Gentoo Archives: gentoo-gwn

From: Lars Weiler <pylon@g.o>
To: gentoo-gwn@l.g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 18 July 2005
Date: Mon, 18 Jul 2005 00:21:18
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 18 July 2005.

1. Gentoo News

Discontinuing Gentoo-2.4-sources

The Gentoo kernel maintainers are considering discontinuing the
gentoo-sources-2.4 kernel series.

gentoo-sources-2.4 is a kernel based on the older 2.4 series kernel which
is no longer under active development. x86 is the only supported
architecture, and several feature-style patches are included.

Since January, gentoo-sources-2.6 has become the default kernel, and full
migration documentation has been produced. Linux 2.6 is under active
development and includes many of the feature patches which were included
in gentoo-sources-2.4.

This only concerns the removal of gentoo-sources-2.4; a 'clean' Linux 2.4
kernel will still be provided through vanilla-sources. gentoo-sources-2.6
will also continue as normal.

If you have input on this subject, please mail kernel@g.o with your
opinion. We're especially interested to hear from current
gentoo-sources-2.4 users. Do you depend on gentoo-sources-2.4
specifically, or are you able to migrate to vanilla-sources-2.4 with
minimal hassle? We would especially like to know if there is anything
preventing you from upgrading to gentoo-sources-2.6. Your input is

Hardware Donations

The last weeks have brought two hardware donations to Gentoo. First is a
SUN E250 from the Loyola University of Chicago and Mike Doty (kingtaco).
It's a dual-processor 400MHz UltraSparc2 box with 2GB RAM and 2x36GB
disks, available for Gentoo Development from now on.

The second donation received is a Hewlett Packard management processor which
has allowed remote testing and development of LiveCDs, something that had not
happened until now because the hardware is rare and physical access to it was
lacking. In addition, HP has included a 73GB 15,000rpm U320 SCSI drive with
this donation, giving developers much-needed space for testing applications in
the Portage

Additional thanks are directed to the Open Source Laboratory, at the
University of Oregon (OSUOSL) - where Corey Shields and Michael Marineau
provided invaluable assistance installing the newly donated hardware.
Lance Albertson is also kindly acknowledged for allowing the use of other
Gentoo infrastructure to access the serial consoles on the IA64 system.

These machines are a welcome addition to the existing development


First IA64 LiveCD finished

Thanks to very generous hardware donations from Hewlett Packard, the
Gentoo/IA64 team has finally been able to build a working LiveCD for
systems based on the Itanium (IA64) architecture. The new LiveCD will
allow users to quickly and painlessly deploy Gentoo on an IA64 platform,
where previously another distribution was required to jumpstart the
bootstrap process for a Gentoo installation. The CD is planned to be
released as part of Gentoo 2005.1, and anyone who is interested in helping
test the product should contact the IA64-Developer Tim Yamin[2].

 2. plasmaroo@g.o

Bugzilla Upgrade

Shortly before the release of this GWN, infrastructure-developer Jeffrey
Forman[3] upgraded Gentoo's Bugzilla[4] from version 2.18.1 to 2.18.3.
Besides fixing some security bugs, this update puts an end to the
duplicate-bugs fiasco which was introduced in an earlier update.
Furthermore, there is a new autolink feature: just as citing "bug #XXXX"
creates a link, "glsa #XXXX-Y" will now be active too, so that our
security folks can more easily reference GLSAs.

 3. jforman@g.o

2. Developer of the week

“For the first impression there is no second chance” — Sven Wegener (swegener)

Figure 2.1: Sven Wegener aka swegener

This week's victim is Sven Wegener[5], one of the German devs. He lives
near Hamelin, the city of the Pied Piper of Hamelin saga.

 5. swegener@g.o

Most people might know him from his QA efforts (he was promoted to QA lead
recently), but he also maintains the net-irc, net-news and shell-tools
herds. In general he does bugfixing, package maintenance and looks out for
tree breakage. One of his newest toys is ‘autorepoman’, an automated
checker that sends mails whenever someone's commit causes a problem. Like
many other devs he never got to work on other OSS projects before being
absorbed into the Gentoo collective.

He used to have a day job as a system administrator, but since that
contract expired he's looking for new sources of income. About his
education he says “I studied at the University of Cooperative Education in
Hamelin and graduated as business data processing specialist. After a law
change I was able to post-graduate as Bachelor of Science”, noting that
it's quite difficult to translate these titles from German.

Right now Sven mostly uses his AthlonXP workstation and several computers
in the basement (nothing fancy, all x86) for development. He adds: “I use
gnome-light for my daily work, but occasionally switch to plain console.
Mail is done via a mixture of mutt, pine and evolution, all connected to
my IMAP server. My workstation is normally left running all time, but I
count firefox and several terminals, to access my servers and other
development computers, to the apps I normally start after login. irssi,
centericq, mutt and pine are permanently running on a server outside of my
house.” Speaking of outside: Whenever he finds some spare time he enjoys

Quote: “Gentoo makes easy things difficult, impossible things easy, but it
also gives you enough rope to hang yourself.”

3. Heard in the community


Another Spam victim

After different kinds of spam in the last week, this week saw some really
weird spam with a win32 executable as attachment. Even mailing lists seem
to be an acceptable target to some spammers now.

 * Re: Re: Hello [6]

Proposal: pre-emerge advisories

Since breakage sometimes happens during updates, an interested user
suggests adding functionality to portage to warn about known issues before
upgrading. Although this would be very interesting to have, it is unlikely
to become a portage feature in the foreseeable future.

 * pre-emerge advisories [7]

Upcoming portage changes

As portage continues to grow in CVS (which is not yet available for
general consumption), the portage hackers warn of things to come: at some
point in the future the ebuild format will change in a non-compatible way.
To make any transition easier there will be a new EBUILD_FORMAT variable
so that old and new ebuilds can be distinguished. Also, the RDEPEND=DEPEND
assumption that portage currently makes will change.

 * RDEPEND=DEPEND changes [9]

devfs is dead, let's move on

Our resident kernel hacker and udev maintainer GregKH explains some of the
changes that the removal of devfs from the 2.6 kernel series will cause.
Also, a slight reorganization in the udev namespace might save some RAM
for all involved.

 * devfs is dead [10]

Proposed security policy for web-based apps

Stuart Herbert[11] offers a proposal for handling security bugs for
web-apps. This should reduce the reaction time for Gentoo whenever there
are such bugs (and thanks to sloppy coding there are more than enough of

 11. stuart@g.o

 * Proposed security policy for web-apps [12]

4. Gentoo International

Canada: Gentoo at the Ottawa Linux Symposium

The annual OLS[13] is coming up this week, held from 20 to 23 July at the
Ottawa Congress Centre (preceded by a desktop developer's conference at
the same venue starting today, 18 to 19 July, open to anyone arriving
early for the main event). At the OLS, Gentoo's Linux kernel developer and
udev maintainer Greg Kroah-Hartman will be given a device upon the start
of the class, and by the end, they will have created a kernel driver that
controls the device that will be acceptable for inclusion in the main
Linux kernel tree! Seating for Greg's tutorial is limited to 30 spaces, so
please reserve now. He also hosts a birds-of-a-feather (BOF) session about
"Linux device persistent naming policy", and fellow Gentoo developer
Omkhar Arasaratnam[14] will organize an impromptu Gentoo BOF session for
any Gentoo user, developer or aficionado who happens to be in Ottawa.
Please email Omkhar directly to announce your interest in participating.

 14. omkhar@g.o

Germany: Gentoo introductory talk at Oberhausen LUG

Gentoo Developer Tobias Scherbaum[15] held a presentation about Gentoo,
including a demonstration of how fast Gentoo can be installed using GRP
packages, last Wednesday at the monthly meeting of his local LUG[16] in
Oberhausen/Germany. First he introduced the concepts behind Gentoo, then
how everyone can utilize Gentoo for his personal needs and finally
Gentoo's big plus: our strong and manifold community.

 15. dertobi123@g.o

Subsequent to his presentation, the attendees got a practical introduction
to Gentoo: Tobias installed Gentoo on a quite new HP notebook using the
2005.0 installation media and explained the necessary installation steps,
including the usage of GRP packages to get a system set up quickly.

5. Gentoo in the press

Benchmarking AMD64 and P4 with Gentoo on linuxhardware

Linuxhardware ran a recent benchmark comparing different AMD64 and P4
machines[17]. The interesting part: they used Gentoo/AMD64 for both
platforms. Find out the winner!


6. Tips and Tricks

Fullscreen task-switching: skippy

You know the problem: Too many applications open, too many windows open,
and you are searching for one window you can't find in your taskbar or
with the taskswitcher. That's the point when skippy becomes handy:

Figure 6.1: fullscreen task-switching with skippy

For installation just run emerge skippy and start it with skippy. Now you
can switch your tasks with F11. Or show the windows of the current
application only with Alt-F11. Use your mouse for selecting the window or
cycle through all windows with Alt-Tab.

You can customize the keys by copying the file
/usr/share/skippy-0.5.0/skippyrc-default into ~/.skippyrc and changing it to
your preferences.

And finally there is a skippy thread[18] in the forums with some
customized config-files.


7. Moves, adds, and changes


The following developers recently left the Gentoo team:

 * None this week


The following developers recently joined the Gentoo Linux team:

 * New staff member: Wernfried Haas (amne) (forum moderator)
 * New developer: Francesco Riosa (vivo) (MySQL)


The following developers recently changed roles within the Gentoo Linux

 * None this week

8. Gentoo security

Adobe Acrobat Reader: Buffer overflow vulnerability

Adobe Acrobat Reader is vulnerable to a buffer overflow that could lead to
remote execution of arbitrary code.

For more information, please see the GLSA Announcement[19]


Ruby: Arbitrary command execution through XML-RPC

A vulnerability in XMLRPC.iPIMethods allows remote attackers to execute
arbitrary commands.

For more information, please see the GLSA Announcement[20]


MIT Kerberos 5: Multiple vulnerabilities

MIT Kerberos 5 is vulnerable to a Denial of Service attack and remote
execution of arbitrary code, possibly leading to the compromise of the
entire Kerberos realm.

For more information, please see the GLSA Announcement[21]


Bugzilla: Unauthorized access and information disclosure

Multiple vulnerabilities in Bugzilla could allow remote users to modify
bug flags or gain sensitive information.

For more information, please see the GLSA Announcement[22]


pam_ldap and nss_ldap: Plain text authentication leak

pam_ldap and nss_ldap fail to restart TLS when following a referral,
possibly leading to credentials being sent in plain text.

For more information, please see the GLSA Announcement[23]


Mozilla Firefox: Multiple vulnerabilities

Several vulnerabilities in Mozilla Firefox allow attacks ranging from
execution of script code with elevated privileges to information leak.

For more information, please see the GLSA Announcement[24]


PHP: Script injection through XML-RPC

PHP includes an XML-RPC implementation which allows remote attackers to
execute arbitrary PHP script commands.

For more information, please see the GLSA Announcement[25]


dhcpcd: Denial of Service vulnerability

A vulnerability in dhcpcd may cause the dhcpcd daemon to crash.

For more information, please see the GLSA Announcement[26]


9. Bugzilla


 * Statistics
 * Closed bug ranking
 * New bug rankings


The Gentoo community uses Bugzilla ([27]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 10 July 2005 and 16 July 2005, activity on the
site has resulted in:


 * 634 new bugs during this period
 * 561 bugs closed or resolved during this period
 * 22 previously closed bugs were reopened this period

Of the 8131 currently open bugs: 104 are labeled 'blocker', 185 are
labeled 'critical', and 552 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period

 * Portage team[28], with 117 closed bugs[29]
 * AMD64 Porting Team[30], with 20 closed bugs[31]
 * Gentoo Genkernel Maintainers[32], with 19 closed bugs[33]
 * Gentoo's Team for Core System packages[34], with 18 closed bugs[35]
 * Gentoo Games[36], with 17 closed bugs[37]
 * Gentoo Security[38], with 16 closed bugs[39]
 * PPC Porters[40], with 16 closed bugs[41]
 * Apache Herd - Bugzilla Reports[42], with 15 closed bugs[43]
 28. dev-portage@g.o
 30. amd64@g.o
 32. genkernel@g.o
 34. base-system@g.o
 36. games@g.o
 38. security@g.o
 40. ppc@g.o
 42. apache-bugs@g.o

New bug rankings

The developers and teams who have been assigned the most new bugs during
this period are:

 * Default Assignee for New Packages[44], with 206 new bugs[45]
 * Default Assignee for Orphaned Packages[46], with 44 new bugs[47]
 * Java team[48], with 14 new bugs[49]
 * Gentoo Linux Gnome Desktop Team[50], with 9 new bugs[51]
 * media-video herd[52], with 8 new bugs[53]
 * Gentoo's Team for Core System packages[54], with 8 new bugs[55]
 * AMD64 Porting Team[56], with 8 new bugs[57]
 * X11 External Driver Maintainers[58], with 7 new bugs[59]
 44. maintainer-wanted@g.o
 46. maintainer-needed@g.o
 48. java@g.o
 50. gnome@g.o
 52. media-video@g.o
 54. base-system@g.o
 56. amd64@g.o
 58. x11-drivers@g.o

10. GWN feedback

Please send us your feedback[60] and help make the GWN better.

 60. gwn-feedback@g.o

11. GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn+unsubscribe@g.o from the email address you are
subscribed under.

12. Other languages

The Gentoo Weekly Newsletter is also available in the following languages:

 * Danish[61]
 * Dutch[62]
 * English[63]
 * German[64]
 * French[65]
 * Japanese[66]
 * Italian[67]
 * Polish[68]
 * Portuguese (Brazil)[69]
 * Portuguese (Portugal)[70]
 * Russian[71]
 * Spanish[72]
 * Turkish[73]

Ulrich Plate <plate@g.o> - Editor
Daniel Drake <dsd@g.o> - Author
Tim Yamin <plasmaroo@g.o> - Author
Patrick Lauer <patrick@g.o> - Author
Tobias Scherbaum <dertobi123@g.o> - Author
Lars Weiler <pylon@g.o> - Author

gentoo-gwn@g.o mailing list