---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 14 February 2005.
---------------------------------------------------------------------------
==============
1. Gentoo News
==============
Gentoo Forums platform and software switch
------------------------------------------
As anticipated in a Future zone[1] article three weeks ago, the Gentoo
Forums[2] have switched to a new hardware platform and an upgraded version
of phpBB, now running on a clean codebase, normalizing all the patches
that had been applied to the old version, and more feature-rich than the
release that was powering the Forums before. Among the embellishments are
better language packs for the non-English forums, new URI styles with
absolute links that enable search engine spiders to index the entire
Forum, and a few things of lesser visibility, like the moderators' new
ability to join threads -- displacing posts from threads where they're out
of context to a more appropriate location was never possible before. A few
glitches aside, the changeover went so smoothly that none of the users
realized it until it was all over and done. Congratulations to Christian
Hartmann[3] and Lance Albertson[4] for a flawless migration!
1. http://www.gentoo.org/news/en/gwn/20050124-newsletter.xml#doc_chap2
2. http://forums.gentoo.org
3. ian@gentoo.org
4. ramereth@gentoo.org
Gentoo event calender for February/March 2005
---------------------------------------------
Busy days for Gentoo evangelists: Their schedule has never been so packed
with shows, conferences and presentations as over the next four weeks.
Here's a list of the upcoming events, with a last reminder for tomorrow's
LWE in Boston at the top.
* Linux World Expo[5] - 15-18 February in Boston, MA: Hynes Convention
Center
* FOSDEM[6] - 26 and 27 February in Brussels, Belgium: Université Libre
de Bruxelles
* CPLUG Security Conference[7] - 5 March in Grantham, PA: Messiah College
* Chemnitzer Linux-Tage[8] - 5 and 6 March in Chemnitz, Germany:
Technische Universität
* Gentoo UK Conference[9] - 12 March in Manchester, UK: University of
Salford
5. http://www.linuxworldexpo.com/live/12/events/12BOS05A/
6. http://dev.gentoo.org/~pylon/fosdem-2005.html
7. http://cplug.net/conference
8. http://dev.gentoo.org/~dertobi123/clt2005
9. http://dev.gentoo.org/~stuart/2005/
Note: Links point to official event websites or -- if available -- Gentoo
developer pages organizing our own presence.
Gentoo Linux Security Team -- Interview with Thierry Carrez
-----------------------------------------------------------
If you have a habit of watching the pattern of security issues and
responses in the Linux world, you've probably noticed that Gentoo's alerts
and responses to those issues tend to follow rapidly on the heels of
initial discovery. In fact, Gentoo Linux Security Announcements (GLSAs)
are a frequently cited resource for security notifications and fix status
even outside the Gentoo community. This reputiation of responsiveness is a
remarkable feat for a community which does not have a commercial arm
supporting a dedicated security response center.
Thierry Carrez[10] (koon), one of the Operational Managers for Gentoo's
Security Team[11], was kind enough to take a few minutes to explain some
of the practices that have allowed the team to be so efficient in
identifying and responding to security issues.
10. koon@gentoo.org
11. http://www.gentoo.org/proj/en/security/index.xml
Could you give us a rough overview of the process involved in identifying
and fixing security flaws? What steps are involved? Who performs them?
What tools are used?
We follow the Vulnerability Treatment Policy[12] to handle security bugs.
In brief, public vulnerabilities get submitted by users, our security
scouts or the security developers, whoever finds it first. Sometimes we
get notified by confidential channels (the vendor-sec list or direct
contact from the upstream developers or auditors). Then the security bug
progresses through upstream status (where we wait for a fix from upstream
maintainers); ebuild status (where we call the Gentoo maintainer for the
package and ask for a fixed ebuild); stable status, where we ask all
security-supported arches to test and mark the fixed package stable; and
finally to glsa status where we issue a GLSA if necessary. Sometimes we
get stuck at one of those intermediate statuses and have to work out a
patch ourselves. Sometimes we don't find a solution and we mask the
package because it's a security risk to leave it in the tree without a fix.
12. http://www.gentoo.org/security/en/vulnerability-policy.xml
Security bug handling is mostly calling the right people at the right time
to try to get the ball rolling at all times. This task is performed by the
GLSA coordinators, and it's not automated. We rely heavily on the other
Gentoo developers (package maintainers and arch teams) to do the patching
and testing.
Where do you find out about security flaws? Mailing lists? Alerts? Do we
do testing ourselves?
We rely on our user base to submit as many public vulnerabilities as they
can. The security team tries to get all those that go unnoticed. Security
flaws come from public mailing-lists like BugTraq or Full-Disclosure, and
also upstream security advisories and other distribution advisories. We
are more and more accepted as part of the general Linux security community
and therefore we get notice of some vulnerabilities before they go public.
To contribute back we have recently set up a Security Audit subproject to
find vulnerabilities by ourselves, and our package maintainers also find a
lot of vulnerabilities in their testing.
When a flaw is identified, how is it documented?
Most of the time we just copy the public advisory information, and then
proceed in verifying that it applies to Gentoo Linux, and rate its
severity. This severity seeds priorities, as we try to respect the delays
indicated in the Vulnerability Treatment Policy.
Is there a formal process where the resolution of a flaw is assigned to
someone? How are priorities set? How is the fix documented and tested?
Each GLSA Coordinator can take a bug and be tasked to ensure the ball
keeps rolling on this bug at all times. But if a bug gets stuck, every
security developer can intervene to unstick it. Priorities are set by
severities, following the rules described in the Vulnerability Treatment
Policy.
When a fix is available, how is it documented? Who does the GLSA? How are
GLSA's transmitted? How are they archived or stored?
We document the fix in a GLSA draft, which must get at least two positive
peer-reviews before getting released. We use a tool called GLSAMaker to
help in ensuring consistency between all GLSAs. The GLSA is written by the
GLSA Coordinator or sometimes by one of our Security Apprentices (GLSA
coordinators in training). GLSAs are sent by mail to gentoo-announce and
other security lists, automatically appear in a live RDF feed[13] and on
the Gentoo Security page[14]. Finally, they get copied by forum moderators
to appear as forum announcements. GLSA XML sources are part of the portage
tree (in metadata/glsa) and get synced on all user boxes, to enable the
use of the (for the moment still experimental) glsa-check tool (which is
part of the gentoolkit package).
13. http://www.gentoo.org/rdf/en/glsa-index.rdf
14. http://security.gentoo.org
Who are the upstream consumers of GLSA's? Other than Gentoo users, are
there other organizations that are alerted?
We warn linuxsecurity.com so that they include GLSA in their advisories
page[15]. The MITRE CVE dictionary[16] also includes GLSA references.
15. http://www.linuxsecurity.com/content/blogcategory/0/76/
16. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=GENTOO
Are there any automated tools or scripts that the team uses to manage
these jobs?
We use GLSAMaker, a tool written by Tim Yamin[17] (plasmaroo), to help in
writing GLSA XML source and the text counterpart.
17. plasmaroo@gentoo.org
What's the status of "emerge security" functionality to identify and fix
security issues using portage?
"Emerge security" functionality is currently under testing with the
"glsa-check" tool, part of the gentoolkit package. It allows us to
identify which GLSAs affect your system and to automatically fix the
vulnerable packages. When this is ready, the portage tool team will
integrate this into mainline tools like emerge. Users are encouraged to
use the latest glsa-check and report any oddities using bugzilla[18].
18. http://bugs.gentoo.org
Where can users get information about the security team?
Our main page is the Gentoo Security portal at security.gentoo.org[19]. It
contains all the pointers to our policy documents, the latest GLSAs and
lots of useful information. People that would like to join the Gentoo
Security project should read the Security project webpage[20], and in
particular the GLSA Coordinators guide[21] and the Security padawans
page[22] to get a feel of what we need.
19. http://security.gentoo.org
20. http://www.gentoo.org/proj/en/security/
21. http://www.gentoo.org/security/en/coordinator_guide.xml
22. http://www.gentoo.org/security/en/padawans.xml
What are some of the initiatives the security team have undertaken
recently?
In the last year, we put procedures in place so that all unwritten rules
followed by the team have a reference policy document. We also put
together a new team that will ensure that we keep a consistent security
watch at all times.
What did we forget to ask that we should know about?
Maybe our management structure. Kurt Lieber[23] (klieber) is our strategic
manager, Sune Kloppenborg Jeppesen[24] (jaervosz) and myself are the
operational managers.
23. klieber@gentoo.org
24. jaervosz@gentoo.org
==============
2. Future Zone
==============
Open-Xchange in Gentoo Linux
----------------------------
Open-Xchange (OX)[25] is the open-source groupware server on which
Novell's SuSE Linux Openexchange Server (SLOX)[26] is based. Open-Xchange
was closed source until 30 August 2004 when it was released under the GNU
Public License. OX leverages popular open-source server technology by
integrating existing projects (SMTP, IMAP, LDAP, Apache, Tomcat, and
PostgreSQL) to deliver a powerful messaging and collaboration environment.
Some features of interest include e-mail, project management, a versioning
document store, shared calendaring, and a knowledge base. It can be
accessed via both a web interface or through fat clients such as
Evolution, the Mozilla suite (Thunderbird and Sunbird) and any other third
party application that supports WebDAV. Currently, Open-Xchange is in
development with a slated stable release (v0.8) in March 2005. If you want
to see what OX is like before undertaking the somewhat daunting install,
you can try it out using the online demo[27].
25. http://www.open-xchange.org
26. http://www.novell.com/products/openexchange
27. http://mirror.open-xchange.org/ox/EN/community/online.htm
Installation and support
There are currently two ways to install OX in Gentoo Linux: using the
ebuild from Bugzilla[28] (not currently in the Portage tree), or manually
installing it. A Wiki page[29] explains the installation using the ebuild,
but for most of the necessary steps to get OX successfully running, an
additional manual installation HOWTO[30] covers the prerequisite
configurations as well as extending and enhancing Open-Xchange. For
Gentoo-specific questions a Gentoo Forum thread[31] with several hundred
posts has most of the answers that are available so far.
28. http://bugs.gentoo.org/show_bug.cgi?id=62197
29. http://gentoo-wiki.com/HOWTO_Open-Xchange
30. http://www.mikefetherston.ca/OX/
31. http://forums.gentoo.org/viewtopic-t-233291.html
If you are not already familiar with the servers that OX uses be prepared
for a steep learning curve and to do a lot of reading. A majority of the
problems experienced so far involve LDAP configuration, Apache/Tomcat
integration, and SASL authentication. All of the servers that OX relies on
need to be properly configured and working before you can proceed with the
actual Open-Xchange install.
Note: Author Mike Fetherston was a dedicated Slackware user who turned to
Gentoo in early 2004. Upon Netline's release of SuSE's SLOX server under
the GPL he covered his initial installation experiences and tremendous
feedback from the Gentoo user community in a document of currently more
than 40 pages.
==================
3. Gentoo security
==================
OpenMotif: Multiple vulnerabilities in libXpm
---------------------------------------------
Multiple vulnerabilities have been discovered in libXpm, which is included
in OpenMotif, that can potentially lead to remote code execution. (NB:
This is the same vulnerability that was fixed in xorg-x11 last November)
For more information, please see the GLSA Announcement[32]
32. http://www.gentoo.org/security/en/glsa/glsa-200502-07.xml
PostgreSQL: Local privilege escalation
--------------------------------------
The PostgreSQL server can be tricked by a local attacker to execute
arbitrary code.
For more information, please see the GLSA Announcement[33]
33. http://www.gentoo.org/security/en/glsa/glsa-200502-08.xml
Python: Arbitrary code execution through SimpleXMLRPCServer
-----------------------------------------------------------
Python-based XML-RPC servers may be vulnerable to remote execution of
arbitrary code.
For more information, please see the GLSA Announcement[34]
34. http://www.gentoo.org/security/en/glsa/glsa-200502-09.xml
pdftohtml: Vulnerabilities in included Xpdf
-------------------------------------------
pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to execution of arbitrary code upon converting a malicious PDF
file.
For more information, please see the GLSA Announcement[35]
35. http://www.gentoo.org/security/en/glsa/glsa-200502-10.xml
Mailman: Directory traversal vulnerability
------------------------------------------
Mailman fails to properly sanitize input, leading to information
disclosure.
For more information, please see the GLSA Announcement[36]
36. http://www.gentoo.org/security/en/glsa/glsa-200502-11.xml
Webmin: Information leak in Gentoo binary package
-------------------------------------------------
Portage-built Webmin binary packages accidentally include a file
containing the local encrypted root password.
For more information, please see the GLSA Announcement[37]
37. http://www.gentoo.org/security/en/glsa/glsa-200502-12.xml
Perl: Vulnerabilities in perl-suid wrapper
------------------------------------------
Vulnerabilities leading to file overwriting and code execution with
elevated privileges have been discovered in the perl-suid wrapper.
For more information, please see the GLSA Announcement[38]
38. http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml
mod_python: Publisher Handler vulnerability
-------------------------------------------
mod_python contains a vulnerability in the Publisher Handler potentially
leading to information disclosure.
For more information, please see the GLSA Announcement[39]
39. http://www.gentoo.org/security/en/glsa/glsa-200502-14.xml
=========================
4. Heard in the community
=========================
gentoo-dev
----------
Remove no [insert feature here] USE-flags from the tree
Michiel de Bruijne [40] writes: "There are quite a few ebuilds in the tree
that make use of a no [insert feature here] USE-flag. So basically by
disabling the USE-flag you get more features. Pulling in extra
dependencies by disabling the USE-flag is a possibility. This has some
nasty side effects ..." The following discussion shows quite well why
these USE-flags are not good.
40. m.debruijne@hccnet.nl
* Remove no [insert feature here] USE-flags from the tree[41]
41. http://thread.gmane.org/gmane.linux.gentoo.devel/25197
Automatic stabilization of packages
Approximately every 6 months the same discussion comes up: How can the
packages in portage be kept up to date? The naive approach would be
automatic stabilization after a certain period of time. This thread shows
why for the most part that is not a good idea ...
* Automatic stabilization of packages[42]
42. http://thread.gmane.org/gmane.linux.gentoo.devel/25254
Closing or resolving bugs, which is it?
Marius Mauch[43] writes: "I noticed a new trend lately introduced by a few
new devs: changing bug status from RESOLVED to CLOSED. Personally I just
find it annoying and completely useless. Can we agree to not do that
unless there is a technical reason? Don't see any benefit in this, just
means that closed bugs are now split between two "categories" with no
actual difference."
43. genone@gentoo.org
* should we close bugs?[44]
44. http://thread.gmane.org/gmane.linux.gentoo.devel/25168
=======================
5. Gentoo International
=======================
USA: Gentoo Bugday event at Oregon State University LUG
-------------------------------------------------------
Gentoo Bugdays[45] are regularly held every first Saturday of each month,
with developers and users everywhere gathering on IRC and skimming
Gentoo's bugzilla for anything that looks like it needs fixing. On 5
February, the Linux User Group of Oregon State University took the
opportunity and turned the virtual event into a real one[46]. Twelve OSLUG
members met at Weatherford Hall, the OSU residential college building.
Aided by a precompiled list of bugs prepared by Gentoo's Bugday organizers
for this occasion, they kept squashing bugs from 9:00 to 16:00, with the
official IRC channel #gentoo-bugs being projected overhead, and assorted
computers scattered around the classroom, each with a determined Gentoo
bug hunter in front of the screen.
45. http://bugday.gentoo.org/
46. http://lug.oregonstate.edu/wiki/index.cgi?GentooBugDay
Figure 5.1: The Klendathu, OR bughunt: Deedra Waters, Dunbar (background)
and Micheal Clay
http://www.gentoo.org/images/gwn/20050214_oslug.jpg
Note: More photos are available at the OSLUG website.
Germany: Storage tool release for Gentoo Linux
----------------------------------------------
Commercial releases of Linux applications with official support outside
the RedHat/SuSE/Mandrake realm are scarce and far between. A German
company, SEP AG[47], has now announced the availability of their storage
management product "SEP sesam" for Gentoo Linux. "We're traditionally tied
to SuSE Linux, but had Gentoo on our radar ever since we watched the
impressive installation Lars Weiler[48] did on an HP Proliant cluster at
last year's LinuxTag in Karlsruhe," recalls SEP's sales manager Johann
Krahfuss (cf. GWN report 28 June 2004[49]). "So when our first customers
demanded an adaptation of SEP sesam to Gentoo Linux, it didn't exactly
take us by surprise." The German federal research institution Fraunhofer
Gesellschaft[50] were the first to request a SEP sesam installation inside
a Gentoo Linux environment, "and since we didn't encounter any problems
whatsoever, we feel it's ready for official release," says Krahfuss. A
30-day-test version (including support) can be downloaded from the
corporate website's download section. SEP sesam is designed for data
storage management in heterogenous networks, including Linux, BSD,
Solaris, TRU/64, OpenVMS, Windows and Mac OS X. The company will be
present at next week's CRN Storage Solution Days 2005[51] in Neuss (link
in German only).
47. http://www.sep.de
48. pylon@gentoo.org
49. http://www.gentoo.org/news/en/gwn/20040628-newsletter.xml
50. http://www.fhg.de
51. http://www.solutiondays.de/storage
======================
6. Gentoo in the press
======================
Newsforge (8 and 9 February 2005)
---------------------------------
Newsforge published an article in two parts about using MySQL to benchmark
OS performance[52], as analyzed and written by Tony Bourke[53]. The
performance check spans server operating systems Open-, Net- and FreeBSD,
Solaris 10, and Linux as platforms for MySQL database execution, and
"among a multitude of distributions" Gentoo was chosen for the Linux part
of the test, running both 2.4 and 2.6 kernels (gentoo-sources) on
ReiserFS. "With Gentoo it was also relatively easy to install NPTL for
2.6, which I used in the 2.6 tests," says Tony Bourke, "although they
didn't make any difference when compared to non-NPTL 2.6 results." While
the first part just explains the tools and the methodology, the actual
performance comparison is published in a separate article[54] - with
amazing results, Gentoo Linux clearly winning all individual benchmark
tests. Funnily enough, Gentoo's outstanding performance even triggered
complaints about the "unfair advantage"[55] of using a source-based,
possibly processor-optimized Linux distribution as a platform for the
comparison.
52. http://software.newsforge.com/software/04/12/27/1238216.shtml
53. http://vegan.net/tony/
54. http://www.newsforge.com/article.pl?sid=04/12/27/1243207
55.
http://www.newsforge.com/comments.pl?sid=43141&op=&threshold=0&commentsort=0&mode=thread&tid=152&pid=106968#106970
CNET (7 February 2005)
----------------------
Sun's President Jonathan Schwartz nods his head to Gentoo's OpenSolaris
effort in an interview published on CNET last week. While explaining the
OpenSolaris governance model to interviewer Stephen Shankland, he claims
"Solaris is now officially platform-neutral"[56] and expects "10 or more"
non-Sun OpenSolaris distributions to appear in the market.
56. http://news.com.com/Suns+open-source+gamble/2008-1082_3-5564283.html
Security Focus (2 February 2005)
--------------------------------
Columnist Jason Miller says Linux kernel security handling is broken, "and
it needs to be fixed right now." The article at securityfocus.com[57], a
publication mainly read by security professionals, is highly critical of
the way security bugs in the Linux kernel are being addressed. But the
author, a self-proclaimed "huge follower of BSD-based operating systems,"
has some good news, too: "Once we start looking at actual distributions of
the Linux kernel as a complete operating system, we find some
distributions with official security contacts, as well as security-related
pages similar to those provided by the major BSD-based operating systems.
Gentoo Linux Security is a good example of that."
57. http://www.securityfocus.com/columnists/296
Réseaux & Télécoms (3 February 2005, in French)
--------------------------------------------------
Directly responding to the Security Focus column by Jason Miller, the
French network and telco magazine looks beyond the kernel as a security
issue: Both flaws in individual applications not depending on the kernel,
and the distribution of security-related information are identified as
equally important fields of activity for the "bug hunters of open source."
The article "Noyau Linux : Mais où est la sécurité ?"[58] acknowledges
Miller's conclusion of "things changing, fast and in the right direction,"
and praises Thierry Carrez (see our interview above[59]) as an example for
"impressive work." With the current pace of discussion around the
structure of security handling and the distribution of information, it's
"time to show some optimism," says author Marc Olanie, pointing out that
it took Microsoft eighteen years to standardize their own security
procedures -- "or have they?"
58.
http://www.reseaux-telecoms.com/cso_btree/05_02_03_194507_984/CSO/Newscso_view
59.
http://www.gentoo.org/news/en/gwn/20050214-newsletter.xml#doc_chap1_sect2
Sun blogs (31 January 2005)
---------------------------
Eric Boutilier, an engineer at Sun, Inc. is gearing up for Gentoo
development on OpenSolaris, and posted his first attempts at familiarizing
himself with Portage on Linux to his blog at the Sun website[60]. While
his choice of installation material is peculiar - Gentoo-clone Vidalinux
rather than a standard install, and on a five-year-old Portégé laptop - he
quickly falls in sync with normal Portage user behaviour for lengthy
compiles: "Oh well. I left it happily building away and went to work."
60. http://blogs.sun.com/roller/page/eric_boutilier/20050131
===========
7. Bugzilla
===========
Summary
-------
* Statistics
* Closed bug ranking
* New bug rankings
Statistics
----------
The Gentoo community uses Bugzilla (bugs.gentoo.org[61]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 06 February 2005 and 13 February 2005, activity
on the site has resulted in:
61. http://bugs.gentoo.org
* 860 new bugs during this period
* 699 bugs closed or resolved during this period
* 37 previously closed bugs were reopened this period
Of the 8036 currently open bugs: 102 are labeled 'blocker', 243 are
labeled 'critical', and 600 are labeled 'major'.
Closed bug rankings
-------------------
The developers and teams who have closed the most bugs during this period
are:
* osx porters[62], with 179 closed bugs[63]
* Gentoo's Team for Core System packages[64], with 53 closed bugs[65]
* Gentoo KDE team[66], with 30 closed bugs[67]
* AMD64 Porting Team[68], with 24 closed bugs[69]
* Gentoo Security[70], with 23 closed bugs[71]
* media-video herd[72], with 19 closed bugs[73]
* Gentoo Games[74], with 19 closed bugs[75]
* Text-Markup Team[76], with 17 closed bugs[77]
62. osx@gentoo.org
63.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=osx@gentoo.org
64. base-system@gentoo.org
65.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=base-system@gentoo.org
66. kde@gentoo.org
67.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=kde@gentoo.org
68. amd64@gentoo.org
69.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=amd64@gentoo.org
70. security@gentoo.org
71.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=security@gentoo.org
72. media-video@gentoo.org
73.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=media-video@gentoo.org
74. games@gentoo.org
75.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=games@gentoo.org
76. text-markup@gentoo.org
77.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=text-markup@gentoo.org
New bug rankings
----------------
The developers and teams who have been assigned the most new bugs during
this period are:
* AMD64 Porting Team[78], with 30 new bugs[79]
* Gentoo Sound Team[80], with 18 new bugs[81]
* Gentoo X-windows packagers[82], with 15 new bugs[83]
* Net-Mail Packages[84], with 11 new bugs[85]
* Mobile Herd[86], with 11 new bugs[87]
* media-video herd[88], with 11 new bugs[89]
* Gentoo KDE team[90], with 10 new bugs[91]
* Portage team[92], with 10 new bugs[93]
78. amd64@gentoo.org
79.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=amd64@gentoo.org
80. sound@gentoo.org
81.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=sound@gentoo.org
82. x11@gentoo.org
83.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=x11@gentoo.org
84. net-mail@gentoo.org
85.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=net-mail@gentoo.org
86. mobile@gentoo.org
87.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=mobile@gentoo.org
88. media-video@gentoo.org
89.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=media-video@gentoo.org
90. kde@gentoo.org
91.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=kde@gentoo.org
92. dev-portage@gentoo.org
93.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=dev-portage@gentoo.org
==================
8. Tips and tricks
==================
Portage magic: Identify obsolete packages
-----------------------------------------
Gentoo developer Brian Harring[94] designed a clever way to identify all
merged versions of packages not available in Portage anymore -- both the
official tree and packages from PORTDIR_OVERLAY. Here is the method he
came up with, packing as much Python neatness as fits on a single command
line:
94. ferringb@gentoo.org
---------------------------------------------------------------------------
| Code Listing 8.1: |
|Python scriptlet |
#1-------------------------------------------------------------------------
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all","="+x))==0]' |
| |
---------------------------------------------------------------------------
If that just went a little over your head, let's look at what exactly it
does. For example, if a package, say, foo-1.2.3 is merged, and that
version 1.2.3 is no longer in the tree, the script will point it out. A
simple check for packages that aren't available any longer regardless of
versions, would look like this:
---------------------------------------------------------------------------
| Code Listing 8.2: |
|Python scriptlet |
#2-------------------------------------------------------------------------
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0]' |
| |
---------------------------------------------------------------------------
Finally, if you want to ignore package foo-1.2.3 even if it isn't in the
tree any longer, but a revision foo-1.2.3-r1 is, the following script will
ignore the package, only triggering on installed applications that have
completely vanished from Portage.
---------------------------------------------------------------------------
| Code Listing 8.3: |
|Python scriptlet |
#3-------------------------------------------------------------------------
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if |
len(portage.portdb.xmatch("match-all","~"+"-".join(portage.pkgsplit(x)[:2])
))==0]'
| |
---------------------------------------------------------------------------
Lastly, none of the above take injected packages into consideration, only
those that were installed from an available tree. Now, suppose you'd like
to ignore those, too, here's what to do:
---------------------------------------------------------------------------
| Code Listing 8.4: |
|Python scriptlet |
#4-------------------------------------------------------------------------
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0 \ |
|and not portage.db["/"]["vartree"].dbapi.isInjected(x)]' |
| |
---------------------------------------------------------------------------
Yes, we knew you'd like this. All of the above do work for individual
packages you keep in an overlay tree, for example at /usr/local/portage,
those are being evaluated along with packages in the official Portage
tree. Try it out, you can't break anything, it just notifies you about
whatever it finds, leaving it up to the user to decide what to do with
that information.
===========================
9. Moves, adds, and changes
===========================
Moves
-----
The following developers recently left the Gentoo team:
* None this week
Adds
----
The following developers recently joined the Gentoo Linux team:
* Sebastian Bergmann (sebastian) - PHP
Changes
-------
The following developers recently changed roles within the Gentoo Linux
project:
* None this week
=====================
10. Contribute to GWN
=====================
Interested in contributing to the Gentoo Weekly Newsletter? Send us an
email[95].
95. gwn-feedback@gentoo.org
================
11. GWN feedback
================
Please send us your feedback[96] and help make the GWN better.
96. gwn-feedback@gentoo.org
================================
12. GWN subscription information
================================
To subscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-subscribe@gentoo.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-unsubscribe@gentoo.org from the email address you are
subscribed under.
===================
13. Other languages
===================
The Gentoo Weekly Newsletter is also available in the following languages:
* Danish[97]
* Dutch[98]
* English[99]
* German[100]
* french[101]
* japanese[102]
* italian[103]
* polish[104]
* portuguese (brazil)[105]
* portuguese (portugal)[106]
* russian[107]
* spanish[108]
* turkish[109]
97. http://www.gentoo.org/news/da/gwn/gwn.xml
98. http://www.gentoo.org/news/nl/gwn/gwn.xml
99. http://www.gentoo.org/news/en/gwn/gwn.xml
100. http://www.gentoo.org/news/de/gwn/gwn.xml
101. http://www.gentoo.org/news/fr/gwn/gwn.xml
102. http://www.gentoo.org/news/ja/gwn/gwn.xml
103. http://www.gentoo.org/news/it/gwn/gwn.xml
104. http://www.gentoo.org/news/pl/gwn/gwn.xml
105. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
106. http://www.gentoo.org/news/pt/gwn/gwn.xml
107. http://www.gentoo.org/news/ru/gwn/gwn.xml
108. http://www.gentoo.org/news/es/gwn/gwn.xml
109. http://www.gentoo.org/news/tr/gwn/gwn.xml
Ulrich Plate <plate@gentoo.org> - Editor
AJ Armstrong <aja@clanarmstrong.com> - Author
Mike Fetherston <mike@mikefetherston.ca> - Author
Patrick Lauer <patrick@gentoo.org> - Author
--
gentoo-gwn@gentoo.org mailing list
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 14 February 2005.
---------------------------------------------------------------------------
==============
1. Gentoo News
==============
Gentoo Forums platform and software switch
------------------------------------------
As anticipated in a Future zone[1] article three weeks ago, the Gentoo
Forums[2] have switched to a new hardware platform and an upgraded version
of phpBB, now running on a clean codebase, normalizing all the patches
that had been applied to the old version, and more feature-rich than the
release that was powering the Forums before. Among the embellishments are
better language packs for the non-English forums, new URI styles with
absolute links that enable search engine spiders to index the entire
Forum, and a few things of lesser visibility, like the moderators' new
ability to join threads -- displacing posts from threads where they're out
of context to a more appropriate location was never possible before. A few
glitches aside, the changeover went so smoothly that none of the users
realized it until it was all over and done. Congratulations to Christian
Hartmann[3] and Lance Albertson[4] for a flawless migration!
1. http://www.gentoo.org/news/en/gwn/20050124-newsletter.xml#doc_chap2
2. http://forums.gentoo.org
3. ian@gentoo.org
4. ramereth@gentoo.org
Gentoo event calender for February/March 2005
---------------------------------------------
Busy days for Gentoo evangelists: Their schedule has never been so packed
with shows, conferences and presentations as over the next four weeks.
Here's a list of the upcoming events, with a last reminder for tomorrow's
LWE in Boston at the top.
* Linux World Expo[5] - 15-18 February in Boston, MA: Hynes Convention
Center
* FOSDEM[6] - 26 and 27 February in Brussels, Belgium: Université Libre
de Bruxelles
* CPLUG Security Conference[7] - 5 March in Grantham, PA: Messiah College
* Chemnitzer Linux-Tage[8] - 5 and 6 March in Chemnitz, Germany:
Technische Universität
* Gentoo UK Conference[9] - 12 March in Manchester, UK: University of
Salford
5. http://www.linuxworldexpo.com/live/12/events/12BOS05A/
6. http://dev.gentoo.org/~pylon/fosdem-2005.html
7. http://cplug.net/conference
8. http://dev.gentoo.org/~dertobi123/clt2005
9. http://dev.gentoo.org/~stuart/2005/
Note: Links point to official event websites or -- if available -- Gentoo
developer pages organizing our own presence.
Gentoo Linux Security Team -- Interview with Thierry Carrez
-----------------------------------------------------------
If you have a habit of watching the pattern of security issues and
responses in the Linux world, you've probably noticed that Gentoo's alerts
and responses to those issues tend to follow rapidly on the heels of
initial discovery. In fact, Gentoo Linux Security Announcements (GLSAs)
are a frequently cited resource for security notifications and fix status
even outside the Gentoo community. This reputiation of responsiveness is a
remarkable feat for a community which does not have a commercial arm
supporting a dedicated security response center.
Thierry Carrez[10] (koon), one of the Operational Managers for Gentoo's
Security Team[11], was kind enough to take a few minutes to explain some
of the practices that have allowed the team to be so efficient in
identifying and responding to security issues.
10. koon@gentoo.org
11. http://www.gentoo.org/proj/en/security/index.xml
Could you give us a rough overview of the process involved in identifying
and fixing security flaws? What steps are involved? Who performs them?
What tools are used?
We follow the Vulnerability Treatment Policy[12] to handle security bugs.
In brief, public vulnerabilities get submitted by users, our security
scouts or the security developers, whoever finds it first. Sometimes we
get notified by confidential channels (the vendor-sec list or direct
contact from the upstream developers or auditors). Then the security bug
progresses through upstream status (where we wait for a fix from upstream
maintainers); ebuild status (where we call the Gentoo maintainer for the
package and ask for a fixed ebuild); stable status, where we ask all
security-supported arches to test and mark the fixed package stable; and
finally to glsa status where we issue a GLSA if necessary. Sometimes we
get stuck at one of those intermediate statuses and have to work out a
patch ourselves. Sometimes we don't find a solution and we mask the
package because it's a security risk to leave it in the tree without a fix.
12. http://www.gentoo.org/security/en/vulnerability-policy.xml
Security bug handling is mostly calling the right people at the right time
to try to get the ball rolling at all times. This task is performed by the
GLSA coordinators, and it's not automated. We rely heavily on the other
Gentoo developers (package maintainers and arch teams) to do the patching
and testing.
Where do you find out about security flaws? Mailing lists? Alerts? Do we
do testing ourselves?
We rely on our user base to submit as many public vulnerabilities as they
can. The security team tries to get all those that go unnoticed. Security
flaws come from public mailing-lists like BugTraq or Full-Disclosure, and
also upstream security advisories and other distribution advisories. We
are more and more accepted as part of the general Linux security community
and therefore we get notice of some vulnerabilities before they go public.
To contribute back we have recently set up a Security Audit subproject to
find vulnerabilities by ourselves, and our package maintainers also find a
lot of vulnerabilities in their testing.
When a flaw is identified, how is it documented?
Most of the time we just copy the public advisory information, and then
proceed in verifying that it applies to Gentoo Linux, and rate its
severity. This severity seeds priorities, as we try to respect the delays
indicated in the Vulnerability Treatment Policy.
Is there a formal process where the resolution of a flaw is assigned to
someone? How are priorities set? How is the fix documented and tested?
Each GLSA Coordinator can take a bug and be tasked to ensure the ball
keeps rolling on this bug at all times. But if a bug gets stuck, every
security developer can intervene to unstick it. Priorities are set by
severities, following the rules described in the Vulnerability Treatment
Policy.
When a fix is available, how is it documented? Who does the GLSA? How are
GLSA's transmitted? How are they archived or stored?
We document the fix in a GLSA draft, which must get at least two positive
peer-reviews before getting released. We use a tool called GLSAMaker to
help in ensuring consistency between all GLSAs. The GLSA is written by the
GLSA Coordinator or sometimes by one of our Security Apprentices (GLSA
coordinators in training). GLSAs are sent by mail to gentoo-announce and
other security lists, automatically appear in a live RDF feed[13] and on
the Gentoo Security page[14]. Finally, they get copied by forum moderators
to appear as forum announcements. GLSA XML sources are part of the portage
tree (in metadata/glsa) and get synced on all user boxes, to enable the
use of the (for the moment still experimental) glsa-check tool (which is
part of the gentoolkit package).
13. http://www.gentoo.org/rdf/en/glsa-index.rdf
14. http://security.gentoo.org
Who are the upstream consumers of GLSA's? Other than Gentoo users, are
there other organizations that are alerted?
We warn linuxsecurity.com so that they include GLSA in their advisories
page[15]. The MITRE CVE dictionary[16] also includes GLSA references.
15. http://www.linuxsecurity.com/content/blogcategory/0/76/
16. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=GENTOO
Are there any automated tools or scripts that the team uses to manage
these jobs?
We use GLSAMaker, a tool written by Tim Yamin[17] (plasmaroo), to help in
writing GLSA XML source and the text counterpart.
17. plasmaroo@gentoo.org
What's the status of "emerge security" functionality to identify and fix
security issues using portage?
"Emerge security" functionality is currently under testing with the
"glsa-check" tool, part of the gentoolkit package. It allows us to
identify which GLSAs affect your system and to automatically fix the
vulnerable packages. When this is ready, the portage tool team will
integrate this into mainline tools like emerge. Users are encouraged to
use the latest glsa-check and report any oddities using bugzilla[18].
18. http://bugs.gentoo.org
Where can users get information about the security team?
Our main page is the Gentoo Security portal at security.gentoo.org[19]. It
contains all the pointers to our policy documents, the latest GLSAs and
lots of useful information. People that would like to join the Gentoo
Security project should read the Security project webpage[20], and in
particular the GLSA Coordinators guide[21] and the Security padawans
page[22] to get a feel of what we need.
19. http://security.gentoo.org
20. http://www.gentoo.org/proj/en/security/
21. http://www.gentoo.org/security/en/coordinator_guide.xml
22. http://www.gentoo.org/security/en/padawans.xml
What are some of the initiatives the security team have undertaken
recently?
In the last year, we put procedures in place so that all unwritten rules
followed by the team have a reference policy document. We also put
together a new team that will ensure that we keep a consistent security
watch at all times.
What did we forget to ask that we should know about?
Maybe our management structure. Kurt Lieber[23] (klieber) is our strategic
manager, Sune Kloppenborg Jeppesen[24] (jaervosz) and myself are the
operational managers.
23. klieber@gentoo.org
24. jaervosz@gentoo.org
==============
2. Future Zone
==============
Open-Xchange in Gentoo Linux
----------------------------
Open-Xchange (OX)[25] is the open-source groupware server on which
Novell's SuSE Linux Openexchange Server (SLOX)[26] is based. Open-Xchange
was closed source until 30 August 2004 when it was released under the GNU
Public License. OX leverages popular open-source server technology by
integrating existing projects (SMTP, IMAP, LDAP, Apache, Tomcat, and
PostgreSQL) to deliver a powerful messaging and collaboration environment.
Some features of interest include e-mail, project management, a versioning
document store, shared calendaring, and a knowledge base. It can be
accessed via both a web interface or through fat clients such as
Evolution, the Mozilla suite (Thunderbird and Sunbird) and any other third
party application that supports WebDAV. Currently, Open-Xchange is in
development with a slated stable release (v0.8) in March 2005. If you want
to see what OX is like before undertaking the somewhat daunting install,
you can try it out using the online demo[27].
25. http://www.open-xchange.org
26. http://www.novell.com/products/openexchange
27. http://mirror.open-xchange.org/ox/EN/community/online.htm
Installation and support
There are currently two ways to install OX in Gentoo Linux: using the
ebuild from Bugzilla[28] (not currently in the Portage tree), or manually
installing it. A Wiki page[29] explains the installation using the ebuild,
but for most of the necessary steps to get OX successfully running, an
additional manual installation HOWTO[30] covers the prerequisite
configurations as well as extending and enhancing Open-Xchange. For
Gentoo-specific questions a Gentoo Forum thread[31] with several hundred
posts has most of the answers that are available so far.
28. http://bugs.gentoo.org/show_bug.cgi?id=62197
29. http://gentoo-wiki.com/HOWTO_Open-Xchange
30. http://www.mikefetherston.ca/OX/
31. http://forums.gentoo.org/viewtopic-t-233291.html
If you are not already familiar with the servers that OX uses be prepared
for a steep learning curve and to do a lot of reading. A majority of the
problems experienced so far involve LDAP configuration, Apache/Tomcat
integration, and SASL authentication. All of the servers that OX relies on
need to be properly configured and working before you can proceed with the
actual Open-Xchange install.
Note: Author Mike Fetherston was a dedicated Slackware user who turned to
Gentoo in early 2004. Upon Netline's release of SuSE's SLOX server under
the GPL he covered his initial installation experiences and tremendous
feedback from the Gentoo user community in a document of currently more
than 40 pages.
==================
3. Gentoo security
==================
OpenMotif: Multiple vulnerabilities in libXpm
---------------------------------------------
Multiple vulnerabilities have been discovered in libXpm, which is included
in OpenMotif, that can potentially lead to remote code execution. (NB:
This is the same vulnerability that was fixed in xorg-x11 last November)
For more information, please see the GLSA Announcement[32]
32. http://www.gentoo.org/security/en/glsa/glsa-200502-07.xml
PostgreSQL: Local privilege escalation
--------------------------------------
The PostgreSQL server can be tricked by a local attacker to execute
arbitrary code.
For more information, please see the GLSA Announcement[33]
33. http://www.gentoo.org/security/en/glsa/glsa-200502-08.xml
Python: Arbitrary code execution through SimpleXMLRPCServer
-----------------------------------------------------------
Python-based XML-RPC servers may be vulnerable to remote execution of
arbitrary code.
For more information, please see the GLSA Announcement[34]
34. http://www.gentoo.org/security/en/glsa/glsa-200502-09.xml
pdftohtml: Vulnerabilities in included Xpdf
-------------------------------------------
pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to execution of arbitrary code upon converting a malicious PDF
file.
For more information, please see the GLSA Announcement[35]
35. http://www.gentoo.org/security/en/glsa/glsa-200502-10.xml
Mailman: Directory traversal vulnerability
------------------------------------------
Mailman fails to properly sanitize input, leading to information
disclosure.
For more information, please see the GLSA Announcement[36]
36. http://www.gentoo.org/security/en/glsa/glsa-200502-11.xml
Webmin: Information leak in Gentoo binary package
-------------------------------------------------
Portage-built Webmin binary packages accidentally include a file
containing the local encrypted root password.
For more information, please see the GLSA Announcement[37]
37. http://www.gentoo.org/security/en/glsa/glsa-200502-12.xml
Perl: Vulnerabilities in perl-suid wrapper
------------------------------------------
Vulnerabilities leading to file overwriting and code execution with
elevated privileges have been discovered in the perl-suid wrapper.
For more information, please see the GLSA Announcement[38]
38. http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml
mod_python: Publisher Handler vulnerability
-------------------------------------------
mod_python contains a vulnerability in the Publisher Handler potentially
leading to information disclosure.
For more information, please see the GLSA Announcement[39]
39. http://www.gentoo.org/security/en/glsa/glsa-200502-14.xml
=========================
4. Heard in the community
=========================
gentoo-dev
----------
Remove no [insert feature here] USE-flags from the tree
Michiel de Bruijne [40] writes: "There are quite a few ebuilds in the tree
that make use of a no [insert feature here] USE-flag. So basically by
disabling the USE-flag you get more features. Pulling in extra
dependencies by disabling the USE-flag is a possibility. This has some
nasty side effects ..." The following discussion shows quite well why
these USE-flags are not good.
40. m.debruijne@hccnet.nl
* Remove no [insert feature here] USE-flags from the tree[41]
41. http://thread.gmane.org/gmane.linux.gentoo.devel/25197
Automatic stabilization of packages
Approximately every 6 months the same discussion comes up: How can the
packages in portage be kept up to date? The naive approach would be
automatic stabilization after a certain period of time. This thread shows
why for the most part that is not a good idea ...
* Automatic stabilization of packages[42]
42. http://thread.gmane.org/gmane.linux.gentoo.devel/25254
Closing or resolving bugs, which is it?
Marius Mauch[43] writes: "I noticed a new trend lately introduced by a few
new devs: changing bug status from RESOLVED to CLOSED. Personally I just
find it annoying and completely useless. Can we agree to not do that
unless there is a technical reason? Don't see any benefit in this, just
means that closed bugs are now split between two "categories" with no
actual difference."
43. genone@gentoo.org
* should we close bugs?[44]
44. http://thread.gmane.org/gmane.linux.gentoo.devel/25168
=======================
5. Gentoo International
=======================
USA: Gentoo Bugday event at Oregon State University LUG
-------------------------------------------------------
Gentoo Bugdays[45] are regularly held every first Saturday of each month,
with developers and users everywhere gathering on IRC and skimming
Gentoo's bugzilla for anything that looks like it needs fixing. On 5
February, the Linux User Group of Oregon State University took the
opportunity and turned the virtual event into a real one[46]. Twelve OSLUG
members met at Weatherford Hall, the OSU residential college building.
Aided by a precompiled list of bugs prepared by Gentoo's Bugday organizers
for this occasion, they kept squashing bugs from 9:00 to 16:00, with the
official IRC channel #gentoo-bugs being projected overhead, and assorted
computers scattered around the classroom, each with a determined Gentoo
bug hunter in front of the screen.
45. http://bugday.gentoo.org/
46. http://lug.oregonstate.edu/wiki/index.cgi?GentooBugDay
Figure 5.1: The Klendathu, OR bughunt: Deedra Waters, Dunbar (background)
and Micheal Clay
http://www.gentoo.org/images/gwn/20050214_oslug.jpg
Note: More photos are available at the OSLUG website.
Germany: Storage tool release for Gentoo Linux
----------------------------------------------
Commercial releases of Linux applications with official support outside
the RedHat/SuSE/Mandrake realm are scarce and far between. A German
company, SEP AG[47], has now announced the availability of their storage
management product "SEP sesam" for Gentoo Linux. "We're traditionally tied
to SuSE Linux, but had Gentoo on our radar ever since we watched the
impressive installation Lars Weiler[48] did on an HP Proliant cluster at
last year's LinuxTag in Karlsruhe," recalls SEP's sales manager Johann
Krahfuss (cf. GWN report 28 June 2004[49]). "So when our first customers
demanded an adaptation of SEP sesam to Gentoo Linux, it didn't exactly
take us by surprise." The German federal research institution Fraunhofer
Gesellschaft[50] were the first to request a SEP sesam installation inside
a Gentoo Linux environment, "and since we didn't encounter any problems
whatsoever, we feel it's ready for official release," says Krahfuss. A
30-day-test version (including support) can be downloaded from the
corporate website's download section. SEP sesam is designed for data
storage management in heterogenous networks, including Linux, BSD,
Solaris, TRU/64, OpenVMS, Windows and Mac OS X. The company will be
present at next week's CRN Storage Solution Days 2005[51] in Neuss (link
in German only).
47. http://www.sep.de
48. pylon@gentoo.org
49. http://www.gentoo.org/news/en/gwn/20040628-newsletter.xml
50. http://www.fhg.de
51. http://www.solutiondays.de/storage
======================
6. Gentoo in the press
======================
Newsforge (8 and 9 February 2005)
---------------------------------
Newsforge published an article in two parts about using MySQL to benchmark
OS performance[52], as analyzed and written by Tony Bourke[53]. The
performance check spans server operating systems Open-, Net- and FreeBSD,
Solaris 10, and Linux as platforms for MySQL database execution, and
"among a multitude of distributions" Gentoo was chosen for the Linux part
of the test, running both 2.4 and 2.6 kernels (gentoo-sources) on
ReiserFS. "With Gentoo it was also relatively easy to install NPTL for
2.6, which I used in the 2.6 tests," says Tony Bourke, "although they
didn't make any difference when compared to non-NPTL 2.6 results." While
the first part just explains the tools and the methodology, the actual
performance comparison is published in a separate article[54] - with
amazing results, Gentoo Linux clearly winning all individual benchmark
tests. Funnily enough, Gentoo's outstanding performance even triggered
complaints about the "unfair advantage"[55] of using a source-based,
possibly processor-optimized Linux distribution as a platform for the
comparison.
52. http://software.newsforge.com/software/04/12/27/1238216.shtml
53. http://vegan.net/tony/
54. http://www.newsforge.com/article.pl?sid=04/12/27/1243207
55.
http://www.newsforge.com/comments.pl?sid=43141&op=&threshold=0&commentsort=0&mode=thread&tid=152&pid=106968#106970
CNET (7 February 2005)
----------------------
Sun's President Jonathan Schwartz nods his head to Gentoo's OpenSolaris
effort in an interview published on CNET last week. While explaining the
OpenSolaris governance model to interviewer Stephen Shankland, he claims
"Solaris is now officially platform-neutral"[56] and expects "10 or more"
non-Sun OpenSolaris distributions to appear in the market.
56. http://news.com.com/Suns+open-source+gamble/2008-1082_3-5564283.html
Security Focus (2 February 2005)
--------------------------------
Columnist Jason Miller says Linux kernel security handling is broken, "and
it needs to be fixed right now." The article at securityfocus.com[57], a
publication mainly read by security professionals, is highly critical of
the way security bugs in the Linux kernel are being addressed. But the
author, a self-proclaimed "huge follower of BSD-based operating systems,"
has some good news, too: "Once we start looking at actual distributions of
the Linux kernel as a complete operating system, we find some
distributions with official security contacts, as well as security-related
pages similar to those provided by the major BSD-based operating systems.
Gentoo Linux Security is a good example of that."
57. http://www.securityfocus.com/columnists/296
Réseaux & Télécoms (3 February 2005, in French)
--------------------------------------------------
Directly responding to the Security Focus column by Jason Miller, the
French network and telco magazine looks beyond the kernel as a security
issue: Both flaws in individual applications not depending on the kernel,
and the distribution of security-related information are identified as
equally important fields of activity for the "bug hunters of open source."
The article "Noyau Linux : Mais où est la sécurité ?"[58] acknowledges
Miller's conclusion of "things changing, fast and in the right direction,"
and praises Thierry Carrez (see our interview above[59]) as an example for
"impressive work." With the current pace of discussion around the
structure of security handling and the distribution of information, it's
"time to show some optimism," says author Marc Olanie, pointing out that
it took Microsoft eighteen years to standardize their own security
procedures -- "or have they?"
58.
http://www.reseaux-telecoms.com/cso_btree/05_02_03_194507_984/CSO/Newscso_view
59.
http://www.gentoo.org/news/en/gwn/20050214-newsletter.xml#doc_chap1_sect2
Sun blogs (31 January 2005)
---------------------------
Eric Boutilier, an engineer at Sun, Inc. is gearing up for Gentoo
development on OpenSolaris, and posted his first attempts at familiarizing
himself with Portage on Linux to his blog at the Sun website[60]. While
his choice of installation material is peculiar - Gentoo-clone Vidalinux
rather than a standard install, and on a five-year-old Portégé laptop - he
quickly falls in sync with normal Portage user behaviour for lengthy
compiles: "Oh well. I left it happily building away and went to work."
60. http://blogs.sun.com/roller/page/eric_boutilier/20050131
===========
7. Bugzilla
===========
Summary
-------
* Statistics
* Closed bug ranking
* New bug rankings
Statistics
----------
The Gentoo community uses Bugzilla (bugs.gentoo.org[61]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 06 February 2005 and 13 February 2005, activity
on the site has resulted in:
61. http://bugs.gentoo.org
* 860 new bugs during this period
* 699 bugs closed or resolved during this period
* 37 previously closed bugs were reopened this period
Of the 8036 currently open bugs: 102 are labeled 'blocker', 243 are
labeled 'critical', and 600 are labeled 'major'.
Closed bug rankings
-------------------
The developers and teams who have closed the most bugs during this period
are:
* osx porters[62], with 179 closed bugs[63]
* Gentoo's Team for Core System packages[64], with 53 closed bugs[65]
* Gentoo KDE team[66], with 30 closed bugs[67]
* AMD64 Porting Team[68], with 24 closed bugs[69]
* Gentoo Security[70], with 23 closed bugs[71]
* media-video herd[72], with 19 closed bugs[73]
* Gentoo Games[74], with 19 closed bugs[75]
* Text-Markup Team[76], with 17 closed bugs[77]
62. osx@gentoo.org
63.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=osx@gentoo.org
64. base-system@gentoo.org
65.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=base-system@gentoo.org
66. kde@gentoo.org
67.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=kde@gentoo.org
68. amd64@gentoo.org
69.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=amd64@gentoo.org
70. security@gentoo.org
71.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=security@gentoo.org
72. media-video@gentoo.org
73.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=media-video@gentoo.org
74. games@gentoo.org
75.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=games@gentoo.org
76. text-markup@gentoo.org
77.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-02-06&chfieldto=2005-02-13&resolution=FIXED&assigned_to=text-markup@gentoo.org
New bug rankings
----------------
The developers and teams who have been assigned the most new bugs during
this period are:
* AMD64 Porting Team[78], with 30 new bugs[79]
* Gentoo Sound Team[80], with 18 new bugs[81]
* Gentoo X-windows packagers[82], with 15 new bugs[83]
* Net-Mail Packages[84], with 11 new bugs[85]
* Mobile Herd[86], with 11 new bugs[87]
* media-video herd[88], with 11 new bugs[89]
* Gentoo KDE team[90], with 10 new bugs[91]
* Portage team[92], with 10 new bugs[93]
78. amd64@gentoo.org
79.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=amd64@gentoo.org
80. sound@gentoo.org
81.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=sound@gentoo.org
82. x11@gentoo.org
83.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=x11@gentoo.org
84. net-mail@gentoo.org
85.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=net-mail@gentoo.org
86. mobile@gentoo.org
87.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=mobile@gentoo.org
88. media-video@gentoo.org
89.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=media-video@gentoo.org
90. kde@gentoo.org
91.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=kde@gentoo.org
92. dev-portage@gentoo.org
93.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-02-06&chfieldto=2005-02-13&assigned_to=dev-portage@gentoo.org
==================
8. Tips and tricks
==================
Portage magic: Identify obsolete packages
-----------------------------------------
Gentoo developer Brian Harring[94] designed a clever way to identify all
merged versions of packages not available in Portage anymore -- both the
official tree and packages from PORTDIR_OVERLAY. Here is the method he
came up with, packing as much Python neatness as fits on a single command
line:
94. ferringb@gentoo.org
---------------------------------------------------------------------------
| Code Listing 8.1: |
|Python scriptlet |
#1-------------------------------------------------------------------------
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all","="+x))==0]' |
| |
---------------------------------------------------------------------------
If that just went a little over your head, let's look at what exactly it
does. For example, if a package, say, foo-1.2.3 is merged, and that
version 1.2.3 is no longer in the tree, the script will point it out. A
simple check for packages that aren't available any longer regardless of
versions, would look like this:
---------------------------------------------------------------------------
| Code Listing 8.2: |
|Python scriptlet |
#2-------------------------------------------------------------------------
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0]' |
| |
---------------------------------------------------------------------------
Finally, if you want to ignore package foo-1.2.3 even if it isn't in the
tree any longer, but a revision foo-1.2.3-r1 is, the following script will
ignore the package, only triggering on installed applications that have
completely vanished from Portage.
---------------------------------------------------------------------------
| Code Listing 8.3: |
|Python scriptlet |
#3-------------------------------------------------------------------------
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if |
len(portage.portdb.xmatch("match-all","~"+"-".join(portage.pkgsplit(x)[:2])
))==0]'
| |
---------------------------------------------------------------------------
Lastly, none of the above take injected packages into consideration, only
those that were installed from an available tree. Now, suppose you'd like
to ignore those, too, here's what to do:
---------------------------------------------------------------------------
| Code Listing 8.4: |
|Python scriptlet |
#4-------------------------------------------------------------------------
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0 \ |
|and not portage.db["/"]["vartree"].dbapi.isInjected(x)]' |
| |
---------------------------------------------------------------------------
Yes, we knew you'd like this. All of the above do work for individual
packages you keep in an overlay tree, for example at /usr/local/portage,
those are being evaluated along with packages in the official Portage
tree. Try it out, you can't break anything, it just notifies you about
whatever it finds, leaving it up to the user to decide what to do with
that information.
===========================
9. Moves, adds, and changes
===========================
Moves
-----
The following developers recently left the Gentoo team:
* None this week
Adds
----
The following developers recently joined the Gentoo Linux team:
* Sebastian Bergmann (sebastian) - PHP
Changes
-------
The following developers recently changed roles within the Gentoo Linux
project:
* None this week
=====================
10. Contribute to GWN
=====================
Interested in contributing to the Gentoo Weekly Newsletter? Send us an
email[95].
95. gwn-feedback@gentoo.org
================
11. GWN feedback
================
Please send us your feedback[96] and help make the GWN better.
96. gwn-feedback@gentoo.org
================================
12. GWN subscription information
================================
To subscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-subscribe@gentoo.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-unsubscribe@gentoo.org from the email address you are
subscribed under.
===================
13. Other languages
===================
The Gentoo Weekly Newsletter is also available in the following languages:
* Danish[97]
* Dutch[98]
* English[99]
* German[100]
* french[101]
* japanese[102]
* italian[103]
* polish[104]
* portuguese (brazil)[105]
* portuguese (portugal)[106]
* russian[107]
* spanish[108]
* turkish[109]
97. http://www.gentoo.org/news/da/gwn/gwn.xml
98. http://www.gentoo.org/news/nl/gwn/gwn.xml
99. http://www.gentoo.org/news/en/gwn/gwn.xml
100. http://www.gentoo.org/news/de/gwn/gwn.xml
101. http://www.gentoo.org/news/fr/gwn/gwn.xml
102. http://www.gentoo.org/news/ja/gwn/gwn.xml
103. http://www.gentoo.org/news/it/gwn/gwn.xml
104. http://www.gentoo.org/news/pl/gwn/gwn.xml
105. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
106. http://www.gentoo.org/news/pt/gwn/gwn.xml
107. http://www.gentoo.org/news/ru/gwn/gwn.xml
108. http://www.gentoo.org/news/es/gwn/gwn.xml
109. http://www.gentoo.org/news/tr/gwn/gwn.xml
Ulrich Plate <plate@gentoo.org> - Editor
AJ Armstrong <aja@clanarmstrong.com> - Author
Mike Fetherston <mike@mikefetherston.ca> - Author
Patrick Lauer <patrick@gentoo.org> - Author
--
gentoo-gwn@gentoo.org mailing list