
plate at gentoo
Jan 31, 2005, 4:17 AM
Gentoo Weekly Newsletter 31 January 2005
---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 31 January 2005.
---------------------------------------------------------------------------

==============
1. Gentoo News
==============

Trusted Gentoo
--------------

Initially suggested by Joseph Pingenot[1], the members of Gentoo's crypto herd have set the goal of Trusted Computing Group (TCG - formerly known as Trusted Computing Platform Alliance or TCPA[2]) support in Gentoo on the agenda for the year.

 1. http://bugs.gentoo.org/show_bug.cgi?id=35574
 2. http://www.research.ibm.com/gsal/tcpa/

TCG is an open standard for hardware specification defining cryptographic functions (Trusted Platform Module - TPM) that keep private keys away from system memory. The hardware also provides trusted boot functions (TCG Software Stack - TSS) that ensure private keys cannot be used if the operating system changes to an untrusted one.

TSS applications of the TCG architectures that would be desirable for Gentoo are:

  * trusted kernel execution (http://enforcer.sourceforge.net/[3], http://trousers.sourceforge.net/[4])
  * trusted grub execution[5]
  * trusted kernel modules

 3. http://enforcer.sourceforge.net/
 4. http://trousers.sourceforge.net/
 5. http://www.prosec.rub.de/trusted_grub.html

TPM allows storing of cryptographic keys in hardware rather than placing private keys on the filesystem. Examples include:

  * unlocking of encrypted filesystems
  * OpenSSH server
  * SELinux[6]
  * Apache
  * OpenCA certification authorities[7]
  * GnuPG and SSH keychains

 6. http://www.finux.org/Reprints/Reprint-Halcrow-OLS2004.pdf
 7. http://www.acsac.org/2004/abstracts/81.html

If you are interested in donating hardware or undertaking development in this area contact Henrik Brix Andersen[8] or Peter Johanson[9]. Developers will need to work largely independently, and to have a good understanding of security architectures and C coding. A TPM emulator that may be of assistance is available[10].

 8. brix [at] gentoo
 9. latexer [at] gentoo
 10. https://developer.berlios.de/projects/tpm-emulator

Looking for EM64T developers, hardware, and AMD64 "Arch-testers"
----------------------------------------------------------------

The Gentoo/AMD64 team has issued a request for developers who could help extend support to Intel's x86-64 processors, the EM64T product line. The devs will need to bring their own hardware and mainly do kernel testing, since the chipsets on EM64T mainboards are different. Please contact Jason Huebel[11] if you feel up to helping out with this.

 11. jhuebel [at] gentoo

In a separate announcement[12], AMD64 is also looking for "Arch-testers" or AT's, i.e. non-developers to help iron out bugs and mark applications stable for a variety of ebuilds already available.

 12. http://www.gentoo.org/proj/en/base/amd64/arch-testers-amd64.xml

Gentoo/PPC GameCD released
--------------------------

The PPC team has prototyped the first completely graphical LiveCD for the PowerPC platform featuring a 3D multiplayer OpenGL/SDL game called Cube[13]. Designed for the PegasosPPC, a CD variant to run on Macintosh hardware is already in the works. While the 198 MB GameCD is already available for download from the mirrors (in the experimental/ppc/livecd directory), a whole cluster of ODWs running Cube will be part of the presentations in the Gentoo developer room at FOSDEM[14] in Brussels, 26-27 February 2005.

 13. http://cube.sourceforge.net
 14. http://www.fosdem.org/

Figure 1.1: Gentoo Linux GameCD for PPC artwork by Christian Hartmann
http://www.gentoo.org/images/gwn/20050131_cube.png

==============
2. Future Zone
==============

Project goals for 2005
----------------------

Continuing our coverage of goals set by projects inside Gentoo Linux, this week we look at the plans of the Hardened group:

Hardened

  * Review of current approach and policies
  * Improvement of CFLAGS filtering (especially "-fPIC" and "-fstack-protector")
  * Introduce AMD64/Sparc64/PPC64 stages, more hardware in the future as hardware is acquired
  * Improved Grsecurity2 documentation
  * Improved and extended SELinux support
  * Develop and document RSBAC policies
  * More and better documentation of everything
  * Assimilate new developers
  * Elect new Hardened Committee
  * Introduce a forensics and rescue LiveCD
  * Support and improve kernel patchsets
  * Promote the Gentoo Hardened Project outside of Gentoo and raise awareness within Gentoo

==================
3. Gentoo security
==================

Konversation: Various vulnerabilities
-------------------------------------

Konversation contains multiple vulnerabilities that could lead to remote command execution or information leaks.

For more information, please see the GLSA Announcement[15]

 15. http://www.gentoo.org/security/en/glsa/glsa-200501-34.xml

Evolution: Integer overflow in camel-lock-helper
------------------------------------------------

An overflow in the camel-lock-helper application can be exploited by an attacker to execute arbitrary code with elevated privileges.

For more information, please see the GLSA Announcement[16]

 16. http://www.gentoo.org/security/en/glsa/glsa-200501-35.xml

AWStats: Remote code execution
------------------------------

AWStats fails to validate certain input, which could lead to the remote execution of arbitrary code.

For more information, please see the GLSA Announcement[17]

 17. http://www.gentoo.org/security/en/glsa/glsa-200501-36.xml

GraphicsMagick: PSD decoding heap overflow
------------------------------------------

GraphicsMagick is vulnerable to a heap overflow when decoding Photoshop Document (PSD) files, which could lead to arbitrary code execution.

For more information, please see the GLSA Announcement[18]

 18. http://www.gentoo.org/security/en/glsa/glsa-200501-37.xml

Perl: rmtree and DBI tmpfile vulnerabilities
--------------------------------------------

The Perl DBI library and File::Path::rmtree function are vulnerable to symlink attacks.

For more information, please see the GLSA Announcement[19]

 19. http://www.gentoo.org/security/en/glsa/glsa-200501-38.xml

SquirrelMail: Multiple vulnerabilities
--------------------------------------

SquirrelMail fails to properly sanitize user input, which could lead to arbitrary code execution and compromise webmail accounts.

For more information, please see the GLSA Announcement[20]

 20. http://www.gentoo.org/security/en/glsa/glsa-200501-39.xml

ngIRCd: Buffer overflow
-----------------------

ngIRCd is vulnerable to a buffer overflow that can be used to crash the daemon and possibly execute arbitrary code.

For more information, please see the GLSA Announcement[21]

 21. http://www.gentoo.org/security/en/glsa/glsa-200501-40.xml

TikiWiki: Arbitrary command execution
-------------------------------------

A bug in TikiWiki allows certain users to upload and execute malicious PHP scripts.

For more information, please see the GLSA Announcement[22]

 22. http://www.gentoo.org/security/en/glsa/glsa-200501-41.xml

VDR: Arbitrary file overwriting issue
-------------------------------------

VDR insecurely accesses files with elevated privileges, which may result in the overwriting of arbitrary files.

For more information, please see the GLSA Announcement[23]

 23. http://www.gentoo.org/security/en/glsa/glsa-200501-42.xml

f2c: Insecure temporary file creation
-------------------------------------

f2c is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files.

For more information, please see the GLSA Announcement[24]

 24. http://www.gentoo.org/security/en/glsa/glsa-200501-43.xml

ncpfs: Multiple vulnerabilities
-------------------------------

The ncpfs utilities contain multiple flaws, potentially resulting in the remote execution of arbitrary code or local file access with elevated privileges.

For more information, please see the GLSA Announcement[25]

 25. http://www.gentoo.org/security/en/glsa/glsa-200501-44.xml

=========================
4. Heard in the community
=========================

Web forums
----------

New old Portage utility

One of several Portage search utilities, portagedb, has been renamed to "Ebuild Index" or eix recently. Developer Pythonhead acknowledges that this alternative to esearch "gets better with every release" and lists eix in his meta-thread:

  * eix - Ebuild IndeX (search utility)[26]
  * Portage utilities not in portage[27]

 26. http://forums.gentoo.org/viewtopic.php?t=278819
 27. http://forums.gentoo.org/viewtopic.php?t=67849

Is the beagle man's best friend?

Slow week in the English sections of the Forums, but the French had a go at a piece of software comparable to the much-hyped SpotLight[28] that Apple wants to integrate into their Tiger release of Mac OS X. It appears that the Mono-based Beagle[29] is not only a completely free Linux alternative to Apple's real time desktop search, it's also already usable, at least to a certain degree...

 28. http://developer.apple.com/macosx/tiger/spotlight.html
 29. http://www.gnome.org/projects/beagle/

  * [HOWTO] Installation de Beagle 0.0.5[30] (in French)

 30. http://forums.gentoo.org/viewtopic.php?t=286104

gentoo-dev
----------

Reminder on the ebuild upgrade policy

Jason Wever[31] sent out a reminder about ebuild upgrade policy: "Recently, there have been a lot of ebuild upgrades with arch keywords getting dropped completely. Please do not do this unless there is a specific reason for it (security bug, broken dependencies, see policy), and if there is a valid reason, please notify the affected arches as to why you have dropped their keywords."

 31. weeve [at] gentoo

  * ebuild upgrade reminder[32]

 32. http://thread.gmane.org/gmane.linux.gentoo.devel/24740

[RFC] Versioned eclasses

Daniel Goller[33] and Patrick Lauer[34] started a thread asking for versioned eclasses. This proposal (which is a recurring topic every six months or so) was burnt to a crisp in one of the largest flamewars the gentoo-dev mailing list has seen in the last months, and remained unsolved.

 33. morfic [at] gentoo
 34. patrick [at] gentoo

  * Versioned eclasses[35]

 35. http://thread.gmane.org/gmane.linux.gentoo.devel/24677

Gentoo-dev seems to be hacked

Around the same time as the "versioned eclasses" flamewar a second high-traffic thread developed around signatures, identity and paranoia. The initial questions around possibly broken signatures got forgotten while devs and users discussed the problem of identity in mostly electronic communications and some other tangential questions.

  * Gentoo-dev seems to be hacked?[36]

 36. http://thread.gmane.org/gmane.linux.gentoo.devel/24377

BAS/c troubles

Ciaran McCreesh[37] pointed out some problems with the new Buildtime and Statistics client BAS/c. The following thread has lots of good information for all the ebuild hackers among you on how ebuilds should be written (and some good examples of what not to do).

 37. ciaranm [at] gentoo

  * BAS/c problems[38]

 38. http://thread.gmane.org/gmane.linux.gentoo.devel/24437

======================
5. Gentoo in the press
======================

Gentoo/OpenSolaris media fallout
--------------------------------

"Mixed feelings" best describe the open-source community's assessment of Sun's OpenSolaris release. Regardless of whether they're critical of Sun's move or not, many authors tip their hats to Portaris and the Gentoo/OpenSolaris project as a very interesting aspect of it. Here's a list of press clippings covering both Sun's and Gentoo's announcements from around the world:

  * Sun lays groundwork for OpenSolaris community[39] (Computerworld Australia)
  * Will Sun's 1600 patents suck the life out of Linux?[40] (CNET's David Berlind blogging, contains an interview with Pieter Van den Abeele[41])
  * Split Reactions to Sun's OpenSolaris[42] (Internet News)
  * Gentoo für OpenSolaris angekündigt[43] (Golem.de, in German)
  * Gentoo bald auch für Open Solaris[44] (Austrian daily newspaper Der Standard, in German)
  * Gentoo、パッケージシステムのPortageで"OpenSolaris"をサポート[45] (MYCOM PC Web, in Japanese)
  * Sun、OpenSolarisコミュニティーの基盤を構築[46] (IT Media, in Japanese)
  * 「オープンソースSolaris」への反応は?[47] (ditto)

 39. http://www.linuxworld.com.au/index.php/id;443780237;fp;2;fpid;1
 40. http://blogs.zdnet.com/BTL/index.php?p=978
 41. pvdabeel [at] gentoo
 42. http://www.internetnews.com/dev-news/article.php/3464221
 43. http://www.golem.de/0501/35875.html
 44. http://derstandard.at/?id=1927908
 45. http://pcweb.mycom.co.jp/news/2005/01/25/019.html
 46. http://www.itmedia.co.jp/enterprise/articles/0501/25/news088.html
 47. http://www.itmedia.co.jp/news/articles/0501/27/news024.html

Mad Penguin (25 January 2005)
-----------------------------

"Gentoo done right"[48] is the title for a Mad Penguin article about Vidalinux[49], the Gentoo spinoff installing via RedHat's Anaconda and supplying binaries on a Gentoo core system. The Puerto-Rican distribution - "essentially a stage 3 install" - receives an enthusiastic review, and author Adam Doxtater closes by recommending it "to anyone with a desire to give Gentoo Linux a try but who might not have the time to compile everything from scratch to get a basic system up and running."

 48. http://madpenguin.org/cms/html/47/3321.html
 49. http://www.vidalinux.org

Pro-Linux.de (25 January 2005)
------------------------------

The German online-only Linux magazine features the sales of Genesi's Open Desktop Workstations in an article on PegasosPPC-Workstations with Gentoo preinstalled[50]. Pro-Linux quotes last week's GWN announcement and adds a few notes on the platform in general, identifying - among other things - the ODW as "an Amiga reincarnation."

 50. http://www.pro-linux.de/news/2005/7748.html

===========
6. Bugzilla
===========

Summary
-------

  * Statistics
  * Closed bug ranking
  * New bug rankings

Statistics
----------

The Gentoo community uses Bugzilla (bugs.gentoo.org[51]) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 23 January 2005 and 30 January 2005, activity on the site has resulted in:

 51. http://bugs.gentoo.org

  * 844 new bugs during this period
  * 516 bugs closed or resolved during this period
  * 29 previously closed bugs were reopened this period

Of the 7945 currently open bugs: 109 are labeled 'blocker', 240 are labeled 'critical', and 584 are labeled 'major'.

Closed bug rankings
-------------------

The developers and teams who have closed the most bugs during this period are:

  * Gentoo Games[52], with 34 closed bugs[53]
  * media-video herd[54], with 29 closed bugs[55]
  * Gentoo KDE team[56], with 29 closed bugs[57]
  * Netmon Herd[58], with 28 closed bugs[59]
  * AMD64 Porting Team[60], with 25 closed bugs[61]
  * Gentoo Security[62], with 20 closed bugs[63]
  * Net-Mail Packages[64], with 19 closed bugs[65]
  * Java team[66], with 17 closed bugs[67]

 52. games [at] gentoo
 53. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=games [at] gentoo
 54. media-video [at] gentoo
 55. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=media-video [at] gentoo
 56. kde [at] gentoo
 57. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=kde [at] gentoo
 58. netmon [at] gentoo
 59. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=netmon [at] gentoo
 60. amd64 [at] gentoo
 61. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=amd64 [at] gentoo
 62. security [at] gentoo
 63. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=security [at] gentoo
 64. net-mail [at] gentoo
 65. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=net-mail [at] gentoo
 66. java [at] gentoo
 67. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=java [at] gentoo

New bug rankings
----------------

The developers and teams who have been assigned the most new bugs during this period are:

  * AMD64 Porting Team[68], with 26 new bugs[69]
  * Gentoo X-windows packagers[70], with 14 new bugs[71]
  * Gentoo Kernel Bug Wranglers and Kernel Maintainers[72], with 12 new bugs[73]
  * Gentoo Sound Team[74], with 11 new bugs[75]
  * media-video herd[76], with 11 new bugs[77]
  * Gentoo Linux Gnome Desktop Team[78], with 11 new bugs[79]
  * Java team[80], with 9 new bugs[81]
  * Desktop Misc. Team[82], with 9 new bugs[83]

 68. amd64 [at] gentoo
 69. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=amd64 [at] gentoo
 70. x11 [at] gentoo
 71. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=x11 [at] gentoo
 72. kernel [at] gentoo
 73. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=kernel [at] gentoo
 74. sound [at] gentoo
 75. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=sound [at] gentoo
 76. media-video [at] gentoo
 77. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=media-video [at] gentoo
 78. gnome [at] gentoo
 79. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=gnome [at] gentoo
 80. java [at] gentoo
 81. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=java [at] gentoo
 82. desktop-misc [at] gentoo
 83. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=desktop-misc [at] gentoo

===========================
7. Moves, adds, and changes
===========================

Moves
-----

The following developers recently left the Gentoo team:

  * None this week

Adds
----

The following developers recently joined the Gentoo Linux team:

  * Fernando Serboncini (fserb) - Python
  * Kyle England (kengland) - Infrastructure

Changes
-------

The following developers recently changed roles within the Gentoo Linux project:

  * John Davis (zhen) - Stepped down from Release Engineering Strategic Lead
  * Aaron Walker (ka0ttic) - Joined netmon
  * Daniel Black (dragonheart) - Left embedded - joined ppc and netmon
  * Otavio Rodolfo Piske (AngusYoung) - Joined netmon

====================
8. Contribute to GWN
====================

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email[84].

 84. gwn-feedback [at] gentoo

===============
9. GWN feedback
===============

Please send us your feedback[85] and help make the GWN better.

 85. gwn-feedback [at] gentoo

================================
10. GWN subscription information
================================

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe [at] gentoo

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe [at] gentoo from the email address you are subscribed under.

===================
11. Other languages
===================

The Gentoo Weekly Newsletter is also available in the following languages:

  * Danish[86]
  * Dutch[87]
  * English[88]
  * German[89]
  * French[90]
  * Japanese[91]
  * Italian[92]
  * Polish[93]
  * Portuguese (Brazil)[94]
  * Portuguese (Portugal)[95]
  * Russian[96]
  * Spanish[97]
  * Turkish[98]

 86. http://www.gentoo.org/news/da/gwn/gwn.xml
 87. http://www.gentoo.org/news/nl/gwn/gwn.xml
 88. http://www.gentoo.org/news/en/gwn/gwn.xml
 89. http://www.gentoo.org/news/de/gwn/gwn.xml
 90. http://www.gentoo.org/news/fr/gwn/gwn.xml
 91. http://www.gentoo.org/news/ja/gwn/gwn.xml
 92. http://www.gentoo.org/news/it/gwn/gwn.xml
 93. http://www.gentoo.org/news/pl/gwn/gwn.xml
 94. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
 95. http://www.gentoo.org/news/pt/gwn/gwn.xml
 96. http://www.gentoo.org/news/ru/gwn/gwn.xml
 97. http://www.gentoo.org/news/es/gwn/gwn.xml
 98. http://www.gentoo.org/news/tr/gwn/gwn.xml

Ulrich Plate <plate [at] gentoo> - Editor
Daniel Black <dragonheart [at] gentoo> - Author
Danny van Dyk <kugelfang [at] gentoo> - Author
Patrick Lauer <patrick [at] gentoo> - Author

--
gentoo-gwn [at] gentoo mailing list