Gentoo Weekly Newsletter
---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 21 February 2005.
---------------------------------------------------------------------------

==============
1. Gentoo News
==============

Boston Linux World Expo: The Après-Show report
----------------------------------------------

The Linux World Conference and Exposition was held last week at the Hynes Convention Center in Boston, Massachusetts, USA. Gentoo Linux had a booth in the .org pavilion, nestled between the friendly folks from Fedora and that lovable lot from the Linux Terminal Server Project. On display was an array of systems demonstrating the wide range of architectures that Gentoo is available for. The main draw was clearly the diminutive Mac Mini with the big cinema screen, brought by Daniel Ostrow[1]. Also present were Daniel's Sparc Ultra 60, several x86 laptops, and an AMD64 and several embedded goodies brought by Mike Frysinger[2].

 1. dostrow@gentoo.org
 2. vapier@gentoo.org

A full team of volunteers helped staff the booth. Besides Mike and Daniel, Seemant Kulleen[3], Chris Gianelloni[4], Dylan Carlson[5], Jeffrey Forman[6], Peter Johanson[7], Luke Macken[8] (lewk), Rajiv Manglani[9], Andy Fant[10], Chris Aniszczyk[11] and Aaron Griffis[12] made appearances and helped out in the booth.

 3. seemant@gentoo.org
 4. wolf31o2@gentoo.org
 5. absinthe@gentoo.org
 6. jforman@gentoo.org
 7. latexer@gentoo.org
 8. lewk@gentoo.org
 9. rajiv@gentoo.org
 10. fant@pobox.com
 11. zx@gentoo.org
 12. agriffis@gentoo.org

Figure 1.1: Boston LWE Gentoo booth staff
http://www.gentoo.org/images/gwn/20050221_lwe.jpg

Note: Front, left to right: Andrew Fant, Chris Gianelloni, Mike Frysinger, Rajiv Manglani. Chris Aniszczyk is leaning over the table just under the Gentoo poster; everyone else is a visitor.

Besides the perennial requests for CDs (which we had) and T-shirts (which we didn't), there was a steady flow of interest in the PPC release, and a gratifying number of comments by people who have come to realize that Gentoo has a role to play in the enterprise. Also of note was the forthcoming launch of a Gentoo-based startup[13] that will provide custom binary packages to subscribing users through standard Portage mechanisms. A highlight of the week was the anti-bof, where 30-40 users and developers took over the top floor of the Globe Bar and Grill and got the chance to meet and mingle in person.

 13. http://www.genux.org

This was the first year that the LWE was held in Boston, instead of New York, and by all accounts, it was a success. There was a twenty percent increase in vendor exhibits, and attendance was up by a similar amount. It seems likely that LWE will return again next winter, so start making plans for next year. Thanks to everyone who helped to make our presence at the show a success. For those on the west coast, LWE will be in San Francisco from 8 to 11 August. If you are interested in helping with the Gentoo booth at that meeting, please contact the PR team.

Last call for FOSDEM
--------------------

More than 40 Gentoo developers, activists and power users have confirmed their presence at this year's FOSDEM[14] on 26 and 27 February in Brussels at the Université Libre de Bruxelles. The local youth hostel has literally been taken over by the participants in the DevRoom organised by Gentoo at Europe's largest open-source conference, and the schedule is packed with presentations by developers from all over Europe. Saturday night life in Brussels will make it challenging to keep the tight schedule for the Gentoo developer meeting on Sunday morning.

 14. http://dev.gentoo.org/~pylon/fosdem-2005.html

Free entrance to the Gentoo UK conference
-----------------------------------------

Thanks to sponsorships secured from the University of Salford and the London Internet Exchange, LINX[15], the Mancunian Gentoo UK Conference[16], scheduled for 12 March at Manchester's University of Salford, was able to drop the entrance fee. Participants are asked to register, but will be admitted free of charge; registration is still open.[17]

 15. http://www.linx.net
 16. http://dev.gentoo.org/~stuart/2005/
 17. http://dev.gentoo.org/~stuart/2005/registration.html

Easy subscription to Gentoo RSS feeds
-------------------------------------

Michael Kohl[18] has made an OPML file[19] available that allows subscribing to three different RSS feeds from Gentoo at once: the Gentoo Linux news as published on the Gentoo website, the Gentoo Linux Security Announcements (GLSAs), and the feed for packages for x86. Many RSS readers support importing from an OPML file, making subscriptions easily manageable.

 18. citizen428@gentoo.org
 19. http://dev.gentoo.org/~citizen428/files/gentoo.opml

==============
2. Future Zone
==============

Gentooified Kuro-Box
--------------------

The Kuro-Box is a toaster-sized PowerPC NAS (Network Attached Storage) device designed for Linux hackers, owing at least part of its appeal to the clever name: much more than its plain English translation "black" does, the "kuro" of the Kuro-Box hints at both the colour and the occultness of what may be lurking in the dark. Based on a Freescale MPC8241[20] (a 603e processor), it exists in two versions:

 20. http://www.freescale.com/webapp/sps/site/prod_summary.jsp...

 * the original one, at 200MHz with 64MB RAM, a 100Mb ethernet controller and one USB plug (around 160 USD without hard-drive)
 * the HG version, at 266MHz with 128MB RAM, a 1Gb ethernet controller and two USB plugs (240 USD without hard-drive)

Obscured by the fact that it was spawned off Buffalo Technology's "LinkStation" storage device series, it's probably the most inexpensive Linux/PPC development environment currently on the market.

Figure 2.1: Attaching a new meaning to network storage: Buffalo's Kuro-Box
http://www.gentoo.org/images/gwn/20050221_kurobox.jpg

The history[21] of the Kuro-Box begins in Japan back in early 2004, when a Buffalo sister company, Kurouto Shikou, decided to sell older LinkStation inventory on the "power users" market. Thus, the oldest and biggest Kuro-Box hackers community is Japanese, and the amount of documentation on their Linkstation Wiki[22] or on Yasunari Yamashita's blog[23] shows how active it is. For a few months now, Kuro-Boxes have also been distributed in the US and Europe by Revogear[24], and a new non-Japanese community centering around a forum[25] and a wiki[26] now has plenty of English information available to them.

 21. http://penguinppc.org/embedded/kuro/
 22. http:...
 23. http://www.yamasita.jp/linkstation/
 24. http://www.revogear.com/
 25. http://www.kurobox.com/forums/
 26. http://www.kurobox.com/online/

In both communities, there had been several attempts at replacing the stock firmware with more generic Linux distributions ever since the first Kuro-Box shipped about a year ago. The original firmware is too NAS-oriented, i.e. only designed to be a file and printing server, whereas a complete Linux distribution would allow for easy experimentation and unlocking of the platform's full potential. Even setting up Gentoo systems inside the Kuro-Box had been tried before: jmgdean[27] released a Gentoo Total Conversion alpha1[28], and much work was done inside the Japanese community.
However, all of those earlier attempts were mixed installations of Gentoo Linux on top of the original firmware: the toolchains were still based on gcc-2.95, many files were not managed by Portage, and there was still some non-free code inside. My beta1 release[29], on the other hand, is entirely built from sources, and exclusively via Portage. It is composed of:

 27. http://www.kurobox.com/forums/profile.php?mode=viewprofil...
 28. http://www.kurobox.com/forums/viewtopic.php?t=111
 29. http://www.kurobox.com/online/tiki-index.php?page=What+is...

 * a stage3 image which can be installed directly on a fresh hard drive, and which completely replaces the original firmware
 * a Portage overlay, with a few new or modified ebuilds
 * a custom Portage profile, based on Gentoo PPC 2004.3
 * many additional binary packages that should cover the most common needs for that kind of system

The installation process is mostly similar to "normal" Gentoo systems, except that it begins in the so-called "EM mode" in which the box boots when it's not yet set up. This is a very minimalistic environment which can be accessed by both ftp and telnet. From there, you will be able to prepare your drive, chroot, and install the stage3 image. Then you switch the box to the "Normal mode", and hopefully it will reboot using your fresh Gentoo system, which should be accessible by ssh. Detailed instructions are available on a Wiki page[30].

 30. http://www.kurobox.com/online/tiki-index.php?page=Install...

Known limitation and future work

The only thing that is not easily hackable is the content of the FlashROM, i.e. the EM mode system and the kernel. The format of the flash image is well-known and documented (at least on some Japanese websites), but, as opposed to many other Linux-based devices, there is absolutely no fallback in case of mistake once you've touched it -- a flashing error or a badly configured kernel will kill it for good.
Because of that, most users are still stuck with the original 2.4.17 kernel, which is far from perfect. There are currently two directions being explored to overcome this limitation:

 * Installing a proper bootloader in the FlashROM: U-Boot[31] would probably be the best choice, but this project is at too early a stage to give an estimate of its availability.
 * Dynamically replacing the running kernel. This has been made possible thanks to jochang's work[32], by loading a simple kernel module. Integrating that kernel switching into the boot process is the top target for Gentoo beta2 (with everything it depends on, like a proper packaging of kuro-ified kernel sources, etc.)

 31. http://www.kurobox.com/online/tiki-index.php?page=project...
 32. http://www.gentoo.org/security/en/glsa/glsa-200502-15.xml

ht://Dig: Cross-site scripting vulnerability
--------------------------------------------

ht://Dig is vulnerable to cross-site scripting attacks.
For more information, please see the GLSA Announcement[34]

 34. http://www.gentoo.org/security/en/glsa/glsa-200502-16.xml

Opera: Multiple vulnerabilities
-------------------------------

Opera contains several vulnerabilities which could result in information disclosure and facilitate execution of arbitrary code.
For more information, please see the GLSA Announcement[35]

 35. http://www.gentoo.org/security/en/glsa/glsa-200502-17.xml

VMware Workstation: Untrusted library search path
-------------------------------------------------

VMware may load shared libraries from an untrusted, world-writable directory, resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement[36]

 36. http://www.gentoo.org/security/en/glsa/glsa-200502-18.xml

PostgreSQL: Buffer overflows in PL/PgSQL parser
-----------------------------------------------

PostgreSQL is vulnerable to several buffer overflows in the PL/PgSQL parser leading to execution of arbitrary code.
For more information, please see the GLSA Announcement[37]

 37. http://www.gentoo.org/security/en/glsa/glsa-200502-19.xml

Emacs, XEmacs: Format string vulnerabilities in movemail
--------------------------------------------------------

The movemail utility shipped with Emacs and XEmacs contains several format string vulnerabilities, potentially leading to the execution of arbitrary code.
For more information, please see the GLSA Announcement[38]

 38. http://www.gentoo.org/security/en/glsa/glsa-200502-20.xml

lighttpd: Script source disclosure
----------------------------------

An attacker can trick lighttpd into revealing the source of scripts that should be executed as CGI or FastCGI applications.
For more information, please see the GLSA Announcement[39]

 39. http://www.gentoo.org/security/en/glsa/glsa-200502-21.xml

wpa_supplicant: Buffer overflow vulnerability
---------------------------------------------

wpa_supplicant contains a buffer overflow that could lead to a Denial of Service.
For more information, please see the GLSA Announcement[40]

 40. http://www.gentoo.org/security/en/glsa/glsa-200502-22.xml

KStars: Buffer overflow in fliccd
---------------------------------

KStars is vulnerable to a buffer overflow that could lead to arbitrary code execution with elevated privileges.
For more information, please see the GLSA Announcement[41]

 41. http://www.gentoo.org/security/en/glsa/glsa-200502-23.xml

Midnight Commander: Multiple vulnerabilities
--------------------------------------------

Midnight Commander contains several format string errors, buffer overflows and one buffer underflow leading to execution of arbitrary code.
For more information, please see the GLSA Announcement[42]

 42. http://www.gentoo.org/security/en/glsa/glsa-200502-24.xml

Squid: Denial of Service through DNS responses
----------------------------------------------

Squid contains a bug in the handling of certain DNS responses resulting in a Denial of Service.
For more information, please see the GLSA Announcement[43]

 43. http://www.gentoo.org/security/en/glsa/glsa-200502-25.xml

GProFTPD: gprostats format string vulnerability
-----------------------------------------------

gprostats, distributed with GProFTPD, is vulnerable to a format string vulnerability, potentially leading to the execution of arbitrary code.
For more information, please see the GLSA Announcement[44]

 44. http://www.gentoo.org/security/en/glsa/glsa-200502-26.xml

gFTP: Directory traversal vulnerability
---------------------------------------

gFTP is vulnerable to directory traversal attacks, possibly leading to the creation or overwriting of arbitrary files.
For more information, please see the GLSA Announcement[45]

 45. http://www.gentoo.org/security/en/glsa/glsa-200502-27.xml

=========================
4. Heard in the community
=========================

gentoo-dev
----------

Using Gentoo in emulators

After a failed install of Gentoo in MS VirtualPC, a user asks what experiences others have with Gentoo in emulated environments. Read on for a nice (win32-centric) collection of user experiences.

 * Using Gentoo in emulators[46]

 46. http://thread.gmane.org/gmane.linux.gentoo.devel/25480

Portage performance improvements

Another user found a bottleneck in Portage whose removal seems to reduce startup times by at least 50%. Although that may be an extreme example, it still shows that Portage performance is far from optimal.

 * Portage performance improvements[47]

 47. http://thread.gmane.org/gmane.linux.gentoo.devel/25458

GLEP33: Eclass restructure

After the large flamewars last time someone tried to change the way eclasses are used and handled, John Mylchreest[48] and Brian Harring[49] offer a new and quite comprehensive proposal. It can be found at http://dev.gentoo.org/~johnm/files/glep33.txt

 48. johnm@gentoo.org
 49. ferringb@gentoo.org

 * GLEP 33: Eclass restructure[50]

 50. http://thread.gmane.org/gmane.linux.gentoo.devel/25427

Runtime vs. devel packages

Stuart Herbert[51] offers some thoughts on split ebuilds: "For years now, RedHat have split a lot of their packages into two sets ... a set containing what's needed at runtime to use the package, and another 'devel' package containing header files etc which are only needed for building software. One thing that it's really nice to do with a server is build it with no compilers etc installed. The less that's on there, the less there is to maintain, upgrade, be reused by the black hats, etc etc." But, as it seems, there are also good reasons to do things "The Gentoo Way". Read on for a discussion of the pros and cons of both approaches.

 51. stu

 * Runtime vs. devel packages[52]

 52. http://thread.gmane.org/gmane.linux.gentoo.devel/25412

======================
5. Gentoo in the press
======================

Security Focus (14 February 2005)
---------------------------------

After being talked about in a Security Focus article the week before, Gentoo developer and operational manager for the Gentoo Linux Security Team Thierry Carrez[53] now had his own column last Monday: "More advisories, more security"[54] is the title of his piece on the relationship between activities in the security arms of Linux distributions and overall safety for users. "Security advisories from a software publisher or packager should not be seen as bad news. There are always vulnerabilities in software, and when an advisory is released it means that one of these flaws has been identified and fixed," explains Thierry. "It also means the good guys have done their homework, and that one less flaw can be used by the bad guys to harm you."

 53. koon@gentoo.org
 54. http://www.securityfocus.com/columnists/299

Linux Times (14 and 18 February 2005)
-------------------------------------

A flamboyant installation report from Austria hit the online magazine Linux Times on Monday last week, under the heading "One week with Gentoo Linux."
The article[55] describes in detail an installation of Gentoo Linux on slightly dated hardware, and tries to shatter the myth of Gentoo being not easily accessible: "If there was a list of biggest GNU/Linux cliches, the statement 'Gentoo is hard to install' would be ranked among the top. Let me tell you a little secret: Gentoo is easy to install," says author Imre Kálomista, a student at Vienna University. And if that wasn't enough, Gentoo again figures as a topic on Linux Times four days later in a review of the Vidalinux release 1.1 in direct comparison to a "real" Gentoo system. The article[56] concludes that the Puerto-Rican binary Gentoo clone strangely lacks binary package support, but mentions a club membership for access to a repository of precompiled packages.

 55. http://www.linuxtimes.net/modules.php?name=News&file=...
 56. http://www.linuxtimes.net/modules.php?name=News&file=...

Cuddletech blog (12 February 2005)
----------------------------------

Using Xorg 6.8.2 & Composite[57] is the topic for Ben Rockwood's blog entry on the new transparency features in Xorg, with a pleasant side note on the ease of installation in his Gentoo environment: "Thanks to Gentoo I simply yanked XFree86 (unmerge) and merged in Xorg 6.8.2."

 57. http://www.cuddletech.com/blog/pivot/entry.php?id=82

===========
6. Bugzilla
===========

Summary
-------

 * Statistics
 * Closed bug ranking
 * New bug rankings

Statistics
----------

The Gentoo community uses Bugzilla (bugs.gentoo.org[58]) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 13 February 2005 and 20 February 2005, activity on the site has resulted in:

 58. http://bugs.gentoo.org

 * 813 new bugs during this period
 * 447 bugs closed or resolved during this period
 * 20 previously closed bugs were reopened this period

Of the 8040 currently open bugs: 101 are labeled 'blocker', 240 are labeled 'critical', and 596 are labeled 'major'.

Closed bug rankings
-------------------

The developers and teams who have closed the most bugs during this period are:

 * Gentoo KDE team[59], with 25 closed bugs[60]
 * PHP Bugs[61], with 24 closed bugs[62]
 * Net-Mail Packages[63], with 21 closed bugs[64]
 * Gentoo Security[65], with 20 closed bugs[66]
 * Netmon Herd[67], with 15 closed bugs[68]
 * AMD64 Porting Team[69], with 15 closed bugs[70]
 * Gentoo Sound Team[71], with 11 closed bugs[72]
 * PPC Porters[73], with 11 closed bugs[74]

 59. kde@gentoo.org
 60. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&...
 61. php-bugs@gentoo.org
 62. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&...
 63. net-mail@gentoo.org
 64. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&...
 65. security@gentoo.org
 66. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&...
 67. netmon@gentoo.org
 68. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&...
 69. amd64@gentoo.org
 70. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&...
 71. sound@gentoo.org
 72. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&...
 73. ppc@gentoo.org
 74. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&...

New bug rankings
----------------

The developers and teams who have been assigned the most new bugs during this period are:

 * Qmail Team[75], with 54 new bugs[76]
 * Gentoo Sound Team[77], with 23 new bugs[78]
 * AMD64 Porting Team[79], with 19 new bugs[80]
 * media-video herd[81], with 17 new bugs[82]
 * Gentoo KDE team[83], with 16 new bugs[84]
 * Gentoo Science Related Packages[85], with 10 new bugs[86]
 * Gentoo's Team for Core System packages[87], with 10 new bugs[88]
 * Gentoo X-windows packagers[89], with 9 new bugs[90]

 75. qmail-bugs@gentoo.org
 76. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug...
 77. sound@gentoo.org
 78. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug...
 79. amd64@gentoo.org
 80. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug...
 81. media-video@gentoo.org
 82. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug...
 83. kde@gentoo.org
 84. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug...
 85. sci@gentoo.org
 86. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug...
 87. base-system@gentoo.org
 88. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug...
 89. x11@gentoo.org
 90. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug...

===========================
7. Moves, adds, and changes
===========================

Moves
-----

The following developers recently left the Gentoo team:

 * None this week

Adds
----

The following developers recently joined the Gentoo Linux team:

 * David Gümbel (ganymede) - wine

Changes
-------

The following developers recently changed roles within the Gentoo Linux project:

 * None this week

====================
8. Contribute to GWN
====================

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email[91].

 91. gwn-feedback@gentoo.org

===============
9. GWN feedback
===============

Please send us your feedback[92] and help make the GWN better.

 92. gwn-feedback@gentoo.org

================================
10. GWN subscription information
================================

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

===================
11. Other languages
===================

The Gentoo Weekly Newsletter is also available in the following languages:

 * Danish[93]
 * Dutch[94]
 * English[95]
 * German[96]
 * french[97]
 * japanese[98]
 * italian[99]
 * polish[100]
 * portuguese (brazil)[101]
 * portuguese (portugal)[102]
 * russian[103]
 * spanish[104]
 * turkish[105]

 93. http://www.gentoo.org/news/da/gwn/gwn.xml
 94. http://www.gentoo.org/news/nl/gwn/gwn.xml
 95. http://www.gentoo.org/news/en/gwn/gwn.xml
 96. http://www.gentoo.org/news/de/gwn/gwn.xml
 97. http://www.gentoo.org/news/fr/gwn/gwn.xml
 98. http://www.gentoo.org/news/ja/gwn/gwn.xml
 99. http://www.gentoo.org/news/it/gwn/gwn.xml
 100. http://www.gentoo.org/news/pl/gwn/gwn.xml
 101. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
 102. http://www.gentoo.org/news/pt/gwn/gwn.xml
 103. http://www.gentoo.org/news/ru/gwn/gwn.xml
 104. http://www.gentoo.org/news/es/gwn/gwn.xml
 105. http://www.gentoo.org/news/tr/gwn/gwn.xml

Ulrich Plate <plate@gentoo.org> - Editor
Andrew Fant <fant@pobox.com> - Author
Thomas de Grenier de Latour <degrenier@easyconnect.fr> - Author
Patrick Lauer <patrick@gentoo.org> - Author

--
gentoo-gwn@gentoo.org mailing list
Copyright © 2005, Eklektix, Inc.