Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@××××××××××××.org
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 14 February 2005
Date: Sun, 13 Feb 2005 23:54:35
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 14 February 2005.
1. Gentoo News
Gentoo Forums platform and software switch
As anticipated in a Future zone[1] article three weeks ago, the Gentoo 
Forums[2] have switched to a new hardware platform and an upgraded version 
of phpBB, now running on a clean codebase, normalizing all the patches 
that had been applied to the old version, and more feature-rich than the 
release that was powering the Forums before. Among the embellishments are 
better language packs for the non-English forums, new URI styles with 
absolute links that enable search engine spiders to index the entire 
Forum, and a few things of lesser visibility, like the moderators' new 
ability to join threads -- displacing posts from threads where they're out 
of context to a more appropriate location was never possible before. A few 
glitches aside, the changeover went so smoothly that none of the users 
realized it until it was all over and done. Congratulations to Christian 
Hartmann[3] and Lance Albertson[4] for a flawless migration! 
 3. ian@g.o
 4. ramereth@g.o
Gentoo event calender for February/March 2005
Busy days for Gentoo evangelists: Their schedule has never been so packed 
with shows, conferences and presentations as over the next four weeks. 
Here's a list of the upcoming events, with a last reminder for tomorrow's 
LWE in Boston at the top. 
 * Linux World Expo[5] - 15-18 February in Boston, MA: Hynes Convention 
 * FOSDEM[6] - 26 and 27 February in Brussels, Belgium: Université Libre 
de Bruxelles  
 * CPLUG Security Conference[7] - 5 March in Grantham, PA: Messiah College 
 * Chemnitzer Linux-Tage[8] - 5 and 6 March in Chemnitz, Germany: 
Technische Universität  
 * Gentoo UK Conference[9] - 12 March in Manchester, UK: University of 
Note:  Links point to official event websites or -- if available -- Gentoo 
developer pages organizing our own presence. 
Gentoo Linux Security Team -- Interview with Thierry Carrez
If you have a habit of watching the pattern of security issues and 
responses in the Linux world, you've probably noticed that Gentoo's alerts 
and responses to those issues tend to follow rapidly on the heels of 
initial discovery. In fact, Gentoo Linux Security Announcements (GLSAs) 
are a frequently cited resource for security notifications and fix status 
even outside the Gentoo community. This reputiation of responsiveness is a 
remarkable feat for a community which does not have a commercial arm 
supporting a dedicated security response center.
Thierry Carrez[10] (koon), one of the Operational Managers for Gentoo's 
Security Team[11], was kind enough to take a few minutes to explain some 
of the practices that have allowed the team to be so efficient in 
identifying and responding to security issues.
 10. koon@g.o
Could you give us a rough overview of the process involved in identifying 
and fixing security flaws? What steps are involved? Who performs them? 
What tools are used?
We follow the Vulnerability Treatment Policy[12] to handle security bugs. 
In brief, public vulnerabilities get submitted by users, our security 
scouts or the security developers, whoever finds it first. Sometimes we 
get notified by confidential channels (the vendor-sec list or direct 
contact from the upstream developers or auditors). Then the security bug 
progresses through upstream status (where we wait for a fix from upstream 
maintainers); ebuild status (where we call the Gentoo maintainer for the 
package and ask for a fixed ebuild); stable status, where we ask all 
security-supported arches to test and mark the fixed package stable; and 
finally to glsa status where we issue a GLSA if necessary. Sometimes we 
get stuck at one of those intermediate statuses and have to work out a 
patch ourselves. Sometimes we don't find a solution and we mask the 
package because it's a security risk to leave it in the tree without a fix.
Security bug handling is mostly calling the right people at the right time 
to try to get the ball rolling at all times. This task is performed by the 
GLSA coordinators, and it's not automated. We rely heavily on the other 
Gentoo developers (package maintainers and arch teams) to do the patching 
and testing.
Where do you find out about security flaws? Mailing lists? Alerts? Do we 
do testing ourselves?
We rely on our user base to submit as many public vulnerabilities as they 
can. The security team tries to get all those that go unnoticed. Security 
flaws come from public mailing-lists like BugTraq or Full-Disclosure, and 
also upstream security advisories and other distribution advisories. We 
are more and more accepted as part of the general Linux security community 
and therefore we get notice of some vulnerabilities before they go public. 
To contribute back we have recently set up a Security Audit subproject to 
find vulnerabilities by ourselves, and our package maintainers also find a 
lot of vulnerabilities in their testing.
When a flaw is identified, how is it documented?
Most of the time we just copy the public advisory information, and then 
proceed in verifying that it applies to Gentoo Linux, and rate its 
severity. This severity seeds priorities, as we try to respect the delays 
indicated in the Vulnerability Treatment Policy.
Is there a formal process where the resolution of a flaw is assigned to 
someone? How are priorities set? How is the fix documented and tested?
Each GLSA Coordinator can take a bug and be tasked to ensure the ball 
keeps rolling on this bug at all times. But if a bug gets stuck, every 
security developer can intervene to unstick it. Priorities are set by 
severities, following the rules described in the Vulnerability Treatment 
When a fix is available, how is it documented? Who does the GLSA? How are 
GLSA's transmitted? How are they archived or stored?
We document the fix in a GLSA draft, which must get at least two positive 
peer-reviews before getting released. We use a tool called GLSAMaker to 
help in ensuring consistency between all GLSAs. The GLSA is written by the 
GLSA Coordinator or sometimes by one of our Security Apprentices (GLSA 
coordinators in training). GLSAs are sent by mail to gentoo-announce and 
other security lists, automatically appear in a live RDF feed[13] and on 
the Gentoo Security page[14]. Finally, they get copied by forum moderators 
to appear as forum announcements. GLSA XML sources are part of the portage 
tree (in metadata/glsa) and get synced on all user boxes, to enable the 
use of the (for the moment still experimental) glsa-check tool (which is 
part of the gentoolkit package).
Who are the upstream consumers of GLSA's? Other than Gentoo users, are 
there other organizations that are alerted?
We warn so that they include GLSA in their advisories 
page[15]. The MITRE CVE dictionary[16] also includes GLSA references.
Are there any automated tools or scripts that the team uses to manage 
these jobs?
We use GLSAMaker, a tool written by Tim Yamin[17] (plasmaroo), to help in 
writing GLSA XML source and the text counterpart.
 17. plasmaroo@g.o
What's the status of "emerge security" functionality to identify and fix 
security issues using portage?
"Emerge security" functionality is currently under testing with the 
"glsa-check" tool, part of the gentoolkit package. It allows us to 
identify which GLSAs affect your system and to automatically fix the 
vulnerable packages. When this is ready, the portage tool team will 
integrate this into mainline tools like emerge. Users are encouraged to 
use the latest glsa-check and report any oddities using bugzilla[18].
Where can users get information about the security team?
Our main page is the Gentoo Security portal at[19]. It 
contains all the pointers to our policy documents, the latest GLSAs and 
lots of useful information. People that would like to join the Gentoo 
Security project should read the Security project webpage[20], and in 
particular the GLSA Coordinators guide[21] and the Security padawans 
page[22] to get a feel of what we need.
What are some of the initiatives the security team have undertaken 
In the last year, we put procedures in place so that all unwritten rules 
followed by the team have a reference policy document. We also put 
together a new team that will ensure that we keep a consistent security 
watch at all times.
What did we forget to ask that we should know about?
Maybe our management structure. Kurt Lieber[23] (klieber) is our strategic 
manager, Sune Kloppenborg Jeppesen[24] (jaervosz) and myself are the 
operational managers.
 23. klieber@g.o
 24. jaervosz@g.o
2. Future Zone
Open-Xchange in Gentoo Linux
Open-Xchange (OX)[25] is the open-source groupware server on which 
Novell's SuSE Linux Openexchange Server (SLOX)[26] is based. Open-Xchange 
was closed source until 30 August 2004 when it was released under the GNU 
Public License. OX leverages popular open-source server technology by 
integrating existing projects (SMTP, IMAP, LDAP, Apache, Tomcat, and 
PostgreSQL) to deliver a powerful messaging and collaboration environment. 
Some features of interest include e-mail, project management, a versioning 
document store, shared calendaring, and a knowledge base. It can be 
accessed via both a web interface or through fat clients such as 
Evolution, the Mozilla suite (Thunderbird and Sunbird) and any other third 
party application that supports WebDAV. Currently, Open-Xchange is in 
development with a slated stable release (v0.8) in March 2005. If you want 
to see what OX is like before undertaking the somewhat daunting install, 
you can try it out using the online demo[27]. 
Installation and support
There are currently two ways to install OX in Gentoo Linux: using the 
ebuild from Bugzilla[28] (not currently in the Portage tree), or manually 
installing it. A Wiki page[29] explains the installation using the ebuild, 
but for most of the necessary steps to get OX successfully running, an 
additional manual installation HOWTO[30] covers the prerequisite 
configurations as well as extending and enhancing Open-Xchange. For 
Gentoo-specific questions a Gentoo Forum thread[31] with several hundred 
posts has most of the answers that are available so far. 
If you are not already familiar with the servers that OX uses be prepared 
for a steep learning curve and to do a lot of reading. A majority of the 
problems experienced so far involve LDAP configuration, Apache/Tomcat 
integration, and SASL authentication. All of the servers that OX relies on 
need to be properly configured and working before you can proceed with the 
actual Open-Xchange install. 
Note:  Author Mike Fetherston was a dedicated Slackware user who turned to 
Gentoo in early 2004. Upon Netline's release of SuSE's SLOX server under 
the GPL he covered his initial installation experiences and tremendous 
feedback from the Gentoo user community in a document of currently more 
than 40 pages. 
3. Gentoo security
OpenMotif: Multiple vulnerabilities in libXpm
Multiple vulnerabilities have been discovered in libXpm, which is included 
in OpenMotif, that can potentially lead to remote code execution. (NB: 
This is the same vulnerability that was fixed in xorg-x11 last November) 
For more information, please see the GLSA Announcement[32] 
PostgreSQL: Local privilege escalation
The PostgreSQL server can be tricked by a local attacker to execute 
arbitrary code. 
For more information, please see the GLSA Announcement[33] 
Python: Arbitrary code execution through SimpleXMLRPCServer
Python-based XML-RPC servers may be vulnerable to remote execution of 
arbitrary code. 
For more information, please see the GLSA Announcement[34] 
pdftohtml: Vulnerabilities in included Xpdf
pdftohtml includes vulnerable Xpdf code to handle PDF files, making it 
vulnerable to execution of arbitrary code upon converting a malicious PDF 
For more information, please see the GLSA Announcement[35] 
Mailman: Directory traversal vulnerability
Mailman fails to properly sanitize input, leading to information 
For more information, please see the GLSA Announcement[36] 
Webmin: Information leak in Gentoo binary package
Portage-built Webmin binary packages accidentally include a file 
containing the local encrypted root password. 
For more information, please see the GLSA Announcement[37] 
Perl: Vulnerabilities in perl-suid wrapper
Vulnerabilities leading to file overwriting and code execution with 
elevated privileges have been discovered in the perl-suid wrapper. 
For more information, please see the GLSA Announcement[38] 
mod_python: Publisher Handler vulnerability
mod_python contains a vulnerability in the Publisher Handler potentially 
leading to information disclosure. 
For more information, please see the GLSA Announcement[39] 
4. Heard in the community
Remove no [insert feature here] USE-flags from the tree
Michiel de Bruijne [40] writes: "There are quite a few ebuilds in the tree 
that make use of a no [insert feature here] USE-flag. So basically by 
disabling the USE-flag you get more features. Pulling in extra 
dependencies by disabling the USE-flag is a possibility. This has some 
nasty side effects ..." The following discussion shows quite well why 
these USE-flags are not good. 
 40. m.debruijne@××××××.nl
 * Remove no [insert feature here] USE-flags from the tree[41]  
Automatic stabilization of packages
Approximately every 6 months the same discussion comes up: How can the 
packages in portage be kept up to date? The naive approach would be 
automatic stabilization after a certain period of time. This thread shows 
why for the most part that is not a good idea ... 
 * Automatic stabilization of packages[42] 
Closing or resolving bugs, which is it?
Marius Mauch[43] writes: "I noticed a new trend lately introduced by a few 
new devs: changing bug status from RESOLVED to CLOSED. Personally I just 
find it annoying and completely useless. Can we agree to not do that 
unless there is a technical reason? Don't see any benefit in this, just 
means that closed bugs are now split between two "categories" with no 
actual difference." 
 43. genone@g.o
 * should we close bugs?[44]  
5. Gentoo International
USA: Gentoo Bugday event at Oregon State University LUG
Gentoo Bugdays[45] are regularly held every first Saturday of each month, 
with developers and users everywhere gathering on IRC and skimming 
Gentoo's bugzilla for anything that looks like it needs fixing. On 5 
February, the Linux User Group of Oregon State University took the 
opportunity and turned the virtual event into a real one[46]. Twelve OSLUG 
members met at Weatherford Hall, the OSU residential college building. 
Aided by a precompiled list of bugs prepared by Gentoo's Bugday organizers 
for this occasion, they kept squashing bugs from 9:00 to 16:00, with the 
official IRC channel #gentoo-bugs being projected overhead, and assorted 
computers scattered around the classroom, each with a determined Gentoo 
bug hunter in front of the screen. 
Figure 5.1: The Klendathu, OR bughunt: Deedra Waters, Dunbar (background) 
and Micheal Clay
Note:  More photos are available at the OSLUG website. 
Germany: Storage tool release for Gentoo Linux
Commercial releases of Linux applications with official support outside 
the RedHat/SuSE/Mandrake realm are scarce and far between. A German 
company, SEP AG[47], has now announced the availability of their storage 
management product "SEP sesam" for Gentoo Linux. "We're traditionally tied 
to SuSE Linux, but had Gentoo on our radar ever since we watched the 
impressive installation Lars Weiler[48] did on an HP Proliant cluster at 
last year's LinuxTag in Karlsruhe," recalls SEP's sales manager Johann 
Krahfuss (cf. GWN report 28 June 2004[49]). "So when our first customers 
demanded an adaptation of SEP sesam to Gentoo Linux, it didn't exactly 
take us by surprise." The German federal research institution Fraunhofer 
Gesellschaft[50] were the first to request a SEP sesam installation inside 
a Gentoo Linux environment, "and since we didn't encounter any problems 
whatsoever, we feel it's ready for official release," says Krahfuss. A 
30-day-test version (including support) can be downloaded from the 
corporate website's download section. SEP sesam is designed for data 
storage management in heterogenous networks, including Linux, BSD, 
Solaris, TRU/64, OpenVMS, Windows and Mac OS X. The company will be 
present at next week's CRN Storage Solution Days 2005[51] in Neuss (link 
in German only). 
 48. pylon@g.o
6. Gentoo in the press
Newsforge (8 and 9 February 2005)
Newsforge published an article in two parts about using MySQL to benchmark 
OS performance[52], as analyzed and written by Tony Bourke[53]. The 
performance check spans server operating systems Open-, Net- and FreeBSD, 
Solaris 10, and Linux as platforms for MySQL database execution, and 
"among a multitude of distributions" Gentoo was chosen for the Linux part 
of the test, running both 2.4 and 2.6 kernels (gentoo-sources) on 
ReiserFS. "With Gentoo it was also relatively easy to install NPTL for 
2.6, which I used in the 2.6 tests," says Tony Bourke, "although they 
didn't make any difference when compared to non-NPTL 2.6 results." While 
the first part just explains the tools and the methodology, the actual 
performance comparison is published in a separate article[54] - with 
amazing results, Gentoo Linux clearly winning all individual benchmark 
tests. Funnily enough, Gentoo's outstanding performance even triggered 
complaints about the "unfair advantage"[55] of using a source-based, 
possibly processor-optimized Linux distribution as a platform for the 
CNET (7 February 2005)
Sun's President Jonathan Schwartz nods his head to Gentoo's OpenSolaris 
effort in an interview published on CNET last week. While explaining the 
OpenSolaris governance model to interviewer Stephen Shankland, he claims 
"Solaris is now officially platform-neutral"[56] and expects "10 or more" 
non-Sun OpenSolaris distributions to appear in the market. 
Security Focus (2 February 2005)
Columnist Jason Miller says Linux kernel security handling is broken, "and 
it needs to be fixed right now." The article at[57], a 
publication mainly read by security professionals, is highly critical of 
the way security bugs in the Linux kernel are being addressed. But the 
author, a self-proclaimed "huge follower of BSD-based operating systems," 
has some good news, too: "Once we start looking at actual distributions of 
the Linux kernel as a complete operating system, we find some 
distributions with official security contacts, as well as security-related 
pages similar to those provided by the major BSD-based operating systems. 
Gentoo Linux Security is a good example of that." 
Réseaux & Télécoms (3 February 2005, in French)
Directly responding to the Security Focus column by Jason Miller, the 
French network and telco magazine looks beyond the kernel as a security 
issue: Both flaws in individual applications not depending on the kernel, 
and the distribution of security-related information are identified as 
equally important fields of activity for the "bug hunters of open source." 
The article "Noyau Linux : Mais où est la sécurité ?"[58] acknowledges 
Miller's conclusion of "things changing, fast and in the right direction," 
and praises Thierry Carrez (see our interview above[59]) as an example for 
"impressive work." With the current pace of discussion around the 
structure of security handling and the distribution of information, it's 
"time to show some optimism," says author Marc Olanie, pointing out that 
it took Microsoft eighteen years to standardize their own security 
procedures -- "or have they?" 
Sun blogs (31 January 2005)
Eric Boutilier, an engineer at Sun, Inc. is gearing up for Gentoo 
development on OpenSolaris, and posted his first attempts at familiarizing 
himself with Portage on Linux to  his blog at the Sun website[60]. While 
his choice of installation material is peculiar - Gentoo-clone Vidalinux 
rather than a standard install, and on a five-year-old Portégé laptop - he 
quickly falls in sync with normal Portage user behaviour for lengthy 
compiles: "Oh well. I left it happily building away and went to work." 
7. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla ([61]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 06 February 2005 and 13 February 2005, activity 
on the site has resulted in: 
 * 860 new bugs during this period 
 * 699 bugs closed or resolved during this period 
 * 37 previously closed bugs were reopened this period 
Of the 8036 currently open bugs: 102 are labeled 'blocker', 243 are 
labeled 'critical', and 600 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
 * osx porters[62], with 179 closed bugs[63]  
 * Gentoo's Team for Core System packages[64], with 53 closed bugs[65]  
 * Gentoo KDE team[66], with 30 closed bugs[67]  
 * AMD64 Porting Team[68], with 24 closed bugs[69]  
 * Gentoo Security[70], with 23 closed bugs[71]  
 * media-video herd[72], with 19 closed bugs[73]  
 * Gentoo Games[74], with 19 closed bugs[75]  
 * Text-Markup Team[76], with 17 closed bugs[77]  
 62. osx@g.o
 64. base-system@g.o
 66. kde@g.o
 68. amd64@g.o
 70. security@g.o
 72. media-video@g.o
 74. games@g.o
 76. text-markup@g.o
New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * AMD64 Porting Team[78], with 30 new bugs[79]  
 * Gentoo Sound Team[80], with 18 new bugs[81]  
 * Gentoo X-windows packagers[82], with 15 new bugs[83]  
 * Net-Mail Packages[84], with 11 new bugs[85]  
 * Mobile Herd[86], with 11 new bugs[87]  
 * media-video herd[88], with 11 new bugs[89]  
 * Gentoo KDE team[90], with 10 new bugs[91]  
 * Portage team[92], with 10 new bugs[93]  
 78. amd64@g.o
 80. sound@g.o
 82. x11@g.o
 84. net-mail@g.o
 86. mobile@g.o
 88. media-video@g.o
 90. kde@g.o
 92. dev-portage@g.o
8. Tips and tricks
Portage magic: Identify obsolete packages
Gentoo developer Brian Harring[94] designed a clever way to identify all 
merged versions of packages not available in Portage anymore -- both the 
official tree and packages from PORTDIR_OVERLAY. Here is the method he 
came up with, packing as much Python neatness as fits on a single command 
 94. ferringb@g.o
| Code Listing 8.1:                                                       |
|Python scriptlet                                                         |
|                                                                         |
|python -c 'import portage; print [x for x in                             |
portage.db["/"]["vartree"].getallcpv() \ 
|if len(portage.portdb.xmatch("match-all","="+x))==0]'                    |
|                                                                         |
If that just went a little over your head, let's look at what exactly it 
does. For example, if a package, say, foo-1.2.3 is merged, and that 
version 1.2.3 is no longer in the tree, the script will point it out. A 
simple check for packages that aren't available any longer regardless of 
versions, would look like this: 
| Code Listing 8.2:                                                       |
|Python scriptlet                                                         |
|                                                                         |
|python -c 'import portage; print [x for x in                             |
portage.db["/"]["vartree"].getallcpv() \ 
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0]'   |
|                                                                         |
Finally, if you want to ignore package foo-1.2.3 even if it isn't in the 
tree any longer, but a revision foo-1.2.3-r1 is, the following script will 
ignore the package, only triggering on installed applications that have 
completely vanished from Portage. 
| Code Listing 8.3:                                                       |
|Python scriptlet                                                         |
|                                                                         |
|python -c 'import portage; print [x for x in                             |
portage.db["/"]["vartree"].getallcpv() \ 
|if                                                                       |
|                                                                         |
Lastly, none of the above take injected packages into consideration, only 
those that were installed from an available tree. Now, suppose you'd like 
to ignore those, too, here's what to do:
| Code Listing 8.4:                                                       |
|Python scriptlet                                                         |
|                                                                         |
|python -c 'import portage; print [x for x in                             |
portage.db["/"]["vartree"].getallcpv() \ 
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0 \   |
|and not portage.db["/"]["vartree"].dbapi.isInjected(x)]'                 |
|                                                                         |
Yes, we knew you'd like this. All of the above do work for individual 
packages you keep in an overlay tree, for example at /usr/local/portage, 
those are being evaluated along with packages in the official Portage 
tree. Try it out, you can't break anything, it just notifies you about 
whatever it finds, leaving it up to the user to decide what to do with 
that information. 
9. Moves, adds, and changes
The following developers recently left the Gentoo team: 
 * None this week  
The following developers recently joined the Gentoo Linux team: 
 * Sebastian Bergmann (sebastian) - PHP  
The following developers recently changed roles within the Gentoo Linux 
 * None this week  
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 
 95. gwn-feedback@g.o
11. GWN feedback
Please send us your feedback[96] and help make the GWN better.
 96. gwn-feedback@g.o
12. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under. 
13. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[97]  
 * Dutch[98]  
 * English[99]  
 * German[100]  
 * french[101]  
 * japanese[102]  
 * italian[103]  
 * polish[104]  
 * portuguese (brazil)[105]  
 * portuguese (portugal)[106]  
 * russian[107]  
 * spanish[108]  
 * turkish[109]  
Ulrich Plate <plate@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Author
Mike Fetherston <mike@××××××××××××××.ca> - Author
Patrick Lauer <patrick@g.o> - Author

gentoo-gwn@g.o mailing list