Gentoo Archives: gentoo-gwn

From: Kurt Lieber <klieber@g.o>
To: gentoo-gwn@g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter -- Volume 2, Issue 15
Date: Mon, 14 Apr 2003 09:26:32
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of April 14th, 2003.
1. Gentoo News
 * Gentoo Linux 1.4_rc4 Released 
 * New Unreal Tournament 2003 Game CD 
Gentoo Linux 1.4_rc4 Released
Earlier this week, the decision was made to release the next version of 
Gentoo Linux 1.4 as Release Candidate 4, rather than Final. Improvements 
to the rc4 release include much better hardware detection on the LiveCD 
installation disc as well as major updates to various packages in the 
Portage tree. The decision to issue another release candidate was made due 
to a number of reasons, including: 
 * Binary packages required for the Gentoo Reference Platform have yet to 
   be built or tested. Until these are completed, 1.4_final cannot be 
 * The version of baselayout currently marked as "stable" still depends on 
   tmpfs. One of the goals of 1.4 from the beginning was to eliminate 
   baselayout's dependency on tmpfs. There is a masked version of baselayout 
   in Portage that solves this issue, but it has not received adequate 
   testing as of yet. (Anyone using or willing to test this version of 
   baselayout is encouraged to report their results on Gentoo Stable[1]) 
 * Automated Kernel Building is currently undergoing testing for inclusion 
   in 1.4_final 
New Unreal Tournament 2003 Game CD
A new Unreal Tournament 2003 Game CD has been released and can be 
downloaded here[2] as well as any of our other mirrors[3]. This CD allows 
you to run the Unreal Tournament 2003 demo directly from CD, with no 
installation required. Just boot your computer from the CD and play! The 
latest CD includes a highly-optimized gaming kernel, which significantly 
improves overall gameplay. Other improvements include the latest NVIDIA 
drivers (1.0.4349) with GeForce FX support, preliminary bootsplash 
support, full autodetection of all hardware and countless other 
enhancements. This GameCD does require a modern NVIDIA graphics card to 
run the ut2003-demo. 

You can also run the latest demo on your existing Gentoo Linux system 
provided you have a modern NVIDIA graphics card. Just type emerge 
ut2003-demo and then type ut2003-demo to start the game. The use of the 
gaming-sources kernel is recommended for optimum gaming performance and 
2. Gentoo Security
 * GLSA: samba 
 * GLSA: kde-3.x 
 * GLSA: kde-2.x 
 * GLSA: setiathome 
 * GLSA: apache 
 * New Security Bug Reports 
GLSA: samba
The Samba server is subject to a buffer overflow in a string copy routine 
that could be exploited to gain remote root access to the vulnerable 
 * Severity: Critical - Potential remote root compromise. 
 * Packages Affected: net-fs/samba versions prior to samba-2.2.8a 
 * Rectification: Synchronize and emerge samba, emerge clean. 
 * GLSA Announcement[4] 
 * Advisory[5] 
GLSA: kde-3.x
KDE's use of Ghostscript to process PostScript and PDF files is subject to 
a security vulnerability permitting the execution of arbitrary shell 
commands embedded in such files, using the user privilege level. This 
attack could be implemented by posting maliciously crafted files to 
webservers or embedding them in emails. 
 * Severity: Critical - Remote execution of commands, information 
 * Packages Affected: kde-base/kde version 3 prior to kde-3.0.5b or 
 * Rectification: Synchronize and emerge kde OR \=kde-base/kde-3.0.5b, 
   emerge clean, restart kde. 
 * GLSA Announcement[6] 
 * Advisory[7] 

The patch versions of kde are currently only marked stable for x86. If 
you have successfully compiled and merged 3.1.1a or 3.0.5a on any other 
architecture please report this to kde@g.o [7].    

GLSA: kde-2.x
KDE's use of Ghostscript to process PostScript and PDF files is subject to 
a security vulnerability permitting the execution of arbitrary shell 
commands embedded in such files, using the user privilege level. This 
attack could be implemented by posting maliciously crafted files to 
webservers or embedding them in emails. 
 * Severity: Critical - Remote execution of commands, information 
 * Packages Affected: 
 * kde-base/kdebase version 2 prior to kdebase-2.2.2-r5 
 * kde-base/kdelibs version 2 prior to kdelibs-2.2.2a-r1 
 * kde-base/kdegraphics version 2 prior to kdegraphics-2.2.2-r2   
 * Rectification: 
 * emerge sync 
 * emerge \=kde-base/kdebase-2.2.2-r5 
 * emerge \=kde-base/kdelibs-2.2.2a-r1 
 * emerge \=kde-base/kdegraphics-2.2.2-r2 
 * emerge clean 
 * restart kde   
 * GLSA Announcement[8] 
 * Advisory[9] 
GLSA: setiathome
The popular Seti-At-Home distributed computing client application is 
subject to a buffer overflow vulnerability that could be used to execute 
arbitrary code - this would require spoofing of the client connection to 
the server. The client also transmits system information in plain text, 
including processor type and OS. 
 * Severity: High - Remote execution of code, information compromise. 
 * Packages Affected: app-sci/setiathome versions prior to setiathome-3.08 
 * Rectification: Synchronize and emerge setiathome, emerge clean. 
 * GLSA Announcement[10] 
 * Advisory[11] 

GLSA: Apache
Version 2 of the Apache HTTP server is subject to a memory leak in the way 
it handles large numbers of consecutive linefeed characters. This could be 
used by a remote attacker to exhaust system resources on a vulnerable 
 * Severity: Moderate - Remote DoS. 
 * Packages Affected: net-www/apache version 2 prior to apache-2.0.45 
 * Rectification: Synchronize and emerge \=net-www/apache-2.0.45, emerge 
 * GLSA Announcement[12] 
 * Advisory[13] 
New Security Bug Reports
There were no new security bugs this week that are still outstanding. 
3. Featured Developer of the Week
Bob Johnson
The Gentoo LiveCD is the tool that got Gentoo Linux onto most people's 
systems and is often the first impression of Gentoo that users get. This 
week's featured developer, Bob Johnson[14], is in charge of the livecd-ng 
scripts that are used to make the LiveCDs (curious readers can go ahead 
and emerge it since it's in Portage), and has been building the last few 
x86 LiveCDs. His work with the LiveCDs mostly involves listening to users 
complain about how they can't get the LiveCD to boot or get their NIC 
working, and then working to fix the problem. Bob's involvement with the 
Gentoo team began when he was suddenly asked to get the xfs-sources kernel 
ready for the 1.4-rc2 LiveCD in 24 hours when he had only been running 
Gentoo for about two weeks. In addition to working on livecd-ng and the 
x86 CDs, Bob also maintains xfs-sources and gs-sources (to find out about 
these and other kernels, read KC6:Which Sources?[15] in the forums.) 

 14. livewire@g.o
Bob's main box is an Athlon XP 2100+ with 512MB RAM, seven hard drives 
(four SCSI, three IDE), dual NVIDIA cards with a 19-inch monitor attached 
to each and running KDE, which Bob used to think was ugly but now, at 
version 3.1, loves. He uses VMWare a lot for testing, and doesn't know 
what he'd do without it. 
Bob owns a concrete and excavating company, and has been in the business 
for seventeen years. He's been married for fifteen years, has a 
thirteen-year-old-daughter, and has two beagles in his home in 
Indianapolis, Indiana. During the summer he spends a lot of time at the 
lake, slalom water skiing, and waxing the 20-foot Caravelle he bought last 
year when he isn't boating. 
4. Heard In The Community
Web Forums
Happy Birthday, Gentoo Forums!
The first post to the freshly installed Gentoo Forums was an announcement 
by Forum founder Nitro on 9 April 2002: "This forum is my shot at helping 
users of Gentoo (including myself)." What started as a humble affair on a 
cable connection has quickly developed into one of the most successful and 
exciting tech support venues on the web, with an average of 700 new posts 
every day, five-digit user head count and a peculiar atmosphere that sets 
it apart from most other Linux forums. People here are polite, eloquent, 
uncommonly helpful to others and generally the best of folks. 
Congratulations to us all:
 * Welcome to[16] 
 * FORUMS ARE ONE YEAR OLD Tue Apr 09, 2002 9:20 am[17] 
 * Gentoo forum users are the best...[18] 
Automatic Hardware Configuration Using Profiles
Making clever use of the runlevels in Gentoo, Optilude contributed 
scripts and documentation for configuring your hardware according to 
different profiles last week, thank you very much:

 * Automatic system configuration based on hardware profiles[20] (French) 
Running Business Software in Gentoo: How to Install Oracle 9.2
Problems with Oracle under Gentoo Linux had been dragging on since 
December, doubtlessly due to problems with gcc and its libraries. Finally 
we've come to a happy ending. Make sure your glibc is in order, run the 
Oracle installer and enjoy:
 * How to run Oracle 9.2 with glibc 2.3.1-r3[21] 
 * Installing Oracle Client on Gentoo 1.4[22] 


Getting the most USE out of it...
The USE flag system portage implements may well pose as a source of 
anxiety for the Gentoo newbie. Carlos Gonzalez began a thread exemplifying 
the somewhat complicated process of having to modify USE flags on a per 
package basis (stripping JAVA for a PHP emerge). Thankfully the thread[23] 
mentioned a tool created to simplify the process of managing these USE 
flags, ufed -- Use Flag Editor, where flags are explained and can be 
toggled on and off. Carl Hudkins noted his *wish*[24] that ufed would be 
included on Gentoo's LiveCD. 

 * What does USE="-java" have to do with php emerge?[25] 

p2p for the masses
It's finally happened, p2p has gone mainstream and the sheer amount of 
KaZa'ers are rivaling the once dominant Napster network. While some Gentoo 
users have jumped on the bandwagon by installing Kazaa lite using wine (a 
MS Windows emulator), Chris Graves wants to get down with p2p clients 
native to Linux. The good news is that Linux is far from lacking in p2p 
clients, and that the network was in fact pioneered with open source 
clients developed for Linux. Keppy mentions Gentoo's commitment to these 
programs in the form of the portage directory: /usr/portage/net-p2p/. 
Limewire[26] a popular open source p2p client written in Java was also 
recommended, though not in portage. 

 * p2p client?[27] 

Performance in Gentoo
The Linux kernel project has given rise to quite a few derivatives over 
the years. And while the Kernel project tries to maintain a stable kernel 
befitting a general public. The spawned derivatives implement a wide 
variety of changes often brought by many different people. This plethora 
of minds and opinions going into the kernel is its strength. Then 
naturally it becomes hard to choose.
One way to reduce the dilemma of choosing is simply trying out the 
different major distributions. This way we can see how the specific 
distribution performs the task it is set to do.
While performing a little speed test, this user[28] noticed that 
apparantly the Gentoo kernel had a relative performance low compared to 
the Red Hat installed kernel.

The discussion itself evolves around a specific system call monitored with 
a specific lmbench[29]. But for those of you eeking to test your linux box 
here are a couple of resources you might want to take a look at.

First of all, don't forget that the kernel is not the distribution. Never 
compare the incomparable. Remember, similar configurations, similar 
platforms, similar patches and so on. Now, having a good test foundation 
we need a tool - which Gentoo provides here[30]. And there is a 
benchmarking howto available at TLDP[31]

Now, as annoying as this can be, the trick is knowing what flag goes with 
what package. And also remember that there are default flags set.
The way around the first dilemma is to run the command "emerge -pv 
[package_name]" this will show what flags go with what package package
And the default flags are not apparant either. However the command "grep 
-A 3 USE /etc/make.profile/make.defaults" will reveal the secret. But 
caution, do not change the make.defaults. Rather modify your make.conf and 
you can even build your own USE string from scratch. To compose your own 
list of USE flags you set USE="-* [your flag list]". Where "-*" unsets all 
flags and "[your flag list]" simply is the string of flags you choose to 
Gentoo as a binary release?
The question was raised as to why Gentoo does not provide a binary package 
system[32]. Binary vs. source has always been a point of contention among 
Gentoo users. Many want the convenience and speed offered by binary 
packages while others decry such efforts as taking focus away from making 
Gentoo Linux the best source-based distribution available.

As some users may already know, Gentoo Linux is working on providing a 
limited subset of binary packages in the form of the Gentoo Reference 
Platform. Applications such as KDE, XFree86 and other large applications 
will be offered in both source and binary form in order to provide a 
choice to our users. The first "official" release of the Gentoo Reference 
Platform will come with the final release of Gentoo Linux 1.4. 
5. Gentoo International
Taiwanese Gentoo Initiatives Merging
In a big push for the fledgling Chinese Gentoo user communities, Gentoo 
Taiwan GOT,[33] was set up last week. Patrick Hsieh, 
the coordinator, and a few zealous Gentooists are merging their strength 
to establish a local Gentoo organization in Taiwan. They're not only 
promoting Gentoo to the Taiwanese Linux user sphere, but also making every 
effort to help localizing Gentoo Linux for the realm of the Big5 Chinese 
encoding. "We already have a dedicated rsync server ( 
and an ambitious new forum ([34] plus an almost 
ready gentoo FTP server( And definitely more and more 
users will see how we make the difference," says Patrick Hsieh. The GOT 
web portal is also under construction and about to be unveiled in a few 

Meanwhile Back in Reality: Italian Consultancy Deploys Gentoo Linux
Verona, a rather attractive spot in Northern Italy, is better known for 
its historic arena dating from the Roman empire (and notorious for 
butchering opera master pieces at that same location). A lesser known fact 
is that it's currently spearheading Gentoo's move to professional 
corporate use: Euronia[36], a technology consultancy firm in Verona, made 
the switch from SuSE to Gentoo Linux for their own computers as early as 
release 1.0, and started offering services based on Gentoo six months ago. 
Their customers include Banca Populare di Verona e Ravenna, the largest 
banking group in the region, where Euronia set up a proxy for 7500 users, 
a reverse SSL proxy, secure FTP and other servers, all powered by Gentoo 
Linux. At Antex (a major HR consultancy in Italy), the tax calculations 
for 150,000 pay checks each month are done on a Gentoo-based SQL server, 
and a handful of other banks had Euronia switch their web servers to 
Gentoo as their operating system, too. Euronia's push for Gentoo Linux in 
corporate server solutions is easily explained: "We find that Gentoo Linux 
is the most advanced distro available", says Andrea Gagliardi, head of 
technology at Euronia. "We build solutions for customers, like the servers 
we usually base on EVMS-enabled Vanilla kernels with a dozen other stable 
patches thrown in, or our embedded Xfree on Aquapads (diskless tablet 
PCs). Nothing we've tried makes setting up and deploying all those 
customizations more manageable than Gentoo". 

6. Portage Watch
The following stable packages were added to portage this week
 * dev-lang/nhc98 : Haskell 98 compiler[37] 
 * dev-ruby/yamlrb : Machine parsable data serialization format designed 
   for human readability[38] 

Updates to notable packages
 * sys-apps/portage - portage-2.0.48_pre2.ebuild;  
 * x11-base/xfree - xfree-4.3.0-r2.ebuild;  
 * kde-base/kde - kde-3.0.5b.ebuild; kde-3.1.1a.ebuild;  
 * sys-kernel/* - hardened-sources-2.4.20-r1.ebuild; 
   hppa-sources-2.4.20_p32.ebuild; mm-sources-2.5.67-r1.ebuild; 
7. Bugzilla
 * Statistics 
 * Closed Bug Ranking 
 * New Bug Rankings 
The Gentoo community uses Bugzilla ([39]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. In the last 7 days, activity on the site has resulted 

 * 261 new bugs this week 
 * 302 bugs closed or resolved this week 
 * 7 previously closed bugs were reopened this week. 
 * 2493 total bugs currently marked 'new' 
 * 452 total bugs currently assigned to developers 
There are currently 3010 bugs open in bugzilla. Of these: 55 are labeled 
'blocker', 119 are labeled 'critical', and 245 are labeled 'major'. 
Closed Bug Rankings
The developers and teams who have closed the most bugs this week are: 
 * Martin Schlemmer[40], with 32 closed bugs[41] 
 * Tom Payne[42], with 13 closed bugs[43] 
 * Alastair Tse[44], with 12 closed bugs[45] 
 * The Mirror Administrators[46], with 7 closed bugs[47] 
 * Seth Chandler[48], with 7 closed bugs[49] 
 40. azarah@g.o
 42. twp@g.o
 44. liquidx@g.o
 46. mirror-admin@g.o
 48. sethbc@g.o

New Bug Rankings
The developers and teams who have been assigned the most new bugs this 
week are: 
 * Seemant Kulleen[50], with 20 new bugs[51] 
 * Martin Schlemmer[52], with 19 new bugs[53] 
 * The KDE team[54], with 19 new bugs[55] 
 * The x86-kernel Team[56], with 19 new bugs[57] 
 * Nicholas Jones[58], with 16 new bugs[59] 
 50. seemant@g.o
 52. azarah@g.o
 54. kde@g.o
 56. x86-kernel@g.o
 58. carpaski@g.o

8. Tips and Tricks
Using /dev/loop to view a CD image
This week's tip explains how to use the loop device to view or share files 
from a CD image or ISO file. 
First, you need to make sure you have support in your kernel. It can be 
configured as a module so there's no need to reboot if you don't have 
| Code Listing 8.1:                                                       |
| Installing the kernel module                                            |
|                                                                         |
|configure the following option                                           |
|Block Devices                                                            |
|-> <M> Loopback device support                                           |
|                                                                         |
|#  make dep && make modules modules_install                              |
|#  insmod loop                                                           |
|                                                                         |
To view the contents of an iso file, just mount the iso on a loopback 
device. For example, here we mount gentoo-basic-x86-1.4_rc4.iso to 
| Code Listing 8.2:                                                       |
| Mounting an iso on a loopback                                           |
|                                                                         |
|# mount gentoo-basic-x86-1.4_rc4.iso gentoo-1.4_rc4 -o \                 |
|  loop=/dev/loop1,blocksize=1024                                         |
|                                                                         |
Now you can view the directory gentoo-1.4_rc4 just as if it were part of 
your regular filesystem. 
9. Moves, Adds and Changes
The following developers recently left the Gentoo team: 
 * none this week 
The following developers recently joined the Gentoo Linux team:
 * Ivan Zenkov (zenkov) -- Russian documentation 
 * Andres Loeh (kosmikus) -- haskell stuff 
 * Michele Balistreri (brain) -- KDE 
 * Todd Sunderlin (todd) -- Gentoo/Sparc 
 * Joshua Kinard (Kumba) -- Gentoo/Sparc, Gentoo/Mips 
The following developers recently changed roles within the Gentoo Linux 
 * none this week 
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 

 60. gwn-feedback@g.o
11. GWN Feedback
Please send us your feedback[61] and help make GWN better.

 61. gwn-feedback@g.o
12. Other Languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Dutch[62] 
 * English[63] 
 * German[64] 
 * French[65] 
 * Japanese[66] 
 * Italian[67] 
 * Portuguese (Brazil)[68] 
 * Portuguese (Portugal)[69] 
 * Spanish[70] 

Kurt Lieber <klieber@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Contributor
Brice Burgess <nesta@×××××××.net> - Contributor
Yuji Carlos Kosugi <carlos@g.o> - Contributor
Rafael Cordones Marcos <rcm@×××××××.net> - Contributor
David Narayan <david@×××××××.net> - Contributor
Ulrich Plate <plate@g.o> - Contributor
Peter Sharp <mail@××××××××××××××.net> - Contributor
Kim Tingkaer <kim@×××××××.dk> - Contributor
Mathy Vanvoorden <matje@×××××××.be> - Dutch Translation
Tom Van Laerhoven <tom.vanlaerhoven@××××××.be> - Dutch Translation
Peter Dijkstra <phj.dijkstra@××××.nl> - Dutch Translation
Bernard Bernieke <bernieke@××××××××.com> - Dutch Translation
Vincent Verleye <zu@×××××××.be> - Dutch Translation
Jochen Maes <linux@××××.be> - Dutch Translation
Ben De Groot <yngwin@××××××.nl> - Dutch Translation
Jelmer Jaarsma <j.jaarsma@××××××××××××××××××.nl> - Dutch Translation
Matthieu Montaudouin <mat@××××××××.com> - French Translation
Martin Prieto <riverdale@×××××××××.org> - French Translation
Michael Kohl <citizen428@g.o> - German Translation
Steffen Lassahn <madeagle@g.o> - German Translation
Matthias F. Brandstetter <haim@g.o> - German Translation
Thomas Raschbacher <lordvan@g.o> - German Translation
Klaus-J. Wolf <yanestra@×××.de> - German Translation
Marco Mascherpa <mush@××××××.net> - Italian Translation
Claudio Merloni <paper@×××××××.it> - Italian Translation
Christian Apolloni <bsolar@×××××××.ch> - Italian Translation
Daniel Ketel <kage-chan@g.o> - Japanese Translation
Yoshiaki Hagihara <hagi@×××.com> - Japanese Translation
Andy Hunne <andy@×××××××××.com> - Japanese Translation
Yuji Carlos Kosugi <carlos@g.o> - Japanese Translation
Yasunori Fukudome <yasunori@××××××××××××××××.uk> - Japanese Translation
Ventura Barbeiro <venturasbarbeiro@××××××.br> - Portuguese (Brazil) 
Bruno Ferreira <blueroom@××××××××××××.net> - Portuguese (Portugal) 
Gustavo Felisberto <gustavo@××××××××××.net> - Portuguese (Portugal) 
Ricardo Jorge Louro <rjlouro@×××××××.org> - Portuguese (Portugal) 
Lanark <lanark@××××××××××.ar> - Spanish Translation
Rafael Cordones Marcos <rcm@×××××××.net> - Spanish Translation
Julio Castillo <julio@×××××××××××××.com> - Spanish Translation
Sergio Gómez <s3r@××××××××××××.ar> - Spanish Translation
Pablo Pita Leira <pablo.leira@×××××××××.com> - Spanish Translation
Carlos Castillo <carlos@×××××××××××××.com> - Spanish Translation
Tirant <tirant@×××××.net> - Spanish Translation
Jaime Freire <jfreire@××.com> - Spanish Translation
Lucas Sallovitz <krusty_ar@×××××.com> - Spanish Translation