Gentoo Archives: gentoo-gwn

From: Kurt Lieber <klieber@g.o>
To: gentoo-gwn@g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter -- Volume 2, Issue 4
Date: Mon, 27 Jan 2003 03:18:00
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of January 27th, 2003.
1. Gentoo News

 * Gentoo Linux at LinuxWorld Expo 
 * GLSAs being integrated into Portage 
Gentoo Linux at LinuxWorld Expo
Gentoo Linux had a strong showing at last week's LinuxWorld Expo. Showing 
off the recently-released Linux port of Unreal Tournament 2003, the Gentoo 
booth drew large crowds throughout the show. Many of the attendees were 
unfamiliar with Gentoo Linux, so this was a great opportunity to educate a 
highly-targeted audience about the many benefits of Gentoo. While we 
received inquiries from a wide range of people, there seemed to be a 
specific interest from the scientific community, with several attendees 
expressing an interest in using Gentoo Linux for their research projects. 
It was also a great opportunity for many of the developers and avid Gentoo 
users to finally meet face to face. All told, nearly a dozen developers 
showed up for part or all of the show. Amazingly, few people looked like 
they do on IRC. For those who were unable to attend LWE, we've included a 
few pictures with this week's issue. 
Figure 1.1: The Gentoo Linux booth at LinuxWorld Expo
Figure 1.2: Gerk spent much of his time burning CDs for attendees
Figure 1.3: Seemant Kulleen (left) and Daniel Robbins
GLSAs being integrated into Portage
Nick Jones announced his intention to integrate Gentoo Linux Security 
Announcements into Portage. The proposed method is converting GLSAs to XML 
format to allow for easy integration into Portage, allowing users to only 
update packages that are affected by GLSAs. While the details still need 
to be worked out, this will certainly be a welcome feature by many Gentoo 
users and will make running Gentoo on servers where stability is paramount 
an easier task. 
2. Gentoo Security
 * GLSA: vim vim-core gvim 
 * GLSA: cvs 
 * GLSA: kde-2.2.x 
 * New Security Bug Reports 
GLSA: vim vim-core gvim
The vim editor and associated packages contain a bug which permits 
execution of un-sandboxed modeline commands. This permits a maliciously 
crafted textfile to execute arbitrary code with the user's privileges. The 
advisory also notes an unconfirmed report of a similar problem with local 
variables in emacs. An exploit has been demonstrated. 
 * Severity: Moderate to High - arbitrary code execution. 
 * Packages Affected: app-editors/vim-core (prior to 6-1-r4), vim (prior 
   to 6.1-r19), gvim (prior to 6.1-r6). 
 * Rectification: Synchronize and emerge -u vim-core vim gvim 
 * GLSA Announcement[1] 
 * Advisory[2] 

GLSA: cvs
Maliciously malformed directory names can be used to trigger an error in 
CVS that can result in a global pointer being freed twice. This condition 
could be used to determine heap memory locations as a prelude to other 
attacks using the CVS servers' privilege level (potentially root). No 
exploits in the wild are reported. 
 * Severity: Critical - remote information leak, security exposure of 
   systems vulnerable to double-free pointer bugs. 
 * Packages Affected: dev-util/cvs versions prior to 1.11.5 
 * Rectification: Synchronize and emerge -u cvs 
 * GLSA Announcement[3] 
 * Advisory[4] 

GLSA: kde-2.2.x
In some cases, KDE may fail to properly quote execution parameters. This 
could permit arbitrary command execution (with the target user's 
privileges) through the use of carefully crafted URLs, email addresses and 
filenames. Exploits have been demonstrated. This report is related to an 
earlier report[5] of a vulnerability in kde-3.0.x. 
 * Severity: High - remote execution of code, exploits in the wild. 
 * Packages Affected: kde-base/kde2.2.x 
 * Rectification: Synchronize and emerge -u kde 
 * GLSA Announcement[6] 
 * Advisory[7] 

The updated ebuilds for kde-2.2.2 are currently only marked stable for 

New Security Bug Reports
There are no new security bugs this week. The mpg123 bug mentioned last 

 * media-sound/mpg123[8] 

remains open, but the message traffic implies that the issue may not be a 
concern for the version currently in the portage tree. The bug is still 
open because of a potential issue with frame size calculation in the 
current version. 

3. Featured Developer of the Week
Nicholas Jones
Figure 3.1: Nicholas Jones

Nicholas Jones[9], this week's (and the inaugural) Featured Developer, is 
the current maintainer of Portage. Subscribers to the mailing lists will 
have his response[10] to the recent /etc/make.conf fiasco fresh in their 
minds, whereas those who frequent the IRC channel (#gentoo on or the forums will have seen him as carpaski, responding 
to Portage feature requests and resolving various problems. IRC, actually, 
is where Nick got started with the Gentoo team: a regular who helped out 
with things and submitted ebuilds and patches, the developers snapped him 
up and got him onboard. Now, as Portage maintainer, he plans and codes new 
features for Portage, making sure that changes are as modular as possible 
to facilitate testing and debugging, as well as reviewing bug reports, 
looking for problems to solve and features that can be merged into 

 9. carpaski@g.o
A self-proclaimed console junky, Nick's favorite applications include 
Midnight Commander, vi, lsof, and bash. He uses Enlightenment 16.5 - and 
only Enlightenment 16.5 - for window management, and mutt for mail. Using 
his scripting skills, Nick has done some work remotely administering UNIX 
machines, and has also worked as a network engineer on a US government 
backbone. Amazingly enough, when he's not busy hacking and testing Portage 
or doing administration work, you'll find him studying at the Illinois 
Institute of Technology in Chicago, IL. After all that it's hard to 
imagine that he'd have time left for other pursuits, but Nick says he 
likes wine and music - both listening to it and playing it on guitar, as 
well as frisbee and racquetball. 
4. Heard In The Community
Web Forums
emerge-webrsync Tool Problems
A recent thread[11] in the forums was promoted to an alert when it was 
discovered that an upgrade to the emerge-webrsync tool from the gentoolkit 
had resulted in the potential for it to delete the /usr directory on 
machines where it was run. emerge-webrsync is a tool for automatically 
updating the local portage directory from the daily snapshots on machines 
that are prevented from using emerge sync (for example, on machines behind 
firewalls that block rsync). A number of users reported substantial (and 
possibly unrecoverable) damage to their installations. The problem was 
reported in this bug report[12]. The issue was apparently resolved in 

Much Moaning About ibiblio
People all over the planet are struggling to get decent download speeds 
from the ibiblio server that provides the packages for Gentoo 
installations. Not a major problem as long as everybody was content to 
grab a stage1 tarball and take it from there, but since the introduction 
of the Gentoo Reference Platform and its collection of precompiled 
binaries, the CD images have grown to "normal" size around 500 MB each, 
and the complaints are getting louder, on the IRC channels and the forums. 
If it wasn't for the fact that many of those complaining have simply 
failed to embrace any of the dozens of mirrors listed[13] at the official 
Gentoo website and Ibiblio itself... 
 * ibiblio esta lenta...[14] 
 * Problems accessing ibiblio...[15] 
 * ibiblio suddenly slow![16] 

Automatic Writing Resurrected
One of the Forum's all-time classics is back: After a break over Christmas 
and New Year's, the "Story By Post" thread has been reanimated. Knitted 
with one-liners that fit exceptionally well within the general direction 
the story will take (except that nobody actually knows where it's going), 
each contribution adds to a great recital involving (so far) the marmalade 
cat, Ellen Feiss, the wonder boy, Peter Falk and many others still rubbing 
their eyes in disbelief, wondering how they ended up starring in a prose 
artifact hovering on a technical support forum. Another thread in a 
similar genre has been left alone for a while - well, until now. This one 
actually comes with its own meta-thread: 
 * Story By Post[18] 
 * Chain Thread[19] 
 * Chain Thread Offramp[20] 

Forum Statistics
fghellar[21], one of the Forum's bodhisattvas and an honorary headcounter, 
has posted an update on the number of users currently registered at the 
site. Hard to estimate how many of these are active or at least passively 
reading stuff, but the sheer numbers are impressive. Constantly updated 
statistics can be watched by clicking on the official statistics link in 
the top menu, but for a historical perspective on growth in the Gentoo 
forums check the first link: 
 * 1k users[22] 
 * Official forum statistics[23] 
More praise for Phoenix
A lengthy discussion took place on gentoo-user about the buggy misbehavior 
of Mozilla. It seems that almost everyone and their mother has complained 
about bad plugin support, sluggishness and crashes -- especially when 
dealing with Gentoo's Mozilla sources. Even with Rafa's tip[24] on 
compiling Mozilla without mail and news support and Steve's point[25] on 
using the tarballs, the complaints remained widespread. 
Phoenix was mentioned as an alternative and the audience gave nothing but 
praise. Phoenix is a non-bloated redesign of the Mozilla browser component 
which admittedly runs much faster and embraces the java and flash plugins 
on Gentoo systems without hesitation. The thread[26] even encouraged happy 
Mozilla users to switch to Phoenix. If you've been fighting with Mozilla, 
you may want to experiment with Phoenix if you don't need Moz's mail & 

Kernel Performance
Most of us Gentoo users are not satisfied with an OK system. We'd much 
rather have our software tweaked just enough to squeeze an extra 5hp out 
of that already souped up 750hp big block. The number one place to muster 
this extra horsepower is the Linux kernel. We can worry about the CFLAGS 
later. Gentoo is stocked with many different kernel sources other than the 
-gentoo ones, and all come with their unique advantages and disadvantages 
as determined by the patches involved with them. These patches are applied 
against the 'vanilla' source resulting in a modified kernel. An example of 
these patches, rmap[27], was described within the thread. Aniruddha 
Shankar started the discussion[28] by boasting his happiness with using Con 
Kolivas's kernel (-ck sources) for his desktop system. As always, Gentoo 
users are encouraged to tailor their system to their needs, and a good 
place to start is the kernel. 

Methods for managing etc files.
Jeff Kowing asked[29] about the techniques to use to manage updating etc 
files after an upgrade. Matthew Walker answered very succinctly[30] that 
etc-update may be what he was looking for. 

Gentoo-sources vs "stock" kernels.
Dewet Diener wrote[31] to ask: "I'm wondering what the general status of 
gentoo-sources is compared to the more "stock" kernels, like vanilla and 
-ac? Is it being used in production-class setups without hitches?". Kim 
Nielsen replied[32] with "The gentoo kernel is quite stable but Gentoo was 
never meant as a server distribution even though it serves just as well as 
others like Redhat or Debian. It was intended for network/developer use." 
Thomas T. Veldhouse chipped in[33] with: "I don't think there is any such 
intent. By what I can see and know about Gentoo, it is for any use that 
one sees fit. It was never designed for any particular application. [...] 
it is up to the administrator to make sure that gentoo changes don't hose 
a production machine". 

5. Gentoo International
Unofficial European Gentoo Websites
While the official Gentoo website struggles to keep up with the 
multilingual cacophony created by the enormous wave of popularity crashing 
over its head, many non-English websites have taken over the part of 
support for local communities. Today we take a closer look at some 
European sites: French-speaking users, for example, have been blessed with 
a dynamic news and discussion site of their own for many months now. The 
forum section is not as active as the French board at, 
but manages to coexist peacefully. But the real strength of "Da Gentoo" 
lies in its news coverage, delivered not only to common browsers: news are being served for PDAs and for WAP-enabled mobile 
phones. The German Gentoo project is probably the oldest outside of the US 
(it started sometime back in April 2002), but hasn't lost its appetite 
yet. (like many other international sites, e.g. Korea and Japan) 
is focussed on documentation, but more importantly provides a large number 
of supplementary "regional" ebuilds with spellcheckers and localized 
Openoffice-bin versions, and the occasional tool for users with specific 
homegrown problems (a PPPoE tarball for DSL users in Germany can be 
downloaded from the project's FTP-server). The Danish site has its 
emphasis equally on projects and development, and is currently looking for 
contributors and people who can help with PHP coding. The news section 
definitely needs a blood transfusion, there haven't been any updates since 
May 2002. The Norwegian website has a comparatively low profile, 
apparently content to just provide a few links to mirror servers and 
information resources. But it's highly unfair to just point out the 
websites: The most buzz for the buck comes from the many non-English IRC 
channels on Freenode! Anybody who wants to get a feel for the huge user 
base Gentoo has in many European countries, just check out the Dutch or 
the Portuguese #gentoo-nl or #gentoo-pt channels via 
With a channel like #gentoo-fi, who needs a Finnish website, and the 
Swedes even have their own IRC statistics: 

 * France: Da Gentoo French Page[34] 
 * Germany: Gentoo Linux - Das deutschsprachige Portal[35] 
 * Denmark: Gentoo Linux Danmark[36] 
 * Norway: Gentoo Linux Norge[37] 
 * Sweden: IRC channel statistics[38] 

6. Portage Watch
The following stable packages were added to portage this week
Because of the pending release of 1.4_final, the Portage tree is currently 
frozen. As such, no new stable packages were introduced to Portage this 
Updates to notable packages

 * sys-devel/gcc - gcc-3.2.1-r7.ebuild;  
 * sys-kernel/* - aa-sources-2.4.21_pre3-r1.ebuild; 
   development-sources-2.5.59-r2.ebuild; development-sources-2.5.59.ebuild; 
   gs-sources-2.4.21_pre3-r1.ebuild; gs-sources-2.4.21_pre3-r2.ebuild; 
   mips-sources-2.4.19.ebuild; openmosix-sources-2.4.20-r2.ebuild;  
 * net-www/apache - apache-2.0.44.ebuild;  
 * app-admin/gentoolkit - gentoolkit-0.1.17-r10.ebuild; 
7. Bugzilla

 * Statistics 
 * Closed Bug Ranking 
 * New Bug Rankings 
The Gentoo community uses Bugzilla ([39]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. In the last 7 days, activity on the site has resulted 

 * 258 new bugs this week 
 * 1491 total bugs currently marked 'new' 
 * 559 total bugs currently assigned to developers 
 * 54 bugs that were previously closed have been reopened. 

There are currently 2104 bugs open in bugzilla. Of these: 40 are labelled 
'blocker', 76 are labelled 'critical', and 144 are labelled 'major'. 

The current list of developers' open bugs may be found at the  Gentoo Bug 
Count Report[40]. 

Closed Bug Rankings
The developers and teams who have closed the most bugs this week are: 

 * Martin Schlemmer[41], with 38 closed bugs[42] 
 * Nick Hadaway[43], with 17 closed bugs[44] 
 * M. Holzer[45], with 14 closed bugs[46] 
 * Donny Davies[47], with 10 closed bugs[48] 
 * Seemant Kulleen[49], with 8 closed bugs[50] 

 41. azarah@g.o
 43. raker@g.o
 45. mholzer@g.o
 47. woodchip@g.o
 49. seemant@g.o
New Bug Rankings
The developers and teams who have been assigned the most new bugs this 
week are: 
 * Martin Schlemmer[51], with 10 new bugs[52] 
 * Nick Hadaway[53], with 6 new bugs[54] 
 * Seth Chandler[55], with 6 new bugs[56] 
 * The Gnome Team[57], with 5 new bugs[58] 

 51. azarah@g.o
 53. raker@g.o
 55. sethbc@g.o
 57. gnome@g.o
8. Tips and Tricks
Using Procmail and SpamAssassin to Block Spam and Filter Mailing Lists
The proliferation of unsolicited email, or spam, is becoming more and more 
widespread. However, there are many tools to help prevent spam. This week, 
we look at using Procmail and SpamAssassin to filter incoming mail and to 
block incoming spam. Procmail[59] is a mail filter that can be used to 
sort incoming mail into separate folders as well as many other types of 
mail preprocessing. SpamAssassin[60] is a mail filter that uses heuristic 
scanning to identify spam. 

Since both Procmail and SpamAssassin are in Portage, installation is a 
simple emerge. 

| Code Listing 8.1:                                                       |
| Installing Procmail and SpamAssassin                                    |
|                                                                         |
|# emerge net-mail/procmail                                               |
|# emerge dev-perl/Mail-SpamAssassin                                      |
|                                                                         |
|Add the SpamAssassin daemon to the default runlevel                      |
|# rc-update add spamd default                                            |
|                                                                         |

When upgrading Perl to a higher version, you need to re-emerge 
dev-perl/Net-DNS, dev-perl/HTML-Parser, and dev-perl/Time-HiRes or 
SpamAssassin will exit and possibly discard valid emails.

Each procmail filter is known as a recipe. To keep things organized, 
we're going to create the directory $HOME/.procmail for separate recipes. 

| Code Listing 8.1:                                                       |
| Creating ~/.procmail                                                    |
|                                                                         |
|% mkdir $HOME/.procmail                                                  |
|                                                                         |
Upon invocation, procmail first reads the $HOME/.procmailrc file. This 
file should contain the location of your mailbox and where to look for 
other recipes. 

| Code Listing 8.1:                                                       |
| Example $HOME/.procmailrc                                               |
|                                                                         |
|VERBOSE=no                                                               |
|                                                                         |
|DEFAULT="$HOME/.maildir/"                                                |
|MAILDIR="$HOME/.maildir/"                                                |
|                                                                         |
|PMDIR="$HOME/.procmail"                                                  |
|LOGFILE="$PMDIR/log"                                                     |
|                                                                         |
|INCLUDERC=$PMDIR/lists.rc                                                |
|INCLUDERC=$PMDIR/spam.rc                                                 |
|                                                                         |

This assumes that you are using the Maildir method of storing email. If 
you are using the mbox method, simply change .maildir to your mbox folder 
and remove the trailing slash.

$HOME/.procmailrc is read from top to bottom. This means that your recipes 
will be read in the order in which they appear. Procmail stops checking on 
the first recipe that matches. Keeping lists.rc above spam.rc ensures that 
mailing list filters are checked first, avoiding expensive spam checking 
operations where possible. 
The next step is to set up mailing list filters. Since most lists use the 
List-Id header, we can easily filter out mailing lists from normal email. 

| Code Listing 8.1:                                                       |
| Example $HOME/.procmail/lists.rc                                        |
|                                                                         |
|:0                                                                       |
|*   ^List-Id: Gentoo Linux mail <gentoo-security\.gentoo\.org>           |
|.gentoo-security/                                                        |
|                                                                         |
|:0                                                                       |
|*   ^List-Id: Gentoo Linux mail <gentoo-user\.gentoo\.org>               |
|.gentoo-user/                                                            |
|                                                                         |

To see the actual List-Id header, you may need to view all email headers. 
See your mail client's documentation to enable that feature.

Next, we can set up the spam filter. This recipe first invokes 
SpamAssassin using spamc and then checks the X-Spam-Status header. If the 
message is identified as spam, it is moved to the spam folder. 

| Code Listing 8.1:                                                       |
| Example $HOME/.procmail/spam.rc                                         |
|                                                                         |
|:0 fw                                                                    |
|| /usr/bin/spamc -f                                                      |
|                                                                         |
|:0                                                                       |
|* ^X-Spam-Status: Yes                                                    |
|.spam/                                                                   |
|                                                                         |

While SpamAssassin is very good, it is not 100% accurate, so using 
/dev/null as your spam folder may result in some lost email. It is better 
to move spam to a separate folder and manually delete messages.

spamc connects to the SpamAssassin daemon (spamd). If for some reason you 
cannot use the daemon, SpamAssassin can be called directly using 
/usr/bin/spamassassin -a
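
The delivery order that .procmailrc, lists.rc and spam.rc set up, modelled in Python as an added example (it is not part of the newsletter, Procmail or SpamAssassin). It shows that mail carrying a matching List-Id is filed before the spam check runs, and compares an anchored `^X-Spam-Status: Yes` condition with an unanchored one; `toy_spamc`, its keyword and the sample messages are constructed stand-ins.

```python
import re

# lists.rc recipes in file order: (condition, destination folder).
LISTS_RC = [
    (r"^List-Id: Gentoo Linux mail <gentoo-security\.gentoo\.org>", ".gentoo-security/"),
    (r"^List-Id: Gentoo Linux mail <gentoo-user\.gentoo\.org>", ".gentoo-user/"),
]
SPAM_FOLDER = ".spam/"
DEFAULT_FOLDER = ".maildir/"   # DEFAULT in .procmailrc, shown relative to $HOME


def split_message(raw):
    """Return (header lines with folded continuations joined, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return re.sub(r"\n[ \t]+", " ", head).split("\n"), body


def matches(condition, raw):
    # Procmail conditions are case-insensitive regexes matched against the
    # header only; '^' anchors at the start of any header line.
    header = "\n".join(split_message(raw)[0])
    return re.search(condition, header, re.I | re.M) is not None


def toy_spamc(raw):
    """Constructed stand-in for ':0 fw | /usr/bin/spamc -f' (not SpamAssassin).
    Model choice: replace any X-Spam-Status already present with a verdict
    based on one made-up keyword in the body."""
    lines, body = split_message(raw)
    lines = [l for l in lines if not l.lower().startswith("x-spam-status:")]
    verdict = "Yes" if "cheap pills" in body.lower() else "No"
    return "\n".join(lines + ["X-Spam-Status: " + verdict]) + "\n\n" + body


def deliver(raw, spam_condition=r"^X-Spam-Status: Yes"):
    """Return (folder, was_scanned) for INCLUDERC order lists.rc, spam.rc."""
    for condition, folder in LISTS_RC:
        if matches(condition, raw):
            return folder, False      # delivering recipe: processing stops
    raw = toy_spamc(raw)              # filter recipe: rewrite, then continue
    if matches(spam_condition, raw):
        return SPAM_FOLDER, True
    return DEFAULT_FOLDER, True


# Constructed sample messages (header, blank line, body).
LIST_MAIL = ("From: someone@example.org\n"
             "List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>\n"
             "Subject: etc-update question\n\nHow do I merge config files?\n")
LIST_ID_SPAM = ("From: unknown@example.net\n"
                "List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>\n"
                "Subject: offer\n\nCheap pills, today only.\n")
PLAIN_SPAM = "From: unknown@example.net\nSubject: offer\n\nCheap pills, today only.\n"
HAM_QUOTING_HEADER = ("From: friend@example.org\n"
                      "Subject: Re: why does my mail get X-Spam-Status: Yes?\n\n"
                      "Any idea what triggers it?\n")

if __name__ == "__main__":
    for name in ("LIST_MAIL", "LIST_ID_SPAM", "PLAIN_SPAM", "HAM_QUOTING_HEADER"):
        print(name, deliver(globals()[name]),
              deliver(globals()[name], spam_condition=r"X-Spam-Status: Yes"))
```

If list traffic should be scanned as well, list spam.rc before lists.rc in .procmailrc, at the cost of running the scanner on every message.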
You should now be set up to filter your email and block most spam. For 
more information on Procmail or SpamAssassin, see their system 
documentation with man procmail and perldoc Mail::SpamAssassin or the 
associated websites at and 
9. Moves, Adds and Changes
The following developers recently left the Gentoo team: 

 * none this week  
The following developers recently joined the Gentoo team: 

 * none this week  
The following developers recently changed roles within the Gentoo project. 

 * none this week 
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 

 61. gwn-feedback@g.o
11. GWN Feedback
Please send us your feedback[62] and help make GWN better.

 62. gwn-feedback@g.o
12. Other Languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Dutch 
 * English 
 * German 
 * French 
 * Japanese 
 * Italian 
 * Portuguese (Brazil) 
 * Portuguese (Portugal) 
 * Spanish 
Kurt Lieber <klieber@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Contributor
Brice Burgess <nesta@×××××××.net> - Contributor
Yuji Carlos Kosugi <carlos@g.o> - Contributor
Rafael Cordones Marcos <rcm@×××××××.net> - Contributor
David Narayan <david@×××××××.net> - Contributor
Ulrich Plate <plate@×××.com> - Contributor
Peter Sharp <mail@××××××××××××××.net> - Contributor
Mathy Vanvoorden <matje@×××××××.be> - Dutch Translation
Tom Van Laerhoven <tom.vanlaerhoven@××××××.be> - Dutch Translation
Roel Adriaans <roel@××××××××.cx> - Dutch Translation
Nicolas Ledez <nicolas.ledez@××××.fr> - French Translation
Guillaume Plessis <gui@×××××××××.com> - French Translation
Eric St-Georges <thevedge@××××××××.net> - French Translation
John Berry <anfini@××××.fr> - French Translation
Martin Prieto <riverdale@×××××××××.org> - French Translation
Michael Kohl <citizen428@g.o> - German Translation
Steffen Lassahn <madeagle@g.o> - German Translation
Matthias F. Brandstetter <haim@g.o> - German Translation
Thomas Raschbacher <lordvan@g.o> - German Translation
Marco Mascherpa <mush@××××××.net> - Italian Translation
Claudio Merloni <paper@×××××××.it> - Italian Translation
Daniel Ketel <kage-chan@g.o> - Japanese Translation
Yoshiaki Hagihara <hagi@×××.com> - Japanese Translation
Andy Hunne <andy@×××××××××.com> - Japanese Translation
Yuji Carlos Kosugi <carlos@g.o> - Japanese Translation
Ventura Barbeiro <venturasbarbeiro@××××××.br> - Portuguese (Brazil) 
Bruno Ferreira <blueroom@××××××××××××.net> - Portuguese (Portugal) 
Lanark <lanark@××××××××××.ar> - Spanish Translation
Rafael Cordones Marcos <rcm@×××××××.net> - Spanish Translation
Julio Castillo <julio@×××××××××××××.com> - Spanish Translation
Jaime Freire <jfreire@××.com> - Spanish Translation
Sergio Gómez <s3r@××××××××××××.ar> - Spanish Translation