Gentoo Logo
Gentoo Logo Side
Gentoo Spaceship

. Aaron W. Swenson
. Agostino Sarubbo
. Alec Warner
. Alex Alexander
. Alex Legler
. Alexey Shvetsov
. Alexis Ballier
. Alexys Jacob
. Amadeusz Żołnowski
. Andreas K. Hüttel
. Andreas Proschofsky
. Andrew Gaffney
. Anthony Basile
. Arun Raghavan
. Bernard Cafarelli
. Bjarke Istrup Pedersen
. Brent Baude
. Brian Harring
. Christian Faulhammer
. Christian Ruppert
. Christopher Harvey
. Chí-Thanh Christopher Nguyễn
. Dane Smith
. Daniel Gryniewicz
. David Abbott
. Denis Dupeyron
. Detlev Casanova
. Diego E. Pettenò
. Domen Kožar
. Donnie Berkholz
. Doug Goldstein
. Eray Aslan
. Fabio Erculiani
. Gentoo Haskell Herd
. Gentoo Monthly Newsletter
. Gentoo News
. Gilles Dartiguelongue
. Greg KH
. Hanno Böck
. Hans de Graaff
. Ian Whyman
. Ioannis Aslanidis
. Jan Kundrát
. Jason Donenfeld
. Jeffrey Gardner
. Jeremy Olexa
. Joachim Bartosik
. Johannes Huber
. Jonathan Callen
. Jorge Manuel B. S. Vicetto
. Joseph Jezak
. Kenneth Prugh
. Lance Albertson
. Liam McLoughlin
. LinuxCrazy Podcasts
. Luca Barbato
. Luis Francisco Araujo
. Mark Loeser
. Markos Chandras
. Mart Raudsepp
. Matt Turner
. Matthew Marlowe
. Matthew Thode
. Matti Bickel
. Michael Palimaka
. Michal Hrusecky
. Michał Górny
. Mike Doty
. Mike Gilbert
. Mike Pagano
. Mu Qiao
. Nathan Zachary
. Ned Ludd
. Nirbheek Chauhan
. Olivier Crête
. Pacho Ramos
. Patrick Kursawe
. Patrick Lauer
. Patrick McLean
. Paul de Vrieze
. Pavlos Ratis
. Paweł Hajdan, Jr.
. Petteri Räty
. Piotr Jaroszyński
. Rafael Goncalves Martins
. Raúl Porcel
. Remi Cardona
. Richard Freeman
. Robin Johnson
. Ryan Hill
. Sean Amoss
. Sebastian Pipping
. Serkan Kaba
. Steev Klimaszewski
. Stratos Psomadakis
. Sune Kloppenborg Jeppesen
. Sven Vermeulen
. Sven Wegener
. Theo Chatzimichos
. Thomas Kahle
. Tim Sammut
. Tiziano Müller
. Tobias Heinlein
. Tobias Klausmann
. Tom Wijsman
. Tomáš Chvátal
. Torsten Veller
. Victor Ostorga
. Vikraman Choudhury
. Zack Medico
. Zhang Le

Last updated:
March 28, 2014, 23:06 UTC

Views expressed in the content published here do not necessarily represent the views of Gentoo Linux or the Gentoo Foundation.

Bugs? Comments? Suggestions? Contact us!

Powered by:
Planet Venus

Welcome to Planet Gentoo, an aggregation of Gentoo-related weblog articles written by Gentoo developers. For a broader range of topics, you might be interested in Gentoo Universe.

March 27, 2014
Sven Vermeulen a.k.a. swift (homepage, bugs)
Online hardened meeting of March (March 27, 2014, 21:44 UTC)

I’m back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.


GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the changes online.

Speaking of GCC, pipacs asked if it is possible in the upcoming 4.8.2 ebuilds to disable the SSP protection for development purposes (such as when you’re developing GCC plugins that do similar protection measures like SSP, but you don’t want those to collide with each other). Recent discussion on Gentoo development mailinglist had a consensus that the SSP protection measures (-fstack-protector) can be enabled by default, but of course if people are developing new GCC plugins which might interfere with SSP, disabling it is needed. One can use -fno-stack-protector for this, or build stuff with -D__KERNEL__ (as for kernel builds the default SSP handling is disabled anyway, allowing for kernel-specific implementations).

Other than those, there is no direct method to make SSP generally unavailable.

Blueness is also working on musc-libc on Gentoo, which would give a strong incentive for hardened embedded devices. For desktops, well, don’t hold your breath just yet.

Kernel grSec/PaX

It looks like kernel 3.13 will be Ubuntu’s LTS kernel choice, which also makes it the kernel version that grSecurity will put the long term support for in. And with Linux 3.14 almost out, the grsec patches for it are ready as well. Of the previous LTS kernels, 3.2 will probably finish seeing grsec support somewhere this year.

The C wrapper (called install-xattr) used to preserve xattr information during Portage builds has not been integrated in Portage yet, but the development should be finished.

During the chat session, we also discussed the gold linker and how it might be used by more and more packages (so not only by users that explicitly ask for it). udev version 210 onwards is one example, but some others exist. But other than its existence there’s not much to say right here.


The 20140311 release of the reference policy is now in the Portage tree.

Also, prometheanfire caught a vulnerability (CVE-2014-1874) in SELinux which has been fixed in the latest kernels.

System Integrity

I made a few updates to the gentoo hardening guide in XCCDF/OVAL format. Nothing major, and I still need to add in a lot of other best practices (as well as automate the tests through OVAL), but I do intend to update the files (at least the gentoo one and ssh as OpenSSH 6 is now readily available) regularly in the next few weeks.


A few minor changes have been made to hardened/uclibc to support multilib, but other than that nothing has been done (nor needed to be done) to our profiles.

That’s it for this months hardened meeting write-up. See you next time!

March 26, 2014
Jan Kundrát a.k.a. jkt (homepage, bugs)
Tagged pointers, and saving memory in Trojita (March 26, 2014, 17:02 UTC)

One of the improvements which were mentioned in the recent announcement of Trojitá, a fast Qt e-mail client, were substantial memory savings and speed improvements. In the rest of this post, I would like to explain what exactly we have done and how it matters. This is going to be a technical post, so if you are not interested in C++ or software engineering, you might want to skip this article.

Planting Trees

At the core of Trojitá's IMAP implementation is the TreeItem, an abstract class whose basic layout will be familiar to anyone who has worked with a custom QAbstractItemModel reimplementation. In short, the purpose of this class is to serve as a node in the tree of items which represent all the data stored on a remote IMAP server.

The structure is tree-shaped because that's what fits both the QAbstractItemModel's and the IMAP way of working. At the top, there's a list of mailboxes. Children of these mailboxes are either other, nested mailboxes, or lists of messages. Below the lists of messages, one can find individual e-mails, and within these e-mails, individual body parts as per the recursive nature of the MIME encapsulation. (This is what enables messages with pictures attached, e-mail forwarding, and similar stuff. MIME is fun.) This tree of items is used by the QAbstractItemModel for keeping track of what is where, and for issuing the QModelIndex instances which are used by the rest of the application for accessing, requesting and manipulating the data.

When a QModelIndex is used and passed to the IMAP Model, what matters most is its internalPointer(), a void * which, within Trojitá, always points to an instance of some TreeItem subclass. Everything else, like the row() and column(), are actually not important; the pointer itself is enough to determine everything about the index in question.

Each TreeItem has to store a couple of interesting properties. Besides the usual Qt-mandated stuff like pointer to the parent item and a list of children, there are also application-specific items which enable the code to, well, actually do useful things like printing e-mail subjects or downloading mail attachments. For a mailbox, this crucial information might be the mailbox name. For a message, the UID of the message along with a pointer to the mailbox is enough to uniquely identify everything which is needed.

Lazy Loading

Enter the lazy loading. Many people confirm that Trojitá is fast, and plenty of them are not afraid to say that it is blazingly fast. This speed is enabled by the fact that Trojitá will only do the smallest amount of work required to bring the data over the network (or from disk, for that matter). If you open a huge mailbox with half a million messages, perhaps the GMail's "All messages" account, or one's LKML archive, Trojitá will not start loading half a million of subjects. Instead, the in-memory TreeItem nodes are created in a special state "no data has been requested yet". Trojitá still creates half a million items in memory, but these items are rather lightweight and only contain the absolute minimum of data they need for proper operation.

Some of these "empty" nodes are, eventually, consulted and used for item display -- perhaps because a view is attached to this model, and the view wants to show the recent mail to the user. In Qt, this usually happens via the data() method of the QAbstractItemModel, but other methods like rowCount() have a very similar effect. Whenever more data are needed, the state of the tree node changes from the initial "no data have been requested" to "loading stuff", and an asynchronous request for these data is dispatched. An important part of the tale is that the request is indeed completely asynchronous, so you won't see any blocking whatsoever in the GUI. The QTreeView will show an animation while a subtree is expanded, the message viewer might display a spinner, and the mail listing shows greyed-out "Loading..." placeholder instead of the usual message subjects.

After a short while, the data arrive and the tree node is updated with the extracted contents -- be it e-mail subject, or perhaps the attached image of dancing pigs. As the requested data are now here, the status of the tree node is updated from the previous "loading stuff" into "done". At the same time, an appropriate signal, like dataChanged or rowsInserted, is emitted. Requesting the same data again via the classic MVC API will not result in network requests, but everything will be accommodated from the local cache.

What we see now is that there is just a handful of item states, yet the typical layout of the TreeItem looks roughly like this:

enum class FetchingStatus {
class TreeItem {
    TreeItem *m_parent;
    QList<TreeItem*> m_children;
    FetchingStatus m_status;

On a 64bit system, this translates to at least three 64bit words being used -- one for the painter to the parent item, one (or much more) for storage of the list of children, and one more for storing the enum FetchingStatus. That's a lot of space, given we have just created half a million of these items.

Tagged Pointers

An interesting property of a modern CPU is that the data structures must be aligned properly. A very common rule is that e.g. a 32bit integer can only start at memory offset which is a multiple of four. In hex, this means that an address, or a pointer value, could end with 0x0, or 0x4, or 0x8, or 0xc. The detailed rules are platform-specific and depend on the exact data structure which we are pointing to, but the important message is that at least some of the low bits in the pointer address are always going to be zero. Perhaps we could encode some information in there?

Turns out this is exactly what pointer tagging is about. Instead of having two members, one TreeItem * and one FetchingStatus, these are squashed into a single pointer-sized value. The CPU can no longer use the pointer value directly, all accesses have to go via an inlined function which simply masks away the lowest bits which do bring a very minor performance hit, but the memory conservation is real.

For a real-world example, see this commit in Trojitá.

Using Memory Only When Needed

Back to our example of a mailbox with 500k messages. Surely a user is only going to see a small subset of them at once, right?

That is indeed the case. We still have to at least reserve space for 500k items for technical reasons, but there is certainly no need to reserve space for heavy stuff like subjects and other headers. Indeed, in Trojitá, we track the From/To/Cc/Bcc headers, the subjects, various kinds of timestamps, other envelope items and similar stuff, and this totals a couple hundred bytes per each message. A couple hundred bytes is not much (pun intended), but "a couple hundred bytes" times "half a million" is a ton of memory.

This got implemented here. One particular benchmark which tests how fast Trojitá resynchronizes a mailbox with 100k of messages showed immediate reduction in memory usage from previous 45 MB to 25 MB. The change, again, does come with a cost; one now has to follow one more pointer redirection, and one has to perform one more dynamic allocation for each message which is actually visible. That, however, proves to be negligible during typical usage.

Measure, Don't Guess

As usual with optimizing, the real results might sometimes be surprising. A careful reader and an experienced Qt programmer might have noticed the QList above and shuddered in horror. In fact, Trojitá now uses QVector in its place, but when I was changing the code, using std::vector sounded like a no-brainer. Who needs the copy-on-write semantics here anyway, so why should I pay its price in this context? These data (list of children of an item) are not copied that often, and copying a contiguous list of pointers is pretty cheap anyway (it surely is dwarfed by dynamic allocation overhead). So we should just stick with std::vector, right?

Well, not really. It turned out that plenty of these lists are empty most of the time. If we are looking at the list of messages in our huge mailbox, chances are that most of these messages were not loaded yet, and therefore the list of children, i.e. something which represents their inner MIME structure, is likely empty. This is where the QVector really shines. Instead of using three pointers per vector, like the GCC's std::vector does, QVector is happy with a single pointer pointing to a shared null instance, something which is empty.

Now, factor of three on an item which is used half a million times, this is something which is going to hurt. That's why Trojitá eventually settled on using QVector for the m_children member. The important lesson here is "don't assume, measure".

Wrapping up

Thanks to these optimization (and a couple more, see the git log), one particular test case now runs ten times faster while simultaneously using 38% less memory -- comparing the v0.4 with v0.3.96. Trojitá was pretty fast even before, but now it really flies. The sources of memory diet were described in today's blog post; the explanation on how the time was cut is something which will have to wait for another day.

Sven Vermeulen a.k.a. swift (homepage, bugs)
Fixing the busybox build failure (March 26, 2014, 12:18 UTC)

Since a few months I have a build failure every time I try to generate an initial ram file system (as my current primary workstation uses a separate /usr and LVM for everything except /boot):

* busybox: >> Compiling...
* ERROR: Failed to compile the "all" target...
* -- Grepping log... --
*           - busybox-1.7.4-signal-hack.patch
* busybox: >> Configuring...
*COMMAND: make -j2 CC="gcc" LD="ld" AS="as"  
*  HOSTCC  scripts/basic/fixdep
*make: execvp: /var/tmp/genkernel/18562.2920.28766.17301/busybox-1.20.2/scripts/ Permission denied
*make: *** [gen_build_files] Error 127
*make: *** Waiting for unfinished jobs....
*/bin/sh: scripts/basic/fixdep: Permission denied
*make[1]: *** [scripts/basic/fixdep] Error 1
*make: *** [scripts_basic] Error 2

I know it isn’t SELinux that is causing this, as I have no denial messages and even putting SELinux in permissive mode doesn’t help. Today I found the time to look at it with more fresh eyes, and noticed that it wants to execute a file ( situated in /var/tmp somewhere. That file system however is mounted with noexec (amongst other settings) so executing anything from within that file system is not allowed.

The solution? Update /etc/genkernel.conf and have TMPDIR point to a location where executing is allowed. Of course, this being a SELinux system, the new location will need to be labeled as tmp_t as well, but that’s just a simple thing to do.

~# semanage fcontext -a -t tmp_t /var/build/genkernel(/.*)?
~# restorecon -R /var/build/genkernel

The new location is not world-writable (only for root as only root builds initial ram file systems here) so not having noexec here is ok.

March 24, 2014
Sven Vermeulen a.k.a. swift (homepage, bugs)
Create your own SELinux Gentoo profile (March 24, 2014, 19:51 UTC)

Or any other profile for that matter ;-)

A month or so ago we got the question how to enable SELinux on a Gentoo profile that doesn’t have a <some profilename>/selinux equivalent. Because we don’t create SELinux profiles for all possible profiles out there, having a way to do this yourself is good to know.

Sadly, the most efficient way to deal with this isn’t supported by Portage: creating a parent file pointing to /usr/portage/profiles/features/selinux in /etc/portage/profile, as is done for all SELinux enabled profiles. The /etc/portage/profile location (where users can do local changes to the profile settings) does not support a parent file in there.

Luckily, enabling SELinux is a matter of merging the files in /usr/portage/profiles/features/selinux into /etc/portage/profile. If you don’t have any files in there, you can blindly copy over the files from features/selinux.

Edit: aballier on #gentoo-dev mentioned that you can create a /etc/portage/make.profile directory (instead of having it be a symlink managed by eselect profile) which does support parent files. In that case, just create one with two entries: one path to the profile you want, and one path to the features/selinux location.

Hidden symbols and dynamic linking (March 24, 2014, 19:14 UTC)

A few weeks ago, we introduced an error in the (~arch) libselinux ebuild which caused the following stacktrace to occur every time the semanage command was invoked:

~ # semanage
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in 
    import seobject
  File "/usr/lib64/python2.7/site-packages/", line 27, in 
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/", line 11, in 
    import sepolgen.interfaces as interfaces
  File "/usr/lib64/python2.7/site-packages/sepolgen/", line 24, in 
    import access
  File "/usr/lib64/python2.7/site-packages/sepolgen/", line 35, in 
    from selinux import audit2why
ImportError: /usr/lib64/python2.7/site-packages/selinux/ undefined symbol: sepol_set_policydb

Usually this error means that a needed library (a .so file) is missing, or is not part of the /etc/ list of directories to scan. And when SELinux is enabled, you might want to check the permissions of that file as well (who knows). But that wasn’t the case here. After trying to figure things out (which includes switching Python versions, grepping for sepol_set_policydb in and more) I looked at the audit2why.c code and see if/where sepol_set_policydb is needed, as well as at the libsepol sources to see where it is defined. And yes, the call is (of course) needed, but the definition made me wonder if this wasn’t a bug:

int hidden sepol_set_policydb(policydb_t * p)
        policydb = p;
        return 0;

Hidden? But, that means that the function symbol is not available for dynamic linking… So if that is the case, shouldn’t audit2why.c not call it? Turns out, this was due to a fix we introduced earlier on, where libsepol got linked dynamically instead of statically (i.e. using libsepol.a). Static linking of libraries still allows for the (hidden) symbols to be used, whereas dynamic linking doesn’t.

So that part of the fix got reverted (and should fix the bug we introduced), and I learned a bit more about symbols (and the hidden statement).

Bonus: if you need to check what symbols are available in a binary / shared library, use nm:

~$ nm -D /path/to/binary

March 21, 2014
Nathan Zachary a.k.a. nathanzachary (homepage, bugs)

Recently I ran into a problem with RHEL 6 (and any derivatives, like CentOS 6 or Scientific Linux 6) where having two NICs (network interfaces) in the same subnet resulted in strange behaviour. In RHEL ≤5 (or CentOS ≤5), one could have two interfaces with IPs in the same subnet and there weren’t any problems (besides the obvious question of why one would set it up this way instead of just bonding the interfaces). However, in RHEL 6 (or CentOS 6), having two interfaces with IPs in the same subnet results in the primary one pinging but the secondary one not responding.

The cause of this problem is that the rp_filter settings changed between these kernels (2.6.18 in RHEL 5 and 2.6.32 in RHEL 6). In RHEL 5, the rp_filter setting was a boolean where 1 meant that source validation was done by reversed path (as in RFC1812), and 0 meant no source validation. However, in RHEL 6, this setting changed to an integer with the following settings:

0 – No source validation

1 – Strict Reverse Path validation (RFC3704) – Packets are checked against the FIB (Forwarding Information Base), and only the best ones succeed

2 – Loose Reverse Path validation (RFC3704) – Packets are checked against the FIB, but only non-reachable BY ANY INTERFACE will fail

So, though the default setting is still 1, it now has a different meaning. In order to get these two network interfaces with IPs in the same subnet to both respond, I needed to make two changes in /etc/sysctl.conf:

  • Change net.ipv4.conf.default.rp_filter from ’1′ to ’2′
  • Add the line net.ipv4.conf.all.rp_filter = 2

To better illustrate the changes, here are the differences:

# grep '.rp_filter' /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 1

# grep '.rp_filter' /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2

In order to make these changes effective immediately, you can reload the configuration with:

# sysctl -p

Ultimately, the new defaults make it so that the kernel discards packets when the route for outbound traffic differs from the route of incoming traffic. Changing these settings as mentioned above will make the kernel handle those packets like it did before 2.6.32. That way, having two or more interfaces with IPs in the same subnet will function as intended. Also, these changes aren’t limited to just RHEL 6 and derivatives, but also to any distribution with ≥kernel-2.6.32 in which the defaults were not changed.


March 20, 2014
Jan Kundrát a.k.a. jkt (homepage, bugs)


An SSL stripping vulnerability was discovered in Trojitá, a fast Qt IMAP e-mail client. User's credentials are never leaked, but if a user tries to send an e-mail, the automatic saving into the "sent" or "draft" folders could happen over a plaintext connection even if the user's preferences specify STARTTLS as a requirement.


The IMAP protocol defines the STARTTLS command which is used to transparently upgrade a plaintext connection to an encrypted one using SSL/TLS. The STARTTLS command can only be issued in an unauthenticated state as per the IMAP's state machine.

RFC 3501 also allows for a possibility of the connection jumping immediately into an authenticated state via the PREAUTH initial response. However, as the STARTTLS command cannot be issued once in the authenticated state, an attacker able to intercept and modify the network communication might trick the client into a state where the connection cannot be encrypted anymore.

Affected versions

All versions of Trojitá up to 0.4 are vulnerable. The fix is included in version 0.4.1.


Connections which use the SSL/TLS form the very beginning (e.g. the connections using port 993) are secure and not vulnerable.

Possible impact

The user's credentials will never be transmitted over a plaintext connection even in presence of this attack.

Because Trojitá proceeded to use the connection without STARTTLS in face of PREAUTH, certain data might be leaked to the attacker. The only example which we were able to identify is the full content of a message which the user attempts to save to their "Sent" folder while trying to send a mail.

We don't believe that any other data could be leaked. Again, user's credentials will not be leaked.


Thanks to Arnt Gulbrandsen on the imap-protocol ML for asking what happens when we're configured to request STARTTLS and a PREAUTH is received, and to Michael M Slusarz for starting that discussion.

March 18, 2014
Donnie Berkholz a.k.a. dberkholz (homepage, bugs)

Students, this Friday at 1900 UTC is the deadline to apply for this year’s GSoC. It’s an awesome program that pays you to work on open-source projects for a summer (where you == a university/college student).

It’s by no means too late, but start your application today. You can find more information on Gentoo’s projects here (click on the Ideas page to get started; also see our application guidelines) and on the broader GSoC program here.

Good luck!

Tagged: community, development, gentoo, gsoc

March 07, 2014
Alexys Jacob a.k.a. ultrabug (homepage, bugs)
Couchbase on Gentoo Linux (March 07, 2014, 16:29 UTC)

Back in 2010 when I was comparing different NoSQL solutions I came across CouchDB. Even tho I went for mongoDB in the end, it was still a nice and promising technology even more since the merge with the Membase guys in late 2012 which lead to the actual Couchbase.

I won’t go into the details of Couchbase itself since it’s way covered all around the net but I wanted to let you guys know that I’ve packaged most of the couchbase ecosystem for Gentoo Linux :

  • dev-db/couchbase-server-community-2.2.0 : the community server edition (bin)
  • dev-libs/libcouchbase-2.2.0 : the C client library
  • dev-python/couchbase-1.2.0 : the python client library

Those packages are still only available on my overlay (ultrabug on layman) since I’m not sure about the interest of other users in the community and I still need to make sure it’s production ready enough.

If you’re interested in seeing this package in portage, please say so !

I dedicate this packaging to @atorgfr :)

March 05, 2014
Michał Górny a.k.a. mgorny (homepage, bugs)

In a previous article titled ‘using deltas to speed up SquashFS ebuild repository updates’, the author has considered benefits of using binary deltas to update SquashFS images. The proposed method has proven very efficient in terms of disk I/O, memory and CPU time use. However, the relatively large size of deltas made network bandwidth a bottleneck.

The rough estimations done at the time proved that this is not a major issue for a common client with a moderate-bandwidth link such as ADSL. Nevertheless, the size is an inconvenience both to clients and to mirror providers. Assuming that there is an upper bound on disk space consumed by snapshots, the extra size reduces the number of snapshots stored on mirrors, and therefore shortens the supported update period.

The most likely cause for the excessive delta size is the complexity of correlation between input and compressed output. Changes in input files are likely to cause much larger changes in the SquashFS output that the tested delta algorithms fail to express efficiently.

For example, in the LZ family of compression algorithms, a change in input stream may affect the contents of the dictionary and therefore the output stream following it. In block-based compressors such as bzip2, a change in input may shift all the following data moving it across block boundaries. As a result, the contents of all the blocks following it change, and therefore the compressed output for each of them.

Since SquashFS splits the input into multiple blocks that are compressed separately, the scope of this issue is much smaller than in plain tarballs. Nevertheless, small changes occurring in multiple blocks are able to grow delta two to four times as large as it would be if the data was not compressed. In this paper, the author explores the possibility of introducing a transparent decompression in the delta generation process to reduce the delta size.

Read on… [PDF]

Jan Kundrát a.k.a. jkt (homepage, bugs)
Trojita 0.4 "Ukraine" is released (March 05, 2014, 14:22 UTC)

Hi all,
we are pleased to announce version 0.4 of Trojitá, a fast Qt IMAP e-mail client. For this release, a lot of changes were made under the hood, but of course there are some changes that are visible to the user as well.


  • Users are able to use multiple sessions, which means that it is possible to use Trojitá with multiple IMAP accounts at the same time. It can be used by invoking Trojitá with the --profile something switch. For each profile, a new instance of the application is started. Please note that this is not our final solution for the multi-accounts problem; work on this is ongoing. For details, refer to the detailed instructions.
  • In the Composer Window, users can now control whether the current message is a reply to some other message. Hopefully, this will make it easier to reply to a ton of people while starting a new thread, not lumping the unrelated conversations together.
  • Trojitá will now detect changes to the network connection state. So for example, when a user switches from a wireless connection to a wired one, Trojitá will detect that and try to reconnect automatically.
  • Trojitá gained a setting to automatically use the system proxy settings.
  • SOCKS5 and HTTP proxies are supported.
  • Memory usage has been reduced and speed has been improved. Our benchmarks indicate being ten times faster when syncing huge mailboxes, and using 38% less memory at the same time.
  • The Compose Window supports editing the "From" field with hand-picked addresses as per common user requests.

This release has been tagged in git as "v0.4". You can also download a tarball (GPG signature). Prebuilt binaries for multiple distributions are available via the OBS .

This release is dedicated to the people of all nations living in Ukraine. We are no fans of political messages in software announcements, but we also cannot remain silent when unmarked Russian troops are marching over a free country. The Trojitá project was founded in a republic formerly known as Czechoslovakia. We were "protected" by foreign aggressors twice in the 20th century — first in 1938 by the Nazi Germany, and second time in 1968 by the occupation forces of the USSR. Back in 1938, Adolf Hitler used the same rhetorics we hear today: that a national minority was oppressed. In 1968, eight people who protested against the occupation in Moscow were detained within a couple of minutes, convicted and sent to jail. In 2014, Moscowians are protesting on a bigger scale, yet we all see the cops arresting them on Youtube — including those displaying blank signs.

This is not about politics, this is about morality. What is happening today in Ukraine is a barbaric act, an occupation of an innocent country which has done nothing but stopped being attracted to their more prominent eastern neighbor. No matter what one thinks about the international politics and the Crimean independence, this is an act which must be condemned and fiercely fought against. There isn't much what we could do, so we hope that at least this symbolic act will let the Ukrainians know that the world's thoughts are with them in this dire moment. За вашу и нашу свободу, indeed!

Finally, we would like to thank Jai Luthra, Danny Rim, Benjamin Kaiser and Yazeed Zoabi, our Google Code-In students, and Stephan Platz, Karan Luthra, Tomasz Kalkosiński and Luigi Toscano, people who recently joined Trojitá, for their code contributions.

The Trojitá developers

  • Jan Kundrát
  • Yuri Chornoivan
  • Karan Luthra
  • Pali Rohár
  • Tomasz Kalkosiński
  • Christian Degenkolb
  • Jai Luthra
  • Stephan Platz
  • Thomas Lübking

March 03, 2014
Gentoo Monthly Newsletter - February 2014 (March 03, 2014, 19:02 UTC)

The February 2014 GMN issue is now available online.

This month on GMN:

  • Interview with Gentoo developer Sven Vermeulen (swift)
  • Latest Gentoo news, job openings, interesting stats and much more.

March 01, 2014
Gentoo Monthly Newsletter: February 2014 (March 01, 2014, 19:00 UTC)

Gentoo news

Interview with Gentoo developer Sven Vermeulen (swift)

(by David Abbott)

1. Hi Sven, tell us about yourself?
My name is Sven Vermeulen. Although Sven is a primarily Scandinavian name, I have no roots with Scandinavia. I’m born (and still living) in Belgium, growing up with geeky domains such as technology, math, science and computing. In 2005 I graduated as engineer and started working for KBC, one of Belgium’s leading financial institutions (bank & insurance). In it, I always kept technology close to me, first as system engineer and now as IT architect.

My interest in technology & science never faded. Although computer systems and software development are my primary hobbies (as they can be handled hands-on easily without heavy investments) I still like to learn about the progress made in other fields and give myself exercises to keep my knowledge on those fields up to date. And for some reason, that always tends to help me with my real-life work (for instance for contract optimizations I used mathematical optimization methods).

I live with my daughter close to my work (between Brussels and Antwerp) which allows me to go to work by bicycle if my presence isn’t needed elsewhere. My work does require me to go abroad from time to time, but mostly within the European Union.

In my free time I enjoy … wait, free time? Nope, don’t have that nowadays. Let me rephrase it: if I had more free time, I’d probably spend it jogging or swimming (which I currently only do to clear my mind), sitting behind my computer (programming, documenting or just playing around), watching cats do stupid things on my tv (youtube – I don’t have cable or other TV services) and playing board games with friends.

Alas, most time is spent either on work, on working in my home (renovations) or providing taxi services to my daughter.

2. How did you get involved with Linux and Open Source?
That started in ‘96 or ‘97. I got a RedHat installation to play with and thought I could become a kernel developer with it. Well, I did have lots of imagination back then ;-) But I did enjoy the difference from the previous operating systems I used (Atari and Microsoft DOS/Windows) and was quite hooked by the idea of free software (I think then it was still mostly coined as “open source”).

I never deployed anything commercial / proprietary on my own systems anymore since. The BBS’es (and later Internet) provided all the information I needed to continue with free software. And as a C programmer (not saying I’m good at it, just saying I program in it) I took on the challenge of supporting my (then unsupported) Matrox graphics card with dual output in Linux. I got good help by the Linux development community, and got in touch with Linux’ internal structures. Which I immediately embraced as a new source of knowledge, as I moved to software engineering in my studies.

All software related things I did were in the free software world, patching here and there. After a while, I stumbled upon the next challenge, which was convincing other users to use free software. A major gap in this area was documentation, so I started learning about writing good documentation (I’m still disappointed that the Darwin Information Typing Architecture (DITA) hasn’t broken through), which is about the point that I joined Gentoo Linux.

In Gentoo, I first helped with translations, then moving on to English documentation, authoring, etc. Internally, I’ve been through various roles (regular developer, project manager, top-level project lead, trustee, council) in various areas (most of them non-technical, such as documentation, PR, recruitment). After quitting and joining a few times (I seem to have ups and downs in available time) I’m now running to keep the Gentoo documentation maintained, as well as supporting SELinux through the Gentoo Hardened project.

I often bounce from one technology or software to another, depending on the needs of the day. Need to detect installed libraries (in order to track potential vulnerabilities) but can’t find a tool? I’ll write one. Want to confirm secure configurations? I’ll learn about SCAP technologies and implement that. Require a web-based question & answer application? Let’s look how HTML5 works shall we. I’m pretty fluent in learning about technologies, protocols and what not.

Almost wished I was equally fluent in languages and history, which was my major obstacle at school…

3. I read your book Linux Sea and not only was impressed, really enjoyed it. Doing a Gentoo Linux install using the book as a classroom textbook would be the kind of class I would love to take. How did the book come about, and why Gentoo?
I wanted to create a documentation resource on Linux, discussing how Linux operating systems work (the concepts and architecture, but without diving into the details and advanced usage) and to which I can refer people who have a need for understanding a particular aspect of the operating system.

As a target distribution, I choose Gentoo because there aren’t many resource on Gentoo, and because Gentoo sticks close to the implementations of the projects themselves. There are no interfaces or APIs surrounding any of the functionalities that a Linux operating system provides, so I can easily discuss the real implementations. Not completely a “Linux from scratch”, but sufficiently close.

Another advantage of using Gentoo as example distribution is that readers, who use different distributions, can still enjoy the book (as it explains how things work) and then refer to the distribution-specific information of their distribution to go further, now with the knowledge of how things work “under the hood”.

4. With your skillset you would be welcome in any project, why do you support Gentoo?
I switch between many interest fields, and Gentoo is one of the few distributions that caters for it. If you need a responsive desktop, Gentoo can offer that. You want good support for many graphical environments? Gentoo can offer that. Need to implement a secure server: yes, Gentoo can offer that. Want to run Gentoo on a very small, lightweight device? Gentoo can offer that. Want to create a Linux router? Of course Gentoo can offer that.

If I want to do something similar with another distribution, I would most likely need to use a different set of distributions depending on my needs.

A second reason is the flexibility offered by Gentoo. Many tools offered by Gentoo are meant to assist in the maintenance and use of one or more tools or services, but without limiting the configuration abilities of the underlying components. Take portage for instance: you can hook into the various phases of package deployment easily, and many ebuilds support epatch_user, allowing for customizing deployments without removing functionality offered by Gentoo.

Or OpenRC’s dependency-based service scripts. Instead of naming it with a number depending on when you want to launch it, just put in the necessary dependencies in the scripts and you’re all set. That’s not just easy. That’s what makes Gentoo unique and powerful.

5. What could we be doing better?
I think we should be focusing more on (functional) areas than package sets (herds), and looking for ways to innovate in those areas. Right now, we’re happily following along with (most) upstream projects, and doing our job as a distribution that upstreams patches and supports users.

But why not look for more innovative ideas? Be open and bold with ideas, discuss them publicly (now that we have the Gentoo wiki, this should be easy to implement), create concept code and documentation. Do things other distributions can’t.

We should dare to fail, in order to learn. Right now, it seems that we’re sometimes afraid of making the wrong choice. We’re an organization with several hundred developers and volunteers, but not bound by service agreements, contractual obligations or implied functional adherence based on financial contributions. We should leverage that and move towards more innovative fields.

A second item that I believe would improve Gentoo as a distribution would be to remove complexity. Often, we do things in a somewhat complex way because there is no other way. That’s fine. But after a while, new and simpler methods come by that should replace the functionality we implemented more simplified.

Think about how the Gentoo Handbook is currently developed. We used our own format / syntax for reasons that were, back then, correct reasons. But things move on and mature. And while there are now much better alternatives available, we can’t use it because we customized everything to our needs. Writing documentation in the Gentoo Handbook almost requires you to learn how to program, as we use keywords, conditionals, include directives, automatic link generation, string substitutions and more. This is complex, and we should focus on simplifying this.

*I* should focus on simplifying this.

I’m pretty sure other examples can be found. Are all our eclasses still fully needed? How come the ruby-ng eclass is quite different from python-r1 eclass, even though they generally want to offer the same functionality? TIMTOWTDI, but if there is a method better and more simple than the other, use it.

6. Describe to our readers the relationship between the council and the foundation?
Basically speaking, the council is for technical matters and organization with regards to the Gentoo project, whereas the foundation is for the legal and financial aspects to support the Gentoo project. The two work orthogonal to each other (I am not aware of any overlap).

7. Is this relationship working, does it need to be changed or improved?
I think this is working pretty well and see little room for changes.

8. Same question for improving our partnership with Förderverein Gentoo e.V.
The Förderverein Gentoo e.V. and Gentoo Foundation, Inc. are sort-of siblings. After the decommissioning of Gentoo Technologies, Inc. each organization took on the responsibility of protecting the Gentoo trademark and supporting the Gentoo project in their home base: Förderverein Gentoo e.V. in Germany/Europe, and Gentoo Foundation in the United States of America.

9. What about moving the Gentoo Foundation to Belgium or somewhere in Europe?
I don’t think (re)locating a company to a specific location helps if there isn’t a need to. We should focus on what matters: protection and support of the Gentoo project and its intellectual property, and then evolve towards a structure that can easily support this now and in the future.

10. What documentation is moving to the wiki?
Well, right now we want to have all GuideXML documentation (which is non-handbook formats) on the Gentoo wiki. Most of the GDP-maintained documents (those in /doc/en) have been moved already, and moved into the main name space of the wiki so that others can contribute to it. That is also one of the main motivations for the move, as the Gentoo Documentation Project, for now, has insufficient resources to maintain GDP-only documentation.

In the next phase, handbook format documents (such as the SELinux Handbook, Gentoo Security Handbook and eventually the Gentoo Handbook itself) can be moved to the wiki as well. For the Gentoo Handbook though, this is more than just a copy of the data – it will require a refactoring of the documentation into a way that we can structure. I know the wiki supports inclusions and even conditionals, but this is some complexity I want to remove from the handbook.

A second thing a3li and I will look into (when time comes) is the ability to actually generate booklets from the wiki (like does). I think this is a logical consequence, as those plugins (as used by wikibooks) are made with larger documents in mind, and allow us to align the documentation development with those best practices as gently suggested by the plugins.

But to do so, I believe that the architecture-specifics will need to be cleaned out. Either an entire chapter can be written independently of an architecture, or it can’t. Having a chapter that is “mostly” for one architecture, but with parameters and variables for each architecture just to make sure it reads fine for that architecture, is probably not doable or maintainable.

I have considered moving the larger documents in DocBook format (which is the format I use for my other, non-Gentoo documents), and that is still not abandoned. I guess I’ll need to sleep over it some more.

But first make sure that our wiki is qualitatively up to the standards we once had for our documentation.

11. With the documentation moving to the wiki have you noticed more contributions from the community?
The main advantage is that there are new documents being created of good quality, which upon discovery I also mark for translations (so that our translation teams can provide the same documentation to non-English readers) and perhaps even add metadata to it (so that it is taken up in the “featured documentation” overview). The Gentoo wiki is constantly growing, and is more and more becoming a standard source of information when trying to debug or troubleshoot issues reported on our support channels or forums.

Existing documentation, which is moved to the wiki, doesn’t get as much updates as I expected. But there are many reasons why, such as documentation being quite explicit, or people being afraid of editing documents written in a particular style they are not familiar with, or people just suggesting things in the discussion pages but not in the main page, …

12. What should we be doing to get more users involved?
One thing is to make it clear to users that the wiki is open for everybody, and that we welcome all additions. Even when the change is not within the expectations of the English language (style and grammar) as we have enough people watching over to fix these styles and who do this gladly, without any remark towards the original author. Not everyone is fluent in English, and we shouldn’t restrict contributions to language puritans as the broader community has a lot more knowledge ready to be shared.

A second thing is to try and get the discussions through the discussion pages more active. Right now, many discussions are still slow-paced. We should promote this more, but also make sure that we can follow up on these discussions easily. There are two ways to do this in a wiki. One is to watch the page (and the discussions), the second one is to mark the discussions as being “open”, so they can be aggregated and viewed through the proper category in the wiki.

13. Who would you like to see recruited to become Gentoo Developers?
I’d like to see more package maintainers. There is still plenty of software without ebuilds, and that is after all what our users expect us to do the most. Even if a developer only maintains a handful of packages, that shouldn’t be a criteria to grant or deny access to the repository.

With the (eventual) implementation of git repositories, we should also be able to work with the pull request methods allowing people who don’t want to become developer to still contribute to the portage tree.

But the most important is not what technical or non-technical abilities they have, or which role they want to take in the Gentoo project, but rather their willingness to perform and work on an operating system used by several thousand users.

14. What else can we utilize the wiki for?
When the wiki was first launched, I started using it as some sort of Knowledge Base [1]. It allows for specific issues or misconfigurations to be documented and assist users in troubleshooting them. I still think this is a worthwhile set of documents to pursue, but needs a lot more content. I hope to, one day, be able to just mine the knowledge from #gentoo (i.e. historical discussions and questions) and put those in the knowledge base.


Perhaps we can, one day, use the wiki as some sort of reference architecture for Gentoo. Such a reference architecture would explain readers how Gentoo could be used to create an integrated environment, where each component has bindings with other components, in a well-orchestrated manner.

Right now, most documents focus on a single technology implementation and there is no full picture as to what Gentoo can really offer to organizations and companies of reasonable size.

15. What would you like the main site to be used for and what framework / language should we use for the redesign?
Personally, I think it would be a good idea to focus on a small main site, using a no-nonsense interface like Bootstrap, with support for mobile devices. Keep the amount of information that is dynamic of nature on other sites, like the Gentoo wiki (perhaps in a closed category so that only privileged developers can access it, for instance if it is about the social contract) and focus on telling the reader what Gentoo is and how to get it.

Underlying, this can even be made static HTML. That’s quite powerful, well known to most people, and doesn’t need any (potentially risky) modules on the web sites.

16. As a Gentoo Developer what are some of your accomplishments?
It’s difficult to put these in any order, as their accomplishment value depends on the time ;-) Still, it would be to assist in the Gentoo Handbook, the creation of the Gentoo Foundation, improved integration of SELinux in Gentoo, the Dutch translations (now they’re fully abandoned, but were once the top translation language), package maintenance here and there, support on #gentoo and the Gentoo Forums and what not.

17. What would be your dream job?
Honestly, I have no idea what it would be. However, it would not be as much about the content, but rather the energy that it would give me to go forward. A job with responsibility (but only on areas that you can influence – not the “You’re responsible for everything that goes wrong” kind of jobs), flexibility in hours, close to home, continuous education/improvement possibilities, lots of social contact (but not necessarily in team manner) and an innovative, evolving goal (not a day-in, day-out same kind of job).

18. What are the specs of your current boxes?
I have two laptops at home (a 2-year old i5 and a recent i7 laptop), a hacked Samsung TV, a hacked Ubiquiti router and two Synology DiskStations (which I oddly haven’t modified yet).

Next to the systems at home, I also manage two Dell PowerEdge servers which both host virtual systems for various personal purposes (such as attempts to move current cloud-driven solutions, such as Google mail and calendar) towards self-hosted solutions. These servers are co-located (luckily, because they make too much noise to be in my home).

19. Can you describe your personal desktop setup (WM/DE)?
I run XFCE with 7 xterms and two browsers open. I’m more a CLI guy ;-)

My previous one was fluxbox, which I enjoyed much as well. However, I ran XFCE due to a bug that someone reported (in SELinux support) and I wanted to reproduce it. And for some reason, it stuck.

20. What gives you the most enjoyment within the Gentoo community?
The appreciation received when fixing someone’s situation or helping them get the most of their installation. Honestly, I think that’s the best thing one can receive. Not only because it gives you a warm and fuzzy feeling, but also because these users often start helping others as well. This is why #gentoo is one of the largest support channels out there.

Gentoo @ FOSDEM 2014

(by Pavlos Ratis)

Gentoo Developers @ FOSDEM 2014
Photo by jmbsvicetto

On the 1st and 2nd of February, many Gentoo users and developers attended FOSDEM, the biggest F/OSS conference in Europe. Gentoo developer and council member Donnie Berkholz(dberkholz) had a talk about the status of distribution-level package management and the latest trends. Furthermore, a Gentoo BoF took place on Saturday. There, we had the chance to meet each other and talk about our favorite distro. The day ended with a Gentoo-ish dinner and beers at city’s center.

Council News

(by Andreas K. Huettel)

First of all, Robin Johnson’s (robbat2) GnuPG key policy GLEP is progressing; it is now officially GLEP (draft) 63 [1], will be posted to the mailing list for discussion one last time soon, and be on the agenda of the next council meeting (March 2014) for final confirmation. In the meantime, we’ll be happy to receive feedback.

About EAPIs, the council decided to immediately deprecate EAPI 0 and EAPI 3, which means they should in general not be used in new ebuilds anymore and repoman gives a non-fatal warning on commit. EAPI 1 and EAPI 2, already deprecated for long, will be banned immediately, in the sense that repoman does not allow committing new ebuilds (but existing ones keep working and can also be modified).

Regarding stable keywords usage on m68k, sh, s390 some discussion about details took place. In the end, based on a suggestion by Mike Frysinger (vapier), it was decided that the profiles of these arches should all be marked as experimental; the consensus was that then package maintainers do not have to care about the keywording status on these particular arches and can e.g. remove the last stable marked or keyworded ebuild of a package at will.

The last important topic that was brought up was the policy on tree wide use of the gtk / gtk2 / gtk3 useflags, or to be more precise the clash between the documentation provided by the gnome team and the policy decided on in a recent QA team meeting. Both Chris Reffett (creffett) as QA team lead and Chí-Thanh Christopher Nguyễn (chithead) presented their viewpoints. Further discussion touched upon the question how far-reaching policy decisions the QA team may make. In the end the council members affirmed that “QA’s right to create standards in glep 48 includes flag names / functions”. Subsequent discussion encouraged QA and Gnome team to keep talking.


Staffing Needs

If you are interested in helping out, please visit our staffing needs page on the Gentoo wiki.

Gentoo Developer Moves


Gentoo is made up of 252 active developers, of which 40 are currently away.
Gentoo has recruited a total of 794 developers since its inception.


The following developers have recently joined the project:
Returning Dev :D Steve Dibbs (announcement)


This section summarizes the current state of the portage tree.

Architectures 45
Categories 159
Packages 17243
Ebuilds 37610
Architecture Stable Testing Total % of Packages
alpha 3613 510 4123 23.91%
amd64 10644 6102 16746 97.12%
amd64-fbsd 0 1575 1575 9.13%
arm 2625 1628 4253 24.67%
hppa 3027 468 3495 20.27%
ia64 3187 569 3756 21.78%
m68k 585 77 662 3.84%
mips 2 2292 2294 13.30%
ppc 6870 2354 9224 53.49%
ppc64 4332 849 5181 30.05%
s390 1538 243 1781 10.33%
sh 1762 288 2050 11.89%
sparc 4138 876 5014 29.08%
sparc-fbsd 0 322 322 1.87%
x86 11404 5146 16550 95.98%
x86-fbsd 0 3224 3224 18.70%



The Gentoo Foundation recently received a donation of services from Rackspace. We would like to thank Rackspace for their donation and for continuing to support Open Source and Free Software Projects.



The following GLSAs have been released by the Security Team

GLSA Package Description Bug
201402-27 x11-plugins/pidgin-knotify pidgin-knotify: Arbitrary code execution 336916
201402-26 net-libs/libssh libssh: Arbitrary code execution 444147
201402-25 dev-libs/openssl OpenSSL: Denial of Service 497838
201402-24 app-crypt/gnupg GnuPG: Multiple vulnerabilities 449546
201402-23 x11-libs/libXfont libXfont: Multiple vulnerabilities 378797
201402-22 net-analyzer/tcptrack TCPTrack: Arbitrary code execution 377917
201402-21 media-libs/tiff libTIFF: Multiple vulnerabilities 440154
201402-20 net-irc/kvirc KVIrc: Multiple vulnerabilities 326149
201402-19 dev-libs/libtar libtar: Arbitraty code execution 487420
201402-18 app-misc/mc GNU Midnight Commander: User-assisted execution of arbitrary code 436518
201402-17 app-text/xpdf Xpdf: User-assisted execution of arbitrary code 386271
201402-16 media-libs/freetype FreeType: Multiple vulnerabilities 448550
201402-15 mail-client/roundcube Roundcube: Arbitrary code execution 488954
201402-14 dev-libs/icu International Components for Unicode: Denial of Service 460426
201402-13 app-text/djvu DjVu: User-assisted execution of arbitrary code 497088
201402-12 sys-auth/pam_skey PAM S/Key: Information disclosure 482588
201402-11 www-client/links Links: Denial of Service 493138
201402-10 media-sound/pulseaudio PulseAudio: Insecure temporary file usage 313329
201402-09 www-apache/mod_fcgid Apache mod_fcgid: Arbitrary code execution 487314
201402-08 net-misc/stunnel stunnel: Arbitrary code execution 460278
201402-07 games-strategy/freeciv Freeciv: User-assisted execution of arbitrary code 329949
201402-06 www-plugins/adobe-flash Adobe Flash Player: Multiple vulnerabilities 491148
201402-05 media-sound/banshee Banshee: Arbitrary code execution 345567
201402-04 dev-perl/libwww-perl libwww-perl: Multiple vulnerabilities 329943
201402-03 x11-libs/pixman Pixman: User-assisted execution of arbitrary code 493292
201402-02 x11-drivers/nvidia-drivers NVIDIA Drivers: Privilege Escalation 493448
201402-01 net-libs/libmicrohttpd GNU libmicrohttpd: Multiple vulnerabilities 493450

Package Removals/Additions


Package Developer Date
dev-php/PEAR-HTML_BBCodeParser mabi 13 Feb 2014
dev-php/PEAR-HTML_QuickForm_ElementGrid mabi 13 Feb 2014
dev-php/PEAR-HTTP_Upload mabi 13 Feb 2014
dev-php/PEAR-HTTP_WebDAV_Server mabi 13 Feb 2014
dev-php/PEAR-Tree mabi 13 Feb 2014
dev-php/PHPUnit_Selenium mabi 13 Feb 2014
dev-php/PHPUnit_MockObject mabi 13 Feb 2014
media-plugins/vdr-xxvautotimer hd_brummy 14 Feb 2014
media-plugins/vdr-skinclassic hd_brummy 14 Feb 2014
media-plugins/vdr-sky hd_brummy 14 Feb 2014
media-plugins/vdr-skinreel hd_brummy 14 Feb 2014
net-misc/usbip ssuominen 18 Feb 2014


Package Developer Date
app-crypt/ssdeep radhermit 01 Feb 2014
sec-policy/selinux-couchdb swift 02 Feb 2014
app-text/bdf2psf floppym 10 Feb 2014
dev-python/llvmpy bicatali 10 Feb 2014
dev-python/numba bicatali 10 Feb 2014
dev-python/blz bicatali 10 Feb 2014
dev-python/datashape bicatali 10 Feb 2014
dev-libs/libdynd bicatali 10 Feb 2014
dev-python/dynd-python bicatali 11 Feb 2014
dev-python/llvmmath bicatali 11 Feb 2014
dev-python/pykit bicatali 11 Feb 2014
dev-python/blaze bicatali 11 Feb 2014
dev-util/squashdelta mgorny 11 Feb 2014
dev-util/squashmerge mgorny 11 Feb 2014
dev-python/astroid idella4 12 Feb 2014
net-im/birdie jlec 12 Feb 2014
media-libs/libomxil-bellagio chithanh 12 Feb 2014
dev-ruby/instantiator graaff 13 Feb 2014
dev-ruby/introspection graaff 13 Feb 2014
dev-ruby/multi_test graaff 13 Feb 2014
app-emacs/redo+ ulm 13 Feb 2014
sys-apps/install-xattr blueness 13 Feb 2014
dev-python/astor patrick 14 Feb 2014
dev-lang/hy patrick 14 Feb 2014
sys-block/kvpm kensington 14 Feb 2014
app-misc/mediacrush-cli maksbotan 17 Feb 2014
sec-policy/selinux-pcscd swift 17 Feb 2014
dev-vcs/git-crypt patrick 18 Feb 2014
app-emacs/mediawiki ulm 18 Feb 2014
dev-python/repoze-sphinx-autointerface radhermit 19 Feb 2014
dev-python/kazoo radhermit 19 Feb 2014
kde-misc/kdeconnect mrueg 20 Feb 2014
net-news/canto-daemon pinkbyte 20 Feb 2014
net-news/canto-curses pinkbyte 20 Feb 2014
dev-ruby/http_parser_rb graaff 21 Feb 2014
dev-ruby/http graaff 21 Feb 2014
dev-python/keyczar radhermit 22 Feb 2014
app-emacs/hexrgb ulm 23 Feb 2014
dev-python/scoop slis 23 Feb 2014


The Gentoo community uses Bugzilla to record and track bugs, notifications, suggestions and other interactions with the development team.


The following tables and charts summarize the activity on Bugzilla between 27 January 2014 and 26 February 2014. Not fixed means bugs that were resolved as NEEDINFO, WONTFIX, CANTFIX, INVALID or UPSTREAM.


Bug Activity Number
New 1583
Closed 1051
Not fixed 227
Duplicates 171
Total 5480
Blocker 4
Critical 17
Major 67

Closed bug ranking

The developers and teams who have closed the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Gentoo Security 105
2 Gentoo Linux Gnome Desktop Team 63
3 Perl Devs @ Gentoo 37
4 Robin Johnson 34
5 Gentoo KDE team 28
6 Gentoo X packagers 25
7 Gentoo Sound Team 25
8 Python Gentoo Team 21
9 Bernard Cafarelli 20
10 Others 692


Assigned bug ranking

The developers and teams who have been assigned the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Gentoo Linux bug wranglers 104
2 Gentoo Security 88
3 Gentoo Linux Gnome Desktop Team 73
4 Gentoo KDE team 37
5 Gentoo's Team for Core System packages 35
6 Default Assignee for New Packages 34
7 Java team 34
8 Portage team 34
9 Default Assignee for Orphaned Packages 32
10 Others 1111


Tip of the month

Are you using a packages that needs a maintainer?
To find out use this python script developed by Ewoud Kohl Van Wijngaarden and Chris Stout. The script requires dev-python/beautifulsoup. Users can become maintainers for packages via the proxy-maintainer process.

Heard in the community

Problem installing net-libs/webkit-gtk:* hangs (gobject-introspection problem?) with =x11-drivers/nvidia-drivers-325.*
If you are using the nvidia proprietary driver, you may encounter a g-ir-failure as emerge will hang.
See BUG 463960
There is also a forum post about this.
Work around is:

# eselect opengl set xorg-x11
# emerge -1 webkit-gtk
# eselect opengl set nvidia

Want to emerge (update) all installed packages which depend on some given package P?

eix --deps -# -I P

That will list all packages in short that are installed and have P in their dependency variables plus the package itself.

Thanks go to for that :)

What do you do if you encounter a bug and it may have already been fixed. Search on bugzilla with this to show all the bugs even if they have been fixed and closed?

ALL category/package

Gentoo Website survey 2012 launched (March 01, 2014, 18:17 UTC)

Building a website that fits the needs of users and editors alike is hard. That's why the Gentoo PR team would like to ask you a few questions about our websites, mainly, but also about our other sites.

Take the survey now

Thanks for your time and interest in making our website experience better!

Gentoo at FOSSCOMM 2013 (March 01, 2014, 18:17 UTC)

What? FOSSCOMM 2013

Free and Open Source Software COMmunities Meeting(FOSSCOMM) 2013

When? 20th, April 2013 - 21st, April 2013

Where? Harokopio University, Athens, Greece


FOSSCOMM 2013 is almost here, and Gentoo will be there!

We will have a booth with Gentoo promo stuff, stickers, flyers, badges, live DVD's and much more! Whether you're a developer, user, or simply curious, be sure and stop by. We are also going to represent Gentoo in a round table with other foss communities. See you there!

Pavlos Ratis contributed the draft for this announcement.

Gentoo Monthly Newsletter - November 2013 (March 01, 2014, 18:17 UTC)

The November 2013 GMN issue is now available online. This month on GMN:

  • Interview with Richard Freeman. A Gentoo developer, Council and Trustees member.
  • Gentoo as a development environment for newcomers.
  • Overall Gentoo activity status with bugzilla, portage and developer statistics.

Gentoo Monthly Newsletter - January 2014 (March 01, 2014, 18:17 UTC)

The January 2014 GMN issue is now available online.

This month on GMN:

  • Meet up with Gentoo developers and users at this years FOSDEM'14 event.
  • Give back by helping the proxy-maintainers project.
  • Latest Gentoo news, job openings, interesting stats and much more.

Gentoo at LinuxTag 2013 in Berlin (March 01, 2014, 18:17 UTC)

LinuxTag 2013 runs from May 22nd to May 25th in Berlin, Germany. With more than 10,000 visitors last year, it is one of the biggest Linux and open source events in Europe.

You will find the Gentoo booth at Hall 7.1c, Booth 179. Come and visit us! You will meet many of our developers and users, talk with us, plus get some of the Gentoo merchandise you have always wanted.

Miniconf: Gentoo on the OLPC XO-1.75 (March 01, 2014, 18:17 UTC)

At the Gentoo Miniconf 2012 in Prague we will install Gentoo on the OLPC XO-1.75, an ARM based laptop designed as an educational tool for children. If you are interested in joining us, come to the Gentoo booth and start hacking with us!

—Chí-Thanh Christopher Nguyễn

Imagination Technologies

Imagination Technologies has donated two MIPS64-based Ubiquiti ERLite-3 routers, plus resources to aid Gentoo in providing up-to-date root file system builds for MIPS.

Imagination Technologies is a global leader in multimedia, processor and communication technologies. The company creates and licenses market-leading IP solutions for graphics, video and vision, CPU/general purpose processing, multi-standard communications and connectivity, and cross-platform voice and video communications. Imagination's MIPS CPU cores and architectures range from solutions for ultra low-power 32-bit microcontrollers to high-performance 32/64-bit advanced applications and network processing. MIPS is supported by a broad ecosystem of tools and software including open source Linux distributions like Gentoo.

Gentoo Monthly Newsletter - December 2013 (March 01, 2014, 18:17 UTC)

The December 2013 GMN issue is now available online. This month on GMN:

  • Interview with Sergey Popov. A Gentoo developer and the team leader of Qt, proxy-maintainers and desktop-effects teams.
  • Overall Gentoo activity status with bugzilla, portage and developer statistics.

2012 Gentoo Screenshot Contest Results (March 01, 2014, 18:17 UTC)

Gentoo - Still alive and kicking ...

As the quantity and quality of this year's entries will attest, Gentoo is alive, well, and taking no prisoners!

We had 70 entries for the 2012 Gentoo screenshot contest, representing 11 different window managers / desktop environments. Thanks to all that participated, the judges and likewhoa for the screenshot site.

The Winners!

February 28, 2014
Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
INSTALL_MASK'ing for a better future (February 28, 2014, 07:37 UTC)

So today I was pointed at a funny one:

Now instead of being wrongly installed in /usr/lib (whuarghllaaaaaaaawwreghhh!?!$?) there's some config files for systemd bleeding into /etc.

Apart from being inconsistent with itself this eludes all previous ways to avoid useless files from being installed. The proper response thus looks like this now:
INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd"
And on the upside this will break udev unless you carefully move config to /etc (lolwat ur no haz EUNICHS system operation?) - which just motivated me to shift everything I can to eudev.

Reading recommendation: FHS

February 23, 2014
Alexys Jacob a.k.a. ultrabug (homepage, bugs)
py3status v1.3 (February 23, 2014, 19:23 UTC)

I’m glad to announce the release of py3status v1.3 which brings to life a feature request from @tasse and @ttyE0. Guys, I hope this one will please you !

what’s new ?

Along with a localization bug fix thanks to @zetok from Poland, the main new feature is that py3status now supports a standalone mode which you can use when you only want your own modules displayed in an i3bar !

As usual, this release is already available for my fellow Gentoo Linux users and on pypi !

Changelog is here and quick to get, enjoy !

February 22, 2014
Michał Górny a.k.a. mgorny (homepage, bugs)
A few words on lzip compressor (February 22, 2014, 17:08 UTC)

Some of you may already have noticed that sys-apps/ed and sys-fs/ddrescue packages started pulling in lzip archiver. «Is this some new fancy archiver?» you may ask. The answer is «no. It’s been around for a very long time, and it never got any real interest.»

You can read some of the background story in New Options in the World of File Compression Linux Gazette article. Long story short, lzip was created before xz as a response to the limitations of .lzma format used by lzma-utils. However, it never got any real attention and when xz-utils was released as a direct successor to lzma-utils it became practically redundant. And the two projects co-existed silently until lately…

Over the past five years, Antonio Diaz Diaz, lzip’s author, and a few project supporters were trying to convince the community that the lzip format is superior to xz. However, they were never able to provide any convincing arguments to the community, and while xz gained popularity lzip stayed in the shadow. And it was used mostly by the projects Diaz was member of.

It seems that he has finally decided that advocacy will not help his pet project in gaining popularity. Instead, he decided to take advantage of his administrator position in the mentioned GNU projects and discontinue providing non-.lz tarballs. As he says, «surely every user of ddrescue would like to know about lzip […]».

So, Gentoo user, would you like to know about lzip? Let’s try to get a few fair points here.

First of all, it should be noted that the two competing projects are two different implementations of the same compression algorithm — LZMA2, and they use incompatible file formats. Therefore, both can achieve the same compression ratio (and similar speed) but using either of them requires users to download the appropriate tool.

xz is gaining traction lately. The initial doubt period seems to be over, and growing number of projects is adapting the format. This includes both use of the compression library and distribution of sources in .tar.xz. An xz coder is implemented within the kernel and it can be used as a compressor for filesystems. Practically saying, it’s inevitable for Gentoo users since it is used to compress some of the larger sources (like kernel sources).

Lzip is a side project with minor interest. Most of our users were unaware of its existence until they were forced to install it in order to unpack some other package. In fact, since it is used in particularly small packages, the gain from using it (compared to gzip) is even smaller than size of lzip tarball. Not to mention if we compare it to xz that most of our users have installed already.

As analyzed by Ohloh, xz-utils «has a well established, mature codebase» though it is mostly maintained by a single person. lzip is developed by a single person with no officially known contributors, and no public source code repository. The author claims that lzip is mature and will be continually developed but those are only promises, compared to the community growing around xz.

Feature-wise, xz supports more fine-grained configuration of LZMA2 and additional filters (alike 7-Zip). Lzip has a recovery tool and a few extra promises.

xz-utils are written in C, with the compression library and basic utilities being public-domain. Lzip is C++, and GPLv3 (but there’s also a limited public-domain C version). xz-utils use clean autotools, lzip — custom configure script and Makefile.

To sum up: both tools are quite similar and have no strong advantages over the other. However, the popularity of xz makes it a better choice most of the time, while using lzip mostly forces users to install an extra tool for no real benefit. The continuous support and development in xz-utils is guaranteed by the community, while in lzip it’s just author’s promise.

This post would end here if not for the late events. Now lzip gained an important disadvantage: its author is simply unprofessional. While many other projects start shipping .xz compressed tarballs following its rise in popularity, Diaz is grasping at straws and abusing his position trying to force people to use his pet project instead. He has clearly more concern about the popularity of lzip than about the friendliness to users of the other projects he is administering.

February 20, 2014
Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
gentoo-x86 to git, round two (February 20, 2014, 08:32 UTC)

After my not-so-good experiments with cvs2git I was pointed at cvsps. The currently masked 3.13 release (plus the lastest ~arch version of cvs) seems to do the trick quite well. It throws a handful of warnings about timestamps that appear to be harmless to me.
What I haven't figured out yet is how to "fix" the email addresses, but that's a minor thing.
Take the raw cvs repo as in the first blogpost, then:

$ time cvsps --root :local:/var/tmp/git-test/gentoo-x86-raw/ --fast-export gentoo-x86 > git-fast-export-stream
cvsps: NOTICE: used alternate strip path /var/tmp/git-test/gentoo-x86-raw/gentoo-x86/
cvsps: broken revision date: 2003-02-18 13:46:55 +0000 -> 2003-02-18 13:46:55 file: dev-php/PEAR-Date/PEAR-HTML_Common-1.0.ebuild, repairing.


real    212m56.219s
user    12m11.170s
sys     6m59.110s
So this step takes near 3h walltime, and consumes ~10GB RAM. It generates about 17GB of temporary data.
To get performance up you'd need a machine with 32GB+ RAM so that you can do that in TMPFS (and don't forget to make /tmp a tmpfs too, because tmpfile() creates lots and lots of temporary files there) - and the tmpfs needs to be >18GB

In theory you can pipe that directly into git-fast-import. To make testing easier I didn't do that..
Throwing everything into git takes "a while" (forgot to time it, about 20 minutes I think):
Alloc'd objects:    9680000
Total objects:      9675121 (    190979 duplicates                  )
      blobs  :      3020032 (    158366 duplicates    1389088 deltas of    2989578 attempts)
      trees  :      5150778 (     32613 duplicates    4633675 deltas of    4709477 attempts)
      commits:      1504311 (         0 duplicates          0 deltas of          0 attempts)
      tags   :            0 (         0 duplicates          0 deltas of          0 attempts)
Total branches:           8 (         3 loads     )
      marks:     1073741824 (   4682709 unique    )
      atoms:         431658
Memory total:        516969 KiB
       pools:         63219 KiB
     objects:        453750 KiB

pack_report: getpagesize()            =       4096
pack_report: core.packedGitWindowSize = 1073741824
pack_report: core.packedGitLimit      = 8589934592
pack_report: pack_used_ctr            =    7139457
pack_report: pack_mmap_calls          =    1976288
pack_report: pack_open_windows        =          3 /          9
pack_report: pack_mapped              = 2545679911 / 8589934592
And then run git gc (warning: Another mem-hungry operation peaking at ~8GB).
The result is about 7.2GB git repository and appears to have full history.

Files to play around with:
Raw copy of the CVS repo (~440MB)
The git-fast-importable stream created by cvsps (biiig)
The mangled compressed git repository that results from it (~6GB)
The same repo recompressed (~1.7GB)
"git repack -a -d -f --max-pack-size=10g --depth=100 --window=250" takes ~3 CPU-hours and collapses the size nicely. Thanks, Mr.Klausmann!

February 19, 2014
Anthony Basile a.k.a. blueness (homepage, bugs)
Lilblue Linux: release 20140218 (February 19, 2014, 18:34 UTC)

I just pushed out a new release of Lilblue Linux 20140218 [1] which you can download from any Gentoo mirror [2].  For those of you who don’t know, Lilblue Linux is a security-enhanced fully featured XFCE4 desktop system for amd64.  It is built with Gentoo’s hardened toolchain [3] and uses Gentoo’s hardened-sources for the kernel which include the Grsec/PaX patches [4] for added security.  Lilblue Linux really is Gentoo, so the name is a bit pretentious, but there is one important and interesting twist: it is built using uClibc [5] as its standard C library rather than glibc, giving it some advantages of an embedded system, such as speed.

Release 20140218 is primarily a maintenance release in which I updated all the packages so as to sync up with maintream Gentoo’s stable amd64 set.  I didn’t touch the toolchain since there was no pressing need, but I did update the kernel to hardened-sources-3.12.6.  There were no known major security issue nor major bugs in the previous release.  But, there was a lot of package flux, with lots of fixes that resolved some annoying issues which plagued the earlier release.  One such annoyance was SMPlayer that used to open up a second window to play a video rather than rendering it in the main window.

If you are already running Lilblue, you can probably just do a `emerge –sync; layman -S; emerge -uvND world` and get caught up [6], but if you are starting a fresh system, the newer image cleans out those annoyances, so you want to start there.  One of the reasons I push out new images every few months is that there are always glitches when updating.  This is true of any Gentoo system but all the moreso of Lilblue because most software is developed under the assumption that we are building against glibc.  These assumptions (GNU-isms) manifest themselves in varioius ways: 1) assumptions about the availability of functions which are GNU extensions, such as secure_getenv() in systemd’s code base which eudev removes [7],  2) assumptions about header stacking, eg. using variadic functions without including stdarg.h (You can sometimes get away with this on a glibc system because it sneaks in via some other included header, but not in uClibc), [8] and 3) missing LDFLAGS like, -liconv -lintl or -largp, which are needed to find these breakout libraries [9].  There are, however, some very deep issue which require serious investigation, such as the removal of poll_waiting in glib (versions above 2.30.3) which lead to a dead lock for all applications linking against it.  It turned out that the issue there was in uClibc’s implementation of eventfd() [10].  Another interesting bug in uClibc- was the non-atomic implementation of pread() and pwrite() in terms of open() and lseek() [11].  This caused a race in git-1.8.x which does a multithreaded unpacking of the deltas and requires atomic pread/pwrite.  Mike Frysinger (vapier) had already worked out the implementation in terms of SYS_pread64/pwrite64 but these had not yet been backported.  The latest adventure was on arm architecture (yes I’m thinking of porting Lilblue to arm) where the syscall for pread/pwrite was being done using _syscall5() rather than _syscall6() and not properly aligning the 64-bit value on even register pairs.  This again broke pread/pwrite and git, but only on arm arch! [12]  Mike again had the fix and backported it.

Lilblue is built form a stage3-amd64-uclibc-hardened tarball that can be found on any gentoo mirror under /experimental/uclibc along side the Lilblue image itself [2].  I keep the build scripts on Gentoo’s releng (release engineering) git repo [13] and I run them occassionally to see if any major issues are creeping in as mainstream Gentoo evolves.  If everything goes well, then I don’t push out another release to avoid taxing the mirrors.  But when things get complicated, or a large number of packages need updating, I get the feeling I’d better push out another release.  I hope one day to have a binpkg system going where you can donwload a ~200MB seed image and then install from a binhost but this is more involved than I first suspected.

So give it a try in a virtual machine if you like.  It runs out-of-the-box on VirtualBox.  Installation instructions are on the home page [1].  Or run it as you main desktop as I do on one of my boxes at home!



[2] The image is named desktop-amd64-uclibc-hardened-[release].tar.bz2 and can be found at




[6] While I’ve tried to get most of the fixes either into the main Gentoo tree, or upstream, some patches still remain and so I maintain a repository for them:;a=shortlog;h=refs/heads/uclibc

[7] See man 3 getenv.  While getenv conforms to SVr4, POSIX.1-2001, 4.3BSD, C89 and C99, secure_getenv() is a GNU extension.

[8] The header stacking problem works both ways.  In, sys-apps/kbd failed to build on uClibc because of a missing stdarg.h when trying to prototype functions with variadic parameters.  Contrast this to, where app-cdr/cdrtools fails to build because including stdio.h indirectly includes bits/sched.h which defines clone() (as in man 2 clone).  But this clashes with a definition of clone() in cdrtools’ readcd.c.  Upstream felt that this was a poor implementation on the part of uClibc and the stacking problem there should be fixed.  I can’t disagree, but it is a thorny issue!

BTW, for those interested, you can get a little python script I wrote to analyse header stacking from my dev space:

[9] In this way Lilblue is similar to Gentoo on FreeBSD.  Rather than using uClibc’s iconv which has issues, Lilblue pulls in dev-libs/libiconv. The additional LDFLAGS are added on a per package basis using /etc/portage/package.env.





Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
Thunderbird - double sending is better sending (February 19, 2014, 06:43 UTC)

So here's something brilliant I've found while debugging some PGP-issues:

-- --  END PGP MESSAGE     

--  -- --  --  -- 070107010101000406000609
Content Type: text/html; charset=ISO 8859 1
Content Transfer Encoding: 8bit

    <meta content="text/html; charset=ISO 8859 1"
      http equiv="Content Type">
  <body bgcolor="#FFFFFF" text="#000000">
         BEGIN PGP MESSAGE      <br>
    Charset: ISO 8859 1 <br>
    Version: GnuPG v2.0.22 (MingW32) <br>
    Comment: Using GnuPG with Thunderbird   <a class="moz txt link freetext" href=""></a> <br>
    hQIMA0dhXCfgRaeBAQ/+P2NCYSVE7vxW742D9eYJmJ/7g7xHSvPFuYvGSZk2gRaJ <br>
    JoZ98x+TPjSlvYVWuS+Y2Fz04ydhi4vNcK+QAqImVO0nO6dFvxUfmZiERBcYGs4C <br>
    Lhe+B/I0P/hEDl+Zu/QJ/v+SEcFoXKv2iclrXwWF6RyLlO97iu8UsLYUjLIZ7Y+r <br>
    YGqphoIdJLfVZ9bb05RIb0ZKnYX5dzunpqu6V6zRpwckWCkos7qBOZ9hfBjaFkvD <br>
    ZQAoJM78qQ0//vV6qyxSpXXFEFbDZuJjPjjDfIF+qyNbcW657bDHQH2ctcyvdcTf <br>
(Modulo some dashes, but you get the idea)

So, uhm, there's a multipart-mime mail, with a PGP-encrypted attachment, and then there's a properly quoted HTML attachment, CONTAINING the same PGP attachment BASE64 encoded. Or something. The funny thing is that Thunderbird itself fails to display the body directly, but displays it in the editor window when you reply.
In vino veritas, and tonight I will need lots of veritas to unremember this madness.

February 18, 2014
Alexys Jacob a.k.a. ultrabug (homepage, bugs)
mongoDB v2.4.9/v2.2.7, rabbitMQ v3.2.3 (February 18, 2014, 16:11 UTC)

Quick post about some recent bumps.

mongodb-2.4.9 & mongodb-2.2.7

IMPORTANT : These versions fix a mongos bug which could lead it to report a write as successful when it was not. This affects all versions of MongoDB prior to and including v2.4.8.

Stay tuned on mongoDB, the next post will probably talk about the release of pymongo v2.7 which supports some neat futures from the upcoming mongoDB v2.6 series.


I skipped a bump post when releasing the v3.2.2 so you should check out the v3.2.3 changelog as well if you’re willing to know more about those bug fix releases.

Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
Converting gentoo-x86 to git, first attempt (February 18, 2014, 05:14 UTC)

A first attempt at cvs-to-git conversion of gentoo-x86; not yet complete. Needs: ~4GB storage for cvs repo, a few GB for temporary files, and a few GB for the git repo

Where possible using tmpfs is recommended as this whole operation is very IO-heavy.
Aquire a complete (server-side) copy of the CVS repo:

mkdir cvs; cd cvs
rsync . -r --stats
WIP: Use ferringb's modifications to cvs2git to transform the repo
git clone git://
I haven't figured out why it fails for me yet, but that would make the whole thing a lot easier.

Naive cvs2git run on one category to demonstrate that it works in theory:
cvs2git --encoding=utf_8 --fallback-encoding=ascii 
        --trunk-only --blobfile=./blob --dumpfile=./dump 
        --username=derp cvs/gentoo-x86/app-emulation/
This does work, but it's really slow and doesn't do things like rewrite committer names etc.etc.
cvs2svn Statistics:

Total CVS Files:              6569
Total CVS Revisions:         37696
Total CVS Branches:              0
Total CVS Tags:                  0
Total Unique Tags:               0
Total Unique Branches:           0
CVS Repos Size in KB:        37135
Total SVN Commits:           11385
First Revision Date:    Thu Oct 26 15:02:06 2000
Last Revision Date:     Mon Feb 10 06:58:17 2014

Timings (seconds):

   6   pass1    CollectRevsPass
   0   pass2    CleanMetadataPass
   0   pass3    CollateSymbolsPass
1100   pass4    FilterSymbolsPass
   0   pass5    SortRevisionsPass
   0   pass6    SortSymbolsPass
   2   pass7    InitializeChangesetsPass
   2   pass8    BreakRevisionChangesetCyclesPass
   2   pass9    RevisionTopologicalSortPass
   0   pass10   BreakSymbolChangesetCyclesPass
   2   pass11   BreakAllChangesetCyclesPass
   1   pass12   TopologicalSortPass
   3   pass13   CreateRevsPass
   0   pass14   SortSymbolOpeningsClosingsPass
   0   pass15   IndexSymbolsPass
   3   pass16   OutputPass
1121   total
This creates some temporary files which we feed to git fast-import:
$ git init --bare git-test; cd git-test
$ git fast-import --export-marks=../cvs2git-tmp/git-marks.dat <../blob                    
$ git fast-import --import-marks=../cvs2git-tmp/git-marks.dat <../dump 
git-fast-import statistics:

Alloc'd objects:      70000
Total objects:        40469 (       253 duplicates                  )
      blobs  :            0 (         0 duplicates          0 deltas of          0 attempts)
      trees  :        29085 (       253 duplicates      26014 deltas of      26667 attempts)
      commits:        11384 (         0 duplicates          0 deltas of          0 attempts)
      tags   :            0 (         0 duplicates          0 deltas of          0 attempts)
Total branches:           1 (         1 loads     )
      marks:     1073741824 (     43450 unique    )
      atoms:           5742
Memory total:          5454 KiB
       pools:          2173 KiB
     objects:          3281 KiB

pack_report: getpagesize()            =       4096
pack_report: core.packedGitWindowSize = 1073741824
pack_report: core.packedGitLimit      = 8589934592
pack_report: pack_used_ctr            =      28072
pack_report: pack_mmap_calls          =          2
pack_report: pack_open_windows        =          2 /          2
pack_report: pack_mapped              =   19836762 /   19836762
And there's our converted category. Runtime of the cvs2git step is ~1200sec = 20min, the git fast-import steps both take ~5 seconds.
There's still a lot left to figure out, but this should be enough information to allow others to attempt to do this reliably.

February 16, 2014
The future of Gnome 2 (February 16, 2014, 18:49 UTC)

Following forum [1], IRC and mailing list reading, I wanted to clarify Gnome team position on what will happen now that Gnome 3.8 has moved to stable.

Gnome 2 is going to be removed.

I think it cannot be more clear and there are multiple reasons for that. Let’s write a bit about those so people do not try to invent conspiracy theories:

  • Gnome 2 is not maintained anymore, nothing will make this fact go away.
  • the team is understaffed, many of our talented contributors are too busy with real life or simply quit the (Gentoo) project.
  • Bug reports are still flowing for Gnome 2 but none of us in the team are running it anymore because we do not have the extent of time needed for that.

So, yes, Gnome 3 does not suit everyone’s tastes, but most of us still love it, yes, it depends on systemd and most of us would rather keep our good ol’ openrc that did the work just fine but Gnome 2 is going away and nothing will change that.

What we recommend to people who loved Gnome 2 is to switch to alternatives like XFCE, MATE or Cinnamon because there is no point in living in the past.


February 08, 2014
Gentoo Haskell Herd a.k.a. haskell (homepage, bugs)
7.8.1-rc1 Gentoo experience (February 08, 2014, 18:34 UTC)

A week ago Austin Seipp and GHC team announced first release candidate from 7.8 branch.

As a packager I was especially interested in following features:

  1. GHCi (and dynamic linking) on unregisterised arches, like ia64 and powerpc64
  2. jobs argument for ghc make. Parallel builds for free.
  3. what did seriously break, what was fixed?

First off, -rc1 is packaged in gentoo-haskell overlay (not keyworded as quite a bit of packages fail to build against ghc-7.8).

GHCi (and dynamic linking)

Dynamic linking works like a charm! GHCi loads binaries noticeaby faster. Let’s test it! Simplest synthetic test: how fast do you get prompt from interpreter?

# ghc-7.6:
$ time { echo '1+1' | ghci -package yesod-core >/dev/null; }
real    0m0.626s
user    0m0.550s
sys     0m0.074s
# ghc-7.8:
$ time { echo '1+1' | ghci -package yesod-core >/dev/null; }
real    0m0.209s
user    0m0.172s
sys     0m0.034s

It’s a case, when files are cached in RAM. 3-4 times faster. The same boost should apply every time when you compile something template-haskell related.

jobs argument for ghc make

I’ve went ahead and tried to enable it for all ebuilds.

For some reason ghc eats a lot of system time in that mode. Likely jobs without arguments is not very good idea and i’ll need to limit it by minimum of MAKEOPTS value and some N (Cabal picked 64).

Even in this mode 2-time speedup is visible on large packages.

So what did break?

Not _that_ much, actually.

alex and happy generated parsers

All package maintainers who ship lexers generated by alex and parsers generated by happy are strongly advised to update those tools locally and reissue hackage update, as old parsers do not compile against ghc-7.8.

If you have happened to use low-level

(==#) :: Int# -> Int# -> Bool

primitives, you might need to port your code a bit, as how their type is a bit different:

(==#) :: Int# -> Int# -> Int#

Here is our example fix for arithmoi.

Type inference changed a bit.

Traditionally darcs needed a patch :] In that big mostly dumb patch most interesting bit is explicit assignment:

- where copyRepo =
+ where copyRepo :: IO ()
+ copyRepo =

Even more amusing breakage was in shake, where error was in inability to infer Addr# argument. No idea was it a bug or feature.

Unsafe removals

As we’ve seen in darcs patch many unsafe${something} functions went away from Foreign modules down to their Unsafe counterparts.


Typeable representation did change in a substantial way, thus advanced generic stuff will break. I have no example fix, but have a few of broken packages, like dependent-sum.

Hashtable gone from base

Example of fix for frag package. By the way, ghc-7.6 used to eat 8GBs of RAM compiling frag. For ghc-7.8 it was enough 700MBs even for 8 building threads.

Compiler itself

The thing I expected to try didn’t compile: unregisterised arches and GHCi on them.

I’ve hacked-up a workaround to make them build, but in threaded RTS mode it still SIGSEGVs.

STG gurus are welcome to help me :]

I have fundamental questions like:

  • can unregisterised builds support SMP in theory? (via __thread attribute for example)
  • did UNREG ever produce working threaded runtime?
$ cat __foo/foo.hs 
main = print 1
# non-threaded works, as always been
$ inplace/bin/ghc-stage1 --make __foo/foo.hs -threaded -debug -fforce-recomp
$ gdb --args ./__foo/foo +RTS -D{s,i,w,g,G,b,S,t,p,a,l,m,z,c,r}
(gdb) run
7ffff7fb9700: resuming capability 0
7ffff7fb9700: cap 0: created thread 1
7ffff7fb9700: new bound thread (1)
7ffff7fb9700: cap 0: schedule()
7ffff7fb9700: cap 0: running thread 1 (ThreadRunGHC)
Jumping to 0x7ec17f
Program received signal SIGSEGV, Segmentation fault.
0x00000000007ec1a2 in stg_returnToStackTop ()
(gdb) bt
#0  0x00000000007ec1a2 in stg_returnToStackTop ()
#1  0x00000000007d26d9 in StgRun (f=0x7ec17f , basereg=0xca0648) at rts/StgCRun.c:81
#2  0x00000000007c7a30 in schedule (initialCapability=0xca0630, task=0xcc3b30) at rts/Schedule.c:463
#3  0x00000000007ca2c4 in scheduleWaitThread (tso=0x7ffff6b05390, ret=0x0, pcap=0x7fffffffd218) at rts/Schedule.c:2346
#4  0x00000000007c0162 in rts_evalIO (cap=0x7fffffffd218, p=0xb61450 , ret=0x0) at rts/RtsAPI.c:459
#5  0x00000000007e04c3 in ioManagerStartCap (cap=0x7fffffffd218) at rts/posix/Signals.c:184
#6  0x00000000007e04f6 in ioManagerStart () at rts/posix/Signals.c:194
#7  0x00000000007d1d5d in hs_init_ghc (argc=0xc96570 , argv=0xc96578 , rts_config=...) at rts/RtsStartup.c:262
#8  0x00000000007d000b in real_main () at rts/RtsMain.c:47
#9  0x00000000007d0122 in hs_main (argc=17, argv=0x7fffffffd418, main_closure=0xb527a0 , rts_config=...) at rts/RtsMain.c:114
#10 0x0000000000404df1 in main ()

Looks like CurrentTSO is complete garbage. Should not happen :]


The experience is positive. I already get bored, when see single-threaded make of ghc-7.6 and want to update a compiler.

Things like yesod, darcs, hoogle, pandoc and xmonad build fine, thus you can get working environment very fast.

Package authors are more eager to fix stuff for this release: it turns bug lookup and benchmarking into very interactive process.

I want to thank All Of You to make push haskell forward!

Thank you!

February 07, 2014
Anthony Basile a.k.a. blueness (homepage, bugs)
The Gentoo Profile Stacking Problem (February 07, 2014, 21:40 UTC)

I thought I’d write a bit about a long standing problem that the hardened team has been facing with Gentoo’s profile system.  Ever since I joined the team around 2009, we’ve had to deal with the “profile stacking problem”.  Most users and devs just merily go along using `eselect profile` to pick the profile closest to the type of system they want and then tweak the various files under /etc/portage, adding a USE flag here, and keywording or unmasking a package there, until they get the “perfect” system.  What I want to do in this post is expose just what goes into designing the profiles that we publicly export.

I was inpsired to write this because of bug #492312.  There we want to re-introduce the hardened desktop profile for amd64, x86 and arm.  I say “re-introduce” because we had to remove it and its sibling profiles /server and /developer.  So what was going on there?

To start, let me give you a nice pice of python code:

import portage
for p in portage.settings.profiles:
    print("%s" % p)

What this little snippet does is print out the profile stack as the directories inherited from one another via the parent file.  Its a useful tool because profile stacking can get very hard to follow.  When the parent file has something simple like just “..” then the inheritance is easy and that directory just inherits all the package.mask, package.unmask etc of the parent directory, as you would expect from the shell meaning of “..”  But what happens when the parent file looks like this:


as it does for hardened/linux/amd64?  Well then we get some interesting behavior. The first line says, inherit from base. Easy enough since base inherits from nothing else you get all of base’s settings. The second line says inherit from default/linux, which aslo doesn’t inherit from anything.  These setting just add and override those from base.  Easy enough. Ah! But now we come to arch/amd64, where the parent file says


and the inheritance continues to those directories in order. Finally “..” in hardened/linux/amd64 means inherit hardened/linux which sets most of hardened’s needs via make.defaults, package.mask, use.mask and friends. But alas, hardened/linux has its own parent file which reads


and the trip down the rabbit hole continues!  If you are starting to get a little lost, don’t feel bad. It is hard to wrap your brain around stacking, which is why that little script above is so useful.  But the difficulty in following profiles stacking is not the real problem. If you’re like me, you’re too proud to admit you can’t get your head around any complexity ;)   No, the real problem is that you can’t control the stacking order.

To demonstrate, let me refer again to bug #492312.  There we’d like to have a profile which reads


Okay, but what should we put for its parent file?  We’ll need “..” in there to inherit all of hardened/amd64 settings, but we also would like targets/desktop.  So let’s try a parent file that looks like this


In that case, our little script tells us that our profile stack as follows:


And if you switch the order of .. and targets/desktop, you get


The problem with the first ordering is that targets/desktop overrides hardened/linux/amd64 and so any USE flags that we may turn off or on in hardened can get reverse in desktop.  The example here is the jit flag — Just-In-Time compilers write executable code on the fly in areas of memory which must be both writeable and executable.  But a PaX hardened kernel will not allow WX mmap-ings because this is an obvious exploit vector.  Rather, in hardened, we prefer slower and safer methods for compiling/interpreting code on the fly than JIT.

Okay, so what about the second ordering.  It may look strange to have target/desktop before base, but that in itself is not an issue.  Here we have the same problem as above but in an even more subtle way!  (See my comment #9 of bug #492312.)  Consider a fairly important package like dev-libs/libxml2.  In the current state of the tree, `emerge -vp dev-libs/libxml2` would give

 [ebuild   R    ] dev-libs/libxml2-2.9.1-r1:2  USE="ipv6 python* ...

for both stacking choices. But if at some point in the future, someone added the following to profiles/default/linux/package.use

#Python support causes problems on xyz
#Don't pull it in if we don't neeed it
dev-libs/libxml2  -python

The vanilla profile default/linux/amd64/13.0/desktop and our hardened profile with targets/desktop last would not change since they have “dev-libs/libxml2 python” in package.use near the bottom of the stack, but our proposed hardened profile with targets/desktop on top would give

 dev-libs/libxml2-2.9.1-r1:2  USE="ipv6 readline ... -python ...

So, both choices for orderings of “..” and “targets/desktop” in our parent file for hardened/linux/amd64/desktop lead to situations where we can’t control what packages get what use flags. What we would like is a stacking that looks something like this


but how do we get that with our current inheritance mechanism? One idea that Magnus (Zorry) had was to gutt out this portion of portage and replace the parsing of the parent file with something along the lines of openrc’s depend() { … } clause. Then we just locally say what has to come before/after what and we let the algorithm figure it out. It sounds like an interesting problem if there were two of me and if there were a good chance that it would actually get implemented. In the mean time, we limp along with what we have and do ad hoc fixes as changes in one part of the profiles means we have to adjust other things. Since we are all responsible for different areas of the tree’s profiles, inevitably we cause one another breakage even with the best of intentions. For example, a few days ago, Mike (vapier) removed a masking on the uclibc USE flag in the base profile.  Doing so makes perfect sense. He didn’t tell me, and why should he have to?, but this lead to a small breakage in hardened/linux/uclibc/amd64 and friends where I had to relax that masking.  I only discovered this upon a catalyst run which is a bit annoying.

February 06, 2014
Michał Górny a.k.a. mgorny (homepage, bugs)
Using deltas to speed up SquashFS updates (February 06, 2014, 08:11 UTC)

The ebuild repository format that is used by Gentoo generally fits well in the developer and power user work flow. It has a simple design that makes reading, modifying and adding ebuilds easy. However, the large number of separate small files with many similarities do not make it very space efficient and often impacts performance. The update (rsync) mechanism is relatively slow compared to distributions like Arch Linux, and is only moderately bandwidth efficient.

There were various attempts at solving at least some of those issues. Various filesystems were used in order to reduce the space consumption and improve performance. Delta updates were introduced through the emerge-delta-webrsync tool to save bandwidth. Sadly, those solutions usually introduce other inconveniences.

Using a separate filesystem for the repositories involves additional maintenance. Using a read-only filesystem makes updates time-consuming. Similarly, the delta update mechanism — while saving bandwidth — usually takes more time than plain rsync update.

In this article, the author proposes a new solution that aims both to save disk space and reduce update time significantly, bringing Gentoo closer to the features of binary distributions. The ultimate goal of this project would be to make it possible to use the package manager efficiently without having to perform additional administrative tasks such as designating an extra partition.

Read on… [PDF]

February 04, 2014
Richard Freeman a.k.a. rich0 (homepage, bugs)
Quick EC2 Backups with Duplicity (February 04, 2014, 22:07 UTC)

I’ve been doing online EC2 backups on my Gentoo box for a while, but switched to Duplicity a few months ago and have been very happy with the results.  Setting this up took some trial and error, so I figured I’d share my config in case others find it useful.  But first, here’s why I switched…

Duplicity is based on librsync, and is designed to be a simple command-line-based tool.  Due to librsync the incremental backups it generates are VERY small – if you change one byte in a 2GB file it sends only a few bytes, just like rsync.  It supports encryption and EC2 upload (and a bunch of other options) natively, which means I can ditch a bunch of shell scripting.  It also stores encrypted manifests on the backup destination, which means that if your local index gets out of sync it can quickly synchronize and continue sending incrementals.

My configuration makes use of an alternates-filename patch which you can find in the duplicity bugzilla, or obtain from the rich0 Gentoo overlay.  v0.6.24 of Duplicity will actually implement this in a slightly different manner, so if you do use this patch be aware that you’ll need to do new full backups after you upgrade.  You can just drop the –alternate-filenames option and not use the patch, but if you do so you won’t be able to configure Amazon S3 to archive your difftar files to Glacier.

Once you install duplicity from either Gentoo portage or using my overlay, you’ll need your EC2 credentials.  Then to execute a backup you can run:

duplicity --encrypt-key ABCDEF01 --archive-dir /var/cache/duplicity \
--exclude-if-present .noonlinebackup \
--exclude-filelist /etc/duplicity-configs/dup-online1-exclude \
--include /etc --include /home --include /root \
--exclude '**' --full-if-older-than 60D --volsize 500 --asynchronous-upload
--alternate-filenames / s3+http://bucket/path/

You should substitute your AWS credentials.  Setting TMPDIR is optional, but if you’re running tmpfs you might not have space for all the stuff you’re backing up.  Setting archive-dir is also optional, but the archives are expendable and I don’t want it in my home getting backed up – if they get deleted duplicity will automatically fetch them back from EC2 (which will cost you money – so don’t delete them needlessly).

Exclude-if-present means that if you touch .noonlinebackup in a directory it won’t back up that directory.  The exclude list is just a file with one path per row which will be excluded.  You can have as many include options as you like.  The exclude/include/exclude followed by a backup on / was the only way I could get it to back up paths relative to root while excluding files that were otherwise in the include paths.  Otherwise the default include/exclude order wasn’t terribly helpful, but I might not be grokking the intent.

Full-if-older-than tells duplicity to create a new full backup every 60d.  You can separately run a variation of this to do cleanup:

duplicity --encrypt-key ABCDEF01 --archive-dir /var/cache/duplicity \ 
remove-all-but-n-full 2 --force s3+http://bucket/path/

This will delete all but the last two full backups, and any incrementals that depend on them.

As far as how it performs, this log speaks for itself:

Reading filelist /etc/duplicity-configs/dup-online1-exclude
Sorting filelist /etc/duplicity-configs/dup-online1-exclude
Local and Remote metadata are synchronized, no sync needed.
Last full backup date: Tue Jan 21 03:11:45 2014
--------------[ Backup Statistics ]--------------
StartTime 1391501490.67 (Tue Feb 4 03:11:30 2014)
EndTime 1391502084.80 (Tue Feb 4 03:21:24 2014)
ElapsedTime 594.13 (9 minutes 54.13 seconds)
SourceFiles 332755
SourceFileSize 32503585361 (30.3 GB)
NewFiles 456
NewFileSize 22332746 (21.3 MB)
DeletedFiles 11
ChangedFiles 76
ChangedFileSize 2181064980 (2.03 GB)
ChangedDeltaSize 0 (0 bytes)
DeltaEntries 543
RawDeltaSize 110980087 (106 MB)
TotalDestinationSizeChange 38473179 (36.7 MB)
Errors 0

30GB of source data with 2GB of files that changed, and this was protected by transferring 36MB of data with the whole operation completed in 10 minutes.

By using alternative filenames you can set a prefix in S3 to archive your difftar files to glacier.  I wouldn’t archive anything else – the manifests do not account for much space and if you lose your local copy it will re-download them (which is very expensive for glacier if not carefully managed).  The future Duplicity release will allow you to specify separate prefixes for each file type created so that you can just put your difftars in a separate directory.

Filed under: foss, gentoo, linux

February 01, 2014
LinuxCrazy Podcasts a.k.a. linuxcrazy (homepage, bugs)
Podcast 99 | Gentoo Monthly Newsletter (February 01, 2014, 22:33 UTC)


Gentoo Monthly Newsletter
All about Choice!




January 31, 2014
Gentoo Monthly Newsletter: January 2014 (January 31, 2014, 19:00 UTC)

Gentoo News


(by Markos Chandras) By the time you read this, a few of us will be heading to the FOSDEM 2014 event. As usual, FOSDEM takes place the first weekend of February in Brussels. Quite a few Gentoo developers will be there so come and look for us if you want to meet us in person or discuss something that you want to see improved in our favorite distribution. Yes, we accept bribes if you want your bug fixed ASAP ;-) Chances are most of us will be lurking at the Distribution devroomDonnie Berkholz is scheduled to give a talk titled “Is distribution-level package management obsolete?” on Saturday afternoon. Do not miss it!

Tracking orphaned packages

(by Markos Chandras) Orphaned packages is not an uncommon thing in the portage tree. Nearly 6.45% of the available packages lack a maintainer. However, not having a maintainer is not always a bad thing. Actually, most of these packages still work flawlessly. However, looking at the history of orphaned packages (Figure 1) one may observe that their number grew significantly over the past year.

Figure 1

Figure 1

AFRAID NOT! It is not as bad as it seems ;-) Truth is, the reason for the high number of unmaintained packages is the outstanding retirements that happened last year. The retirement team has been actively tracking developer and herd activity removing those who have been inactive for a long time. However, this only justifies the increased number of packages since 2010. On the other hand, the absolute number of packages is definitely something to worry about. Nobody is going to remove unmaintained packages from the tree for no good reason. However, if one of them breaks at some point, then chances are the package will go away if nobody steps up to pick up the pieces. If you are using any of these packages, you can easily help us maintain it through the proxy-maintainers project.

Council News

One first agenda topic concerned the EAPI of the profile directories. Since  all non-deprecated profiles require EAPI=5 support already for a year, the  council decided to give an additional 30 days notice and then switch the  whole profile tree to EAPI=5. This also means that the deprecated 10.0 profiles will  be removed. Next, the move of the Gentoo Linux Enhancement Proposals (GLEPs) to the wiki  and improvements to the GLEP submission process were addressed. Without much discussion, the decision was to follow the suggestions by Chris Reffett (creffett) and update GLEP 1 (which defines the procedures) and GLEP 2 (an example text) accordingly. Summarizing the most important new points, GLEP proposals are now submitted on Bugzilla, can be  discussed on the gentoo-project mailing list instead of gentoo-dev if appropriate, are written in MediaWiki markup and stored on, and are licensed CC-BY-SA 3.0. Regarding the status of the PGP key requirements GLEP that has been in the works for a while, it will be the first test case for the new procedures, and we’re waiting for Robin Johnson (robbat2) to finalize the text. Finally, during open floor discussion the question of architecture teams lagging behind in stabilizations came up again. The main question here was whether similar rules as already in place for alpha and ia64 should be put in place for all stable arches (maintainers may remove the last stable version of a package if the stablerequest is delayed without reason for more than 90 days). Any decision was deferred; discussion on the mailing lists should take place first.

Catalyst News

After a long period on “life support”, the catalyst repository is going to have major changes introduced to master in the next few days. The work done in the rewrite branch by Brian Dolbec, is finally going to be merged into master through the pending branch. Anyone using catalyst to produce stages is advised to use the latest release (currently 2.0.16). If you need to track the stable branch, please use the catalyst 2.0.9999 ebuild that tracks the 2.X branch. Anyone wanting to help with catalyst development and testing is encouraged to use the 9999 version and report issues to the catalyst team, pending the understanding that master may be broken during the next few months. Please report any issues to our bugzilla with Component: Catalyst. You can always find us in the #gentoo-releng irc channel of freenode. To be clear, these changes will only affect catalyst-9999 and the master branch of the repository. If you’re not using either, this doesn’t affect you.

 Job Openings

The following job openings have been posted since 2014-01-01:

Role Project Requirements
Gentoo-keys Developer Gentoo-keys Good python skills and or gpg key creation, verification knowledge
Web Developer Recruiters Web development knowledge, Ruby on Rails, Bootstrap, basic database knowledge
PyPy hacker Python Moderate ebuild knowledge (we can help with that). Understanding of Python integration within Gentoo. Ability to hack on PyPy's source code. We can provide the infrastructure capable of building PyPy if necessary.

You can see all job openings in the Gentoo Wiki.

Gentoo Developer Moves


Gentoo is made up of 251 active developers, of which 38 are currently away. Gentoo has recruited a total of 794 developers since its inception.


The following developers have recently changed roles

Zac Medico, the Lead developer of the Portage package manager announced that is he stepping down from portage development. As a result of which, the team had to ask for help, and after a very short period of time, the team now comprises 18 contributors. Please take a moment to thank Zac for his hard work all these years, and for all of the new contributors for keeping our package manager alive :)


The following developers have recently joined the project: Yixun Lan (announcement) Samuel Damashek (announcement) Alexander Berntsen (announcement)


New SSL Certificates

(by Robin H. Johnson) The Gentoo Infrastructure team would like announce that almost all of the public Gentoo services with SSL have been migrated away from CACert. We would like to extend thanks to the certificate authorities that have provided our new certificates: GlobalSign (*, and DigiCert (all other certificates). We would also like to thank CACert for their longstanding support.

Fortune is Fickle: Restoring

(by Alex Legler) This month, Gentoo saw the biggest service outage it has had for a long time. On Friday, January 10, the machine powering went down. The same day, we reached out to our sponsor who is providing the machine. Unfortunately, the email was only received and acted upon the following Monday where a remote reboot command was issued that sadly could not resolve the issue. Thus, a datacenter technician was dispatched to assess the state of the machine. He found out the mainboard has died. We had hoped that we could restore service by plugging the disks into another machine provided by the same sponsor only to find out that they were in fact still good old IDE drives. Don’t believe me? Here they are:

IDE drives from the old machine

IDE drives from the old machine

Thanks to the tireless efforts of our sponsor’s contact, Vassilis, we were able to finally get the overlays data on Thursday (as well as the great picture above). After importing the data into a new, empty overlays setup provisioned by our configuration management and a quick test of a few repositories, I was glad to be able to announce the service restoration. Sadly, the bad patch we’ve been going through wasn’t over yet: Several of the repositories showed corruption which forced us to start looking into the backup and merge the recovered live state with a backup taken a few hours before the outage. Having suffered from all these little setbacks, on Saturday we were able to finally fully restore the service. What have we learned during this outage?

  • First and foremost: Redundancy would have spared us almost a week of downtime. Thus, we’re looking into preparing a second machine to host Overlays.
  • Very important as well: Keeping up an information flow. The incident marked the baptism by fire for our recently launched Infrastructure Status web site. We were glad to have this site at our disposal to update the community on developments and the status of the service. We’re hoping that next time (let’s hope not too soon though) even more people know about this site and use it.
  • The decision to restore from backup should have been made earlier. In the end, we ascertained only a couple of hours of work were lost and could easily be re-pushed onto the server.

Special thanks again to Vassilis and his colleagues for their help and to you, our community, for bearing with us during the outage as well as countless offers of help with hardware and hosting.


This section summarizes the current state of the portage tree.

Architectures 45
Categories 159
Packages 17189
Ebuilds 37614
Architecture Stable Testing Total % of Packages
alpha 3606 517 4123 23.99%
amd64 10636 6050 16686 97.07%
amd64-fbsd 0 1573 1573 9.15%
arm 2604 1598 4202 24.45%
hppa 3022 464 3486 20.28%
ia64 3162 573 3735 21.73%
m68k 548 68 616 3.58%
mips 0 2285 2285 13.29%
ppc 6865 2357 9222 53.65%
ppc64 4323 856 5179 30.13%
s390 1548 230 1778 10.34%
sh 1767 279 2046 11.90%
sparc 4128 884 5012 29.16%
sparc-fbsd 0 322 322 1.87%
x86 11390 5111 16501 96.00%
x86-fbsd 0 3219 3219 18.73%



The following GLSAs have been released by the Security Team

GLSA Package Description Bug
201401-33 perl-core/digest-base Perl Digest-Base module: Arbitrary code execution 385487
201401-32 mail-mta/exim Exim: Multiple vulnerabilities 322665
201401-31 app-emacs/cedet CEDET: Privilege escalation 398227
201401-30 None Oracle JRE/JDK: Multiple vulnerabilities 404071
201401-29 media-libs/vips VIPS: Privilege Escalation 344561
201401-28 app-misc/tomboy Tomboy: Privilege escalation 356583
201401-27 app-office/texmacs GNU TeXmacs: Privilege escalation 337532
201401-26 net-analyzer/zabbix Zabbix: Shell command injection 493250
201401-25 net-libs/ldns ldns: Arbitrary code execution 384249
201401-24 net-nntp/inn INN: Man-in-the-middle attack 432002
201401-23 app-admin/sudo sudo: Privilege escalation 459722
201401-22 dev-ruby/activerecord Active Record: SQL injection 449826
201401-21 app-text/poppler Poppler: Multiple vulnerabilities 489720
201401-20 net-analyzer/cacti Cacti: Multiple vulnerabilities 324031
201401-19 dev-libs/gmime GMime: Arbitrary code execution 308051
201401-18 dev-libs/opensc OpenSC: Arbitrary code execution 349567
201401-17 sys-apps/pcsc-lite PCSC-Lite: Arbitrary code execution 349561
201401-16 app-crypt/ccid CCID: Arbitrary code execution 349559
201401-15 net-misc/asterisk Asterisk: Multiple vulnerabilities 449828
201401-14 net-misc/curl cURL: Multiple vulnerabilities 456074
201401-13 app-emulation/virtualbox VirtualBox: Multiple Vulnerabilities 434872
201401-12 gnustep-base/gnustep-base GNUstep Base library: Multiple vulnerabilities 325577
201401-11 dev-lang/perl Locale Maketext Perl module: Multiple vulnerabilities 384887
201401-10 media-libs/libexif exif: Multiple vulnerabilities 426366
201401-09 net-misc/openswan Openswan: User-assisted execution of arbitrary code 483204
201401-08 net-misc/ntp NTP: Traffic amplification 496776
201401-07 dev-libs/libxslt libxslt: Denial of Service 433603
201401-06 dev-vcs/git Git: Privilege escalation 335891
201401-05 net-misc/dhcp ISC DHCP: Denial of Service 463848
201401-04 dev-lang/python Python: Multiple vulnerabilities 325593
201401-03 net-analyzer/nagstamon Nagstamon: Information disclosure 476538
201401-02 net-im/gajim Gajim: Information disclosure 442860
201401-01 dev-dotnet/libgdiplus Libgdiplus: Arbitrary code execution 334101

Package Removals/Additions


Package Developer Date
dev-php/DBUnit mabi 06 Jan 2014
dev-php/PEAR-File_PDF mabi 06 Jan 2014
dev-java/jdictrayapi mr_bones_ 08 Jan 2014
app-office/rabbit mrueg 13 Jan 2014
app-i18n/rskkserv mrueg 13 Jan 2014
dev-ruby/postgres mrueg 13 Jan 2014
dev-ruby/radiant mrueg 17 Jan 2014
dev-ruby/actionwebservice graaff 18 Jan 2014
dev-ruby/gettext_activerecord graaff 18 Jan 2014
dev-ruby/gettext_rails graaff 18 Jan 2014
kde-base/solid kensington 20 Jan 2014
kde-base/kuiviewer kensington 20 Jan 2014
kde-base/kstartperf kensington 20 Jan 2014
kde-base/kdesdk-scripts kensington 20 Jan 2014
kde-base/kdesdk-misc kensington 20 Jan 2014
kde-base/kdegraphics-strigi-analyzer kensington 20 Jan 2014
games-board/capitalism hasufell 23 Jan 2014
games-board/CapiCity ulm 23 Jan 2014
dev-ruby/sqlite-ruby mrueg 24 Jan 2014
dev-ruby/dbd-sqlite3 mrueg 24 Jan 2014
dev-ruby/dbd-sqlite mrueg 24 Jan 2014
dev-ruby/dbd-pg mrueg 24 Jan 2014
dev-ruby/dbd-odbc mrueg 24 Jan 2014
dev-ruby/dbd-mysql mrueg 24 Jan 2014
dev-ruby/dbi mrueg 24 Jan 2014


Package Developer Date
sci-libs/vtkdata jlec 02 Jan 2014
dev-util/icemon scarabeus 02 Jan 2014
media-libs/hupnp-ng pinkbyte 02 Jan 2014
dev-java/jlibeps mrueg 03 Jan 2014
dev-python/mox3 idella4 03 Jan 2014
dev-vcs/git-merge-changelog ulm 04 Jan 2014
dev-perl/MediaWiki-API dilfridge 04 Jan 2014
net-misc/libreswan floppym 05 Jan 2014
dev-python/bcrypt idella4 05 Jan 2014
lxde-base/lxappearance-obconf nullishzero 05 Jan 2014
app-text/openlp anarchy 05 Jan 2014
kde-base/calendarjanitor creffett 06 Jan 2014
kde-base/contactthemeeditor dilfridge 06 Jan 2014
dev-php/phpcov mabi 06 Jan 2014
dev-vcs/gitinspector jlec 06 Jan 2014
net-misc/stuntman chainsaw 07 Jan 2014
sci-libs/magma bicatali 07 Jan 2014
kde-misc/redshift-plasmoid mrueg 08 Jan 2014
dev-util/igprof maksbotan 08 Jan 2014
dev-php/phpDocumentor mabi 08 Jan 2014
app-text/XML-Schema-learner mjo 09 Jan 2014
app-admin/cdist hwoarang 09 Jan 2014
dev-python/tmdb3 floppym 11 Jan 2014
dev-perl/Statistics-Distributions civil 12 Jan 2014
dev-perl/Statistics-TTest civil 12 Jan 2014
dev-perl/Getopt-Tabular civil 12 Jan 2014
dev-perl/Benchmark-Timer civil 12 Jan 2014
dev-java/disruptor ercpe 12 Jan 2014
net-misc/leapcast vapier 12 Jan 2014
dev-java/jackson-annotations ercpe 12 Jan 2014
dev-java/jackson-databind ercpe 12 Jan 2014
games-rpg/to-the-moon hasufell 12 Jan 2014
sci-libs/chemkit jlec 13 Jan 2014
dev-libs/rapidxml jlec 13 Jan 2014
dev-java/cal10n ercpe 13 Jan 2014
dev-java/slf4j-ext ercpe 13 Jan 2014
sci-libs/lemon jlec 13 Jan 2014
sci-libs/coinor-sample bicatali 14 Jan 2014
sci-libs/coinor-utils bicatali 14 Jan 2014
sci-libs/coinor-osi bicatali 14 Jan 2014
sci-libs/coinor-vol bicatali 14 Jan 2014
sci-libs/coinor-dylp bicatali 14 Jan 2014
sci-libs/scalapack bicatali 14 Jan 2014
sci-libs/mumps bicatali 14 Jan 2014
sci-libs/coinor-clp bicatali 14 Jan 2014
sci-libs/coinor-cgl bicatali 14 Jan 2014
sci-libs/coinor-cbc bicatali 14 Jan 2014
sci-libs/coinor-alps bicatali 14 Jan 2014
sci-libs/coinor-netlib bicatali 14 Jan 2014
sci-libs/coinor-bcp bicatali 14 Jan 2014
sci-libs/coinor-bcps bicatali 14 Jan 2014
sci-libs/coinor-blis bicatali 14 Jan 2014
sci-libs/coinor-csdp bicatali 14 Jan 2014
sci-libs/coinor-dip bicatali 14 Jan 2014
sci-libs/coinor-flopcpp bicatali 14 Jan 2014
sci-libs/coinor-mp bicatali 14 Jan 2014
sci-libs/coinor-smi bicatali 14 Jan 2014
sci-libs/coinor-symphony bicatali 14 Jan 2014
sci-libs/coinor-bonmin bicatali 15 Jan 2014
sci-libs/coinor-couenne bicatali 15 Jan 2014
sci-libs/coinhsl bicatali 15 Jan 2014
sci-libs/ipopt bicatali 15 Jan 2014
sci-libs/coinor-cppad bicatali 15 Jan 2014
sci-libs/coinor-os bicatali 15 Jan 2014
sci-libs/avogadrolibs jlec 16 Jan 2014
sys-cluster/libcircle ottxor 18 Jan 2014
app-emulation/armv8-fast-model vapier 18 Jan 2014
dev-db/lmdb eras 18 Jan 2014
www-client/google-chrome-beta floppym 19 Jan 2014
www-client/google-chrome-unstable floppym 19 Jan 2014
dev-ml/pa_bench aballier 19 Jan 2014
dev-ml/typerep aballier 19 Jan 2014
dev-ml/pa_test aballier 19 Jan 2014
dev-ml/re2 aballier 19 Jan 2014
dev-ml/async_kernel aballier 19 Jan 2014
dev-ml/faillib aballier 19 Jan 2014
sec-policy/selinux-cachefilesd swift 19 Jan 2014
net-libs/libmbim alexxy 20 Jan 2014
dev-java/jortho sera 20 Jan 2014
app-misc/asciinema kensington 20 Jan 2014
net-libs/libnftnl chainsaw 20 Jan 2014
sys-firmware/iwl7260-ucode gienah 23 Jan 2014
media-gfx/librecad slis 23 Jan 2014
sys-apps/getent blueness 23 Jan 2014
games-board/CapiCity hasufell 23 Jan 2014
games-board/capicity ulm 23 Jan 2014
x11-libs/gtk-mac-integration grobian 23 Jan 2014
x11-misc/sxhkd radhermit 24 Jan 2014
x11-wm/bspwm radhermit 24 Jan 2014
app-crypt/scrypt radhermit 24 Jan 2014
net-firewall/nftables chainsaw 24 Jan 2014
sys-firmware/iwl3160-ucode gienah 25 Jan 2014
sys-firmware/iwl3160-7260-bt-ucode gienah 25 Jan 2014
dev-libs/efl tommy 25 Jan 2014
dev-python/sphinx-better-theme floppym 25 Jan 2014
dev-python/backports radhermit 26 Jan 2014
dev-python/backports-ssl-match-hostname radhermit 26 Jan 2014
app-leechcraft/lc-rosenthal maksbotan 26 Jan 2014


The Gentoo community uses Bugzilla to record and track bugs, notifications, suggestions and other interactions with the development team.


The following tables and charts summarize the activity on Bugzilla between 29 December 2013 and 28 January 2014. Not fixed means bugs that were resolved as NEEDINFO, WONTFIX, CANTFIX, INVALID or UPSTREAM.


Bug Activity Number
New 1653
Closed 1298
Not fixed 233
Duplicates 186
Total 5427
Blocker 5
Critical 19
Major 68

Closed bug ranking

The developers and teams who have closed the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Gentoo Security 95
2 Gentoo's Team for Core System packages 60
3 Perl Devs @ Gentoo 43
4 Default Assignee for Orphaned Packages 42
5 Gentoo Linux Gnome Desktop Team 32
6 Robin Johnson 31
7 Gentoo KDE team 30
8 Gentoo Sound Team 29
9 Python Gentoo Team 28
10 Others 907


Assigned bug ranking

The developers and teams who have been assigned the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Gentoo Linux bug wranglers 145
2 Gentoo Security 65
3 Gentoo Linux Gnome Desktop Team 59
4 Gentoo's Team for Core System packages 55
5 Portage team 40
6 Default Assignee for New Packages 38
7 Gentoo KDE team 38
8 media-video herd 34
9 Default Assignee for Orphaned Packages 30
10 Others 1148


Tip of the month

(by Pavlos Ratis) Many of us are using overlays every day. Overlays vary from very small to big enough in size. As a result they slow down the majority of Portage operations. That happens because overlays do not contain metadata cache. The cache is used to speed up searches and the building of dependency trees. A neat trick is to generate local metadata cache after syncing overlays.

# layman -S
# emerge --regen

This trick also works in conjunction with eix. eix-update can use metadata cache generated by emerge –regen to speed up things. To enable this, add the following variable in /etc/eixrc. OVERLAY_CACHE_METHOD="assign"

Bonus: Fun tips

  1. Have you mooed today?: emerge --moo
  2. Emerge games-misc/doge and/or games-misc/cowsay to beautify your motd ;)

Alexys Jacob a.k.a. ultrabug (homepage, bugs)
keepalived v1.2.11 & glusterfs v3.4.2 (January 31, 2014, 16:46 UTC)

Quick post for two quick bumps related to clustering.


  • quite a lot of bug fixes and improvements
  • contains a backport for libgfapi support for integrating with NFS Ganesha
  • nfs/mount3: fix crash in subdir resolution


  • autoconf: better libnl3 detection
  • Fix memory allocation for MD5 digest
  • Quite some nice memory leak fixes on different components
  • vrrp: dont try to load ip_vs module when not needed
  • Pim van den Berg work on libipvs-2.6 to sync with libipvs from ipvsadm 1.27
  • vrrp: extend ip parser to support default and default6
  • vrrp: fix/extend gratuitous ARP handling (multiple people reported issues where MASTER didnt recover properly after outage due to no gratuitous ARP sent)
  • Multiple fixes to genhash
  • vrrp: fix vrrp socket sync while leaving FAULT state (old old bug here)
  • Full changelog here

January 30, 2014
Luca Barbato a.k.a. lu_zero (homepage, bugs)
Fosdem! (January 30, 2014, 16:58 UTC)

About 26h before Fosdem (yes, the beer event is the glorious start of the conference)!


I’ll be around bearing chocolate and chocolate for friends and fellow members of the communities I belong to (no beers this time, sorry guys!), hopefully we’ll find some space to discuss anything you’d like to discuss with me.


  • Libav (We should also have a room to discuss some more Libav10 and Libav11 planned releases)
  • VLC (Probably most discussions during the meeting, where Felix will stab me for not having done hwaccel2)
  • Gentoo/Sabayon (Complaints and rants welcome only during the beer event)
  • Any of my other many projects (contributions welcome btw!)
  • Anything else.


There might be a room to discuss for about 1 hour about Libav10 Sunday, I’ll be around the Gentoo BoF Saturday and obviously I’ll be around attending some of the events.

See you there! (hopefully)

January 29, 2014
Michael Palimaka a.k.a. kensington (homepage, bugs)
app-misc/asciinema – new package (January 29, 2014, 10:41 UTC)

I recently added app-misc/asciinema to the tree, a tool used to record and share terminal sessions. Everything is text-based, so it’s much more lightweight than video recording approaches.

Let me know if you do anything useful with it. :-)

ASCII Solitaire

January 28, 2014
Robin Johnson a.k.a. robbat2 (homepage, bugs)

Munin is commonly used to graph lots of systems stuff, however it lacks a common piece of functionality: 95th percentile.

The Munin bug tracker has ticket #443 sitting open for 7 years now, asking for this, and proving a not-great patch for it.

I really wanted to add 95th percentile to one of my complicated graphs (4 base variables, and 3 derived variables deep), but I didn't like the above patch either. Reading the Munin source to consider implementing VDEF properly, I noticed an undocumented setting: graph_args_after. It was introduced by ticket #1032, as a way of passing things directly to rrdtool-graph.

Clever use of this variable can pass in ANYTHING else to rrdtool-graph, including VDEF! So without further ado, here's how to put 95th percentile into individual Munin graphs, relatively easily.

# GRAPHNAME is the name of the graph you want to render on.
# VARNAME is the name of the new variable to call the Percentile line.
# DEF_VAR is the name of the CDEF or DEF variable from earlier in your graph definition.
# LEGEND is whatever legend you want to display on the graph for the line.
#   FYI Normal rrdtool escaping rules apply for legend (spaces, pound, slash).
${GRAPHNAME}.graph_args_after \
  LINE1:${VARNAME}\#999999:${LEGEND}:dashes \
# Example of the above I'm using
bandwidth1.graph_args_after \
  VDEF:totalperc=gcdeftotal,95,PERCENT \
  LINE1:totalperc\#999999:95th\ Percentile\ (billable\):dashes \

January 27, 2014
David Abbott a.k.a. dabbott (homepage, bugs)
Ambiance-Gentoo Theme Buttons (January 27, 2014, 21:50 UTC)

Just installed the theme Ambiance-Gentoo from the package x11-themes/light-themes for my Gnome3 desktop. I just had to get rid of those orange buttons. Unpack this file and read the readme.

Thats it :)

Luca Barbato a.k.a. lu_zero (homepage, bugs)
Gentoo on Macbookpro 2013 – part2 (January 27, 2014, 04:19 UTC)

Go read here for the first part.

What changed

  • The linux 3.13 still doesn’t sport support for the wireless yet. The closed source driver works almost great beside when conman crashes horribly due some bad interaction, luckily doesn’t happen often, sadly I do not have time to debug it.
  • Using grub with the patch pointed in the comments here does make appear the intel gpu and you can enjoy using it for hardware decoding using QSV, patches for Libav availabe in the usual place.
  • vga switcheroo doesn’t let me switch properly, apparently nouveau takes the console framebuffer and does not really wants to release it.
  • the nvidia closed source driver works but you lose the access to the gmux, so you can’t change the brightness, and your console framebuffer is gone as well.
  • bbswitch seems confused enough to give up, I might ask upstream to help me figure out since seems almost everything is there post-grub-setup.
  • My pommed patches are waiting for more testers, then I’ll bake a release for everybody. Here it is working nicely.

What next

  • Probably I’ll try to figure out better how get the intel gpu work fully, since nouveau works mostly fine but Blizzard games on wine do not play at all.
  • Pommed will see more cleanups.
  • Hopefully I’ll play more with the displayports.

So far I’m still quite happy about this model even if the mentioned quirks.

January 24, 2014
Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
NTP: Working around bad hardware since 1842 (January 24, 2014, 06:00 UTC)

After my recent troubles with NTP and excessive time drift things have settled down.

For reasons unknown to me the time drift on the problem server changed from -330ppm to +2.3ppm. I'm not quite sure how to interpret that.
Comparing some other machines I have access to:

Old P4:         -292.238
Dell R510:        12.428
Another R510:     13.232
Random amd64:    -28.438
Another amd64:   -23.323
A newish Xeon:    -7.296
So the general trend seems to be older = more time drift. And machines with "same" hardware appear to have similar drift factors.
The stability of <30ppm means a drift of about 0.1sec/day. Without extra correction that's tolerable (a few seconds a month), but still unsatisfactory.

The old P4 drifting at 300ppm means it'll be getting close to 3 minutes a week away from "real time" - that's enough to cause problems if you rely on it.

I think the lesson in this is "manufacturers use the cheapest they can get away with", so every computer should have a time correction mechanism (NTP, DCF-77, GPS - doesn't matter as long as you correct it). And there's a reasonable assumption that environmental factors (heat, hardware aging, change in the provided voltage, ...) will randomly change the time drift.

And I thought timekeeping was a problem solved two centuries ago ...

January 21, 2014
Mike Pagano a.k.a. mpagano (homepage, bugs)

I did a minor bump to fix a compile error for the fbcondecor patch. If you don’t use fbcondecor,  there is no need to upgrade. That is the only change.

January 20, 2014
Paweł Hajdan, Jr. a.k.a. phajdan.jr (homepage, bugs)
System update report (last update a year ago) (January 20, 2014, 22:32 UTC)

I have some systems that I update more rarely than the others. Of course I highly recommend keeping up to date, especially for the security fixes. I've also written similar update reports in the past. You may want to read them and compare the experience:

Another 5-month update (December 2011)
Another report from rarely updated system (September 2012)

Read more »

January 17, 2014
Alexys Jacob a.k.a. ultrabug (homepage, bugs)
uWSGI v2.0 (January 17, 2014, 11:09 UTC)

Yesterday was a big day for the famous application container uWSGI. We released the brand new version 2.0 LTS along with quite a huge bump of the ebuild, closing 6 bugs at once. I thought I’d give some input about the ebuild changes and some quick notes about uWSGI. Many thanks again to @dev-zero !

New plugins selection : UWSGI_PLUGINS

We introduced a new USE_EXPAND named UWSGI_PLUGINS so that you can now select which plugins to build individually. This is a great step as it makes the compilation more clear and lets you fine tune your uWSGI installation.

Along this work, we had to describe each plugin which was also quite a challenge. To my knownledge, this has not been done anywhere else so here it is. Please ping me if you have something to add or if we failed to describe a plugin correctly.

Migration note : You will need to change your package.use configuration to switch to using UWSGI_PLUGINS. As an example, where you had the USE flag spooler enabled you’ll now need to use uwsgi_plugins_spooler.

uWSGI v2.0 highlights

These are my biased favorites, go check for more, it’s huge !

Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
Unexpected fun with NTP (January 17, 2014, 03:24 UTC)

This morning I had to fix an unexpected dovecot "failure" by restarting it. Apparently it only tolerates time jumps of less than seven seconds.
The trigger of this oopsie is NTP:

Jan 16 23:52:53 stupidserver ntpd[27668]: synchronized to, stratum 3
Jan 16 23:52:45 stupidserver ntpd[27668]: time reset -7.732856 s
Riiight. That's not nice, but why does it jump around so much? Looks like the time behaviour worsened over the last days:
Jan 15 19:34:18 stupidserver ntpd[27668]: no servers reachable
Jan 15 19:59:56 stupidserver ntpd[27668]: synchronized to, stratum 2
Jan 15 20:06:22 stupidserver ntpd[27668]: time reset +0.533773 s
Jan 16 11:47:33 stupidserver ntpd[27668]: synchronized to, stratum 2
Jan 16 11:47:30 stupidserver ntpd[27668]: time reset -2.966137 s
Jan 16 18:14:28 stupidserver ntpd[27668]: synchronized to, stratum 2
Jan 16 18:15:27 stupidserver ntpd[27668]: time reset -4.223295 s
Jan 16 23:52:53 stupidserver ntpd[27668]: synchronized to, stratum 3
Jan 16 23:52:45 stupidserver ntpd[27668]: time reset -7.732856 s
That's an offset of more than 1sec/h, and that's with ntpd correcting at around 330 PPM. The docs say: "The capture range of the loop is 500 PPM at an interval of 64s decreasing by a factor of two for each doubling of interval." (PPM = parts-per-million)
In other words, if the drift is above 500 PPM it may force a clock reset because it can't drift fast enough. And it looks like this situation was either a failing mainboard RTC clock, or a screwed up ntp server (since it always sync'ed to the same one).

I've tried two things to avoid this time skipping:
1) Change the ntp servers used to something more "local" - the global may not be as reliable as servers geographically close you
2) Remove the drift file to force the system to re-learn

The results, at first glance, look promising:
Jan 17 10:48:37 stupidserver ntpd[3059]: kernel time sync status 0040
Jan 17 10:52:55 stupidserver ntpd[3059]: synchronized to, stratum 3
Jan 17 10:52:50 stupidserver ntpd[3059]: time reset -5.023639 s
Jan 17 10:57:54 stupidserver ntpd[3059]: synchronized to, stratum 3
Jan 17 11:01:08 stupidserver ntpd[3059]: synchronized to, stratum 1
Jan 17 11:05:34 stupidserver ntpd[3059]: kernel time sync enabled 0001
So after an initial 5-second skip it managed to sync twice without abnormal drift. Let's hope that it's going to stay sane ...

January 16, 2014
Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
EAPI usage in tree (January 16, 2014, 06:36 UTC)

Total number of ebuilds: 37807

EAPI 0:  5959  15.78%
EAPI 1:   370   0.98%
EAPI 2:  3335   8.82%
EAPI 3:  3005   7.95%
EAPI 4: 12385  32.76%
EAPI 5: 12746  33.72%
That looks quite good: EAPI5 has grown very well, EAPI1 is almost gone.

EAPI0 is still needlessly common, and EAPI 2+3 should be deprecated.

Update: Now running as a cronjerb, Output here, History here

January 15, 2014
Greg KH a.k.a. gregkh (homepage, bugs)
kdbus details (January 15, 2014, 20:57 UTC)

Now that is over, there has been a bunch of information running around about the status of kdbus and the integration of it with systemd. So, here’s a short summary of what’s going on at the moment.

Lennart Poettering gave a talk about kdbus at The talk can be viewed here, and the slides are here. Go read the slides and watch the talk, odds are, most of your questions will be answered there already.

For those who don’t want to take the time watching the talk, wrote up a great summary of the talk, and that article is here. For those of you without a subscription, what are you waiting for? You’ll have to wait two weeks before it comes out from behind the paid section of the website before reading it, sorry.

There will be a systemd hack-fest a few days before FOSDEM, where we should hopefully pound out the remaining rough edges on the codebase and get it ready to be merged. Lennart will also be giving his kdbus talk again at FOSDEM if anyone wants to see it in person.

The kdbus code can be found in two places, both on google code, and on github, depending on where you like to browse things. In a few weeks we’ll probably be creating some patches and submitting it for inclusion in the main kernel, but more testing with the latest systemd code needs to be done first.

If you want more information about the kdbus interface, and how it works, please see the kdbus.txt file for details.

Binder vs. kdbus

A lot of people have asked about replacing Android’s binder code with kdbus. I originally thought this could be done, but as time has gone by, I’ve come to the conclusion that this will not happen with the first version of kdbus, and possibly can never happen.

First off, go read that link describing binder that I pointed to above, especially all of the links to different resources from that page. That should give you more than you ever wanted to know about binder.

Short answer

Binder is bound to the CPU, D-Bus (and hence kdbus), is bound to RAM.

Long answer


Binder is an interface that Android uses to provide synchronous calling (CPU) from one task to a thread of another task. There is no queueing involved in these calls, other than the caller process is suspended until the answering process returns. RAM is not interesting besides the fact that it is used to share the data between the different callers. The fact that the caller process gives up its CPU slice to the answering process is key for how Android works with the binder library.

This is just like a syscall, and it behaves a lot like a mutex. The communicating processes are directly connected to each other. There is an upper limit of how many different processes can be using binder at once, and I think it’s around 16 for most systems.


D-Bus is asynchronous, it queues (RAM) messages, keeps the messages in order, and the receiver dequeues the messages. The CPU does not matter at all other than it is used to do the asynchronous work of passing the RAM around between the different processes.

This is a lot like network communication protocols. It is a very “disconnected” communication method between processes. The upper limit of message sizes and numbers is usually around 8Mb per connection and a normal message is around 200-800 bytes.


The model of Binder was created for a microkernel-like device (side note, go read this wonderful article about the history of Danger written by one of the engineers at that company for a glimpse into where the Android internals came from, binder included.) The model of binder is very limited, inflexible in its use-cases, but very powerful and extremely low-overhead and fast. Binder ensures that the same CPU timeslice will go from the calling process into the called process’s thread, and then come back into the caller when finished. There is almost no scheduling involved, and is much like a syscall into the kernel that does work for the calling process. This interface is very well suited for cheap devices with almost no RAM and very low CPU resources.

So, for systems like Android, binder makes total sense, especially given the history of it and where it was designed to be used.


D-Bus is a create-store-forward, compose reply and then create-store-forward messaging model which is more complex than binder, but because of that, it is extremely flexible, versatile, network transparent, much easier to manage, and very easy to let fully untrusted peers take part of the communication model (hint, never let this happen with binder, or bad things will happen…) D-Bus can scale up to huge amounts of data, and with the implementation of kdbus it is possible to pass gigabytes of buffers to every connection on the bus if you really wanted to. CPU-wise, it is not as efficient as binder, but is a much better general-purpose solution for general-purpose machines and workloads.


Yes, it’s an over simplification of a different set of complex IPC methods, but these 3 words should help you explain the differences between binder and D-Bus and why kdbus isn’t going to be able to easily replace binder anytime soon.

Never say never

Ok, before you start to object to the above statements, yes, we could add functionality to kdbus to have some blocking ioctl calls that implement something like: write question -> block for reply and read reply one answer for the request side, and then on the server side do: write answer -> block in read That would get kdbus a tiny bit closer to the binder model, by queueing stuff in RAM instead of relying on a thread pool.

That might work, but would require a lot of work on the binder library side in Android, and as a very limited number of people have write access to that code (they all can be counted on one hand), and it’s a non-trivial amount of work for a core function of Android that is working very well today, I don’t know if it will ever happen.

But anything is possible, it’s just software you know…


Many thanks to Kay Sievers who came up with the CPU vs. RAM description of binder and D-Bus and whose email I pretty much just copied into this post. Also thanks to Kay and Lennart for taking the time and energy to put up with my silly statements about how kdbus could replace binder, and totally proving me wrong, sorry for having you spend so much time on this, but I now know you are right.

Also thanks to Daniel Mack and Kay for doing so much work on the kdbus kernel code, that I don’t think any of my original implementation is even present anymore, which is probably a good thing. Also thanks to Tejun Heo for help with the memfd implementation and cgroups help in kdbus.