CORRECTED Gentoo Weekly Newsletter 24 January 2005
The Mac Mini story got accidentally dropped from the earlier
version of this newsletter. We apologize for the inconvenience.

GWN editor
Ulrich Plate

Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 24 January 2005.

1. Gentoo News


Only a few hours ahead of the first of many components[1] of the complete
Solaris source code being publicly released under Sun's brand new,
OSI-approved CDDL open-source license, Gentoo is pleased to announce plans
to add OpenSolaris[2] support to Portage. Gentoo Senior Manager and
OpenSolaris pilot program participant, Pieter Van den Abeele, has been
working closely with Sun's management, legal and engineering teams to
prepare this move. Gentoo will be leveraging the hard work of long-time
Solaris users and Gentoo Developers-in-training Sunil Kumar and Jason
Wohlgemuth, whose "Portaris" project has been running on top of Solaris 9
and 10 builds for quite a while already[3].

Figure 1.1: OpenSolaris + Looking Glass - an interesting alternative for
the open-source desktop market

With "Sun going back to its roots by open-sourcing the code," Pieter
expects OpenSolaris to have a huge impact on the open-source market. "With
their service and support network and their expertise, they can redefine
at least part of the open-source landscape in the enterprise," says
Pieter. And he expects Gentoo to become an important factor for
OpenSolaris' success: "We're able to build on prior experience with Gentoo
ports to non-Linux operating systems, we've had the technology preview of
Gentoo for Mac OS X[4], we've got developers working full-time on
Opendarwin support, and we're well out of the starting blocks for the race
to Gentoo-ified BSD kernels and userland applications[5]," he says. "But
even I wasn't quite prepared for my Sparc booting with a Gentoo
bootsplash," laughs Pieter.

The unofficial Portaris[6] or "Portage for Solaris" project has been
maintaining Gentoo's package management system on top of Solaris 9 and 10
systems. Its two biggest contributors, Sunil Kumar and Jason Wohlgemuth
(who, like Pieter, is a member of Sun's pilot program for open-sourcing
Solaris), have invested a tremendous amount of their time in this project,
culminating in a veritable installer for Solaris[7] that has been
available to a small, knowledgeable Solaris user community for several
months already.

New kernel profiles for 2005.0

In view of the 2005.0 release date, the Gentoo developers on the kernel
team have been working very hard amalgamating the sources in the Portage
tree. Since the 2.6 kernel tree will become the default for all supported
architectures except Sparc, the separate kernel categories in Portage are
being abolished and replaced by the same generic names formerly used for
the 2.4 versions of the same sources. This is the first time that the new
"cascading profiles" feature in Portage has been used to manage the
dependency requirements of a package. In essence, this means that the same
package - say, gentoo-sources - will automatically decide whether its 2.6
or 2.4 version is being requested, based on the specifications in the
chosen sub-profile. By linking /etc/make.profile to either the 2.4 or 2.6
subprofile (whichever may exist for your profile) in
/usr/portage/profiles/default-[OS]/[arch]/2005.0/, you can choose which
one you want as your personal default, while the other version will be
masked. If you don't choose a subprofile, 2.6 will automatically become the
default, where applicable.

"If you're currently still running 2.4 kernels, but don't care all that
much about staying, this would be a perfect moment to switch," suggests
Gentoo kernel dev John Mylchreest[8]. "We do recommend switching to 2.6
wherever possible, and you can catch up on what's involved by reading our
kernel migration guide[9]." Sparc being the only architecture with a
number of unresolved issues preventing a move to 2.6 as default, the newer
version will become the standard for virtually everybody else. Users with
any of the following kernel sources currently installed on their systems
need to be aware that these are going to be removed at the same time as
the 2005.0 release. Their replacements are also listed:

* development-sources will become vanilla-sources
* gentoo-dev-sources will become gentoo-sources
* rsbac-dev-sources will become rsbac-sources
* hardened-dev-sources will become hardened-sources

The switch is going to be automatic for users who follow a steady rsync
and emerge world diet. When the next version of their kernel sources
becomes available, an emerge --update will pull in the source tarball
under its new name, and update accordingly. While the Gentoo kernel team
recommends switching, this also works for users with specific reasons to
keep their 2.4 series: They just have to make sure they link to a 2.4
subprofile, and emerge --update for them will consequently only fetch and
install newer versions in the 2.4 tree, not 2.6.

The move on to the new profile that sets 2.6 by default will involve
changing from the old linux26-headers to linux-headers at the same time.
An emerge glibc - or emerge system - may be a good idea at that point.

Except for the pegasos-dev-sources that have already been moved
to pegasos-sources, the changeover will occur at the same time as the
2005.0 release. More detailed information, including specific instructions
for linking /etc/make.profile to the right subprofile will be made
available at that time.

Genesi Open Desktop Workstation sales - Gentoo Linux pre-installed

From 1 March 2005, Luxembourg-based Genesi[10] will start selling their
Open Desktop Workstation in a configuration with Gentoo Linux
pre-installed - for a price of $999 USD, ten percent of which will be
donated to the Gentoo Foundation! Bill Buck, CEO of Genesi, explains the
new sponsoring deal: "For every workstation we sell thanks to a referral
from Gentoo's website, we'll donate 100 USD to the Foundation." As many
Gentoo users have been looking for attractive opportunities to support
Gentoo financially, sales are expected to soar now that the ODWs are
clearly benefitting the project as a whole. Moreover, Genesi is offering
their Gentoo-ified models at a considerable rebate compared to their own
standard offers of desktop and server configurations for $1399 and $1799

Figure 1.1: Open Desktop Workstations with Gentoo Linux/PPC, shipping soon!

The Open Desktop Workstation is configured as follows:

* Pegasos II with 1GHz G4 processor
* 256MB of PC2100 DDR RAM
* CDRW drive
* 40GB ATA100 Hard Disk
* Radeon 9200SE 128MB AGP Graphics with DVI, VGA, and TV-Out
* Low profile small footprint case - tower or desktop orientation

Thirteen of these ODWs had previously been donated to Gentoo developers
for thorough testing and feature development, and consequently Gentoo
fully supports the PegasosPPC. The pre-installed version is based on the
2004.3 release of Gentoo Linux/PPC.

Pre-ordering is available right away. Sales will begin on 1 March 2005 -
detailed information about how to order will be sent to everyone
expressing interest. To be alerted when orders for the ODWs with Gentoo
Linux can be placed, send a message

Rumour confirmed - Gentoo first to run on Mac Mini!

Gentoo/PPC developer Daniel Ostrow[11] has succeeded in bringing the Mac
Mini into the family of Gentoo supported PowerPC based machines. The
system will be fully supported by 2005.0 and boots cleanly using 2004.3.

Figure 1.1: Fresh out of the box, running Gentoo Linux/PPC: Apple's new
Mac Mini

The next step will be getting the attached 20" display to behave under X.
The machine will be on display at the Gentoo booth at Linux World Expo -
Boston edition[12] on 12 to 14 February, and FOSDEM[13] in Brussels later
that month.

2. Future Zone

Renovating the Forums - phpBB brush-up and other changes

Something's afoot in the Forums, and we asked one of the admins, Christian
Hartmann[14] (ian), what was going on. The following interview sheds some
light on what we can expect to happen in the very near future:

Q: The Forums footer says: Powered by phpBB 2.0.x © 2001, 2002 phpBB
Group. What version are we actually using at the moment?

A: At the moment we are using a heavily patched version of the phpBB 2.0
branch. All security related bugs have been patched. Furthermore we
applied some performance tweaks and other modifications[15].

Q: Why aren't you just using a vanilla phpBB 2.0.11 instead?

A: That's a very frequently asked question. First of all we will indeed
switch to the latest stable phpBB release soon. Backporting all the
patches we applied to their 2.0.x codebase will almost be done by the time
you read this.

Q: What about all the feature requests in Gentoo Forums Feedback[16]?

A: We look at every post in Gentoo Forums Feedback and know exactly what
our users demand. After installing the new forums software we will have a
look at implementing a lot of new and exciting stuff. Expect a period
where we'll have something new almost every week...

Q: Does that mean that you will also make use of mods?

A: Exactly! That is one of the reasons why we are switching to the latest
phpBB release. This will make adding modifications much easier.

Q: Adding modifications to the forums was a "no-no" for a long time.
What made you change your mind?

A: Gentoo is a project based entirely on the work of volunteers, and so is
its Infrastructure team. We just didn't have the resources to do any of
the more sophisticated things. Now that we do, it was about time we
changed our policy and started working on it.

Q: Talking about modifications and additions, what can we expect to see?

A: We'll have to move the forums web service to a different server soon,
and we'll start making use of the new forums software when switching to
that new server. The user hopefully will not even realize that we switched
to different software. It will be mostly the same as it is now, just with
a clean codebase, and with some of the earlier itches like the search
bug[17] ironed out. More corrections will be made to the language packs,
and after that we will add two more forums, one each for our Turkish and
our Arab users. There's a lot more on our todo-list, but we can talk about
those additions once we're done with the first batch.

3. Gentoo security

Squid: Multiple vulnerabilities

Squid contains vulnerabilities in the code handling NTLM (NT Lan
Manager), Gopher to HTML and WCCP (Web Cache Communication Protocol) which
could lead to denial of service and arbitrary code execution.

For more information, please see the GLSA Announcement[18]

ImageMagick: PSD decoding heap overflow

ImageMagick is vulnerable to a heap overflow when decoding Photoshop
Document (PSD) files, which could lead to arbitrary code execution.

For more information, please see the GLSA Announcement[19]

Ethereal: Multiple vulnerabilities

Multiple vulnerabilities exist in Ethereal, which may allow an attacker to
run arbitrary code, crash the program or perform DoS by CPU and disk

For more information, please see the GLSA Announcement[20]

Xpdf, GPdf: Stack overflow in Decrypt::makeFileKey2

A stack overflow was discovered in Xpdf, potentially resulting in the
execution of arbitrary code. GPdf includes Xpdf code and therefore is
vulnerable to the same issue.

For more information, please see the GLSA Announcement[21]

Mailman: Cross-site scripting vulnerability

Mailman is vulnerable to cross-site scripting attacks.

For more information, please see the GLSA Announcement[22]

CUPS: Stack overflow in included Xpdf code

CUPS includes Xpdf code and therefore is vulnerable to the recent stack
overflow issue, potentially resulting in the remote execution of arbitrary

For more information, please see the GLSA Announcement[23]

teTeX, pTeX, CSTeX: Multiple vulnerabilities

teTeX, pTeX and CSTeX make use of vulnerable Xpdf code which may allow the
remote execution of arbitrary code. Furthermore, the xdvizilla script is
vulnerable to temporary file handling issues.

For more information, please see the GLSA Announcement[24]

KPdf, KOffice: Stack overflow in included Xpdf code

KPdf and KOffice both include vulnerable Xpdf code to handle PDF files,
making them vulnerable to the execution of arbitrary code.

For more information, please see the GLSA Announcement[25]

MySQL: Insecure temporary file creation

MySQL is vulnerable to symlink attacks, potentially allowing a local user
to overwrite arbitrary files.

For more information, please see the GLSA Announcement[26]

4. Gentoo International

Belgium: Gentoo Developer Meeting at FOSDEM (

Gentoo will again be present at FOSDEM[27] in Brussels, the annual
non-commercial Free and Open Source Software Developers' European Meeting.
It will take place at the Université Libre de Bruxelles[28] on the
weekend of 26 and 27 February. The Gentoo community will be represented by
more than 25 developers from Belgium, the Netherlands, France, Germany,
Denmark, Spain, Italy, and even the U.S. This time we have our own
Developers' Room[29], an amphitheatre with 59 seats, open on Saturday and

A full schedule of presentations[30] has been set up by Gentoo's Fosdem
organizer for the Developers' room, Lars Weiler[31]. In addition to this,
one of Gentoo's portage developers, Marius Mauch[32], will give a
presentation about portage as part of Fosdem's main track.

As usual we will also show hardware which is supported by Gentoo, like
Genesi's[33] PegasosPPC, an UltraSparc and an SGI Octane. Several MacMinis
are also expected to get thrown in the mix. Gentoo LiveCDs will be
available for purchase at FOSDEM.

USA: CPLUG Security Conference (5 March)

Central PA Linux Users Group[34] will be hosting a Security Conference[35]
at Messiah College near Harrisburg, Pennsylvania, on 5 March 2005. The
all-day event will feature several speakers covering topics with a
technical focus on Linux-related networking and security, including Gentoo
Hardened developer Brandon Hale[36] who will make a presentation on
"Advanced Memory Protections with Linux". Registrations have already
started and accommodation is provided by the organizers upon request.
Admission to the event is $5 USD, including lunch.

5. Gentoo in the press

Wildlife Photographer of the Year 2004

Gentoos are "busily coming and going, squabbling and fighting, raucously
greeting each other," and - before you start thinking we're reporting from
a developer conference here - "stealing stones from their neighbours'
nests." Nah, we'd never do that, of course. Swedish photographer Lars-Olof
Johansson received a "Highly commended" mention at the BBC Wildlife
Magazine's and The Natural History Museum's "Wildlife Photographer of the
Year" contest, for his extraordinarily intimate shot of two Gentoo chicks
and their mother[37]. Disclaimer: We don't do that, either...

6. Bugzilla




The Gentoo community uses Bugzilla ([38]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 16 January 2005 and 23 January 2005, activity on
the site has resulted in:

* 990 new bugs during this period
* 546 bugs closed or resolved during this period
* 35 previously closed bugs were reopened this period

Of the 7976 currently open bugs: 109 are labeled 'blocker', 230 are
labeled 'critical', and 593 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period

* Gentoo KDE team[39], with 41 closed bugs[40]
* OpenOffice Team[41], with 27 closed bugs[42]
* Gentoo Games[43], with 26 closed bugs[44]
* AMD64 Porting Team[45], with 21 closed bugs[46]
* Vim Maintainers[47], with 20 closed bugs[48]
* Java team[49], with 20 closed bugs[50]
* media-video herd[51], with 19 closed bugs[52]
* Gentoo's Team for Core System packages[53], with 17 closed bugs[54]

New bug rankings

The developers and teams who have been assigned the most new bugs during
this period are:

* Gentoo Sound Team[55], with 17 new bugs[56]
* Gentoo Linux Gnome Desktop Team[57], with 17 new bugs[58]
* Gentoo X-windows packagers[59], with 16 new bugs[60]
* Gentoo's Team for Core System packages[61], with 14 new bugs[62]
* Gentoo Kernel Bug Wranglers and Kernel Maintainers[63], with 13 new
* AMD64 Porting Team[65], with 13 new bugs[66]
* Gentoo KDE team[67], with 12 new bugs[68]
* media-video herd[69], with 11 new bugs[70]

7. Tips and Tricks

Watching logfiles on your desktop: root-tail

A good sysadmin should be able to keep track of what's happening on his system
at any time. To keep up with what's going on it would be best to see the
logfiles just scrolling by on the desktop, but most utilities, like tail
-f, cannot handle more than one file at a time. Moreover, it's a little
tricky to configure a terminal so that it becomes borderless and

Enter x11-terms/root-tail[71]. This handy utility opens a window on your
desktop and lets you look at any given logfile's entries as they're made.
There is only one problem: Most modern Window Managers occupy the desktop
and show a background-image on it. But there are workarounds, and one (for
xfce4) is shown here:

Code Listing 7.1: Script for starting root-tail in

    #!/bin/bash
    # Look up the X window ID of the window named 'Desktop'
    deskid=$(xwininfo -int -name 'Desktop' | grep 'Desktop' | awk -F' ' '{ print $4 }')
    # Draw both logfiles onto that window; -f forks root-tail into the background
    root-tail -g 900x150+50+575 -font 6x10 -outline -minspace -id "${deskid}" -f \
        /var/log/emerge.log,yellow \
        /var/log/messages,lightblue

This script will find out the window ID of xfce4's desktop, then
fork root-tail into the background with a given size, place and font upon
the desktop where the ID is now known, and will show two logfiles,
printing messages in different colours. Bear in mind that if you are using
a localized environment, Desktop could be named differently, of course.
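
The following is an added example, not part of the original newsletter: a variant of Code Listing 7.1 that tries several window titles and refuses to start root-tail when no desktop window ID is found, which covers the localized-environment case mentioned above. The DESKTOP_NAMES list, the sample output and the --start argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the newsletter's script. DESKTOP_NAMES is an assumption:
# "Desktop" is the title used in Code Listing 7.1; the other two are
# constructed samples for localized environments.
DESKTOP_NAMES="Desktop Schreibtisch Bureau"

# Constructed sample of `xwininfo -int -name Desktop` output (for offline checks).
SAMPLE_XWININFO='
xwininfo: Window id: 20971526 "Desktop"

  Absolute upper-left X:  0
  Absolute upper-left Y:  0'

# Read `xwininfo -int` output on stdin and print the decimal window ID.
# Returns 1 when no numeric ID is present (e.g. the window was not found).
parse_window_id() {
    awk '/Window id:/ && $4 ~ /^[0-9]+$/ { print $4; found = 1; exit }
         END { exit !found }'
}

# Try each candidate title in turn; print the first window ID found.
find_desktop_id() {
    for name in $DESKTOP_NAMES; do
        if id=$(xwininfo -int -name "$name" 2>/dev/null | parse_window_id); then
            printf '%s\n' "$id"
            return 0
        fi
    done
    return 1
}

# Start root-tail only with a validated window ID, so an empty lookup
# never reaches the -id option.
start_root_tail() {
    if ! deskid=$(find_desktop_id); then
        echo "root-tail not started: no desktop window among: $DESKTOP_NAMES" >&2
        return 1
    fi
    root-tail -g 900x150+50+575 -font 6x10 -outline -minspace -id "$deskid" -f \
        /var/log/emerge.log,yellow \
        /var/log/messages,lightblue
}

# Launch only when asked to, so the functions can be sourced and checked.
if [ "${1:-}" = "--start" ]; then
    start_root_tail
fi
```

Run it with --start from the session's autostart; without the argument it only defines the functions.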

8. Moves, adds, and changes


The following developers recently left the Gentoo team:

* None this week


The following developers recently joined the Gentoo Linux team:

* Fernando J. Pereda (ferdy) - net-mail


The following developers recently changed roles within the Gentoo Linux

* None this week

