Gentoo Archives: gentoo-gwn

From: Yuji Carlos Kosugi <carlos@g.o>
To: gentoo-gwn@g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter -- Volume 2, Issue 36
Date: Mon, 06 Oct 2003 15:01:46
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of October 6th, 2003.
1. Gentoo News
 * Gentoo Linux Performance Metrics 
Gentoo Linux Performance Metrics
On 23 Sep 2003, Jose Alberto Suarez Lopez gave a presentation[1] at 
HispaLinux 2003[2] where he demonstrated the load-time performance of the 
official Gentoo Linux 1.4 release. Gentoo Linux 1.4 for Pentium III, with 
and without prelink, were compared with a default Mandrake 9.1 
installation on a Pentium III. The results - Gentoo Linux 1.4 with prelink 
did better than Mandrake 9.1 across the board, and even without prelinking 
Mozilla loaded nearly twice as quickly in Gentoo, and NetBeans loaded more 
than twice as fast. 

The conclusions we can glean from this are that the default optimizations 
in Gentoo Linux for Pentium III make a significant difference in "real 
world" application load-time performance. Also, prelinking seems to 
greatly improve the load time of KDE apps. Gentoo Linux is able to 
generally deliver better overall performance than other Linux 
distributions because we try to offer the latest and best free software 
technologies to our users, like the latest compiler toolchains, and 
because we ship pre-built binary packages that have been optimized for 
specific CPU models (and also provide an easy way for users to "build 
Gentoo from scratch"). For more information, read the rest of the 
findings[3]. To pick up your own optimized build or release of Gentoo, 
visit the Gentoo Store[4]. 

2. Gentoo Security
 * GLSA: teapop 
 * GLSA: mpg123 
 * GLSA: net-ftp/proftpd 
 * GLSA: media-video/mplayer 
 * GLSA: openssl 
GLSA: teapop
teapop suffers from a SQL injection in the PostgreSQL and MySQL 
authentication module.
 * Severity: High - SQL injection, remote exploit. 
 * Packages Affected: <teapop-0.3.7 
 * Rectification: emerge sync; emerge teapop; emerge clean 
 * GLSA Announcement[5] 
GLSA: mpg123
mpg123 contains a heap-based buffer overflow that would allow a remote 
attacker to execute arbitrary code on the victim's machine.
 * Severity: High - buffer overflow. 
 * Packages Affected: <0.59r-r3  
 * Rectification: emerge sync; emerge mpg123; emerge clean 
 * GLSA Announcement[6] 
GLSA: net-ftp/proftpd
ISS X-Force discovered a vulnerability that could be triggered when a 
specially crafted file is uploaded to a proftpd server.
 * Severity: High - ASCII File Remote Compromise Vulnerability. 
 * Packages Affected: <net-ftp/proftpd-1.2.9_rc2  
 * Rectification: emerge sync; emerge '>=net-ftp/proftpd-1.2.9_rc2'; 
emerge clean 
 * GLSA Announcement[7] 
GLSA: media-video/mplayer
A remotely exploitable buffer overflow vulnerability was found in MPlayer. 
A malicious host can craft a harmful ASX header, and trick MPlayer into 
executing arbitrary code upon parsing that header.
 * Severity: High - Buffer Overflow Vulnerability 
 * Packages Affected: <mplayer-0.91 =mplayer-1.0_pre1  
 * Rectification: emerge sync; emerge =media-video/mplayer-0.92; emerge 
 * GLSA Announcement[8] 
GLSA: openssl
Quote from OpenSSL advisory:
"1. Certain ASN.1 encodings that are rejected as invalid by the parser can 
trigger a bug in the deallocation of the corresponding data structure, 
corrupting the stack. This can be used as a denial of service attack. It 
is currently unknown whether this can be exploited to run malicious code. 
This issue does not affect OpenSSL 0.9.6.
2. Unusual ASN.1 tag values can cause an out of bounds read under certain 
circumstances, resulting in a denial of service vulnerability.
3. A malformed public key in a certificate will crash the verify code if 
it is set to ignore public key decoding errors. Public key decode errors 
are not normally ignored, except for debugging purposes, so this is 
unlikely to affect production code. Exploitation of an affected 
application would result in a denial of service vulnerability.
4. Due to an error in the SSL/TLS protocol handling, a server will parse a 
client certificate when one is not specifically requested. This by itself 
is not strictly speaking a vulnerability but it does mean that *all* 
SSL/TLS servers that use OpenSSL can be attacked using vulnerabilities 1, 
2 and 3 even if they don't enable client authentication."
 * Severity: Medium - remote exploit 
 * Packages Affected: <0.9.6k 
 * Rectification: emerge sync; emerge openssl; emerge clean 
 * GLSA Announcement[9] 
New Security Bug Reports
The following new security bugs were posted in the past week: 
 * Apache 2.0.47 & mod_cgi: denial of service[10] 
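
To check a host against the "Packages Affected" lines above, the following added example (not part of the original newsletter or of Portage) compares installed package versions with those ranges. The version ordering is a simplified form of Gentoo's rules, and the sample package list, including the net-mail, media-sound and dev-libs categories, is constructed.

```python
import re

# "Packages Affected" specs from this issue's GLSA entries. Where the page
# gives only a version (mpg123, openssl), the name comes from the GLSA heading.
AFFECTED = {
    "teapop": [("<", "0.3.7")],
    "mpg123": [("<", "0.59r-r3")],
    "proftpd": [("<", "1.2.9_rc2")],
    "mplayer": [("<", "0.91"), ("=", "1.0_pre1")],
    "openssl": [("<", "0.9.6k")],
}

SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
VER_RE = re.compile(
    r"(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?P<suf>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?"
)
# Optional "category/", then the package name, then a trailing version.
PKG_RE = re.compile(r"(?:[^/\s]+/)?(?P<name>.+?)-(?P<ver>\d[^-\s]*(?:-r\d+)?)")


def version_key(version):
    """Sort key for a Gentoo-style version. Simplification (assumption):
    numeric components compare as integers; leading zeros get no special case."""
    m = VER_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(n) for n in m["nums"].split("."))
    sufs = tuple(
        (SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m["suf"])
    )
    # The terminator makes "no suffix" sort after _rc and before _p.
    return (nums, m["letter"], sufs + ((SUFFIX_RANK[""], 0),), int(m["rev"] or 0))


def is_affected(name, version):
    """True if name-version falls inside a range listed in AFFECTED."""
    specs = AFFECTED.get(name)
    if not specs:
        return False
    key = version_key(version)
    return any(
        (op == "<" and key < version_key(bound))
        or (op == "=" and key == version_key(bound))
        for op, bound in specs
    )


def audit(installed_lines):
    """Return the installed packages that still need the GLSA update."""
    hits = []
    for line in installed_lines:
        atom = line.rstrip("* \t\n").strip()
        m = PKG_RE.fullmatch(atom)
        if m and is_affected(m["name"], m["ver"]):
            hits.append(atom)
    return hits


# Constructed sample, in the "category/name-version *" shape qpkg prints.
SAMPLE = """\
net-mail/teapop-0.3.7 *
media-sound/mpg123-0.59r-r2 *
net-ftp/proftpd-1.2.9_rc1 *
media-video/mplayer-1.0_pre1 *
dev-libs/openssl-0.9.6k *
sys-apps/vcron-3.0.1-r1 *
""".splitlines()

if __name__ == "__main__":
    for atom in audit(SAMPLE):
        print("update needed:", atom)
```

On a real system the input lines would come from a listing of installed packages with versions, such as the output of qpkg --installed --verbose.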
3. Featured Developer of the Week
Thomas Raschbacher
Figure 3.1: Thomas Raschbacher
This week, we are featuring Thomas Raschbacher[11] (LordVan), the head of 
Gentoo's printing team and frequent contributor of fixes and ebuilds for 
python and DVB. He also serves on the German translation team, including 
managing the translation of our beloved GWN. He primarily works on 
developing new ebuilds and patching old ones. In addition to his work with 
Gentoo, Thomas has provided translation for the Gnome project and patch 
work for Twisted[12], as well as some work on smaller projects. He is 
quite proud of some of the web development work he has completed using 
Twisted, and plans to open source it. 

 11. LordVan@g.o
Thomas is a relatively old hand at Linux, having started with Slackware in 
1996. He moved to Gentoo almost immediately on hearing of the project in 
August of 2002. Thomas became a developer for the distro in December of 
that year, after (as he says) "being too annoying about my ebuilds and 
fixes getting submitted" to Seemant Kulleen[13]. Thomas describes Gentoo 
as a "damn nice distro that I wish I could do more for". 

 13. seemant@g.o
Thomas lives in Judenau-Baumgarten, Lower Austria. He has completed 
Technical Informatics studies at Higher Technical School as well as his 
Matura (equivalent to A-Levels or Matriculation). He is self-employed in 
computer sales consulting, including web design and Linux support. He is 
an avid martial artist, currently studying Ninjutsu[14] (as well as 
studying Japanese). He also enjoys traditional geek fare of Star Trek, 
Anime and Manga. In that vein, the favorite quote he shared is from the 
Anime classic End of Evangelion (a conversation between the characters 
Shinji and Rei): "Then... where is my dream? It is the continuation of 
reality. Where is... my reality? It is at the end of your dream.". 
Finally, Thomas is active in organizing and attending LAN parties.[15] 

Thomas does most of his work on a Celeron server, development workstation 
and a production web server. In addition, he has a laptop, a Zaurus 
handheld, and an assortment of test stations and servers. His primary 
development tools include python, sed and grep. He communicates using 
mutt, MozillaFirebird, Xchat-2 and MozillaThunderbird. He is also fond of 
gnotime, a fully-featured time tracker. Like many of us, his first task on 
waking is to check his email. 
4. Heard in the Community
Latter Days PHP
Back in the days of just a few thousand Forum users, excessive 
trigger-happiness used to be the cause whenever triplets or even more 
copies of the same post appeared in the Forums. These days the reason for 
repetitive postings (vulgo: postorrhea) is sluggish to non-forthcoming 
responses from the database whenever someone hits the submit button under 
heavy traffic conditions, and yes, multiple posts can indeed occur even if 
the submit button is hit only once. The moderators of the German forum, to 
alleviate the burden a little, have started asking people to point out 
useless, duplicate, very old and unanswered threads that may be deleted 
without anyone missing them. Meanwhile, the hardly bearable performance 
issues have led site admin klieber[16] to kick off an open discussion 
about possible alternatives to the current forum software, phpBB, 
soliciting opinions about commercial packages as a potential replacement:

 * Migrating to a commercial PHP-based forums package[17] 
 * Ablösung von phpBB? Boardprobleme und Co.[18] (in German)
Portage on the Web
With being shelved for the time being, and the package 
database on the main Gentoo website[19] somewhat tightlipped when it comes 
to comments and status overviews for packages, thrasher6670[20] had the 
idea to set up a semi-automated, yet interactive site[21] keeping track of 
the content of the Portage tree and offering possibilities to add user 
impressions for each package. From what he says himself in the thread he 
started (repeated on site), thrasher6670 could use some help with the web 

 * Portage website (the thread)[22] 
 * Portage website (the site)[23] 
Non-English GWN Via Mail
Yes, it's possible, even without mailing lists for each individual 
language. Thanks to Ginko[24] for his nice little Perl script that 
automatically downloads, converts and mails fresh GWN copies whenever they 
appear at the Gentoo website:

 * GWN automagically sent to your Mailbox[25]
Benchmarking/Tweaking your Videocard 
Want to get that last FPS out of your ATI/Nvidia video adapter? Might want 
to check out this interesting thread on testing and configuring 
AGPGART[26]. 

Lightweight FileManagers for Gentoo 
Many users were attracted to Gentoo because it offered a lightweight, 
"only what you want" type solution for their needs. Likewise, some users 
enjoy the same kind of desktop. Take a look at this thread[27] for a few 
suggestions. 

The Great Gentoo Bug Hunt!
Don't bother with looking for Easter eggs at Easter, start looking for 
some Gentoo bugs and win some free hardware! Interested in becoming a 
master sleuth for Gentoo? Have a look here[28] for the guidelines, and 
start squashing!

5. Gentoo International
Germany: Reminders for this Week's Events
The Frankfurt area Gentooists managed to sneak their meeting past the GWN: 
It was announced, held and over before we looked at the corresponding 
forum thread... However, this year's busiest German Gentoo week is about 
to start, and we would like to hammer a few reminders home to anyone in 
the general area at that time:
 * 8 October: Ruhrgebiet Gentoo User Meeting in Oberhausen[29] (precise 
location description at the link)
 * 9 October: Köln/Bonn Gentoo User Meeting in Bonn[30]
 * 11 October: Practical Linux Day in Gießen[31] (featuring a Gentoo booth 
and presentation)

6. Portage Watch
Portage Watch is on hiatus this week.
7. Bugzilla
 * Statistics 
 * Closed Bug Ranking 
 * New Bug Rankings 
The Gentoo community uses Bugzilla ([32]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 26 September 2003 and 02 October 2003, activity 
on the site has resulted in: 

 * 496 new bugs during this period 
 * 464 bugs closed or resolved during this period 
 * 13 previously closed bugs were reopened this period 
Of the 4140 currently open bugs: 92 are labeled 'blocker', 196 are labeled 
'critical', and 335 are labeled 'major'. 
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period 
 * George Shapovalov[33], with 37 closed bugs[34]  
 * Gentoo Linux Gnome Desktop Team[35], with 26 closed bugs[36]  
 * PHP Bugs Team[37], with 22 closed bugs[38]  
 * Gentoo Games[39], with 20 closed bugs[40]  
 * Gentoo Sound Team[41], with 14 closed bugs[42]  
 33. george@g.o
 35. gnome@g.o
 37. php-bugs@g.o
 39. games@g.o
 41. sound@g.o

New Bug Rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Portage team[43], with 25 new bugs[44]  
 * Martin Schlemmer[45], with 13 new bugs[46]  
 * Gentoo Linux Gnome Desktop Team[47], with 11 new bugs[48]  
 * x86 Kernel Team[49], with 10 new bugs[50]  
 * Gentoo Sound Team[51], with 9 new bugs[52]  
 43. dev-portage@g.o
 45. azarah@g.o
 47. gnome@g.o
 49. x86-kernel@g.o
 51. sound@g.o

8. Tips and Tricks
Using qpkg
This week's tip demonstrates some basic uses of the "query package" tool 
(qpkg), which allows you to get information about installed or uninstalled 
packages on your system. It can be used to find package ownership of 
files, to find duplicate packages, to list the files installed by a 
package, and more. 
To get qpkg you need to install app-portage/gentoolkit. 
| Code Listing 8.1:                                                       |
| Installing gentoolkit                                                   |
|                                                                         |
|# emerge app-portage/gentoolkit                                          |
|                                                                         |
Now that you have qpkg installed, you can start using it to examine your 
system. The first example is figuring out which package owns which file. 
This is done with the --find-file (or alternatively --find-pattern) option. 
Note:  To get a complete list of packages and the version installed on 
your machine use the command qpkg --installed --verbose. 
| Code Listing 8.2:                                                       |
|Finding the package that owns a file                                     |
|                                                                         |
|Which package owns /etc/crontab?                                         |
|% qpkg --find-file /etc/crontab                                          |
|sys-apps/vcron *                                                         |
|                                                                         |
|What version of vcron? (--verbose)                                       |
|% qpkg --find-file --verbose /etc/crontab                                |
|sys-apps/vcron-3.0.1-r1 *                                                |
|                                                                         |
|Where's the ebuild for this file? (--verbose --verbose)                  |
|% qpkg --find-file --verbose --verbose /etc/crontab                      |
|   /var/db/pkg/sys-apps/vcron-3.0.1-r1/vcron-3.0.1-r1.ebuild             |
|sys-apps/vcron-3.0.1-r1 *                                                |
|                                                                         |
To list all the files a package installed, use the --list option. 
| Code Listing 8.3:                                                       |
| Listing all the files installed by a package                            |
|                                                                         |
|% qpkg --list units                                                      |
|Directories were snipped for brevity                                     |
|app-sci/units-1.74 *                                                     |
|CONTENTS:                                                                |
|/usr/bin/units                                                           |
|/usr/share/doc/units-1.74                                                |
|/usr/share/doc/units-1.74/README.gz                                      |
|/usr/share/doc/units-1.74/NEWS.gz                                        |
|/usr/share/doc/units-1.74/INSTALL.gz                                     |
|/usr/share/doc/units-1.74/COPYING.gz                                     |
|/usr/share/doc/units-1.74/ChangeLog.gz                                   |
|/usr/share/man/man1/units.1.gz                                           |
|/usr/share/info/                                            |
|/usr/share/units/units.dat                                               |
|                                                                         |
The last example shows you how to find which packages depend on a 
specified package using --query-deps. 
| Code Listing 8.4:                                                       |
|Finding dependencies                                                     |
|                                                                         |
|% qpkg --installed --query-deps mozilla                                  |
|net-www/mozilla-1.4-r3 *                                                 |
|DEPENDED ON BY:                                                          |
|        net-mail/evolution-1.4.3                                         |
|        net-www/galeon-1.3.9                                             |
|                                                                         |
Note:  Not specifying --installed causes qpkg to look inside the entire 
Portage tree which is probably not what you want. 
This should get you started with qpkg. For more options see qpkg --help or 
man 1 qpkg. 
9. Moves, Adds and Changes
The following developers recently left the Gentoo team: 
 * none this week 
The following developers recently joined the Gentoo Linux team:
 * Brad House (brad_mssw) -- amd64 
 * Joel Hillster (hillster) -- miscellaneous ebuilds 
 * Rob Cakebread (pythonhead) -- python 
The following developers recently changed roles within the Gentoo Linux 
 * none this week 
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 

 53. gwn-feedback@g.o
11. GWN Feedback
Please send us your feedback[54] and help make the GWN better.

 54. gwn-feedback@g.o
12. GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under.
13. Other Languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Dutch[55] 
 * English[56] 
 * German[57] 
 * French[58] 
 * Japanese[59] 
 * Italian[60] 
 * Polish[61] 
 * Portuguese (Brazil)[62] 
 * Portuguese (Portugal)[63] 
 * Russian[64] 
 * Spanish[65] 
 * Turkish[66] 
Yuji Carlos Kosugi <carlos@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Contributor
Brian Downey <bdowney@×××××××××××.net> - Contributor
Cal Evans <cal@××××××××.com> - Contributor
Chris Gavin <gubbs@××××.org> - Contributor
Luke Giuliani <cold_flame@×××××.com> - Contributor
Shawn Jonnet <shawn.jonnet@×××××××.net> - Contributor
Michael Kohl <citizen428@g.o> - Contributor
Kurt Lieber <klieber@g.o> - Contributor
Rafael Cordones Marcos <rcm@×××××××.net> - Contributor
David Narayan <david@×××××××.net> - Contributor
Gerald J Normandin Jr. <gerrynjr@g.o> - Contributor
Ulrich Plate <plate@g.o> - Contributor
Mathy Vanvoorden <matje@×××××××.be> - Dutch Translation
Hendrik Eeckhaut <Hendrik.Eeckhaut@×××××.be> - Dutch Translation
Jorn Eilander <sephiroth@××××××××.nl> - Dutch Translation
Bernard Kerckenaere <bernieke@××××××××.com> - Dutch Translation
Peter ter Borg <peter@××××××.nl> - Dutch Translation
Jochen Maes <linux@××××.be> - Dutch Translation
Roderick Goessen <rgoessen@××××.nl> - Dutch Translation
Gerard van den Berg <gerard@××××××.net> - Dutch Translation
Matthieu Montaudouin <mat@××××××××.com> - French Translation
Martin Prieto <riverdale@×××××××××.org> - French Translation
Antoine Raillon <cabec2@××××××.net> - French Translation
Sebastien Cevey <seb@×××××.net> - French Translation
Jean-Christophe Choisy <mabouya@××××××××××××.org> - French Translation
Thomas Raschbacher <lordvan@g.o> - German Translation
Steffen Lassahn <madeagle@g.o> - German Translation
Matthias F. Brandstetter <haim@g.o> - German Translation
Lukas Domagala <Cyrik@g.o> - German Translation
Tobias Scherbaum <dertobi123@g.o> - German Translation
Daniel Gerholdt <Sputnik1969@g.o> - German Translation
Marc Herren <dj-submerge@g.o> - German Translation
Tobias Matzat <SirSeoman@g.o> - German Translation
Marco Mascherpa <mush@××××××.net> - Italian Translation
Claudio Merloni <paper@×××××××.it> - Italian Translation
Christian Apolloni <bsolar@×××××××.ch> - Italian Translation
Stefano Lucidi <stefano.lucidi@×××××××××××××.org> - Italian Translation
Katsuyuki Konno <katuyuki@××××××××.jp> - Japanese Translation
Yuji Carlos Kosugi <carlos@g.o> - Japanese Translation
Yasunori Fukudome <yasunori@××××××××××××××××.uk> - Japanese Translation
Takashi Ota <088@××××××××××.jp> - Japanese Translation
Radoslaw Janeczko <sototh@×××.pl> - Polish Translation
Lukasz Strzygowski <lucass.home@××.pl> - Polish Translation
Michal Drobek <veng@××.pl> - Polish Translation
Adam Lyjak <apo@××××××××××××××××××××.pl> - Polish Translation
Krzysztof Klimonda <cthulhu@×××××××××.net> - Polish Translation
Atila "Jedi" Bohlke Vasconcelos <bohlke@×××××××××.br> - Portuguese 
(Brazil) Translation
Eduardo Belloti <dudu@××××××××.net> - Portuguese (Brazil) Translation
João Rafael Moraes Nicola <joaoraf@×××××××××.br> - Portuguese (Brazil) 
Marcelo Gonçalves de Azambuja <mgazambuja@×××××××××.br> - Portuguese 
(Brazil) Translation
Otavio Rodolfo Piske <angusy@××××××××.org> - Portuguese (Brazil) 
Pablo N. Hess -- NatuNobilis <natunobilis@××××××××.org> - Portuguese 
(Brazil) Translation
Pedro de Medeiros <pzilla@××××××××.br> - Portuguese (Brazil) Translation
Ventura Barbeiro <venturasbarbeiro@××××××.br> - Portuguese (Brazil) 
Bruno Ferreira <blueroom@××××××××××××.net> - Portuguese (Portugal) 
Gustavo Felisberto <humpback@××××××××××.net> - Portuguese (Portugal) 
José Costa <jose_costa@×××××××.pt> - Portuguese (Portugal) Translation
Luis Medina <metalgodin@×××××××××.org> - Portuguese (Portugal) Translation
Ricardo Loureiro <rjlouro@×××××××.org> - Portuguese (Portugal) Translation
Sergey Galkin <gals_home@××××.ru> - Russian Translator
Sergey Kuleshov <svyatogor@g.o> - Russian Translator
Alex Spirin <asp13@××××.ru> - Russian Translator
Dmitry Suzdalev <dimsuz@××××.ru> - Russian Translator
Anton Vorovatov <mazurous@××××.ru> - Russian Translator
Denis Zaletov <dzaletov@×××××××.ru> - Russian Translator
Lanark <lanark@××××××××××.ar> - Spanish Translation
Fernando J. Pereda <ferdy@××××××.org> - Spanish Translation
Lluis Peinado Cifuentes <lpeinado@×××.edu> - Spanish Translation
Zephryn Xirdal T <ZEPHRYNXIRDAL@××××××××××.net> - Spanish Translation
Guillermo Juarez <katossi@××××××××××××××××.es> - Spanish Translation
Jesús García Crespo <correo@××××××.com> - Spanish Translation
Carlos Castillo <carlos@×××××××××××××.com> - Spanish Translation
Julio Castillo <julio@×××××××××××××.com> - Spanish Translation
Sergio Gómez <s3r@××××××××××××.ar> - Spanish Translation
Aycan Irican <aycan@××××××××.tr> - Turkish Translation
Bugra Cakir <bugra@×××××××××.com> - Turkish Translation
Cagil Seker <cagils@××××××××××.tr> - Turkish Translation
Emre Kazdagli <emre@××××××××.tr> - Turkish Translation
Evrim Ulu <evrim@××××××××.tr> - Turkish Translation
Gursel Kaynak <gurcell@××××××××.tr> - Turkish Translation