Gentoo Weekly Newsletter 7 March 2005
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 7 March 2005.

1. Gentoo News

Gentoo 2005.0 security rebuild

A set of exploitable bugs[1] in gaim and mozilla-firefox (remotely
exploitable) and in qt and kdelibs (locally exploitable) was discovered
just before the final Gentoo Linux 2005.0 release build finished. Although
this interrupted the build mere hours before its scheduled completion,
Gentoo's release engineering team unanimously decided to drop it and
reconstruct the release media with all the security bugs resolved prior to
release. Thanks to the Gentoo security team for catching the bugs, and to
the profiles' lead developers for putting up with the delay and testing
the builds on their architectures yet again!


Gentoo staging/master rsync server migrated

Thanks to the donation of an Opteron 246 server from Nvidia, Gentoo is now
running its staging mirror and master rsync mirror on new hardware.
Lance Albertson[2] and Nick Jones[3] completed the Portage regeneration
move last Wednesday with few or no problems. This server synchronizes
from CVS every thirty minutes, then regenerates the depcache, which can
take a lot of I/O and time to finish. From there, the public rsync servers
sync from it. The old server was a single 1 GHz Pentium III and could
finish this regen process within 10-30 minutes. The new Opteron server
does the same thing in a matter of 1-2 minutes. This is an amazing
improvement and will definitely allow us to scale well as the tree
continues to grow. Just a note: the update frequency has not changed, so
please don't waste your time trying to update every 2 minutes.


Also, most of the mirroring files were moved to this server a month ago,
with the exception of distfiles. We were running out of space on the old
server, and this new server has a lot more space for us to grow on. Nick
Jones is currently working on a better script that catches missing
distfiles and cleans old ones. Hopefully we'll start using this script in
production in the next few weeks, in order to save space on our mirrors
for other projects.

Forum software updates

Software enhancements done to the Gentoo Forums may well require a weekly
column of their own soon. The frequency of updates has already been high
over the past few weeks, but all these changes were just made to make even
bigger changes possible. Expect more to come, particularly with regard to
"Mission UTF-8", an ongoing effort to switch the forums completely to
Unicode, supported by tools that have already been put in place to aid the
switch over the next few months.

Three important changes were made in the last two weeks:

* We finally added Jabber[4] to the user profiles. Christian Hartmann[5]
created a Jabber-Mod for the phpBB 2.0.x branch[6]; Forum user ptlis[7]
then merged this with his own Jabber-Mod, which has since been made
available at[8].
* The subSilver and Gentoo-Lite themes were removed, mainly to speed up
development and to minimize potential sources of bugs or other future
problems. Apologies to those losing the ability to choose alternative
themes, but it's obviously much easier for the administrators to make
and maintain changes in the future if little-used themes can be
eliminated. The default Gentoo theme was the only one kept because it is
used by the overwhelming majority of Forum users: out of more than 80,000
registered forum IDs, only 450 were linked to the subSilver theme, and
4,500 had chosen Gentoo-Lite.
* Some adjustments[9] have been made to the textbox of the postview
window, thanks to the great Forum community for keeping track of that.

System application reshuffle: Heads up!

In a swift action affecting more than 200 packages residing in Portage's
sys-apps category, Ciaran McCreesh[10] is currently busy moving some of
them into other existing categories, while others will find entirely new
homes in the tree. The applications in question are listed in a file[11]
in Ciaran's devspace. If you find problems with a package after it has
been moved, please file a bug[12] or contact Ciaran. Gentoo users with
sys-apps packages in an individual overlay in particular may want to pay
special attention to the changes.


Looking for testimonials on Gentoo business usage

One of the things that we are always looking for at Gentoo is information
on people using Gentoo to make their lives easier. This could be anything
from using Gentoo machines as a render farm or rolled out into desktop
usage, to just a small corporate firewall. Information such as this can
help us better determine where we are and where we should be focusing our
efforts. If you have a Gentoo success story, then we would love to hear
about it! Information about large deployments or Gentoo usage in unusual
markets is mostly what we are looking to receive. Send your story to the
usage feedback address today.

Note: Although some interesting projects will certainly receive coverage
in the GWN, we respect your wish for confidentiality if the project
doesn't allow for publication. Please mark your story as confidential when
submitting it to the usage feedback address, it will only be discussed
among directly affected developers in that case.

2. Developer of the week

"The best thing about Gentoo is the community." -- Albert Hopkins

Figure 2.1: Albert Hopkins aka marduk

This week's featured developer Marduk[13] is a member of the
Infrastructure group, responsible for developing and maintaining one of
the most exciting elements of Gentoo's web presence, the packages database
site[14]. He'd be interested in many other areas of Gentoo, but making
sure the packages database site stays up, fixing bugs, and further
development takes up most of his free time. That doesn't keep him from
being in the process of re-writing the entire presentation, though, and
he has many ambitions for the new site, too many to list.


Figure 2.2: A view of things to come: Refurbishing the package database

Gentoo is his most significant OSS project to date, but Marduk has been
developing open-source software for several years. He authored a program
called Linbot, which was a web crawler/link validating tool written in
Python that received a lot of recognition in its time, with reviews
appearing in Linux magazines, inclusion in distributions and a Python
book. "I'm very passionate about the Python programming language. I have
been hacking in Python since 1997. While I still occasionally look at
other programming languages, I always go back to Python," says Marduk.
Unfortunately for Linbot, he received a "cease and desist" letter one day
because the name was apparently too close to the name of a commercial
application, and he hasn't worked on or distributed the software since
then. The few smaller programs he continues distributing are kept at his
own repository[15].


Marduk is an administrator for Linux and Linux-like systems at a major
U.S. clinical laboratory. A college drop-out who nonetheless attended
Cornell University majoring in Electrical Engineering, he used to work at
a supercomputer facility and always loved that, still keeping a vivid
interest in high performance computing, but regrets not to be able to
afford the hardware. His current main box[16] was just recently upgraded
to an AMD64, and he made sure "it's got all the trimmings," says Marduk.
"The first application I launch is evolution, and if you ps my box, you'll
most likely also find vim, epiphany, gnome-terminal and, of course,


Marduk lives in the Dallas, TX area. He's single (now accepting
applications), and his hobbies outside of computing that he felt worth
mentioning during the interview include movies, long drives in his Audi TT
roadster, indie music, silence, science, and sociology.

3. Gentoo International

Germany: Chemnitzer Linuxtage

Lars Weiler[17], Tobias Scherbaum[18] and Jens Blaesche ("Mr. Big")
represented Gentoo at this year's Chemnitzer Linuxtage, a conference and
expo in East Germany's Saxony region that has been growing in importance
since it was first organized last year, with more presentations in the
main track, the usual suspects in the exposition hall, and a nice crowd
mostly from Saxony itself, but also attracting visitors from other parts
of Germany. The Gentoo booth had a Pegasos Open Desktop Workstation on
display, a Sun Ultra10 running Gentoo, and the recent Brussels invention
of the /dev/snack box of sweets was equally popular with visitors.
Particularly rewarding for the booth staff who had been here already at
last year's event: visitors they had met back then and who had asked
generally uninformed "What is Gentoo?" questions now came back sporting
"Portage addict" t-shirts and laptops with Gentoo Linux running on them. A
German version of the Fizzlewizzle LiveDVD (see FOSDEM report last week),
complete with KDE and distfiles sources, was the top-seller at this
regional event, very welcome in this area of Germany where broadband
Internet connections are difficult to be had.

Figure 3.1: Left: Gentoo booth, center: Pylon, right: dertobi123 and Mr.

International event reminders

Two events are scheduled for the next weekends: one in Manchester, where
Stuart Herbert expects UK-based Gentoo developers and users at the second
Gentoo UK Conference, and an expo in Lörrach (Germany, close to the Swiss
border) with a Gentoo booth on the floor.

* Gentoo UK Conference[19] - Saturday, 12 March in Manchester, UK:
University of Salford. Attention: The Friday night social event before the
conference will start at 19:30 at the Stay Inn[20] (driving instructions
at their website).
* IT/Linux Days 2005[21] - 11 to 14 March in Lörrach, Germany:
Regio-Messe Lörrach

4. Gentoo in the press

(4 March 2005)

The lack of support forums or other "groundswell support from users" is
the topic of an article in O'Reilly's operating systems magazine. Author
Steve Mallett asks "Where is the SuSE Community?"[22] and compares the
missing user community presence with that of other popular distributions:
"A search for Fedora, Mandrake, or Gentoo for instance and you have no
problem finding forums, wikis, official and unofficial FAQs. Signs of
life," observes the magazine's managing editor.

(3 March 2005, in French)

Author Prosper describes the gentoo-stats project in an article[23] on the
French Linux forum for Apple computers. "The basc project permits to
calculate the time to install an ebuild. Packages are represented by GU
(Gentoo units), if you know how many seconds one GU takes to compile on
your system, it's enough to simply multiply those."

(28 February 2005, in Spanish)

The Spanish magazine reports about Intel and AMD[24] pushing for 64-bit
computing in the user realm, and observes that while Microsoft doesn't
currently have an operating system that fully supports the hardware, Linux
distributions, "for example Gentoo", are listed as totally functioning
under 64-bit conditions.


5. Tips and Tricks

Emerge flags deserving more attention

There are a few flags emerge accepts that can give some insight as to what
it is (or will be) doing. We've described some of the newer ones that have
been added with portage-2.0.51, but there are a couple of older switches
that users may have forgotten about. Here's a quick look at two of those.

Perhaps a little more commonly used is the first one, --verbose, or -v. It
displays the USE flags that a package recognizes, and which ones are
currently enabled or disabled. When running emerge with the --newuse flag,
it even puts an asterisk to those flags that have been enabled or disabled
since the last time a package was built. It also displays the size of
files that need to be downloaded for a particular package, in addition to
the total download file size for all packages to be emerged.

The second is --tree, or -t. This displays the dependency tree by
indenting dependencies. Here's an example to illustrate the effect of this
flag:
Code Listing 5.1: Indented packages showing their

[ebuild N ] x11-plugins/gkrellm-sensors-0.1
[ebuild N ]  app-admin/gkrellm-1.2.13
[ebuild N ]   sys-apps/lm_sensors-2.8.7
[ebuild N ]    sys-apps/i2c-2.8.7

This tells us that gkrellm-sensors requires gkrellm, gkrellm requires
lm_sensors, and lm_sensors requires i2c.

By combining --verbose and --tree, you'll get a much clearer picture of
exactly what emerge is doing. Needless to say, this makes it much easier
to tweak your USE flags for better control over which packages are being
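
The following script is an added example, not part of the newsletter or of
Portage itself. It parses a constructed sample of `emerge -pvt` output
offline to recover the three things the two flags encode: the dependency
depth from the indentation of the package atom (one extra leading space per
level, as in the listing above), the USE flags marked with a trailing `*`
by --newuse, and the per-package download sizes that --verbose totals. The
sample lines, package names and sizes are made up for the demo, and the
exact column layout is an assumption drawn from the description above
rather than from a real emerge run.

```shell
#!/bin/sh
# Added example (not from the newsletter): parse constructed `emerge -pvt`
# output to show what --tree, --verbose and --newuse report.  Assumptions:
# one extra leading space before the atom per dependency level, a USE="..."
# field whose flags carry a trailing '*' when they changed since the last
# build, and a trailing "<n> kB" download size per package.

# Constructed sample; package names and sizes are made up for the demo.
SAMPLE='[ebuild  N    ] x11-plugins/gkrellm-sensors-0.1  USE="-debug" 24 kB
[ebuild  N    ]  app-admin/gkrellm-1.2.13  USE="gnome -ssl*" 640 kB
[ebuild  N    ]   sys-apps/lm_sensors-2.8.7  USE="" 101 kB
[ebuild  N    ]    sys-apps/i2c-2.8.7  USE="" 88 kB'

# Print "<depth> <atom>" per line: depth 0 is the package you asked for,
# each deeper level is a dependency of the line above it (what --tree shows).
tree_depths() {
    printf '%s\n' "$1" | awk '{
        line = substr($0, index($0, "]") + 1)    # drop the "[ebuild  N    ]" box
        match(line, /^ */)
        depth = (RLENGTH > 0) ? RLENGTH - 1 : 0  # one space always separates box and atom
        sub(/^ */, "", line)
        split(line, f, " ")
        print depth, f[1]
    }'
}

# Print "<atom> <flag>" for every USE flag marked changed (the --newuse
# asterisk), i.e. the packages emerge would rebuild because their USE set
# differs from the one recorded at the last build.
changed_use() {
    printf '%s\n' "$1" | awk '{
        line = substr($0, index($0, "]") + 1)
        sub(/^ */, "", line)
        split(line, f, " ")
        if (match($0, /USE="[^"]*"/)) {
            use = substr($0, RSTART + 5, RLENGTH - 6)   # text between the quotes
            n = split(use, flags, " ")
            for (i = 1; i <= n; i++)
                if (flags[i] ~ /\*$/) print f[1], flags[i]
        }
    }'
}

# Sum the per-package "<n> kB" sizes, which is the total --verbose prints
# at the end of its output.
total_kb() {
    printf '%s\n' "$1" | awk '{
        if (match($0, /[0-9,]+ kB/)) {
            s = substr($0, RSTART, RLENGTH - 3)
            gsub(",", "", s)
            total += s
        }
    } END { print total + 0 }'
}

tree_depths "$SAMPLE"
changed_use "$SAMPLE"
total_kb "$SAMPLE"
```

Piping a real `emerge -pvt` run through the same functions works as long as
the layout assumptions hold; the point of `changed_use` is that a flag with
an asterisk is the reason a package shows up for a rebuild even though its
version did not change, which is easy to miss when scanning the plain
output by eye.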

6. Moves, adds, and changes


The following developers recently left the Gentoo team:

* None this week


The following developers recently joined the Gentoo Linux team:

* Andrew Fant (JFMuggs) - Infrastructure
* Eric Edgar (rocket) - Catalyst/Genkernel


The following developers recently changed roles within the Gentoo Linux

* None this week

7. Gentoo security

MediaWiki: Multiple vulnerabilities

MediaWiki is vulnerable to cross-site scripting, data manipulation and
security bypass attacks.

For more information, please see the GLSA Announcement[25]


Qt: Untrusted library search path

Qt may load shared libraries from an untrusted, world-writable directory,
resulting in the execution of arbitrary code.

For more information, please see the GLSA Announcement[26]
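
The root cause named in the Qt advisory above, a library search path that
includes a directory any local user can write to, is something an
administrator can check for on their own system. The helper below is an
added example, not part of the GLSA or of Qt: it walks a colon-separated
list of directories (the shape of LD_LIBRARY_PATH-style variables; that the
affected Qt path has this shape is an assumption, not a statement from the
advisory) and reports entries that would let any local user plant a
library. The test directories it is run against are constructed by the
caller.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory: report entries of a
# colon-separated directory list that are world-writable without the sticky
# bit (WORLD-WRITABLE), world-writable with the sticky bit such as /tmp
# (still unsafe for a search path, since an attacker only needs to create a
# file, not replace one), or missing (anyone could create them).
# The function body runs in a subshell so the IFS change does not leak.
audit_search_path() (
    IFS=:
    for _d in $1; do
        # An empty entry in a search path means the current directory.
        if [ -z "$_d" ]; then _d=.; fi
        if [ ! -d "$_d" ]; then
            printf 'missing: %s\n' "$_d"
            continue
        fi
        # ls -ld is portable across GNU and BSD userlands; in its mode
        # string column 9 is other-write and column 10 is other-exec/sticky.
        _mode=$(ls -ld "$_d" | cut -c1-10)
        _ow=$(printf '%s\n' "$_mode" | cut -c9)
        _st=$(printf '%s\n' "$_mode" | cut -c10)
        if [ "$_ow" = "w" ]; then
            case $_st in
                t|T) printf 'sticky world-writable: %s\n' "$_d" ;;
                *)   printf 'WORLD-WRITABLE: %s\n' "$_d" ;;
            esac
        fi
    done
)

# Hypothetical usage on a live system (LD_LIBRARY_PATH is just one such
# list; the variable Qt consulted is not named in the advisory summary):
#   audit_search_path "$LD_LIBRARY_PATH"
```

Directories the script does not report are not automatically safe: a
directory owned by an unprivileged user, or one reachable through a
symlink in a writable parent, gives the same result without being
world-writable, so the output is a starting point for review rather than
a verdict.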


phpBB: Multiple vulnerabilities

Several vulnerabilities allow remote attackers to gain phpBB administrator
rights or expose and manipulate sensitive data.

For more information, please see the GLSA Announcement[27]


Gaim: Multiple Denial of Service issues

Multiple vulnerabilities have been found in Gaim which could allow a
remote attacker to crash the application.

For more information, please see the GLSA Announcement[28]


phpWebSite: Arbitrary PHP execution and path disclosure

Remote attackers can upload and execute arbitrary PHP scripts; another
flaw reveals the full path of scripts.

For more information, please see the GLSA Announcement[29]


xli, xloadimage: Multiple vulnerabilities

xli and xloadimage are vulnerable to multiple issues, potentially leading
to the execution of arbitrary code.

For more information, please see the GLSA Announcement[30]


BidWatcher: Format string vulnerability

BidWatcher is vulnerable to a format string vulnerability, potentially
allowing arbitrary code execution.

For more information, please see the GLSA Announcement[31]


phpMyAdmin: Multiple vulnerabilities

phpMyAdmin contains multiple vulnerabilities that could lead to command
execution, XSS issues and bypass of security restrictions.

For more information, please see the GLSA Announcement[32]


OpenMotif, LessTif: New libXpm buffer overflows

A new vulnerability has been discovered in libXpm, which is included in
OpenMotif and LessTif, that can potentially lead to remote code execution.

For more information, please see the GLSA Announcement[33]


xv: Filename handling vulnerability

xv contains a format string vulnerability, potentially resulting in the
execution of arbitrary code.

For more information, please see the GLSA Announcement[34]


Mozilla Firefox: Various vulnerabilities

Mozilla Firefox is vulnerable to a local file deletion issue and to
various issues that allow an attacker to trick the user into trusting fake
web sites or interacting with privileged content.

For more information, please see the GLSA Announcement[35]


ImageMagick: Filename handling vulnerability

A format string vulnerability exists in ImageMagick that may allow an
attacker to execute arbitrary code.

For more information, please see the GLSA Announcement[36]


Hashcash: Format string vulnerability

A format string vulnerability in the Hashcash utility could allow an
attacker to execute arbitrary code.

For more information, please see the GLSA Announcement[37]


8. Bugzilla


* Statistics
* Closed bug ranking
* New bug rankings


The Gentoo community uses Bugzilla ([38]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 27 February 2005 and 06 March 2005, activity on
the site has resulted in:


* 826 new bugs during this period
* 467 bugs closed or resolved during this period
* 23 previously closed bugs were reopened this period

Of the 8186 currently open bugs: 97 are labeled 'blocker', 231 are labeled
'critical', and 602 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period

* Portage team[39], with 47 closed bugs[40]
* AMD64 Porting Team[41], with 27 closed bugs[42]
* Gentoo Security[43], with 22 closed bugs[44]
* Gentoo KDE team[45], with 21 closed bugs[46]
* Gentoo Linux Gnome Desktop Team[47], with 14 closed bugs[48]
* Gentoo Games[49], with 14 closed bugs[50]
* PPC Porters[51], with 12 closed bugs[52]
* Gustavo Felisberto[53], with 12 closed bugs[54]

New bug rankings

The developers and teams who have been assigned the most new bugs during
this period are:

* AMD64 Porting Team[55], with 38 new bugs[56]
* Gentoo's Team for Core System packages[57], with 19 new bugs[58]
* Gentoo Sound Team[59], with 18 new bugs[60]
* Gentoo Linux Gnome Desktop Team[61], with 17 new bugs[62]
* Gentoo Kernel Bug Wranglers and Kernel Maintainers[63], with 12 new bugs
* media-video herd[65], with 11 new bugs[66]
* Portage team[67], with 11 new bugs[68]
* Gentoo KDE team[69], with 9 new bugs[70]

9. GWN feedback

Please send us your feedback[71] and help make the GWN better.


10. GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to
the unsubscription address from the email address you are subscribed
under.

11. Other languages

The Gentoo Weekly Newsletter is also available in the following languages:

* Danish[72]
* Dutch[73]
* English[74]
* German[75]
* French[76]
* Japanese[77]
* Italian[78]
* Polish[79]
* Portuguese (Brazil)[80]
* Portuguese (Portugal)[81]
* Russian[82]
* Spanish[83]
* Turkish[84]

Ulrich Plate - Editor
Lance Albertson - Author
Chris Gianelloni - Author
Christian Hartmann - Author
Patrick Lauer - Author
Joshua Nichols - Author