With a report from last week's Gentoo booth at the Linux World Expo in Boston, reminders for FOSDEM and the Gentoo UK conference, and news about how to subscribe to Gentoo RSS feeds, this week's Gentoo Weekly Newsletter is again full of interesting articles for users and developers alike. The Future Zone introduces a very peculiar piece of hardware and the process of its Gentooification, several articles about Gentoo and derived news are to be found in the press clipping section, and of course many of the usual items, GLSAs, bug statistics, and a new developer to be welcomed on board. Enjoy your newsletter!
---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 21 February 2005.
---------------------------------------------------------------------------
==============
1. Gentoo News
==============
Boston Linux World Expo: The Après-Show report
-----------------------------------------------
The Linux World Conference and Exposition was held last week at the Hynes
Convention Center in Boston, Massachusetts, USA. Gentoo Linux had a booth
in the .org pavilion, nestled between the friendly folks from Fedora and
that lovable lot from the Linux Terminal Server Project. On display was
an array of systems demonstrating the wide range of architectures that
Gentoo is available for. The main draw was clearly the diminutive Mac Mini
with the big cinema screen, brought by Daniel Ostrow[1]. Also present were
Daniel's Sparc Ultra 60, several x86 laptops, and an AMD64 and several
embedded goodies brought by Mike Frysinger[2].
1. [e-mail:dostrow@gentoo.org]
2. [e-mail:vapier@gentoo.org]
A full team of volunteers helped staff the booth. Besides Mike and Daniel,
Seemant Kulleen[3], Chris Gianelloni[4], Dylan Carlson[5], Jeffrey
Forman[6], Peter Johanson[7], Luke Macken[8] (lewk), Rajiv Manglani[9],
Andy Fant[10], Chris Aniszczyk[11] and Aaron Griffis[12] made appearances
and helped out in the booth.
3. [e-mail:seemant@gentoo.org]
4. [e-mail:wolf31o2@gentoo.org]
5. [e-mail:absinthe@gentoo.org]
6. [e-mail:jforman@gentoo.org]
7. [e-mail:latexer@gentoo.org]
8. [e-mail:lewk@gentoo.org]
9. [e-mail:rajiv@gentoo.org]
10. [e-mail:fant@pobox.com]
11. [e-mail:zx@gentoo.org]
12. [e-mail:agriffis@gentoo.org]
Figure 1.1: Boston LWE Gentoo booth staff
http://www.gentoo.org/images/gwn/20050221_lwe.jpg
Note: Front, left to right: Andrew Fant, Chris Gianelloni, Mike
Frysinger, Rajiv Manglani. Chris Aniszczyk is leaning over the table just
under the Gentoo poster; everybody else is a visitor.
Besides the perennial requests for CDs (which we had) and T-shirts (which
we didn't), there was a steady flow of interest in the PPC release, and a
gratifying number of comments by people who have come to realize that
Gentoo has a role to play in the enterprise. Also of note was the
forthcoming launch of a Gentoo-based startup[13] that will provide custom
binary packages to subscribing users through standard Portage mechanisms.
A highlight of the week was the anti-bof, where 30-40 users and developers
took over the top floor of the Globe Bar and Grill and got the chance to
meet and mingle in person.
13. http://www.genux.org
This was the first year that the LWE was held in Boston, instead of New
York, and by all accounts, it was a success. There was a twenty percent
increase in vendor exhibits, and attendance was up by a similar amount. It
seems likely that LWE will return again next winter, so start making plans
for next year. Thanks to everyone who helped to make our presence at the
show a success. For those on the west coast, LWE will be in San Francisco
from 8 to 11 August. If you are interested in helping with the Gentoo
booth at that meeting, please contact the PR team.
Last call for FOSDEM
--------------------
More than 40 Gentoo developers, activists and power users have confirmed
their presence at this year's FOSDEM[14] on 26 and 27 February in Brussels
at the Université Libre de Bruxelles. The local youth hostel has literally
been taken over by the participants in the DevRoom organised by Gentoo at
Europe's largest open-source conference, and the schedule is packed with
presentations by developers from all over Europe. Saturday night life in
Brussels will make it challenging to keep the tight schedule for the
Gentoo developer meeting on Sunday morning.
14. http://dev.gentoo.org/~pylon/fosdem-2005.html
Free entrance to the Gentoo UK conference
-----------------------------------------
Thanks to sponsorships secured from the University of Salford and the
London Internet Exchange, LINX[15], the Mancunian Gentoo UK
Conference[16], scheduled for 12 March at Manchester's University of
Salford, was able to drop the entrance fee. Participants are asked to
register, but will be admitted free of charge. Registration is still
open.[17]
15. http://www.linx.net
16. http://dev.gentoo.org/~stuart/2005/
17. http://dev.gentoo.org/~stuart/2005/registration.html
Easy subscription to Gentoo RSS feeds
-------------------------------------
Michael Kohl[18] has made an OPML file[19] available that lets readers
subscribe automatically to three different RSS feeds from Gentoo at once,
i.e. the Gentoo Linux news as published on the Gentoo website, the Gentoo
Linux Security Announcements (GLSAs), and the feed for packages for x86.
Many RSS readers support importing from an OPML file, making subscriptions
easily manageable.
18. [e-mail:citizen428@gentoo.org]
19. http://dev.gentoo.org/~citizen428/files/gentoo.opml
==============
2. Future Zone
==============
Gentooified Kuro-Box
--------------------
The Kuro-Box is a toaster-sized PowerPC NAS (Network Attached Storage)
device designed for Linux hackers, owing at least part of its appeal to
the clever name: far more than its plain English translation "black"
does, the "kuro" of the Kuro-Box hints at both the colour
and the occultness of what may be lurking in the dark. Based on a
Freescale MPC8241[20] (a 603e processor), it exists in two versions:
20. http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=MPC8241
* the original one, at 200MHz with 64MB RAM, a 100Mb ethernet controller
and one USB plug (around 160 USD without hard-drive)
* the HG version, at 266MHz with 128MB RAM, a 1Gb ethernet controller and
two USB plugs (240 USD without hard-drive)
Although this is obscured by the fact that it was spun off from Buffalo
Technology's "LinkStation" storage device series, it's probably the most
inexpensive Linux/PPC development environment currently on the market.
Figure 2.1: Attaching a new meaning to network storage: Buffalo's Kuro-Box
http://www.gentoo.org/images/gwn/20050221_kurobox.jpg
The history[21] of the Kuro-Box begins in Japan back in early 2004, when a
Buffalo sister company, Kurouto Shikou, decided to sell older LinkStation
inventory on the "power users" market. Thus, the oldest and biggest
Kuro-Box hackers community is Japanese, and the amount of documentation on
their Linkstation Wiki[22] or on Yasunari Yamashita's blog[23] shows how
active it is. For a few months now, Kuro-Boxes have also been distributed
in the US and Europe by Revogear[24], and a new non-Japanese community
centering around a forum[25] and a wiki[26] now has plenty of English
information available to it.
21. http://penguinppc.org/embedded/kuro/
22. http://linkstation.yi.org/
23. http://www.yamasita.jp/linkstation/
24. http://www.revogear.com/
25. http://www.kurobox.com/forums/
26. http://www.kurobox.com/online/
In both communities, there had been several attempts at replacing the
stock firmware with more generic Linux distributions ever since the first
Kuro-Box shipped about a year ago. The original firmware is too
NAS-oriented, i.e. only designed to be a file and printing server, whereas
a complete Linux distribution would allow for easy experimentation and
unlocking of the platform's full potential. Even setting up Gentoo systems
inside the Kuro-Box had been tried before: jmgdean[27] released a Gentoo
Total Conversion alpha1[28], and much work was done inside the Japanese
community. However, all of those earlier attempts were mixed installations
of Gentoo Linux on top of the original firmware: the toolchains were still
based on gcc-2.95, many files were not managed by Portage, and there was
still some non-free code inside. My beta1 release[29], on the other hand,
is entirely built from sources, and exclusively via Portage. It is
composed of:
27. http://www.kurobox.com/forums/profile.php?mode=viewprofile&u=48
28. http://www.kurobox.com/forums/viewtopic.php?t=111
29. http://www.kurobox.com/online/tiki-index.php?page=What+is+in+Gentoo+Beta1
* a stage3 image which can be installed directly on a fresh hard drive,
and which completely replaces the original firmware
* a Portage overlay, with a few new or modified ebuilds
* a custom Portage profile, based on Gentoo PPC 2004.3
* many additional binary packages that should cover the most current
needs for that kind of system
The installation process is mostly similar to "normal" Gentoo systems,
except that it begins in the so-called "EM mode" in which the box boots
when it's not yet set up. This is a very minimalistic environment which
can be accessed by both ftp and telnet. From there, you will be able to
prepare your drive, chroot, and install the stage3 image. Then you switch
the box to the "Normal mode", and hopefully it will reboot using your
fresh Gentoo system, which should be accessible by ssh. Detailed
instructions are available on a Wiki page[30].
30. http://www.kurobox.com/online/tiki-index.php?page=InstallGentooBeta1
Known limitation and future work
The only thing that is not easily hackable is the content of the FlashROM,
i.e. the EM mode system and the kernel. The format of the flash image is
well-known and documented (at least on some Japanese websites), but, as
opposed to many other Linux-based devices, there is absolutely no fallback
in case of a mistake once you've touched it -- a flashing error or a badly
configured kernel will kill it for good. Because of that, most users are
still stuck with the original 2.4.17 kernel, which is far from perfect.
There are currently two directions explored to overcome this limitation:
* Installing a proper bootloader in the FlashROM: U-Boot[31] would
probably be the best choice, but this project is at too early a stage to
give an estimate of its availability.
* Dynamically replacing the running kernel. This has been made possible
thanks to jochang's work[32], by loading a simple kernel module.
Integrating that kernel switching into the boot process is the top target
for Gentoo beta2 (with everything it depends on, like a proper packaging
of kuro-ified kernel sources, etc.)
31. http://www.kurobox.com/online/tiki-index.php?page=projectsBootloader
32. http://www.kurobox.com/forums/viewtopic.php?t=277
Some other future work items include:
* improve the distribution system: in particular, use rsync instead of
tarballs for overlay/profile
* by popular demand, add some meta-ebuilds for some common needs like
"mail server" or "MacOSX-friendly server". Or release some kinds of
customized "stage4"
* some minor improvements all around, like better LED status, maybe more
precompiled modules for the stock kernel, etc.
* maybe a (semi-)automatic installation process (from a LiveCD?): for
some users, installing Gentoo by telnet on a Kuro Box is their first Linux
experience, and it seems to be a bit too much at a time...
Note: Author Thomas de Grenier de Latour (TGL) is one of the Gentoo Forums
moderators, responsible for the French language forum. He will bring a
Kuro-Box to FOSDEM in Brussels this coming weekend. If you would like to
learn more about this little box or see it in action, make sure to stop by
the Gentoo DevRoom.
==================
3. Gentoo security
==================
PowerDNS: Denial of Service vulnerability
-----------------------------------------
A vulnerability in PowerDNS could lead to a temporary Denial of Service.
For more information, please see the GLSA Announcement[33]
33. http://www.gentoo.org/security/en/glsa/glsa-200502-15.xml
ht://Dig: Cross-site scripting vulnerability
--------------------------------------------
ht://Dig is vulnerable to cross-site scripting attacks.
For more information, please see the GLSA Announcement[34]
34. http://www.gentoo.org/security/en/glsa/glsa-200502-16.xml
Opera: Multiple vulnerabilities
-------------------------------
Opera is affected by several vulnerabilities which could result in
information disclosure and facilitate execution of arbitrary code.
For more information, please see the GLSA Announcement[35]
35. http://www.gentoo.org/security/en/glsa/glsa-200502-17.xml
VMware Workstation: Untrusted library search path
-------------------------------------------------
VMware may load shared libraries from an untrusted, world-writable
directory, resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement[36]
36. http://www.gentoo.org/security/en/glsa/glsa-200502-18.xml
PostgreSQL: Buffer overflows in PL/PgSQL parser
-----------------------------------------------
PostgreSQL is vulnerable to several buffer overflows in the PL/PgSQL
parser leading to execution of arbitrary code.
For more information, please see the GLSA Announcement[37]
37. http://www.gentoo.org/security/en/glsa/glsa-200502-19.xml
Emacs, XEmacs: Format string vulnerabilities in movemail
--------------------------------------------------------
The movemail utility shipped with Emacs and XEmacs contains several format
string vulnerabilities, potentially leading to the execution of arbitrary
code.
For more information, please see the GLSA Announcement[38]
38. http://www.gentoo.org/security/en/glsa/glsa-200502-20.xml
lighttpd: Script source disclosure
----------------------------------
An attacker can trick lighttpd into revealing the source of scripts that
should be executed as CGI or FastCGI applications.
For more information, please see the GLSA Announcement[39]
39. http://www.gentoo.org/security/en/glsa/glsa-200502-21.xml
wpa_supplicant: Buffer overflow vulnerability
---------------------------------------------
wpa_supplicant contains a buffer overflow that could lead to a Denial of
Service.
For more information, please see the GLSA Announcement[40]
40. http://www.gentoo.org/security/en/glsa/glsa-200502-22.xml
KStars: Buffer overflow in fliccd
---------------------------------
KStars is vulnerable to a buffer overflow that could lead to arbitrary
code execution with elevated privileges.
For more information, please see the GLSA Announcement[41]
41. http://www.gentoo.org/security/en/glsa/glsa-200502-23.xml
Midnight Commander: Multiple vulnerabilities
--------------------------------------------
Midnight Commander contains several format string errors, buffer overflows
and one buffer underflow leading to execution of arbitrary code.
For more information, please see the GLSA Announcement[42]
42. http://www.gentoo.org/security/en/glsa/glsa-200502-24.xml
Squid: Denial of Service through DNS responses
----------------------------------------------
Squid contains a bug in the handling of certain DNS responses resulting in
a Denial of Service.
For more information, please see the GLSA Announcement[43]
43. http://www.gentoo.org/security/en/glsa/glsa-200502-25.xml
GProFTPD: gprostats format string vulnerability
-----------------------------------------------
gprostats, distributed with GProFTPD, is vulnerable to a format string
vulnerability, potentially leading to the execution of arbitrary code.
For more information, please see the GLSA Announcement[44]
44. http://www.gentoo.org/security/en/glsa/glsa-200502-26.xml
gFTP: Directory traversal vulnerability
---------------------------------------
gFTP is vulnerable to directory traversal attacks, possibly leading to the
creation or overwriting of arbitrary files.
For more information, please see the GLSA Announcement[45]
45. http://www.gentoo.org/security/en/glsa/glsa-200502-27.xml
=========================
4. Heard in the community
=========================
gentoo-dev
----------
Using Gentoo in emulators
After a failed install of Gentoo in MS VirtualPC, a user asks what
experiences others have with Gentoo in emulated environments. Read on for
a nice (win32-centric) collection of user experiences.
* Using Gentoo in emulators[46]
46. http://thread.gmane.org/gmane.linux.gentoo.devel/25480
Portage performance improvements
Another user found a bottleneck in Portage whose removal seems to reduce
startup times by at least 50%. Although that may be an extreme example, it
still shows that Portage performance is far from optimal.
* Portage performance improvements[47]
47. http://thread.gmane.org/gmane.linux.gentoo.devel/25458
GLEP33: Eclass restructure
After the large flamewars last time someone tried to change the way
eclasses are used and handled, John Mylchreest[48] and Brian Harring[49]
offer a new and quite comprehensive proposal. It can be found at
http://dev.gentoo.org/~johnm/files/glep33.txt
48. [e-mail:johnm@gentoo.org]
49. [e-mail:ferringb@gentoo.org]
* GLEP 33: Eclass restructure[50]
50. http://thread.gmane.org/gmane.linux.gentoo.devel/25427
Runtime vs. devel packages
Stuart Herbert[51] offers some thoughts on split ebuilds: "For years now,
RedHat have split a lot of their packages into two sets ... a set
containing what's needed at runtime to use the package, and another
'devel' package containing header files etc which are only needed for
building software. One thing that it's really nice to do with a server is
build it with no compilers etc installed. The less that's on there, the
less there is to maintain, upgrade, be reused by the black hats, etc etc."
But, as it seems, there are also good reasons to do things "The Gentoo
Way". Read on for a discussion of the pros and cons of both approaches.
51. [e-mail:stuart@gentoo.org]
* Runtime vs. devel packages[52]
52. http://thread.gmane.org/gmane.linux.gentoo.devel/25412
======================
5. Gentoo in the press
======================
Security Focus (14 February 2005)
---------------------------------
After being talked about in a Security Focus article the week before,
Gentoo developer and operational manager for the Gentoo Linux Security
Team Thierry Carrez[53] now had his own column last Monday: "More
advisories, more security"[54] is the title of his piece on the
relationship between activities in the security arms of Linux
distributions and overall safety for users. "Security advisories from a
software publisher or packager should not be seen as bad news. There are
always vulnerabilities in software, and when an advisory is released it
means that one of these flaws has been identified and fixed," explains
Thierry. "It also means the good guys have done their homework, and that
one less flaw can be used by the bad guys to harm you."
53. [e-mail:koon@gentoo.org]
54. http://www.securityfocus.com/columnists/299
Linux Times (14 and 18 February 2005)
-------------------------------------
A flamboyant installation report from Austria hit the online magazine
Linux Times on Monday last week, under the heading "One week with Gentoo
Linux." The article[55] describes in detail an installation of Gentoo
Linux on slightly dated hardware, and tries to shatter the myth of Gentoo
being not easily accessible: "If there was a list of biggest GNU/Linux
cliches, the statement 'Gentoo is hard to install' would be ranked among
the top. Let me tell you a little secret: Gentoo is easy to install," says
author Imre Kálomista, a student at Vienna University. And if that wasn't
enough, Gentoo again figures as a topic on Linux Times four days later in
a review of the Vidalinux release 1.1 in direct comparison to a "real"
Gentoo system. The article[56] concludes that the Puerto-Rican binary
Gentoo clone strangely lacks binary package support, but mentions a club
membership for access to a repository of precompiled packages.
55. http://www.linuxtimes.net/modules.php?name=News&file=article&sid=806
56. http://www.linuxtimes.net/modules.php?name=News&file=article&sid=831
Cuddletech blog (12 February 2005)
----------------------------------
Using Xorg 6.8.2 & Composite[57] is the topic for Ben Rockwood's blog
entry on the new transparency features in Xorg, with a pleasant side note
on the ease of installation in his Gentoo environment: "Thanks to Gentoo I
simply yanked XFree86 (unmerge) and merged in Xorg 6.8.2."
57. http://www.cuddletech.com/blog/pivot/entry.php?id=82
===========
6. Bugzilla
===========
Summary
-------
* Statistics
* Closed bug rankings
* New bug rankings
Statistics
----------
The Gentoo community uses Bugzilla (bugs.gentoo.org[58]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 13 February 2005 and 20 February 2005, activity
on the site has resulted in:
58. http://bugs.gentoo.org
* 813 new bugs during this period
* 447 bugs closed or resolved during this period
* 20 previously closed bugs were reopened this period
Of the 8040 currently open bugs: 101 are labeled 'blocker', 240 are
labeled 'critical', and 596 are labeled 'major'.
Closed bug rankings
-------------------
The developers and teams who have closed the most bugs during this period
are:
* Gentoo KDE team[59], with 25 closed bugs[60]
* PHP Bugs[61], with 24 closed bugs[62]
* Net-Mail Packages[63], with 21 closed bugs[64]
* Gentoo Security[65], with 20 closed bugs[66]
* Netmon Herd[67], with 15 closed bugs[68]
* AMD64 Porting Team[69], with 15 closed bugs[70]
* Gentoo Sound Team[71], with 11 closed bugs[72]
* PPC Porters[73], with 11 closed bugs[74]
59. [e-mail:kde@gentoo.org]
60.
[e-mail:/buglist.cgi]
61. [e-mail:php-bugs@gentoo.org]
62.
[e-mail:/buglist.cgi]
63. [e-mail:net-mail@gentoo.org]
64.
[e-mail:/buglist.cgi]
65. [e-mail:security@gentoo.org]
66.
[e-mail:/buglist.cgi]
67. [e-mail:netmon@gentoo.org]
68.
[e-mail:/buglist.cgi]
69. [e-mail:amd64@gentoo.org]
70.
[e-mail:/buglist.cgi]
71. [e-mail:sound@gentoo.org]
72.
[e-mail:/buglist.cgi]
73. [e-mail:ppc@gentoo.org]
74.
[e-mail:/buglist.cgi]
New bug rankings
----------------
The developers and teams who have been assigned the most new bugs during
this period are:
* Qmail Team[75], with 54 new bugs[76]
* Gentoo Sound Team[77], with 23 new bugs[78]
* AMD64 Porting Team[79], with 19 new bugs[80]
* media-video herd[81], with 17 new bugs[82]
* Gentoo KDE team[83], with 16 new bugs[84]
* Gentoo Science Related Packages[85], with 10 new bugs[86]
* Gentoo's Team for Core System packages[87], with 10 new bugs[88]
* Gentoo X-windows packagers[89], with 9 new bugs[90]
75. [e-mail:qmail-bugs@gentoo.org]
76.
[e-mail:/buglist.cgi]
77. [e-mail:sound@gentoo.org]
78.
[e-mail:/buglist.cgi]
79. [e-mail:amd64@gentoo.org]
80.
[e-mail:/buglist.cgi]
81. [e-mail:media-video@gentoo.org]
82.
[e-mail:/buglist.cgi]
83. [e-mail:kde@gentoo.org]
84.
[e-mail:/buglist.cgi]
85. [e-mail:sci@gentoo.org]
86.
[e-mail:/buglist.cgi]
87. [e-mail:base-system@gentoo.org]
88.
[e-mail:/buglist.cgi]
89. [e-mail:x11@gentoo.org]
90.
[e-mail:/buglist.cgi]
===========================
7. Moves, adds, and changes
===========================
Moves
-----
The following developers recently left the Gentoo team:
* None this week
Adds
----
The following developers recently joined the Gentoo Linux team:
* David Gümbel (ganymede) - wine
Changes
-------
The following developers recently changed roles within the Gentoo Linux
project:
* None this week
====================
8. Contribute to GWN
====================
Interested in contributing to the Gentoo Weekly Newsletter? Send us an
email[91].
91. [e-mail:gwn-feedback@gentoo.org]
===============
9. GWN feedback
===============
Please send us your feedback[92] and help make the GWN better.
92. [e-mail:gwn-feedback@gentoo.org]
================================
10. GWN subscription information
================================
To subscribe to the Gentoo Weekly Newsletter, send a blank email to
[e-mail:gentoo-gwn-subscribe@gentoo.org].
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to
[e-mail:gentoo-gwn-unsubscribe@gentoo.org] from the email address you are
subscribed under.
===================
11. Other languages
===================
The Gentoo Weekly Newsletter is also available in the following languages:
* Danish[93]
* Dutch[94]
* English[95]
* German[96]
* French[97]
* Japanese[98]
* Italian[99]
* Polish[100]
* Portuguese (Brazil)[101]
* Portuguese (Portugal)[102]
* Russian[103]
* Spanish[104]
* Turkish[105]
93. http://www.gentoo.org/news/da/gwn/gwn.xml
94. http://www.gentoo.org/news/nl/gwn/gwn.xml
95. http://www.gentoo.org/news/en/gwn/gwn.xml
96. http://www.gentoo.org/news/de/gwn/gwn.xml
97. http://www.gentoo.org/news/fr/gwn/gwn.xml
98. http://www.gentoo.org/news/ja/gwn/gwn.xml
99. http://www.gentoo.org/news/it/gwn/gwn.xml
100. http://www.gentoo.org/news/pl/gwn/gwn.xml
101. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
102. http://www.gentoo.org/news/pt/gwn/gwn.xml
103. http://www.gentoo.org/news/ru/gwn/gwn.xml
104. http://www.gentoo.org/news/es/gwn/gwn.xml
105. http://www.gentoo.org/news/tr/gwn/gwn.xml
Ulrich Plate - Editor
Andrew Fant - Author
Thomas de Grenier de Latour - Author
Patrick Lauer - Author
--
[e-mail:gentoo-gwn@gentoo.org] mailing list