Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@××××××××××××.org
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 22 November 2004
Date: Mon, 22 Nov 2004 02:49:06
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 15 November 2004.
1. Gentoo News
Gentoo 2004.3 x86 release on DVD
The Gentoo Store[1] now delivers the entire 2004.3 release for the x86 
architecture, including all binary packages for the supported 
subarchitectures (x86, i686, Pentium 3, Pentium 4 and Athlon XP) on a 
single bootable DVD.
It also provides a set of two DVDs that contains a complete archive of the 
2004.3 release distfiles, including all necessary source code except for 
the games category that was omitted for space reasons. The store profits 
go partly to the Gentoo Foundation, helping in establishing the 
not-for-profit entity, the server infrastructure and other Gentoo 
development-related support. 
Gentoo documentation updates and extensions
A flurry of activity coming from kernel developer Daniel Drake[2] has 
enriched the Gentoo documentation last week. Aside from updates to 
numerous kernel guides and primers, he also authored a mantelpiece for the 
Gentoo documentation collection, a brand-new "Complete Gentoo Linux 2.6 
Migration Guide"[3] that answers all the questions that Gentoo users 
moving on from the 2.4 kernel series may have.
 2. dsd@g.o
On the workflow side of things the documentation team has been preoccupied 
with a few shortcomings of AxKit for a while, i.e. the XML preprocessor 
responsible for converting the internal XML structure of all web-hosted 
content at to HTML. AxKit is running only with Apache v1, 
for example, and looks somewhat unmaintained with its lack of significant 
updates for some time. Xavier Neys[4] and Sven Vermeulen[5] have therefore 
started replacing AxKit with gorg[6], its promising successor capable of 
delivering the missing features. As always, the update page[7] of the 
documentation project has all these and other important changes, including 
some gruesome work done on existing files to make the translators' job a 
little easier.
 4. neysx@g.o
 5. swift@g.o
2. Future zone
Portage CVS
Sometimes it's nice to show to the users that there's a fair amount of 
work going into Portage, despite the gaps between stable releases. Portage 
2.0.51 hasn't been out more than a month, but its CVS version now has - in 
a mostly stable fashion - the following features:
 * confcache 
 * prelink (auto-prelink binaries as they are merged) 
 * verify-rdepend (verify a package links only to stated rdepends) 
 * userpriv_fakeroot (run install phase under fakeroot, removing the need 
for root privs from all building phases but setup) 
Aside from feature additions, and code cleanup that's already started, 
--regen (checking and updating the dependency path) is now 33% faster, and 
metadata updates (post rsync'ing) are quicker by almost half in baseline 
Then there's the work on the environment settings. Ebuilds now should be 
able to be completely uninstalled without anything of the tree existing. 
Nothing but the relevant profile is needed for this, which basically means 
that Portage developers can start modifying eclasses again without having 
to worry about backwards compatibility going back years. 
Also - nifty little trick - the old "I updated ssl, got shifted, 
and now wget won't work and I can't fetch any sources" issue is addressed 
via a bundled Python-based fetch implementation - if the exit code from 
the fetch call is indicative of missing libraries or binaries, it tries 
the bundled lib instead. In tests Brian Herring has done in a system 
gutted of openssl, the bundled lib has soldiered on, promising that users 
could get out of that jam. 
Some work is going into sync refactoring, too: The CVS format was made 
more flexible, and snapshot support was added in, meaning the need for 
emerge-webrsync is vanishing. 
The CVS development is a bit embryonic at the moment, with a lot of work 
left, but these and more changes will not take long before they come your 
way - the diff between portage-2.0.51 and the version in CVS is already 
larger than 400KB. 
3. Gentoo security
Ruby: Denial of Service issue
The CGI module in Ruby can be sent into an infinite loop, resulting in a 
Denial of Service condition. 
For more information, please see the GLSA Announcement[8] 
BNC: Buffer overflow vulnerability
BNC contains a buffer overflow vulnerability that may lead to Denial of 
Service and execution of arbitrary code. 
For more information, please see the GLSA Announcement[9] 
SquirrelMail: Encoded text XSS vulnerability
Squirrelmail fails to properly sanitize user input, which could lead to a 
compromise of webmail accounts. 
For more information, please see the GLSA Announcement[10] 
GIMPS, SETI@home, ChessBrain: Insecure installation
Improper file ownership allows user-owned files to be run with root 
privileges by init scripts. 
For more information, please see the GLSA Announcement[11] 
Fcron: Multiple vulnerabilities
Multiple vulnerabilities in Fcron can allow a local user to potentially 
cause a Denial of Service. 
For more information, please see the GLSA Announcement[12] 
4. Heard in the community
Web forums
CD burning and Gentoo kernel 2.6.9
Gentoo developer Daniel Drake[13] is soliciting testers for a replacement 
bugfix he's done on Gentoo's development kernel (and managed to get 
included in the official tree for 2.6.10). As CD and DVD burning has been 
under fire since 2.6.7 because of security concerns with simulated SCSI 
commands being sent to the devices, fixes that weren't making things any 
better had to be replaced with a saner approach. Check this thread and 
tell him what you think: 
 13. dsd@g.o
 * Request for testing: CD/DVD writing on 2.6.9[14] 
RAM-voracious ebuilds?
What can be done if during installation an ebuild needs lots of RAM 
(gtk2hs) or large amounts of disk space ( Since the build 
process might fail on some systems, it would be useful to have portage 
check these resources before starting the build. Is there a sane and 
cross-platform way of doing this? /proc/ does not exist on all platforms, 
after all. 
 * what to do when an ebuild needs loads of RAM?[15] 
Handling important upgrade messages
Many ebuilds give important hints about changes in behaviour, 
configuration files etc. These messages are spewed to the screen during 
the installation, and therefore usually scroll away during multi-package 
upgrades. This prevents users from seeing many important messages in an 
easy way (and no, sitting eight hours watching the messages scroll by 
doesn't count). This thread explores the possibilities of collecting these 
messages so that they can be presented all at once. 
 * Handling important upgrade messages[16] 
5. Gentoo International
UK: Oxford Gentoo User Meeting
Hardly surprising, coming to think of it: Since Gentoo users in "that 
other city"[17] met two weeks ago, Oxford-based Gentooists have been 
thinking out loud that they can't possibly let this pass. They'll be 
meeting for the first time on Sunday afternoon, 28 November 2004 from 
15:00, at the "Far From The Madding Crowd"[18] in 10-12 Friar's Entry. Half 
a dozen Oxfordian Gentooists have already confirmed, with shadow Portage 
bash-scripter Edward Catmur[19] expected at the venue, and Gentoo 
developer robmoss[20] hiking to Oxford on a full 500 mile roundtrip just 
for this event. Announce your participation in this Forum thread[21].
 20. robmoss@g.o
6. Gentoo in the press
2004.3 Release announcements roundup
Last week's release of Gentoo Linux 2004.3 triggered a large number of 
publications about Gentoo. Here's a list of some of the shinier 
highlights, many of them with comment areas below the article:
 * Austrian newspaper "Der Standard"[22] 
 * German IT news[23] 
 * German Windows (sic!) Online Magazine [24] 
 * OSzine (German language open source magazine)[25] 
 * The Japanese "PC Web" finds the G5 (ppc64) support in 2004.3 most 
 * French PC INpact (rightfully) points out the Gentoo 2004.3 comes out 
just four days before the Beaujolais Primeur.[27] 
 * French PC magazine[28] 
 * Another French electronic newspaper.[29] 
 * Download sources for kazaa/eDonkey and other file sharing services [30] 
 * OS News' Eugenia Loli-Queru forwards the Gentoo 2004.3 
 * Linux Electrons - "Linux with a hardware slant"[32] 
Business Wire (20 November 2004)
Business Wire[33] announces that the speaker list for next year's big 
"Security Enhanced Linux" (SELinux) symposium is now confirmed, and it 
mentions Gentoo as one of the organisations to be present and presenting 
at the SELinux Symposium[34], scheduled for 2-4 March 2005 in Silver 
Spring, Maryland. What the article doesn't say: The Gentooist involved in 
this conference is Gentoo developer Joshua Brindle[35].
7. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla ([36]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 07 November 2004 and 14 November 2004, activity 
on the site has resulted in: 
 * 795 new bugs during this period 
 * 548 bugs closed or resolved during this period 
 * 29 previously closed bugs were reopened this period 
Of the 7397 currently open bugs: 129 are labeled 'blocker', 240 are 
labeled 'critical', and 556 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
 * AMD64 Porting Team[37], with 40 closed bugs[38]  
 * Gentoo Games[39], with 28 closed bugs[40]  
 * Gentoo's Team for Core System packages[41], with 27 closed bugs[42]  
 * Mozilla Gentoo Team[43], with 26 closed bugs[44]  
 * media-video herd[45], with 25 closed bugs[46]  
 * Paul de Vrieze[47], with 21 closed bugs[48]  
 * SpanKY[49], with 20 closed bugs[50]  
 * Gentoo Security[51], with 17 closed bugs[52]  
 37. amd64@g.o
 39. games@g.o
 41. base-system@g.o
 43. mozilla@g.o
 45. media-video@g.o
 47. pauldv@g.o
 49. vapier@g.o
 51. security@g.o
New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Gentoo's Team for Core System packages[53], with 23 new bugs[54]  
 * Gentoo X-windows packagers[55], with 19 new bugs[56]  
 * Java team[57], with 15 new bugs[58]  
 * Mozilla Gentoo Team[59], with 14 new bugs[60]  
 * AMD64 Porting Team[61], with 14 new bugs[62]  
 * Gentoo Linux Gnome Desktop Team[63], with 13 new bugs[64]  
 * Chris White[65], with 10 new bugs[66]  
 * Gentoo Toolchain Maintainers[67], with 9 new bugs[68]  
 53. base-system@g.o
 55. x11@g.o
 57. java@g.o
 59. mozilla@g.o
 61. amd64@g.o
 63. gnome@g.o
 65. chriswhite@g.o
 67. toolchain@g.o
8. Tips and Tricks
Portage magic
/var/log/emerge.log is well-known as the central repository of information 
about all emerge activity going on in the system. Lesser known are some tricks 
you can do with the content of that log file. For example, when you start 
an upgrade, you generally don't know how much time it will take to finish 
compiling. You probably don't remember how long your last mplayer 
installation took, but Portage does, and if you'd decipher the Unix time 
stamps in /var/log/emerge.log, you'd get a pretty good idea, too. Or you 
could let app-portage/genlop do it for you. Emerge (the unstable, ~arch 
version of) genlop with:
| Code Listing 8.1:                                                       |
|Emerge                                                                   |
|                                                                         |
|#emerge -av genlop                                                       |
|                                                                         |
Now run a pretended world upgrade and pipe it to genlop for an estimation 
of your upgrade schedule:
| Code Listing 8.2:                                                       |
|Estimate upgrade                                                         |
|                                                                         |
|#emerge -pu world | genlop --pretend                                     |
|These are the pretended packages: (this may take a while; wait...)       |
|                                                                         |
| * media-libs/tiff                                                       |
| * x11-base/xorg-x11                                                     |
| * app-sci/stellarium                                                    |
| * app-arch/gzip                                                         |
| * dev-libs/libIDL                                                       |
| * net-www/mozilla-firefox                                               |
| * sys-boot/lilo                                                         |
| * app-doc/abs-guide                                                     |
| * app-arch/unarj                                                        |
| * app-emulation/wine                                                    |
| * app-admin/sudo                                                        |
|                                                                         |
|Estimated update time: 4 hours, 38 minutes.                              |
|                                                                         |
A look at the mechanism explains how Portage can double as an oracle. It 
uses the statistics stored in the emerge.log file, takes an average of 
compilation times for given packages, and summarizes the results. There are 
some uncertainties, of course, for example if you use the CCACHE feature, 
then compile times for a minor version bump may be much faster than the 
original package took compiling the first time. On the other hand, if an 
application has been extended with new features, the old average compile 
time can be shorter than the version you're about to emerge.
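
The averaging described above, sketched as an added example (this is not genlop's own code, and not part of the original newsletter). The log lines are constructed in the emerge.log layout of a Unix time stamp followed by a start or completion marker; the function names are hypothetical. A merge that never logged a completion is ignored, and packages without history are reported instead of guessed.

```python
import re
from collections import defaultdict

# Constructed sample in emerge.log layout (not taken from a real system).
SAMPLE_LOG = """\
1100000000: Started emerge on: Nov 09, 2004 11:33:20
1100000010:  >>> emerge (1 of 2) app-arch/gzip-1.3.5-r1 to /
1100000070:  ::: completed emerge (1 of 2) app-arch/gzip-1.3.5-r1 to /
1100000080:  >>> emerge (2 of 2) app-admin/sudo-1.6.7_p5-r1 to /
1100000380:  ::: completed emerge (2 of 2) app-admin/sudo-1.6.7_p5-r1 to /
1100500000:  >>> emerge (1 of 1) app-arch/gzip-1.3.5-r2 to /
1100500100:  ::: completed emerge (1 of 1) app-arch/gzip-1.3.5-r2 to /
1100600000:  >>> emerge (1 of 1) app-admin/sudo-1.6.8_p1 to /
1100600050:  *** terminating.
"""

# Time stamp, start/completion marker, then the category/package-version atom.
LINE = re.compile(
    r"^(\d+):\s+(>>>|:::\s+completed)\s+emerge\s+\(\d+ of \d+\)\s+(\S+)\s+to\s")
# Trailing "-<version>[-r<revision>]", stripped so all versions share one average.
VERSION = re.compile(r"-\d[^-]*(?:-r\d+)?$")


def merge_durations(log_text):
    """Return {category/package: [seconds, ...]} for merges that completed."""
    started = {}                       # atom -> time stamp of its last start
    durations = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                   # sync, unmerge and status lines
        stamp, marker, atom = int(m.group(1)), m.group(2), m.group(3)
        if marker == ">>>":
            started[atom] = stamp      # a restart replaces an aborted attempt
        elif atom in started:
            name = VERSION.sub("", atom)
            durations[name].append(stamp - started.pop(atom))
    return dict(durations)


def estimate(log_text, pending):
    """Sum the average past merge time per pending package; list unknowns."""
    history = merge_durations(log_text)
    total, unknown = 0.0, []
    for name in pending:
        runs = history.get(name)
        if runs:
            total += sum(runs) / len(runs)
        else:
            unknown.append(name)       # never merged here: no basis for a guess
    return total, unknown
```
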
Another brilliant feature of genlop is its --current option, the perfect 
companion to the estimated compile-time from --pretend:
| Code Listing 8.3:                                                       |
|How much time spent since the beginning of an                            |
|                                                                         |
|# genlop --current                                                       |
|                                                                         |
| * app-portage/splat-0.07                                                |
|                                                                         |
|       current merge time: 12 seconds.                                   |
|                                                                         |
Now you can tell how long you have to wait.
9. Moves, adds, and changes
The following developers recently left the Gentoo team:
 * None this week 
The following developers recently joined the Gentoo Linux team:
 * None this week 
The following developers recently changed roles within the Gentoo Linux 
 * None this week 
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 
 69. gwn-feedback@g.o
11. GWN feedback
Please send us your feedback[70] and help make the GWN better.
 70. gwn-feedback@g.o
12. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under.
13. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[71] 
 * Dutch[72] 
 * English[73] 
 * German[74] 
 * French[75] 
 * Japanese[76] 
 * Italian[77] 
 * Polish[78] 
 * Portuguese (Brazil)[79] 
 * Portuguese (Portugal)[80] 
 * Russian[81] 
 * Spanish[82] 
 * Turkish[83] 
Ulrich Plate <plate@g.o> - Editor
Brian Herring <ferringb@g.o> - Author
Patrick Lauer <patrick@g.o> - Author

gentoo-gwn@g.o mailing list