Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@××××××××××××.org
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 21 February 2005
Date: Mon, 21 Feb 2005 00:00:15
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 21 February 2005.
1. Gentoo News
Boston Linux World Expo: The Après-Show report
The Linux World Conference and Exposition was held last week at the Hynes 
Convention Center in Boston, Massachusetts, USA. Gentoo Linux had a booth 
in the .org pavilion, nestled between the friendly folks from Fedora and 
that lovable lot from the Linux Terminal Server Project. On display was 
an array of systems demonstrating the wide range of architectures that 
Gentoo is available for. The main draw was clearly the diminutive Mac Mini 
with the big cinema screen, brought by Daniel Ostrow[1]. Also present were 
Daniel's Sparc Ultra 60, several x86 laptops, and an AMD64 and several 
embedded goodies brought by Mike Frysinger[2]. 
 1. dostrow@g.o
 2. vapier@g.o
A full team of volunteers helped staff the booth. Besides Mike and Daniel, 
Seemant Kulleen[3], Chris Gianelloni[4], Dylan Carlson[5], Jeffrey 
Forman[6], Peter Johanson[7], Luke Macken[8] (lewk), Rajiv Manglani[9], 
Andy Fant[10], Chris Aniszczyk[11] and Aaron Griffis[12] made appearances 
and helped out in the booth. 
 3. seemant@g.o
 4. wolf31o2@g.o
 5. absinthe@g.o
 6. jforman@g.o
 7. latexer@g.o
 8. lewk@g.o
 9. rajiv@g.o
 10. fant@×××××.com
 11. zx@g.o
 12. agriffis@g.o
Figure 1.1: Boston LWE Gentoo booth staff
Note: Front, left to right: Andrew Fant, Chris Gianelloni, Mike 
Frysinger, Rajiv Manglani. Chris Aniszczyk is leaning over the table just 
under the Gentoo poster; everybody else is a visitor. 
Besides the perennial requests for CDs (which we had) and T-shirts (which 
we didn't), there was a steady flow of interest in the PPC release, and a 
gratifying number of comments by people who have come to realize that 
Gentoo has a role to play in the enterprise. Also of note was the 
forthcoming launch of a Gentoo-based startup[13] that will provide custom 
binary packages to subscribing users through standard Portage mechanisms. 
A highlight of the week was the anti-bof, where 30-40 users and developers 
took over the top floor of the Globe Bar and Grill and got the chance to 
meet and mingle in person. 
This was the first year that the LWE was held in Boston, instead of New 
York, and by all accounts, it was a success. There was a twenty percent 
increase in vendor exhibits, and attendance was up by a similar amount. It 
seems likely that LWE will return again next winter, so start making plans 
for next year. Thanks to everyone who helped to make our presence at the 
show a success. For those on the west coast, LWE will be in San Francisco 
from 8 to 11 August. If you are interested in helping with the Gentoo 
booth at that meeting, please contact the PR team. 
Last call for FOSDEM
More than 40 Gentoo developers, activists and power users have confirmed 
their presence at this year's FOSDEM[14] on 26 and 27 February in Brussels 
at the Université Libre de Bruxelles. The local youth hostel has literally 
been taken over by the participants in the DevRoom organised by Gentoo at 
Europe's largest open-source conference, and the schedule is packed with 
presentations by developers from all over Europe. Saturday night life in 
Brussels will make it challenging to keep the tight schedule for the 
Gentoo developer meeting on Sunday morning. 
Free entrance to the Gentoo UK conference
Thanks to securing sponsorships by the University of Salford and the 
London Internet Exchange, LINX[15], the Mancunian Gentoo UK 
Conference[16], scheduled for 12 March at Manchester's University of 
Salford, was able to drop the entrance fee. Participants are asked to 
register, but will be admitted free of charge, registration is still 
Easy subscription to Gentoo RSS feeds
Michael Kohl[18] has made an OPML file[19] available that lets you 
subscribe automatically to three different RSS feeds from Gentoo at once, 
i.e. the Gentoo Linux news as published on the Gentoo website, the Gentoo 
Linux Security Announcements (GLSAs), and the feed for packages for x86. 
Many RSS-readers support importing from an OPML file, making subscriptions 
easily manageable. 
 18. citizen428@g.o
2. Future Zone
Gentooified Kuro-Box
The Kuro-Box is a toaster-sized PowerPC NAS (Network Attached Storage) 
device designed for Linux hackers, owing at least part of its appeal to 
the clever name: far more than its plain English translation, "black", 
suggests, the "kuro" of the Kuro-Box hints at both the colour and the 
occultness of what may be lurking in the dark. Based on a Freescale 
MPC8241[20] (a 603e processor), it exists in two versions:
 * the original one, at 200MHz with 64MB RAM, a 100Mb ethernet controller 
and one USB plug (around 160 USD without hard-drive) 
 * the HG version, at 266MHz with 128MB RAM, a 1Gb ethernet controller and 
two USB plugs (240 USD without hard-drive) 
Obscured by the fact that it was spawned off Buffalo Technology's 
"LinkStation" storage device series, it's probably the most inexpensive 
Linux/PPC development environment currently on the market. 
Figure 2.1: Attaching a new meaning to network storage: Buffalo's Kuro-Box
The history[21] of the Kuro-Box begins in Japan back in early 2004, when a 
Buffalo sister company, Kurouto Shikou, decided to sell older LinkStation 
inventory on the "power users" market. Thus, the oldest and biggest 
Kuro-Box hackers community is Japanese, and the amount of documentation on 
their Linkstation Wiki[22] or on Yasunari Yamashita's blog[23] shows how 
active it is. For a few months now, Kuro-Boxes have also been distributed 
in the US and Europe by Revogear[24], and a new non-Japanese community centering 
around a forum[25] and a wiki[26] now has plenty of English information 
available to them.
In both communities, there had been several attempts at replacing the 
stock firmware with more generic Linux distributions ever since the first 
Kuro-Box shipped about a year ago. The original firmware is too 
NAS-oriented, i.e. only designed to be a file and printing server, whereas 
a complete Linux distribution would allow for easy experimentation and 
unlocking of the platform's full potential. Even setting up Gentoo systems 
inside the Kuro-Box had been tried before: jmgdean[27] released a Gentoo 
Total Conversion alpha1[28], and much work was done inside the Japanese 
community. However, all of those earlier attempts were mixed installations 
of Gentoo Linux on top of the original firmware: the toolchains were still 
based on gcc-2.95, many files were not managed by Portage, and there was 
still some non-free code inside. My beta1 release[29], on the other hand, 
is entirely built from sources, and exclusively via Portage. It is 
composed of: 
 * a stage3 image which can be installed directly on a fresh harddrive, 
and which completely replaces the original firmware 
 * a Portage overlay, with a few new or modified ebuilds 
 * a custom Portage profile, based on Gentoo PPC 2004.3 
 * many additional binary packages that should cover the most current 
needs for that kind of system 
The installation process is mostly similar to "normal" Gentoo systems, 
except that it begins in the so-called "EM mode" in which the box boots 
when it's not yet set up. This is a very minimalistic environment which 
can be accessed by both ftp and telnet. From there, you will be able to 
prepare your drive, chroot, and install the stage3 image. Then you switch 
the box to the "Normal mode", and hopefully it will reboot using your 
fresh Gentoo system, which should be accessible by ssh. Detailed 
instructions are available on a  Wiki page[30].
Known limitation and future work
The only thing that is not easily hackable is the content of the FlashROM, 
i.e. the EM mode system and the kernel. The format of the flash image is 
well-known and documented (at least on some Japanese websites), but, as 
opposed to many other Linux-based devices, there is absolutely no fallback 
in case of mistake once you've touched it -- a flashing error or a badly 
configured kernel will kill it for good. Because of that, most users are 
still stuck with the original 2.4.17 kernel, which is far from perfect. 
There are currently two directions explored to overcome this limitation: 
 * Installing a proper bootloader in the FlashROM: U-Boot[31] would 
probably be the best choice, but this project is at too early a stage to 
give an estimate of its availability.  
 * Dynamically replacing the running kernel. This has been made possible 
thanks to jochang's work[32], by loading a simple kernel module. 
Integrating that kernel switching in the boot process is the top target 
for Gentoo beta2 (with everything it depends on, like a proper packaging 
of kuro-ified kernel sources, etc.)  
Some other future work items include: 
 * improve the distribution system: in particular, use rsync instead of 
tarballs for overlay/profile 
 * by popular demand, add some meta-ebuilds for some common needs like 
"mail server" or "MacOSX-friendly server". Or release some kinds of 
customized "stage4"  
 * some minor improvements all around, like better LED status, maybe more 
precompiled modules for the stock kernel, etc.  
 * maybe a (semi-)automatic installation process (from a LiveCD?): for 
some users, installing Gentoo by telnet on a Kuro Box is their first Linux 
experience, and it seems to be a bit too much at a time... 
Note: Author Thomas de Grenier de Latour (TGL) is one of the Gentoo Forums 
moderators, responsible for the French language forum. He will bring a 
Kuro-Box to FOSDEM in Brussels this coming weekend. If you would like to 
learn more about this little box or see it in action, make sure to stop by 
the Gentoo DevRoom.
3. Gentoo security
PowerDNS: Denial of Service vulnerability
A vulnerability in PowerDNS could lead to a temporary Denial of Service. 
For more information, please see the GLSA Announcement[33] 
ht://Dig: Cross-site scripting vulnerability
ht://Dig is vulnerable to cross-site scripting attacks. 
For more information, please see the GLSA Announcement[34] 
Opera: Multiple vulnerabilities
Opera is affected by several vulnerabilities which could result in 
information disclosure and facilitate execution of arbitrary code. 
For more information, please see the GLSA Announcement[35] 
VMware Workstation: Untrusted library search path
VMware may load shared libraries from an untrusted, world-writable 
directory, resulting in the execution of arbitrary code. 
For more information, please see the GLSA Announcement[36] 
PostgreSQL: Buffer overflows in PL/PgSQL parser
PostgreSQL is vulnerable to several buffer overflows in the PL/PgSQL 
parser leading to execution of arbitrary code. 
For more information, please see the GLSA Announcement[37] 
Emacs, XEmacs: Format string vulnerabilities in movemail
The movemail utility shipped with Emacs and XEmacs contains several format 
string vulnerabilities, potentially leading to the execution of arbitrary 
For more information, please see the GLSA Announcement[38] 
lighttpd: Script source disclosure
An attacker can trick lighttpd into revealing the source of scripts that 
should be executed as CGI or FastCGI applications. 
For more information, please see the GLSA Announcement[39] 
wpa_supplicant: Buffer overflow vulnerability
wpa_supplicant contains a buffer overflow that could lead to a Denial of 
For more information, please see the GLSA Announcement[40] 
KStars: Buffer overflow in fliccd
KStars is vulnerable to a buffer overflow that could lead to arbitrary 
code execution with elevated privileges. 
For more information, please see the GLSA Announcement[41] 
Midnight Commander: Multiple vulnerabilities
Midnight Commander contains several format string errors, buffer overflows 
and one buffer underflow leading to execution of arbitrary code. 
For more information, please see the GLSA Announcement[42] 
Squid: Denial of Service through DNS responses
Squid contains a bug in the handling of certain DNS responses resulting in 
a Denial of Service. 
For more information, please see the GLSA Announcement[43] 
GProFTPD: gprostats format string vulnerability
gprostats, distributed with GProFTPD, is vulnerable to a format string 
vulnerability, potentially leading to the execution of arbitrary code. 
For more information, please see the GLSA Announcement[44] 
gFTP: Directory traversal vulnerability
gFTP is vulnerable to directory traversal attacks, possibly leading to the 
creation or overwriting of arbitrary files. 
For more information, please see the GLSA Announcement[45] 
4. Heard in the community
Using Gentoo in emulators
After a failed install of Gentoo in MS VirtualPC, a user asks what 
experiences others have with Gentoo in emulated environments. Read on for 
a nice (win32-centric) collection of user experiences. 
 * Using Gentoo in emulators[46] 
Portage performance improvements
Another user found a bottleneck in Portage whose removal seems to reduce 
startup times by at least 50%. Although that may be an extreme example, it 
still shows that Portage performance is far from optimal. 
 * Portage performance improvements[47] 
GLEP33: Eclass restructure
After the large flamewars last time someone tried to change the way 
eclasses are used and handled, John Mylchreest[48] and Brian Harring[49] 
offer a new and quite comprehensive proposal. It can be found at 
 48. johnm@g.o
 49. ferringb@g.o
 * GLEP 33: Eclass restructure[50] 
Runtime vs. devel packages
Stuart Herbert[51] offers some thoughts on split ebuilds: "For years now, 
RedHat have split a lot of their packages into two sets ... a set 
containing what's needed at runtime to use the package, and another 
'devel' package containing header files etc which are only needed for 
building software. One thing that it's really nice to do with a server is 
build it with no compilers etc installed. The less that's on there, the 
less there is to maintain, upgrade, be reused by the black hats, etc etc." 
But, as it seems, there are also good reasons to do things "The Gentoo 
Way". Read on for a discussion of the pros and cons of both approaches. 
 51. stuart@g.o
 * Runtime vs. devel packages[52] 
5. Gentoo in the press
Security Focus (14 February 2005)
After being talked about in a Security Focus article the week before, 
Gentoo developer and operational manager for the Gentoo Linux Security 
Team Thierry Carrez[53] now had his own column last Monday: "More 
advisories, more security"[54] is the title of his piece on the 
relationship between activities in the security arms of Linux 
distributions and overall safety for users. "Security advisories from a 
software publisher or packager should not be seen as bad news. There are 
always vulnerabilities in software, and when an advisory is released it 
means that one of these flaws has been identified and fixed," explains 
Thierry. "It also means the good guys have done their homework, and that 
one less flaw can be used by the bad guys to harm you." 
 53. koon@g.o
Linux Times (14 and 18 February 2005)
A flamboyant installation report from Austria hit the online magazine 
Linux Times on Monday last week, under the heading "One week with Gentoo 
Linux." The article[55] describes in detail an installation of Gentoo 
Linux on slightly dated hardware, and tries to shatter the myth of Gentoo 
being not easily accessible: "If there was a list of biggest GNU/Linux 
cliches, the statement 'Gentoo is hard to install' would be ranked among 
the top. Let me tell you a little secret: Gentoo is easy to install," says 
author Imre Kálomista, a student at Vienna University. And if that wasn't 
enough, Gentoo again figures as a topic on Linux Times four days later in 
a review of the Vidalinux release 1.1 in direct comparison to a "real" 
Gentoo system. The article[56] concludes that the Puerto-Rican binary 
Gentoo clone strangely lacks binary package support, but mentions a club 
membership for access to a repository of precompiled packages. 
Cuddletech blog (12 February 2005)
Using Xorg 6.8.2 & Composite[57] is the topic for Ben Rockwood's blog 
entry on the new transparency features in Xorg, with a pleasant side note 
on the ease of installation in his Gentoo environment: "Thanks to Gentoo I 
simply yanked XFree86 (unmerge) and merged in Xorg 6.8.2." 
6. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla ([58]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 13 February 2005 and 20 February 2005, activity 
on the site has resulted in: 
 * 813 new bugs during this period 
 * 447 bugs closed or resolved during this period 
 * 20 previously closed bugs were reopened this period 
Of the 8040 currently open bugs: 101 are labeled 'blocker', 240 are 
labeled 'critical', and 596 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
 * Gentoo KDE team[59], with 25 closed bugs[60]  
 * PHP Bugs[61], with 24 closed bugs[62]  
 * Net-Mail Packages[63], with 21 closed bugs[64]  
 * Gentoo Security[65], with 20 closed bugs[66]  
 * Netmon Herd[67], with 15 closed bugs[68]  
 * AMD64 Porting Team[69], with 15 closed bugs[70]  
 * Gentoo Sound Team[71], with 11 closed bugs[72]  
 * PPC Porters[73], with 11 closed bugs[74]  
 59. kde@g.o
 61. php-bugs@g.o
 63. net-mail@g.o
 65. security@g.o
 67. netmon@g.o
 69. amd64@g.o
 71. sound@g.o
 73. ppc@g.o
New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Qmail Team[75], with 54 new bugs[76]  
 * Gentoo Sound Team[77], with 23 new bugs[78]  
 * AMD64 Porting Team[79], with 19 new bugs[80]  
 * media-video herd[81], with 17 new bugs[82]  
 * Gentoo KDE team[83], with 16 new bugs[84]  
 * Gentoo Science Related Packages[85], with 10 new bugs[86]  
 * Gentoo's Team for Core System packages[87], with 10 new bugs[88]  
 * Gentoo X-windows packagers[89], with 9 new bugs[90]  
 75. qmail-bugs@g.o
 77. sound@g.o
 79. amd64@g.o
 81. media-video@g.o
 83. kde@g.o
 85. sci@g.o
 87. base-system@g.o
 89. x11@g.o
7. Moves, adds, and changes
The following developers recently left the Gentoo team: 
 * None this week  
The following developers recently joined the Gentoo Linux team: 
 * David Gümbel (ganymede) - wine  
The following developers recently changed roles within the Gentoo Linux 
 * None this week  
8. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 
 91. gwn-feedback@g.o
9. GWN feedback
Please send us your feedback[92] and help make the GWN better.
 92. gwn-feedback@g.o
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under. 
11. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[93]  
 * Dutch[94]  
 * English[95]  
 * German[96]  
 * French[97]  
 * Japanese[98]  
 * Italian[99]  
 * Polish[100]  
 * Portuguese (Brazil)[101]  
 * Portuguese (Portugal)[102]  
 * Russian[103]  
 * Spanish[104]  
 * Turkish[105]  
Ulrich Plate <plate@g.o> - Editor
Andrew Fant <fant@×××××.com> - Author
Thomas de Grenier de Latour <degrenier@×××××××××××.fr> - Author
Patrick Lauer <patrick@g.o> - Author
