
Contributors:
. Aaron W. Swenson
. Agostino Sarubbo
. Alec Warner
. Alex Alexander
. Alex Legler
. Alexey Shvetsov
. Alexis Ballier
. Alistair Bush
. Amadeusz Żołnowski
. Andreas K. Hüttel
. Andreas Proschofsky
. Andrew Gaffney
. Anthony Basile
. Arun Raghavan
. Bernard Cafarelli
. Bjarke Istrup Pedersen
. Brent Baude
. Brian Harring
. Christian Ruppert
. Chí-Thanh Christopher Nguyễn
. Constanze Hausner
. Dane Smith
. Daniel Gryniewicz
. David Abbott
. Denis Dupeyron
. Detlev Casanova
. Diego E. Pettenò
. Domen Kožar
. Donnie Berkholz
. Doug Goldstein
. Eray Aslan
. Fabio Erculiani
. Gentoo Haskell Herd
. Gentoo News
. Gilles Dartiguelongue
. Greg KH
. Hanno Böck
. Hans de Graaff
. Ian Whyman
. Ioannis Aslanidis
. Jan Kundrát
. Jeffrey Gardner
. Jeremy Olexa
. Joachim Bartosik
. Joe Peterson
. Johannes Huber
. Jonathan Callen
. Jorge Manuel B. S. Vicetto
. Joseph Jezak
. Josh Saddler
. José Alberto Suárez López
. Kenneth Prugh
. Krzysiek Pawlik
. Lance Albertson
. Liam McLoughlin
. LinuxCrazy Podcasts
. Luca Barbato
. Luis Francisco Araujo
. Marcus Hanwell
. Mark Kowarsky
. Mark Loeser
. Markos Chandras
. Markus Ullmann
. Mart Raudsepp
. Matt Turner
. Matthew Marlowe
. Matthew Thode
. Matthias Geerdsen
. Matti Bickel
. Michal Hrusecky
. Michal Januszewski
. Michał Górny
. Mike Doty
. Mike Gilbert
. Mike Pagano
. Mounir Lamouri
. Mu Qiao
. Nathan Zachary
. Ned Ludd
. Nirbheek Chauhan
. Ole Markus With
. Olivier Crête
. Pacho Ramos
. Patrick Kursawe
. Patrick Lauer
. Patrick McLean
. Paul de Vrieze
. Paweł Hajdan, Jr.
. Petteri Räty
. Piotr Jaroszyński
. Rafael Goncalves Martins
. Raúl Porcel
. Remi Cardona
. Richard Freeman
. Robert Buchholz
. Robin Johnson
. Romain Perier
. Ryan Hill
. Sean Amoss
. Sebastian Pipping
. Serkan Kaba
. Steev Klimaszewski
. Steve Dibb
. Stratos Psomadakis
. Stuart Longland
. Sune Kloppenborg Jeppesen
. Sven Vermeulen
. Sven Wegener
. Thilo Bangert
. Thomas Anderson
. Tim Sammut
. Tiziano Müller
. Tobias Heinlein
. Tobias Klausmann
. Tobias Scherbaum
. Tomáš Chvátal
. Torsten Veller
. Vikraman Choudhury
. Zack Medico
. Zhang Le

Last updated:
August 05, 2012, 14:31 UTC

Disclaimer:
Views expressed in the content published here do not necessarily represent the views of Gentoo Linux or the Gentoo Foundation.



Powered by:
Planet Venus

Welcome to Gentoo Universe, an aggregation of weblog articles on all topics written by Gentoo developers. For a more refined aggregation of Gentoo-related topics only, you might be interested in Planet Gentoo.

August 05, 2012
Gentoo Website survey 2012 launched (August 05, 2012, 10:07 UTC)

Building a website that fits the needs of users and editors alike is hard. That's why the Gentoo PR team would like to ask you a few questions about our websites, mainly www.gentoo.org, but also about our other sites.

Take the survey now

Thanks for your time and interest in making our website experience better!

Gentoo Screenshot Contest 2012 (August 05, 2012, 10:07 UTC)

After the success of the 2011 Screenshot Contest the Contest Team is doing it again!

Gentoo users, developers, and staffers are encouraged to submit their sweetest screenshots. This year likewhoa went all out and put together a custom CMS for us to use for the contest. Please head over to the 2012 Contest Page for all of the details.

You can visit this forum post for comments and suggestions. OK enough talk, get started tricking out that desktop.

Today, the most ambitious Free Software event of the Czech Republic officially opens registration! We've got an awesome event in store for you, with sessions on all major subjects in Free Software and around it. Entry will be free of charge for everyone, and we'll give you four events AND a bonus track for that money! One of the events will be our very own Gentoo Miniconf 2012.

We hope to see you all in Prague on October 20-23 2012!

Theo Chatzimichos provided the draft for this announcement.

x32 ABI release candidates (August 05, 2012, 10:07 UTC)

We are pleased to announce the initial x32 release candidate. This is a new ABI for amd64 platforms that aims to marry the best of both worlds: smaller pointers from 32bit x86 with more registers and enhanced instructions from 64bit x86_64. All you need to get started is Linux 3.4!

For more information, please check out the Gentoo developer mailing list.

ARM v6+ stages switching to hardfp (August 05, 2012, 10:07 UTC)

From now on, we are defaulting ARMv6 and ARMv7 targets to hardfp. Since the ARM definition for these cores mandates vector floating point units, it would be silly to continue defaulting these to soft float. This also keeps us in sync with the cross-distro standardization that is occurring in the ARM space.

More specifically, ARMv6 targets will default to "vfp" while ARMv7 targets will default to "vfp3-d16". This will cause upgrade pains for existing installs, and that makes us sad, but we're looking at the long term here. Updated stages should be available already.

If you have any questions, please consult the Gentoo embedded mailing list.

If you've always wanted to visit the lovely city of Prague, here's a reason to finally do it: On October 20th and 21st the city is going to be hosting numerous open-source related conferences, including the Gentoo Miniconf.

This is a great opportunity to meet each other and hack on Gentoo together.
We're going to have a room just for ourselves to discuss, give presentations and workshops, do some ebuild hacking, and much much more.
Thanks to the other conferences we're co-hosted with, we expect lots of local and international visitors who can enjoy plenty of talks for all levels of Gentoo proficiency.

For more information, please visit the conference website which provides details about all the events that are going to take place.
Information specific to the Gentoo Miniconf can be found on our website.

Call for papers started
If you would like to give a presentation, hold a workshop or lead a BoF session, please hand in your session proposals. The registration deadline for the CfP is August 1st.

We hope to see you all in Prague this October!

Theo Chatzimichos provided the draft for this announcement.

Usually we bring you news in writing. This time we have something special though: Gentoo developer Jeff Horelick talked to Randal Schwartz and Aaron Newcomb of FLOSS Weekly, a podcast about free and open source software.

You can listen to the recording on the podcast's website.

Gentoo at LinuxTag 2012 in Berlin (August 05, 2012, 10:07 UTC)

LinuxTag 2012 runs from May 23rd to May 26th in Berlin, Germany. With more than 10,000 visitors last year, it is one of the biggest Linux and open source events in Europe.

You will find the Gentoo booth at Hall 7.2b, Booth 273. Come and visit us! You will meet many of our developers and users, talk with us, plus get some of the Gentoo merchandise you have always wanted.

Gentoo at FOSSCOMM 2012 (August 05, 2012, 10:07 UTC)

What? FOSSCOMM 2012

When? 12 to 13 May 2012

Where? Technological Educational Institute of Serres, Greece

FOSSCOMM 2012 is almost here, and Gentoo will be there!

Check out our Gentoo presentation and workshop on DistCC/CrossDev. We will have a booth with Gentoo promo stuff, flyers, stickers, badges, live CD's, DVD's and much more! Whether you're a developer, user, or simply curious, be sure and stop by. See you there!

Dimitris Papapoulios and Pavlos Ratis contributed the draft for this announcement.

Students, only a few days remain to apply for Gentoo's 7th year in the Google Summer of Code! GSoC pays college students $5000 to work full-time on an open-source project for a summer. Check out our GSoC 2012 homepage if you are interested in this year's GSoC for Gentoo. We particularly encourage applications from students who are new to Gentoo development—many of our students become Gentoo developers after a successful summer.

Interested students can browse Gentoo's project ideas. Student applications will be accepted until 1900 UTC April 6, so start now if you haven't already!

Developers, if you'd like to apply to be a mentor, you can do so on the webapp. Please read the mentoring guide before applying.

August 04, 2012
Nathan Zachary a.k.a. nathanzachary (homepage, stats, bugs)
Wine tasting review – 04 August 2012 (August 04, 2012, 23:52 UTC)

At the Saturday tasting today, the wines were all in the 90+ point category, so it made for some great choices! Four of the wines were from the West Coast of the United States (three from California and one from Washington), and one was from Argentina. I didn’t leave with any of them today, but one in particular was quite nice. As a quick sidebar, there isn’t a photo this week because apparently I couldn’t hold the camera steady whilst taking the photo; sorry about that.

The first wine was a 2011 Riesling from Columbia Valley, Washington. Known as Poet’s Leap, it was the 90-point recipient from Long Shadows Winery. It was a light golden colour at the edge, and nearly clear when viewed straight on. It had very few legs, but the ones that were there were thick and slow-running. There was a great peach flavour, and I picked up some hints of honey in the mid-palate and at the finish.

The second offering was Domaine Eden’s 2009 Chardonnay. Receiving 90 points from Wine Spectator, it exhibited a light yellow colour throughout. To me, the acidity was light, and the wine was not as crisp as the previous Riesling. Interestingly, this wine reminded me of a potato soup that I had at a nice restaurant several months ago. I believe that it was likely due to the combination of the buttery mouth feel and the mild flavour of dill.

The third pour was the 2008 ‘Q’ Malbec from Zuccardi Wines, and it received 91 points from The Wine Advocate – E. Robert Parker. Zuccardi is the largest family-owned estate vineyard in Argentina, and they have been producing for over 40 years. It had a medium garnet colour with medium, quick legs. There were hints of plum and some mild spice that came through to me. However, I thought that it had an almost astringent mouth feel, and that the finish was a bit dull.

The fourth wine was the 2009 Tanbark Hill Cabernet Sauvignon from producer Philip Togni, and it received 93 points from The Wine Advocate. It had a deep red colour that was nearing purple, and thick, slow legs. There was a mild spiced scent of cloves, and a fantastic finish that had hints of smoke, tobacco and, to me, some black olive. Though I didn’t purchase it today, it was my favourite by a long shot.

The final pour of the day was 2008 ‘Muldoon’ (which is a Syrah [57%] and Grenache [43%] blend) from Grey Stack Cellars, which took home 92 points from the Wine Spectator. It had a deep red centre, with a medium red edge. It was a bit cloudy, but that is due to the producer using absolutely no filtering or fining, and as such, it had some nice depth. There was a beautiful cigar and suede scent to it, but those aromas didn’t seem to manifest themselves in terms of flavour to me. Instead, I picked up a heavy blackberry flavour. Along with it came a very heavy mouth feel and a huge punch of fruit at the finish. It was nice, but a bit tannic given the age. I think that it will be fantastic in about four or five years.

Cheers,
Zach

This seems obvious to many of you, but a lot of people have asked me in the past how to test toolchain components and be sure not to break anything.

As usual, we start by testing the single package with multiple USE combinations. Don't expect it to work with USE="vanilla"; for those who don't know, that flag's description reads:

Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically

If the various tests pass without build failures, you should now try to recompile your system to check whether the new package breaks something:
emerge -e system

If there are failures, check whether they are related to what you are testing (e.g. don't post zlib failures when you are testing binutils). If you don't know how to work out what causes a failure, just poke a developer on IRC.

If you have a powerful machine, or it would otherwise be idle, feel free to rebuild the entire world.
Obviously, for any failures, file a bug and make it block the stabilization bug or the tracker.
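The "try every USE combination" step above is tedious to do by hand, so here is an added example (not from the original post) that enumerates the combinations and runs one test build per combination. It assumes Portage's `emerge --oneshot` and `FEATURES=test`; the EMERGE variable is a hypothetical hook so the loop can be dry-run with `EMERGE="emerge --pretend"` or replaced by a stub when trying the script out.

```shell
#!/bin/sh
# Added example, not the original post's commands.  Assumes Portage's
# `emerge --oneshot` and FEATURES=test; EMERGE is a hypothetical override
# (e.g. EMERGE="emerge --pretend" for a dry run, EMERGE=true for a stub).

# use_matrix FLAG...: print every combination of the given flags, one per
# line, each flag written as "flag" (enabled) or "-flag" (disabled).
# With no flags it prints a single empty line, i.e. "build with defaults".
use_matrix() {
    total=1
    for flag in "$@"; do total=$((total * 2)); done
    mask=0
    while [ "$mask" -lt "$total" ]; do
        line=""
        bit=1
        for flag in "$@"; do
            # bit N of mask decides whether flag N is on or off
            if [ $((mask & bit)) -ne 0 ]; then
                line="$line $flag"
            else
                line="$line -$flag"
            fi
            bit=$((bit * 2))
        done
        printf '%s\n' "${line# }"
        mask=$((mask + 1))
    done
}

# test_package ATOM FLAG...: rebuild ATOM once per USE combination with the
# package's own test suite enabled (FEATURES=test), logging each build to its
# own file.  Prints a PASS/FAIL line per combination and returns the number
# of failed combinations, so 0 means every combination built and passed.
test_package() {
    atom=$1
    shift
    failed=0
    while IFS= read -r combo; do
        # one log per combination; everything outside [A-Za-z0-9_.] becomes '_'
        log="build-$(printf '%s' "$atom $combo" | tr -c 'A-Za-z0-9_.' '_').log"
        if USE="$combo" FEATURES="test" ${EMERGE:-emerge} --oneshot "$atom" >"$log" 2>&1; then
            echo "PASS USE=\"$combo\" $atom"
        else
            echo "FAIL USE=\"$combo\" $atom (see $log)"
            failed=$((failed + 1))
        fi
    done <<EOF
$(use_matrix "$@")
EOF
    return "$failed"
}

# Typical use: test_package =sys-devel/binutils-2.22 vanilla nls multitarget
# Then, as the post says, emerge -e system and look at what breaks.
```

Each failing combination leaves its build log behind, which is what you attach to the bug (or use to decide the failure belongs to a different package) before moving on to the `emerge -e system` step.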

August 03, 2012
Nathan Zachary a.k.a. nathanzachary (homepage, stats, bugs)
Ip Man review (August 03, 2012, 23:13 UTC)

I’ve been an Amazon Prime member for quite some time now, but one aspect that I don’t use nearly often enough is the Prime videos on demand. This past week, I took advantage of the free films that were available and watched one entitled Ip Man. I thought it was a little unusual that a martial arts film would have such high ratings, and considering I was in the mood for something like it, I decided to give it a go. I was very pleasantly surprised!

Ip Man - Donnie Yen

The film focuses on Yip Man (also spelled Ip Man), who was a martial artist in the southern Chinese town of Foshan. Foshan was known as one of the primary kung fu hubs for many decades, and many travelled there in order to learn from one of the many masters who opened martial arts schools in the city.

Even though there were several inaccuracies about Ip Man’s life (which were likely there for cinematic effect and drama), much of the story was factual and based during the Second Sino-Japanese War (taking place from 1937 to 1945). During that time, the Japanese were infiltrating regions of China and attempting to enforce their cultural beliefs and systems. Though I’m unsure if Foshan was one of the targeted cities, or if Ip Man really had any influence on the war, it was fascinating to get a little bit more background regarding an event about which I essentially knew nothing.

Yip Man studied the martial art of Wing Chun, and trained many students throughout his career. Amongst those students was the very well-known Bruce Lee. Having not read anything about the film before I watched it, I actually didn’t know that until right at the end as the credits were starting to roll.

As I said, the film was surprisingly good! I expected just another martial arts show, but this one had a great story (no matter how embellished it may have been regarding his life, the war, et cetera), some great drama, and nice cinematography in spots. The only problem was that the version to which I had access was dubbed instead of subtitled, and the voices were a bit distracting. In any case, I would recommend you watch it. It’s not the most exceptional film I’ve ever seen, but it was entertaining, and provided some perspective on a historical event. I would say that it’s deserving of 7 stars:


Cheers,
Zach

Robin Johnson a.k.a. robbat2 (homepage, stats, bugs)
Making transparent PDFs in Linux (August 03, 2012, 22:15 UTC)

Just documenting this again, so I don't forget it, and it might help others too.

Specifically, how to make a PDF with transparency using ImageMagick, so that it can be used as a stamp for PDFTK. This requires a PNG with transparency as input: the first command turns white into transparency and keeps the background empty, the second overlays the result on every page of the form.

convert "$INPUT.PNG" -transparent white -background none "$OUTPUT.PDF"
pdftk "$FORM.PDF" stamp "$OUTPUT.PDF" output "$COMPLETED_FORM.PDF"

Always looking for arch tester(s) (August 03, 2012, 20:23 UTC)

We are always looking for new arch testers.

Simple answers to possible questions:
1) What should you do? You should test packages on a specific architecture in a stable environment.

2) Do you also use ~arch packages? No problem, there is a way to set up a stable chroot.

3) You don't believe you have the skill to do it? Wrong. You will be ‘guided’ to do excellent work, so it is an opportunity to ‘grow’.

What you need is love for Gentoo and time to devote.

This post is not related only to amd64; you can contribute with any architecture you are using.
To join, for amd64, feel free to contact me (via mail) and/or read
1) FAQ
2) Official Page

If you are using an arch other than amd64, contact me as well; I will guide you the right way.

Nathan Zachary a.k.a. nathanzachary (homepage, stats, bugs)
Fortune cookie wisdom part IV (August 03, 2012, 00:17 UTC)

It’s that time again, where I’ve accumulated far too many of those little scraps of paper wisdom from fortune cookies. Before reading these little Confucian tidbits, you may want to check out parts I, II, and III (which are all examples that I eat far too much Asian food ;) ).

Anyway, here are the ones from the past few weeks:

  • They say you are stubborn; you call it persistence.
  • There are a lot of bumps on the road to easy street.
  • Opportunities multiply as they are seized; they die when neglected.
  • Never confuse a single defeat with a final defeat.
  • Those who can endure most are rewarded most.
  • The most beautiful adventures are not those we go to seek.
  • Our brightest blazes of gladness are commonly kindled by unexpected sparks.
  • Our life is the creation of our mind.

I thought that these ones provided a good mix of existentialism, Eastern philosophy, and internal versus external perspective. The first one is something that I say all the time when discussing doctoral programmes–you don’t need to be intelligent, you just need to be stubborn (or the more nicely connoted “persistent”). I am particularly fond of the penultimate one though, as I have found it to be true throughout my own life, and sometimes personal anecdote turns something sterile and cold into something rich and warm.

Cheers,
Zach

August 01, 2012
Tim Sammut a.k.a. underling (homepage, stats, bugs)
Bundled Software Security: OSCON Slides (August 01, 2012, 18:50 UTC)

I was lucky enough to be selected to present on bundled third-party software security at OSCON 2012 in Portland. This was a great opportunity for me to speak more openly about a topic that I quite enjoy and that consumes a large portion of my day job.

In that session I speak to some of the most common challenges with managing the product, application or service impact of bundled third-party software (TPS) security. I see those challenges as:

  • Knowing Where TPS is Used
  • Understanding Dependencies
  • Inconsistent Package Naming
  • Unmanageable Selection Processes
  • Learning of Vulnerabilities
  • Inconsistent Fixes
  • External Development Partners

I also speak to potential remedies such as standardization and bug database instrumentation. We’ve posted the slides from this session online on slideshare.net.

Many thanks to my friends on the Cisco Security Marketing team for posting them.

Check it out and let me know what you think!

July 31, 2012
Nathan Zachary a.k.a. nathanzachary (homepage, stats, bugs)
Ice Age 4: Continental Drift – review (July 31, 2012, 22:47 UTC)

Not all that long ago, a friend and I went to see Ice Age 4: Continental Drift in the theatre. I was a little iffy about it, seeing as it is the fourth part of the series. It has been my experience that by the fourth instalment, the cast, story, and humour have been overplayed. However, the newest Ice Age film was packed with as much action, plot, and laughter as its predecessors!

Ice Age 4 - Continental Drift - crew on a boat

Manny, Diego, and Sid set out on another adventure, but this time, they have to find their way back to land. Due to the actions of a particularly mischievous saber-toothed squirrel, the land starts to separate (which, by the way, is a far better explanation of continental drift than is tectonic plate shifting ;-) ) and split away from its state of Pangaea. The three find themselves setting sail on an iceberg, not knowing which way will get them back home. On their way, they face treacherous storms, a band of pirates attempting to rule the open seas, and arguably worst of all, Sid’s Granny (voiced by the incredible Wanda Sykes).

As with the previous Ice Age films, this one was packed with hysterical one-liners. I don’t want to give away any of the great ones, but I will mention the one that was in the trailer (as you’ve likely already seen that). During one of the storms at sea, a gigantic crab lands on the iceberg on which the crew are stranded. Sid gets a look of terror on his face, points upward, and exclaims “HOLY CRAB!” The play on words was great, and I hope that the writers found a way to preserve the humour when translating the film into other languages.

Ice Age 4 - Continental Drift - HOLY CRAB

Anyway, don’t be worried about seeing the latest release in the Ice Age tetralogy (or quadrilogy if you like to follow the industry’s diction) thinking that it won’t live up to the rest of the series; it definitely does!

Cheers,
Zach

Matthew Thode a.k.a. prometheanfire (homepage, stats, bugs)

Disclaimer

  1. Keep in mind that ZFS on Linux is not fully supported.
  2. I don't care much for hibernate; normal suspend works.
  3. This is for a laptop/desktop, so I chose multilib.
  4. If you patch the kernel to add ZFS support directly, you cannot share the resulting binary: the CDDL and GPLv2 are not compatible in that way.

Initialization

Make sure your installation media supports ZFS on Linux and can install whatever bootloader is required (UEFI needs media that supports it as well). You can use the Gentoo LiveDVD (look for 12.1 or newer for the ZFS part); then, if you need to install the bootloader via UEFI, you can use one of the latest Fedora CDs. This is the method I used on my 2011 MacBook Pro, because Apple hardware is 'special'. You can install your system normally up until the formatting begins.

Formatting

I will be assuming the following.

  1. /boot on /dev/sda1
  2. cryptroot on /dev/sda2
  3. swap inside cryptroot OR not used.

When using GPT for partitioning, create the first partition at 1M, just to make sure you are on an aligned sector boundary (this pairs with the ashift=12 below).

General Setup

#setup encrypted partition
#-s/--key-size 512 gives AES-256 in XTS mode; note that -l is --keyfile-size, a different option,
#and would leave the master key at cryptsetup's 256-bit default
cryptsetup luksFormat -s 512 -c aes-xts-plain64 -h sha512 /dev/sda2
cryptsetup luksOpen /dev/sda2 cryptroot

#setup ZFS
zpool create -f -o ashift=12 -o cachefile= -O normalization=formD -m none -R /mnt/gentoo rpool /dev/mapper/cryptroot
zfs create -o mountpoint=none -o compression=on rpool/ROOT
#rootfs
zfs create -o mountpoint=/ rpool/ROOT/rootfs
zfs create -o mountpoint=/opt rpool/ROOT/rootfs/OPT
zfs create -o mountpoint=/usr rpool/ROOT/rootfs/USR
zfs create -o mountpoint=/var rpool/ROOT/rootfs/VAR
#portage
zfs create -o mountpoint=none rpool/GENTOO
zfs create -o mountpoint=/usr/portage rpool/GENTOO/portage
zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/GENTOO/distfiles
zfs create -o mountpoint=/usr/portage/packages -o compression=off rpool/GENTOO/packages
#homedirs
zfs create -o mountpoint=/home rpool/HOME
zfs create -o mountpoint=/root rpool/HOME/root

cd /mnt/gentoo

#Download the latest stage3 and extract it (check it against the signed .DIGESTS.asc next to it before extracting).
wget ftp://gentoo.osuosl.org/pub/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened/stage3-amd64-hardened-*.tar.bz2
tar -xf /mnt/gentoo/stage3-amd64-hardened-*.tar.bz2 -C /mnt/gentoo

#get the latest portage tree
emerge --sync

#copy the zfs cache from the live system to the chroot
mkdir -p /mnt/gentoo/etc/zfs
cp /etc/zfs/zpool.cache /mnt/gentoo/etc/zfs/zpool.cache

Kernel Config

If you are compiling the modules into the kernel statically, then keep these things in mind.

  • When configuring the kernel, make sure that CONFIG_SPL and CONFIG_ZFS are set to 'Y'.
  • Portage will want to install sys-kernel/spl when emerge sys-fs/zfs is run because of dependencies. Also, sys-kernel/spl is still necessary to make the sys-fs/zfs configure script happy.
  • You do not need to run or install module-rebuild.
  • There have been some updates to the kernel/userspace ioctl since 0.6.0-rc9 was tagged.
    • An issue occurs if newer userland utilities are used with older kernel modules.

Install as normal up until the kernel install.

echo "=sys-kernel/genkernel-3.4.40 ~amd64       #needed for zfs and encryption support" >> /etc/portage/package.accept_keywords
echo "=sys-apps/openrc-0.9.9.3 ~amd64           #needed for zfs support" >> /etc/portage/package.accept_keywords
echo "=sys-kernel/gentoo-sources-3.5.0 ~amd64   #needed for non-module zfs" >> /etc/portage/package.accept_keywords
emerge sys-kernel/genkernel
emerge sys-kernel/gentoo-sources

#patch the kernel (these are plain-HTTP downloads piped straight into patch; read them before applying)
wget http://dev.gentoo.org/~prometheanfire/dist/kernel-patches/linux-3.5.0-gfp-vmalloc.patch -O - | patch -p1 -d /usr/src/linux

#If you want to build the modules into the kernel directly, you will need to patch the kernel directly.  Otherwise, skip the next two patch commands.
wget http://dev.gentoo.org/~ryao/dist/linux-3.5.0-zfs.patch -O - | patch -p1 -d /usr/src/linux
wget http://dev.gentoo.org/~prometheanfire/dist/kernel-patches/linux-3.5.0-zfs-builtin.patch -O - | patch -p1 -d /usr/src/linux

#finish configuring, building and installing the kernel

#if not building zfs into the kernel, install module-rebuild
emerge module-rebuild

#install SPL (needed for ZFS)
echo "=sys-kernel/spl-0.6.0_rc9-r2 ~amd64       #needed for zfs support" >> /etc/portage/package.accept_keywords
emerge sys-kernel/spl

#install zfs utils
echo "=sys-fs/zfs-0.6.0_rc9-r6 ~amd64           #needed for zfs support" >> /etc/portage/package.accept_keywords
emerge sys-fs/zfs

# Add zfs to the correct runlevels
rc-update add zfs boot
rc-update add zfs-shutdown shutdown

#initrd creation, add '--callback="module-rebuild rebuild"' to the options if not building the modules into the kernel
genkernel --luks --zfs --disklabel initramfs

Finish installing as normal. Your kernel line should look like this, and you should also have the initrd defined.

#kernel line for grub2; libzfs support is not needed in grub2 because /boot is on its own partition (/dev/sda1),
#so grub2 never reads the pool itself: the initramfs opens the LUKS container and imports the pool.
linux  /kernel-3.5.0-gentoo real_root=ZFS=rpool/ROOT/rootfs crypt_root=/dev/sda2 dozfs=force ro
initrd /initramfs-genkernel-x86_64-3.5.0

In /etc/fstab, make sure the BOOT, ROOT and SWAP lines are commented out, then finish the install.

You should now have a working encrypted ZFS install.
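Two checks worth running against the install above, as an added example that is not part of the original post: one confirms the downloaded stage3 matches the SHA512 entry in its .DIGESTS file (the step the guide fetches with a wildcard and never verifies), the other reads `cryptsetup luksDump` output and confirms the container really was formatted with a 512-bit master key, XTS mode and SHA-512, which is the mistake the `-l` versus `-s` confusion would otherwise hide. Assumptions: coreutils `sha512sum` and `awk` are available, the .DIGESTS file uses the "# SHA512 HASH" marker followed by "<hex>  <file>" lines, and luksDump prints the LUKS1 "Cipher name:", "Cipher mode:", "Hash spec:" and "MK bits:" fields. The luksDump excerpts in the block are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not the original post's commands.  Assumes coreutils
# sha512sum and awk, the Gentoo .DIGESTS layout ("# SHA512 HASH" marker,
# then "<hex>  <file>" lines) and LUKS1 luksDump field names.

# verify_stage3_digest FILE DIGESTS: compare sha512sum of FILE with the entry
# for its basename in DIGESTS.  Returns 0 on match, 1 on mismatch or when no
# SHA512 entry exists.  Run `gpg --verify` on the .DIGESTS.asc first: the
# digest proves the download is intact, the signature proves where it came from.
verify_stage3_digest() {
    file=$1
    digests=$2
    name=$(basename "$file")
    want=$(awk -v name="$name" '
        /^# SHA512 HASH/ { grab = 1; next }   # lines until the next marker are SHA512 entries
        /^#/             { grab = 0 }
        grab && $2 == name { print $1; exit }
    ' "$digests")
    if [ -z "$want" ]; then
        echo "no SHA512 entry for $name in $digests" >&2
        return 1
    fi
    have=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$have" != "$want" ]; then
        echo "SHA512 mismatch for $name" >&2
        return 1
    fi
    return 0
}

# check_luks_header [CIPHER] [MODE] [HASH] [BITS]: read `cryptsetup luksDump`
# output on stdin and confirm the container matches the luksFormat line in
# the guide (AES, xts-plain64, sha512, at least a 512-bit master key).
# Returns 0 when everything matches, 1 otherwise, naming each mismatch.
check_luks_header() {
    want_cipher=${1:-aes}
    want_mode=${2:-xts-plain64}
    want_hash=${3:-sha512}
    want_bits=${4:-512}
    cipher="" mode="" hash="" bits=""
    while IFS= read -r line; do
        case "$line" in *:*) ;; *) continue ;; esac
        key=${line%%:*}
        val=$(printf '%s' "${line#*:}" | tr -d ' \t')   # strip the padding after the colon
        case "$key" in
            "Cipher name") cipher=$val ;;
            "Cipher mode") mode=$val ;;
            "Hash spec")   hash=$val ;;
            "MK bits")     bits=$val ;;
        esac
    done
    rc=0
    [ "$cipher" = "$want_cipher" ] || { echo "cipher: got '$cipher', want $want_cipher" >&2; rc=1; }
    [ "$mode" = "$want_mode" ]     || { echo "mode: got '$mode', want $want_mode" >&2; rc=1; }
    [ "$hash" = "$want_hash" ]     || { echo "hash: got '$hash', want $want_hash" >&2; rc=1; }
    [ "${bits:-0}" -ge "$want_bits" ] 2>/dev/null || { echo "key size: got '${bits:-?}' bits, want >= $want_bits" >&2; rc=1; }
    return $rc
}

# Constructed luksDump excerpts (not captured from a real system).  The first
# is what the corrected luksFormat line (-s 512) produces; the second is what
# you get when the key size is left at the 256-bit default, e.g. by passing
# -l (--keyfile-size) instead of -s (--key-size).
LUKS_DUMP_OK='Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
MK bits:        512'

LUKS_DUMP_WEAK='Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
MK bits:        256'

# On the real system:
#   f=$(ls stage3-amd64-hardened-*.tar.bz2)
#   gpg --verify "$f.DIGESTS.asc" && verify_stage3_digest "$f" "$f.DIGESTS.asc"
#   cryptsetup luksDump /dev/sda2 | check_luks_header
```

The clearsigned .DIGESTS.asc keeps the digest lines intact, so after `gpg --verify` succeeds it can be passed straight to `verify_stage3_digest`; do the LUKS check before copying any data into the pool, since a key-size mistake can only be fixed by reformatting the container.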

July 30, 2012
Nathan Zachary a.k.a. nathanzachary (homepage, stats, bugs)

I have been a big fan of Celldweller, since the self-titled release in 2003. Just a few weeks ago, Klayton released the newest Celldweller album, entitled Wish Upon a Blackstar. There was a Deluxe Edition that was only available through FiXT, and it featured a second disc with all instrumentals presented in a different order.

Celldweller - Wish Upon a Blackstar cover

1. The Arrival – No score
As it is just the introductory track, and is only 35″ long, there’s not much to it. It’s just a neat blend of sound effects, but probably could have just been tacked on to the beginning of It Makes no Difference who we Are.

2. It Makes no Difference who we Are – 8 / 10
The track starts with a neat guitar plucking melodramatically. Klayton’s vocals are doubled, which has a really awesome effect, and sounds like there’s another vocalist as well. It then picks up with a neat delayed synth and some high-frequency bends in the background. Overall, a neat trance-style rock start to the album.

3. Blackstar – 8 / 10
With a significantly faster tempo, Blackstar picks up right where the previous track left off (there’s even a lyrical throwback toward the end). Combining a lot of neat breaks, digital effects, and guitars, this track sounds a bit more like Celldweller’s self-titled album. The digitised choir in the background is a really cool deviation from the norm.

4. Louder than Words – 9 / 10
More guitar driven than the other two previous tracks, this song provides a nice balance of rock and dubstep beats. The chorus, even with the somewhat cliché lyrics of “Actions speak louder than words do,” is very catchy. There really isn’t a definitive bridge of this song, which makes the flow a bit monotonous and trance-like, but it is seamless in execution.

5. The Lucky One – 8 / 10
This song has a slight retro-rock feel to it, but is mixed with a heavy front of electronica. The lyrics in the verses are very interesting, if not a bit trite by comparison to some of his earlier work. Musically, though, the track is one of the better ones in the first half of the album (and it finally gets heavier). The track does seem experimental, but it works for the most part.

6. Unshakeable – 10 / 10
This track starts off with a prominent electronica and beats feel, and has a great tempo accented by the synthed percussion. The chorus is glitchy and very much a mix of dubstep sounds (almost like 12th Planet or Skrillex) and the Blue Stahli-esque scream of “Unshakeable.” In fact, this track actually sounds more like the work of Blue Stahli than Klayton, yet he manages to put his own spin on it.

7. I can’t Wait – 8 / 10
Again, this track shows a musical shift toward the glitchy dubstep sounds presented in the chorus of Unshakeable. It transitions abruptly into a fast-paced guitar assault, coupled with equally quick beats, and piercing lyrics. There’s a neat pseudo guitar solo and some pitch-bending during the bridge that slides into the final chorus.

8. Eon – 10 / 10
One of the harder songs on the album, Eon is in the vein of Celldweller’s self-titled album that I liked so much. The difference is that Klayton shows how he’s really refined his overall sound since then. There’s a great ~2-minute bridge in the middle of the track, with several builds and breakdowns, that lends to the song’s epic nature (and makes it one of my favourites on the album).

9. So Long Sentiment – 8 / 10
This track starts out with a guitar slam and a bunch of pitch bending thereof, which fades into Klayton singing over very subtle atmospheric sounds in the background. The chorus really just adds some quick beats to the background sounds, and the guitar riffs make the occasional appearance throughout. The bridge revisits the subtleties that were presented at the start, and the song finishes with an iteration of the chorus. Though it doesn’t have a huge amount of musical variability, it makes for a great trance-style track which makes for awesome background music.

10. Gift for You – 7 / 10
This song is introduced by some female whispers about having a “gift” to give, and some haunting effects. Klayton’s lyrics in this song are killer, especially when he talks about the gifts that he has in return. Musically, it is very subdued and provides a chilled feeling, especially when coupled with the message.

11. The Seven Sisters – 7 / 10
This track continues with the digital “wah wah” that has carried through many of the other tracks on the album, and the higher-frequency melody line from earlier songs makes a comeback. It doesn’t really pick up musically, so I would group it in the same category as the other “trance” songs on the album.

12. The Best it’s gonna Get – 7 / 10
Starting off in the trance style of the previous track, this one progresses into a heavier chorus that is guitar-driven. Thereafter, there is some fast-tempo picking mixed with a bunch of synth and some neat 4/4 beats. The vocals follow the same type of patterns that were in The Lucky One, which seems a little dissonant when paired with the flow of the music.

13. Memories of a Girl I haven’t Met – No score
At only 1″ in length, this track manages to be really thought-provoking both in its title and lyrics. Since it is really just an interlude, though, I don’t think it should have a score.

14. Birthright – 10 / 10
Starting off with fast plucking and some standard drum beats, Birthright continues one of the coolest tracks from Klayton’s previous album Soundtrack for the Voices in my Head, Vol. 1. He has really changed a few aspects of the arrangement, and they were all great! This song has a really neat combination of synthesised orchestral instruments, pounding guitars, and glitchy effects.

15. Tainted – 5 / 10
With a darker introduction than many of the other tracks, Tainted sounds a little overproduced in terms of the dubstep effects. I can’t really figure out a particular element of the song that I dislike, but I just find it too dissonant for my liking.

16. Against the Tide (10 / 10)
The last full-length track on the album, Against the Tide starts with the ocean sounds, a very traditional piano piece, some strings, and Klayton’s vocals. It then picks up tempo, and adds some electronic-rock elements, but fades back into the opening solemnity. The multiple transitions back and forth between these two styles make for a really moody track, which is something I had missed throughout many of the other songs on the album.

17. The Departure (no score)
Though a little longer than the 35″ introduction, the outro doesn’t add all that much to the album in my opinion. I think that it should have simply ended with the fading out of Against the Tide.

Though I don’t particularly care for this album nearly as much as the self-titled one from years ago, it is still quite good. I was hoping for something similar in style, but this album focused more on the electronica than on the mix thereof with metal. That being said, it still has some highlights and I think that it is worth a few listens. The points total to 115 / 140, which is ~8.2 or 8 stars.


Liam McLoughlin a.k.a. hexxeh (homepage, stats, bugs)
Chromium OS for Raspberry Pi – first look (July 30, 2012, 21:36 UTC)

This is quite some way from being usable, so don’t get too excited, but I wanted to share where I’m up to with porting Chromium OS to the Raspberry Pi. Here’s a shot of a Pi running Chromium OS sat at the login screen:

A little under two weeks ago, I began offering Chromium binaries that run on the Pi. Using these same patches, plus the Raspberry Pi overlay that made it into the Chromium OS source tree some weeks ago, I’ve built an image that will run on the Raspberry Pi. By run, I mean you can boot up and browse pages. Browse them really, really slowly. This is because there’s no graphical acceleration, once we have that in place I expect this to run reasonably well.

I’m chipping away at adding in the required code to have the UI GPU accelerated, but it’s really not an area I know much about and so progress is slow. If you’re interested in getting this running, I may possibly set up some kind of bounty to get the code written; get in touch with me for more details (contact details are linked at the top of this page, @Hexxeh is usually best). My current plan is to remove X from the stack completely and run Chromium directly. However, this means making Chromium dispman-aware, which is easier said than done.

Given the state that this is in, I’m not going to be providing an image, since it’s really so slow it’s not of use to anyone. The code is all publicly available, though, so somebody else could. Hopefully somebody will actually improve the state of things rather than releasing this raw version.

Sabayon on Amazon EC2 (July 30, 2012, 21:11 UTC)

During the last week, while I was enjoying my vacations, I’ve also had a lot of fun preparing a new EC2-friendly kernel (and sources) based off our kernel git repo (which is based on Linus’ kernel tree + some patches like the BFQ scheduler, fbcondecor and aufs3).

The outcome of my puzzle game (trying to figure out why an instance doesn’t boot on EC2 is like solving puzzles at times) is that sys-kernel/ec2-sources and sys-kernel/linux-ec2 (precompiled binaries) are now available on the sabayon-distro overlay and the Sabayon Entropy repository “sabayonlinux.org”.

As you may expect, I rapidly started to get bored again. For this very simple reason, and since I always wanted to have a fallback website/webservices infra ready on EC2 (in case of a disaster), I started cooking an EBS-backed AMI, copying the current Virtual Machine snapshots from our backup server.

As you may expect, I rapidly started to get bored once again. So, I prepared a molecule .spec file that automatically creates a ready-to-go ext4-based Sabayon Server filesystem image tarball ready to be dumped into a spare EBS volume. Once you have an EBS volume you just need to snapshot it and create the AMI from there (fyi).

As you may expect, I was getting bored of course. So I started preparing a “BuildBot” AMI that could be launched programmatically (say, from a cronjob) and once started (@reboot cronjob target is <3), attaches an existing EBS volume containing a Sabayon chroot, runs equo update && equo upgrade and other stuff, then detaches the volume, makes a snapshot, creates a versioned AMI.
Yes, boring stuff deserves a lot of bash scripting; it can’t be otherwise. In this way, I can continuously build updated Sabayon AMIs for EC2 without much human intervention (of course the BuildBot AMI mails back to me the upgrade result (both stderr and stdout)).
If anybody is interested in my “BuildBot” scripts, just drop a line here.

I don’t know yet where to go from here, but you may be interested in reading this wiki entry: “Sabayon on EC2”. Moreover, you may also be interested in knowing that the aforementioned filesystem image tarballs are already available on Sabayon mirrors, inside the iso/daily directory.

You can have a look at the currently available Sabayon AMIs here:


Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Kickstarting the Integrity subproject (July 30, 2012, 19:34 UTC)

Now that Gentoo Hardened has its integrity subproject, I started with writing down the concepts (draft – will move to the project site when finished!) used within the subproject: what is integrity, how does trust fit into this, what kind of technologies will we look at, etc. I’m hoping that this document will help users in positioning this project as well as already identify a few areas that I think we need to work on.

The guide starts with talking about hashes (since hashes are often used in integrity validation schemes), continuing towards HMAC (for authenticated hashes) and signed HMAC digests (for better protection of the cryptographic keys while verifying the integrity). It already talks a bit about trust (and trust chains) and how it works in both ways (top-down and bottom-up – the latter especially when considering you are running services on platforms you do not manage yourself).
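
To make the hash-versus-HMAC distinction concrete, here is an added example of my own (not code from the integrity guide or from Gentoo Hardened): a plain hash manifest and an HMAC manifest over a constructed set of files, checked after offline tampering by someone who can edit the disk but does not hold the key. The signed-digest step the guide mentions is not shown.

```python
"""Added example (my code, not the integrity guide's): why a plain hash
manifest only detects accidents while an HMAC manifest detects tampering."""
import hashlib
import hmac

# Constructed sample "filesystem": path -> contents (not real Gentoo files).
FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/login": b"\x7fELF constructed placeholder for a binary\n",
}
# Constructed verification key; on a real host it must live off-box or in
# hardware (the signed-digest step the guide mentions is not shown here).
DEMO_KEY = b"constructed-demo-key"


def build_hash_manifest(files):
    """Plain SHA-256 per file: anyone able to rewrite a file can also
    recompute its entry, so this only catches accidental corruption."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}


def build_hmac_manifest(files, key):
    """HMAC-SHA256 per file: recomputing an entry requires the key."""
    return {p: hmac.new(key, d, hashlib.sha256).hexdigest()
            for p, d in files.items()}


def verify_hash_manifest(files, manifest):
    """Return sorted paths whose current SHA-256 differs from the manifest."""
    return sorted(p for p, d in files.items()
                  if hashlib.sha256(d).hexdigest() != manifest.get(p))


def verify_hmac_manifest(files, manifest, key):
    """Return sorted paths whose HMAC does not match; constant-time compare
    so the check itself does not leak how much of the digest matched."""
    bad = []
    for p, d in files.items():
        actual = hmac.new(key, d, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, manifest.get(p, "")):
            bad.append(p)
    return sorted(bad)


def offline_tamper(files, hash_manifest, hmac_manifest):
    """Model the offline-tampering case: a file is rewritten by someone who
    can edit the disk but does not hold DEMO_KEY. The plain-hash entry is
    simply recomputed; the HMAC entry cannot be, so it is left untouched."""
    tampered = dict(files)
    tampered["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"
    forged_hash = dict(hash_manifest)
    forged_hash["/etc/ssh/sshd_config"] = hashlib.sha256(
        tampered["/etc/ssh/sshd_config"]).hexdigest()
    return tampered, forged_hash, dict(hmac_manifest)


if __name__ == "__main__":
    h = build_hash_manifest(FILES)
    m = build_hmac_manifest(FILES, DEMO_KEY)
    t, fh, fm = offline_tamper(FILES, h, m)
    print("hash manifest flags:", verify_hash_manifest(t, fh))
    print("hmac manifest flags:", verify_hmac_manifest(t, fm, DEMO_KEY))
```

The plain-hash check reports nothing after the tampering, while the HMAC check flags the rewritten file; a wrong key fails every entry, which is why the key itself needs the protection the guide goes on to discuss.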

I will be working further on this, describing how the trusted computing group’s vision and the trusted platform module standard they developed fits into this as a possible implementation of trust validation (hopefully without getting to the religious part of it) as well as giving first highlights on other technologies we will look at as well.

July 29, 2012
24 hours with CM10 on SGS2 (July 29, 2012, 21:50 UTC)

Yesterday I took the leap and installed the CyanogenMod 10 preview for the Samsung Galaxy S2. The installation went fine and the backup/restore process were less of a pain than when I last performed a wipe/factory reset. Here is a quick summary so far.

The Good:

  • Almost everything seems to work fine. No more FCs like on CM9RC1.
  • K9 Mail restore went fine with AppExtractor.
  • Google Now works and is fun to play with...
  • Keyboard also seems better and now closer to the Apple keyboard in precision.

The Bad:

  • Wifi doesn't work for me using WPA2. Issue reported here. So it's a bit expensive on the data subscription.
  • Voice recognition in Google Now is not working very well for my voice/pronunciation.
  • Voice recognition for local places is almost useless here in .dk.
  • Traffic card in Google Now only supports navigation by car or public transportation and not by bike or on foot.
  • Gallery is not syncing with Picasa.
  • Battery life is very poor like CM9.

Though the Bad list is long I'll keep this as my daily driver from now on.

July 28, 2012
Steve Dibb a.k.a. beandog (homepage, stats, bugs)
freebsd (July 28, 2012, 05:53 UTC)

I’ve started looking at FreeBSD at work this week, because I was reading some blog posts about how MySQL performs well on a combination of that and ZFS together.  I haven’t gotten around to getting ZFS setup yet, but I have been looking into FreeBSD as an OS a lot, and so far, I like it.

This makes the second distro in the past year that I’ve really started to seriously look into, the other one being Ubuntu.  I’m still trying to wrap my head around the whole FreeBSD design structure and philosophy, and for now I’m having a hard time summing it up.  In my mind, it kind of feels like a mashup of functionality between Gentoo and Ubuntu.  I like that there is a set group of packages that are always there, kind of like Ubuntu, but that you can compile everything from source, like Gentoo.

What has really surprised me is how quickly I’ve been able to pick it up, understand it, and already work on getting an install up and running.  I think that having patience is probably the primary reason there.  Figuring out how things work hasn’t really been that hard, but I say that because of past Linux experience that has helped me figure out where to look for answers more easily.  That is, when I get stuck on something, I can usually figure it out just by guessing or poking around with little effort.

Years ago, if I would have looked at any BSD, I would have been asking “why?”  I still don’t know why I’m looking at it, other than I believe it’s not a good idea to put all your eggs in one basket.  At work we already support CentOS, Gentoo and Ubuntu, and it’d be awesome to add FreeBSD to the list.

I’m really enjoying it so far.  It’s easy to install packages using the ports system.  I tried going the route of binary packages at first, but that wasn’t working out so well for me.  Then I tried mixing ports and packages, and that wasn’t doing too great either, so I switched to just using ports for now.

The only thing I don’t like so far is how it’s kind of hard to find what I’m looking for.  I totally chalk that up to me being a noob, and not as any real flaw of the distro or its documentation — I just don’t know where to look yet.  Fortunately, ‘whereis’ has saved me a lot of time.

The system seems familiar enough and easy to use for me, coming from a Linux background.  In fact, I really can’t find many differences.  The things I have noticed are that it uses much less memory, even on old underpowered boxes, and that it is relatively quick out of the box.  I never would have guessed that.

I’m curious to see how ZFS integrates into the system, if at all.  I like the filesystem, and its feature set, but that’s about it for now (I got to play with it a bit as we had a FreeNAS install for a few months).  If it’s a major pain to integrate it, I’m probably not going to push for it right now — I’m content with riding out the learning curve until I feel more comfortable with the system.

So, all in all, it’s cool to find something different, that doesn’t feel too different, but still lets me get my head in there and figure out something new.

If you guys know of any killer apps to use on here, let me know.  I’m kind of wishing I had an easier way to install stuff using ports aside from tromping through /usr/ports manually looking for package names.


July 26, 2012
Andreas K. Hüttel a.k.a. dilfridge (homepage, stats, bugs)

There's very good news: our first Regensburg article on carbon nanotube nano-electromechanical systems, "Magnetic damping of a carbon nanotube NEMS resonator", was just accepted for publication by New Journal of Physics.
Let me give you a short introduction to what we've been working on here. A very exciting discovery some time ago was that at low temperatures (T<0.1K) mechanical resonators made from single-wall carbon nanotubes show very large quality factors Q. That means that, once vibrating, they store energy for a long time, and the vibration decays only very slowly - a piano string with a similar Q would sound for over five minutes after hitting the key!
Now this has all sorts of interesting side effects. It's so easy to keep the vibration going that it basically runs on its own once a current passes through the device and some prerequisites are given. The device switches between different stability regions, and the usually very predictable transport spectroscopy pattern of a carbon nanotube quantum dot gains strange shapes and sharp edges.
Amazingly, as soon as you apply a magnetic field, this effect is all gone again, and the transport spectrum becomes regular. The overall current does not change significantly, so our tunnel rates should not be influenced too much by the magnetic field. Which means, according to the theory, that our magnetic field has to tune the second available "knob", the quality factor Q of the mechanical vibration. And indeed if we now drive the system with a radio-frequency signal, we see that the resonance becomes broader in frequency in a high magnetic field - the quality factor decreases.
So what's the damping mechanism? Actually, that is pretty straightforward. In a magnetic field, the vibrating nanotube acts as an ac voltage source, generating a small voltage the same way as a macroscopic ac generator. In addition, high-frequency signals can be transmitted capacitively between, say, parallel cables. Consequently a small ac current flows across a parasitic circuit with a ~100kOhm resistance somewhere, which dissipates energy; the resulting upper limit for Q scales with 1/B². We can compare this model with our observed Q(B), and see a very nice agreement. Effectively, we've built the world's smallest eddy current brake!

"Magnetic damping of a carbon nanotube NEMS resonator"
D. R. Schmid, P. L. Stiller, Ch. Strunk, and A. K. Hüttel
accepted for publication by New Journal of Physics; arXiv:1203.2319 (PDF)

July 25, 2012
Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Gentoo Hardened on the move (July 25, 2012, 22:41 UTC)

Gentoo Hardened is thriving and going forward. For those that don’t exactly know what Gentoo Hardened is – it is a Gentoo project dedicated to bringing Gentoo into a shape ready for highly secure, high stability production server environments. This is what we live by, and why we do what we do. To accomplish this goal, we use a great community of developers & users that work on several subprojects: the implementation of kernel hardening features such as grSecurity, memory-based protection schemes such as PaX, toolchain updates to harden against buffer overflows and memory attacks, mandatory access control schemes such as SELinux and RSBAC.

In Gentoo Hardened we then integrate these technologies in Gentoo Linux so that it is usable by a larger community, well documented and supported. I myself am working heavily on the SELinux integration & documentation aspects, and am hoping to contribute even further – but more about that in a minute.

Today, we had an online meeting where developers present their current “state of affairs” and the upcoming things they are going to work on. This is done about once every month in the IRC chat channel #gentoo-hardened on the freenode network. Of course, most of the developers are available on the chat channel on an (almost) daily basis.

Today’s meeting gave us feedback on the following (and mind you, this is one month of volunteer-driven work)…

Toolchain

When we talk about the toolchain, we mean the set of tools and libraries needed to build a (hardened) system. We put most focus on the GCC compiler because it contains most of the changes we support (like stack smashing protection, position independent code/executable changes, etc.) but work on libraries like glibc and uclibc is under way as well.

Zorry (yeah, I’m going to use nicknames here so you know who you’re talking to on IRC ;-) is working on getting our patches upstream (meaning that the main GCC development can incorporate our patches). Sending and working together with the main projects is very important as it provides not only continuity on the patches (once they are upstream, more people are maintaining the code than just you/us), but also gives a multi-eye view on the code: is it of high quality? Does it comply with the proper security guidelines? What about impact of the code on things we don’t or haven’t considered yet?

On the library part, blueness (one of our Gentoo Hardened developers and – imho – an expert in many fields) has been working on Hardened support on ARM (armv7a) with uclibc. He has put up stage4 files for armv7a softfloat uclibc hardened and is working on those for hardfloat. This means that ARM with uclibc+hardened or ARM with glibc+hardened are working – he has even tested an xfce4 desktop on ARM with uclibc and hardened toolchain.

ARM support is becoming more and more important in the technology field. Other major processor players like SPARC, Itanium, PowerPC, … are slowly seeing less and less market share, whereas ARM – albeit currently still a very small player – is rapidly gaining momentum. You all know ARM from the smartphones and other embedded-like platforms, but ARM on servers is coming faster than you expect. Being a simple platform with low energy consumption and good commercial backing (both on CPU level as well as platform support), we can see ARM becoming a major player on this – and Gentoo Hardened is actively working towards it.

Kernel

Within Gentoo Hardened, we support the grSecurity and PaX kernel patches for a more hardened Linux kernel. But this additional hardening can also sometimes interfere with the normal functioning of systems. To help users in their configuration quest, grSecurity allows users to select a few “prebuilt configuration types” in the kernel build.

Previously, these types were one of the following labels: “virtualization”, “workstation” or “server”. Based on these labels, the security settings that did not negatively affect the functioning of the system were selected. Recently, the labels have changed into a question-based configuration: Is it a server or not? Will you use it for virtualization and if so, on host or guest? Is performance for you more important than security? These questions are now also integrated in our hardened-sources.

While working and testing one of the kernel settings (KERNEXEC – kernel non-executable pages, to protect non-code containing memory pages from being used to run (potentially hostile/injected) code from) in a virtualized environment, prometheanfire (another Gentoo Hardened developer) noticed a possible regression on the performance of guests if the host had KERNEXEC set. A severe performance hit is to be expected if the host processor doesn’t support hardware-assisted nested page tables (a method for supporting memory page virtualization), but this also seemed to occur on systems with nested page tables (/proc/cpuinfo flag ept for Intel, or rvi for AMD). So more testing (from others as well) is therefore needed to confirm and work on this.

SELinux

One of Gentoo Hardened’s subprojects (and one I’m most actively working on) is its support for SELinux or Security Enhanced Linux. It offers a Mandatory Access Control implementation for Linux, ensuring that users cannot change the security settings that an administrator has set (which is Discretionary Access Control if they can), but also enforcing that services/processes cannot be forced to do things they are not meant to do. This provides reasonable protection against things like remote code execution exploits, or just limits what an administrator wants particular processes to do. With SELinux, you can even define roles to properly identify and segregate tasks, providing a method for “segregation of duties” on OS level.

Anyway, as I said, Gentoo Hardened is actively working on SELinux integration. First of all is stages support (providing a small, deployable system unit that users can use to install a SELinux-enabled system) as currently, users are forced to switch to SELinux after having installed Gentoo, which is a multi-step approach. By offering stages, we can simplify the deployment of Gentoo Hardened SELinux. Currently, building stages works but requires some manual steps (labeling mostly) which need to be removed before we can automatically build stages. The next steps here are to see if we can build SELinux stages on non-SELinux systems (as all we need is to link the proper files with the SELinux-supporting libraries, which should work regardless of SELinux being enabled or not). The fact that users need to relabel their system during deployment is just a minor inconvenience (and a one-command fix, so easy to document too).

Another item of progression made is a SELinux-enabled (well, Gentoo Hardened grSecurity with PaX and SELinux enforcing enabled) virtual image called “selinuxnode”. This Qemu/KVM image is a simple Gentoo base installation but with those security features already enabled, allowing users to take a first look at SELinux before trying it out on their own system. But this image has the potential (and now roadmap ;-) to become much more:

  • Provide a play-ground for users to test things in. Try out hammering the SELinux policy, or reproducing potential issues before reporting them (to make sure they are easily reproducible).
  • Become a Proof-of-Concept location for new enhancements: not only updates on SELinux, but also on other hardening measures and technologies that Gentoo Hardened can support. Implementing the technologies in the VM allow other developers to test and work on it without needing to sacrifice one of their own systems.
  • Become the main system for educational (course-like) documentation. If we develop HOWTO documents, using this VM as a base allows users to follow the instructions to the letter and try things out while keeping the documentation consistent. The documentation can, in the future, also contain instructions that users need to follow as a sort-of test. At the end of the test, a simple script can easily verify on the VM if the test was finished successfully or not.

Even further down the road, it might evolve into a system for building appliance-like, hardened services based on Gentoo Hardened. But that’s a milestone too far for now. But you can always dream ;-)

On the SELinux policy development side, I have recently been focusing on two aspects: the change towards /run (which already required a few “urgent” updates and will probably need a lot more) as well as confining popular attack surfaces like browsers. Not many SELinux users run their browser in a confined space, but I personally don’t run anything in unconfined domains and feel that browsers are too popular in the security area to not pay attention to. So I’m struggling to have the browsers (first focus is Chromium as that one has an open bug for it, and Firefox because that is my main browser platform) fully confined yet still flexible enough (using SELinux booleans) to support users that have other wishes on their browsers.

Speaking of policy development, in the meeting it was also brought forward to support a change of stabilization of SELinux policies from the standard 30 days towards a 14-day stabilization period. In most cases, this doesn’t harm users as policies are usually enhanced (allow something that was denied before) and less about reducing privileges (as it is quite hard to find out why a rule was enabled in the first place, hence our reluctant approach to “quickly” update policies). For such updates, we’re suggesting a 14-day stabilization period, while retaining 30 days for larger updates such as domain policy rewrites (which are sometimes needed if an application changes too much – think init and systemd – or when it is segregated into multiple parts that each need (or can have) their own SELinux domain).

Finally, we gave a quick update on our status for upstream support (as I mentioned before, having patches supported and accepted upstream is very important for us): we have 116 changesets to the policy in comparison with the 20120215 refpolicy release (which is our “upstream”). Of those changesets, 45 have been accepted and implemented upstream, 12 are pending. 55 have not been sent yet (because they still need work or more documentation before they can be accepted) and 4 will not be sent (mostly because they are gentoo-only or deviate from upstream’s acceptance guidelines but fit in Gentoo’s approach).

grSecurity’s PaX

Blueness worked on the xattr pax support implementation (using extended attributes to store and manage the PaX flags, rather than using the ELF header changes used in the past) within Gentoo Hardened. This is now production-ready, so the proper tools will be made generally available shortly whereas the older method (mainly chpax) will be decommissioned in the very near future.

PaX markings allow the Linux kernel to toggle specific PaX settings on or off for processes so that the general state of the system can use the PaX protections while a small set of programs that cannot work with these settings (often binary software or third party software, but some self-built software can have difficulties with PaX as well) can run without them (or with a lower set). This is much more flexible than an all-or-nothing approach. By using extended attributes, managing these markings can be done without modifying the binaries themselves. In Gentoo, proper support is also given through the paxctl-ng.eclass so developers can automatically set markings at deploy-time when needed.

Profiles

In Gentoo, users select “profiles” as a way to define the defaults for their system. Profiles define stuff like the default kernel, C library, specific USE flags, toolchain, etc. For instance, users that want to use a Gentoo Hardened system with SELinux on an x86_64 system with no-multilib (all 64-bit only) select the hardened/linux/amd64/no-multilib/selinux profile.

In the last few weeks, blueness has been working on the uclibc-related profiles (hardened/linux/uclibc/${ARCH}) using a clean slate. Gentoo supports profile inheritance, so you can “stack” one profile on top of the other. This is great for manageability, but when the profile is to support systems that are quite different from what Gentoo developers are used to, it makes sense to use a clean setup and start from there. And this is the case for hardened uclibc systems.

System integrity subproject

At this meeting the initial kick-off (after approval) was given of a new hardened subproject called system integrity. This project will focus on the implementation and support of integrity-related technologies such as (well, mainly) Linux IMA/EVM and its supporting userspace utilities and documentation. Integrity validation & enforcement is an important aspect of system security and, since I already work with SELinux, I feel this is a natural improvement (since you need a MAC to enforce runtime security and use integrity to enforce detection and prevention of offline tampering).

We have great plans with IMA/EVM here, and can hopefully introduce the first few steps towards it in the selinuxnode virtual image soon ;-)

Documentation

Of course, technologies are great, but documentation is always needed (even if nobody reads it (sic)). I have been documenting hardening of some settings/services using the XCCDF/OVAL languages (part of the SCAP set of standards) since not only do they provide the means to generate guides (we can generate guides in every language, XCCDF is probably the least flexible of them all) but they also support the validation of the settings in an automated manner.

By using XCCDF/OVAL-supporting software such as Open-SCAP (app-forensics/openscap in Gentoo) you can interpret these guides in an unattended manner, generating reports on the state of your services compared to these guides, and even have specific profiles (one system uses a different set of hardening guidelines than another). Since Gentoo Hardened is about supporting secure & stable production environments, it is logical that we can offer best practices on how to handle Gentoo-provided/supported services. And by using these within the SCAP standard, the guides might even be leveraged further than a regular online HOWTO could.

And all that from one project?

Not really. Gentoo Hardened here plays several roles: integrator for technologies that are managed in other (free software) projects, and development for technologies or settings that are either specific to Gentoo or not available to the public to the extent Gentoo Hardened believes is needed. You must understand this is possible thanks to the tremendous effort that all these projects perform. Gentoo Hardened here plays the role that every Linux distribution has: making all these technologies and advancements fit in a way that the users can easily work with it – integrated and well supported.

Thanks to the free software nature though, Gentoo Hardened does more than what “commercial integrators” do when they deal with closed, proprietary software: it updates the code, improves it and brings it back for broader re-use. As such, it also acts a bit as a developer within those projects to assist them in their quest. And in my book, users are more likely to believe in an integrator that can react code-wise rather than using workarounds or “helping create a service request”.

The full excerpts of this meeting (the meeting minutes – well, actually an IRC chat log excerpt) will be sent out soon by the Gentoo Hardened project lead, Zorry. Big thanks to him (and the rest of the crew) to make all this happen! I love to be part of it, and hope I can remain so for a long, long time.

Edit: RSBAC, not grSecurity’s RBAC.

Greg KH a.k.a. gregkh (homepage, stats, bugs)
Ask a Kernel Maintainer (July 25, 2012, 19:27 UTC)

I've been writing an occasional "Ask a kernel maintainer" column on the lwn.net weekly kernel page. It's been a while since I last wrote one, so I figured it's time to start it up again.

So, consider this an open request for questions that you've always wondered, but never knew who to ask, or how to find the answer to, that you have had about the Linux kernel.

Note, any question that can easily be answered by reading either the Documentation/HOWTO or Documentation/SubmittingPatches or Documentation/CodingStyle files in the Linux kernel source code is not eligible. You should read them first before asking.

Please email them to me or post them in this Google+ thread, and I'll work over the next few weeks to answer them in the column.

July 24, 2012
Tomáš Chvátal a.k.a. scarabeus (homepage, stats, bugs)
Slowly going nuts (July 24, 2012, 08:24 UTC)

Gentoo dictionaries are slowly making me lose it… I got to 31 transferred myspell dictionaries which use upstream versioning scheme and have proper homepages. It still leaves behind 15 of those I didn’t find out anywhere or didn’t sort out the complexity of available resources (eg 3 different tarballs to fetch from 3 different sites with insane versioning).

As it takes around 1-2 hours to just figure this s*it out for one mutation, PLEASE, if you speak any of the following crazy languages, help me out by figuring it out for me and sending me an ebuild (enough inspiration in the tree on how to write that darn ebuild) or at least instructions on how to obtain the dict/hyph/thes set. The only help that I won’t be able to use is the one that uses extensions.openoffice.org, as they screwed up the downloads to have fancy IDs (I think I explained that in one of my previous blogs) so it is not possible to track updates nor verify that we are downloading the proper file (putting the version number into the provided files is for pussies right?).

Note that English is a bit of a special friend. It has various mutations and each has its special versioning and homepage, so I will have to split that one out when I have a free afternoon someday.

app-dicts/myspell-cy
app-dicts/myspell-en
app-dicts/myspell-ga
app-dicts/myspell-hr
app-dicts/myspell-hu
app-dicts/myspell-ia
app-dicts/myspell-mi
app-dicts/myspell-mk
app-dicts/myspell-ms
app-dicts/myspell-pl
app-dicts/myspell-ru
app-dicts/myspell-sw
app-dicts/myspell-tn
app-dicts/myspell-zu

Now for the more fun stuff. Libreoffice 3.6 is shaping up nicely and the 3.6.9999 ebuild should be safe to consume now as the 3.6.0 release is imminent (around 5th August). Try it with your unholy CFLAGS combos and report if something explodes for you. There is still time to merge some build fixes. Remember that the test phase is still not fixed (I should just disable it for this release as I won’t prolly have time to fix it before 3.7) so run with FEATURES="-test" if you enable those by default.

July 22, 2012
Josh Saddler a.k.a. nightmorph (homepage, stats, bugs)
new album: distance (July 22, 2012, 20:55 UTC)


distance by ioflow

it’s been a few months since my last album. here’s the new one. four tracks, recorded one per day. these are the final pieces of my year-long creative one-a-day, which began in july 2011 and ended in july 2012.

this album was recorded and produced entirely with gentoo linux, using JACK timemachine and audacity, which are available in portage.

released 7/22/2012. free download. solo acoustic piano improvisations. four tracks plus wallpaper-sized album art. thanks for listening.

Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Dynamic transitions in SELinux (July 22, 2012, 19:11 UTC)

In between talks on heap spraying techniques and visualization of data for fast analysis, I’m working on integrating the chromium SELinux policy that was offered in bug #412637 within Gentoo Hardened. If you take a look at the bug, you will notice I’m not really fond of the policy because it uses dynamic transitions. That’s not something the policy writer can do anything about if he can’t access the source code of the application, though, since it means that the application is SELinux-aware and will trigger transitions itself when it sees fit.

So what’s this dynamic transitioning? Well, in short, it means that a process can decide to switch domains whenever it pleases (hence the dynamic part) instead of doing so on fork/exec. Generally, that sounds like a flexible feature, and it is. But it’s also dangerous.

Dynamic transitions might seem like a way to enhance security: the application knows it is about to run a “dangerous” or riskier piece of code, so it transitions to another domain with fewer privileges, and once the risky code has finished it transitions back to the main domain. The problem is that the same process stays alive throughout. SELinux decides what a domain may do to objects outside the process (files, sockets, other processes); it cannot see or prevent what happens inside the process’s own address space, so whatever the risky code did to memory remains, regardless of whether the context transitions back or not. Assume some code is injected while the process is in the transitioned domain (which is not allowed to execute other applications). The moment the process transitions back to the main domain, which is allowed to execute applications, that injected code is still there, can become active and do its thing with the main domain’s privileges. A transition on exec does not share this weakness: execve() replaces the whole address space, so nothing the old image left in memory survives into the new domain.

This is why I didn’t allow the original code (which ran chromium in the main user domain and used dynamic transitions towards chromium_renderer_t) to be used, asking to confine the browser itself within its own domain too (chromium_t) so that we have a clearer view on the allowed privileges (which is the set of the chromium domain and the renderer domain together). It is that policy that I’m now enhancing to work on a fully confined system (no unconfined domains).

If you want to know more about dynamic transitions, the blog post Subject & Object Tranquility, part 2 (and don’t forget to read the comments too) seems to be a fine read.
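As an added example (not code from this post, from the bug, or from the Gentoo Hardened policy), here is a small shell audit that asks the loaded policy where dynamic transitions are permitted at all. A dynamic transition only succeeds if the policy grants the source domain the dyntransition permission on the process class for the target domain, so enumerating that permission lists every place a SELinux-aware program could switch context, and the pairs that can switch there and back are exactly the pattern discussed above. It assumes sesearch(1) from setools and the two output shapes noted in the comments; the sample rules in the block are constructed, not taken from a real policy.

```shell
#!/bin/sh
# Added example, not code from the post or from the Gentoo Hardened policy:
# list the domain pairs that the loaded SELinux policy allows to switch
# context dynamically (the "dyntransition" permission on the process class
# that setcon(3) needs), and the pairs that can go there and back.
#
# Assumptions: sesearch(1) from setools is installed, and its allow-rule
# output is one rule per line in one of these two shapes:
#   allow src_t tgt_t : process { dyntransition sigkill } ;   (setools 3)
#   allow src_t tgt_t:process { dyntransition };              (setools 4)

# Constructed sample rules for the demo; they are not taken from any policy.
SAMPLE_RULES='allow user_t chromium_renderer_t : process { dyntransition sigkill } ;
allow chromium_renderer_t user_t : process dyntransition ;
allow user_t user_t : process { fork transition dyntransition } ;
allow sshd_t user_t : process { transition siginh } ;
allow init_t initrc_t:process { dyntransition };'

# Read allow rules on stdin, print "source target" for each one that
# grants dyntransition.
dyntrans_pairs() {
    awk '
        /^allow / && /dyntransition/ {
            src = $2
            tgt = $3
            sub(/:.*/, "", tgt)   # drop ":process" when glued to the target
            print src, tgt
        }
    ' | sort -u
}

# Keep only pairs "A B" where "B A" is also allowed: a process may leave A
# for a (supposedly less privileged) B and come back to A in the same
# address space, carrying along whatever happened to its memory while in B.
round_trips() {
    dyntrans_pairs | awk '
        { seen[$1 " " $2] = 1 }
        END {
            for (k in seen) {
                split(k, p, " ")
                if (p[1] != p[2] && ((p[2] " " p[1]) in seen))
                    print k
            }
        }
    ' | sort -u
}

# Audit the policy loaded on this machine.
audit_loaded_policy() {
    sesearch --allow -c process -p dyntransition | round_trips
}

case "${1:-demo}" in
    demo) printf '%s\n' "$SAMPLE_RULES" | round_trips ;;
    live) audit_loaded_policy ;;
    *)    echo "usage: $0 [demo|live]" >&2; exit 2 ;;
esac
```

Run it with `live` on a SELinux system to audit the loaded policy; the default `demo` mode runs on the constructed sample and prints the user_t/chromium_renderer_t round trip. A domain that only appears as a one-way target still deserves a look, but it cannot hand a modified address space back to a more privileged domain the way a round trip can.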

July 21, 2012
Hanno Böck a.k.a. hanno (homepage, stats, bugs)
And you thought 3D printers are useless (July 21, 2012, 19:50 UTC)

3D-printed replacement part

Several years ago I bought a kind of very simple wardrobe from IKEA. It's called Bardu and is made out of steel rods and a plastic covering. It stands on wheels.

There are small plastic pieces that connect the plastic rods with the wheels, and one of them broke a while back. I went to IKEA and asked for a replacement part. They told me that they don't ship parts for such old items, but they have an offering quite similar to the Bardu that I could buy. Sadly, the design has changed and the wheels are directly connected, so there is no compatible replacement part. The e-mail service from IKEA told me the same: no replacement parts for old products.

At this point I could've complained about the fact that we live in a crazy world where someone suggests that you buy a new piece of furniture because a small plastic part of the old one is broken.

I posted a message in the RepRap forum asking for help. If you don't know the RepRap: it's a 3D printer, creating objects out of simple plastic based on computer models. The RepRap is an open source project built partly out of parts printed on other 3D printers. The idea is: everyone can (with enough time and passion) build their own RepRap; all the documentation is available online.

I quickly got a response from someone from France who was willing to give it a try and re-create the needed plastic part on his 3D printer. Some message exchange later I sent him the broken and a non-broken part. Today, I got my RepRap-printed replacement part. It fits in perfectly. I'm seriously impressed.

Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Hardening the Linux kernel updates (July 21, 2012, 19:06 UTC)

Thanks to a comment by Andy, the guide now has information about additional settings: stack protector, read-only data, restricting access to /dev/mem, disabling /proc/kcore and restricting the kernel syslog (dmesg). One suggestion he made didn’t make it into the guide (about CONFIG_DEBUG_STACKOVERFLOW), since I can’t find any resources on how that setting would make the system more secure or more resilient against attacks.

Under the hood, the OVAL now correctly identifies unset options. It previously searched for “is not set” strings in the kernel configuration; now it searches for the key definition itself (e.g. “CONFIG_PROC_KCORE=”) and passes the check if it doesn’t find it, since that covers both the definition being absent altogether and the “# CONFIG_PROC_KCORE is not set” form.
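The same “is the key definition present?” logic, as an added shell example that is not the guide’s OVAL content: it audits a kernel .config for the settings the update above names. The CONFIG_* symbol names are my mapping of that wording onto the Kconfig of 3.x-era kernels (CONFIG_CC_STACKPROTECTOR, CONFIG_DEBUG_RODATA, CONFIG_STRICT_DEVMEM, CONFIG_SECURITY_DMESG_RESTRICT, CONFIG_PROC_KCORE, CONFIG_DEVKMEM) and should be checked against the kernel you actually build; the sample .config in the block is constructed.

```shell
#!/bin/sh
# Added example, not the guide's own OVAL content: the "is the key
# definition present?" test described above, as a shell audit of a kernel
# .config. The CONFIG_* names are my mapping of the guide's wording
# (stack protector, read-only data, /dev/mem, /proc/kcore, dmesg) onto
# 3.x-era Kconfig symbols; check them against your kernel's Kconfig.

MUST_BE_Y='CONFIG_CC_STACKPROTECTOR CONFIG_DEBUG_RODATA CONFIG_STRICT_DEVMEM CONFIG_SECURITY_DMESG_RESTRICT'
MUST_BE_OFF='CONFIG_PROC_KCORE CONFIG_DEVKMEM'

# Constructed sample .config for the demo (not a real kernel's config):
# /dev/mem is unrestricted and /dev/kmem is enabled, so two checks fail.
SAMPLE_CONFIG='# Automatically generated file; DO NOT EDIT.
CONFIG_CC_STACKPROTECTOR=y
CONFIG_DEBUG_RODATA=y
# CONFIG_STRICT_DEVMEM is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_PROC_KCORE is not set
CONFIG_DEVKMEM=y'

# Enabled: the exact line "NAME=y" exists in the file.
is_set() {
    grep -qx "$2=y" "$1"
}

# Off: no line starts with "NAME=". This matches both "# NAME is not set"
# and a symbol this kernel does not have at all, and, unlike searching for
# the "is not set" comment, it also rejects NAME=m.
is_off() {
    ! grep -q "^$2=" "$1"
}

# Audit one .config: prints a line per option and returns the number of
# failures (0 means everything is as wanted).
audit_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    fails=0
    for opt in $MUST_BE_Y; do
        if is_set "$cfg" "$opt"; then
            echo "ok   $opt=y"
        else
            echo "FAIL $opt must be =y"
            fails=$((fails + 1))
        fi
    done
    for opt in $MUST_BE_OFF; do
        if is_off "$cfg" "$opt"; then
            echo "ok   $opt not set"
        else
            echo "FAIL $opt must not be set ($(grep "^$opt=" "$cfg"))"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Write the constructed sample to a temporary file and audit it.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    audit_config "$tmp" || echo "$? check(s) failed"
    rm -f "$tmp"
}

case "${1:-demo}" in
    demo) demo ;;
    *)    audit_config "$1" ;;   # e.g. ./kconfig-audit.sh /usr/src/linux/.config
esac
```

`./kconfig-audit.sh /usr/src/linux/.config` prints one line per option and exits with the number of failures, so it drops straight into a post-build check. The negative test deliberately looks for `^NAME=` rather than for the literal “is not set” comment: that form also rejects an `=m` line and passes when the symbol does not exist in that kernel at all.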

How to test Kernel (*-sources) (July 21, 2012, 13:00 UTC)

In the past, a lot of people asked me how to test a new kernel. This tip could help new arch testers.

First, emerge the new sources (3.4.5 is just an example, replace it with your ${version}):
echo "=sys-kernel/gentoo-sources-3.4.5" >> /etc/portage/package.keywords
emerge -av =sys-kernel/gentoo-sources-3.4.5

Now go to the kernel directory, try to enable all modules and check whether they compile:
cd /usr/src/linux
make allyesconfig
make # don't forget to add '-j'

It might seem strange, but in the past, with allyesconfig, I found bugs like this one which were not reproducible with a normal config.

The next step is to clean the previous build and make your custom kernel.
make distclean
make menuconfig
make
make modules_install # if you use modules

Now try to boot the new kernel, and check that there are no bad messages with:
dmesg

Now, try to reach a bit of uptime and, if all is OK, please give feedback.

This is a basic guide to test {vanilla,gentoo}-sources. If you are testing a kernel with other/special features (e.g. hardened/zen/tuxonice), make sure that these features work perfectly.
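The steps above gathered into one script, as an added example (not the tip’s own code), with the dmesg check turned into a search for specific trouble markers rather than a read through the whole log. It assumes a Gentoo system with root, the version passed on the command line (3.4.5 in the tip), and that the strings in BAD_PATTERNS are worth flagging; that list is conservative, not exhaustive, and the kernel log in the block is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tip: the steps above as one script,
# with the dmesg check turned into a search for known trouble markers instead
# of reading the whole log by eye. Assumptions: a Gentoo system with root, the
# version given on the command line (3.4.5 in the tip), and BAD_PATTERNS being
# a conservative, not exhaustive, list of strings a failing kernel prints.

BAD_PATTERNS='BUG:|Oops|WARNING:|Call Trace:|general protection fault|unable to handle kernel|soft lockup|hung task'

# Constructed kernel log for the demo; two of the lines are trouble markers.
SAMPLE_LOG='[    0.000000] Linux version 3.4.5-gentoo (root@box) (gcc version 4.5.4)
[    1.234567] usb 1-1: new high-speed USB device number 2 using ehci_hcd
[    5.000000] WARNING: at drivers/gpu/drm/i915/intel_display.c:1234 foo+0x12/0x34()
[    5.000001] Call Trace:
[    9.000000] EXT4-fs (sda1): mounted filesystem with ordered data mode'

# Step 1: accept and emerge exactly the version under test.
fetch_sources() {
    echo "=sys-kernel/gentoo-sources-$1" >> /etc/portage/package.keywords
    emerge -av "=sys-kernel/gentoo-sources-$1"
}

# Step 2: the allyesconfig compile test; -j is taken from the CPU count.
allyes_build() {
    cd /usr/src/linux || return 1
    make allyesconfig && make -j"$(nproc)"
}

# Step 3: throw the test build away and build the kernel you will boot.
custom_build() {
    cd /usr/src/linux || return 1
    make distclean && make menuconfig && make -j"$(nproc)" && make modules_install
}

# Step 4, after rebooting into the new kernel: scan a kernel log (read from
# stdin, so it works on live dmesg output or on a saved file). Prints the
# matching lines; the exit status is the number of hits, 0 for a clean log
# (the shell wraps counts above 255, so treat any non-zero status as bad).
scan_kernel_log() {
    hits=$(grep -E "$BAD_PATTERNS" || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return "$(printf '%s\n' "$hits" | wc -l | tr -d ' ')"
}

case "${1:-demo}" in
    demo)   printf '%s\n' "$SAMPLE_LOG" | scan_kernel_log || echo "$? problem line(s) in sample log" ;;
    fetch)  fetch_sources "$2" ;;
    allyes) allyes_build ;;
    build)  custom_build ;;
    check)  dmesg | scan_kernel_log ;;
    *)      echo "usage: $0 demo | fetch <version> | allyes | build | check" >&2; exit 2 ;;
esac
```

Run `./kernel-test.sh fetch 3.4.5`, then `allyes`, then `build`, reboot into the new kernel and run `check`; a non-zero exit from `check` means dmesg contains lines that belong in the feedback. `dmesg > boot.log; ./kernel-test.sh check < boot.log` works on a saved log as well.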

July 20, 2012
Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Hardening the Linux kernel (July 20, 2012, 20:05 UTC)

I have moved out the kernel configuration settings (and sysctl stuff) from the Hardening Gentoo Linux benchmark into its own Hardening the Linux kernel guide. It covers some common hardening-related kernel configuration entries (although I’m sure I’m missing a lot of them still) as well as grsecurity and PaX settings (which is something the Gentoo Hardened project works on), and finally the system controls (sysctl) that are commonly suggested for a more secure system.

The overview of hardening guides now thus contains three guides: one for Gentoo, one for OpenSSH and one for the kernel. These were definitions I already had from the past, so they were “quickly” possible to write down. I’m going to look at BIND and DHCP next.

At the same time, I’m looking at Linux IMA/EVM support in the hope I can have this supported in Gentoo as well. It looks like a promising technology, and if I can get it working, it’ll definitely deserve its place within Gentoo Hardened!

Matthew Thode a.k.a. prometheanfire (homepage, stats, bugs)
Well, here we go again. (July 20, 2012, 05:00 UTC)

Well, here we go again. I think (hope) I will actually keep this blog more up to date with the little projects I do. I'm going to be writing about SELinux, zfsonlinux, the 'cloud' and whatever strikes my fancy.

I suppose I should introduce myself: my name's Matthew Thode, I currently work for Rackspace as a Linux Admin with a current focus on Big Data, and I am also a Gentoo Developer on the hardened project, helping mostly with virtualization, SELinux and testing. I know enough Python to get by (it's on GitHub actually) and that's about it for now.

July 19, 2012
Remi Cardona a.k.a. remi (homepage, stats, bugs)
SNA on xf86-video-intel 2.20.0 (July 19, 2012, 22:07 UTC)

xf86-video-intel 2.20.0 brings a couple of changes regarding SNA. The first change is that the choice between UXA and SNA (the two available acceleration architectures for the XRender protocol) can now be made without rebuilding the driver.

However, SNA is no longer enabled by default, even if built in. To enable it, the following snippet in your /etc/X11/xorg.conf will do the trick:

Section "Device"
    Identifier "intel driver"
    Driver "intel"
    Option "AccelMethod" "sna"
EndSection

That’s all for now.

Liam McLoughlin a.k.a. hexxeh (homepage, stats, bugs)
Chromium for Raspberry Pi BETA (July 19, 2012, 20:28 UTC)

I’m happy to announce that Chromium binaries are now available for you to download and try out. These will ONLY work on Raspbian images, if you’re running Squeeze or anything that isn’t hardfp, don’t even think about it.

Whilst it’s not required, using the 224MB memory split, overclocking your Pi and using a fast USB stick or SD card for your root filesystem will improve your browsing experience. I’ve had the RaspberryPi.org blog frontpage load in as little as 5 seconds by combining all three of these. With that said, let’s get started.

If you’re closer to Europe than the US, type this into a shell: bash <(curl -sL http://goo.gl/5vuJI)
If you’re closer to the US than Europe, type this into a shell: bash <(curl -sL http://goo.gl/go5yx)

Let that command run for a while. It’ll download about 35MB and will probably take a while to do its thing. Once it’s finished, you can launch Chromium by typing:

chrome --disable-ipv6

Make sure you specify the --disable-ipv6 flag, else your pages will take longer to load than they should (yes, this is probably a bug). This is somewhat of an experiment, as the post title suggests, and your input in improving the experience is welcomed. Currently, builds are manual, but if they prove popular and useful, I’ll automate them and produce nightly builds.

If you have suggestions, post them over at the Raspberry Pi forums thread: http://www.raspberrypi.org/phpBB3/viewtopic.php?f=63&t=11800

Nirbheek Chauhan a.k.a. nirbheek (homepage, stats, bugs)
GUADEC 2012, A Coruña (July 19, 2012, 15:05 UTC)


This will be my first GUADEC, and I'm looking forward to it. Thanks to my employer Collabora for sponsoring this trip!



I'll be around from 25th evening to 30th morning. Hope to see you all there. :)

July 18, 2012
Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Hardening OpenSSH (July 18, 2012, 20:20 UTC)

A while ago I wrote about a Gentoo Security Benchmark which would talk about hardening a Gentoo Linux installation. Within that document, I was documenting how to harden specific services as well. However, I recently changed my mind and wanted to move the hardening stuff for the services into separate documents.

The first one is now finished – Hardening OpenSSH is a benchmark informing you how to potentially harden your SSH installation further. It uses XCCDF/OVAL so that users of openscap (and other compliant tools) can test their system automatically, generating nice reports on the state of their SSH configuration.

For now, the SSH stuff is also still part of the Gentoo document, but I’ll move that out soon and refer to this new document.

Hardened Gentoo’s purpose is to make Gentoo viable for highly secure, high stability production server environments. Hence, hardening documents should be one of its deliverables as well. So, dear users, do you think it is wise for the Gentoo Hardened project to also focus on delivering hardening guides for services? If so, I’m sure we can draft up others…

Jeremy Olexa a.k.a. darkside (homepage, stats, bugs)
Gentoo Miniconf / Linux Days 2012 (July 18, 2012, 14:25 UTC)

I’ll be there.

July 17, 2012
Ole Markus With a.k.a. olemarkus (homepage, stats, bugs)
PHP 5.4 about to be stabilised (July 17, 2012, 18:30 UTC)

PHP 5.4 has been in the tree for quite some time now, without any major bugs. Personally I have been using it on my development box since it went stable upstream and everything has been working just fine. PHP 5.4 has been in ~arch since 5.4.0 as well, so the upgrade path should (hopefully) be well-tested. So it is about time that PHP 5.4 gets a stable version in Portage!

The reason I have been holding off for so long is the lack of support from certain key extensions. The most important, in my opinion, is APC, which I personally need in place before using PHP in production. Unfortunately there are several outstanding issues with the current version of APC for PHP 5.4, and there is no ETA for when a stable version will be released. Those who can may look into XCache, which does have a working PHP 5.4 version.

Another extension that someone might miss is Suhosin. The Suhosin patch is also missing.

Steve Dibb a.k.a. beandog (homepage, stats, bugs)
what i’m reading: “real boys” (July 17, 2012, 06:04 UTC)

Summer is rough for me.  I take fewer classes, I have lots more free time, and things are generally a lot less unstructured.  This means my life is full of chaos.

One thing I’ve noticed about school, recently, is that if I’m not taking any psychology courses, I become indifferent about working towards a degree.  It’s hard slogging through generals for any student, but in my case, where there’s limited amounts of time and money to spend on pursuing an education, it just feels like it’s not worth the hassle.

So, summer is a little rougher for me, and I’m looking forward to Fall and Spring semesters again.

In the meantime, and I’ve been doing this for awhile, I always have one book about psychology or counseling that I’m reading.  Right now, I’m making my way through a great book called “Real Boys.”

If I could summarize the book, it’s basically documenting the effects of boys not expressing their feelings.  I was going to expound on that, but that’s just about how it goes.  I also use the term ‘boys’ here from the author’s context, not mine. He tends to cover a large age group, from about eight to sixteen.

Flipping it open tonight, the page I started on perfectly expressed the “why” I want to work with youth so much — or, that is, the kinds of problems I want to encounter and help people out with:

When boys become hardened, they become willing to endure emotional and physical pain–even to risk their lives–if it means winning the approval of their peers.  Boys can become so thoroughly hardened that they literally anesthetize themselves against the pain they must cope with.  And they are often left unsupervised at an earlier age than girls and are usually discouraged by adults from engaging in help-seeking behaviors at their time of greatest vulnerability or need, boys learn to remain silent despite their suffering.

Incredibly sad commentary, of course, but also accurate.

I suppose that the solution could be summed up in “love your kids,” but what I see happening is that culture is a strong influence of how to love them — when to cut them loose, when to have them “man up,” and so on.  Culture is a poor guide for determining personal milestones.

I’ve been learning more about counseling and people not just with what I read, but as I casually observe people and realize how simple things are.  The realization is dawning on me that humans are alike emotionally, wanting the same basic subsets of love and caring: respect, communication, validation, correction and instruction.  Things that people do that are “weird” or “out there” are most times going to be tied back to some fundamental need that is unaddressed.  And in the cases where that is the case, there can be a check for internal chemical imbalances (depression, schizophrenia, OCD, mood disorders etc.) where medication can do a lot of good in providing more stability.

On a personal level, not an academic one, from helping out others, I’ve noticed how important it is that people have someone that will look them in the eye and listen to them.  I’ve noticed that just looking at someone directly often times can slightly startle someone, since it is so unexpected.  I’ve seen though, how talking calmly and directly to someone will both relax them and engender some trust.  People just want to be listened to.

Anyway, it’s all fascinating stuff, and I love reading up on it, and discovering new things.  In a lot of ways, I’m finding that counseling is based on really simple principles of caring and communicating.


July 16, 2012
Andreas K. Hüttel a.k.a. dilfridge (homepage, stats, bugs)
Gentoo in c't magazine (July 16, 2012, 21:39 UTC)

For the German speakers around here, today's edition of c't magazine (that's the company that people from UK/USA may know as "The H") includes an introductory article on Gentoo Linux: "Made to measure - Gentoo Linux: source code and rolling releases". So, go to your newsagent and grab it while it's hot! :)

Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Updated Gentoo Hardened/SELinux VM image (July 16, 2012, 16:31 UTC)

I have updated the Gentoo Hardened/SELinux VM image, available on the mirrors under experimental/amd64/qemu-selinux.

The new image now asks for the keyboard layout, has a short DHCP timeout value (5 seconds) and provides the nano editor. If you plan on running the image using qemu, please use -cpu kvm64 to use a 64-bit virtual processor.

July 12, 2012
Andreas K. Hüttel a.k.a. dilfridge (homepage, stats, bugs)
Lab::Measurement 3.00 released (July 12, 2012, 17:56 UTC)

I'm happy to be able to announce a first real release of the Lab::Measurement Perl package, providing a platform for measurement control with Perl.

Lab::Measurement is based on the packages Lab::VISA, Lab::Instrument, and Lab::Tools started by Daniel Schröer in 2005. Many people have contributed in the meantime, amongst others in roughly historical order Daniela Taubert, David Kalok, Florian Olbrich, and Alois Dirnaichner. The efforts of the last year have focussed on a general modularization, originally driven by a certain frustration with National Instruments NI-VISA support on Linux. Now, the hardware driver backend can be exchanged transparently, making measurements both with NI-VISA and with e.g. LinuxGPIB or the operating system serial port drivers on Linux and Windows possible.
Since VISA does not form a central part or even a requirement anymore, the original use of Lab::VISA as the name for the entire package became impractical, and we've decided to switch to Lab::Measurement instead. As version numbers of all components should still increase monotonically, our first release of the code rewrite then actually ended up as Lab::Measurement 3.00.

For downloads and documentation, including installation instructions for Linux and Windows and examples, visit the homepage of the package, http://www.labmeasurement.de/. Of course, if you're using Gentoo, the package is readily available in the main portage tree as dev-perl/Lab-Measurement.

Not all device drivers have been ported to the new internal architecture so far, but work is progressing swiftly. In the Regensburg nanophysics groups, we're using the new code already all the time in measurements at three different cryogenic setups. More drivers, bugfixes, and improvements are present in Git master. If you're willing to hack, I can only recommend that you give it a try. Contributors are always welcome; feel free to clone our git repository on Gitorious.

July 11, 2012
How to test a library (July 11, 2012, 16:21 UTC)

This article should be useful for every arch tester who asks how to properly test a library.

Today we look at a case like boost. The first steps are:

  1. Emerge the new boost version
  2. Do multiple compile tests, changing the USE flags
  3. Make sure the new boost is set as default: eselect boost list

Now, to make sure you don’t break the tree, you will compile all stable packages that have boost as a DEPEND. To do this we will use the reverse-dependencies.py script from the arch-tools repository (thanks to Paweł Hajdan for making it).

How does reverse-dependencies work? It is very simple; follow this example:

touch boost_in;touch boost_out
echo "=dev-libs/boost-1.49.0-r1" >> boost_in
echo "=dev-util/boost-build-1.49.0" >> boost_in
python reverse-dependencies.py -i boost_in -o boost_out

Let me explain a bit.

First we created two files:

  • the first holds the packages that need to be checked;
  • the second will hold the packages found by the script.

Yes, in this case boost-build is not useful, but this example shows that you can put more than one package in the input file (boost_in). After the last command we now have a boost_out structured in this manner:

# One of the following USE flag combinations is required:
# boost
sci-mathematics/singular

That means that you need to enable the boost USE flag to make sure that sci-mathematics/singular actually uses boost.

Now you need to compile all of the packages in the boost_out list, and if you see a failure related to boost you need to file a new bug on our bugzilla and mark it as a blocker for the boost stabilization.
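As an added example (not from this post or from the arch-tools repository), a shell script that walks a reverse-dependencies.py output file like boost_out, builds each package with the USE flags the file asks for, and keeps a list of the failures for the blocker bugs. Its only knowledge of the file format comes from the sample above (comment lines, a “# <flags>” line after the “...is required:” header, then package atoms one per line), so that layout is an assumption, as is taking the last flag line when several are listed; the atoms in the block’s sample other than sci-mathematics/singular are made up.

```shell
#!/bin/sh
# Added example, not from the post or from the arch-tools repository: take a
# reverse-dependencies.py output file such as boost_out, build every package
# listed in it with the USE flags it asks for, and keep a list of what failed
# for the blocker bugs. The file format is assumed from the sample shown in
# the post only: '#' comment lines, with a "# <flags>" line after the
# "...is required:" header naming the USE flags, followed by package atoms
# one per line. If several flag lines are listed, the last one is used.

# The command that builds one atom; override it for a dry run
# (BUILD_CMD=echo prints what would be built, BUILD_CMD=true/false
# simulates success/failure).
BUILD_CMD=${BUILD_CMD:-emerge -1}

# Constructed sample in the boost_out layout; the example-* atoms are made up.
SAMPLE_OUT='# One of the following USE flag combinations is required:
# boost
sci-mathematics/singular
# One of the following USE flag combinations is required:
# boost threads
dev-libs/example-lib
media-gfx/example-tool'

# Turn the file on stdin into tab-separated "atom<TAB>flags" lines.
expand_targets() {
    awk '
        /^#/ {
            c = $0
            sub(/^#[ \t]*/, "", c)
            if (c ~ /:$/) { flags = "" } else { flags = c }   # header resets, flag line sets
            next
        }
        /^[^# \t]/ { print $0 "\t" flags }
    '
}

# Build each target from file $1 in turn; append failures to log $2
# (default build_failures.log) and print the failure count.
build_all() {
    log=${2:-build_failures.log}
    : > "$log"
    expand_targets < "$1" | while IFS="$(printf '\t')" read -r atom flags; do
        echo ">>> USE=\"$flags\" $BUILD_CMD $atom" >&2
        # Only export USE when the file asks for flags, so make.conf stays as is.
        if [ -n "$flags" ]; then
            env USE="$flags" $BUILD_CMD "$atom"
        else
            $BUILD_CMD "$atom"
        fi || printf '%s\t%s\n' "$atom" "$flags" >> "$log"
    done
    wc -l < "$log" | tr -d ' '
}

case "${1:-demo}" in
    demo) printf '%s\n' "$SAMPLE_OUT" | expand_targets ;;
    *)    build_all "$1" "$2" ;;   # e.g. ./rdeps-build.sh boost_out failures.log
esac
```

`BUILD_CMD=echo ./rdeps-build.sh boost_out` dry-runs the list; without the override each package is built with `emerge -1`, so nothing ends up in world, and every failure lands in the log together with the USE flags it was built with, ready to paste into the blocker bug.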

July 10, 2012
Donnie Berkholz a.k.a. dberkholz (homepage, stats, bugs)
How to recruit open-source contributors (July 10, 2012, 21:49 UTC)

I just posted a video and write-up on how to recruit open-source contributors over on my RedMonk blog. It’s based on my years of experience as admin for Gentoo’s involvement in the Google Summer of Code, where I’ve greatly increased our ability to recruit students as long-term developers. Check it out.


Tagged: communication, culture, gentoo, gsoc

Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Gentoo Hardened/SELinux VM image (July 10, 2012, 19:27 UTC)

A few weeks ago, I pushed out a VM image (Qemu QCOW2 format) to the /experimental/amd64/qemu-selinux/ location on our mirrors. This VM image (which is about 1.6 GiB large decompressed) provides a SELinux-enabled, Gentoo Hardened (with PaX and other grsecurity security settings) base installation. Thanks to the QCOW2 image format, only the used 1.6 GiB of data is taken on your disk, even though the image is made for a 50 GiB deployment.

The purpose of this image is, eventually, to allow users to test our Gentoo Hardened with SELinux in a virtual environment, offering decent isolation (so you can mess things up if you want, it doesn’t hurt your own system). I’m also contemplating providing more serious SELinux-focused course material (self-teaching stuff) based on this image, so that users can learn about Gentoo Hardened (and SELinux) in a structured manner.

But before all that, I first need to see if the image is usable by most people:

  • Does it boot? It is an amd64 image for the Qemu KVM64 CPU, but the kernel uses paravirtualization for disk and network access, and I don’t know if that’s a safe bet to do or not. People that know KVM know that the paravirtualization support is needed for decent performance, but I’m not sure if it still makes the images sufficiently portable or not.
  • Does it work? The build is done based on my own systems, but these are all built in a similar fashion (and use binhosts to simplify deployment) so in effect, I can only test the images on a single system type (multiple, but they’re all the same, so doesn’t matter).

If I can get some comments on this (it boots, it doesn’t boot, it sucks, …) and can work out things, I hope I can have the images better for all of us.

Edit: yes, keyboard layout is azerty, not qwerty. So your rootpass will be rootpqss. Updates-are-a-comin’

Donnie Berkholz a.k.a. dberkholz (homepage, stats, bugs)

I gave an introductory talk on Gentoo at a local BarCamp called MinneBar a couple of months back, and the videos were just posted online. The sound isn’t perfect but it’s perfectly understandable. Oddly, this is the first time I’ve ever given a formal talk on Gentoo in nearly 10 years of working on it.

The slides are pretty tough to read from the video, so I also uploaded them to Slideshare. I updated and heavily customized the same “Intro to Gentoo” slide deck that’s been floating around for years. It still could stand to lose a whole lot more text, and hopefully I can optimize it further if I give it again.


Tagged: communication, gentoo, pr