Gentoo Weekly Newsletter 12 June 2006

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Gentoo Weekly Newsletter 12 June 2006

Lars Weiler
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 12 June 2006.

1. Gentoo news

Portage 2.1 Released

After many months in development, the Portage team has released
Portage-2.1. This new release sees a great many new features, fixed bugs,
and performance improvements. A detailed description of changes can be
found in the  release notes[1] and  NEWS file[2]. Some highlights,
however, are:


 * confcache integration: In combination with the
dev-util/confcachepackage, users can now benefit from cached configure
checks, speeding up build times for many packages.
 * New cache framework: The Portage cache has been completely overhauled,
leading to massive speed improvements when updating cache after sync, as
well as in other areas.
 * New elog functionality: In the past, important messages from ebuilds
were delivered by means of the einfo, ewarn, and eerror functions, which
print messages to the standard output. However, in a length multi-package
merge, it is very easy for these messages to get lost. The new elog
function allows them to be collected in one place for later inspection,
and should greatly ease the process of upgrading many packages at one
 * New hooks framework: Using /etc/portage/bashrc, users can now define
bash functions to be executed before and after any given ebuild phase.
This can be used to make almost arbitrary customisations to the build
environment, and is a powerful tool for those who need functionality or
behaviour that stock Portage cannot provide.
 * Digest improvements: Portage can now use SHA256 and RMD160 digests in
addition to MD5 for checking the integrity of downloaded files. This
release also introduces support for a new Manifest2 format that should
allow the current Manifest and digest-* files to be unified into one much
more efficient file format.
 * Improved debugging support: using FEATURES="splitdebug" it is now
possible to keep the performance improvements from using stripped
binaries, while still having the debug information around on disk should
it be needed. This should make filing useful bug reports much easier.
 * Colour remappings: Using the /etc/portage/ file, you can now
remap the colours that Portage will use in its output. Have you ever
wanted a pretty pink portage? Well now you can, without having to change
the source code.
 * Configuration improvements: Certain config files can now be made into
directories, for easier management (for example,
/etc/portage/package.unmask/kde, /etc/portage/package.unmask/xorg will be
combined to make the old /etc/portage/package.unmask). /etc/portageitself
can also be loaded from different locations, making certain tasks much
 * Various other improvements: Certain types of binary security issues can
now be fixed automatically. The initial import of the Portage module
should now be faster in certain circumstances, meaning that external
scripts which import it should see speed improvements. Emerge now supports
a -q or 'really quiet mode' option, reducing its output to a minimum.

There is a stabilisation  bug[3] open, where you can track the progress of
this new release towards the stable tree. As of this writing, stable users
on x86, Sparc, HPPA and PPC platforms can use the new release; other
architecture teams should be following in the near future.


Thanks to Alec Warner[4] and Ned Ludd[5] for taking the time to talk to
the GWN about this release.

 4. [hidden email]
 5. [hidden email]

Status report: Gentoo/Alpha

The Gentoo/Alpha team is responsible for making sure that Gentoo runs
smoothly on the Alpha architecture. The team has recently grown to include
Thomas Cort[6] and Christel Dahlskjaer[7]. In the past few months we have
been very productive. Stephen Bennett[8] has continued his work with
SELinux. hardened-sources is now keyworded for alpha. Thanks to the work
of Stefaan De Roeck[9]and others, modular X has been keyworded and is
working well. The Gentoo/Alpha team is also pleased to announce that we
have stabilized gnome-2.12.3 and kde-3.5.2.

 6. [hidden email]
 7. [hidden email]
 8. [hidden email]
 9. [hidden email]

Thomas Cort has produced two documents, the Alpha Porting Guide and the
Gentoo/Alpha FAQ. A guide to using the SRM console is on the way. Jose
Luis Rivero[10], Fernando Pereda[11], and the rest of the Gentoo/Alpha
team completely revamped the project page. Fernando Pereda has also been
busy setting up the Alpha Arch Testers project. If you want to learn more
about this excellent opportunity to give back to Gentoo, please check out
the Alpha Arch Testers Project page[12].

 10. [hidden email]
 11. [hidden email]

Tetex changes

Tetex's upstream maintainer Thomas Esser hass announced that he won't make
any further tetex releases. This will have some mid- to long-term effects
on how tetex is maintained in Gentoo. Gentoo developer Martin Ehmsen[13]
shows the possible methods for handling this – while it seems to be
undecided for now how to proceed there will be changes in the future. Stay

 13. [hidden email]

 *  Tetex change announcement[14]

The shadow and pam-login conflict

Many users may have seen that new versions of pam-login and shadow block
each other. The reason for that is that the file /bin/login used to be
provided by pam-login for mostly historical reasons. Now shadow 4.0
started also providing this file, to reduce confusion this file is now
provided by shadow. Also the rest of pam-login has been folded into shadow
too, so when you see these two packages blocking each other please unmerge
pam-login and emerge the updated shadow package in its place.

Further information can be found in Diego Pettenò's[15] weblog:

 15. [hidden email]

 *  Shadow and pam-login conflict[16]

Ukrainian IRC channels

The relatively new and still small Ukrainian Gentoo community has opened
an official IRC channel: #gentoo-ua channel on If you
want to discuss all thing Gentoo in Ukrainian or want to help in the
localization effort just join the team around George Shapovalov[17]. For
now there is no Ukrainian Subforum, but if that community continues to
grow that is a distinct possibility – for now "Other languages" is the
correct forum for Ukrainian questions.

 17. [hidden email]

Gentoo Women

Geek girls are almost the stuff of legend. Women make up only 30% of
regular computer users, and as little as 2% of Linux users.

But why should this be the case? The reason for this can be as elusive as
the Linux-using women themselves – for every survey or paper saying that
they are not given the same chances or opportunities, there is another one
saying exactly the opposite. Lost in the midst of all this controversy,
however, is the fact that little if anything is being done to interest
women in computing, in Linux, or in Gentoo.

Groups such as the Debian project are seeking to change that. Debian
Women, founded in 2004, was set up to encourage women to become more
involved with Linux. The group maintains an IRC channel and a mailing list
for the discussion of technical issues, as well as maintaining a public
presence at Linux-related conferences and events. They also run an
extensive mentoring program whereby women are paired up with a mentor who
will spend the time to help them find answers to their questions, and get
to know the distribution, as well as the community and Linux in general.
This mentoring program adds a personal element to the process, and helps
to guide people towards working more effectively with Linux. Unfortunately
though, as the name implies, their efforts focus very much on encouraging
their members to use Debian.

The idea was recently floated of starting a similar project for the women
of Gentoo, and we would like your thoughts on the matter. Would such a
project be welcome within the community, and would people take advantage
of it? What would you like to see the project do, and how? Would you
volunteer your time and/or money to encourage people, not just women, to
use Gentoo, and to mentor and help users?

All groups, regardless of their origins, need 'fresh blood' to survive –
members will inevitably depart, and without a steady stream of people
joining the group will diminish with time. If we do not reach out to the
community, we miss out on a lot of good ideas and talented people that are
out there. Let's make the effort to do so, rather than wallowing in
complacency and resisting any change.

 * Gentoo Women Forums thread[18]
 * Gentoo Userrel email alias[19]
 19. [hidden email]

2. Summer of Code - Update

Summer of Code -- One Month Along

It's a month now since the start of this year's Summer of Code, and
Gentoo's projects have been progressing rapidly. Our students have been
hard at work with their projects, and making good progress. The Summer of
Code was originally mentioned  in the GWN of May 1st.[20]. If you are
interested to know what all the fuss is about, read on.


The Summer of Code[21], now in its second year, is a program run by Google
which sponsors students to work on open source projects during the summer
holidays. Last year's program was a great success, with a long list of
results[22] including some great projects. This year's version is even
bigger, containing over twice as many mentoring organisations, and a list
of student projects to match.


This year Gentoo is participating as a mentoring organisation, and we were
lucky enough to be allocated 14 projects, including this year's most
in-demand student – Anant Narayanan had applications accepted by a total
of 4 organisations, and chose to work with us rather than any of the
others. For a while it was uncertain whether we would be accepted, given
the number of other Linux distributions and operating systems already
accepted, but we were eventually chosen, and allocated a higher than
normal number of projects.

"I like how Gentoo has built a community around the distro in such a short
time. To me, that is emblematic of a good community, and is what SoC needs
for mentoring great OSS developers" said Greg Stein from Google, talking
about why he chose to accept Gentoo over other projects on the hold list.
"As one example, Gentoo got included into the program because I've liked
how they came from pretty much nowhere into one of the stronger Linux
distributions. Out of the thousand distros out there, they rose to one of
the primaries in pretty short order. I believe that is due to a strong
community focus, which is exactly something that I believe is good for an
SoC organization."

A full list of Gentoo's accepted applications with some basic information
can be found at Google's Gentoo page[23]; more updates about many of the
projects can be found on the students' blogs, which are aggregated as part
of Planet Gentoo[24] as well as making up Planet Gentoo SoC[25]. However,
we would like to highlight a few individual projects here, with some more
information about the projects and their current status.


Michael Kelly[26]has been working on a unified user/group management
framework, with the intention of integrating it into package managers and
the Gentoo tree to provide an implementation of GLEP 27[27], which was
approved long ago but has not yet been implemented. His code can be found
in his public Subversion repository, accessible through the web with
ViewVC[28]. As his initial  proposal[29] outlines, this should provide
some great improvements in the way user and group accounts are handled by
ebuilds – the current system, while it works in the vast majority of
cases, is relatively limited in its capability and scalability. The code
seems to be progressing nicely, and when finished should provide a simple,
flexible, and portable means to manage users and groups in package
managers and elsewhere.


Alex Martinez[30]has been working on porting Gentoo's "sandbox" utility to
run on FreeBSD systems. The  Gentoo/*BSD project[31] has been increasingly
active in recent months, and is rapidly becoming a viable platform for
real-world use. However, due to differences between the FreeBSD and GNU C
libraries, the sandbox utility, used primarily for ebuild QA purposes,
still does not work properly. Alex's SoC project sets out to change this,
and involves looking into the most fundamental libraries on the system to
find out just what is causing the problems. While the project is currently
on hold due to the exam season, progress just before this was extremely
promising. When completed, this should bring the various Gentoo/*BSD ports
much closer to having all the package management functionality available
on Gentoo Linux, a major milestone in their development.


All in all, the Summer of Code is a fantastic opportunity for students to
get more involved in their favourite open source projects and to let them
spend the summer doing what they enjoy without hindrance. Of course, it
also provides the projects with some great code that perhaps would not
have been written otherwise, as well as a fruitful source of potential new
contributors. This sentiment was echoed by Christel Dahlskjaer, Gentoo's
administrative contact for the summer of code, talking to the GWN earlier
this month: "I am doing my best to ensure that we give the students the
support they need, we also aim to make these summer months a time of fun
for them and we hope that at the end of their 'internship' they'll not
only have provided us with contributions in form of code, but will
hopefully have decided that they want to come on board and work on Gentoo
as developers."

3. Heard in the community


Genetic - A New Portage Frontend

Over the past two weeks, a discussion of a new ncurses and wxWidgets
portage frontend has been happening on the Gentoo Forums. The project is
still in its infancy and is asking for XML/Python/Ncurses experts to help.

 * Genetic Forum Thread[32]
 * Genetic Homepage[33]

GEMS - Gentoo Enterprise Management System

An announcement of a new management system in the style of "Red Hat
Network" designed for Gentoo has been announced on the forums. It aims to
ease the management of a large number of Gentoo computers and currently
includes features such as: inventory of installed software, GLSAs
associated with them, monitoring deployments status and more. GEMS is
licensed under the GPL and is freely available on its website.

 * GEMS Forum thread[34]
 * GEMS homepage[35]

Decreasing chances of making mistakes while installing Gentoo

new_to_non_X86, a forum user notes how currently it is very easy for users
to make simple mistakes such as typos or missing steps while following the
handbook. How do you think the quality of Gentoo documentation could be
improved so that mistakes are less prone to happening?

 * Forum Thread[36]


GLEP 49 - take 2

After the long discussion about alternative package managers in the last
weeks Paul de Vrieze[37] and Grant Goodyear[38] offer two competing GLEPs
for discussion that define the capabilities, license and other managerial
issues that a package manager has to offer to be supported. This might
focus future discussions about portage replacements on technical instead
of social issues.

 37. [hidden email]
 38. [hidden email]

 *  GLEP 49 - take 2[39]

Security/QA Spring Cleaning

Every now and then a security problem is found. When this affects a Gentoo
package a GLSA is released, but until now the affected packages were not
directly unkeyworded or removed from the tree. This leaves some vulnerable
ebuilds in place, so Ned Ludd[40] in cooperation with Brian Harring[41]
has started a cleanup of the tree. This should not affect users, only
vulnerable, insecure and unmaintained ebuilds will be removed.

 40. [hidden email]
 41. [hidden email]

 *  Security/QA Spring Cleaning[42]

Spring Cleanup, part 2

A cleanup of unmaintained broken ebuilds has started. As they were already
known to not work no functionality is lost for users. This is part of a
general QA strategy to increase the overall quality of Gentoo.

 *  app-editors/gnotepad+[43]
 *  ipkg-utils[44]
 *  media-libs/nurbs++[45]
 *  dev-libs/nana[46]
 *  sys-fs/convertfs[47]
 *  net-misc/powerd[48]
 *  www-client/prozilla[49]
 *  sys-libs/ldetect{,-lst}[50]

[RFC Maintainer-Wanted Bugs/Cleaning]

For user-submitted and unmaintained ebuilds the maintainer-wanted alias
was created. What seemed like a good idea has ended in almost 2000 bugs
assigned to that alias, most of them without any changes. Alec Warner[51]
asks for input how to handle these bugs in the future. Some ideas like a
central overlay for these ebuilds or closing them after a pre-set time are
discussed in this thread, but no resolution has been found.

 51. [hidden email]

 *  [RFC Maintainer-Wanted Bugs/Cleaning][52]

Gentoo Overlays Project needs a logo

Gentoo Overlays[53] is a project designed to bring social workspaces to
Gentoo. It provides a place for Gentoo projects and developers to host
their overlays. If you can help the Overlays project by creating a logo
drop by #gentoo-overlays on


 *  Gentoo Overlays Project needs a logo[54]

KDE 3.5.3 unmasked

KDE 3.5.3 got unmasked and provides decreased startup times. Also over 800
minor issues were fixed and small new features implemented in Akregator,
KMail and KAlarm.

 *  KDE 3.5.3 unmasked[55]

net-setup enhancements

Naming of network interfaces sometimes differs between a live system and
the installed Gentoo system. To help in configuring the network interfaces
net-setup has been expanded by two additional dialogs which displays the
interface name, interface caption and additional information. The new
net-setup will be included in the next livecd-tools release.

 *  net-setup enhancements[56]

4. Gentoo International

Gentoo UK 2006

A little later than anticipated, organisation of the Gentoo UK 2006
users-and-developers conference is nearing completion. The conference will
take place on Saturday July 8th in Central London, and will feature a few
talks from Gentoo developers plus possibly some guest speakers. There will
also be some social activities taking place around the event.

Numbers are limited, so we do require people to pre-register (no cost) by
leaving a name and email address. Registration is open now.

For more info, see the conference website[57]. We look forward to seeing
you there!


5. Tips and Tricks

Searching the portage tree with eix

eix is a handy utility that indexes your portage tree and quickly searches
it. The latest stable version, 0.55, is also compatible with Portage 2.1's
new metadata backend.

To get started, emerge the package, and then build your index:

| Code Listing 5.1:                                                       |
| Installing eix                                                          |
|                                                                         |
|# emerge eix                                                             |
|# update-eix                                                             |
|                                                                         |

update-eixwill index your ebuilds in your PORTDIR_OVERLAY in addition to
the main portage tree.

Once finished you are ready to do some searches. Use eix foo to search for
a package, or eix -S bar to search package descriptions. To search for a
specific package, use eix -e packagename. You can also use regular
expressions in your search parameters by default.

The output of eix displays each package version available. Versions
prefixed with ~ are marked unstable, while !indicates the version is hard

| Code Listing 5.2:                                                       |
| eix firefox                                                             |
|                                                                         |
|$ eix firefox                                                            |
|* www-client/mozilla-firefox                                             |
|Available versions:  1.0.7-r4 ~1.0.8 ~1.5-r9 ~ ~     |
|~ ~                          |
|Installed:           none                                                |
|Homepage:              |
|Description:         Firefox Web Browser                                 |
|                                                                         |
|* www-client/mozilla-firefox-bin                                         |
|Available versions:  1.0.7 ~1.0.8                |
|Installed:                                              |
|Homepage:               |
|Description:         Firefox Web Browser                                 |
|                                                                         |
|                                                                         |
|Found 2 matches                                                          |
|                                                                         |

Finally, one last tip. If you want to run emerge --sync and update-eix all
in one step, just run eix-sync instead.

Note: If you have tips and tricks you would like to share with the Gentoo
community please drop us a mail at [hidden email]

6. Gentoo developer moves


The following developers recently left the Gentoo project:

 * Dan Armak
 * Ryan Phillips


The following developers recently joined the Gentoo project:

 * Chris Parrott (haskell)


The following developers recently changed roles within the Gentoo project:

 * None this week

7. Gentoo Security

CherryPy: Directory traversal vulnerability

CherryPy is vulnerable to a directory traversal that could allow attackers
to read arbitrary files.

For more information, please see the GLSA Announcement[58]


libTIFF: Multiple vulnerabilities

Multiple vulnerabilities in libTIFF could lead to the execution of
arbitrary code or a Denial of Service.

For more information, please see the GLSA Announcement[59]


Opera: Buffer overflow

Opera contains an integer signedness error resulting in a buffer overflow
which may allow a remote attacker to execute arbitrary code.

For more information, please see the GLSA Announcement[60]


shadow: Privilege escalation

A security issue in shadow allows a local user to perform certain actions
with escalated privileges.

For more information, please see the GLSA Announcement[61]


Dia: Format string vulnerabilities

Format string vulnerabilities in Dia may lead to the execution of
arbitrary code.

For more information, please see the GLSA Announcement[62]


Tor: Several vulnerabilities

Tor is vulnerable to a possible buffer overflow, a Denial of Service,
information disclosure and information leak.

For more information, please see the GLSA Announcement[63]


Pound: HTTP request smuggling

Pound is vulnerable to HTTP request smuggling, which could be exploited to
bypass security restrictions or poison web caches.

For more information, please see the GLSA Announcement[64]


AWStats: Remote execution of arbitrary code

AWStats contains a bug in the sanitization of the input parameters which
can lead to the remote execution of arbitrary code.

For more information, please see the GLSA Announcement[65]


Vixie Cron: Privilege Escalation

Vixie Cron allows local users to execute programs as root.

For more information, please see the GLSA Announcement[66]


WordPress: Arbitrary command execution

WordPress fails to sufficiently check the format of cached username data.

For more information, please see the GLSA Announcement[67]


SpamAssassin: Execution of arbitrary code

SpamAssassin, when running with certain options, could allow local or even
remote attackers to execute arbitrary commands, possibly as the root user.

For more information, please see the GLSA Announcement[68]


Cscope: Many buffer overflows

Cscope is vulnerable to multiple buffer overflows that could lead to the
execution of arbitrary code.

For more information, please see the GLSA Announcement[69]


JPEG library: Denial of Service

The JPEG library is vulnerable to a Denial of Service.

For more information, please see the GLSA Announcement[70]


Mozilla Firefox: Multiple vulnerabilities

Vulnerabilities in Mozilla Firefox allow privilege escalations for
JavaScript code, cross site scripting attacks, HTTP response smuggling and
possibly the execution of arbitrary code.

For more information, please see the GLSA Announcement[71]


MySQL: SQL Injection

MySQL is vulnerable to an SQL Injection flaw in the multi-byte encoding

For more information, please see the GLSA Announcement[72]


8. Bugzilla


 * Statistics
 * Closed bug ranking
 * New bug rankings


The Gentoo community uses Bugzilla ([73]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 28 May 2006 and 11 June 2006, activity on the
site has resulted in:


 * 1756 new bugs during this period
 * 812 bugs closed or resolved during this period
 * 54 previously closed bugs were reopened this period

Of the 10196 currently open bugs: 53 are labeled 'blocker', 144 are
labeled 'critical', and 549 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period

 * Gentoo Games[74], with 49 closed bugs[75]
 * Gentoo Security[76], with 28 closed bugs[77]
 * Printing Team[78], with 28 closed bugs[79]
 * Gentoo KDE team[80], with 28 closed bugs[81]
 * Apache Herd - Bugzilla Reports[82], with 26 closed bugs[83]
 * Gentoo's Team for Core System packages[84], with 25 closed bugs[85]
 * Portage team[86], with 21 closed bugs[87]
 * Diego Pettenò[88], with 19 closed bugs[89]
 74. [hidden email]
 76. [hidden email]
 78. [hidden email]
 80. [hidden email]
 82. [hidden email]
 84. [hidden email]
 86. [hidden email]
 88. [hidden email]

New bug rankings

The developers and teams who have been assigned the most new bugs during
this period are:

 * Default Assignee for New Packages[90], with 54 new bugs[91]
 * Mozilla Gentoo Team[92], with 16 new bugs[93]
 * Gentoo Games[94], with 15 new bugs[95]
 * Default Assignee for Orphaned Packages[96], with 14 new bugs[97]
 * Diego Pettenò[98], with 14 new bugs[99]
 * Chris White[100], with 14 new bugs[101]
 * AMD64 Project[102], with 13 new bugs[103]
 * Gentoo KDE team[104], with 12 new bugs[105]
 90. [hidden email]
 92. [hidden email]
 94. [hidden email]
 96. [hidden email]
 98. [hidden email]
 100. [hidden email]
 102. [hidden email]
 104. [hidden email]

9. GWN feedback

Please send us your feedback[106]and help make the GWN better.

 106. [hidden email]

10. GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank e-mail to
[hidden email][107].

 107. [hidden email]

To unsubscribe to the Gentoo Weekly Newsletter, send a blank e-mail to
[hidden email][108] from the e-mail address you are
subscribed under.

 108. [hidden email]

11. Other languages

The Gentoo Weekly Newsletter is also available in the following languages:

 * Danish[109]
 * Dutch[110]
 * English[111]
 * German[112]
 * French[113]
 * Korean[114]
 * Japanese[115]
 * Italian[116]
 * Polish[117]
 * Portuguese (Brazil)[118]
 * Portuguese (Portugal)[119]
 * Russian[120]
 * Spanish[121]
 * Turkish[122]

Ulrich Plate <[hidden email]> - Editor
Patrick Lauer <[hidden email]> - Author
Christel Dahlskjaer <[hidden email]> - Author
Tobias Scherbaum <[hidden email]> - Author
Mark Kowarsky <[hidden email]> - Author
Thomas Cort <[hidden email]> - Author
Steve Dibb <[hidden email]> - Author
Alec Warner <[hidden email]> - Author
Ned Ludd <[hidden email]> - Author
Lars Weiler <[hidden email]> - Author

[hidden email] mailing list