Gentoo Archives: gentoo-gwn

From: Yuji Carlos Kosugi <carlos@g.o>
To: gentoo-gwn@g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter - Volume 2, Issue 49
Date: Mon, 08 Dec 2003 11:43:59
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of December 8th, 2003.
1. Gentoo News
 * Gentoo: 2004 and beyond 
 * Gentoo server compromised 
 * 'emerge rsync' etiquette 
 * More Praise: Linux Journal 
We're very pleased to announce the launch of three major efforts: Gentoo 
Linux 2004, Portage-ng and catalyst. Starting with the next release of 
Gentoo Linux (Gentoo Linux 2004,) Gentoo Linux will move to a quarterly 
release schedule. More info is available in the Roadmap for Gentoo Linux 

 1. /proj/en/releng/
In addition, we're pleased to announce the start of development on 
"portage-ng," the successor to the ever-popular portage package manager. 
Learn more at our Portage project page[2] and our in-progress architecture 
specification document for Portage-ng development[3]. Portage-ng will be a 
true community effort, and we encourage you to get involved.

 2. /proj/en/portage/
 3. /proj/en/portage/portage-ng/systemspec.xml
And then there's catalyst. Starting with Gentoo Linux 2004, all releases 
(including LiveCDs) will be fully user-rebuildable using our new catalyst 
build technology. Using catalyst, Gentoo users will be able to easily 
create their own customized Gentoo releases, LiveCDs, GameCDs -- you name 
it. The current development version of catalyst[4] supports building 
stages and GRP sets on AMD64 (both 64-bit and 32-bit x86), x86 and 
PowerPC. LiveCD/GameCD building will be released by the end of the year. 
Keep up-to-date on catalyst by visiting our (currently sparse) catalyst 
project pages[5]. Enjoy!

 5. /proj/en/releng/catalyst/
Gentoo server compromised
On 2 December at approximately 03:45 UTC, one of the servers that makes up 
the rotation was compromised, possibly via a remotely 
exploitable rsync buffer overflow. Please also be sure to read 
GLSA-200312-02 and upgrade to kernels without the brk vulnerability.
The compromised system had both an IDS and a file integrity checker 
installed and we have a very detailed forensic trail of what happened once 
the box was breached, so we are reasonably confident that the portage tree 
stored on the box was unaffected. This box has been removed from all 
rsync.* rotations and will remain so until forensic analysis 
has been completed and it has been wiped and rebuilt. For more details, 
see the GLSA.
In regards to the hard work involved in logging, tracking down and fixing 
this rsync vulnerability, Gentoo would like to extend thanks to Andrea 
Barisani, Nedd Ludd, Kurt Lieber, and Corey Shields (of the Gentoo 
Infrastructure team,) Michael Warfield and the ISS[6] team, and the rsync 
development team for handling the recent issues. A special thanks goes to 
Dave Monnier, Lead Security Engineer for the Information Technology 
Security Office of Indiana University, and his team, for their assistance 
as well. 

'emerge rsync' etiquette
Over recent weeks we have noticed an increase in the number of connection 
attempts people make to the rsync servers per day. Because rsync is quite 
intensive on the server (both for CPU and disk access), syncing many times 
a day wastes a lot of resources apart from bandwidth; during the time it's 
processing such a request it could be serving someone else with a greater 
number of changes in their portage tree.
As such, we request that people endeavour to run `emerge sync' at most 
once or twice a day; if you have several machines in a LAN, then set up a 
local rsync mirror updating from `' instead of targetting 
any particular mirror.
We reserve the right to monitor users' connection-rates in order to 
preserve server performance.
More praise: Linux Journal
This week Gentoo Linux has received praise from another Linux periodical: 
Linux Journal[7]. In their review[8] of Gentoo, they say that "In addition 
to endless customization possibilities and performance improvements, 
Gentoo offers solid documentation and a strong community support base". 

2. Featured Developer of the Week
Arcady Genkin
Figure 2.1: Arcady Genkin
Our featured developer this week is Arcady Genkin[9] (agenkin), who helps 
maintain many of the sound and video ebuilds in portage, notably 
alsa-drivers and xine. His primary duties are implementing bug fixes and 
ensuring that ebuild packages remain current. He has significant 
experience as an Open-Source developer, having been a core developer on 
the Squirrelmail[10] project and the primary author of the nhmon[11] tool 
for simultaneous monitoring of a large number of hosts. 

 9. agenkin@g.o
Currently residing in downtown Toronto, Canada, Arcady is originally from 
St. Petersburg, Russia. He is a graduate of the Engineering School of 
Electronics in St. Petersburg, where he studied production of 
micro-electronic devices and technical translation. He also has a Honours 
Bachelor of Science in Computer Science from the University of Toronto. He 
works as a Systems Programmer/Administrator for the Department of Computer 
Science at the University of Toronto. The job primarily comprises 
programming various tools for automating systems administration and 
instructional assistance for Computer Science courses. According to 
Arcady, it is "the perfect mix of programming tasks, ranging from C, 
Python, Perl and PHP programming to keeping mail, DNS, web servers running 
to installing new software". 
Arcady's home environment contains six computers: a FreeBSD 
firewall/server, two workstations (his is the Gentoo one, we won't talk 
about his girlfriend's), a gentoo-based diskless multimedia station, and 
two notebooks (his runs Debian). At work, he has some responsibility for 
about 200 workstations, 50 Sun Sparc Ultra5 and Ultra10 X terminals, and a 
double-handful of servers. His workstation runs Gentoo. He is a KDE user 
(largely because of the reliable keyboard switching between Cyrillic and 
Latin). He launches XMMS[12] and Tkabber[13] at startup, and does much of 
his work in XEmacs[14]. 

Arcady enjoys hiking, skiing, watching movies, music and reading. He is 
currently learning French and reading Words by Sartre. He is fond enough 
of one of e.e. cummings poems to include it in his .sig: guilt is the 
cause of more disauders; than history's most obscene marorders. When asked 
about Gentoo, he told us that "Gentoo Linux can be a very convenient tool 
in experienced hands; its main advantage is that it is very customizable: 
it is extremely easy to add new packages to it, or modify existing ones, 
including the packages of the base system". 
3. Gentoo Security
 * GLSA: rotation server compromised 
 * GLSA: exploitable overflow in rsync 
 * GLSA: kernel 
 * New Security Bug Reports 
GLSA: rotation server compromised
On December 2nd at approximately 03:45 UTC, one of the servers that makes 
up the rotation was compromised via a remote exploit. At 
this point, we are still performing forensic analysis. However, the 
compromised system had both an IDS and a file integrity checker installed 
and we have a very detailed forensic trail of what happened once the box 
was breached, so we are reasonably confident that the portage tree stored 
on that box wasunaffected.
The attacker appears to have installed a rootkit and modified/deleted some 
files to cover their tracks, but left the server otherwise untouched. The 
box was in a compromised state for approximately one hour before it was 
discovered and shut down. During this time, approximately 20 users 
synchronized against the portage mirror stored on this box. The method 
used to gain access to the box remotely is still under investigation. We 
will release more details once we have ascertained the cause of the remote 
This box is not an official Gentoo infrastructure box and is instead 
donated by a sponsor. The box provides other services as well and the 
sponsor has requested that we not publicly identify the box at this time. 
Because the Gentoo part of this box appears to be unaffected by this 
exploit, we are currently honoring the sponsor's request. That said, if at 
any point, we determine that any file in the portage tree was modified in 
any way, we will release full details about the compromised server. 
 * Severity: Normal 
 * Rectification: emerge sync 
 * GLSA Announcement[15] 
GLSA: kernel
Lack of proper bounds checking exists in the do_brk() kernel function in 
Linux kernels prior to 2.4.23. This bug can be used to give a userland 
program or malicious service access to the full kernel address space and 
gain root privileges. This issue is known to be exploitable.
All kernel ebuilds in Portage have been bumped or patched and do not 
contain this vulnerability. The following is a list of recommended kernels.
 * aa-sources-2.4.23_pre6-r3 
 * ck-sources-2.4.22-r3 
 * gentoo-sources-2.4.20-r9 
 * gentoo-sources-2.4.22-r1 
 * grsec-sources- 
 * grsec-sources- 
 * gs-sources-2.4.23_pre8-r1 
 * hardened-sources-2.4.22-r1 
 * hardened-sources-2.4.22-r1 
 * ia64-sources-2.4.22-r1 
 * mips-sources-2.4.22-r4 
 * mips-sources-2.4.22-r5 
 * openmosix-sources-2.4.22-r1 
 * ppc-sources-2.4.22-r3 
 * ppc-sources-benh-2.4.20-r9 
 * ppc-sources-benh-2.4.21-r2 
 * ppc-sources-benh-2.4.22-r3 
 * ppc-sources-crypto-2.4.20-r1 
 * selinux-sources-2.4.21-r5 
 * sparc-sources-2.4.23 
 * usermode-sources-2.4.22-r1 
 * wolk-sources-4.10_pre7-r1 
 * wolk-sources-4.9-r2 
 * xfs-sources-2.4.20-r4 
 * Severity: High 
 * Packages Affected: <2.4.22 
 * Rectification: emerge sync; emerge -pv [your preferred kernel sources]; 
emerge [your preferred kernel sources]; [update the /usr/src/linux 
symlink]; [compile and install your new kernel]; [emerge any necessary 
kernel module ebuilds]; [reboot];  
 * GLSA Announcement[16] 
GLSA: exploitable overflow in rsync
Rsync version 2.5.6 contains a vulnerability that can be used to run 
arbitrary code. The Gentoo infrastructure team has some reasonably good 
forensic evidence that this exploit may have been used in combination with 
the Linux kernel brk vulnerability (see GLSA 200312-02) to exploit a rotation server (see GLSA-200312-01.) 
Please see for the security advisory 
released by the rsync development team.
 * Severity: High 
 * Packages Affected: <2.5.6 
 * Rectification: emerge sync; emerge >=net-misc/rsync-2.5.7 
 * GLSA Announcement[17] 
New Security Bug Reports
The following new security bugs were posted this week: 
 * net-misc/rsync[18] 
4. Heard in the Community
Compromised Rsync Forum Fallout
Well, yes, of course, the unfortunate attack on one of the servers in 
Gentoo's community-driven rsync round-robin server structure had its 
repercussions on the forums, too. Quick overview of the more eminent 
threads covering this mishap and the way it was dealt with:
 * rotation server compromised (200312-01)[19] 
 * zdnet - Hacked Gentoo Linux server taken offline[20] 
 * compromesso[21](Italian) 
 * [OT] rsync-Server laut heise gehackt[22](German) 
Growing demand for the unstable Gimp 1.3 development series has led to a 
number of threads last week, half of which ended up in the dups bin... 
Information on how to build the new Gimp, what works and what doesn't (the 
SANE scanner plugin, sadly, appears to be broken):
 * upgrade to unstable gimp[23] 
 * gimp & non-english characters[24] 
Annoying Terminals 
Frustrated with his Bash terminal window wrapping long lines of text into 
the same line, list member Helder asked for help. Read on[25] for a great 
tip for keeping your terminal session updated on how large your text 
console or window size is. 

More CFLAGS benchmarking 
In the latest mailing list CFLAGS thread, the -O parameter is discussed. 
Check out what some other users thought as well as some test results  

Kernel modules rebuilder.
Whenever you upgrade your kernel, there are always some packages that need 
rebuilding. Well here is[27] a handy little program that finds all those 
packages for you, and rebuilds them for you as well! Also in the replies 
are some other options to do similar things.

5. Gentoo International
Italy: Gentoo Day 29 November 2003
All too quietly, the Italian Linux Day in Venice[28] organised by the 
Venezia Free Software Users Group[29] passed us by on Saturday 29 
November, particularly embarrassing because the GECHI[30] (an acronym for 
"Gentoo CHannel Italy" also meaning "gecco" in Italian) hijacked the 
occasion to organise their first Gentoo Day! Gilberto de Faveri aka 
MyZelF[31] held a presentation[32] about Gentoo Linux, and the foto 
album[33] illustrates some other things that happened in the course of the 
event. Now, had they wanted an announcement of the event before the 
scheduled date, they'd surely would have told us[34], wouldn't they...

 34. gentoo-gwn-feedback@g.o
Germany: Yet Another Oberhausen GLUM
Gentoo Linux User Meetings (GLUMs) seem to be particularly popular in 
Germany. Gentooists in Oberhausen, the unofficial heart of the Ruhrgebiet 
region, have scheduled a follow-up meeting to their first gathering two 
months ago, to be held at Gasthof Harlos[35] in Oberhausen on 10 December 
2003. Details are to be had via a mailing list 
(gentoo-treffen@×××××××××××.de, subscribe by sending a message to 
gentoo-treffen-subscribe at the same TLD) or via this Forum thread[36]. 

6. Bugzilla
 * Statistics 
 * Closed Bug Ranking 
 * New Bug Rankings 
The Gentoo community uses Bugzilla ([37]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 28 November 2003 and 04 December 2003, activity 
on the site has resulted in: 

 * 429 new bugs during this period 
 * 215 bugs closed or resolved during this period 
 * 13 previously closed bugs were reopened this period 
Of the 4328 currently open bugs: 91 are labeled 'blocker', 183 are labeled 
'critical', and 321 are labeled 'major'. 
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period 
 * Gentoo Games[38], with 22 closed bugs[39]  
 * Portage Team[40], with 16 closed bugs[41]  
 * Seemant Kulleen[42], with 10 closed bugs[43]  
 * Mike Frysinger[44], with 8 closed bugs[45]  
 * Net-Mail Packages[46], with 8 closed bugs[47]  
 * Gentoo KDE Team[48], with 8 closed bugs[49]  
 * AMD64 Porting Team[50], with 8 closed bugs[51]  
 38. games@g.o
 40. dev-portage@g.o
 42. seemant@g.o
 44. vapier@g.o
 46. net-mail@g.o
 48. kde@g.o
 50. amd64@g.o
New Bug Rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Gentoo Sound Team[52], with 12 new bugs[53]  
 * Gentoo Linux Gnome Desktop Team[54], with 8 new bugs[55]  
 * Portage Team[56], with 8 new bugs[57]  
 * x86 Kernel Team[58], with 7 new bugs[59]  
 * Net-Mail Packages[60], with 7 new bugs[61]  
 52. sound@g.o
 54. gnome@g.o
 56. dev-portage@g.o
 58. x86-kernel@g.o
 60. net-mail@g.o
7. Tips and Tricks
Backup up files with tar
This weeks tip demonstrates a quick way to back up files using tar.
One of the options for tar is -T which allows you to specify which files 
should go in the tar archive. So, create a file named backup.confand list 
all files or directories you want backed up in this file (one per line). 
Then run tar and specify -T backup.conf.
| Code Listing 7.1:                                                       |
| backup.conf                                                             |
|                                                                         |
|# cat >> /etc/backup.conf                                                |
|# /etc/passwd                                                            |
|# /etc/shadow                                                            |
|# /etc/group                                                             |
|# /etc/make.conf                                                         |
|# /etc/postfix                                                           |
|# EOF                                                                    |
|                                                                         |
|Add more files/directories as necessary                                  |
|                                                                         |
Now use tar to create a backup archive of your files.
| Code Listing 7.2:                                                       |
| tar -T                                                                  |
|                                                                         |
|# tar -cjf backup-`date +%Y-%m-%d`.tar.bz2 -T /etc/backup.conf          |
|                                                                         |
This will archive your files in a file named backup-YYYY-MM-DD.tar.bz2 
(where YYYY is the year, MM is the month, and DD is the day).
Note: You could also specify an absolute path such as 
/backups/backup-`date` and run the command as a script 
from cron on a recurring basis.
8. Moves, Adds, and Changes
The following developers recently left the Gentoo team: 

 * none this week 
The following developers recently joined the Gentoo Linux team:
 * none this week 
The following developers recently changed roles within the Gentoo Linux 
 * none this week 
9. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 

 62. gwn-feedback@g.o
10. GWN Feedback
Please send us your feedback[63] and help make the GWN better.

 63. gwn-feedback@g.o
11. GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under.
12. Other Languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Dutch[64] 
 * English[65] 
 * German[66] 
 * French[67] 
 * Japanese[68] 
 * Italian[69] 
 * Polish[70] 
 * Portuguese (Brazil)[71] 
 * Portuguese (Portugal)[72] 
 * Russian[73] 
 * Spanish[74] 
 * Turkish[75] 

Yuji Carlos Kosugi <carlos@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Contributor
Brian Downey <bdowney@×××××××××××.net> - Contributor
Luke Giuliani <cold_flame@×××××.com> - Contributor
Shawn Jonnet <shawn.jonnet@×××××××.net> - Contributor
Michael Kohl <citizen428@g.o> - Contributor
Kurt Lieber <klieber@g.o> - Contributor
Rafael Cordones Marcos <rcm@×××××××.net> - Contributor
David Narayan <david@×××××××.net> - Contributor
Gerald J Normandin Jr. <gerrynjr@g.o> - Contributor
Ulrich Plate <plate@g.o> - Contributor
Hendrik Eeckhaut <Hendrik.Eeckhaut@×××××.be> - Dutch Translation
Jorn Eilander <sephiroth@××××××××.nl> - Dutch Translation
Bernard Kerckenaere <bernieke@××××××××.com> - Dutch Translation
Peter ter Borg <peter@××××××.nl> - Dutch Translation
Jochen Maes <linux@××××.be> - Dutch Translation
Roderick Goessen <rgoessen@××××.nl> - Dutch Translation
Gerard van den Berg <gerard@××××××.net> - Dutch Translation
Matthieu Montaudouin <mat@××××××××.com> - French Translation
Xavier Neys <neysx@g.o> - French Translation
Martin Prieto <riverdale@×××××××××.org> - French Translation
Antoine Raillon <cabec2@××××××.net> - French Translation
Sebastien Cevey <seb@×××××.net> - French Translation
Jean-Christophe Choisy <mabouya@××××××××××××.org> - French Translation
Thomas Raschbacher <lordvan@g.o> - German Translation
Steffen Lassahn <madeagle@g.o> - German Translation
Matthias F. Brandstetter <haim@g.o> - German Translation
Lukas Domagala <Cyrik@g.o> - German Translation
Tobias Scherbaum <dertobi123@g.o> - German Translation
Daniel Gerholdt <Sputnik1969@g.o> - German Translation
Marc Herren <dj-submerge@g.o> - German Translation
Tobias Matzat <SirSeoman@g.o> - German Translation
Marco Mascherpa <mush@××××××.net> - Italian Translation
Claudio Merloni <paper@×××××××.it> - Italian Translation
Christian Apolloni <bsolar@×××××××.ch> - Italian Translation
Stefano Lucidi <stefano.lucidi@×××××××××××××.org> - Italian Translation
Yoshiaki Hagihara <hagi@×××.com> - Japanese Translation
Katsuyuki Konno <katuyuki@××××××××.jp> - Japanese Translation
Yuji Carlos Kosugi <carlos@g.o> - Japanese Translation
Yasunori Fukudome <yasunori@××××××××××××××××.uk> - Japanese Translation
Takashi Ota <088@××××××××××.jp> - Japanese Translation
Radoslaw Janeczko <sototh@×××.pl> - Polish Translation
Lukasz Strzygowski <lucass.home@××.pl> - Polish Translation
Michal Drobek <veng@××.pl> - Polish Translation
Adam Lyjak <apo@××××××××××××××××××××.pl> - Polish Translation
Krzysztof Klimonda <cthulhu@×××××××××.net> - Polish Translation
Atila "Jedi" Bohlke Vasconcelos <bohlke@×××××××××.br> - Portuguese 
(Brazil) Translation
Eduardo Belloti <dudu@××××××××.net> - Portuguese (Brazil) Translation
Jo達o Rafael Moraes Nicola <joaoraf@×××××××××.br> - Portuguese (Brazil) 
Marcelo Gon巽alves de Azambuja <mgazambuja@×××××××××.br> - Portuguese 
(Brazil) Translation
Otavio Rodolfo Piske <angusy@××××××××.org> - Portuguese (Brazil) 
Pablo N. Hess -- NatuNobilis <natunobilis@××××××××.org> - Portuguese 
(Brazil) Translation
Pedro de Medeiros <pzilla@××××××××.br> - Portuguese (Brazil) Translation
Ventura Barbeiro <venturasbarbeiro@××××××.br> - Portuguese (Brazil) 
Bruno Ferreira <blueroom@××××××××××××.net> - Portuguese (Portugal) 
Gustavo Felisberto <humpback@××××××××××.net> - Portuguese (Portugal) 
Jos辿 Costa <jose_costa@×××××××.pt> - Portuguese (Portugal) Translation
Luis Medina <metalgodin@×××××××××.org> - Portuguese (Portugal) Translation
Ricardo Loureiro <rjlouro@×××××××.org> - Portuguese (Portugal) Translation
Sergey Galkin <gals_home@××××.ru> - Russian Translator
Sergey Kuleshov <svyatogor@g.o> - Russian Translator
Alex Spirin <asp13@××××.ru> - Russian Translator
Dmitry Suzdalev <dimsuz@××××.ru> - Russian Translator
Anton Vorovatov <mazurous@××××.ru> - Russian Translator
Denis Zaletov <dzaletov@×××××××.ru> - Russian Translator
Lanark <lanark@××××××××××.ar> - Spanish Translation
Fernando J. Pereda <ferdy@××××××.org> - Spanish Translation
Lluis Peinado Cifuentes <lpeinado@×××.edu> - Spanish Translation
Zephryn Xirdal T <ZEPHRYNXIRDAL@××××××××××.net> - Spanish Translation
Guillermo Juarez <katossi@××××××××××××××××.es> - Spanish Translation
Jes炭s Garc鱈a Crespo <correo@××××××.com> - Spanish Translation
Carlos Castillo <carlos@×××××××××××××.com> - Spanish Translation
Julio Castillo <julio@×××××××××××××.com> - Spanish Translation
Sergio G坦mez <s3r@××××××××××××.ar> - Spanish Translation
Aycan Irican <aycan@××××××××.tr> - Turkish Translation
Bugra Cakir <bugra@×××××××××.com> - Turkish Translation
Cagil Seker <cagils@××××××××××.tr> - Turkish Translation
Emre Kazdagli <emre@××××××××.tr> - Turkish Translation
Evrim Ulu <evrim@××××××××.tr> - Turkish Translation
Gursel Kaynak <gurcell@××××××××.tr> - Turkish Translation