Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@l.g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 11 October 2004
Date: Sun, 10 Oct 2004 22:25:54
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 11 October 2004.
1. Gentoo News
Portage breaks through the 100,000 files ceiling
In early 2002, synchronizing the Portage tree was usually done in a few 
seconds. At less than 10,000 files, there wasn't much to wait for, and 
certainly no real need for today's option in /etc/make.conf that limits 
syncs to certain parts of the Portage tree. If they want to do the same 
thing today, Gentoo users must allow for significantly more time: Since 
Friday last week, the Portage tree contains more than 100,000 files, 
leaving little to be desired in terms of ebuilds for popular and lesser-known 
applications. Thousands of enhancements, security or Gentoo-specific 
patches to merge with the original sources, even for different versions of 
applications available via Portage are included in the tree. Counting 
toward the total sum are also an increasing number of genuine Gentoo 
developments, like catalyst or tenshi. Congratulations to all who 
contributed to this impressive record! 
Ten PegasosPPC desktops on their way to Gentoo developers
Freescale Semiconductor, Inc.[1], the Motorola spin-off that recently took 
over production of the PowerPC chips from its parent company, is donating a 
large number of computers to various open-source projects, in order to 
evaluate if there is a market for Linux on PowerPC desktops. Ten of the 
machines, PegasosPPC desktops with 1 GHz G4 CPUs, are being sent to Gentoo 
developers in the U.S. and in Europe over the next two weeks. The machines 
will go to the base system, security and hardened herds, one each to 
Gentoo's X11 and Gnome maintainers, three more to test accessibility, web 
applications and media/video, and the rest go to the embedded and PPC 
projects. The Gentoo developers are excited and would like to express 
their gratitude for this generous donation to Freescale Inc.

Figure 1.1: Inside the PegasosPPC: G4 CPU, Radeon 9200 graphics
The producer of the donated PegasosPPCs, the Luxembourg-based company 
Genesi S.a.r.l.[2], is unique in openly and actively supporting Linux for 
desktop PowerPCs, even though it ships its own operating system, MorphOS, 
pre-installed as well. 3D acceleration isn't available yet, but CPU upgrades 
will be easier than usual in the PowerPC world: Both 7447A 1.3 GHz 
processors that do not require active cooling, and a dual-CPU card will be 
available in a couple of months. Since the G3/G4-series from both IBM and 
Freescale are pin-compatible, CPU upgrades can be done as soon as the new 
processors hit the shelves. Freescale will be releasing 2 GHz CPUs soon 
and is also working on a series of dual-core CPUs. 

Turkish GWN translation reanimated
After more than a year of inactivity, a Turkish translation of the GWN is 
available again since last week. Thanks to Bahadir Kandemir[3], the 
Turkish users of Gentoo join the Japanese, Italian and German readers of 
the GWN who receive regular service in their own languages. Several other 
languages still need additional help. Volunteers can contact the GWN 
team[4].

 3. kandemir@×××××.com
 4. gwn-feedback@g.o
2. Gentoo security
Netpbm: Multiple temporary file issues
Utilities included in old Netpbm versions are vulnerable to multiple 
temporary file issues, potentially allowing a local attacker to overwrite 
files with the rights of the user running the utility. 
For more information, please see the GLSA Announcement[5]

NetKit-telnetd: buffer overflows in telnet and telnetd
Buffer overflows exist in the telnet client and daemon provided by 
netkit-telnetd, which could possibly allow a remote attacker to gain root 
privileges and compromise the system. 
For more information, please see the GLSA Announcement[6]

PHP: Memory disclosure and arbitrary location file upload
Two bugs in PHP may allow the disclosure of portions of memory and allow 
remote attackers to upload files to arbitrary locations. 
For more information, please see the GLSA Announcement[7]

Cyrus-SASL: Buffer overflow and SASL_PATH vulnerabilities
Cyrus-SASL contains two vulnerabilities that might allow an attacker to 
completely compromise the vulnerable system. 
For more information, please see the GLSA Announcement[8]

CUPS: Leakage of sensitive information
CUPS leaks information about user names and passwords when using remote 
printing to SMB-shared printers which require authentication. 
For more information, please see the GLSA Announcement[9]

ed: Insecure temporary file handling
The ed utility is vulnerable to symlink attacks, potentially allowing a 
local user to overwrite or change rights on arbitrary files with the 
rights of the user running ed, which could be the root user. 
For more information, please see the GLSA Announcement[10]

ncompress: Buffer overflow
compress and uncompress, which could be used by daemon programs, contain a 
buffer overflow that could lead to remote execution of arbitrary code with 
the rights of the daemon process. 
For more information, please see the GLSA Announcement[11]

3. Heard in the community
Groupware products
Looking for recommendations for groupware products? Several different 
packages are listed for consideration in this thread: 
 * Groupware solution[12] 

Local.start errors
Setting up an interrupt at boot time for a low latency test kernel, Mark 
Knecht added a local.start script that doesn't work as expected. A quick 
resolution is offered in this thread: 
 * setup commands in local.start[13] 

Last emerge sync
How does one determine when the last emerge sync was run? Several 
suggestions went into this thread: 
 * when was last sync?[14] 

Athcool risk
Athcool is a powersaving utility for Athlon CPUs, but the ebuild claims it 
may cause instability. Here's what users have really experienced: 
 * athcool - how safe is it?[15] 

A new cron herd
The base-system herd has many extra packages that don't really belong in 
base-system but lack other maintainers. To reduce the workload, all cron 
daemons will be outsourced to the new cron herd. Other package groups may 
follow in the near future.
 * A new cron herd[16] 

Portage subcategories
This thread discussed the advantages and disadvantages of extending the 
package categories from category/package to 
category/subcategory/.../package. At the moment, portage is unable to 
handle it, and the usefulness of such a change is not obvious. 
 * Portage subcategories[17] 

Portage in embedded systems?
How big is portage, and how do embedded systems with low memory handle it?
 * Portage in embedded systems?[18] 

Moving passwd from /usr/bin to /bin
This small change will help in system recovery. For example, fsck wants 
the root password but might fail if /usr/bin is not mounted (which may 
well be the case during bootup/recovery).
 * Moving passwd from /usr/bin to /bin[19] 

4. Gentoo International
Antarctica: First Gentoo penguin webcam online 
No, the German GARS-O'Higgins Station[20] on the tip of the Antarctic 
Peninsula was not built for watching Gentoo penguins breed - but since 
last week it does have a webcam that serves this exact purpose. The 
station's mission, financed and run by German federal research 
organizations, is to receive and store vast amounts of geodetic data 
beaming down on its 9m antenna from various European Space Agency 
satellites in orbit, forwarding them for number-crunching at data centers 
in Germany. On 29 September 2004, the GARS team installed its fourth web 
camera, this one donated by elementary school children and other private 
sponsors back home, and pointed it to a spot where a Gentoo penguin colony 
takes shelter from the wind during the Antarctic summer, between 
mid-October and April. The first Gentoos started coming here years ago, 
right after the antenna and its concrete foundation were built, and have 
been growing in numbers ever since. Whether they like the place because 
it's warm and cuddly, or because of the average Gentoo's affinity to 
technology, is clearly beside the point. At the time of this writing there 
isn't much to see besides rocks and snow, but the birds should waddle in 
within the month, says Martin Grund[21], the penguin fan who had the idea 
for the Gentoo webcam and organised its setup. The camera (a Mobotix[22] 
M10 Secure Dual) has a StrongARM CPU and runs Linux, by the way.

Figure 4.1: Gentoo penguins and their favorite iceberg
Note: Photo courtesy of Reiner Wojdziak, BKG Leipzig
5. Gentoo in the press
IEEE Computing in Science and Engineering (Volume 6 Issue 5, 
September/October 2004)
The IEEE's journal of Computing in Science and Engineering has published a 
paper by George K. Thiruvathukal titled Gentoo Linux: The Next Generation 
of Linux[23]. Thiruvathukal is an associate professor at Loyola University 
in Chicago and an active Gentoo advocate, who recommends using it in 
his advanced Linux classes at the university. His article for the IEEE 
describes why Gentoo "is a good choice for scientists, and how its 
structure gives us the flexibility and ease of management we need." Only 
the abstract is accessible free of charge on the IEEE website; if you want 
to read the full article, you need to purchase the document (35 USD) or 
go to a library that subscribes to the journal.

AnandTech (4 October 2004)
A report by Kristopher Kubicki at AnandTech is really about Linux 3D AGP 
GPU Roundup: More Cutting Edge Penguin Performance[24] and just mentions 
Gentoo en passant, but in nice enough words to point it out here: "It may 
be due to the circles that we run in, but the sheer interest for Linux 
among our peers seems to have peaked 100-fold what it was last year. 
Simple, clean distros like SuSE, Fedora Core and Mandrake have done 
wonders to the Windows migration crowd - and then there is the whole 
Gentoo sensation as well," writes Kubicki in his introduction to 
AnandTech's hardware benchmarking report for high performance 3D graphics.

ZDNet Tech Update (7 October 2004)
David Berlind writes under the headline "Microsoft Surrounded?" that Linux 
shows promise for the desktop, but must adopt the ease of use seen in Mac 
OS X, for example, especially with regard to network, management and 
resource sharing: "Leading the way on that front (according to ZDNet's 
readers) is the Gentoo distribution." 
Dallas Morning News (7 October 2004)
Titled "Love that Linux - Programmer finds happiness in moving Microsoft 
out of his life", an article by Doug Bedell draws a portrait of Gentoo 
Linux user Mike Owens, CIO at a real estate company and busy migrating 
proprietary Windows environments to Linux. Registration is compulsory to 
be able to read this article[25]. 

The Triangle (1 October 2004)
The student newspaper of Drexel University carries an article by Kevin 
Lynch[26] about Linux distribution choices, comparing the "almost 
idiot-proof configurations" of RPM-based distributions to "the sporty 
young Gentoo" and others. The article's message is borrowed from Indiana 
Jones and the Holy Grail: "Choose wisely." 

The Triangle (8 October 2004)
The same Kevin Lynch writes about the Linux Standard Base (LSB) just one 
week later[27]: "Most of the controversy surrounding the LSB is over the 
chosen installation package method, the Red Hat's Package Manager format. 
[...] Gentoo Linux must redesign its entire package system to conform to 
the LSB standards." 

Maximum PC (October 2004 issue)
On page 36 of this print-only magazine[28], editor Will Smith writes in an 
article on must-have features for Longhorn, the next version of Windows: 
"Finding and installing new applications is ludicrously easy on most Linux 
distros these days. Microsoft needs to make finding new apps and loading 
them on a PC as easy as emerge does on Gentoo or apt-get does on Debian. 
I'm sick of the Installshield installer." 

6. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla ([29]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 03 October 2004 and 09 October 2004, activity on 
the site has resulted in: 

 * 655 new bugs during this period 
 * 402 bugs closed or resolved during this period 
 * 20 previously closed bugs were reopened this period 
Of the 7116 currently open bugs: 134 are labeled 'blocker', 237 are 
labeled 'critical', and 530 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
 * Gentoo's Team for Core System packages[30], with 66 closed bugs[31]  
 * media-video herd[32], with 20 closed bugs[33]  
 * Jeremy Huddleston[34], with 19 closed bugs[35]  
 * Java team[36], with 14 closed bugs[37]  
 * AMD64 Porting Team[38], with 13 closed bugs[39]  
 * Gentoo Security[40], with 12 closed bugs[41]  
 * Gentoo Games[42], with 12 closed bugs[43]  
 * Net-Mail Packages[44], with 10 closed bugs[45]  
 30. base-system@g.o
 32. media-video@g.o
 34. eradicator@g.o
 36. java@g.o
 38. amd64@g.o
 40. security@g.o
 42. games@g.o
 44. net-mail@g.o

New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Gentoo's Team for Core System packages[46], with 31 new bugs[47]  
 * AMD64 Porting Team[48], with 15 new bugs[49]  
 * Gentoo Games[50], with 13 new bugs[51]  
 * Gentoo Toolchain Maintainers[52], with 11 new bugs[53]  
 * osx porters[54], with 9 new bugs[55]  
 * media-video herd[56], with 9 new bugs[57]  
 * Gnustep herd[58], with 9 new bugs[59]  
 * Gentoo Linux Gnome Desktop Team[60], with 9 new bugs[61]  
 46. base-system@g.o
 48. amd64@g.o
 50. games@g.o
 52. toolchain@g.o
 54. osx@g.o
 56. media-video@g.o
 58. gnustep@g.o
 60. gnome@g.o

7. Tips and Tricks
OpenVPN primer
There are as many advantages to VPN tunnels as there are different VPN 
scenarios. One easy implementation is the "OpenVPN via tun-device" 
solution. An example: you'd like to connect your laptop to your LAN at 
home so that you can use your mail client without reconfiguring it anytime 
you switch from home to internet and back. Let's say your mail server is 
in your LAN at home, and you have a 
router/firewall providing access to the Internet. You connect from work or 
school and want to read mail. OpenVPN can create two virtual devices for 
you when connecting two computers through an encrypted tunnel. Naturally 
you then have the possibility of forwarding traffic into the networks 
behind them, and thus would be "virtually connected" to your LAN behind 
the firewall. To enable this, either your firewall or a server behind it 
should run OpenVPN (if you choose a server in your LAN, you'll have to 
forward the destination port to the OpenVPN server).
Here's what you need to do:
| Code Listing 7.1: Kernel config - tun                                   |
|Enable the tun module in your kernel:                                    |
|                                                                         |
|         [*] Networking support                                          |
|                Networking options  --->                                 |
|          [ ] Amateur Radio support  --->                                |
|          < > IrDA (infrared) subsystem support  --->                    |
|          < > Bluetooth subsystem support  --->                          |
|          [*] Network device support                                     |
|          < >   Dummy net driver support                                 |
|          < >   Bonding driver support                                   |
|          < >   EQL (serial line load balancing) support                 |
|          <M>   Universal TUN/TAP device driver support                  |
|                (this option must be enabled)                            |
Make sure this module exists and can be loaded. Next, install OpenVPN and 
its dependencies.
| Code Listing 7.2:                                                       |
|Install                                                                  |
|emerge openvpn                                                           |
Now on both server and client, create a directory for your configuration:
| Code Listing 7.3:                                                       |
|Make                                                                     |
|mkdir /etc/openvpn                                                       |
|mkdir /etc/openvpn/myhomelan                                             |
Inside that directory, create a shared key for your VPN session and copy 
that key to the client's directory, /etc/openvpn/myhomelan. Transfer it 
over a secure channel (scp, for instance) and keep it readable by root 
only: anyone who obtains this key can join the tunnel and decrypt its 
traffic.
| Code Listing 7.4:                                                       |
|Generate shared                                                          |
|cd /etc/openvpn/myhomelan                                                |
|openvpn --genkey --secret myhomelan-key.txt                              |
Now for the tricky part, the routing. It is important that the two tun 
devices on the client and server use IP addresses from the same subnet. 
The configuration files shown below list the type of device, the two 
end-points of the tunnel, the compression method and the UDP-port on which 
the tunnel is established. Finally privileges are dropped to user and 
group as listed:
| Code Listing 7.5: Server-side configuration file                        |
|dev tun                                                                  |
|ifconfig <local-tun-ip> <peer-tun-ip>   IP of the local tun device and   |
|                                         its peer                        |
|secret /etc/openvpn/myhomelan/myhomelan-key.txt                          |
|comp-lzo                                                                 |
|port 5000                                                                |
|user nobody                                                              |
|group nobody                                                             |
The client's configuration needs the tunnel's destination address. This is 
often a dynamic DNS address, sometimes a fixed IP, depending on your ISP. 
You also need a route to your home LAN. You can call a shell script from 
the configuration file that sets this route accordingly. 
| Code Listing 7.6: Client-side configuration file                        |
|remote <servers.dynamic.dns.address>   or your VPN server's external IP  |
|                                        if you have a fixed one          |
|dev tun                                                                  |
|ifconfig <local-tun-ip> <peer-tun-ip>   IP of the local tun device and   |
|                                         its peer                        |
|secret /etc/openvpn/myhomelan/myhomelan-key.txt                          |
|comp-lzo                                                                 |
|port 5000                                                                |
|user nobody                                                              |
|group nobody                                                             |
|up /etc/openvpn/myhomelan/<route-script>   sets up the route to the      |
|                                            network behind the VPN server|
The route command in that script needs to set the client's gateway for the 
home network to its peer's address, i.e. the server's tun address.
| Code Listing 7.7: Route script called via "up"                          |
|#!/bin/bash                                                              |
|route add -net <home-lan-network> netmask <home-lan-netmask> gw <server-tun-ip> |
That's it. Start OpenVPN on the server and the client, and check the 
devices with ifconfig and the routes with route -n. Success!
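The whole procedure above, collected into one script that writes the server 
configuration, the client configuration and the route script. This is an 
added example, not code from the GWN or from the OpenVPN project. Every 
address in it is an assumption chosen for illustration (home LAN 
192.168.1.0/24, tunnel endpoints 10.8.0.1 and 10.8.0.2), as are the file 
names server.conf, client.conf and myhomelan-up.sh. It goes beyond the 
listings in two places: it adds persist-key and persist-tun, because a 
daemon that has dropped to user nobody can no longer re-read the key or 
reopen the tun device on a restart, and it refuses to write anything if a 
tunnel endpoint lies inside the LAN that the route script would send 
through the tunnel. Keep in mind that a single static key serves one 
client and offers no forward secrecy; that is the price of this simple 
setup.

```shell
#!/bin/sh
# Added example (not from the GWN or the OpenVPN project): generate the
# static-key, tun-mode OpenVPN files described in the primer.
# All addresses are ASSUMPTIONS chosen for illustration. The tunnel
# endpoints must not overlap the LAN routed through the tunnel, nor the
# LAN the client sits on.
LAN_NET=192.168.1.0        # assumed home LAN behind the VPN server
LAN_MASK=255.255.255.0
TUN_SERVER=10.8.0.1        # assumed server-side tun address
TUN_CLIENT=10.8.0.2        # assumed client-side tun address
VPN_PORT=5000              # UDP port used in the primer

# dotted quad -> integer, for subnet arithmetic
ip2int() {
IFS=. read -r _a _b _c _d <<EOF
$1
EOF
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# in_subnet IP NET MASK: succeeds when IP lies inside NET/MASK
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Refuse tunnel endpoints that sit inside the LAN the route script will
# send through the tunnel, and identical endpoints.
check_addresses() {
    for _ep in "$TUN_SERVER" "$TUN_CLIENT"; do
        if in_subnet "$_ep" "$LAN_NET" "$LAN_MASK"; then
            echo "tunnel endpoint $_ep overlaps $LAN_NET/$LAN_MASK" >&2
            return 1
        fi
    done
    [ "$TUN_SERVER" != "$TUN_CLIENT" ]
}

# Server side: ifconfig takes the local tun address, then its peer.
# persist-key/persist-tun (added here) let the daemon survive a restart
# after it has dropped to nobody and can no longer reopen key or device.
server_conf() {   # $1 = config directory
    cat <<EOF
dev tun
ifconfig $TUN_SERVER $TUN_CLIENT
secret $1/myhomelan-key.txt
comp-lzo
port $VPN_PORT
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Client side: same options with the endpoints swapped, plus the server's
# public address and the up script that installs the route.
client_conf() {   # $1 = config directory, $2 = server DNS name or IP
    cat <<EOF
remote $2
dev tun
ifconfig $TUN_CLIENT $TUN_SERVER
secret $1/myhomelan-key.txt
comp-lzo
port $VPN_PORT
user nobody
group nobody
persist-key
persist-tun
up $1/myhomelan-up.sh
EOF
}

# The up script runs as root before privileges are dropped, so it can
# add the route to the home LAN via the server's tun address.
up_script() {
    cat <<EOF
#!/bin/sh
route add -net $LAN_NET netmask $LAN_MASK gw $TUN_SERVER
EOF
}

# write_configs DIR SERVER_ADDR: write the three files; generate the
# shared key only when openvpn is installed, and keep it root-readable only.
write_configs() {
    check_addresses || return 1
    mkdir -p "$1"
    server_conf "$1" > "$1/server.conf"
    client_conf "$1" "$2" > "$1/client.conf"
    up_script > "$1/myhomelan-up.sh"
    chmod 755 "$1/myhomelan-up.sh"
    if [ ! -f "$1/myhomelan-key.txt" ] && command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$1/myhomelan-key.txt"
    fi
    [ -f "$1/myhomelan-key.txt" ] && chmod 600 "$1/myhomelan-key.txt"
    return 0
}

# Usage: sh openvpn-static.sh /etc/openvpn/myhomelan vpn.example.org
if [ $# -ge 2 ]; then
    write_configs "$1" "$2"
fi
```

Run it once on the server, then copy the key file and client.conf to the 
same directory on the client; the secret path in both files is identical 
on purpose. The overlap check is the one worth keeping even if you change 
everything else: if a tunnel endpoint falls inside the routed LAN, the 
route script's gateway is reachable only through the route it is creating.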
8. Moves, adds, and changes
The following developers recently left the Gentoo team:
 * None this week 
The following developers recently joined the Gentoo Linux team:
 * None this week 
The following developers recently changed roles within the Gentoo Linux 
team:
 * None this week 
9. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 
email[62].

 62. gwn-feedback@g.o
10. GWN feedback
Please send us your feedback[63] and help make the GWN better.

 63. gwn-feedback@g.o
11. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under.
12. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[64] 
 * Dutch[65] 
 * English[66] 
 * German[67] 
 * French[68] 
 * Japanese[69] 
 * Italian[70] 
 * Polish[71] 
 * Portuguese (Brazil)[72] 
 * Portuguese (Portugal)[73] 
 * Russian[74] 
 * Spanish[75] 
 * Turkish[76] 

Ulrich Plate <plate@g.o> - Editor
Brian Downey <bdowney@×××××××××××.net> - Author
Marc Hildebrand <zypher@g.o> - Author
Patrick Lauer <patrick@g.o> - Author
Emmet Wagle <ewagle@×××××.com> - Author

gentoo-gwn@g.o mailing list