Gentoo Archives: gentoo-gwn

From: Kurt Lieber <klieber@g.o>
To: gentoo-gwn@g.o
Subject: [gentoo-gwn] Gentoo Weekly Mailing List -- Volume 1, Issue 2
Date: Mon, 30 Dec 2002 09:33:52
Gentoo Weekly Newsletter

This is the Gentoo Weekly Newsletter for the week of December 30th, 2002.

Kurt Lieber <klieber@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Contributor
Brice Burgess <nesta@×××××××.net> - Contributor
Yuji Carlos Kosugi <carlos@××××××××.net> - Contributor
Rafael Cordones Marcos <rcm@×××××××.net> - Contributor
David Narayan <david@×××××××.net> - Contributor
Ulrich Plate <plate@×××.com> - Contributor
Peter Sharp <mail@××××××××××××××.net> - Contributor
Lanark <lanark@××××××××××.ar> - Spanish Translation
Marco Mascherpa <mush@××××××.net> - Italian Translation
Claudio Merloni <paper@×××××××.it> - Italian Translation
Ventura <venturasbarbeiro@××××××.br> - Portuguese (Brazil) Translation

1. Gentoo News  


 * Gentoo to be at LinuxWorld Expo in January 
 * Gentoo Linux 1.4 Release Schedule and Feature Update 
 * Gentoo Linux 1.4_rc2 to be Released on December 31st 
 * New Kernel Development Strategy 
 * New Formal Release Schedule Process

Gentoo to be at LinuxWorld Expo in January  
Daniel Robbins and other members of the Gentoo Linux team will be at 
LinuxWorld Expo[1] January 22nd-24th in New York City. They will be 
manning booth #8 at the .org pavilion and hope to have an impressive 
display of graphics hardware showing off Gentoo Linux. If you're in the 
area, stop by and show your support for Gentoo Linux!


Gentoo Linux 1.4 Release Schedule and Feature Update  
Daniel Robbins recently announced the planned Release Schedule for Gentoo 
1.4_rc3, which will hopefully be released as Gentoo 1.4_final. While the 
Release Schedule is subject to change based on bugs and user feedback, the 
current release date is planned for January 14, 2003, just in time for 
Linux World 2003[2] in New York. New for Gentoo is a more formal release 
process, comprised of five main stages that take the 1.4_rc3/1.4_release 
candidate through a testing and QA process that should improve the quality 
and stability of the final system.

1.4_final will take the improvements introduced in rc1 and rc2 and also 

 * Fully integrated Xft2 support 
 * New baselayout to remove dependency on tmpfs 
 * Expanded GRP package set 
 * Integrated optional prelink support

As this release makes its way through the Release Schedule process, the 
quality and stability of this version will determine whether it receives 
the "1.4_final" designation. As with any unreleased product, features and 
dates may change as we get closer to the deadline.

Gentoo Linux 1.4_rc2 to be Released on December 31st  
The last release candidate prior to the final version of Gentoo Linux 1.4 
is scheduled to be released on December 31st. As several Gentoo users have 
already discovered, most of the 1.4_rc2 files have already been placed on 
ibiblio[3]. Last minute additions to rc2 not ready at press time included 
some finishing touches to the installation CDs (LiveCDs) and 
documentation. New to the 1.4_rc2 release are: 

 * The first release of the Gentoo Reference Platform[4] (GRP) -- a 
collection of ebuilds specifically tested for stability. 
 * New LiveCDs with increased hardware support, better technology and more 
eye candy. 
 * Upgraded versions of gcc, binutils, portage and many other packages.

Users interested in living on the bleeding edge can see the new LiveCD 
technology in action by trying out one of the experimental[5] LiveCDs.


New Kernel Development Strategy  
Daniel Robbins recently proposed a new kernel development strategy for 
Gentoo Linux, with the main goals being to improve hardware support and 
stability of the kernels used in the Gentoo project. As part of this 
strategy, Gentoo would leverage many of the hardware patches that make 
their way into the Red Hat kernel tree since most hardware vendors seek 
out Red Hat as their primary/only Linux partner. In addition to taking 
advantage of the improved hardware support in the Red Hat kernel source 
tree, Gentoo users would also benefit from additional features and 
functionality not normally found in the Red Hat kernel, including XFS, 
EVMS and Win4Lin, as well as others. Furthermore, the focus of 
gentoo-sources and xfs-sources would likely diverge somewhat, with 
gentoo-sources focusing more on high performance and xfs-sources intent on 
maximum hardware compatibility and kernel functionality.

New Formal Release Schedule Process  
As part of the 1.4 release process, Daniel Robbins proposed a formal 
Release Schedule to ensure that the entire Gentoo development team knows 
what the process and schedule is for future releases. Key to the new 
policy is the migration away from one single "release manager", with one 
person in charge of everything, to more of a "release process" whereby the 
entire development team helps manage the release, based on one set of 
common instructions. At a high level, the new Release Schedule consists of 
5 main steps: 

 * Initial Decision -- The actual decision to release a new version of 
Gentoo Linux. 
 * Package Upgrades Phase -- A period of time (generally 14 days) where 
the developers focus on moving packages from an unstable (masked) state to 
a stable (unmasked) state. 
 * Build and Test -- Assigned builders for each architecture build a 
"generic CPU" set of stage tarballs using a current Portage snapshot. 
 * Release Build and Test -- A full-scale, distributed build effort begins 
to build the full new Gentoo Linux release or release candidate including 
GRP package sets. 
 * Release -- The new version of Gentoo Linux is released to the Gentoo 

2. Gentoo Security  


 * GLSA: openldap 
 * GLSA: cyrus-imapd 
 * GLSA: cyrus-sasl 
 * GLSA: KDE-3.0.x 
 * GLSA: canna 
 * GLSA: wget 
 * GLSA: perl 
 * New Security Bug Reports

GLSA: openldap  
Several buffer overflows and other bugs exist that could allow remote 
attackers to gain access to systems running vulnerable LDAP 

 * Severity: high - potential remote execution of arbitrary code. 
 * Packages Affected: openldap-2.0.25-r2 
 * Rectification: Synchronize and emerge cyrus-sasl. 
 * GLSA Announcement[6] 
 * Advisory[7]


GLSA: cyrus-imapd  
Cyrus' Sieve implementation contains a couple of classic string based 
buffer overflows in script parsing code. Anyone who can execute Sieve 
scripts can exploit these bugs. Versions up to libSieve 2.1.2 and Cyrus 
IMAP 2.1.10 are affected. 

 * Severity: high - potential remote execution of arbitrary code. 
 * Packages Affected: cyrus-imapd 2.1.10 and earlier 
 * Rectification: Synchronize and emerge cyrus-imapd. 
 * GLSA Announcement[8] 
 * Advisory[9]


GLSA: cyrus-sasl  
Insufficient buffer length checking in user name canonicalization may 
allow an attacker to execute arbitrary code on servers using Cyrus SASL 

 * Severity: high - potential remote execution of arbitrary code. 
 * Packages Affected: cyrus-sasl 2.1.9 
 * Rectification: Synchronize and emerge cyrus-sasl. 
 * GLSA Announcement[10] 
 * Advisory[11]


GLSA: KDE-3.0.x  
KDE-3.0.x sometimes fails to quote command parameters in calls to the 
shell. This means that carefully crafted emails and web pages may permit 
an attacker to pass arbitrary commands using the victim's system 
privileges. Exploits are known to exist. 

 * Severity: high - potential remote execution of arbitrary code under 
victim's privileges. 
 * Packages Affected: kde-3.0.4 and earlier in the kde-3.x series. 
 * Rectification: Synchronize and emerge kde. 
 * GLSA Announcement[12] 
 * Advisory[13]


GLSA: canna  
The canna server versions 3.6 and earlier expose a heap overflow that 
permits a remote exploit that has been demonstrated, but not reported in 
the wild. In addition, the same server versions fail to validate some 
request cases. 

 * Severity: moderate to high - DOS attack and information exposure, 
remote exploit permits execution with same privileges as the canna server. 
 * Packages Affected: canna-3.6 
 * Rectification: Synchronize and emerge canna. 
 * GLSA Announcement[14] 
 * Advisory[15]


GLSA: wget  
Wget could permit a malicious ftp site operator to overwrite certain key 
files and potentially gain privileges on the target computer through 
replacing executable files. No cases in the wild have been reported. 

 * Severity: moderate - DOS and remote exploit mitigated by requirement 
for victim participation. 
 * Packages Affected: wget-1.8.2-r1 and earlier 
 * Rectification: Synchronize and emerge wget. 
 * GLSA Announcement[16]


GLSA: perl  
Perl's Safe module ( exposes a potential vulnerability in that, if 
a safe compartment is reused it is no longer safe (due to an inability to 
alter operation masks). 

 * Severity: moderate - somewhat obscure and requires code that reuses 
safe compartments. 
 * Packages Affected: perl-5.8.0-r5 and earlier 
 * Rectification: Synchronize and emerge perl or (less drastic) emerge 
 * GLSA Announcement[17] 
 * Advisory[18]


New Security Bug Reports  
The past week has not seen any significant new security bugs posted to 
bugzilla. Therefore, we will use this section to provide a summary of 
currently open security bugs on the system (we should note that most of 
these 'bugs' have been fixed in packages that are currently in testing, 
and could be unmasked and emerged now): 

 * evolution[19] 
 * glibc[20] 
 * freeswan[21] 
 * libpng[22] 
 * cups[23]


3. Heard In The Community  

Web Forums  
Forums Crashed - Back Online
Nitro writes[24] that the Forum's backbone, the MySQL server that makes 
the phpBB surface ripple, was unreachable on Christmas Eve (probably out 
having an eggnog somewhere warm and cozy). The downtime was caused when a 
new server being brought online crashed. Things have since been migrated 
back to the old server and the new server is undergoing further stress 
testing. Fortunately, nothing has gone missing, the entire database has 
been restored, and only those few people who created new accounts during 
the brief period of downtime will have to do so again.

Dual boot alert!
People have been unwrapping their Christmas presents, and this may well be 
the reason behind the current wave of dual boot configurations reflected 
in the forums. This at least is the impression one gets from the sudden 
flurry of activity documented in the threads listed below. For people 
planning on setting up Gentoo in a dual configuration with a legacy 
operating system, these are as good a place as any to start from: 
 * EVMS and dual booting[25] 
 * Setting up Dual Boot?[26] 
 * yaboot problem Dual USB iBook[27] 
 * Grub + Winnt[28]

Gentoo Linux Users Everywhere
What is one to do with an optimized Gentoo system after all the emerging 
is done? Several active topics have formed as centers for the organization 
of Gentoo teams for such diverse distributed computing projects as 
SETI@home,'s RC-5-72, Folding@home, and 
ClimatePrediction.Net. Properly niced (nice is used to run a program with 
modified scheduling priority), clients for these projects can use systems' 
spare CPU cycles, doing (potentially) constructive work without any 
adverse effect on performance. The SETI@home team[29] is currently the 
largest, with 85 users from all over the world and a whopping 76 CPU 
years, but the Folding@home team[30] is quite active as well. For more 
information about setting up the clients, joining the teams, and the 
effects of SETI@home participation on one enthusiastic user's electric 
bill, among other things, see the following threads: 

 * SETI: Gentoo Linux Users Everywhere (85 users)[31] 
 * folding@home and Gentoo Linux Users Everywhere[32] 
 * RC-5-72 started yesterday[33]


Gentoo vs. FreeBSD
Portage, Gentoo's package management system, undoubtedly resembles the 
ports system found in FreeBSD. So, which is better? Gentoo advocates will 
argue that newer is of course better, as exemplified by evolution. FreeBSD 
loyalists remind us of Marlon Brando in the Godfather: things were better 
back then. Truthfully, it would be silly to draw such simple conclusions. 
Charles Burns posted an excellent response[34] comparing the two different 
OSes. When it comes to desktops or less popular hardware, there is no 
substitute for Gentoo.

Don't fear the downgrade
Every once in a while an emerge preview will notify you that it is going to 
downgrade an important package. For instance, emerging edb may downgrade 
freetype, instilling an instant fear of losing those good looking fonts. 
Fear not. Many packages coexist happily with each other and the newer 
versions will not be removed after the 'downgrade'. For example, Glib2 and 
Glib1 also behave well on the same system. Jean Smith has posted a 
suggestion[35] that will hopefully clear up this confusion.


Final Release of Gentoo?
M. Zuelsdorff wrote[36] to say: "I am following the discussion in the 
gentoo-dev group for more than a year now. All I see is "a problem with 
this" and "a problem with that". Some days ago, something even appeared to 
be "really fucked up". My question: When do you expect Gentoo to become a 
final usable release?". Most of the answers in the thread agreed that 
human nature might play some role here and make us take time to complain 
more often than we do to say things work for us. Arthur Britto chipped 
in[37] with: "You've just highlighted one of the biggest problems with 
Gentoo: manual problem discovery and resolution. When a package breaks, 
someone must (1) manually discover it, (2) search mailing lists for Gentoo 
and the application, (3) search the forums for Gentoo and the application, 
(4) attempt reasonable diagnostics to insure the problem is not just with 
their system, (5) if they are competent they might try to solve the 
problem, and (6) share their problem with the community." Finally, Daniel 
Robbins (Chief Architect of Gentoo Linux) closed the thread with the 
steps[38] being taken in order to improve quality control.

USE Flags Selector.
John Nilsson wrote an e-mail[39] in which he expressed his interest in 
writing an interface for selecting USE flags and GCC flags. Turns out, 
this interface already exists in the form of ufed[40] and kportage[41]. 
But, as always, with free software[42], there is room for improvement! ;-)


4. Gentoo International  

Yet Another French Linux Documentation
The French Gentoo community is very excited[43] about a brand new Linux 
installation and configuration guide by Christian Casteyde. Not exactly 
built to order for Gentooists (he appears to be a SuSE and Slackware man 
himself), it is a very extensive and up-to-date documentation, with a 
strong emphasis on additional features of XFree86 4.x and kernel 2.4.x. He 
calls it Yet Another "Guide d'Installation de Linux"[44], or YAGIL, and it 
certainly looks like enough of a reason to brush up your French.


Gentoo Shinnenkai - New Year's Party at Gentoo-JP...
In what can only be called an effort at Doing The Right Thing, the 
Japanese Gentoo activists have agreed on a date for the first get-together 
of the year 2003. With the precise location still to be announced, all of 
Japan's Gentoo users and developers present in Tokyo on that date will 
meet on 17 January 2003, starting at 19:00. The easiest way to tell them 
you're coming is probably the IRC channel, #gentoo-ja on, 
or you can drop a mail to the organizers.

5. Portage Watch  

Security Updates (see above)  

 * openldap - fixed in openldap-2.0.27 and above 
 * cyrus-imapd - fixed in cyrus-imapd-2.1.11 and above 
 * cyrus-sasl - fixed in cyrus-sasl-2.1.10 and above 
 * Perl - fixed in perl-5.6.10-r10 / perl-5.8.0-r6 and above 
 * wget - fixed in wget-1.8.2-r2 and above 
 * canna - fixed in canna-3.6-r1 and above 
 * kde-3.0.x - fixed in kde-3.0.5a and above


The following stable packages were added to portage this week  

 * app-crypt/keylookup : "A tool to fetch PGP keys from keyservers." 
 * app-games/gnurobots : "Game/diversion where you construct a program for 
a little robot then set him loose and watch him explore a world on his 
 * app-games/gnushogi : "Japanese version of chess (commandline + 
 * dev-java/xdoclet : "A code-generation engine primarily for EJB" 
 * dev-perl/File-Temp : "File::Temp can be used to create and open 
temporary files in a safe way." 
 * dev-perl/Graph : "Graph is a module to create graphs." 
 * dev-perl/Heap : "Heap - Perl extensions for keeping data partially 
 * dev-perl/MIME-Lite : "low-calorie MIME generator" 
 * dev-perl/SOAP-Lite : "Provides a simple and lightweight interface to 
the SOAP protocol (sic) both on client and server side." 
 * dev-perl/Text-Shellwords : "Provides shellwords() routine which parses 
lines of text and returns a set of tokens using the same rules that the 
Unix shell does." 
 * dev-perl/Time-modules : "A Date/Time Parsing Perl Module"
 * media-libs/lib3ds : "overall software library for managing 3D-Studio 
Release 3 and 4 .3DS files" 
 * media-libs/libjsw : "provide a uniform API and user configuration for 
joysticks and game controllers" 
 * media-sound/aseqview : "ALSA sequencer event viewer/filter." 
 * net-analyzer/wepattack : "WLAN tool for breaking 802.11 WEP keys" 
 * net-misc/bwwhois : "Perl-based whois client designed to work with the 
new Shared Registration System" 
 * app-emacs/yc : "YC - Yet another Canna client on Emacsen."

Updates to notable packages  

 * sys-apps/portage - portage-2.0.47_pre1.ebuild; 
 * kde-base/kde - kde-3.0.5a.ebuild; 
 * sys-kernel/* - development-sources-2.5.53.ebuild; 
lolo-sources-; lolo-sources-; 
lolo-sources-; openmosix-sources-2.4.20-r1.ebuild; 
usermode-sources-2.4.19-r36.ebuild; usermode-sources-2.4.19-r37.ebuild; 
usermode-sources-2.4.19-r38.ebuild; usermode-sources-2.4.19-r39.ebuild; 
usermode-sources-2.4.19-r40.ebuild; xfs-sources-2.4.20_pre1.ebuild; 
 * sys-devel/perl - perl-5.8.0-r7.ebuild;

6. Bugzilla  


 * Statistics 
 * Bugs of Note

The Gentoo community uses Bugzilla ([45]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. In the last 7 days, activity on the site has resulted 

 * 190 new bugs this week 
 * 1166 total bugs currently marked 'new' 
 * 535 total bugs currently assigned to developers 
 * 54 bugs that were previously closed have been reopened.

There are currently 1755 bugs open in bugzilla. Of these: 29 are labelled 
'blocker', 74 are labelled 'critical', and 104 are labelled 'major'.

The developers and teams with the highest apparent bug-related workload 

 * Nicholas Jones[46], with 260 open bugs 
 * Martin Schlemmer[47], with 120 open bugs 
 * Brandon Low[48], with 105 open bugs 
 * The KDE Team[49], with 106 open bugs 
 * The Gnome Team[50], with 60 open bugs

Please lend them (and the entire development team) your best wishes, 
toothbrush and continuing support.

 46. mailto://carpaski@g.o
 47. mailto://azarah@g.o
 48. mailto://lostlogic@g.o
 49. mailto://kde@g.o
 50. mailto://gnome@g.o

Bugs of Note  
Each week, we will single out a few bugs for special mention, because they 
have been provoking significant discussions, they are particularly 
problematic, they are amusing or simply because they struck our fancy. 
This week's featured bugs are (in no particular order): 

 *  Bug 9459[51] discusses apparent problems with intermittent file 
corruption after incorrect shutdowns on ReiserFS using Gentoo-Sources. 
 *  Bug 12537[52] discusses problems with the latest baselayout changing 
the gid of smmsp - which provokes problems with sendmail. 
 *  Bug 8324[53] critiques the lack of a keyboard language select (for 
non-US keyboards) in the 1.4 install CD release candidate. Daniel Robbins 
has indicated that this will be resolved by the final release. 
 *  Bug 11384[54] discusses a problem compiling glibc using 
-march=pentium4. The issue is apparently inherent in the current gcc code, 
so it cannot be fixed. However, the bug is an excellent example of 
interaction between the reporter and the developer. 
 *  Bug 9633[55] indicates a problem with booting the 1.4 install CD 
release candidate on certain architectures (Fujitsu P2000) without the 
ability to specify boot parameters. Apparently, the resolution may require 
a modification to the install kernel, which seems likely.


7. Tips and Tricks  

Getting information about installed packages
New Gentoo users often ask how to get a list of installed packages from 
the Portage tree, but what many of those who give answers might not know 
is the abundance of tools that can be used to do so. From Portage's 
pkglist, the gentoolkit's qpkg and epm (an rpm work-alike), to walking the 
/var/db/pkg/ directory structure yourself, there are definitely quite a 
few choices. Here are two ways to list all installed packages, first using 
pkglist (found in /usr/lib/portage/bin/, which is often not in $PATH), the 
second running find on /var/db/pkg/:
Code Listing 7.1: 
Code Listing 7.2: 
 find /var/db/pkg/ -mindepth 2 -maxdepth 2 -printf "%P\n"
A list of files that belong to a package can be generated by either epm or 
qpkg; to find out which files belong to the xmms package, try one of:
Code Listing 7.3: 
 epm -ql xmms
Code Listing 7.4: 
 qpkg -l xmms
And lastly, if you want to know to which package a file belongs, here are 
two ways:
Code Listing 7.5: 
 epm -qf /usr/bin/namei
Code Listing 7.6: 
 qpkg -f /usr/bin/namei
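
The same walk of /var/db/pkg/ can be used to check installed packages against the "fixed in" versions listed under Portage Watch in this issue. This is an added example, not part of the original newsletter: the sample package tree and its category names are constructed, perl is left out because the issue lists two fixed branches, and GNU sort -V is assumed as an approximation of Portage's version ordering.

```sh
#!/bin/sh
# Added example (not from the newsletter): walk a /var/db/pkg-style tree and
# report installed packages older than the fixed versions in this issue.

# "Fixed in" versions copied from this issue's Portage Watch list (perl omitted).
FIXED_LIST='openldap 2.0.27
cyrus-imapd 2.1.11
cyrus-sasl 2.1.10
wget 1.8.2-r2
canna 3.6-r1
kde 3.0.5a'

# True when version $1 sorts strictly before $2. Assumption: GNU "sort -V"
# stands in for Portage's own version comparison, which it only approximates.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print one line per installed package below its fixed version.
# $1 is the package database root (/var/db/pkg on a real system).
audit_pkgdb() {
    find "$1" -mindepth 2 -maxdepth 2 -type d -printf '%P\n' | LC_ALL=C sort |
    while read -r cpv; do
        pv=${cpv#*/}              # strip "category/"
        name=${pv%%-[0-9]*}       # version starts at the first "-<digit>"
        ver=${pv#"$name"-}
        fixed=$(printf '%s\n' "$FIXED_LIST" |
                awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue   # package not in this issue's list
        if version_lt "$ver" "$fixed"; then
            printf '%s (fixed in %s-%s)\n' "$cpv" "$name" "$fixed"
        fi
    done
}

# Constructed sample tree so the example runs without a Gentoo install.
make_sample_db() {
    db=$(mktemp -d)
    for cpv in net-misc/wget-1.8.2-r1 net-nds/openldap-2.0.27 \
               dev-libs/cyrus-sasl-2.1.9 app-i18n/canna-3.6 \
               kde-base/kde-3.0.5a media-sound/xmms-1.2.7; do
        mkdir -p "$db/$cpv"
    done
    printf '%s\n' "$db"
}

sample=$(make_sample_db)
audit_pkgdb "$sample"    # on a real system: audit_pkgdb /var/db/pkg
rm -rf "$sample"
```

Packages already at the fixed version (openldap-2.0.27 and kde-3.0.5a in the sample) and packages not named in the list are not reported.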

8. Moves, Adds and Changes  

The following developers recently left the Gentoo team: 

 * none this week

The following developers recently joined the Gentoo team: 

 * Jan Seidel (tuxus) -- MIPS 
 * John Lennard (yakmoose) -- win4lin 
 * Christian Birchinger (joker) -- Sparc

The following developers recently changed roles within the Gentoo project. 

 * none this week

9. Contribute to GWN  
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 

 56. gwn-feedback@g.o

10. GWN Feedback  
Please send us your feedback[57] and help make GWN better.

 57. gwn-feedback@g.o