Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@l.g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 9 January 2006
Date: Mon, 09 Jan 2006 00:24:15
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 9 January 2006.
1. Gentoo news
FOSDEM coming up: Europe's main Gentoo event
Thirty developers have already confirmed their attendance at next month's 
FOSDEM[1], Europe's largest open-source conference and the most important 
event in the European Gentoo calendar, to be held in Brussels. Last year 
saw the first "dev room" reservation for Gentoo, an entire day and lecture 
hall completely devoted to Gentoo use and development, with an embedded 
Gentoo developers-only meeting that initiated the metastructure changes 
implemented over the last year. FOSDEM 2006 again opens on the last 
weekend of February, Saturday 25 and Sunday 26, with the Gentoo dev room 
on the second day and a preliminary schedule already in place. If you plan 
on attending FOSDEM and need help in finding accommodation in Brussels, 
please contact Patrick Lauer[2], who coordinates this year's Gentoo 
presence at FOSDEM - especially if you want to fill one of the last 
remaining time slots and grace the dev room with a Gentoo presentation! 
 2. patrick@g.o
Lithuanian translators needed
A small team around Ernestas Liubarskij[3] has recently started 
translating the Gentoo documentation into the Lithuanian language (ISO 
code: lt). They need many more contributors to help with this effort, so 
if you can read English, write Lithuanian, and would like to join the 
team, please contact Ernestas directly. 
 3. e.liubarskij@×××××.com
2. Developer of the week
"I'm an open-source guy with an open mind" -- Andrea Barisani
Figure 2.1: Andrea Barisani a.k.a. lcars
Andrea Barisani[4] hails from the beautiful Italian city of Trieste. While 
still trying to finish his degree in physics, he also runs a company - 
InversePath[5] - together with fellow Gentoo developer Rob Holland[6]. 
 4. lcars@g.o
 6. tigger@g.o
During his first year at the university, Andrea discovered his interest in 
system administration and security. At the university, he deployed one of 
the earliest documented production Gentoo servers. From bug reports and 
patches he became more and more involved with Gentoo. The Gentoo 
environment still exists at the University, along with and, both managed by Andrea. Other 
Gentoo duties include the LDAP setup, general infrastructure work, 
managing the mailing lists and being the security liaison for the 
Infrastructure project. Upstream mlmmj (the mailing-list software) benefits 
from many patches Andrea created while adapting and bugfixing the package 
to make it work for Gentoo. Additionally many LDAP-related packages, 
sendmail, ftester (firewall testing tool) and tenshi (log analyzer) are 
among the packages he maintains. 
Andrea has deployed Gentoo on a wide range of systems whenever appropriate 
-- firewalls, clusters, generic servers... Amazingly the "KDE or GNOME?" 
question draws a blank from him -- Andrea is a text-mode addict, powered 
by ssh, screen, mutt, vim and subversion. Only in rare cases does X even 
get started, and then only for Firefox or OpenOffice. He manages 50 
workstations and six servers at the university, among other things, which 
more than compensates for the comparatively modest machine park of only a 
few generic x86 computers he keeps at home. 
Andrea is not strictly bound to Linux, as he says, "the world is big and 
we have good software for many different things" -- while Linux usually 
has the most features it often lacks the consistency of the BSD projects, 
so he uses whatever works best. "You can see the benefits of a more 
controlled bazaar in BSD, and you can see the benefits of a huge bazaar in 
GNU|Whatever/Linux distros," he states. 
Some people may remember the "rsync compromise" some time ago when an 
exploit in the rsync code was abused to take over servers -- Andrea was 
one of the first to fully diagnose the exploit. This exploit also showed 
the power of open-source development -- within 36 hours the bugs were 
fixed and a new rsync release was out. An interview about that incident 
can be found in the Harvard Business Review[7]; a short biography of Andrea 
and more personal info are available at the InversePath website[8] and the 
speakers pages[9] of last year's PacSec conference in Yokohama that Andrea 
3. Heard in the community
Textrels in packages policy
Mark Loeser[10] started a nice technical discussion about textrels. 
Portage does warn about textrels as they can lead to performance and 
security problems - a comprehensive explanation on the how and why of that 
can be found in this thread. 
 10. halcy0n@g.o
 * Textrels in packages policy [11] 
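To show what the Portage warning is reacting to, here is an added Python example (not code from Portage, pax-utils or the thread) that walks an ELF image's PT_DYNAMIC segment and reports whether it carries the DT_TEXTREL tag or the DF_TEXTREL bit in DT_FLAGS, which is what marks a binary as needing writable text pages at load time. The build_sample_elf64 helper and the three sample images are constructed here purely for illustration and are not loadable binaries.

```python
import struct

PT_DYNAMIC = 2                               # program header type
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30    # dynamic section tags
DF_TEXTREL = 0x4                             # bit in DT_FLAGS value

def has_textrel(elf: bytes) -> bool:
    """True if the dynamic section carries DT_TEXTREL or DF_TEXTREL."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", elf, 0)
        phdr_fmt, dyn_fmt, off_ix, sz_ix = end + "IIQQQQQQ", end + "qQ", 2, 5
    else:
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", elf, 0)
        phdr_fmt, dyn_fmt, off_ix, sz_ix = end + "IIIIIIII", end + "iI", 1, 4
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, elf, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        start, size = ph[off_ix], ph[sz_ix]  # p_offset, p_filesz
        for off in range(start, start + size, struct.calcsize(dyn_fmt)):
            d_tag, d_val = struct.unpack_from(dyn_fmt, elf, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False

def build_sample_elf64(dynamic_entries):
    """Construct a minimal, non-loadable LE ELF64 image with one PT_DYNAMIC header."""
    dyn = b"".join(struct.pack("<qQ", t, v)
                   for t, v in dynamic_entries + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # class 64, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0,
                       64, 56, 1, 0, 0, 0)             # ET_DYN, x86-64, 1 phdr
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

# Constructed samples: a clean object and two that mark text relocations.
CLEAN = build_sample_elf64([(1, 0)])                      # DT_NEEDED only
TEXTREL_TAG = build_sample_elf64([(1, 0), (DT_TEXTREL, 0)])
TEXTREL_FLAG = build_sample_elf64([(DT_FLAGS, DF_TEXTREL)])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tag", TEXTREL_TAG), ("flag", TEXTREL_FLAG)):
        print(name, "TEXTREL present" if has_textrel(blob) else "no textrel")
```

Pointing has_textrel at the bytes of a real shared object gives the same answer `scanelf -qT` or `readelf -d` would; a positive result means the object is relocated in code pages, which defeats sharing and any W^X policy on the text segment.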
GLEP 42 (news) round six
The discussion about portage news reporting which has been going on for a 
few weeks now gets iterated once more in the hope of reaching a workable 
 * GLEP 42 (news) round six [12] 
Viability of other SCM/version control systems for big repo's
While CVS is mature and quite stable it doesn't offer all the features of 
newer version control systems. Some people have experimented with 
migrating the gentoo-x86 repository (which won't happen in the near future 
due to logistical and administrative issues). Donnie Berkholz[13] asks for 
experiences with alternatives, especially with performance and scalability 
in mind. 
 13. spyderous@g.o
 * Viability of other SCM/version control systems for big repo's [14] 
Roadrunner's server project update
Ricardo Loureiro wrote a follow-up to his initial PDF document mentioned 
in the 12 December 2005 edition of the GWN[15]. This new document talks 
about the initial design layout of the MySQL database required to store 
package information. It goes into great detail as to data types, and 
displays more progress towards the project goals. 
 * Gentoo-server, take 2[16] 
4. Gentoo international
Italy: Yet another Gentoo derivative
Proclaiming to allow you to install Gentoo Linux on your computer in a 
matter of minutes, the RR4 and RR64 Linux DVDs you can get from Fabio 
Erculiani[17] differ from Gentoo in a few ways, most importantly a default 
kernel with Reiser4 enabled that is certain to send shivers down the 
spines of many Gentoo developers who certainly wouldn't want to see your 
bug reports about this anywhere near the official Gentoo bugzilla. The 
RR4/64 project is still a remarkable effort, since it's a live system 
complete with both KDE and Gnome that boots directly from the DVD. The 
third beta 64-bit version of RR just came out on 26 December, sort of a 
late Christmas present from Fabio to his fellow Italians, with 
international users equally invited to give it a spin. 
5. Gentoo in the press
Asteria (December 2005)
Jon Hood, a developer working for Asteria Solutions Group, Inc.[18] takes 
the current beta version of the Gentoo Installer[19] for a test drive 
around the block, and appears quite satisfied[20] with the result. He calls 
it a "wonderful step in the right direction for the Gentoo distribution," 
and is particularly delighted because "people aren't supposed to actually 
USE testing software and have it WORK, but that's exactly what happened." 
His review includes a pretty little slideshow[21] documenting every step 
of the installation process when done via the GUI installer, very 
interesting for everybody who's never seen it at work. 
6. Gentoo developer moves
The following developers recently left the Gentoo project: 
 * None this week 
The following developers recently joined the Gentoo project: 
 * Peter Volkov (pva) - netmon 
 * Gunnar Wrobel (wrobel) - web apps 
The following developers recently changed roles within the Gentoo project:
 * Sven Vermeulen (swift) - resigned as Gentoo Documentation Project (GDP) 
 * Xavier Neys (neysx) - took over the GDP lead role from swift 
7. Gentoo Security
CenterICQ: Multiple vulnerabilities
CenterICQ is vulnerable to a Denial of Service issue, and also potentially 
to the execution of arbitrary code through an included vulnerable ktools 
For more information, please see the GLSA Announcement[22] 
Mantis: Multiple vulnerabilities
Mantis is affected by multiple vulnerabilities ranging from file upload 
and SQL injection to cross-site scripting and HTTP response splitting. 
For more information, please see the GLSA Announcement[23] 
Dropbear: Privilege escalation
A buffer overflow in Dropbear could allow authenticated users to execute 
arbitrary code as the root user. 
For more information, please see the GLSA Announcement[24] 
NBD Tools: Buffer overflow in NBD server
The NBD server is vulnerable to a buffer overflow that may result in the 
execution of arbitrary code. 
For more information, please see the GLSA Announcement[25] 
rssh: Privilege escalation
Local users could gain root privileges by chrooting into arbitrary 
For more information, please see the GLSA Announcement[26] 
OpenMotif, AMD64 x86 emulation X libraries: Buffer overflows in libUil 
Two buffer overflows have been discovered in libUil, part of the OpenMotif 
toolkit, that can potentially lead to the execution of arbitrary code. 
For more information, please see the GLSA Announcement[27] 
scponly: Multiple privilege escalation issues
Local users can exploit an scponly flaw to gain root privileges, and 
scponly restricted users can use another vulnerability to evade shell 
For more information, please see the GLSA Announcement[28] 
XnView: Privilege escalation
XnView may search for shared libraries in an untrusted location, 
potentially allowing local users to execute arbitrary code with the 
privileges of another user. 
For more information, please see the GLSA Announcement[29] 
pinentry: Local privilege escalation
pinentry is vulnerable to privilege escalation. 
For more information, please see the GLSA Announcement[30] 
KPdf, KWord: Multiple overflows in included Xpdf code
KPdf and KWord both include vulnerable Xpdf code to handle PDF files, 
making them vulnerable to the execution of arbitrary code. 
For more information, please see the GLSA Announcement[31] 
HylaFAX: Multiple vulnerabilities
HylaFAX is vulnerable to arbitrary code execution and unauthorized access 
For more information, please see the GLSA Announcement[32] 
VMware Workstation: Vulnerability in NAT networking
VMware guest operating systems can execute arbitrary code with elevated 
privileges on the host operating system through a flaw in NAT networking. 
For more information, please see the GLSA Announcement[33] 
8. Bugzilla
The Gentoo community uses Bugzilla ([34]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 18 December 2005 and 08 January 2006, activity 
on the site has resulted in: 
 * 2338 new bugs during this period 
 * 1184 bugs closed or resolved during this period 
 * 84 previously closed bugs were reopened this period 
Of the 9097 currently open bugs: 78 are labeled 'blocker', 173 are labeled 
'critical', and 498 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
are: 
 * Gentoo Games[35], with 37 closed bugs[36]  
 * Java team[37], with 36 closed bugs[38]  
 * Gentoo Linux Gnome Desktop Team[39], with 33 closed bugs[40]  
 * Gentoo Security[41], with 32 closed bugs[42]  
 * AMD64 Porting Team[43], with 32 closed bugs[44]  
 * Portage team[45], with 31 closed bugs[46]  
 * Gentoo's Team for Core System packages[47], with 31 closed bugs[48]  
 * Docs Team[49], with 28 closed bugs[50]  
 35. games@g.o
 37. java@g.o
 39. gnome@g.o
 41. security@g.o
 43. amd64@g.o
 45. dev-portage@g.o
 47. base-system@g.o
 49. docs-team@g.o
New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Default Assignee for New Packages[51], with 102 new bugs[52]  
 * AMD64 Porting Team[53], with 73 new bugs[54]  
 * Default Assignee for Orphaned Packages[55], with 35 new bugs[56]  
 * Gentoo Sound Team[57], with 33 new bugs[58]  
 * media-video herd[59], with 29 new bugs[60]  
 * Gentoo Games[61], with 20 new bugs[62]  
 * Gentoo Kernel Bug Wranglers and Kernel Maintainers[63], with 17 new 
 * Gentoo net-im Herd[65], with 16 new bugs[66]  
 51. maintainer-wanted@g.o
 53. amd64@g.o
 55. maintainer-needed@g.o
 57. sound@g.o
 59. media-video@g.o
 61. games@g.o
 63. kernel@g.o
 65. net-im@g.o
9. GWN feedback
Please send us your feedback[67] and help make the GWN better. 
 67. gwn-feedback@g.o
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn+unsubscribe@g.o from the email address you are 
subscribed under.
11. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[68]  
 * Dutch[69]  
 * English[70]  
 * German[71]  
 * French[72]  
 * Korean[73]  
 * Japanese[74]  
 * Italian[75]  
 * Polish[76]  
 * Portuguese (Brazil)[77]  
 * Portuguese (Portugal)[78]  
 * Russian[79]  
 * Spanish[80]  
 * Turkish[81]  
Ulrich Plate <plate@g.o> - Editor
Patrick Lauer <patrick@g.o> - Author
Chris White <chriswhite@g.o> - Author

gentoo-gwn@g.o mailing list