers of relief +down 
many a Gentooist's spine: You can do a stage1 installation and run Gentoo 
Linux on your Xbox!

 * Gentoo on the Xbox[45] 

Gentoo Migration Strategies
Matt Garman asked about migration strategies[46] for moving from Debian to 
Gentoo. The resulting thread[47] gave Matt some helpful hints and also 
touched upon the "requirement" of having a separate, 100MB boot partition. 

 * Gentoo Migration Strategy[48] 

Money Dance is Not Dead
Alex Combas inquired[49] about running Money Dance[50] on Gentoo. There 
was some confusion about whether or not Money Dance was still an 
actively-developed program, but it was eventually clarified[51] that Money 
Dance is, in fact, still an active product. 
 * Money Dance[52] 

Managing Disk Space
Andy Arbon posted[53] a script for assisting in the tidying of binary 
packages built by portage. 

Destroying Dependancies 
Per Wigren had some troubles with dependancies[54] when mysql was upgraded 
from 3.23 to 4.0 and proposed a solution to solve the problem going 
forward. Alain Penders pointed out that reverse dependancy checking in 
portage[55] would likely solve Per's problem. 

 * Destroying Dependancies[56] 
5. Gentoo International
Gentoo Hanami
Cherry blossom season in Japan. While the weather report of Japanese TV 
stations still brings daily coverage of the full-bloom-front that is 
slowly moving towards the north of the country, the usual GentooJP 
suspects have already fulfilled their traditional "hanami" duty last 
Friday. For those unfamiliar with the expression: Hanami is a cherry 
blossom viewing event better described as an annual mass hysteria with the 
aim of getting seriously drunk in a park with preferrably large numbers of 
cherry trees and watching the petals float gently to the ground while 
noisily dancing around on much too blue plastic sheets. Roughly a dozen of 
GentooJP activists decided on Shinjuku Gyoen as a venue, a particularly 
nice and fairly central spot in Tokyo, but believe it or not: nobody 
brought a camera... Hoping for next year then, lads. 
German Police Runs on Gentoo-ARM
Government agencies in Europe are known to be much more open towards Linux 
and Open Source Software than those of other countries. In their latest 
move, the BKA[57] (the German equivalent of its more universally known 
cousins FBI or Scotland Yard) has started deploying Gentoo-ARM-based PDAs 
for use of its officers in the field. "They will mainly use it for playing 
MP3s of phone conversations in abduction cases", says Hein Bloed, head of 
the IT department at BKA's headquarters in Wiesbaden. PDAs have been part 
of the standard equipment at the BKA for many years, but the sudden 
decision to replace PocketPC with ARM-based Gentoo Linux came as a 
surprise. The Gentoo-ARM developer team says there are rumours of a 
PocketPC virus accidentally spread throughout the organization by their 
own computer crime department following a raid on illegal software 
importers in the port of Hamburg two months ago.

Erratum: Gentoo Presentation in Denmark on 1 April, not 2 April!
We apologize to Klavs Klavsen for the misinformation carried in last 
week's GWN: His presentation to the mixed Danish and Swedish SSLUG is 
going to take place on 1 April, i.e. Tuesday, at DKUUG/Symbion, 
Fruebjergvej 3 in Copenhagen East, starting at 19:30 in room M4.
6. Portage Watch
The following stable packages were added to portage this week

 * app-admin/envtest : This ebuild display the environment for an ebuild. 
   It's for portage-testing purposes only and will _always_ fail. 
 * net-ftp/junkie : Junkie - GTK2 FTP Client 
 * net-www/phoenix-cvs : The Phoenix Web Browser 
 * net-firewall/kmyfirewall : Graphical KDE iptables configuration tool 
Updates to notable packages

 * sys-apps/portage - portage-2.0.47-r12.ebuild;  
 * sys-devel/gcc - gcc-3.2.2-r2.ebuild;  
 * sys-libs/glibc - glibc-2.2.5-r8.ebuild; glibc-2.3.1-r4.ebuild;  
 * sys-kernel/* - development-sources-2.5.66.ebuild; 
   mips-headers-2.4.21.ebuild; mm-sources-2.5.65-r3.ebuild; 
   mm-sources-2.5.65-r4.ebuild; mm-sources-2.5.66-r1.ebuild; 
   ppc-sources-benh-2.4.20-r9.ebuild; selinux-sources-2.4.20-r2.ebuild; 
 * dev-db/mysql - mysql-4.0.12.ebuild;  
New USE variables

 * mpi - Adds MPI (Message Passing Interface) layer to the apps that 
   support it 
 * selinux - Adds support for Security Enhanced Linux (to build a more 
   secure set of packages and kernel 
7. Bugzilla
 * Statistics 
 * Closed Bug Ranking 
 * New Bug Rankings 
The Gentoo community uses Bugzilla ([58]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. In the last 7 days, activity on the site has resulted 

 * 311 new bugs this week 
 * 311 bugs closed or resolved this week 
 * 12 previously closed bugs were reopened this week. 
 * 2349 total bugs currently marked 'new' 
 * 466 total bugs currently assigned to developers 
There are currently 2880 bugs open in Bugzilla. Of these: 72 are labeled 
'blocker', 104 are labeled 'critical', and 233 are labeled 'major'. 
Closed Bug Rankings
The developers and teams who have closed the most bugs this week are: 
 * The Documents Team[59], with 14 closed bugs[60]  
 * Martin Schlemmer[61], with 9 closed bugs[62]  
 * The Gnome Team[63], with 9 closed bugs[64]  
 * Seemant Kulleen[65], with 9 closed bugs[66]  
 * Alastair Tse[67], with 8 closed bugs[68]  
 * Martin Holzer[69], with 8 closed bugs[70]  
 59. docs-team@g.o
 61. azarah@g.o
 63. gnome@g.o
 65. seemant@g.o
 67. liquidx@g.o
 69. mholzer@g.o

New Bug Rankings
The developers and teams who have been assigned the most new bugs this 
week are: 
 * Nick Hadaway[71], with 16 new bugs[72]  
 71. raker@g.o
 * The x86 Kernel Team[73], with 14 new bugs[74]  
 73. x86-kernel@g.o
 * Martin Schlemmer[75], with 13 new bugs[76]  
 75. azarah@g.o
 * The KDE Team[77], with 13 new bugs[78]  
 77. kde@g.o

 * Nicholas Jones[79], with 11 new bugs[80]  
 79. carpaski@g.o
8. Tips and Tricks
Synchronizing System Date/Time with rdate
This week's tip shows you how to keep your system's date and time synced 
without the hassle of NTP. The command rdate allows you to get the time 
from a server running NTP but doesn't require you to set up your own NTP 
First make sure that you have rdate installed. 
| Code Listing 8.1:                                                       |
| Installing rdate                                                        |
|                                                                         |
|# emerge rdate                                                           |
|                                                                         |
To sync your computer clock, run rdate -s. You should probably change 
which server you use so as not to overload one particular one. Here is a 
list of public Stratum 2 servers[81] that you can use. 

| Code Listing 8.2:                                                       |
| Using rdate                                                             |
|                                                                         |
|# rdate -s                                              |
|                                                                         |
To keep your machine automatically synced, you may want to make use of 
| Code Listing 8.3:                                                       |
| Adding rdate to crontab                                                 |
|                                                                         |
|Add the following to /etc/crontab to sync on the first day of the week.  |
|                                                                         |
|* * * * 0 rdate -s                                      |
|                                                                         |
9. Moves, Adds and Changes
The following developers recently left the Gentoo team: 
 * Nicholas Henke (roughneck) 
 * Maik Schreiber (blizzy) 
The following developers recently joined the Gentoo Linux team:
 * Arun Thomas (sindian) -- Gentoo/ARM, gentoo-hardened 
The following developers recently changed roles within the Gentoo Linux 
 * none this week 
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 

 82. gwn-feedback@g.o
11. GWN Feedback
Please send us your feedback[83] and help make GWN better.

 83. gwn-feedback@g.o
12. Other Languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Dutch[84] 
 * English[85] 
 * German[86] 
 * French[87] 
 * Japanese[88] 
 * Italian[89] 
 * Portuguese (Brazil)[90] 
 * Portuguese (Portugal)[91] 
 * Spanish[92] 

Kurt Lieber <klieber@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Contributor
Brice Burgess <nesta@×××××××.net> - Contributor
Yuji Carlos Kosugi <carlos@g.o> - Contributor
Rafael Cordones Marcos <rcm@×××××××.net> - Contributor
David Narayan <david@×××××××.net> - Contributor
Ulrich Plate <plate@g.o> - Contributor
Peter Sharp <mail@××××××××××××××.net> - Contributor
Kim Tingkaer <kim@×××××××.dk> - Contributor
Mathy Vanvoorden <matje@×××××××.be> - Dutch Translation
Tom Van Laerhoven <tom.vanlaerhoven@××××××.be> - Dutch Translation
Peter Dijkstra <phj.dijkstra@××××.nl> - Dutch Translation
Bernard Bernieke <bernieke@××××××××.com> - Dutch Translation
Vincent Verleye <zu@×××××××.be> - Dutch Translation
Jochen Maes <linux@××××.be> - Dutch Translation
Ben De Groot <yngwin@××××××.nl> - Dutch Translation
Jelmer Jaarsma <j.jaarsma@××××××××××××××××××.nl> - Dutch Translation
Nicolas Ledez <nicolas.ledez@××××.fr> - French Translation
Guillaume Plessis <gui@×××××××××.com> - French Translation
John Berry <anfini@××××.fr> - French Translation
Martin Prieto <riverdale@×××××××××.org> - French Translation
Michael Kohl <citizen428@g.o> - German Translation
Steffen Lassahn <madeagle@g.o> - German Translation
Matthias F. Brandstetter <haim@g.o> - German Translation
Thomas Raschbacher <lordvan@g.o> - German Translation
Klaus-J. Wolf <yanestra@×××.de> - German Translation
Marco Mascherpa <mush@××××××.net> - Italian Translation
Claudio Merloni <paper@×××××××.it> - Italian Translation
Daniel Ketel <kage-chan@g.o> - Japanese Translation
Yoshiaki Hagihara <hagi@×××.com> - Japanese Translation
Andy Hunne <andy@×××××××××.com> - Japanese Translation
Yuji Carlos Kosugi <carlos@g.o> - Japanese Translation
Yasunori Fukudome <yasunori@××××××××××××××××.uk> - Japanese Translation
Ventura Barbeiro <venturasbarbeiro@××××××.br> - Portuguese (Brazil) 
Bruno Ferreira <blueroom@××××××××××××.net> - Portuguese (Portugal) 
Gustavo Felisberto <gustavo@××××××××××.net> - Portuguese (Portugal) 
Ricardo Jorge Louro <rjlouro@×××××××.org> - Portuguese (Portugal) 
Lanark <lanark@××××××××××.ar> - Spanish Translation
Rafael Cordones Marcos <rcm@×××××××.net> - Spanish Translation
Julio Castillo <julio@×××××××××××××.com> - Spanish Translation
Sergio Gómez <s3r@××××××××××××.ar> - Spanish Translation
Pablo Pita Leira <pablo.leira@×××××××××.com> - Spanish Translation
Carlos Castillo <carlos@×××××××××××××.com> - Spanish Translation
Tirant <tirant@×××××.net> - Spanish Translation
Jaime Freire <jfreire@××.com> - Spanish Translation
Lucas Sallovitz <krusty_ar@×××××.com> - Spanish Translation