Gentoo Weekly Newsletter 27 November 2006


Chris Gianelloni
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 27 November 2006.

1. Gentoo News

x86/i586 stages available

The Gentoo Release Engineering[1] project is proud to announce that new
stages for x86 have been released. These stages are currently only available
via the Gentoo mirrors[2], but plans are underway to add them to the torrent
tracker, also. These new stages include stages 2 and 3 for both the x86
(i386) and i586 subarchitectures built against the default-linux/x86/no-nptl
profile, as well as stages 2 and 3 for i586 built against the
default-linux/x86/2006.1 profile.


You can find these new stages under /releases/x86/2006.1/stages on your
local Gentoo mirror.

Experimental LiveCD images for Alpha/PPC

Along with the new stages for x86, Release Engineering has also released two
experimental ISO images. These images are built in the same manner as the
x86 and amd64 LiveCD for 2006.1, using the same snapshot. The images should
be fully-functional LiveCDs for both platforms. If you want to try
these out, please grab them from your local mirror under /experimental and
file bugs, as always, to the Gentoo bug tracker[3].


Note: We are aware that the Gentoo Linux Installer is not functional on
these LiveCD images, as the Installer had not yet been ported to them. The
main purpose of these images is as a testing ground and development platform
for the Installer, as well as testing for the LiveCD process on new

GNOME 2.16 stable

The Gentoo GNOME team[4] is working to stabilize GNOME-2.16.2. This is an
upgrade from the current 2.14 stable version of GNOME. Please consult the
GNOME 2.16 Upgrade Guide[5] before upgrading. If you wish to track the
stabilization efforts, you can follow bug 156572[6] for gtk+-2.10
stabilization and bug 156662[7] for GNOME-2.16 stabilization.


There are several major improvements in this upgrade:

  * powerful new note-taking application
  * enhanced menu editing
  * tool to get a better overview of your hard disk space
  * improved integrated power management support
  * improved media web browsing
  * improved themes
  * improved memory usage

To find out in detail what coolness you can expect from this major upgrade,
head over to the GNOME 2.16 page[8] and read the Release Notes.


virtual/mysql Introduced

In order to adjust to changes in upstream release policies, the former
dev-db/mysql has been split into dev-db/mysql-community and dev-db/mysql.
The new virtual/mysql depends on the presence of either
dev-db/mysql-community or dev-db/mysql.

If emerge complains about needing virtual/mysql, just install it. Assuming
you already have mysql or mysql-community installed, there's no compiling

If you don't want the greatest stable version, but want to stay at mysql
4.x, for example, be sure to mask >=virtual/mysql-4.1, >=dev-db/mysql-4.1
and >=dev-db/mysql-community-4.1 in /etc/portage/package.mask.

If you want to compile mysql client-only, you need to use the minimal USE

2. Heard in the community


Coldplug deprecated by udev-103 update? / udev and coldplug blocking each

Two different users found themselves concerned by the recent demise of
coldplug, the package which formerly handled devices which are already
connected at the time the system is booted. Peter K was assured that he'd
read his emerge --sync output correctly and that, as of udev 103, coldplug
was indeed gone.

Hans de Hertog found himself more concerned by the mutual blocks that udev
and coldplug seemed to have thrown up:

| Code Listing 2.1                                                          |
| blocker output                                                            |
| [blocks B ] >=sys-fs/udev-089 (is blocking sys-apps/coldplug-20040920-r1) |
| [blocks B ] sys-apps/coldplug (is blocking sys-fs/udev-103)               |
| [ebuild U ] sys-fs/udev-103 [087-r1] USE="(-selinux)" 195 kB              |

Hans was assured that the recently stabilized udev 103 was an entire
replacement for coldplug. Plucking up his courage, he unmerged coldplug,
merged udev 103 and cleaned up by deleting /etc/init.d/coldplug and running
rc-update del coldplug. As a bonus, he discovered it was no longer necessary
to edit /lib/rcscripts/addons/ to have udev handle


Where is DISPLAYMANAGER="gdm" now?

Mark Knecht had just completed his GCC 4 upgrade and discovered that the
DISPLAYMANAGER="gdm" statement was no longer in /etc/rc.conf. To what file
had it been spirited away?

To /etc/conf.d/xdm although (as noted in /etc/conf.d/xdm) setting
DISPLAYMANAGER in /etc/rc.conf overrides /etc/conf.d/xdm.

Mark thanked all the responders and noted that he'd be using /etc/conf.d/xdm
as he wanted to do it the Gentoo way.



Interrupting portage gracefully

Peter Humphreys wanted to know if there was a command to make portage stop
compiling at the end of the current package. He'd been running compiles
overnight, but was bothered by the fan noise.

Christoph Mende suggested terminating the compile with Control-C and running
emerge --resume the next day. Various readers proposed using suspend to disk
or suspend to RAM and picking up right where you left off the next morning.

Peter Davoust uses emerge [package] && init 0, although conceding it leaves
the machine running if the package fails to compile. Others suggested emerge
[package] ; shutdown -h now. This has the opposite problem to Peter's
solution, since the machine will shut down even if the package fails to
compile. It thus requires review of logs in the morning to know whether the
package was built or not.
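
A wrapper that avoids both drawbacks, as an added example that is not from
the newsletter or the mailing list thread: it runs the build, appends the
exit status to a status file, then halts regardless of the outcome. The
names run_then_halt, STATUS_FILE and HALT_CMD are assumptions made for this
sketch; halting normally requires root.

```shell
#!/bin/sh
# Added example: build, record the result, then power off either way.
# STATUS_FILE and HALT_CMD are hypothetical settings for this sketch.
STATUS_FILE="${STATUS_FILE:-/var/log/overnight-build.status}"
HALT_CMD="${HALT_CMD:-shutdown -h now}"

run_then_halt() {
    # "$@" is the build command, e.g.: run_then_halt emerge [package]
    rc=0
    "$@" || rc=$?            # capture the status without aborting under set -e

    if [ "$rc" -eq 0 ]; then
        result="OK"
    else
        result="FAILED"
    fi

    # One line per run, so the morning check is a single tail of the file.
    printf '%s %s rc=%s cmd=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$result" "$rc" "$*" >> "$STATUS_FILE"

    sync                     # flush the status line to disk before halting
    $HALT_CMD                # intentionally unquoted: command plus arguments
    return "$rc"
}
```
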


3. Gentoo developer moves


The following developers recently left the Gentoo project:

  * Anders Rune Jensen (arj)


The following developers recently joined the Gentoo project:

  * Charlie Shepherd (masterdriverz) kernel team


The following developers recently changed roles within the Gentoo project:

  * none this week

4. Gentoo security

TikiWiki: Multiple vulnerabilities

TikiWiki allows for the disclosure of MySQL database authentication
credentials and for cross-site scripting attacks.

For more information, please see the GLSA Announcement[9]


Ruby: Denial of Service vulnerability

The Ruby cgi.rb CGI library is vulnerable to a Denial of Service attack.

For more information, please see the GLSA Announcement[10]


Avahi: "netlink" message vulnerability

Avahi fails to verify the origin of netlink messages, which could allow
local users to spoof network changes.

For more information, please see the GLSA Announcement[11]


TORQUE: Insecure temporary file creation

TORQUE creates temporary files in an insecure manner which could lead to the
execution of arbitrary code with elevated privileges.

For more information, please see the GLSA Announcement[12]


qmailAdmin: Buffer overflow

qmailAdmin is vulnerable to a buffer overflow that could lead to the remote
execution of arbitrary code.

For more information, please see the GLSA Announcement[13]


Texinfo: Buffer overflow

Texinfo is vulnerable to a buffer overflow that could lead to the execution
of arbitrary code.

For more information, please see the GLSA Announcement[14]


fvwm: fvwm-menu-directory fvwm command injection

A flaw in fvwm-menu-directory may permit a local attacker to execute
arbitrary commands with the privileges of another user.

For more information, please see the GLSA Announcement[15]


TIN: Multiple buffer overflows

Multiple buffer overflows have been reported in TIN, possibly leading to the
execution of arbitrary code.

For more information, please see the GLSA Announcement[16]


ImageMagick: PALM and DCM buffer overflows

ImageMagick improperly handles PALM and DCM images, potentially resulting in
the execution of arbitrary code.

For more information, please see the GLSA Announcement[17]


GNU gv: Stack overflow

GNU gv improperly handles user-supplied data possibly allowing for the
execution of arbitrary code.

For more information, please see the GLSA Announcement[18]


5. Upcoming package removals

This is a list of packages that have been announced to be removed in the
future. The package removals come from many locations, including the
Treecleaners[19] and various developers.


Last Rites:

Package:                    Removal date: Contact:
dev-perl/Msql-Mysql-modules 20 Dec 06     Michael Cummings[20]
net-nds/migrationtools      21 Dec 06     Robin H. Johnson[21]
net-ftp/kbear               25 Dec 06     Charlie Shepherd[22]

  20. [hidden email]
  21. [hidden email]
  22. [hidden email]

6. Bugzilla


  * Statistics
  * Closed bug ranking
  * New bug rankings


The Gentoo community uses Bugzilla ([23]) to record and track
bugs, notifications, suggestions and other interactions with the development
team. Between 19 November 2006 and 26 November 2006, activity on the site
has resulted in:


  * 632 new bugs during this period
  * 352 bugs closed or resolved during this period
  * 21 previously closed bugs were reopened this period
  * 172 bugs marked as duplicates during this period

Of the 10878 currently open bugs: 27 are labeled 'blocker', 107 are labeled
'critical', and 478 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period
are:

  * AMD64 Project[24], with 28 closed bugs[25]
  * Gentoo KDE team[26], with 25 closed bugs[27]
  * Default Assignee for Orphaned Packages[28], with 19 closed bugs[29]
  * Java team[30], with 18 closed bugs[31]
  * Gentoo Security[32], with 16 closed bugs[33]
  * Hanno Boeck[34], with 11 closed bugs[35]
  * Gentoo Linux Gnome Desktop Team[36], with 11 closed bugs[37]
  * PPC Porters[38], with 8 closed bugs[39]

  24. [hidden email]
  26. [hidden email]
  28. [hidden email]
  30. [hidden email]
  32. [hidden email]
  34. [hidden email]
  36. [hidden email]
  38. [hidden email]

New bug rankings

The developers and teams who have been assigned the most new bugs during
this period are:

  * Default Assignee for New Packages[40], with 26 new bugs[41]
  * AMD64 Project[24], with 10 new bugs[42]
  * Gentoo Sound Team[43], with 8 new bugs[44]
  * Gentoo Toolchain Maintainers[45], with 7 new bugs[46]
  * Default Assignee for Orphaned Packages[28], with 7 new bugs[47]
  * Gentoo Games[48], with 7 new bugs[49]
  * Jan Kundrát[50], with 6 new bugs[51]
  * Java team[30], with 6 new bugs[52]

  24. [hidden email]
  28. [hidden email]
  30. [hidden email]
  40. [hidden email]
  43. [hidden email]
  45. [hidden email]
  48. [hidden email]
  50. [hidden email]

7. GWN feedback

The GWN is staffed by volunteers and members of the community who submit
ideas and articles. If you are interested in writing for the GWN, have
feedback on an article that we have posted, or just have an idea or article
that you would like to submit to the GWN, please send us your feedback[53]
and help make the GWN better.

  53. [hidden email]

8. GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank e-mail to
[hidden email].

To unsubscribe from the Gentoo Weekly Newsletter, send a blank e-mail to
[hidden email] from the e-mail address you are subscribed

9. Other languages

The Gentoo Weekly Newsletter is also available in the following languages:

  * Chinese (Simplified)[54]
  * Danish[55]
  * Dutch[56]
  * English[57]
  * German[58]
  * Greek[59]
  * French[60]
  * Korean[61]
  * Japanese[62]
  * Italian[63]
  * Polish[64]
  * Portuguese (Brazil)[65]
  * Portuguese (Portugal)[66]
  * Russian[67]
  * Slovak[68]
  * Spanish[69]
  * Turkish[70]


Ulrich Plate <[hidden email]> - Editor
Chris Atkinson <[hidden email]> - Author
Mart Raudsepp <[hidden email]> - Author
Chris Gianelloni <[hidden email]> - Author
