Gentoo Weekly Newsletter: 12 June 2006
1. Gentoo news
Portage 2.1 Released
After many months in development, the Portage team has released
Portage-2.1. This new release sees a great many new features, fixed
bugs, and performance improvements. A detailed description of changes
can be found in the
release notes and
NEWS file. Some highlights, however, are:
- confcache integration: In combination with the
dev-util/confcache package, users can now benefit from
cached configure checks, speeding up build times for many
packages.
- New cache framework: The Portage cache has been completely
overhauled, leading to massive speed improvements when updating cache
after sync, as well as in other areas.
- New elog functionality: In the past, important messages from
ebuilds were delivered by means of the einfo, ewarn, and
eerror functions, which print messages to the standard output.
However, in a lengthy multi-package merge, it is very easy for these
messages to get lost. The new elog function allows them to be
collected in one place for later inspection, and should greatly ease
the process of upgrading many packages at one time.
- New hooks framework: Using /etc/portage/bashrc,
users can now define bash functions to be executed before and after
any given ebuild phase. This can be used to make almost arbitrary
customisations to the build environment, and is a powerful tool for
those who need functionality or behaviour that stock Portage cannot
provide.
- Digest improvements: Portage can now use SHA256 and RMD160
digests in addition to MD5 for checking the integrity of downloaded
files. This release also introduces support for a new Manifest2
format that should allow the current Manifest and digest-* files to
be unified into one much more efficient file format.
- Improved debugging support: Using FEATURES="splitdebug" it is
now possible to keep the performance improvements from using stripped
binaries, while still having the debug information around on disk
should it be needed. This should make filing useful bug reports much
easier.
- Colour remappings: Using the
/etc/portage/color.map file, you can now remap the
colours that Portage will use in its output. Have you ever wanted a
pretty pink portage? Well now you can, without having to change the
source code.
- Configuration improvements: Certain config files can now be
made into directories, for easier management (for example,
/etc/portage/package.unmask/kde and
/etc/portage/package.unmask/xorg will be combined to make
the old /etc/portage/package.unmask).
/etc/portage itself can also be loaded from different
locations, making certain tasks much simpler.
- Various other improvements: Certain types of binary security
issues can now be fixed automatically. The initial import of the
Portage module should now be faster in certain circumstances, meaning
that external scripts which import it should see speed improvements.
Emerge now supports a -q or 'really quiet mode' option, reducing its
output to a minimum.
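As an illustration of the hooks and elog items above, here is an added example for /etc/portage/bashrc (not code from Portage or from the release notes): a post_src_install hook that reports set-uid/set-gid and world-writable files in the install image through elog. The helper name audit_image, the message text and the elog fallback for running outside Portage are assumptions of this example.

```shell
# Added example for /etc/portage/bashrc; not Portage's own code.
# Inside Portage, D is the temporary install image and elog is provided.
# The fallback below exists only so the file can be exercised outside Portage.
command -v elog >/dev/null 2>&1 || elog() { printf 'LOG: %s\n' "$*"; }

# audit_image DIR (hypothetical helper)
# Print one line per risky file under DIR: set-uid/set-gid files first,
# then world-writable files, with paths shown as they will appear on the
# live filesystem once the image is merged.
audit_image() {
    (
        cd "$1" 2>/dev/null || exit 0
        find . -type f \( -perm -4000 -o -perm -2000 \) | sort |
            sed 's|^\./|setid /|'
        find . -type f -perm -0002 | sort |
            sed 's|^\./|world-writable /|'
    )
}

# Hook: Portage calls post_<phase> after the named ebuild phase, so this
# runs once the package has been installed into ${D} but before it is
# merged to the live filesystem.
post_src_install() {
    _audit_findings=$(audit_image "${D}")
    [ -n "${_audit_findings}" ] || return 0
    elog "Files in the install image that deserve a look before merging:"
    printf '%s\n' "${_audit_findings}" | while IFS= read -r _audit_line; do
        elog "  ${_audit_line}"
    done
    # Report only; never fail the build from this hook.
    return 0
}
```

Because the findings go through elog, they end up with the other collected messages instead of scrolling past during a long merge.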
There is a stabilisation
bug open, where you can track the progress of this new release
towards the stable tree. As of this writing, stable users on x86,
Sparc, HPPA and PPC platforms can use the new release; other
architecture teams should be following in the near future.
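The multi-digest check described under "Digest improvements" above, as an added example (not Portage's verification code): a downloaded file is checked for size and against every digest on its Manifest2-style line that the local tools can compute. The DIST line layout (name, size, then algorithm/value pairs), the function names and the decision to fail when no digest could be checked are assumptions of this example.

```shell
# Added example; not Portage's own verification code.
# Assumed Manifest2 layout:
#   DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]

# file_hash ALGO FILE: print the hex digest of FILE, or fail if ALGO
# cannot be computed with the tools available on this machine.
file_hash() {
    case "$1" in
        SHA256) tool=sha256sum ;;
        SHA1)   tool=sha1sum ;;
        MD5)    tool=md5sum ;;
        *)      return 1 ;;  # e.g. RMD160: no coreutils tool, not checked
    esac
    command -v "$tool" >/dev/null 2>&1 || return 1
    "$tool" "$2" | cut -d' ' -f1
}

# verify_dist MANIFEST FILE
# Returns 0 if the size and every computable digest match,
#         1 on any mismatch or if no digest at all could be checked,
#         2 if MANIFEST has no DIST entry for FILE.
verify_dist() {
    manifest=$1 file=$2
    name=$(basename "$file")
    entry=$(awk -v n="$name" '$1 == "DIST" && $2 == n { print; exit }' \
        "$manifest")
    [ -n "$entry" ] || { echo "$name: no DIST entry" >&2; return 2; }

    set -- $entry   # split the line into whitespace-separated fields
    shift 2         # drop "DIST" and the file name
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" = "$1" ] || {
        echo "$name: size $size, expected $1" >&2; return 1; }
    shift

    checked=0
    while [ $# -ge 2 ]; do
        if actual=$(file_hash "$1" "$file"); then
            [ "$actual" = "$2" ] || {
                echo "$name: $1 mismatch" >&2; return 1; }
            checked=$((checked + 1))
        fi
        shift 2
    done

    # Fail closed: an entry whose digests are all uncomputable here
    # proves nothing about the file.
    [ "$checked" -gt 0 ] || {
        echo "$name: no digest could be checked" >&2; return 1; }
}
```

Skipping a digest that cannot be computed locally weakens the check to whatever remains, so a stricter policy would treat any unverifiable algorithm as a failure.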
Thanks to
Alec Warner and
Ned Ludd for taking the time to
talk to the GWN about this release.
Status report: Gentoo/Alpha
The Gentoo/Alpha team is responsible for making sure that Gentoo
runs smoothly on the Alpha architecture. The team has recently grown to
include
Thomas Cort and
Christel Dahlskjaer. In the
past few months we have been very productive.
Stephen Bennett has continued his
work with SELinux. hardened-sources is now keyworded for alpha. Thanks
to the work of
Stefaan De Roeck and others,
modular X has been keyworded and is working well. The Gentoo/Alpha team
is also pleased to announce that we have stabilized gnome-2.12.3 and
kde-3.5.2.
Thomas Cort has produced two documents, the Alpha Porting Guide and
the Gentoo/Alpha FAQ. A guide to using the SRM console is on the way.
Jose Luis Rivero,
Fernando Pereda, and the rest of
the Gentoo/Alpha team completely revamped the project page. Fernando
Pereda has also been busy setting up the Alpha Arch Testers project. If
you want to learn more about this excellent opportunity to give back to
Gentoo, please check out the Alpha
Arch Testers Project page.
Tetex changes
Tetex's upstream maintainer Thomas Esser has announced that he
won't make any further tetex releases. This will have some mid- to
long-term effects on how tetex is maintained in Gentoo. Gentoo
developer Martin Ehmsen shows the
possible methods for handling this – while it seems to be undecided for
now how to proceed, there will be changes in the future. Stay tuned…
The shadow and pam-login conflict
Many users may have seen that new versions of pam-login and shadow
block each other. The reason is that the file
/bin/login used to be provided by pam-login for mostly
historical reasons. Now that shadow 4.0 has also started providing this
file, it is provided by shadow to reduce confusion. The rest of
pam-login has been folded into shadow as well, so when you see these two
packages blocking each other, please unmerge pam-login and emerge the
updated shadow package in its place.
Further information can be found in
Diego Pettenò's weblog.
Ukrainian IRC channels
The relatively new and still small Ukrainian Gentoo community has
opened an official IRC channel: #gentoo-ua channel on
irc.freenode.net. If you want to discuss all things Gentoo in Ukrainian
or want to help in the localization effort, just join the team around
George Shapovalov. For now there
is no Ukrainian Subforum, but if that community continues to grow that
is a distinct possibility – for now "Other languages" is the correct
forum for Ukrainian questions.
Gentoo Women
Geek girls are almost the stuff of legend. Women make up only 30% of
regular computer users, and as little as 2% of Linux users.
But why should this be the case? The reason for this can be as
elusive as the Linux-using women themselves – for every survey or
paper saying that they are not given the same chances or opportunities,
there is another one saying exactly the opposite. Lost in the midst of
all this controversy, however, is the fact that little if anything is
being done to interest women in computing, in Linux, or in Gentoo.
Groups such as the Debian project are seeking to change that. Debian
Women, founded in 2004, was set up to encourage women to become more
involved with Linux. The group maintains an IRC channel and a mailing
list for the discussion of technical issues, as well as maintaining a
public presence at Linux-related conferences and events. They also run
an extensive mentoring program whereby women are paired up with a
mentor who will spend the time to help them find answers to their
questions, and get to know the distribution, as well as the community
and Linux in general. This mentoring program adds a personal element to
the process, and helps to guide people towards working more effectively
with Linux. Unfortunately though, as the name implies, their efforts
focus very much on encouraging their members to use Debian.
The idea was recently floated of starting a similar project for the
women of Gentoo, and we would like your thoughts on the matter. Would
such a project be welcome within the community, and would people take
advantage of it? What would you like to see the project do, and how?
Would you volunteer your time and/or money to encourage people, not
just women, to use Gentoo, and to mentor and help users?
All groups, regardless of their origins, need 'fresh blood' to
survive – members will inevitably depart, and without a steady stream
of people joining, the group will diminish with time. If we do not reach
out to the community, we miss out on a lot of good ideas and talented
people that are out there. Let's make the effort to do so, rather than
wallowing in complacency and resisting any change.
2. Summer of Code - Update
Summer of Code -- One Month Along
It's a month now since the start of this year's Summer of Code, and
Gentoo's projects have been progressing rapidly. Our students have been
hard at work with their projects, and making good progress. The Summer
of Code was originally mentioned
in the GWN of May 1st. If you are interested to know what all the
fuss is about, read on.
The Summer of Code, now
in its second year, is a program run by Google which sponsors students
to work on open source projects during the summer holidays. Last year's
program was a great success, with a long list of
results including some great projects. This year's version is even
bigger, containing over twice as many mentoring organisations, and a
list of student projects to match.
This year Gentoo is participating as a mentoring organisation, and
we were lucky enough to be allocated 14 projects, including this year's
most in-demand student – Anant Narayanan had applications accepted by
a total of 4 organisations, and chose to work with us rather than any
of the others. For a while it was uncertain whether we would be
accepted, given the number of other Linux distributions and operating
systems already accepted, but we were eventually chosen, and allocated
a higher than normal number of projects.
"I like how Gentoo has built a community around the distro in such a
short time. To me, that is emblematic of a good community, and is what
SoC needs for mentoring great OSS developers" said Greg Stein from
Google, talking about why he chose to accept Gentoo over other projects
on the hold list. "As one example, Gentoo got included into the program
because I've liked how they came from pretty much nowhere into one of
the stronger Linux distributions. Out of the thousand distros out
there, they rose to one of the primaries in pretty short order. I
believe that is due to a strong community focus, which is exactly
something that I believe is good for an SoC organization."
A full list of Gentoo's accepted applications with some basic
information can be found at
Google's
Gentoo page; more updates about many of the projects can be found
on the students' blogs, which are aggregated as part of
Planet Gentoo as well as
making up
Planet Gentoo SoC.
However, we would like to highlight a few individual projects here,
with some more information about the projects and their current
status.
Michael
Kelly has been working on a unified user/group management
framework, with the intention of integrating it into package managers
and the Gentoo tree to provide an implementation of
GLEP
27, which was approved long ago but has not yet been implemented.
His code can be found in his public Subversion repository, accessible
through the web with
ViewVC. As his initial
proposal outlines, this should provide some great improvements in
the way user and group accounts are handled by ebuilds – the current
system, while it works in the vast majority of cases, is relatively
limited in its capability and scalability. The code seems to be
progressing nicely, and when finished should provide a simple,
flexible, and portable means to manage users and groups in package
managers and elsewhere.
Alex Martinez has been
working on porting Gentoo's "sandbox" utility to run on FreeBSD
systems. The
Gentoo/*BSD project has been increasingly active in recent months,
and is rapidly becoming a viable platform for real-world use. However,
due to differences between the FreeBSD and GNU C libraries, the sandbox
utility, used primarily for ebuild QA purposes, still does not work
properly. Alex's SoC project sets out to change this, and involves
looking into the most fundamental libraries on the system to find out
just what is causing the problems. While the project is currently on
hold due to the exam season, progress just before this was extremely
promising. When completed, this should bring the various Gentoo/*BSD
ports much closer to having all the package management functionality
available on Gentoo Linux, a major milestone in their development.
All in all, the Summer of Code is a fantastic opportunity for
students to get more involved in their favourite open source projects
and to let them spend the summer doing what they enjoy without
hindrance. Of course, it also provides the projects with some great
code that perhaps would not have been written otherwise, as well as a
fruitful source of potential new contributors. This sentiment was
echoed by Christel Dahlskjaer, Gentoo's administrative contact for the
summer of code, talking to the GWN earlier this month: "I am doing my
best to ensure that we give the students the support they need, we also
aim to make these summer months a time of fun for them and we hope that
at the end of their 'internship' they'll not only have provided us with
contributions in form of code, but will hopefully have decided that
they want to come on board and work on Gentoo as developers."
3. Heard in the community
forums
Genetic - A New Portage Frontend
Over the past two weeks, a discussion of a new ncurses and wxWidgets
portage frontend has been happening on the Gentoo Forums. The project
is still in its infancy and is asking for XML/Python/Ncurses experts to
help.
GEMS - Gentoo Enterprise Management System
A new management system in the style of "Red Hat
Network" designed for Gentoo has been announced on the forums. It aims
to ease the management of a large number of Gentoo computers and
currently includes features such as an inventory of installed software,
the GLSAs associated with it, monitoring of deployment status and more.
GEMS is licensed under the GPL and is freely available on its
website.
Decreasing chances of making mistakes while installing Gentoo
new_to_non_X86, a forum user, notes how easy it currently is for
users to make simple mistakes such as typos or missed steps while
following the handbook. How do you think the quality of Gentoo
documentation could be improved so that mistakes become less
likely?
gentoo-dev
GLEP 49 - take 2
After the long discussion about alternative package managers in the
last weeks,
Paul de Vrieze and
Grant Goodyear offer two
competing GLEPs for discussion that define the capabilities, license
and other managerial issues that a package manager has to offer to be
supported. This might focus future discussions about portage
replacements on technical instead of social issues.
Security/QA Spring Cleaning
Every now and then a security problem is found. When this affects a
Gentoo package a GLSA is released, but until now the affected packages
were not directly unkeyworded or removed from the tree. This leaves
some vulnerable ebuilds in place, so
Ned Ludd in cooperation with
Brian Harring has started a
cleanup of the tree. This should not affect users; only vulnerable,
insecure and unmaintained ebuilds will be removed.
Spring Cleanup, part 2
A cleanup of unmaintained broken ebuilds has started. As they were
already known to not work, no functionality is lost for users. This is
part of a general QA strategy to increase the overall quality of
Gentoo.
[RFC Maintainer-Wanted Bugs/Cleaning]
For user-submitted and unmaintained ebuilds the maintainer-wanted
alias was created. What seemed like a good idea has ended in almost
2000 bugs assigned to that alias, most of them without any changes.
Alec Warner asks for input on how to
handle these bugs in the future. Some ideas like a central overlay for
these ebuilds or closing them after a pre-set time are discussed in
this thread, but no resolution has been found.
planet.gentoo.org
Gentoo Overlays Project needs a logo
Gentoo
Overlays is a project designed to bring social workspaces to
Gentoo. It provides a place for Gentoo projects and developers to host
their overlays. If you can help the Overlays project by creating a logo,
drop by #gentoo-overlays on irc.freenode.net.
KDE 3.5.3 unmasked
KDE 3.5.3 got unmasked and provides decreased startup times. Also
over 800 minor issues were fixed and small new features implemented in
Akregator, KMail and KAlarm.
net-setup enhancements
Naming of network interfaces sometimes differs between a live system
and the installed Gentoo system. To help in configuring the network
interfaces, net-setup has been expanded by two additional dialogs
which display the interface name, interface caption and additional
information. The new net-setup will be included in the next
livecd-tools release.
4. Gentoo International
Gentoo UK 2006
A little later than anticipated, organisation of the Gentoo UK 2006
users-and-developers conference is nearing completion. The conference
will take place on Saturday July 8th in Central London, and will
feature a few talks from Gentoo developers plus possibly some guest
speakers. There will also be some social activities taking place around
the event.
Numbers are limited, so we do require people to pre-register (no
cost) by leaving a name and email address. Registration is open
now.
For more info, see the
conference
website. We look forward to seeing you there!
5. Tips and Tricks
Searching the portage tree with eix
eix is a handy utility that indexes your portage tree and quickly
searches it. The latest stable version, 0.55, is also compatible with
Portage 2.1's new metadata backend.
To get started, emerge the package, and then build your index:
Code Listing 5.1: Installing eix
    # emerge eix
    # update-eix
update-eix will index your ebuilds in your
PORTDIR_OVERLAY in addition to the main portage tree.
Once finished you are ready to do some searches. Use eix foo
to search for a package, or eix -S bar to search package
descriptions. To search for a specific package, use
eix -e packagename. You can also use regular expressions in your
search parameters by default.
The output of eix displays each package version available.
Versions prefixed with ~ are marked unstable, while
! indicates the version is hard masked.
Code Listing 5.2: eix firefox
    $ eix firefox
    * www-client/mozilla-firefox
         Available versions:  1.0.7-r4 ~1.0.8 ~1.5-r9 ~1.5-r11 ~1.5.0.1-r2 ~1.5.0.1-r3
                              ~1.5.0.1-r4 1.5.0.2 ~1.5.0.2-r1 1.5.0.3 1.5.0.4
         Installed:           none
         Homepage:            http://www.mozilla.org/projects/firefox/
         Description:         Firefox Web Browser
    * www-client/mozilla-firefox-bin
         Available versions:  1.0.7 ~1.0.8 1.5.0.2 1.5.0.3 1.5.0.4
         Installed:           1.5.0.3
         Homepage:            http://www.mozilla.org/projects/firefox
         Description:         Firefox Web Browser
    Found 2 matches
Finally, one last tip. If you want to run emerge --sync and
update-eix all in one step, just run eix-sync instead.
Note: If you have tips and tricks you would like to share with the
Gentoo community, please drop us a mail at
gwn-feedback@gentoo.org.
6. Gentoo developer moves
Moves
The following developers recently left the Gentoo project:
Adds
The following developers recently joined the Gentoo project:
Changes
The following developers recently changed roles within the Gentoo
project:
7. Gentoo Security
CherryPy: Directory traversal vulnerability
CherryPy is vulnerable to a directory traversal that could allow attackers
to read arbitrary files.
For more information, please see the GLSA Announcement
libTIFF: Multiple vulnerabilities
Multiple vulnerabilities in libTIFF could lead to the execution of
arbitrary code or a Denial of Service.
For more information, please see the GLSA Announcement
Opera: Buffer overflow
Opera contains an integer signedness error resulting in a buffer overflow
which may allow a remote attacker to execute arbitrary code.
For more information, please see the GLSA Announcement
shadow: Privilege escalation
A security issue in shadow allows a local user to perform certain actions
with escalated privileges.
For more information, please see the GLSA Announcement
Dia: Format string vulnerabilities
Format string vulnerabilities in Dia may lead to the execution of arbitrary
code.
For more information, please see the GLSA Announcement
Tor: Several vulnerabilities
Tor is vulnerable to a possible buffer overflow, a Denial of Service,
information disclosure and information leak.
For more information, please see the GLSA Announcement
Pound: HTTP request smuggling
Pound is vulnerable to HTTP request smuggling, which could be exploited to
bypass security restrictions or poison web caches.
For more information, please see the GLSA Announcement
AWStats: Remote execution of arbitrary code
AWStats contains a bug in the sanitization of the input parameters which
can lead to the remote execution of arbitrary code.
For more information, please see the GLSA Announcement
Vixie Cron: Privilege Escalation
Vixie Cron allows local users to execute programs as root.
For more information, please see the GLSA Announcement
WordPress: Arbitrary command execution
WordPress fails to sufficiently check the format of cached username data.
For more information, please see the GLSA Announcement
SpamAssassin: Execution of arbitrary code
SpamAssassin, when running with certain options, could allow local or even
remote attackers to execute arbitrary commands, possibly as the root user.
For more information, please see the GLSA Announcement
Cscope: Many buffer overflows
Cscope is vulnerable to multiple buffer overflows that could lead to the
execution of arbitrary code.
For more information, please see the GLSA Announcement
JPEG library: Denial of Service
The JPEG library is vulnerable to a Denial of Service.
For more information, please see the GLSA Announcement
Mozilla Firefox: Multiple vulnerabilities
Vulnerabilities in Mozilla Firefox allow privilege escalations for
JavaScript code, cross site scripting attacks, HTTP response smuggling and
possibly the execution of arbitrary code.
For more information, please see the GLSA Announcement
MySQL: SQL Injection
MySQL is vulnerable to an SQL Injection flaw in the multi-byte encoding
process.
For more information, please see the GLSA Announcement
8. Bugzilla
Summary
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the
development team. Between 28 May 2006
and 11 June 2006, activity on the site has resulted in:
- 1756 new bugs during this period
- 812 bugs closed or resolved during this period
- 54 previously closed bugs were reopened this period
Of the 10196 currently open bugs: 53 are labeled 'blocker', 144 are labeled 'critical', and 549 are labeled 'major'.
Closed bug rankings
The developers and teams who have closed the most bugs during this period are:
New bug rankings
The developers and teams who have been assigned the most new bugs during this period are:
9. GWN feedback
Please send us your
feedback and help make the
GWN better.
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank e-mail to
gentoo-gwn+subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank e-mail
to
gentoo-gwn+unsubscribe@gentoo.org from the e-mail address you are
subscribed under.
11. Other languages
The Gentoo Weekly Newsletter is also available in the following
languages: