Gentoo Archives: gentoo-gwn

From: Kurt Lieber <klieber@g.o>
To: gentoo-gwn@g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter -- Volume 2, Issue 8
Date: Mon, 24 Feb 2003 14:57:01
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of February 24th, 2003.
1. Gentoo News

 * Gentoo Linux partners with NeTraverse 
 * Gentoo Linux 1.4 update 
 * Pictures of FOSDEM 
Gentoo Linux partners with NeTraverse
The Gentoo Linux project recently reached an agreement with NeTraverse[1] 
to bring Win4Lin to Gentoo users at a reduced price. Win4Lin lets you run 
Windows applications under Gentoo Linux at native speeds and can help 
bridge the gap between the stability of Linux and the vast number of 
Windows applications.

Gentoo users who purchase the Gentoo Edition[2] of Win4Lin enjoy a $10 
discount off the regular $89.99 price. Additionally, each purchase helps 
support further development of Gentoo Linux. There is also a 30-day trial 
version of Win4Lin available in the Portage tree. 

Gentoo Linux 1.4 Update
We reported[3] back in January that Gentoo Linux 1.4_rc3 was due to be 
released on January 14th, based on the timeline laid out by the 
newly-adopted Formal Release Process[4]. Obviously, this release has yet 
to make it out the door and users and developers alike have increasingly 
complained about the recurring delays, stale Portage tree and general 
confusion that seems to surround the release process. Fortunately, with 
the recent appointment[5] of Brad Cowen as the Gentoo Release Coordinator, 
the 1.4 release process seems to have regained some of its lost momentum. 
Brad recently updated the Gentoo developer team regarding the status of 
the next release candidate, 1.4_rc3: 

I just wanted to take a moment and let everyone know where we stand as far 
as a release goes. Plans are to release an official RC3 on Thursday the 
27th. This rc will include stages from the sparc, x86, and ppc teams. The 
x86 port will be a limited release meaning a single "one size fits all" 
compiled set of stages and no GRP will be packaged. 
Brad went on to say that, after the rc3 release, he plans to adhere 
closely to the formal release process. This also means that, post rc3, the 
Portage tree will be unfrozen for a period of 2 weeks or so where 
developers will be able to migrate masked packages over to an unmasked 
Pictures of FOSDEM
As reported earlier[6], Gentoo Linux was at FOSDEM and, by all accounts, 
the event was a success. As with LinuxWorld in New York, many of the 
attendees were previously unfamiliar with Gentoo Linux, so this was a 
great opportunity to help spread the word about Gentoo Linux in Europe and 
also meet lots of other free software developers. Daniel Robbins also had 
the opportunity to speak with Richard Stallman at length, where they software, of course :). Here are some photos of the event 
for those who were unable to attend in person. 


Figure 1.1: Jack Morgan, Verwilst and Popsickle at Fosdem -- or is this a 
Coke commercial? 
Figure 1.2: Wout Mertens and Daniel Robbins discover a quantum singularity 
2. Gentoo Security

 * GLSA: webmin 
 * GLSA: openssl 
 * GLSA: bitchx 
 * GLSA: mod_php 
 * GLSA: nethack 
 * GLSA: w3m 
 * GLSA: syslinux 
 * GLSA: mailman 
 * New Security Bug Reports 
GLSA: webmin
Webmin contain a vulnerability which could permit unauthenticated access. 
No exploits in the wild have been reported. 
 * Severity: Critical - Remote Access with Administrative Privileges 
 * Packages Affected: app-admin/webmin versions prior to webmin-1.070 
 * Rectification: Synchronize and emerge -u webmin, emerge clean. 
 * Advisory[7] 
GLSA: openssl
OpenSSL may permit an attacker, by performing a man-in-the-middle attack 
and measuring the relative times for rejection of modified cipher texts, 
to determine which error condition (padding or verification) caused the 
modified texts to be rejected. This information is adequate to initiate an 
adaptive attack which may result in exposure of the plaintext. The attack 
has been demonstrated in principle. 
 * Severity: Critical - Remote Encryption Compromise 
 * Packages Affected: dev-libs/openssl versions prior to openssl-0.96i or 
 * Rectification: Synchronize and emerge -u openssl, emerge clean. 
 * GLSA Announcement[8] 
 * Advisory[9] 

GLSA: bitchx
Bitchx may be caused to segfault with a malformed packet, exposing a 
denial-of-service vulnerability. 
 * Severity: Moderate - Remote DOS for non-critical service.  
 * Packages Affected: net-irc/bitchx versions prior to bitchx-1.0.19-r4 
 * Rectification: Synchronize and emerge -u bitchx, emerge clean. 
 * GLSA Announcement[10] 
 * Advisory[11] 
GLSA: mod_php
PHP 4.3.0 introduced a bug which prevents the cgi-security options 
'--enable-force-cgi-redirect' and 'cgi.force_redirect'. This could permit 
an attacker to gain access to the server file system using the web 
server's privileges on systems that use the PHP CGI module. 
 * Severity: High - Remote Exposure of Filesystem 
 * Packages Affected: dev-php/mod_php-4.3.0 
 * Rectification: Synchronize and emerge -u mod_php, emerge clean. 
 * GLSA Announcement[12] 
 * Advisory[13] 

GLSA: nethack
Nethack contains a buffer overflow vulnerability that may permit elevation 
of the player's privileges to that of the game's uid. An exploit has been 
published. The primary use of this exploit would be to modify the high 
score and character files. However, any privilege elevation is a security 
fault, and could be dangerous if nethack's uid has additional permissions. 
 * Severity: Low - Privilege Elevation to A Game 
 * Packages Affected: app-games/nethack versions prior to nethack-3.4.0-r6 
 * Rectification: Synchronize and emerge -u nethack, emerge clean. 
 * GLSA Announcement[14] 
 * Advisory[15] 

GLSA: w3m
The w3m browser (a text-based browser sometimes used within emacs) fails 
to properly escape img tags in html. This vulnerability could be exploited 
by a carefully crafted web page to access files on the local machine. 
 * Severity: High - Remote Exposure of Filesystem 
 * Packages Affected: net-www/w3m versions prior to w3m- 
 * Rectification: Synchronize and emerge -u w3m, emerge clean. 
 * GLSA Announcement[16] 

GLSA: syslinux
The syslinux bootloader exposes several security flaws when run with root 
privileges. The code has been modified to use the mtools package for 
accessing the disk. Syslinux should not be run with setuid. 
 * Severity: High - Root Privilege Exposure. 
 * Packages Affected: sys-apps/syslinux versions prior to syslinux-2.02 
 * Rectification: Synchronize and emerge -u syslinux, emerge clean. 
 * GLSA Announcement[17] 
GLSA: mailman
The default error page in the mailman list server web interface exposes a 
cross-site scripting vulnerability that could permit remote execution of 
code using the server's privilege level. 
 * Severity: High - Remote Execution of Code. 
 * Packages Affected: net-mail/mailman versions prior to mailman-2.1.1 
 * Rectification: Synchronize and emerge -u mailman, emerge clean. 
 * GLSA Announcement[18] 
 * Advisory[19] 
New Security Bug Reports
The following new security bugs were posted this week: 
 * sys-apps/acupsd[20] 
 * app-admin/webmin[21] 
 * net-misc/vnc[22] 

3. Featured Developer of the Week
John P. Davis
John P. Davis[23], this week's featured developer, is Senior 
Developer/Coordinator for the Gentoo Linux Documentation team and the 
administrator of Gentoo's Bugzilla[24] system. John, who started off by 
writing the Gentoo Linux Printing HOWTO[25], coordinates developers and 
translators on documentation and hacks on the Bugzilla source to make it 
as functional as possible. He takes pride in making the Bugzilla system as 
useful as possible to users and devs, and is amazed at how the 
documentation team is shaping up. For now Gentoo is the only OSS project 
John has worked on, but he hopes to change that in the future. 

 23. zhen@g.o
John has an Athlon XP workstation running RAID0 and an Athlon server which 
hosts[26], his playpen. (currently undergoing renovations) 
He uses Enlightenment with an Aqua theme, Sylheed for mail, and likes 
iconv, iptables, grep, sed, the GIMP, and nmap. During the day John 
studies computer science at Mount Union College in Alliance, OH, as well 
as working at his college's help desk. He enjoys spending time with his 
girlfriend Mary, drinking Bawls, mountain biking, skiing, scuba diving, as 
well as college life in general. 

4. Heard In The Community
Web Forums
Mother Tongue Campaigning
The message is simple: First you need to achieve critical mass by posting 
into a thread that registers how many people would be interested in a 
separate forum conducted in their own language, then the FAQ and a few 
other documents need translation, a moderator or two needs to volunteer, 
and if sufficiently convincing evidence for a lively community has built 
up, just watch that admin machine go. The Italians were off to a quick 
start last week and are gaining momentum, but the Japanese community isn't 
anywhere near critical mass and needs some serious campaigning before a 
Japanese language forum can be set up. Lack of interest is unlikely, but a 
lot of the guys on the #gentoo-jp IRC channel don't seem to have a forum 
ID yet... 
 * Japanese Gentoo user[27] 
 * italian forum[28] 

Emulating the Unspeakable
The gamers were the first class of users to discuss which emulator or 
virtual machine wins the Windows look-a-like contest, but running 
commercial Windows applications in Linux has become a widespread pattern 
since the more serious desktop publishing crowd has made inroads into Open 
Source operating systems, while requiring the use of professional software 
from vendors who so far have bluntly refused to code for Linux. It's not 
as if there was a lack of choice in terms of tools to do so, between Wine 
and Plex86 or Bochs (fresh version 2.0.2 released just a week ago) on the 
free-of-charge side of things, and the more powerful commercial 
equivalents Crossover, WineX, Win4Lin and VMware on their flipside, the 
only remaining problem is to pick one. Flame wars of the past used erupt 
over whether one should do that or not, but for some time the debate has 
been centered on a more pragmatic question: how to do it most efficiently. 
The forums reflect all this and more, including Netraverse, the company 
behind Win4Lin, stepping forward with a special Gentooified build at a 
significant markdown... 
 * WIN4LIN[29] 
 * Codeweaver's Crossover Plugin and Gentoo[30] 
 * running photoshop[31] 
 * MS Office 2000, wine and Gentoo[32] 

Yet Another Architecture: Gentoo on MIPS
Last week the usually rather calm Alternate Architectures forum saw an 
influx of people who reported about Gentoo Linux on SGI Indy and Indigo2. 
About two months into the latest initiative to port Gentoo to MIPS 
machines, successful installations so far include R4400 and R5000 driven 
models. If you own an Elan or Extreme or maybe an O2 and wonder what else 
than Irix you can run on it, join the Indy posse on their new IRC channel, 
#gentoo-mips on, and in one or both of these threads (top 
for evangelism, bottom for caveats): 
 * #gentoo-mips[33] 
 * mips gentoo[34] 


Hardware Issues
Combining components from leaking capaciters to hot CPUs often makes it 
hard to diagnose hardware problems. Sipping coffee, closing your eyes and 
seeing the faulty component is a great method, although it may not work 
for non Jedi Masters. Bruno Lustosa has been suffering from suspicious 
failed compiles in a number of threads[35]. Is it the bios? Memory? CPU? 
Evil Kernel? After many supportive suggestions, Bruno appears on the verge 
of victory. Ernie Shroder, in particular, reminded[36] us of a great 
article[37] by the man himself, Dr. Daniel Robbins. The article makes a 
worth-while read as Robbins takes us through the ins and outs of 
diagnosing CPU and RAM problems on a linux system. 

Upon asking about kivo, of all things, the tool epm was brought up[38]. 
EPM is available as an ebuild (sys-apps/epm) with the description: rpm 
workalike for Gentoo Linux. This is meant to provide for easier 
transistion from a Red Hat system, allowing Red Hatters to feel at home by 
typing 'epm -qf `which kivio'. 

More RedHatism
An extremely grueling discussion took place involving the Gentoo init 
system. Remarkably, the details of Gentoo's system versus other SysV 
implementations hardly surfaced. What was at stake was Phil Barnet's 
apparent demand[39] for "abstraction" scripts, in particular the 'service' 
script, available in other distributions. The counter point expressed 
typical Gentoo mannerism, offered in one of Andrew Dacey's many 
rebuttals[40], "The whole point of Gentoo is to be configurable, almost 
nothing is forced onto the user. With this in mind, no abstraction layer 
from another OS or distro should be included by default, no matter how 
common that OS or distro is". Suggestions for ebuilds were offerend as the 
debate waged on. 

5. Gentoo International
Regional Gentoo User Meetings in Europe
The Viennese Gentooists have agreed on a date and a venue: Tuesday, 4 
March 2003, 19:00 onwards at the  Siebensternbrau[41], Siebensterngasse 
19 in 1070 Wien. If you're free and in the area that day and would like to 
join them, announce your intentions with a reply to this thread in the 
forums[42] for a headcount. Meanwhile, users from Northern Germany are 
looking into opportunities for a meeting this week in or around Hamburg, 
but the details didn't make it in time for this newsletter. They, too, 
have a thread in the forums[43] to coordinate the exact date and venue. 

Svenska Gentoo IRC Hemsida[44] is the shiny new address for the Swedish Gentoo 
web presence, so far "only" a web appendix to the notorious IRC channel. 
It includes the channel statistics, some user profiles of a few IRC 
regulars, and a pastebot for uploading a quick config file or error 
message from a borked ebuild, and generating a URL for it to be pasted 
into the #gentoo-se channel on

Italian Documentation Taskforce
While his compatriots are busy campaigning for an Italian forum, Marco 
Mascherpa has set up a mailing list for Italian translators to join in the 
effort of going through the entire pile of Gentoo documentation and 
creating new or embellishing existing Italian versions. If your Italian is 
up to the task and you would like to help, send an email to Marco[45] 

 45. m.mascherpa@g.o
6. Portage Watch
The following stable packages were added to portage this week
Because of the pending release of 1.4_final, the Portage tree is currently 
frozen. As such, no new stable packages were introduced to Portage this 
Updates to notable packages

 * sys-apps/portage - portage-2.0.47-r2.ebuild;  
 * gnome-base/gnome - gnome-2.2-r2.ebuild;  
 * sys-kernel/* - aa-sources-2.4.21_pre4-r3.ebuild; 
   development-sources-2.5.61-r1.ebuild; development-sources-2.5.61.ebuild; 
   development-sources-2.5.62.ebuild; gs-sources-2.4.21_pre4.ebuild; 
   hppa-sources-2.4.20_p27.ebuild; lolo-sources-; 
 * dev-db/mysql - mysql-4.0.10.ebuild;  
 * dev-php/php - php-4.3.1.ebuild;  
 * sys-devel/perl - perl-5.6.1-r11.ebuild;  
7. Bugzilla
 * Statistics 
 * Closed Bug Ranking 
 * New Bug Rankings 
The Gentoo community uses Bugzilla ([46]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. In the last 7 days, activity on the site has resulted 
 * 294 new bugs this week 
 * 336 bugs closed or resolved this week 
 * 8 previously closed bugs were reopened this week. 
 * 1796 total bugs currently marked 'new' 
 * 558 total bugs curently assigned to developers 

There are currently 2411 bugs open in bugzilla. Of these: 46 are labelled 
'blocker', 82 are labelled 'critical', and 171 are labelled 'major'. 

Closed Bug Rankings
The developers and teams who have closed the most bugs this week are: 
 * Nicholas Jones[47], with 29 closed bugs[48] 
 * Martin Schlemmer[49], with 18 closed bugs[50] 
 * The Gnome Team[51], with 17 closed bugs[52] 
 * Nick Hadaway[53], with 13 closed bugs[54] 
 47. carpaski@g.o
 49. azarah@g.o
 51. gnome@g.o
 53. raker@g.o
New Bug Rankings
The developers and teams who have been assigned the most new bugs this 
week are: 
 * Nick Hadaway[55], with 20 new bugs[56] 
 * The Gnome Team[57], with 18 new bugs[58] 
 * Nicholas Jones[59], with 15 new bugs[60] 
 * Martin Schlemmer[61], with 14 new bugs[62] 
 * George Shapovalov[63], with 11 new bugs[64] 

 55. raker@g.o
 57. gnome@g.o
 59. carpaski@g.o
 61. azarah@g.o
 63. george@g.o
8. Tips and Tricks
Mirror, Mirror On The Wall
As Gentoo's userbase grows, a common complaint is the slowdown of its 
primary mirrors. Many people in the community have responded, adding more 
mirrors to help distribute the load. So where do you find these mirrors? 
One way is to look on the website at The other (easier) way is to 
use the handy mirrorselect tool. MirrorSelect is a simple ncurses 
interface that allows you to select which mirror(s) you want to use for 
your machine. 
MirrorSelect is available in Portage, so a simple emerge is all that's 
necessary to install it. 
| Code Listing 8.1:                                                       |
| Installing MirrorSelect                                                 |
|                                                                         |
|# emerge mirrorselect                                                    |
|                                                                         |
To use MirrorSelect, simply run mirrorselect at a terminal prompt and then 
select your preferred mirror(s). 
| Code Listing 8.1:                                                       |
| Using MirrorSelect                                                      |
|                                                                         |
|# mirrorselect                                                           |
|                                                                         |
Figure 8.1: Using MirrorSelect 
When you're done selecting mirrors, select OK, and your /etc/make.conf 
will be updated with your new mirrors. 
| Code Listing 8.1:                                                       |
|                                                                         |
|Selected:                       |
| |
|          Mirrors set successfully                                       |
|                                                                         |
9. Moves, Adds and Changes
The following developers recently left the Gentoo team: 
 * none this week 
The following developers recently joined the Gentoo team: 
 * Robert Coie (rac) -- perl, bughunting 
 * James Boddington (Aiken) -- Gentoo/SPARC, Gentoo/ARM 
 * Jon Ellis (jje) -- music stuffs 
 * Alastair Tse (liquidx) -- python, GNOME, Gentoo/ARM 
 * Ken Nowack (antifa) -- Gentoo Documentation 
The following developers recently changed roles within the Gentoo project. 
 * none this week 
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an 

 65. gwn-feedback@g.o
11. GWN Feedback
Please send us your feedback[66] and help make GWN better.

 66. gwn-feedback@g.o
12. Other Languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Dutch[66] 
 * English[66] 
 * German[66] 
 * French[66] 
 * Japanese[66] 
 * Italian[66] 
 * Portuguese (Brazil)[66] 
 * Portuguese (Portugal)[66] 
 * Spanish[66] 
Kurt Lieber <klieber@g.o> - Editor
AJ Armstrong <aja@×××××××××××××.com> - Contributor
Brice Burgess <nesta@×××××××.net> - Contributor
Yuji Carlos Kosugi <carlos@g.o> - Contributor
Rafael Cordones Marcos <rcm@×××××××.net> - Contributor
David Narayan <david@×××××××.net> - Contributor
Ulrich Plate <plate@g.o> - Contributor
Peter Sharp <mail@××××××××××××××.net> - Contributor
Mathy Vanvoorden <matje@×××××××.be> - Dutch Translation
Tom Van Laerhoven <tom.vanlaerhoven@××××××.be> - Dutch Translation
Roel Adriaans <roel@××××××××.cx> - Dutch Translation
Peter Dijkstra <phj.dijkstra@××××.nl> - Dutch Translation
Nicolas Ledez <nicolas.ledez@××××.fr> - French Translation
Guillaume Plessis <gui@×××××××××.com> - French Translation
Eric St-Georges <thevedge@××××××××.net> - French Translation
John Berry <anfini@××××.fr> - French Translation
Martin Prieto <riverdale@×××××××××.org> - French Translation
Michael Kohl <citizen428@g.o> - German Translation
Steffen Lassahn <madeagle@g.o> - German Translation
Matthias F. Brandstetter <haim@g.o> - German Translation
Thomas Raschbacher <lordvan@g.o> - German Translation
Marco Mascherpa <mush@××××××.net> - Italian Translation
Claudio Merloni <paper@×××××××.it> - Italian Translation
Daniel Ketel <kage-chan@g.o> - Japanese Translation
Yoshiaki Hagihara <hagi@×××.com> - Japanese Translation
Andy Hunne <andy@×××××××××.com> - Japanese Translation
Yuji Carlos Kosugi <carlos@g.o> - Japanese Translation
Yasunori Fukudome <yasunori@××××××××××××××××.uk> - Japanese Translation
Ventura Barbeiro <venturasbarbeiro@××××××.br> - Portuguese (Brazil) 
Bruno Ferreira <blueroom@××××××××××××.net> - Portuguese (Portugal) 
Gustavo Felisberto <gustavo@××××××××××.net> - Portuguese (Portugal) 
Ricardo Jorge Louro <rjlouro@×××××××.org> - Portuguese (Portugal) 
Lanark <lanark@××××××××××.ar> - Spanish Translation
Rafael Cordones Marcos <rcm@×××××××.net> - Spanish Translation
Julio Castillo <julio@×××××××××××××.com> - Spanish Translation
Sergio Gómez <s3r@××××××××××××.ar> - Spanish Translation
Pablo Pita Leira <pablo.leira@×××××××××.com> - Spanish Translation
Carlos Castillo <carlos@×××××××××××××.com> - Spanish Translation
Tirant <tirant@×××××.net> - Spanish Translation
Jaime Freire <jfreire@××.com> - Spanish Translation
Lucas Sallovitz <krusty_ar@×××××.com> - Spanish Translation