Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@××××××××××××.org
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 10 January 2005
Date: Mon, 10 Jan 2005 00:56:41
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 10 January 2005.
1. Gentoo News
Discouraging Forum abuse: visual registration confirmation added
In the last week of December 2004, an attacker had registered about 8,500 
user accounts from more than 160 hosts, in less than one hour. While the 
Forum admins were working on a solution to block these registrations, 
users started reporting the mass forum account registrations[1]. A few 
hours later 15696 user accounts were deleted[2], taking along a number of 
inactive accounts from the past.
To prevent these mass registration attempts from happening again, a visual 
registration confirmation has now been added to the Forum user account 
registration process. This function was originally implemented in the 
phpBB[3] 2.2 development versions, with the changes being backported to 
version 2.0.11 of phpBB. The same changes have now been applied to the 
customized version of phpBB that is installed at[4].
2.6.10 kernel marked stable
By the time you are reading this, the Linux 2.6.10 release of 
gentoo-dev-sources will be marked stable, or in the final stages of being 
tested, on supported system architectures. Linux 2.6.10, released late on 
Christmas Eve, is proving to be the best kernel release in a long time, 
fixing almost all of the issues we know about present in 2.6.9 and 
earlier. Relatively few new issues have been reported, and the major ones 
have already been fixed. 2.6 users are recommended to upgrade as soon as 
possible, as this release also fixes some recently discovered security 
2. Future zone
Project goals for 2005
A meta-thread on the gentoo-dev mailing list keeps track of goals set 
forth for some Gentoo projects. Here's an overview of items scheduled to 
see the light of day shortly: 
Release engineering
 * Biannual release schedule: The first release (2005.0) will be in 
January, and the second release (2005.1) will be in July/August. Each 
release will include install cds, stages, and GRP. 
 * LiveCDs: Plans are to replace the current universal LiveCD with a 
Knoppix-like XLiveCD. Media will be renamed accordingly; the minimal 
LiveCD will remain but will instead be called the minimal installCD. 
 * Gentoo Reference Platform (GRP): Working in a joint effort with the 
installer project, Release Engineering is working on redefining the GRP. 
The current plan, which is subject to change, will use functionality 
similar to quickpkg by packaging the installed packages on the XLiveCD and 
copying them to the target system. 
 * Migrate all existing ebuilds to kernel-2 and linux-* eclasses 
 * Push 2.6 for default where possible for headers and sources. 
 * Consolidate appropriate source packages, e.g. dev-sources -> 
 * Further improve our current eclass framework for additional kernels 
(BSD, Darwin) 
 * Have a stage or a set of stages that will be used to install 
 * Have a working baselayout. 
 * Have an installation CD (a.t.m. FreeSBIE can be used) 
 * Have a fair amount of keyworded ebuilds 
 * Have some of our *BSD specific patches applied to portage 
 * Finish our profile, stabilize our set of tarballs 
3. Gentoo security
LinPopUp: Buffer overflow in message reply
LinPopUp contains a buffer overflow potentially allowing execution of 
arbitrary code. 
For more information, please see the GLSA Announcement[5] 
a2ps: Multiple vulnerabilities
The fixps and psmandup scripts in the a2ps package are vulnerable to 
symlink attacks, potentially allowing a local user to overwrite arbitrary 
files. A vulnerability in a2ps filename handling could also result in 
arbitrary command execution. 
For more information, please see the GLSA Announcement[6] 
Mozilla, Firefox, Thunderbird: Various vulnerabilities
Various vulnerabilities were found and fixed in Mozilla-based products, 
ranging from a potential buffer overflow and temporary files disclosure to 
anti-spoofing issues. 
For more information, please see the GLSA Announcement[7] 
Shoutcast Server: Remote code execution
Shoutcast Server contains a possible buffer overflow that could lead to 
the execution of arbitrary code. 
For more information, please see the GLSA Announcement[8] 
mit-krb5: Heap overflow in libkadm5srv
The MIT Kerberos 5 administration library (libkadm5srv) contains a heap 
overflow that could lead to execution of arbitrary code. 
For more information, please see the GLSA Announcement[9] 
tiff: New overflows in image decoding
An integer overflow has been found in the TIFF library image decoding 
routines and the tiffdump utility, potentially allowing arbitrary code 
For more information, please see the GLSA Announcement[10] 
xine-lib: Multiple overflows
xine-lib contains multiple overflows potentially allowing execution of 
arbitrary code. 
For more information, please see the GLSA Announcement[11] 
phpGroupWare: Various vulnerabilities
Multiple vulnerabilities have been discovered in phpGroupWare that could 
lead to information disclosure or remote compromise. 
For more information, please see the GLSA Announcement[12] 
xzgv: Multiple overflows
xzgv contains multiple overflows that may lead to the execution of 
arbitrary code. 
For more information, please see the GLSA Announcement[13] 
Vilistextum: Buffer overflow vulnerability
Vilistextum is vulnerable to a buffer overflow that allows an attacker to 
execute arbitrary code through the use of a malicious webpage. 
For more information, please see the GLSA Announcement[14] 
4. Heard in the community
Web forums
Disappearing X causing slight unrest
The decision by Gentoo developers to gently nudge people to use xorg-x11 
isn't entirely new, but the deletion of XFree86 from Portage on 1 January 
seems to have come as a nasty surprise to some people. One thread out of a 
handful, to represent them all:
 * I refuse to use sucks! (nevermind....user error)[15] 
New global moderator Earthwings
Earthwings[16] had already served in the German subforum for several 
months before being promoted to deal with the rest of the lot now:
 * [forums-announce] New global moderator[17] 
Achieving Hardware Happiness?
Many laptop users experience the same conundrum: Having a mobile computer 
results in different configurations. Most of the time these are 
network-related, for example the difference between a corporate LAN and a 
home network. But occasionally this includes hardware as well. Many 
laptops have hardware docking stations with additional network cards, 
video adapters, and even SCSI. This presents a unique issue to Linux users 
since most of the time, the various settings are hard-edited into various 
files in /etc. Curious how to find your own way to portable paradise? Read 
 * gentoo and "rc hell"?[18] 
Bash Arguments
What could be more Linux-y than a debate on the proper way to delete many 
files out of a directory? There's xargs, find, even... for loops? An 
informative thread of opinionated answers is what we got this week! 
 * Bash query? 'Argument list too long'[19] 
"Monitoring" CPU Usage
On a more humorous note, one list member posted a "helpful" link to a 
newsforge article on a CPU monitoring package called "Hot Babe". We'll 
provide GWN readers a link to the gentoo-user thread, and leave it at 
 * Hot Babe and Debian (GENTOO :-)[20] 
RFC: Advice on driving compile times down
Stuart Herbert[21] asks how to reduce compile times. Read the thread for 
the different possibilities offered to Gentoo users. 
 21. stuart@g.o
 * RFC: Advice on driving compile times down[22] 
xfree gone
With this short notice Gentoo officially stopped supporting xfree. All 
users are asked to migrate to xorg. 
 * xfree gone[23] 
2005.0 2.4 & 2.6 stages
John Davis[24] asks, on behalf of the Gentoo Releng subproject, which 
kernel header and sources 2005.0 stages should be offered. He writes: "Our 
options for building include (a) only 2.6 stages, (b) only 2.4 stages, or 
(c) a combination of 2.4 and 2.6 stages." From a release point of view 
only one set would be preferred, but many users still depend on 2.4 
kernels. This rather long thread explores the many small problems that may 
arise and shows how difficult it is to make all people equally happy :-) 
 24. zhen@g.o
 * 2005.0 2.4 & 2.6 stages[25] 
From a mailing list mostly frequented by people using Gentoo for non-desktop purposes, gentoo-server@g.o, here's a noteworthy thread that has spun from the original poster asking a simple question:
 * Who uses Gentoo in production?[26]
5. Gentoo International
USA: Gentoo lectures at MIT, 10 and 24 January
Rajiv Manglani[27], Gentoo Linux Security Team member and PPC developer, will give an introductory (10 January) and an advanced lecture (24 January) on Gentoo Linux at the Massachusetts Institute of Technology, MIT, in Cambridge, MA. Both lectures are sponsored by MIT's Student Information Processing Board (SIPB) and will be held tonight and Monday 24 starting at 20:00, at Building 4[28] room 237 (today) and room 231 (24 January) respectively. The first lecture will focus on giving an overview and demonstrating a running Gentoo system, while the "Advanced Gentoo Linux" presentation on 24 January will have more in-depth discussions of Portage and ebuild script creation, and system tools such as qpkg and etcat. More details can be found in Rajiv's Independent Activities Period Gentoo lecture announcements[29]. Please make sure to RSVP to the Student Information Board[30] if you plan on attending.
 27. rajiv@g.o
 30. sipb-iap-gentoo@×××.edu
Canada: Gentoo LTSP project at elementary school
The Prairie Linux User Group[31] (PLUG) is planning to deploy Gentoo Linux at the Holy Cross Elementary School in Winnipeg. The project will use reclaimed hardware previously running various shades of Windows that are being replaced with Linux due to cost of licensing for upgrades, concerns about lax security, growing hardware requirements if Windows was chosen as an upgrade path, and the current platform generally not meeting the educational requirements at the school any longer.
The setup includes an implementation of the Linux Terminal Server Project[32] (LTSP) across thirty workstations, with Gentoo Linux running openmosix for the terminal server system. On Thursday 20 January the PLUG will meet at the University of Winnipeg[33] (starting at 19:00 in room 2M70) to get a few things straightened out before performing their real world test at the school on Sunday, 23 January from 10:00. Thirty elementary students have been invited to stress-test the system that they might get to keep if it works as advertized: "If the system is successfully able to meet the requirements it would be permanently installed," says PLUG member Mike Crawford[34], a Gentoo dev-perl developer-to-be and maintainer of one of the official Gentoo file mirrors. More details can be found at the PLUG meeting announcement[35].
 34. ali3n@××××××××××××.com
6. Gentoo in the press
Linux Journal (5 January 2005)
Andrew Cowie with the Linux Journal published a rather flattering piece on "Gentoo for all the unusual reasons,"[36] providing extensive coverage of Portage as a tool for professional use: "You might think of Gentoo as a bleeding-edge distribution for development workstations, but the simple packaging system can make it a good choice for any production system that needs to stay up to date," writes the author in his introduction, before explaining in great detail the steps for installing and updating software in Gentoo, all nicely accompanied by screenshots. The thoroughly researched article was among LJ's top reads and most commented-on articles last week - even without the GWN boosting its popularity yet again...
7. Bugzilla
Summary
 * Statistics
 * Closed bug ranking
 * New bug rankings
Statistics
The Gentoo community uses Bugzilla ([37]) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 02 January 2005 and 09 January 2005, activity on the site has resulted in:
 * 815 new bugs during this period
 * 528 bugs closed or resolved during this period
 * 23 previously closed bugs were reopened this period
Of the 7862 currently open bugs: 117 are labeled 'blocker', 229 are labeled 'critical', and 568 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
 * Gentoo's Team for Core System packages[38], with 32 closed bugs[39]
 * Java team[40], with 26 closed bugs[41]
 * AMD64 Porting Team[42], with 26 closed bugs[43]
 * media-video herd[44], with 25 closed bugs[45]
 * Gentoo Games[46], with 21 closed bugs[47]
 * Gentoo X-windows packagers[48], with 15 closed bugs[49]
 * Gentoo Security[50], with 15 closed bugs[51]
 * Tim Yamin[52], with 13 closed bugs[53]
 38. base-system@g.o
 40. java@g.o
 42. amd64@g.o
 44. media-video@g.o
 46. games@g.o
 48. x11@g.o
 50. security@g.o
 52. plasmaroo@g.o
New bug rankings
The developers and teams who have been assigned the most new bugs during this period are:
 * Gentoo Sound Team[54], with 30 new bugs[55]
 * AMD64 Porting Team[56], with 21 new bugs[57]
 * media-video herd[58], with 20 new bugs[59]
 * optical media herd[60], with 19 new bugs[61]
 * Gentoo X-windows packagers[62], with 17 new bugs[63]
 * Gentoo Linux Gnome Desktop Team[64], with 14 new bugs[65]
 * Gentoo's Team for Core System packages[66], with 11 new bugs[67]
 * Gentoo VMWare Bug Squashers[68], with 10 new bugs[69]
 54. sound@g.o
 56. amd64@g.o
 58. media-video@g.o
 60. media-optical@g.o
 62. x11@g.o
 64. gnome@g.o
 66. base-system@g.o
 68. vmware@g.o
8. Moves, adds, and changes
Moves
The following developers recently left the Gentoo team:
 * None this week
Adds
The following developers recently joined the Gentoo Linux team:
 * Benedikt Böhm (hollow) - Apache
 * Saleem Abdulrasool (compnerd) - Java
Changes
The following developers recently changed roles within the Gentoo Linux project:
 * Lance Albertson (Ramereth) - New dev for netmon et al. (on top of his regular assignment to the infrastructure team)
 * Danny Van Dyk (Kugelfang) and Mike Doty (KingTaco) - AMD64 operational co-leads (taking over from Travis Tilley)
 * Jeremy Huddleston (eradicator) - Recruiting co-lead
9. Tips and tricks
Denu - a Portage-savvy menu generator for window managers
Are you switching from Fluxbox to Gnome to KDE a lot? Would you like to try out even more window managers, if it wasn't for the missing application entries in the menus to hop along with you? This week's tip brings a nifty solution in reach: Denu[70] is a brand-new tool to assist in menu generation. It can generate similarly structured menus for various window managers, enabling easy transitions from one to another. Denu synchronizes with an online database to allow program definitions to be updated without a software update, and best of all: Portage itself provides the installed program data!
Code Listing 9.1: Emerge Denu
 # cd $PORTDIR_OVERLAY/x11-misc/denu
 (Create the appropriate overlay as necessary; Denu is not in Portage yet)
 # wget
 # emerge denu
Before we go any further, back up any menu configurations you don't want overwritten.
Now run denu as a normal user; Denu is not meant to be run as root.
Figure 9.1: Screenshot of menu creation with Denu
The first step after installing Denu is to run Update (for program definitions) and Sysupdate (for the current list of installed programs). Neither of these is run at startup, so after installing a new program via Portage, Sysupdate will need to be executed again. To create a menu there are two approaches: hand pick entries from the Installed Tree and add them, or hit Autofill, and Denu will automatically generate a menu based on the information it has. Reorganizing a newly created menu is as simple as drag and drop; menu systems will respect the order of entries, except for Gnome and KDE, which sort things alphabetically. Click on generate and then one of the boxes corresponding to your desired window manager or desktop environment. Some window managers like Fluxbox will be able to use your menu immediately, others may need to be reconfigured or restarted.
Denu is still under development, but author Shux[71] has scanned half of the Portage tree for items that might be needed in a GUI menu already. For the remaining half (or things that might need adding in the future) Denu provides a tool to include other applications not in its database yet. Adding programs and their categories, descriptions etc. is just as easy as shifting them around. For questions and answers of all sorts check the lively Denu 2.0 thread in the Forums[72].
 71. shux_linux@×××××××.net
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email[73].
 73. gwn-feedback@g.o
11. GWN feedback
Please send us your feedback[74] and help make the GWN better.
 74. gwn-feedback@g.o
12. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@g.o.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@g.o from the email address you are subscribed under.
13. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[75]
 * Dutch[76]
 * English[77]
 * German[78]
 * French[79]
 * Japanese[80]
 * Italian[81]
 * Polish[82]
 * Portuguese (Brazil)[83]
 * Portuguese (Portugal)[84]
 * Russian[85]
 * Spanish[86]
 * Turkish[87]
Ulrich Plate <plate@g.o> - Editor
Brian Downey <bdowney@×××××××××××.net> - Author
Daniel Drake <dsd@g.o> - Author
Christian Hartmann <ian@g.o> - Author
Patrick Lauer <patrick@g.o> - Author
--
gentoo-gwn@g.o mailing list