Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@××××××××××××.org
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 31 January 2005
Date: Mon, 31 Jan 2005 11:19:23
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 31 January 2005.
1. Gentoo News
Trusted Gentoo
Initially suggested by Joseph Pingenot[1], the members of Gentoo's crypto 
herd have put Trusted Computing Group (TCG, formerly known as the Trusted 
Computing Platform Alliance or TCPA[2]) support in Gentoo on the agenda 
for the year. 
TCG publishes open specifications for a hardware component, the Trusted 
Platform Module (TPM), that performs cryptographic operations on private 
keys that never leave the chip and are therefore never exposed in system 
memory. A TPM also records measurements (hashes) of the boot chain in its 
Platform Configuration Registers; a key "sealed" against those registers 
can only be unsealed while the measured boot chain matches, so it cannot 
be used if the operating system is changed to an untrusted one. The TCG 
Software Stack (TSS) is the host-side library through which applications 
talk to the TPM. 
TSS applications of the TCG architecture that would be desirable for 
Gentoo are: 
 * trusted kernel execution ([3],[4])  
 * trusted grub execution[5]  
 * trusted kernel modules 
A TPM allows cryptographic keys to be stored in hardware rather than 
placing private keys on the filesystem. Examples include: 
 * unlocking of encrypted filesystems 
 * OpenSSH server 
 * SELinux[6]  
 * Apache 
 * OpenCA certification authorities[7]  
 * GnuPG and SSH keychains 
If you are interested in donating hardware or undertaking development in 
this area, contact Henrik Brix Andersen[8] or Peter Johanson[9]. Developers 
will need to work largely independently, and to have a good understanding 
of security architectures and C coding. A TPM emulator that may be of 
assistance is available[10]. 
 8. brix@g.o
 9. latexer@g.o
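As an added illustration (not part of the original newsletter and not code from any Gentoo project), the following Python model shows the two mechanisms the paragraphs above rely on: measured boot, where each boot stage is hashed into a Platform Configuration Register (PCR) with the TPM 1.2 extend rule PCR = SHA1(PCR || SHA1(image)), and sealing, where a secret is bound to the PCR values present at seal time and can only be unsealed when the same values are present again. The SimTPM class, the SRK constant, the boot-chain images and the volume key are all constructed stand-ins; a real TPM does the wrapping with an RSA storage key inside the chip, and the seal/unseal commands would be issued through the TSS rather than called directly.

```python
"""Toy model of TPM 1.2-style measured boot and key sealing.

Added example, not Gentoo project code. Everything here is a software
stand-in: a real TPM keeps the Storage Root Key (SRK) and the sealing
operation inside the chip, and the PCR composite is hashed differently.
The property being demonstrated is the one the newsletter describes:
a sealed key is unusable once the measured boot chain changes.
"""
import hashlib
import hmac
from typing import Optional

PCR_LEN = 20   # TPM 1.2 PCRs hold a SHA-1 digest
BOOT_PCR = 4   # PCR index used here for the boot loader / kernel chain


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used as a simple stream cipher for wrapping."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class SimTPM:
    """PCRs that reset at power-on plus a persistent SRK that never leaves the 'chip'."""

    def __init__(self, srk: bytes):
        self._srk = srk
        self.reset()

    def reset(self) -> None:
        """Power-on reset: all PCRs return to zero, the SRK persists."""
        self.pcrs = [b"\x00" * PCR_LEN for _ in range(24)]

    def extend(self, index: int, measurement: bytes) -> bytes:
        """PCR[i] = SHA1(PCR[i] || SHA1(measurement)).

        The old value is folded in, so the result depends on every earlier
        extend and on their order, and no PCR can be set to a chosen value."""
        digest = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def _wrap_key(self, indices) -> bytes:
        composite = hashlib.sha1(b"".join(self.pcrs[i] for i in indices)).digest()
        return hashlib.sha256(self._srk + composite).digest()

    def seal(self, secret: bytes, indices) -> bytes:
        """Encrypt secret under the SRK and the *current* values of the chosen PCRs."""
        indices = sorted(indices)
        wrap = self._wrap_key(indices)
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrap, len(secret))))
        tag = hmac.new(wrap, ct, hashlib.sha256).digest()
        return bytes([len(indices)]) + bytes(indices) + tag + ct

    def unseal(self, blob: bytes) -> Optional[bytes]:
        """Return the secret only if the named PCRs hold their seal-time values."""
        n = blob[0]
        indices = list(blob[1:1 + n])
        tag, ct = blob[1 + n:33 + n], blob[33 + n:]
        wrap = self._wrap_key(indices)
        if not hmac.compare_digest(tag, hmac.new(wrap, ct, hashlib.sha256).digest()):
            return None
        return bytes(a ^ b for a, b in zip(ct, _keystream(wrap, len(ct))))


def measured_boot(tpm: SimTPM, stages) -> None:
    """Each stage image is measured into BOOT_PCR before control passes to it."""
    for image in stages:
        tpm.extend(BOOT_PCR, image)


# Constructed sample data: SRK, a known-good boot chain and a volume key.
SRK = hashlib.sha256(b"constructed SRK, burned into the chip").digest()
GOOD_CHAIN = [b"grub stage2 (constructed)",
              b"vmlinuz-2.6 (constructed)",
              b"initrd (constructed)"]
DISK_KEY = b"constructed 32-byte volume key!!"


def provision() -> bytes:
    """Seal the volume key at install time, on the known-good boot chain."""
    tpm = SimTPM(SRK)
    measured_boot(tpm, GOOD_CHAIN)
    return tpm.seal(DISK_KEY, [BOOT_PCR])


def try_unseal(chain) -> Optional[bytes]:
    """Simulate a reboot (PCRs cleared, same SRK) into the given chain and unseal."""
    blob = provision()
    tpm = SimTPM(SRK)
    measured_boot(tpm, chain)
    return tpm.unseal(blob)


if __name__ == "__main__":
    tampered = [GOOD_CHAIN[0], b"vmlinuz-rootkit (constructed)", GOOD_CHAIN[2]]
    print("good chain     :", try_unseal(GOOD_CHAIN))
    print("patched kernel :", try_unseal(tampered))
    print("reordered chain:", try_unseal(GOOD_CHAIN[::-1]))
```

Only the boot into the exact, correctly ordered chain recovers the key; a swapped kernel, a reordered chain, or an unseal attempt before any measurement all fail, which is the property that makes "unlocking of encrypted filesystems" from the list above attractive on TPM hardware.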
Looking for EM64T developers, hardware, and AMD64 "Arch-testers"
The Gentoo/AMD64 team has issued a request for developers who could help 
extend support to Intel's x86-64 processors, the EM64T product line. 
The devs will need to bring their own hardware and mainly do kernel 
testing, since the chipsets on EM64T mainboards are different. Please 
contact Jason Huebel[11] if you feel up to helping out with this. 
 11. jhuebel@g.o
In a separate announcement[12], AMD64 is also looking for "Arch-testers" 
or ATs, i.e. non-developers to help iron out bugs and mark applications 
stable for a variety of ebuilds already available. 
Gentoo/PPC GameCD released
The PPC team has prototyped the first completely graphical LiveCD for the 
PowerPC platform, featuring a 3D multiplayer OpenGL/SDL game called 
Cube[13]. It was designed for the PegasosPPC; a CD variant for Macintosh 
hardware is already in the works. While the 198 MB GameCD is already 
available for download from the mirrors (in the experimental/ppc/livecd 
directory), a whole cluster of ODWs running Cube will be part of the 
presentations in the Gentoo developer room at FOSDEM[14] in Brussels, 
26-27 February 2005. 
Figure 1.1: Gentoo Linux GameCD for PPC artwork by Christian Hartmann
2. Future Zone
Project goals for 2005
Continuing our coverage of goals set by projects inside Gentoo Linux, this 
week we look at the plans of the Hardened group: 
 * Review of current approach and policies  
 * Improvement of CFLAGS filtering (especially "-fPIC" and 
 * Introduce AMD64/Sparc64/PPC64 stages, more hardware in the future as 
hardware is acquired 
 * Improved Grsecurity2 documentation 
 * Improved and extended SELinux support 
 * Develop and document RSBAC policies 
 * More and better documentation of everything 
 * Assimilate new developers 
 * Elect new Hardened Committee 
 * Introduce a forensics and rescue LiveCD 
 * Support and improve kernel patchsets 
 * Promote the Gentoo Hardened Project outside of Gentoo and raise 
awareness within Gentoo 
3. Gentoo security
Konversation: Various vulnerabilities
Konversation contains multiple vulnerabilities that could lead to remote 
command execution or information leaks. 
For more information, please see the GLSA Announcement[15] 
Evolution: Integer overflow in camel-lock-helper
An overflow in the camel-lock-helper application can be exploited by an 
attacker to execute arbitrary code with elevated privileges. 
For more information, please see the GLSA Announcement[16] 
AWStats: Remote code execution
AWStats fails to validate certain input, which could lead to the remote 
execution of arbitrary code. 
For more information, please see the GLSA Announcement[17] 
GraphicsMagick: PSD decoding heap overflow
GraphicsMagick is vulnerable to a heap overflow when decoding Photoshop 
Document (PSD) files, which could lead to arbitrary code execution. 
For more information, please see the GLSA Announcement[18] 
Perl: rmtree and DBI tmpfile vulnerabilities
The Perl DBI library and File::Path::rmtree function are vulnerable to 
symlink attacks. 
For more information, please see the GLSA Announcement[19] 
SquirrelMail: Multiple vulnerabilities
SquirrelMail fails to properly sanitize user input, which could lead to 
arbitrary code execution and compromise webmail accounts. 
For more information, please see the GLSA Announcement[20] 
ngIRCd: Buffer overflow
ngIRCd is vulnerable to a buffer overflow that can be used to crash the 
daemon and possibly execute arbitrary code. 
For more information, please see the GLSA Announcement[21] 
TikiWiki: Arbitrary command execution
A bug in TikiWiki allows certain users to upload and execute malicious PHP 
For more information, please see the GLSA Announcement[22] 
VDR: Arbitrary file overwriting issue
VDR insecurely accesses files with elevated privileges, which may result 
in the overwriting of arbitrary files. 
For more information, please see the GLSA Announcement[23] 
f2c: Insecure temporary file creation
f2c is vulnerable to symlink attacks, potentially allowing a local user to 
overwrite arbitrary files. 
For more information, please see the GLSA Announcement[24] 
ncpfs: Multiple vulnerabilities
The ncpfs utilities contain multiple flaws, potentially resulting in the 
remote execution of arbitrary code or local file access with elevated 
For more information, please see the GLSA Announcement[25] 
4. Heard in the community
Web forums
New old Portage utility
One of several Portage search utilities, portagedb, has been renamed to 
"Ebuild Index" or eix recently. Developer Pythonhead acknowledges that 
this alternative to esearch "gets better with every release" and lists eix 
in his meta-thread: 
 * eix - Ebuild IndeX (search utility)[26]  
 * Portage utilities not in portage[27]  
Is the beagle man's best friend?
A slow week in the English sections of the Forums, but the French had a go 
at a piece of software comparable to the much-hyped Spotlight[28] that 
Apple wants to integrate into their Tiger release of Mac OS X. It appears 
that the Mono-based Beagle[29] is not only a completely free Linux 
alternative to Apple's real-time desktop search, it's also already usable, 
at least to a certain degree... 
 * [HOWTO] Installation de Beagle 0.0.5[30] (in French)
Reminder on the ebuild upgrade policy
Jason Wever[31] sent out a reminder about ebuild upgrade policy: 
"Recently, there have been a lot of ebuild upgrades with arch keywords 
getting dropped completely. Please do not do this unless there is a 
specific reason for it (security bug, broken dependencies, see policy), 
and if there is a valid reason, please notify the affected arches as to 
why you have dropped their keywords." 
 31. weeve@g.o
 * ebuild upgrade reminder[32] 
[RFC] Versioned eclasses
Daniel Goller[33] and Patrick Lauer[34] started a thread asking for 
versioned eclasses. This proposal (which is a recurring topic every six 
months or so) was burnt to a crisp in one of the largest flamewars the 
gentoo-dev mailing list has seen in the last months, and remained 
 33. morfic@g.o
 34. patrick@g.o
 * Versioned eclasses[35] 
Gentoo-dev seems to be hacked
Around the same time as the "versioned eclasses" flamewar, a second 
high-traffic thread developed around signatures, identity and paranoia. 
The initial questions around possibly broken signatures got forgotten 
while devs and users discussed the problem of identity in mostly 
electronic communications and some other tangential questions. 
 * Gentoo-dev seems to be hacked?[36] 
BAS/c troubles
Ciaran McCreesh[37] pointed out some problems with the new Buildtime and 
Statistics client BAS/c. The following thread has lots of good information 
for all the ebuild hackers among you on how ebuilds should be written (and 
some good examples of what not to do). 
 37. ciaranm@g.o
 * BAS/c problems[38] 
5. Gentoo in the press
Gentoo/OpenSolaris media fallout
"Mixed feelings" best describe the open-source community's assessment of 
Sun's OpenSolaris release. Regardless whether they're critical of Sun's 
move or not, many authors tip their hats to Portaris and the 
Gentoo/OpenSolaris project as a very interesting aspect of it. Here's a 
list of press clippings covering both Sun's and Gentoo's announcements 
from around the world: 
 * Sun lays groundwork for OpenSolaris community[39] (Computerworld) 
 * Will Sun's 1600 patents suck the life out of Linux?[40] (CNET's David 
Berlind blogging, contains an interview with Pieter Van den Abeele[41]) 
 * Split Reactions to Sun's OpenSolaris[42] (Internet News) 
 * Gentoo announced for OpenSolaris[43] (in German) 
 * Gentoo soon also for Open Solaris[44] (Austrian daily newspaper Der 
Standard, in German) 
 * Gentoo supports "OpenSolaris" through its Portage package system[45] 
(MYCOM PC Web, in Japanese) 
 * Sun builds the foundation for an OpenSolaris community[46] (IT Media, 
in Japanese) 
 * What are the reactions to "open-source Solaris"?[47] (ditto) 
 41. pvdabeel@g.o
Mad Penguin (25 January 2005)
"Gentoo done right"[48] is the title of a Mad Penguin article about 
Vidalinux[49], the Gentoo spinoff that installs via Red Hat's Anaconda and 
supplies binaries on a Gentoo core system. The Puerto Rican distribution 
- "essentially a stage 3 install" - receives an enthusiastic review, and 
author Adam Doxtater closes by recommending it "to anyone with a desire to 
give Gentoo Linux a try but who might not have the time to compile 
everything from scratch to get a basic system up and running." 
Pro-Linux (25 January 2005)
The German online-only Linux magazine features the sales of Genesi's Open 
Desktop Workstations in an article on PegasosPPC-Workstations with Gentoo 
preinstalled[50]. Pro-Linux quotes last week's GWN announcement and adds a 
few notes on the platform in general, identifying - among other things - 
the ODW as "an Amiga reincarnation." 
6. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla[51] to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 23 January 2005 and 30 January 2005, activity on 
the site has resulted in: 
 * 844 new bugs during this period 
 * 516 bugs closed or resolved during this period 
 * 29 previously closed bugs were reopened this period 
Of the 7945 currently open bugs: 109 are labeled 'blocker', 240 are 
labeled 'critical', and 584 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
are: 
 * Gentoo Games[52], with 34 closed bugs[53]  
 * media-video herd[54], with 29 closed bugs[55]  
 * Gentoo KDE team[56], with 29 closed bugs[57]  
 * Netmon Herd[58], with 28 closed bugs[59]  
 * AMD64 Porting Team[60], with 25 closed bugs[61]  
 * Gentoo Security[62], with 20 closed bugs[63]  
 * Net-Mail Packages[64], with 19 closed bugs[65]  
 * Java team[66], with 17 closed bugs[67]  
 52. games@g.o
 54. media-video@g.o
 56. kde@g.o
 58. netmon@g.o
 60. amd64@g.o
 62. security@g.o
 64. net-mail@g.o
 66. java@g.o
New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * AMD64 Porting Team[68], with 26 new bugs[69]  
 * Gentoo X-windows packagers[70], with 14 new bugs[71]  
 * Gentoo Kernel Bug Wranglers and Kernel Maintainers[72], with 12 new 
 * Gentoo Sound Team[74], with 11 new bugs[75]  
 * media-video herd[76], with 11 new bugs[77]  
 * Gentoo Linux Gnome Desktop Team[78], with 11 new bugs[79]  
 * Java team[80], with 9 new bugs[81]  
 * Desktop Misc. Team[82], with 9 new bugs[83]  
 68. amd64@g.o
 70. x11@g.o
 72. kernel@g.o
 74. sound@g.o
 76. media-video@g.o
 78. gnome@g.o
 80. java@g.o
 82. desktop-misc@g.o
7. Moves, adds, and changes
The following developers recently left the Gentoo team:
 * None this week  
The following developers recently joined the Gentoo Linux team:
 * Fernando Serboncini (fserb) - Python 
 * Kyle England (kengland) - Infrastructure 
The following developers recently changed roles within the Gentoo Linux 
 * John Davis (zhen) - Stepped down from Release Engineering Strategic 
 * Aaron Walker (ka0ttic) - Joined netmon 
 * Daniel Black (dragonheart) - Left embedded - joined ppc and netmon 
 * Otavio Rodolfo Piske (AngusYoung) - Joined netmon 
8. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 
 84. gwn-feedback@g.o
9. GWN feedback
Please send us your feedback[85] and help make the GWN better.
 85. gwn-feedback@g.o
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under.
11. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[86]  
 * Dutch[87]  
 * English[88]  
 * German[89]  
 * French[90]  
 * Japanese[91]  
 * Italian[92]  
 * Polish[93]  
 * Portuguese (Brazil)[94]  
 * Portuguese (Portugal)[95]  
 * Russian[96]  
 * Spanish[97]  
 * Turkish[98]  
Ulrich Plate <plate@g.o> - Editor
Daniel Black <dragonheart@g.o> - Author
Danny van Dyk <kugelfang@g.o> - Author
Patrick Lauer <patrick@g.o> - Author

gentoo-gwn@g.o mailing list