Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@××××××××××××.org
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 7 March 2005
Date: Mon, 07 Mar 2005 00:11:00
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 7 March 2005.
1. Gentoo News
Gentoo 2005.0 security rebuild
A set of exploitable bugs[1] in gaim and mozilla-firefox (remotely 
exploitable) and in qt and kdelibs (locally exploitable) was discovered 
just before the final Gentoo Linux 2005.0 release build finished. Although 
this interrupted the build mere hours before its scheduled completion, 
Gentoo's release engineering team unanimously decided to drop it and 
reconstruct the release media with all the security bugs resolved prior to 
release. Thanks to the Gentoo security team for catching the bugs, and to 
the profiles' lead developers for putting up with the delay and testing 
the builds on their architectures yet again! 

Gentoo staging/master rsync server migrated
Thanks to the donation of an Opteron 246 server from Nvidia, Gentoo is now 
running its staging mirror and master rsync mirror on new hardware. 
Lance Albertson[2] and Nick Jones[3] completed the move of the Portage 
regeneration last Wednesday with few or no problems. This server 
synchronizes from CVS every thirty minutes, then regenerates the 
dependency cache, which is I/O-intensive and takes time to finish. From 
there, the public rsync servers sync from it. The old server was a single 
1 GHz Pentium III and finished this regen in 10-30 minutes. The new 
Opteron server does the same in 1-2 minutes. This is an amazing 
improvement and will definitely allow us to scale well as the tree 
continues to grow. Just a note: the update frequency has not changed, so 
please don't waste your time trying to sync every 2 minutes. 

 2. ramereth@g.o
 3. carpaski@g.o
Also, most of the mirroring files were moved to this server a month ago, 
with the exception of distfiles. We were running out of space on the old 
server, and this new server has a lot more space for us to grow on. Nick 
Jones is currently working on a better script that catches missing 
distfiles and cleans old ones. Hopefully we'll start using this script in 
production in the next few weeks, in order to save space on our mirrors 
for other projects. 
Forum software updates
Software enhancements done to the Gentoo Forums may well require a weekly 
column of their own soon. The frequency of updates has already been high 
over the past few weeks, but all these changes were just made to make even 
bigger changes possible. Expect more to come, particularly with regard to 
"Mission UTF-8", an ongoing effort to switch the forums completely to 
Unicode, supported by tools that have already been put in place to aid the 
switch over the next few months. 
Three important changes were done in the last two weeks: 
 * We finally added jabber[4] to the user profiles. Christian Hartmann[5] 
created a Jabber-Mod for the phpBB 2.0.x branch[6], Forum user ptlis[7] 
then merged this with his own Jabber-Mod that has since been made 
available at[8]. 
 * The subSilver and Gentoo-Lite themes were removed, mainly to speed up 
development and to minimize potential sources of bugs or other future 
problems. Apologies to those who lose the ability to choose an alternative 
theme, but it's obviously much easier for the administrators to make and 
maintain changes in the future if little-used themes are eliminated. The 
default Gentoo theme was the only one kept because it is used by the 
overwhelming majority of Forum users: out of more than 80,000 registered 
forum IDs, only 450 were linked to the subSilver theme, and 4500 had 
chosen Gentoo-Lite.  
 * Some adjustments[9] have been made to the textbox of the postview 
window, thanks to the great Forum community for keeping track of that.  
 5. ian@g.o

System application reshuffle: Heads up!
In a swift action affecting more than 200 packages in Portage's sys-apps 
category, Ciaran McCreesh[10] is currently moving some of them into other 
existing categories, while others will find entirely new homes in the 
tree. The packages in question are listed in a file[11] in Ciaran's 
devspace. If you find problems with a package after it has been moved, 
please file a bug[12] or contact Ciaran. Gentoo users who keep sys-apps 
packages in an individual overlay in particular may want to pay special 
attention to the changes. 

 10. ciaranm@g.o
Looking for testimonials on Gentoo business usage
One of the things that we are always looking for at Gentoo is information 
on people using Gentoo to make their lives easier. This could be anything 
from using Gentoo machines as a render farm or rolled out into desktop 
usage, to just a small corporate firewall. Information such as this can 
help us better determine where we are and where we should be focusing our 
efforts. If you have a Gentoo success story, then we would love to hear 
about it! Information about large deployments or Gentoo usage in unusual 
markets are mostly what we are looking to receive. Send your story to 
usage-feedback@g.o today. 
Note: Although some interesting projects will certainly receive coverage 
in the GWN, we respect your wish for confidentiality if the project 
doesn't allow for publication. Please mark your story as confidential when 
submitting it to the usage feedback address, it will only be discussed 
among directly affected developers in that case. 
2.  Developer of the week 
 "The best thing about Gentoo is the community." -- Albert Hopkins 
Figure 2.1: Albert Hopkins aka marduk
This week's featured developer Marduk[13] is a member of the 
Infrastructure group, responsible for developing and maintaining one of 
the most exciting elements of Gentoo's web presence, the site[14]. He'd be interested in many other areas of 
Gentoo, but making sure the packages database site stays up, fixing bugs, 
and further development takes up most of his free time. That doesn't keep 
him from being in the process of re-writing the entire presentation, 
though, and he has many ambitions for the new site, too many to list 

 13. marduk@g.o
Figure 2.2: A view of things to come: Refurbishing the package database
Gentoo is his most significant OSS project to date, but Marduk has been 
developing open-source software for several years. He authored a program 
called Linbot, which was a web crawler/link validating tool written in 
Python that received a lot of recognition in its time, with reviews 
appearing in Linux magazines, inclusion in distributions and a Python 
book. "I'm very passionate about the Python programming language. I have 
been hacking in Python since 1997. While I still occasionally look at 
other programming languages, I always go back to Python," says Marduk. 
Unfortunately for Linbot, he received a "cease and desist" letter one day 
because the name was apparently too close to the name of a commercial 
application, and he hasn't worked on or distributed the software since 
then. The few smaller programs he continues distributing are kept at his 
own repository[15]. 

Marduk is an administrator for Linux and Linux-like systems at a major 
U.S. clinical laboratory. A college drop-out who nonetheless attended 
Cornell University majoring in Electrical Engineering, he used to work at 
a supercomputer facility and always loved it; he still keeps a vivid 
interest in high performance computing, but regrets not being able to 
afford the hardware. His current main box[16] was just recently upgraded 
to an AMD64, and he made sure "it's got all the trimmings," says Marduk. 
"The first application I launch is evolution, and if you ps my box, you'll 
most likely also find vim, epiphany, gnome-terminal and, of course, 

Marduk lives in the Dallas, TX area. He's single (now accepting 
applications), and his hobbies outside of computing that he felt worth 
mentioning during the interview include movies, long drives in his Audi TT 
roadster, indie music, silence, science, and sociology. 
3. Gentoo International
Germany: Chemnitzer Linuxtage
Lars Weiler[17], Tobias Scherbaum[18] and Jens Blaesche ("Mr. Big") 
represented Gentoo at this year's Chemnitzer Linuxtage, a conference and 
expo in East Germany's Saxony region that has been growing in importance 
since it was first organized last year, with more presentations in the 
main track, the usual suspects in the exposition hall, and a nice crowd 
mostly from Saxony itself, but also attracting visitors from other parts 
of Germany. The Gentoo booth had a Pegasos Open Desktop Workstation on 
display, a Sun Ultra10 running Gentoo, and the recent Brussels invention 
of the /dev/snack box of sweets was equally popular with visitors. 
Particularly rewarding for the booth staff who had been here already at 
last year's event: visitors they had met back then and who had asked 
generally uninformed "What is Gentoo?" questions now came back sporting 
"Portage addict" t-shirts and laptops with Gentoo Linux running on them. A 
German version of the Fizzlewizzle LiveDVD (see last week's FOSDEM 
report), complete with KDE and distfiles sources, was the top seller at 
this regional event, very welcome in this part of Germany where broadband 
Internet connections are hard to come by. 

 17. pylon@g.o
 18. dertobi123
Figure 3.1: Left: Gentoo booth, center: Pylon, right: dertobi123 and Mr. Big
International event reminders
Two events are scheduled for next weekend: one in Manchester, where Stuart 
Herbert expects UK-based Gentoo developers and users at the second Gentoo 
UK Conference, and an expo in Lörrach (Germany, close to the Swiss 
border) with a Gentoo booth on the floor.
 * Gentoo UK Conference[19] - Saturday, 12 March in Manchester, UK: 
University of Salford. Attention: The Friday night social event before the 
conference will start at 19:30 at the Stay Inn[20] (driving directions 
on their website).  
 * IT/Linux Days 2005[21] - 11 to 14 March in Lörrach, Germany: 
Regio-Messe Lörrach  

4. Gentoo in the press
(4 March 2005)
The lack of support forums or other "groundswell support from users" is 
the topic of an article in O'Reilly's operating systems magazine. Author 
Steve Mallett asks "Where is the SuSE Community?"[22], and compares the 
missing user community presence to other popular distributions: "A search 
for Fedora, Mandrake, or Gentoo for instance and you have no problem 
finding forums, wikis, official and unofficial FAQs. Signs of life." 
observes the magazine's managing editor. 

 22. 
(3 March 2005, in French)
Author Prosper describes the gentoo-stats project in an article[23] on the 
French Linux forum for Apple computers. "The basc project makes it 
possible to calculate the time needed to install an ebuild. Packages are 
represented in GU (Gentoo units); if you know how many seconds one GU 
takes to compile on your system, it's enough to simply multiply." 

 23. 
(28 February 2005, in Spanish)
The Spanish magazine reports on Intel and AMD[24] pushing 64-bit 
computing into the consumer market, and observes that while Microsoft 
doesn't currently have an operating system that fully supports the 
hardware, Linux distributions, "for example Gentoo", are listed as fully 
functional on 64-bit hardware. 

5. Tips and Tricks
Emerge flags deserving more attention
There are a few flags emerge accepts that can give some insight as to what 
it is (or will be) doing. We've described some of the newer ones that have 
been added with portage-2.0.51, but there are a couple of older switches 
that users may have forgotten about. Here's a quick look at two of those. 
Perhaps a little more commonly used is the first one, --verbose, or -v. It 
displays the USE flags that a package recognizes, and which ones are 
currently enabled or disabled. When running emerge with the --newuse flag, 
it even marks with an asterisk those flags that have been enabled or 
disabled since the last time the package was built. It also displays the 
size of the files that need to be downloaded for each package, in addition 
to the total download size for all packages to be emerged. 
The second is --tree, or -t. This displays the dependency tree by 
indenting dependencies. Here's an example to illustrate the effect of this 
flag: 

Code Listing 5.1: Indented packages showing their dependencies

    [ebuild  N    ] x11-plugins/gkrellm-sensors-0.1
    [ebuild  N    ]  app-admin/gkrellm-1.2.13
    [ebuild  N    ]  sys-apps/lm_sensors-2.8.7
    [ebuild  N    ]   sys-apps/i2c-2.8.7

This tells us that gkrellm-sensors requires gkrellm and lm_sensors, and 
that lm_sensors in turn requires i2c. 

By combining --verbose and --tree, you'll get a much clearer picture of 
exactly what emerge is doing. Needless to say, this makes it much easier 
to tweak your USE flags for better control over which packages are being 

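The value of -pvt is that you can audit what is about to land on the box 
before it is built: which dependency chain drags a package in, which USE 
flags flipped since the last build, and how much you are about to fetch. 
The helper below is an added example (not part of the original GWN, and 
not Portage's own code) written in POSIX sh and awk; it reads emerge -pvt 
output from stdin. The sample lines are constructed to mirror Code Listing 
5.1 with assumed USE strings and sizes, and the asterisk on -ssl* stands 
for the --newuse marker described above. 

```shell
#!/bin/sh
# Added example: parse `emerge -pvt` output to answer "what pulls this
# package in?", "which USE flags changed since the last build?" and
# "how much will be downloaded?". POSIX sh + awk only.

# Constructed sample mirroring Code Listing 5.1; USE strings and kB sizes
# are assumed. Real use: emerge -pvt x11-plugins/gkrellm-sensors | dep_chain i2c
SAMPLE='[ebuild  N    ] x11-plugins/gkrellm-sensors-0.1  USE="-debug" 45 kB
[ebuild  N    ]  app-admin/gkrellm-1.2.13  USE="gnome -ssl*" 690 kB
[ebuild  N    ]  sys-apps/lm_sensors-2.8.7  USE="" 400 kB
[ebuild  N    ]   sys-apps/i2c-2.8.7  USE="" 120 kB'

# dep_chain PATTERN: for every [ebuild] line whose atom contains PATTERN,
# print the chain of parents (root first) that pulls it in. Depth is the
# number of spaces between "]" and the atom, which is how --tree indents.
dep_chain() {
  awk -v target="$1" '
    /^\[ebuild/ {
      rest = substr($0, index($0, "]") + 1)
      match(rest, /^ */); depth = RLENGTH
      sub(/^ */, "", rest)
      split(rest, f, " "); atom = f[1]
      stack[depth] = atom        # most recent package seen at this depth
      if (index(atom, target)) {
        out = atom
        for (d = depth - 1; d >= 1; d--) out = stack[d] " -> " out
        print out
      }
    }'
}

# changed_use: list packages whose USE="..." contains a flag carrying the
# trailing "*" that -v prints under --newuse for flags toggled since the
# package was last built.
changed_use() {
  awk '
    /^\[ebuild/ && match($0, /USE="[^"]*"/) {
      flags = substr($0, RSTART + 5, RLENGTH - 6)
      n = split(flags, f, " "); changed = ""
      for (i = 1; i <= n; i++) if (f[i] ~ /\*$/) changed = changed " " f[i]
      if (changed != "") {
        rest = substr($0, index($0, "]") + 1); sub(/^ */, "", rest)
        split(rest, g, " "); print g[1] ":" changed
      }
    }'
}

# total_kb: sum the per-package download sizes that -v appends ("NN kB")
# to get the total fetch size of the whole set.
total_kb() {
  awk '/^\[ebuild/ && $NF == "kB" { s += $(NF - 1) } END { print s + 0 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE" | dep_chain sys-apps/i2c
printf '%s\n' "$SAMPLE" | changed_use
printf '%s\n' "$SAMPLE" | total_kb
```

On the sample, dep_chain reports that i2c is only there because 
gkrellm-sensors wants lm_sensors, changed_use flags gkrellm as the one 
package whose USE set moved (ssl turned off), and total_kb adds up the 
fetch to 1255 kB. The depth logic relies on --tree's one-space-per-level 
indentation; run it on a real pretend merge and any atom you did not 
expect has its justification printed next to it. 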
6. Moves, adds, and changes
The following developers recently left the Gentoo team: 
 * None this week  
The following developers recently joined the Gentoo Linux team: 
 * Andrew Fant (JFMuggs) - Infrastructure 
 * Eric Edgar (rocket) - Catalyst/Genkernel 
The following developers recently changed roles within the Gentoo Linux 
team: 
 * None this week  
7. Gentoo security
MediaWiki: Multiple vulnerabilities
MediaWiki is vulnerable to cross-site scripting, data manipulation and 
security bypass attacks. 
For more information, please see the GLSA Announcement[25] 

Qt: Untrusted library search path
Qt may load shared libraries from an untrusted, world-writable directory, 
resulting in the execution of arbitrary code. 
For more information, please see the GLSA Announcement[26] 

phpBB: Multiple vulnerabilities
Several vulnerabilities allow remote attackers to gain phpBB administrator 
rights or expose and manipulate sensitive data. 
For more information, please see the GLSA Announcement[27] 

Gaim: Multiple Denial of Service issues
Multiple vulnerabilities have been found in Gaim which could allow a 
remote attacker to crash the application. 
For more information, please see the GLSA Announcement[28] 

phpWebSite: Arbitrary PHP execution and path disclosure
Remote attackers can upload and execute arbitrary PHP scripts, another 
flaw reveals the full path of scripts. 
For more information, please see the GLSA Announcement[29] 

xli, xloadimage: Multiple vulnerabilities
xli and xloadimage are vulnerable to multiple issues, potentially leading 
to the execution of arbitrary code. 
For more information, please see the GLSA Announcement[30] 

BidWatcher: Format string vulnerability
BidWatcher is vulnerable to a format string vulnerability, potentially 
allowing arbitrary code execution. 
For more information, please see the GLSA Announcement[31] 

phpMyAdmin: Multiple vulnerabilities
phpMyAdmin contains multiple vulnerabilities that could lead to command 
execution, XSS issues and bypass of security restrictions. 
For more information, please see the GLSA Announcement[32] 

OpenMotif, LessTif: New libXpm buffer overflows
A new vulnerability has been discovered in libXpm, which is included in 
OpenMotif and LessTif, that can potentially lead to remote code execution. 
For more information, please see the GLSA Announcement[33] 

xv: Filename handling vulnerability
xv contains a format string vulnerability, potentially resulting in the 
execution of arbitrary code. 
For more information, please see the GLSA Announcement[34] 

Mozilla Firefox: Various vulnerabilities
Mozilla Firefox is vulnerable to a local file deletion issue and to 
various issues that allow an attacker to trick the user into trusting fake 
web sites or interacting with privileged content. 
For more information, please see the GLSA Announcement[35] 

ImageMagick: Filename handling vulnerability
A format string vulnerability exists in ImageMagick that may allow an 
attacker to execute arbitrary code. 
For more information, please see the GLSA Announcement[36] 

Hashcash: Format string vulnerability
A format string vulnerability in the Hashcash utility could allow an 
attacker to execute arbitrary code. 
For more information, please see the GLSA Announcement[37] 

8. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla ([38]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 27 February 2005 and 06 March 2005, activity on 
the site has resulted in: 

 * 826 new bugs during this period 
 * 467 bugs closed or resolved during this period 
 * 23 previously closed bugs were reopened this period 
Of the 8186 currently open bugs: 97 are labeled 'blocker', 231 are labeled 
'critical', and 602 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
are: 
 * Portage team[39], with 47 closed bugs[40]  
 * AMD64 Porting Team[41], with 27 closed bugs[42]  
 * Gentoo Security[43], with 22 closed bugs[44]  
 * Gentoo KDE team[45], with 21 closed bugs[46]  
 * Gentoo Linux Gnome Desktop Team[47], with 14 closed bugs[48]  
 * Gentoo Games[49], with 14 closed bugs[50]  
 * PPC Porters[51], with 12 closed bugs[52]  
 * Gustavo Felisberto[53], with 12 closed bugs[54]  
 39. dev-portage@g.o
 41. amd64@g.o
 43. security@g.o
 45. kde@g.o
 47. gnome@g.o
 49. games@g.o
 51. ppc@g.o
 53. humpback@g.o

New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * AMD64 Porting Team[55], with 38 new bugs[56]  
 * Gentoo's Team for Core System packages[57], with 19 new bugs[58]  
 * Gentoo Sound Team[59], with 18 new bugs[60]  
 * Gentoo Linux Gnome Desktop Team[61], with 17 new bugs[62]  
 * Gentoo Kernel Bug Wranglers and Kernel Maintainers[63], with 12 new 
bugs 
 * media-video herd[65], with 11 new bugs[66]  
 * Portage team[67], with 11 new bugs[68]  
 * Gentoo KDE team[69], with 9 new bugs[70]  
 55. amd64@g.o
 57. base-system@g.o
 59. sound@g.o
 61. gnome@g.o
 63. kernel@g.o
 65. media-video@g.o
 67. dev-portage@g.o
 69. kde@g.o

9. GWN feedback
Please send us your feedback[71] and help make the GWN better.

 71. gwn-feedback@g.o
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under. 
11. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[72]  
 * Dutch[73]  
 * English[74]  
 * German[75]  
 * French[76]  
 * Japanese[77]  
 * Italian[78]  
 * Polish[79]  
 * Portuguese (Brazil)[80]  
 * Portuguese (Portugal)[81]  
 * Russian[82]  
 * Spanish[83]  
 * Turkish[84]  

Ulrich Plate <plate@g.o> - Editor
Lance Albertson <ramereth@g.o> - Author
Chris Gianelloni <wolf31o2@g.o> - Author
Christian Hartmann <ian@g.o> - Author
Patrick Lauer <patrick@g.o> - Author
Joshua Nichols <joshua.nichols@×××××.com> - Author

gentoo-gwn@g.o mailing list