Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: GWN

Gentoo Weekly Newsletter 31 January 2005



Gentoo gwn RSS feed   Index | Next | Previous | View Threaded

plate at gentoo

Jan 31, 2005, 4:17 AM

Post #1 of 1 (449 views)
Gentoo Weekly Newsletter 31 January 2005

Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 31 January 2005.

1. Gentoo News

Trusted Gentoo

Initially suggested by Joseph Pingenot[1], the members of Gentoo's crypto
herd have set the goal of Trusted Computing Group (TCG - formerly known as
Trusted Computing Platform Alliance or TCPA[2]) support in Gentoo on the
agenda for the year.
1. http://bugs.gentoo.org/show_bug.cgi?id=35574
2. http://www.research.ibm.com/gsal/tcpa/

TCG is an open standard for hardware specification defining cryptographic
functions (Trusted Platform Module - TPM) that keep private keys away from
system memory. The hardware also provides trusted boot functions (TCG
Software Stack - TSS) that ensure private keys cannot be used if the
operating system changes to an untrusted one.

TSS applications of the TCG architectures that would be desireable for
Gentoo are:

* trusted kernel execution (http://enforcer.sourceforge.net/[3],
* trusted grub execution[5]
* trusted kernel modules
3. http://enforcer.sourceforge.net/
4. http://trousers.sourceforge.net/
5. http://www.prosec.rub.de/trusted_grub.html

TPM allows storing of cryptographic keys in hardware rather than placing
private keys on the filesystem. Examples include:

* unlocking of encrypted filesystems
* OpenSSH server
* SElinux[6]
* Apache
* OpenCA certification authorities[7]
* GnuPG and SSH keychains
6. http://www.finux.org/Reprints/Reprint-Halcrow-OLS2004.pdf
7. http://www.acsac.org/2004/abstracts/81.html

If you are interested in donating hardware or undertaking development in
this area contact Henrik Brix Andersen[8] or Peter Johanson[9]. Developers
will need to work largely independantly, and to have a good understanding
of security architectures and C coding. A TPM emulator that may be of
assistance is available[10].
8. brix [at] gentoo
9. latexer [at] gentoo
10. https://developer.berlios.de/projects/tpm-emulator

Looking for EM64T developers, hardware, and AMD64 "Arch-testers"

The Gentoo/AMD64 team has issued a request for developers who could help
extending support to Intel's x86-64 processors, the EM64T product line.
The devs will need to bring their own hardware and mainly do kernel
testing, since the chipsets on EM64T mainboards are different. Please
contact Jason Huebel[11] if you feel up to helping out with this.
11. jhuebel [at] gentoo

In a separate announcement[12], AMD64 is also looking for "Arch-testers"
or AT's, i.e. non-developers to help iron out bugs and mark applications
stable for a variety of ebuilds already available.
12. http://www.gentoo.org/proj/en/base/amd64/arch-testers-amd64.xml

Gentoo/PPC GameCD released

The PPC team has prototyped the first completely graphical LiveCD for the
PowerPC platform featuring a 3D multiplayer OpenGL/SDL game called
Cube[13]. Designed for the PegasosPPC, a CD variant to run on Macintosh
hardware is already in the works. While the 198 MB GameCD is already
available for download from the mirrors (in the experimental/ppc/livecd
directory), a whole cluster of ODWs running Cube will be part of the
presentations in the Gentoo developer room at FOSDEM[14] in Brussels,
26-27 February 2005.
13. http://cube.sourceforge.net
14. http://www.fosdem.org/

Figure 1.1: Gentoo Linux GameCD for PPC artwork by Christian Hartmann

2. Future Zone

Project goals for 2005

Continuing our coverage of goals set by projects inside Gentoo Linux, this
week we look at the plans of the Hardened group:


* Review of current approach and policies
* Improvement of CFLAGS filtering (especially "-fPIC" and
* Introduce AMD64/Sparc64/PPC64 stages, more hardware in the future as
hardware is aquired
* Improved Grsecurity2 documentation
* Improved and extended SELinux support
* Develop and document RSBAC policies
* More and better documentation of everything
* Assimilate new developers
* Elect new Hardened Committee
* Introduce a forensics and rescue LiveCD
* Support and improve kernel patchsets
* Promote the Gentoo Hardened Project outside of Gentoo and raise
awareness within Gentoo

3. Gentoo security

Konversation: Various vulnerabilities

Konversation contains multiple vulnerabilities that could lead to remote
command execution or information leaks.

For more information, please see the GLSA Announcement[15]
15. http://www.gentoo.org/security/en/glsa/glsa-200501-34.xml

Evolution: Integer overflow in camel-lock-helper

An overflow in the camel-lock-helper application can be exploited by an
attacker to execute arbitrary code with elevated privileges.

For more information, please see the GLSA Announcement[16]
16. http://www.gentoo.org/security/en/glsa/glsa-200501-35.xml

AWStats: Remote code execution

AWStats fails to validate certain input, which could lead to the remote
execution of arbitrary code.

For more information, please see the GLSA Announcement[17]
17. http://www.gentoo.org/security/en/glsa/glsa-200501-36.xml

GraphicsMagick: PSD decoding heap overflow

GraphicsMagick is vulnerable to a heap overflow when decoding Photoshop
Document (PSD) files, which could lead to arbitrary code execution.

For more information, please see the GLSA Announcement[18]
18. http://www.gentoo.org/security/en/glsa/glsa-200501-37.xml

Perl: rmtree and DBI tmpfile vulnerabilities

The Perl DBI library and File::Path::rmtree function are vulnerable to
symlink attacks.

For more information, please see the GLSA Announcement[19]
19. http://www.gentoo.org/security/en/glsa/glsa-200501-38.xml

SquirrelMail: Multiple vulnerabilities

SquirrelMail fails to properly sanitize user input, which could lead to
arbitrary code execution and compromise webmail accounts.

For more information, please see the GLSA Announcement[20]
20. http://www.gentoo.org/security/en/glsa/glsa-200501-39.xml

ngIRCd: Buffer overflow

ngIRCd is vulnerable to a buffer overflow that can be used to crash the
daemon and possibly execute arbitrary code.

For more information, please see the GLSA Announcement[21]
21. http://www.gentoo.org/security/en/glsa/glsa-200501-40.xml

TikiWiki: Arbitrary command execution

A bug in TikiWiki allows certain users to upload and execute malicious PHP

For more information, please see the GLSA Announcement[22]
22. http://www.gentoo.org/security/en/glsa/glsa-200501-41.xml

VDR: Arbitrary file overwriting issue

VDR insecurely accesses files with elevated privileges, which may result
in the overwriting of arbitrary files.

For more information, please see the GLSA Announcement[23]
23. http://www.gentoo.org/security/en/glsa/glsa-200501-42.xml

f2c: Insecure temporary file creation

f2c is vulnerable to symlink attacks, potentially allowing a local user to
overwrite arbitrary files.

For more information, please see the GLSA Announcement[24]
24. http://www.gentoo.org/security/en/glsa/glsa-200501-43.xml

ncpfs: Multiple vulnerabilities

The ncpfs utilities contain multiple flaws, potentially resulting in the
remote execution of arbitrary code or local file access with elevated

For more information, please see the GLSA Announcement[25]
25. http://www.gentoo.org/security/en/glsa/glsa-200501-44.xml

4. Heard in the community

Web forums

New old Portage utility

One of several Portage search utilities, portagedb, has been renamed to
"Ebuild Index" or eix recently. Developer Pythonhead acknowledges that
this alternative to esearch "gets better with every release" and lists eix
in his meta-thread:

* eix - Ebuild IndeX (search utility)[26]
* Portage utilities not in portage[27]
26. http://forums.gentoo.org/viewtopic.php?t=278819
27. http://forums.gentoo.org/viewtopic.php?t=67849

Is the beagle man's best friend?

Slow week in the English sections of the Forums, but the French had a go
at a piece of software comparable to the much-hyped SpotLight[28] that
Apple wants to integrate into their Tiger release of Mac OS X. It appears
that the Mono-based Beagle[29] is not only a completely free Linux
alternative to Apple's real time desktop search, it's also already usable,
at least to a certain degree...
28. http://developer.apple.com/macosx/tiger/spotlight.html
29. http://www.gnome.org/projects/beagle/

* [HOWTO] Installation de Beagle 0.0.5[30] (in French)
30. http://forums.gentoo.org/viewtopic.php?t=286104


Reminder on the ebuild upgrade policy

Jason Wever[31] sent out a reminder about ebuild upgrade policy:
"Recently, there have been a lot of ebuild upgrades with arch keywords
getting dropped completely. Please do not do this unless there is a
specific reason for it (security bug, broken dependencies, see policy),
and if there is a valid reason, please notify the affected arches as to
why you have dropped their keywords."
31. weeve [at] gentoo

* ebuild upgrade reminder[32]
32. http://thread.gmane.org/gmane.linux.gentoo.devel/24740

[RFC] Versioned eclasses

Daniel Goller[33] and Patrick Lauer[34] started a thread asking for
versioned eclasses. This proposal (which is a recurring topic every six
months or so) was burnt to a crisp in one of the largest flamewars the
gentoo-dev mailing list has seen in the last months, and remained
33. morfic [at] gentoo
34. patrick [at] gentoo

* Versioned eclasses[35]
35. http://thread.gmane.org/gmane.linux.gentoo.devel/24677

Gentoo-dev seems to be hacked

Around the same time as the "versioned eclasses" flamewar a second
high-traffic thread developed around signatures, identity and paranoia.
The initial questions around possibly broken signatures got forgotten
while devs and users discussed the problem of identity in mostly
electronical communications and some other tangential questions.

* Gentoo-dev seems to be hacked?[36]
36. http://thread.gmane.org/gmane.linux.gentoo.devel/24377

BAS/c troubles

Ciaran McCreesh[37] pointed out some problems with the new Buildtime and
Statistics client BAS/c. The following thread has lots of good information
for all the ebuild hackers among you how ebuilds should be written (and
some good examples what not to do)
37. ciaranm [at] gentoo

* BAS/c problems[38]
38. http://thread.gmane.org/gmane.linux.gentoo.devel/24437

5. Gentoo in the press

Gentoo/OpenSolaris media fallout

"Mixed feelings" best describe the open-source community's assessment of
Sun's OpenSolaris release. Regardless whether they're critical of Sun's
move or not, many authors tip their hats to Portaris and the
Gentoo/OpenSolaris project as a very interesting aspect of it. Here's a
list of press clippings covering both Sun's and Gentoo's announcements
from around the world:

* Sun lays groundwork for OpenSolaris community[39] (Computerworld
* Will Sun's 1600 patents suck the life out of Linux?[40] (CNET's David
Berlind blogging, contains an interview with Pieter Van den Abeele[41])
* Split Reactions to Sun's OpenSolaris[42] (Internet News)
* Gentoo für OpenSolaris angekündigt[43] (Golem.de, in German)
* Gentoo bald auch für Open Solaris[44] (Austrian daily newspaper Der
Standard, in German)
* Gentoo、パッケージシステムのPortageで"OpenSolaris"をサポート[45] (MYCOM
PC Web, in Japanese)
* Sun、OpenSolarisコミュニティーの基盤を構築[46] (IT Media, in Japanese)
* 「オープンソースSolaris」への反応は?[47] (ditto)
39. http://www.linuxworld.com.au/index.php/id;443780237;fp;2;fpid;1
40. http://blogs.zdnet.com/BTL/index.php?p=978
41. pvdabeel [at] gentoo
42. http://www.internetnews.com/dev-news/article.php/3464221
43. http://www.golem.de/0501/35875.html
44. http://derstandard.at/?id=1927908
45. http://pcweb.mycom.co.jp/news/2005/01/25/019.html
46. http://www.itmedia.co.jp/enterprise/articles/0501/25/news088.html
47. http://www.itmedia.co.jp/news/articles/0501/27/news024.html

Mad Penguin (25 January 2005)

"Gentoo done right"[48] is the title for a Mad Penguin article about
Vidalinux[49], the Gentoo spinoff installing via RedHat's Anaconda and
supplying binaries on a Gentoo core system. The Puerto-Rican distribution
- "essentially a stage 3 install" - receives an enthusiastic review, and
Author Adam Doxtater closes on recommending it "to anyone with a desire to
give Gentoo Linux a try but who might not have the time to compile
everything from scratch to get a basic system up and running."
48. http://madpenguin.org/cms/html/47/3321.html
49. http://www.vidalinux.org

Pro-Linux.de (25 January 2005)

The German online-only Linux magazine features the sales of Genesi's Open
Desktop Workstations in an article on PegasosPPC-Workstations with Gentoo
preinstalled[50]. Pro-Linux quotes last week's GWN announcement and adds a
few notes on the platform in general, identifying - among other things -
the ODW as "an Amiga reincarnation."
50. http://www.pro-linux.de/news/2005/7748.html

6. Bugzilla


* Statistics
* Closed bug ranking
* New bug rankings


The Gentoo community uses Bugzilla (bugs.gentoo.org[51]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 23 January 2005 and 30 January 2005, activity on
the site has resulted in:
51. http://bugs.gentoo.org

* 844 new bugs during this period
* 516 bugs closed or resolved during this period
* 29 previously closed bugs were reopened this period

Of the 7945 currently open bugs: 109 are labeled 'blocker', 240 are
labeled 'critical', and 584 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period

* Gentoo Games[52], with 34 closed bugs[53]
* media-video herd[54], with 29 closed bugs[55]
* Gentoo KDE team[56], with 29 closed bugs[57]
* Netmon Herd[58], with 28 closed bugs[59]
* AMD64 Porting Team[60], with 25 closed bugs[61]
* Gentoo Security[62], with 20 closed bugs[63]
* Net-Mail Packages[64], with 19 closed bugs[65]
* Java team[66], with 17 closed bugs[67]
52. games [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=games [at] gentoo
54. media-video [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=media-video [at] gentoo
56. kde [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=kde [at] gentoo
58. netmon [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=netmon [at] gentoo
60. amd64 [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=amd64 [at] gentoo
62. security [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=security [at] gentoo
64. net-mail [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=net-mail [at] gentoo
66. java [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-01-23&chfieldto=2005-01-30&resolution=FIXED&assigned_to=java [at] gentoo

New bug rankings

The developers and teams who have been assigned the most new bugs during
this period are:

* AMD64 Porting Team[68], with 26 new bugs[69]
* Gentoo X-windows packagers[70], with 14 new bugs[71]
* Gentoo Kernel Bug Wranglers and Kernel Maintainers[72], with 12 new
* Gentoo Sound Team[74], with 11 new bugs[75]
* media-video herd[76], with 11 new bugs[77]
* Gentoo Linux Gnome Desktop Team[78], with 11 new bugs[79]
* Java team[80], with 9 new bugs[81]
* Desktop Misc. Team[82], with 9 new bugs[83]
68. amd64 [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=amd64 [at] gentoo
70. x11 [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=x11 [at] gentoo
72. kernel [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=kernel [at] gentoo
74. sound [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=sound [at] gentoo
76. media-video [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=media-video [at] gentoo
78. gnome [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=gnome [at] gentoo
80. java [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=java [at] gentoo
82. desktop-misc [at] gentoo
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-01-23&chfieldto=2005-01-30&assigned_to=desktop-misc [at] gentoo

7. Moves, adds, and changes


The following developers recently left the Gentoo team:

* None this week


The following developers recently joined the Gentoo Linux team:

* Fernando Serboncini (fserb) - Python
* Kyle England (kengland) - Infrastructure


The following developers recently changed roles within the Gentoo Linux

* John Davis (zhen) - Stepped down from Release Engineering Strategic
* Aaron Walker (ka0ttic) - Joined netmon
* Daniel Black (dragonheart) - Left embedded - joined ppc and netmon
* Otavio Rodolfo Piske (AngusYoung) - Joined netmon

8. Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an
84. gwn-feedback [at] gentoo

9. GWN feedback

Please send us your feedback[85] and help make the GWN better.
85. gwn-feedback [at] gentoo

10. GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-subscribe [at] gentoo

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-unsubscribe [at] gentoo from the email address you are
subscribed under.

11. Other languages

The Gentoo Weekly Newsletter is also available in the following languages:

* Danish[86]
* Dutch[87]
* English[88]
* German[89]
* French[90]
* Japanese[91]
* Italian[92]
* Polish[93]
* Portuguese (Brazil)[94]
* Portuguese (Portugal)[95]
* Russian[96]
* Spanish[97]
* Turkish[98]
86. http://www.gentoo.org/news/da/gwn/gwn.xml
87. http://www.gentoo.org/news/nl/gwn/gwn.xml
88. http://www.gentoo.org/news/en/gwn/gwn.xml
89. http://www.gentoo.org/news/de/gwn/gwn.xml
90. http://www.gentoo.org/news/fr/gwn/gwn.xml
91. http://www.gentoo.org/news/ja/gwn/gwn.xml
92. http://www.gentoo.org/news/it/gwn/gwn.xml
93. http://www.gentoo.org/news/pl/gwn/gwn.xml
94. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
95. http://www.gentoo.org/news/pt/gwn/gwn.xml
96. http://www.gentoo.org/news/ru/gwn/gwn.xml
97. http://www.gentoo.org/news/es/gwn/gwn.xml
98. http://www.gentoo.org/news/tr/gwn/gwn.xml

Ulrich Plate <plate [at] gentoo> - Editor
Daniel Black <dragonheart [at] gentoo> - Author
Danny van Dyk <kugelfang [at] gentoo> - Author
Patrick Lauer <patrick [at] gentoo> - Author

gentoo-gwn [at] gentoo mailing list

Gentoo gwn RSS feed   Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.