Mailing List Archive

Gentoo Weekly Newsletter 14 February 2005
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 14 February 2005.

1. Gentoo News

Gentoo Forums platform and software switch

As anticipated in a Future zone[1] article three weeks ago, the Gentoo
Forums[2] have switched to a new hardware platform and an upgraded version
of phpBB, now running on a clean codebase, normalizing all the patches
that had been applied to the old version, and more feature-rich than the
release that was powering the Forums before. Among the embellishments are
better language packs for the non-English forums, new URI styles with
absolute links that enable search engine spiders to index the entire
Forum, and a few things of lesser visibility, like the moderators' new
ability to join threads -- displacing posts from threads where they're out
of context to a more appropriate location was never possible before. A few
glitches aside, the changeover went so smoothly that none of the users
realized it until it was all over and done. Congratulations to Christian
Hartmann[3] and Lance Albertson[4] for a flawless migration!

Gentoo event calender for February/March 2005

Busy days for Gentoo evangelists: Their schedule has never been so packed
with shows, conferences and presentations as over the next four weeks.
Here's a list of the upcoming events, with a last reminder for tomorrow's
LWE in Boston at the top.

* Linux World Expo[5] - 15-18 February in Boston, MA: Hynes Convention
* FOSDEM[6] - 26 and 27 February in Brussels, Belgium: Université Libre
de Bruxelles
* CPLUG Security Conference[7] - 5 March in Grantham, PA: Messiah College

* Chemnitzer Linux-Tage[8] - 5 and 6 March in Chemnitz, Germany:
Technische Universität
* Gentoo UK Conference[9] - 12 March in Manchester, UK: University of

Note: Links point to official event websites or -- if available -- Gentoo
developer pages organizing our own presence.

Gentoo Linux Security Team -- Interview with Thierry Carrez

If you have a habit of watching the pattern of security issues and
responses in the Linux world, you've probably noticed that Gentoo's alerts
and responses to those issues tend to follow rapidly on the heels of
initial discovery. In fact, Gentoo Linux Security Announcements (GLSAs)
are a frequently cited resource for security notifications and fix status
even outside the Gentoo community. This reputiation of responsiveness is a
remarkable feat for a community which does not have a commercial arm
supporting a dedicated security response center.

Thierry Carrez[10] (koon), one of the Operational Managers for Gentoo's
Security Team[11], was kind enough to take a few minutes to explain some
of the practices that have allowed the team to be so efficient in
identifying and responding to security issues.

Could you give us a rough overview of the process involved in identifying
and fixing security flaws? What steps are involved? Who performs them?
What tools are used?

We follow the Vulnerability Treatment Policy[12] to handle security bugs.
In brief, public vulnerabilities get submitted by users, our security
scouts or the security developers, whoever finds it first. Sometimes we
get notified by confidential channels (the vendor-sec list or direct
contact from the upstream developers or auditors). Then the security bug
progresses through upstream status (where we wait for a fix from upstream
maintainers); ebuild status (where we call the Gentoo maintainer for the
package and ask for a fixed ebuild); stable status, where we ask all
security-supported arches to test and mark the fixed package stable; and
finally to glsa status where we issue a GLSA if necessary. Sometimes we
get stuck at one of those intermediate statuses and have to work out a
patch ourselves. Sometimes we don't find a solution and we mask the
package because it's a security risk to leave it in the tree without a fix.

Security bug handling is mostly calling the right people at the right time
to try to get the ball rolling at all times. This task is performed by the
GLSA coordinators, and it's not automated. We rely heavily on the other
Gentoo developers (package maintainers and arch teams) to do the patching
and testing.

Where do you find out about security flaws? Mailing lists? Alerts? Do we
do testing ourselves?

We rely on our user base to submit as many public vulnerabilities as they
can. The security team tries to get all those that go unnoticed. Security
flaws come from public mailing-lists like BugTraq or Full-Disclosure, and
also upstream security advisories and other distribution advisories. We
are more and more accepted as part of the general Linux security community
and therefore we get notice of some vulnerabilities before they go public.
To contribute back we have recently set up a Security Audit subproject to
find vulnerabilities by ourselves, and our package maintainers also find a
lot of vulnerabilities in their testing.

When a flaw is identified, how is it documented?

Most of the time we just copy the public advisory information, and then
proceed in verifying that it applies to Gentoo Linux, and rate its
severity. This severity seeds priorities, as we try to respect the delays
indicated in the Vulnerability Treatment Policy.

Is there a formal process where the resolution of a flaw is assigned to
someone? How are priorities set? How is the fix documented and tested?

Each GLSA Coordinator can take a bug and be tasked to ensure the ball
keeps rolling on this bug at all times. But if a bug gets stuck, every
security developer can intervene to unstick it. Priorities are set by
severities, following the rules described in the Vulnerability Treatment

When a fix is available, how is it documented? Who does the GLSA? How are
GLSA's transmitted? How are they archived or stored?

We document the fix in a GLSA draft, which must get at least two positive
peer-reviews before getting released. We use a tool called GLSAMaker to
help in ensuring consistency between all GLSAs. The GLSA is written by the
GLSA Coordinator or sometimes by one of our Security Apprentices (GLSA
coordinators in training). GLSAs are sent by mail to gentoo-announce and
other security lists, automatically appear in a live RDF feed[13] and on
the Gentoo Security page[14]. Finally, they get copied by forum moderators
to appear as forum announcements. GLSA XML sources are part of the portage
tree (in metadata/glsa) and get synced on all user boxes, to enable the
use of the (for the moment still experimental) glsa-check tool (which is
part of the gentoolkit package).

Who are the upstream consumers of GLSA's? Other than Gentoo users, are
there other organizations that are alerted?

We warn so that they include GLSA in their advisories
page[15]. The MITRE CVE dictionary[16] also includes GLSA references.

Are there any automated tools or scripts that the team uses to manage
these jobs?

We use GLSAMaker, a tool written by Tim Yamin[17] (plasmaroo), to help in
writing GLSA XML source and the text counterpart.

What's the status of "emerge security" functionality to identify and fix
security issues using portage?

"Emerge security" functionality is currently under testing with the
"glsa-check" tool, part of the gentoolkit package. It allows us to
identify which GLSAs affect your system and to automatically fix the
vulnerable packages. When this is ready, the portage tool team will
integrate this into mainline tools like emerge. Users are encouraged to
use the latest glsa-check and report any oddities using bugzilla[18].

Where can users get information about the security team?

Our main page is the Gentoo Security portal at[19]. It
contains all the pointers to our policy documents, the latest GLSAs and
lots of useful information. People that would like to join the Gentoo
Security project should read the Security project webpage[20], and in
particular the GLSA Coordinators guide[21] and the Security padawans
page[22] to get a feel of what we need.

What are some of the initiatives the security team have undertaken

In the last year, we put procedures in place so that all unwritten rules
followed by the team have a reference policy document. We also put
together a new team that will ensure that we keep a consistent security
watch at all times.

What did we forget to ask that we should know about?

Maybe our management structure. Kurt Lieber[23] (klieber) is our strategic
manager, Sune Kloppenborg Jeppesen[24] (jaervosz) and myself are the
operational managers.

2. Future Zone

Open-Xchange in Gentoo Linux

Open-Xchange (OX)[25] is the open-source groupware server on which
Novell's SuSE Linux Openexchange Server (SLOX)[26] is based. Open-Xchange
was closed source until 30 August 2004 when it was released under the GNU
Public License. OX leverages popular open-source server technology by
integrating existing projects (SMTP, IMAP, LDAP, Apache, Tomcat, and
PostgreSQL) to deliver a powerful messaging and collaboration environment.
Some features of interest include e-mail, project management, a versioning
document store, shared calendaring, and a knowledge base. It can be
accessed via both a web interface or through fat clients such as
Evolution, the Mozilla suite (Thunderbird and Sunbird) and any other third
party application that supports WebDAV. Currently, Open-Xchange is in
development with a slated stable release (v0.8) in March 2005. If you want
to see what OX is like before undertaking the somewhat daunting install,
you can try it out using the online demo[27].

Installation and support

There are currently two ways to install OX in Gentoo Linux: using the
ebuild from Bugzilla[28] (not currently in the Portage tree), or manually
installing it. A Wiki page[29] explains the installation using the ebuild,
but for most of the necessary steps to get OX successfully running, an
additional manual installation HOWTO[30] covers the prerequisite
configurations as well as extending and enhancing Open-Xchange. For
Gentoo-specific questions a Gentoo Forum thread[31] with several hundred
posts has most of the answers that are available so far.

If you are not already familiar with the servers that OX uses be prepared
for a steep learning curve and to do a lot of reading. A majority of the
problems experienced so far involve LDAP configuration, Apache/Tomcat
integration, and SASL authentication. All of the servers that OX relies on
need to be properly configured and working before you can proceed with the
actual Open-Xchange install.

Note: Author Mike Fetherston was a dedicated Slackware user who turned to
Gentoo in early 2004. Upon Netline's release of SuSE's SLOX server under
the GPL he covered his initial installation experiences and tremendous
feedback from the Gentoo user community in a document of currently more
than 40 pages.

3. Gentoo security

OpenMotif: Multiple vulnerabilities in libXpm

Multiple vulnerabilities have been discovered in libXpm, which is included
in OpenMotif, that can potentially lead to remote code execution. (NB:
This is the same vulnerability that was fixed in xorg-x11 last November)

For more information, please see the GLSA Announcement[32]

PostgreSQL: Local privilege escalation

The PostgreSQL server can be tricked by a local attacker to execute
arbitrary code.

For more information, please see the GLSA Announcement[33]

Python: Arbitrary code execution through SimpleXMLRPCServer

Python-based XML-RPC servers may be vulnerable to remote execution of
arbitrary code.

For more information, please see the GLSA Announcement[34]

pdftohtml: Vulnerabilities in included Xpdf

pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to execution of arbitrary code upon converting a malicious PDF

For more information, please see the GLSA Announcement[35]

Mailman: Directory traversal vulnerability

Mailman fails to properly sanitize input, leading to information

For more information, please see the GLSA Announcement[36]

Webmin: Information leak in Gentoo binary package

Portage-built Webmin binary packages accidentally include a file
containing the local encrypted root password.

For more information, please see the GLSA Announcement[37]

Perl: Vulnerabilities in perl-suid wrapper

Vulnerabilities leading to file overwriting and code execution with
elevated privileges have been discovered in the perl-suid wrapper.

For more information, please see the GLSA Announcement[38]

mod_python: Publisher Handler vulnerability

mod_python contains a vulnerability in the Publisher Handler potentially
leading to information disclosure.

For more information, please see the GLSA Announcement[39]

4. Heard in the community


Remove no [insert feature here] USE-flags from the tree

Michiel de Bruijne [40] writes: "There are quite a few ebuilds in the tree
that make use of a no [insert feature here] USE-flag. So basically by
disabling the USE-flag you get more features. Pulling in extra
dependencies by disabling the USE-flag is a possibility. This has some
nasty side effects ..." The following discussion shows quite well why
these USE-flags are not good.

* Remove no [insert feature here] USE-flags from the tree[41]

Automatic stabilization of packages

Approximately every 6 months the same discussion comes up: How can the
packages in portage be kept up to date? The naive approach would be
automatic stabilization after a certain period of time. This thread shows
why for the most part that is not a good idea ...

* Automatic stabilization of packages[42]

Closing or resolving bugs, which is it?

Marius Mauch[43] writes: "I noticed a new trend lately introduced by a few
new devs: changing bug status from RESOLVED to CLOSED. Personally I just
find it annoying and completely useless. Can we agree to not do that
unless there is a technical reason? Don't see any benefit in this, just
means that closed bugs are now split between two "categories" with no
actual difference."

* should we close bugs?[44]

5. Gentoo International

USA: Gentoo Bugday event at Oregon State University LUG

Gentoo Bugdays[45] are regularly held every first Saturday of each month,
with developers and users everywhere gathering on IRC and skimming
Gentoo's bugzilla for anything that looks like it needs fixing. On 5
February, the Linux User Group of Oregon State University took the
opportunity and turned the virtual event into a real one[46]. Twelve OSLUG
members met at Weatherford Hall, the OSU residential college building.
Aided by a precompiled list of bugs prepared by Gentoo's Bugday organizers
for this occasion, they kept squashing bugs from 9:00 to 16:00, with the
official IRC channel #gentoo-bugs being projected overhead, and assorted
computers scattered around the classroom, each with a determined Gentoo
bug hunter in front of the screen.

Figure 5.1: The Klendathu, OR bughunt: Deedra Waters, Dunbar (background)
and Micheal Clay

Note: More photos are available at the OSLUG website.

Germany: Storage tool release for Gentoo Linux

Commercial releases of Linux applications with official support outside
the RedHat/SuSE/Mandrake realm are scarce and far between. A German
company, SEP AG[47], has now announced the availability of their storage
management product "SEP sesam" for Gentoo Linux. "We're traditionally tied
to SuSE Linux, but had Gentoo on our radar ever since we watched the
impressive installation Lars Weiler[48] did on an HP Proliant cluster at
last year's LinuxTag in Karlsruhe," recalls SEP's sales manager Johann
Krahfuss (cf. GWN report 28 June 2004[49]). "So when our first customers
demanded an adaptation of SEP sesam to Gentoo Linux, it didn't exactly
take us by surprise." The German federal research institution Fraunhofer
Gesellschaft[50] were the first to request a SEP sesam installation inside
a Gentoo Linux environment, "and since we didn't encounter any problems
whatsoever, we feel it's ready for official release," says Krahfuss. A
30-day-test version (including support) can be downloaded from the
corporate website's download section. SEP sesam is designed for data
storage management in heterogenous networks, including Linux, BSD,
Solaris, TRU/64, OpenVMS, Windows and Mac OS X. The company will be
present at next week's CRN Storage Solution Days 2005[51] in Neuss (link
in German only).

6. Gentoo in the press

Newsforge (8 and 9 February 2005)

Newsforge published an article in two parts about using MySQL to benchmark
OS performance[52], as analyzed and written by Tony Bourke[53]. The
performance check spans server operating systems Open-, Net- and FreeBSD,
Solaris 10, and Linux as platforms for MySQL database execution, and
"among a multitude of distributions" Gentoo was chosen for the Linux part
of the test, running both 2.4 and 2.6 kernels (gentoo-sources) on
ReiserFS. "With Gentoo it was also relatively easy to install NPTL for
2.6, which I used in the 2.6 tests," says Tony Bourke, "although they
didn't make any difference when compared to non-NPTL 2.6 results." While
the first part just explains the tools and the methodology, the actual
performance comparison is published in a separate article[54] - with
amazing results, Gentoo Linux clearly winning all individual benchmark
tests. Funnily enough, Gentoo's outstanding performance even triggered
complaints about the "unfair advantage"[55] of using a source-based,
possibly processor-optimized Linux distribution as a platform for the

CNET (7 February 2005)

Sun's President Jonathan Schwartz nods his head to Gentoo's OpenSolaris
effort in an interview published on CNET last week. While explaining the
OpenSolaris governance model to interviewer Stephen Shankland, he claims
"Solaris is now officially platform-neutral"[56] and expects "10 or more"
non-Sun OpenSolaris distributions to appear in the market.

Security Focus (2 February 2005)

Columnist Jason Miller says Linux kernel security handling is broken, "and
it needs to be fixed right now." The article at[57], a
publication mainly read by security professionals, is highly critical of
the way security bugs in the Linux kernel are being addressed. But the
author, a self-proclaimed "huge follower of BSD-based operating systems,"
has some good news, too: "Once we start looking at actual distributions of
the Linux kernel as a complete operating system, we find some
distributions with official security contacts, as well as security-related
pages similar to those provided by the major BSD-based operating systems.
Gentoo Linux Security is a good example of that."

Réseaux & Télécoms (3 February 2005, in French)

Directly responding to the Security Focus column by Jason Miller, the
French network and telco magazine looks beyond the kernel as a security
issue: Both flaws in individual applications not depending on the kernel,
and the distribution of security-related information are identified as
equally important fields of activity for the "bug hunters of open source."
The article "Noyau Linux : Mais où est la sécurité ?"[58] acknowledges
Miller's conclusion of "things changing, fast and in the right direction,"
and praises Thierry Carrez (see our interview above[59]) as an example for
"impressive work." With the current pace of discussion around the
structure of security handling and the distribution of information, it's
"time to show some optimism," says author Marc Olanie, pointing out that
it took Microsoft eighteen years to standardize their own security
procedures -- "or have they?"

Sun blogs (31 January 2005)

Eric Boutilier, an engineer at Sun, Inc. is gearing up for Gentoo
development on OpenSolaris, and posted his first attempts at familiarizing
himself with Portage on Linux to his blog at the Sun website[60]. While
his choice of installation material is peculiar - Gentoo-clone Vidalinux
rather than a standard install, and on a five-year-old Portégé laptop - he
quickly falls in sync with normal Portage user behaviour for lengthy
compiles: "Oh well. I left it happily building away and went to work."

7. Bugzilla


* Statistics
* Closed bug ranking
* New bug rankings


The Gentoo community uses Bugzilla ([61]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 06 February 2005 and 13 February 2005, activity
on the site has resulted in:

* 860 new bugs during this period
* 699 bugs closed or resolved during this period
* 37 previously closed bugs were reopened this period

Of the 8036 currently open bugs: 102 are labeled 'blocker', 243 are
labeled 'critical', and 600 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period

* osx porters[62], with 179 closed bugs[63]
* Gentoo's Team for Core System packages[64], with 53 closed bugs[65]
* Gentoo KDE team[66], with 30 closed bugs[67]
* AMD64 Porting Team[68], with 24 closed bugs[69]
* Gentoo Security[70], with 23 closed bugs[71]
* media-video herd[72], with 19 closed bugs[73]
* Gentoo Games[74], with 19 closed bugs[75]
* Text-Markup Team[76], with 17 closed bugs[77]

New bug rankings

The developers and teams who have been assigned the most new bugs during
this period are:

* AMD64 Porting Team[78], with 30 new bugs[79]
* Gentoo Sound Team[80], with 18 new bugs[81]
* Gentoo X-windows packagers[82], with 15 new bugs[83]
* Net-Mail Packages[84], with 11 new bugs[85]
* Mobile Herd[86], with 11 new bugs[87]
* media-video herd[88], with 11 new bugs[89]
* Gentoo KDE team[90], with 10 new bugs[91]
* Portage team[92], with 10 new bugs[93]

8. Tips and tricks

Portage magic: Identify obsolete packages

Gentoo developer Brian Harring[94] designed a clever way to identify all
merged versions of packages not available in Portage anymore -- both the
official tree and packages from PORTDIR_OVERLAY. Here is the method he
came up with, packing as much Python neatness as fits on a single command

| Code Listing 8.1: |
|Python scriptlet |
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all","="+x))==0]' |
| |

If that just went a little over your head, let's look at what exactly it
does. For example, if a package, say, foo-1.2.3 is merged, and that
version 1.2.3 is no longer in the tree, the script will point it out. A
simple check for packages that aren't available any longer regardless of
versions, would look like this:

| Code Listing 8.2: |
|Python scriptlet |
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0]' |
| |

Finally, if you want to ignore package foo-1.2.3 even if it isn't in the
tree any longer, but a revision foo-1.2.3-r1 is, the following script will
ignore the package, only triggering on installed applications that have
completely vanished from Portage.

| Code Listing 8.3: |
|Python scriptlet |
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if |
| |

Lastly, none of the above take injected packages into consideration, only
those that were installed from an available tree. Now, suppose you'd like
to ignore those, too, here's what to do:

| Code Listing 8.4: |
|Python scriptlet |
| |
|python -c 'import portage; print [x for x in |
portage.db["/"]["vartree"].getallcpv() \
|if len(portage.portdb.xmatch("match-all",portage.pkgsplit(x)[0]))==0 \ |
|and not portage.db["/"]["vartree"].dbapi.isInjected(x)]' |
| |

Yes, we knew you'd like this. All of the above do work for individual
packages you keep in an overlay tree, for example at /usr/local/portage,
those are being evaluated along with packages in the official Portage
tree. Try it out, you can't break anything, it just notifies you about
whatever it finds, leaving it up to the user to decide what to do with
that information.

9. Moves, adds, and changes


The following developers recently left the Gentoo team:

* None this week


The following developers recently joined the Gentoo Linux team:

* Sebastian Bergmann (sebastian) - PHP


The following developers recently changed roles within the Gentoo Linux

* None this week

10. Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an

11. GWN feedback

Please send us your feedback[96] and help make the GWN better.

12. GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to from the email address you are
subscribed under.

13. Other languages

The Gentoo Weekly Newsletter is also available in the following languages:

* Danish[97]
* Dutch[98]
* English[99]
* German[100]
* french[101]
* japanese[102]
* italian[103]
* polish[104]
* portuguese (brazil)[105]
* portuguese (portugal)[106]
* russian[107]
* spanish[108]
* turkish[109]

Ulrich Plate <> - Editor
AJ Armstrong <> - Author
Mike Fetherston <> - Author
Patrick Lauer <> - Author

-- mailing list