Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@l.g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 25 October 2004
Date: Sun, 24 Oct 2004 23:10:18
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 25 October 2004.
1. Gentoo News
Portage 2.0.51 released
Keeping a Linux system healthy and in good condition wouldn't be possible 
without its core toolchain. No wonder the excitement over Portage releases 
generally reaches higher amplitudes than other Gentoo developments. As of 
last week, Portage 2.0.51 has been marked stable and fit for general 
consumption. Portage is now more feature-rich than ever, has sped up 
considerably, and is generally on track for future improvements to 
Gentoo's sophisticated package management. A full list of all the new 
features is published in the official announcement[1]; here is an overview 
of a few of the highlights:
 * Rebuilding on USE flag changes: Using emerge --newuse, Portage is now 
able to perform automatic rebuilds of formerly emerged packages whenever 
USE flag settings have changed (see also today's Tips and Tricks section).
 * Experimental support for GPG verification: Not completely implemented 
yet, but a new FEATURES variable gpg in /etc/make.conf that can be set to 
different levels of strictness will allow checks of the GPG signatures in 
newer Manifest files. 
 * FHS compliance: The world file has been moved, and virtuals are now 
being dynamically checked, making Portage FHS-compliant, which means, for 
example, that it's now safe to remove data from /var/cache. 
 * Compilation success checking: New ebuilds will be able to include a 
test phase in the compilation process where success or failure of a 
package build can be verified before emerge has finished. 
 * Dependency calculation speedup: Now at only one third of the time that 
the previous Portage release had to spend on dependency checking. 
 * Parallel emerging: Portage has improved its use of lockfiles so that, 
for example, downloads are now performed correctly while applications are 
being emerged. 
Winner of the website redesign contest announced
Aaron Shi and his design are the winners of the public contest that was 
held to determine the future look of the soon-to-be-refurbished Gentoo 
Foundation website. Aaron was elected over four other finalists by almost 
half of the more than 3000 votes that were cast within the two weeks 
that the poll at the Gentoo Forums was open. 
Figure 1.1: Only 3 percent wanted to keep the current design...
Congratulations to Aaron, and many thanks to all the other participants in 
the public contest. The new look is expected to replace the current layout 
as soon as the Gentoo developer team - now busily working together with 
the designer - finishes applying some last touches to the graphics and 
the internal data structure of the new design. The content presentation 
remains unaffected by the new design, as the Gentoo website continues to 
be entirely XML-based, with XHTML pages being generated on the fly by 
using XSL transformation style sheets.
Figure 1.2: Aaron Shi's design for the new Gentoo Foundation website
Urgent call for help: Haskell developers
The developer team looking after the lambda-calculus based functional 
programming language Haskell[2] in Gentoo is urgently seeking additional 
help. Haskell programmers who would like to support the effort of 
maintaining Haskell in Gentoo, please contact Gentoo's recruiters team[3].
 3. recruiters@g.o
New chapter in the Gentoo handbook: Working with Portage
Several pieces of good news came from the documentation team this week, including 
improvements to the KDE configuration[4], the Gentoo installation tips and 
tricks[5], and Usermode Linux guides[6]. Stuart Herbert[7] has contributed 
a document on "Running NX On Gentoo Linux"[8], a guide on using 
NoMachine's[9] commercial NX server and its free clients in Gentoo for 
remote X11 access optimized for low-bandwidth connections. Probably the 
most significant change was made to the Gentoo handbook, which has been 
expanded to reflect the changes in Portage 2.0.51. It now accommodates a 
whole new chapter called "A Portage Introduction"[10] which contains all 
the basic emerge-related commands that every Gentoo user ought to know, 
and a section on "Working with Portage"[11] explaining the finer details.
 7. stuart@g.o
2. Gentoo security
phpMyAdmin: Vulnerability in MIME-based transformation system
A vulnerability has been found in the MIME-based transformation system of 
phpMyAdmin, which may allow remote execution of arbitrary commands if 
PHP's "safe mode" is disabled.
For more information, please see the GLSA Announcement[12]
Squid: Remote DoS vulnerability
Squid contains a vulnerability in the SNMP module which may lead to a 
denial of service. 
For more information, please see the GLSA Announcement[13]
PostgreSQL: Insecure temporary file use in make_oidjoins_check
The make_oidjoins_check script, part of the PostgreSQL package, is 
vulnerable to symlink attacks, potentially allowing a local user to 
overwrite arbitrary files with the rights of the user running the utility. 
For more information, please see the GLSA Announcement[14]
Temporary files disclosure
uses insecure temporary files which could allow a malicious 
local user to gain knowledge of sensitive information from other users' 
For more information, please see the GLSA Announcement[15]
Ghostscript: Insecure temporary file use in multiple scripts
Multiple scripts in the Ghostscript package are vulnerable to symlink 
attacks, potentially allowing a local user to overwrite arbitrary files 
with the rights of the user running the script. 
For more information, please see the GLSA Announcement[16]
glibc: Insecure tempfile handling in catchsegv script
The catchsegv script in the glibc package is vulnerable to symlink 
attacks, potentially allowing a local user to overwrite arbitrary files 
with the rights of the user running the script. 
For more information, please see the GLSA Announcement[17]
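Symlink attacks on temporary files, as in the PostgreSQL, Ghostscript and glibc advisories above, typically arise when a script writes to a predictable path in a shared directory such as /tmp. The following shell code is an added example, not taken from the GLSAs or from the affected packages: it shows two hardened ways of creating such files and a simple audit for the risky pattern. All function names, paths and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: names, paths and the sample script are constructed.

# Create a private scratch file. mktemp chooses an unpredictable name and
# creates the file exclusively with mode 0600, so a path planted in advance
# by another local user is never opened.
make_scratch() {
    mktemp "${TMPDIR:-/tmp}/${1:-scratch}.XXXXXXXXXX"
}

# Write stdin to a fixed path only if it does not exist yet. With noclobber
# (set -C) the redirection fails when the path is already a regular file,
# directly or through a symlink, instead of truncating it.
write_new_only() {
    ( set -C; cat > "$1" ) 2>/dev/null
}

# Print "line:text" for every line of script $1 that builds a temp path from
# the PID ($$) or redirects output straight to a name under /tmp or /var/tmp.
# Returns 0 when at least one such line is found.
audit_tmp_use() {
    grep -nE -e '/(var/)?tmp/[^[:space:]"]*\$\$' \
             -e '>>?[[:space:]]*"?/(var/)?tmp/' "$1"
}

# Constructed sample input: lines 2 and 3 use predictable names,
# lines 4 and 5 show the mktemp form that the audit leaves alone.
sample_script() {
    cat <<'EOF'
#!/bin/sh
log=/tmp/report.$$
sort input.txt > /tmp/sorted.out
work=$(mktemp /tmp/report.XXXXXXXXXX)
sort input.txt > "$work"
EOF
}
```

Running `sample_script > s.sh; audit_tmp_use s.sh` reports lines 2 and 3 of the sample only.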
Xpdf, CUPS: Multiple integer overflows
Multiple integer overflows were discovered in Xpdf, potentially resulting 
in execution of arbitrary code upon viewing a malicious PDF file. CUPS 
includes Xpdf code and therefore is vulnerable to the same issues. 
For more information, please see the GLSA Announcement[18]
Apache 2, mod_ssl: Bypass of SSLCipherSuite directive
In certain configurations, it may be possible to bypass restrictions set 
by the "SSLCipherSuite" directive of mod_ssl. 
For more information, please see the GLSA Announcement[19]
3. Heard in the community
/etc/group x
Following an emerge -uD world, etc-update was intent on removing the "x" in 
the password field from entries in the /etc/group file. Can this be safely 
ignored, in order not to lose group memberships? 
 * /etc/group changes[20]  
Mysql 4.1 ebuild
If you're looking for the next releases of MySQL to test the latest 
features, version 4.1 or 5.0 ebuilds appear to be missing from Portage. 
 * Mysql 4.1 ebuild[21] 
List Package Files
How do you list all files installed by a particular ebuild? Distributions 
based on the rpm package manager offer the functionality to query any 
package for its contents, so how does one find the same information in 
 * List Files in Packages (rpm -ql feature?)[22] 
Gentoo (x86|ppc|arm)-uClibc experimental stages
Ned Ludd[23] has released some uClibc stages which are especially suited 
for embedded systems.
 23. solar@g.o
 * Gentoo (x86|ppc|arm)-uClibc experimental stages[24] 
GLEP 28 to remove inactive GLEPs
To get more speed into the GLEP process, GLEPs that have been inactive for 
more than 60 days will be removed from 1 November 2004.
 * GLEPs soon to expire[25] 
"Broken-up" KDE ebuilds
Dan Armak[26] has released individual KDE ebuilds that allow single KDE 
applications to be built without pulling in other, perhaps unneeded KDE 
applications. This is one of the most frequently requested functions and 
is now available at least experimentally. 
 26. danarmak@g.o
 * broken up KDE ebuilds[27] 
Open-source and Business
Cory Visi[28] asks Gentoo users to give examples of a) IT consulting firms 
in the North Eastern US that support and implement open-source/Linux 
solutions, and b) Fortune 100 or 500 companies in the financial services 
industry that use open-source/Linux solutions successfully. 
 28. merlin@g.o
 * OpenSource and Business[29] 
4. Gentoo International
Germany: Linux World Expo opening next Tuesday
Held in Frankfurt/Main from 26 to 28 October 2004, the German issue of the 
Linux World Expo[30] series of exhibitions and conferences is opening with 
a Gentoo stand in the open-source projects section. Similar to the 
Linuxtag in Karlsruhe earlier this year, the focus of the Gentoo presence 
is going to be a display of the variety of architectures supported by Gentoo 
Linux. Apart from an SGI O2 and several x86 and PPC notebooks already 
running Gentoo Linux, the hardware lineup includes three Sun UltraSparc 
workstations (U1 140MHz 448MB RAM 2GB HDD, U2 160MHz 1GB RAM 18GB disk, 
U10 440MHz 256MB of RAM 60GB disk), and a Siemens Primergy 670-40 
quad-server (4x400MHz Pentium III, 1GB RAM, two RAID controllers with 32MB 
Adaptec failover cache and lots of hard disks). The latter, a 60kg monster, 
and the Sparc workstations will undergo live Gentoo installations at the 
LWE, while other highlights at the booth (manned by Christian Hartmann, 
Michael Imhof, Wernfried Haas, Sven Wegener and Markus Nigbur) will 
include brand-new LiveCDs in a special LWE edition, T-shirts, the famous 
Foser stickers and other goodies. The LiveCD has German localization 
across the board, includes KDE and documentation in German, and is based 
on a 2.6 kernel. If you can't make it to the Expo, the ISO is available 
via Gentoo's bittorrent[31].
Figure 4.1: Gentoo hardware lineup at the Linux World Expo in Frankfurt, 
26-28 October 2004
UK: Gentoo User Meeting in Cambridge
One February morning in 1953, two researchers from a university 
laboratory, Francis Crick and James Watson, walked into their favourite 
Cambridge pub, the Eagle on Bene't Street, and declared that they had 
found the secret of life - or more precisely, the double helix structure 
of DNA. Since then, regulars at the Eagle have started concentrating on 
their beers again, but now Stephen Bennett, Gentoo (and BSD) developer 
based in Cambridge, and a few fellow Gentooists are proposing a Gentoo 
meeting for users and developers at the famous pub, on Thursday 4 November 
2004 from around 19:30. The idea for this initial gathering is to meet up, 
see who's around and whether it's worth arranging something more 
serious, so if you'd be interested, then come along and register your 
support. Check this Forum thread[32] for details.
5. Gentoo in the press
DigiTimes (14 October 2004)
In an article about Abit dual AMD 64-bit Opteron SU-2S showing prowess as 
UT2K4 game server[33], James McClure writes about the Taiwanese 
motherboard manufacturer[34]: "Abit believes that thoroughly testing its 
motherboards under Linux puts the boards through the most rigorous testing 
procedures available." Consequently, Gentoo Linux is mentioned in the 
article as one of the distributions being tested on Abit's hardware. Abit 
even maintained a Linux distribution of their own until a few years ago - 
called "Gentus," interestingly enough.
6. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla ([35]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 17 October 2004 and 23 October 2004, activity on 
the site has resulted in: 
 * 764 new bugs during this period 
 * 569 bugs closed or resolved during this period 
 * 26 previously closed bugs were reopened this period 
Of the 7185 currently open bugs: 115 are labeled 'blocker', 235 are 
labeled 'critical', and 522 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
 * Portage team[36], with 143 closed bugs[37]  
 * AMD64 Porting Team[38], with 29 closed bugs[39]  
 * Gentoo Linux Gnome Desktop Team[40], with 25 closed bugs[41]  
 * Gentoo's Team for Core System packages[42], with 21 closed bugs[43]  
 * Dylan Carlson[44], with 19 closed bugs[45]  
 * Gentoo KDE team[46], with 14 closed bugs[47]  
 * Pieter Van den Abeele[48], with 12 closed bugs[49]  
 * Gentoo Games[50], with 11 closed bugs[51]  
 36. dev-portage@g.o
 38. amd64@g.o
 40. gnome@g.o
 42. base-system@g.o
 44. absinthe@g.o
 46. kde@g.o
 48. pvdabeel@g.o
 50. games@g.o
New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Gentoo Linux Gnome Desktop Team[52], with 23 new bugs[53]  
 * Gentoo X-windows packagers[54], with 12 new bugs[55]  
 * media-video herd[56], with 12 new bugs[57]  
 * Gentoo KDE team[58], with 11 new bugs[59]  
 * AMD64 Porting Team[60], with 11 new bugs[61]  
 * Gentoo Toolchain Maintainers[62], with 10 new bugs[63]  
 * osx porters[64], with 10 new bugs[65]  
 * Karl Trygve Kalleberg[66], with 10 new bugs[67]  
 52. gnome@g.o
 54. x11@g.o
 56. media-video@g.o
 58. kde@g.o
 60. amd64@g.o
 62. toolchain@g.o
 64. osx@g.o
 66. karltk@g.o
7. Tips and Tricks
Portage's new '--newuse' option
This week we want to explain a new Portage option which allows you to 
track changes to USE flag settings you may have altered after installing 
an application. We're talking about --newuse, one of a number of very 
useful new features in Portage 2.0.51. Before we start, make sure that 
you've installed the latest Portage revision on your box. 
Imagine that up until today, you never had a printer. Now you bought one, 
and of course you want to use your Gentoo system to test your new 
printer. First of all, you'd want printing support for some of the 
applications you've installed. In order to get that you would alter your 
USE flags and add cups and maybe some more flags to your USE variable in 
So what's next, then? You'll need to find an easy way to create a listing 
with all packages affected by this USE flag change: 
Type emerge --newuse to list all packages affected by a USE flag change: 
Code Listing 7.1: List all packages affected by a USE flag

    # emerge --newuse world -Dpv

    These are the packages that I would merge, in order:

    Calculating world dependencies ...done!
    [ebuild  N    ] net-print/cups-1.1.21-r2  -debug +pam -samba -slp +ssl 8,348 kB
    [ebuild   R   ] gnome-base/nautilus-2.8.0  +cups* -debug -flac -gstreamer -mad +oggvorbis 5,637 kB

No surprise that the CUPS package itself wants to get installed now, but 
you will also notice the appended asterisk to the +cups USE flag on the 
Nautilus package: This simply points out that the USE flag has changed, 
and you can now merge CUPS and all the packages which could benefit from 
an active cups USE flag. Don't forget to configure your new printer. 
8. Moves, adds, and changes
The following developers recently left the Gentoo team:
 * None this week 
The following developers recently joined the Gentoo Linux team:
 * Joseph Jezak (josejx) - Gentoo/PPC, Gentoo/OSX 
 * Preston Cody (codeman) - Gentoo Installer 
 * Stephen Bennett (spb) - Gentoo/BSD, bugfixes  
The following developers recently changed roles within the Gentoo Linux 
 * None this week 
9. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 
 68. gwn-feedback@g.o
10. GWN feedback
Please send us your feedback[69] and help make the GWN better.
 69. gwn-feedback@g.o
11. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under.
12. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[70] 
 * Dutch[71] 
 * English[72] 
 * German[73] 
 * French[74] 
 * Japanese[75] 
 * Italian[76] 
 * Polish[77] 
 * Portuguese (Brazil)[78] 
 * Portuguese (Portugal)[79] 
 * Russian[80] 
 * Spanish[81] 
 * Turkish[82] 
Ulrich Plate <plate@g.o> - Editor
Brian Downey <bdowney@×××××××××××.net> - Author
Patrick Lauer <patrick@g.o> - Author
Tobias Scherbaum <dertobi123@g.o> - Author
Emmet Wagle <ewagle@×××××.com> - Author