Gentoo Logo
Gentoo Logo Side
Gentoo Spaceship

Contributors:
. Aaron W. Swenson
. Agostino Sarubbo
. Alec Warner
. Alex Alexander
. Alex Legler
. Alexey Shvetsov
. Alexis Ballier
. Alexys Jacob
. Amadeusz Żołnowski
. Andreas K. Hüttel
. Andreas Proschofsky
. Anthony Basile
. Arun Raghavan
. Bernard Cafarelli
. Bjarke Istrup Pedersen
. Brent Baude
. Brian Harring
. Christian Faulhammer
. Christian Ruppert
. Christopher Harvey
. Chí-Thanh Christopher Nguyễn
. Daniel Gryniewicz
. David Abbott
. Denis Dupeyron
. Detlev Casanova
. Diego E. Pettenò
. Domen Kožar
. Donnie Berkholz
. Doug Goldstein
. Eray Aslan
. Fabio Erculiani
. Gentoo Haskell Herd
. Gentoo Monthly Newsletter
. Gentoo News
. Gilles Dartiguelongue
. Greg KH
. Hanno Böck
. Hans de Graaff
. Ian Whyman
. Ioannis Aslanidis
. Jan Kundrát
. Jason Donenfeld
. Jeffrey Gardner
. Jeremy Olexa
. Joachim Bartosik
. Johannes Huber
. Jonathan Callen
. Jorge Manuel B. S. Vicetto
. Joseph Jezak
. Kenneth Prugh
. Lance Albertson
. Liam McLoughlin
. LinuxCrazy Podcasts
. Luca Barbato
. Luis Francisco Araujo
. Mark Loeser
. Markos Chandras
. Mart Raudsepp
. Matt Turner
. Matthew Marlowe
. Matthew Thode
. Matti Bickel
. Michael Palimaka
. Michal Hrusecky
. Michał Górny
. Mike Doty
. Mike Gilbert
. Mike Pagano
. Nathan Zachary
. Ned Ludd
. Nirbheek Chauhan
. Pacho Ramos
. Patrick Kursawe
. Patrick Lauer
. Patrick McLean
. Pavlos Ratis
. Paweł Hajdan, Jr.
. Petteri Räty
. Piotr Jaroszyński
. Rafael Goncalves Martins
. Raúl Porcel
. Remi Cardona
. Richard Freeman
. Robin Johnson
. Ryan Hill
. Sean Amoss
. Sebastian Pipping
. Steev Klimaszewski
. Stratos Psomadakis
. Sune Kloppenborg Jeppesen
. Sven Vermeulen
. Sven Wegener
. Theo Chatzimichos
. Thomas Kahle
. Tiziano Müller
. Tobias Heinlein
. Tobias Klausmann
. Tom Wijsman
. Tomáš Chvátal
. Victor Ostorga
. Vikraman Choudhury
. Zack Medico

Last updated:
May 12, 2014, 23:05 UTC

Disclaimer:
Views expressed in the content published here do not necessarily represent the views of Gentoo Linux or the Gentoo Foundation.


Bugs? Comments? Suggestions? Contact us!

Powered by:
Planet Venus

Welcome to Planet Gentoo, an aggregation of Gentoo-related weblog articles written by Gentoo developers. For a broader range of topics, you might be interested in Gentoo Universe.

May 12, 2014
Luca Barbato a.k.a. lu_zero (homepage, bugs)
Libav 10.1 released (in Gentoo) (May 12, 2014, 22:08 UTC)

I just committed the ebuild in Portage and noticed that Homebrew already updated its Formula.

I spent some time in Berlin at LinuxTAG manning the VideoLAN booth and feeding people with VLC and Libav chocolate (many thanks to Borgodoro for providing me with their fine goods).

During the weekend we held the VideoLAN association meeting in the SoundCloud office, thanks a lot again for the wonderful venue.

Unmask in Gentoo

I’m slowly getting a tinderbox up with the help of Flameeyes so we can make sure nothing unexpected happens, the new refcounted API for Frames and Packets makes quite compelling updating from 9 even if we’ll keep updating both release branches for the next year and half.

You can help

There are a number of packets that depend on old 0.8 ffmpeg application and it won’t really work with the current avconv nor with the ffmpeg provided by the recent versions since the new option parsing code written by Anton ended up there as well. Most of those application are either fully orphaned or they have patches to work with avconv because the Debian and Ubuntu developers took care of it. Nikoli provided me with a list.

HWAccel 1.2

This week-end I eventually merged hwaccel1.2 and I hope to get the AVResample updates finalized by this week.

There had been some discussion regarding backporting the latter to release 10 since they simplify a bit porting to the new resampling library.

Rotation reporting API

Vittorio was working on a mean to export the rotation matrix from MOV and SEI NALs since a while. The devil is usually in the details and I guess it had been an hell of fun for him. Even more since he switched continent meanwhile.

After the Linus rant about not having the automagic support for rotation, we had some decent pressure applied to get it out so people will be able to enjoy it. Hopefully it will appear by the week end as well.

Sven Vermeulen a.k.a. swift (homepage, bugs)
Revamped our SELinux documentation (May 12, 2014, 20:15 UTC)

In the move to the Gentoo wiki, I have updated and revamped most of our SELinux documentation. The end result can be seen through the main SELinux page. Most of the content is below this page (as subpages).

We start with a new introduction to SELinux article which goes over a large set of SELinux’ features and concepts. Next, we cover the various concepts within SELinux. This is mostly SELinux features but explained more in-depth. Then we go on to the user guides. We start of course with the installation of SELinux on Gentoo and then cover the remainder of administrative topics within SELinux (user management, handling AVC denials, label management, booleans, etc.)

The above is most likely sufficient for the majority of SELinux users. A few more expert-specific documents are provided as well (some of them still work in progress, but I didn’t want to wait to get some feedback) and there is also a section specific for (Gentoo) developers.

Give it a review and tell me what you think.

May 09, 2014
Sven Vermeulen a.k.a. swift (homepage, bugs)
Dropping sesandbox support (May 09, 2014, 19:03 UTC)

A vulnerability in seunshare, part of policycoreutils, came to light recently (through bug 509896). The issue is within libcap-ng actually, but the specific situation in which the vulnerability can be exploited is only available in seunshare.

Now, seunshare is not built by default on Gentoo. You need to define USE="sesandbox", which I implemented as an optional build because I see no need for the seunshare command and the SELinux sandbox (sesandbox) support. Upstream (Fedora/RedHat) calls it sandbox, which Gentoo translates to sesandbox as it collides with the Gentoo sandbox support otherwise. But I digress.

The build of the SELinux sandbox support is optional, mostly because we do not have a direct reason to support it. There are no Gentoo users that I’m aware of that use it. It is used to start an application in a chroot-like environment, based on Linux namespaces and a specific SELinux policy called sandbox_t. The idea isn’t that bad, but I rather focus on proper application confinement and full system enforcement support (rather than specific services). The SELinux sandbox makes a bit more sense when the system supports unconfined domains (and users are in the unconfined_t domain), but Gentoo focuses on strict policy support.

Anyway, this isn’t the first vulnerability in seunshare. In 2011, another privilege escalation vulnerability was found in the application (see bug 374897).

But having a vulnerability in the application (or its interaction with libcap-ng) doesn’t mean an exploitable vulnerability. Most users will not even have seunshare, and those that do have it will not be able to call it if you are running with SELinux in strict or have USE="-unconfined" set for the other policies. If USE="unconfined" is set and you run mcs, targeted or mls (which isn’t default either, the default is strict) then if your users are still mapped to the regular user domains (user_t, staff_t or even sysadm_t) then seunshare doesn’t work as the SELinux policy prevents its behavior before the vulnerability is triggered.

Assuming you do have a targeted policy with users mapped to unconfined_t and you have built policycoreutils with USE="sesandbox" or you run in SELinux in permissive mode, then please tell me if you can trigger the exploit. On my systems, seunshare fails with the message that it can’t drop its privileges and thus exits (instead of executing the exploit code as it suggested by the reports).

Since I mentioned that most user don’t use SELinux sandbox, and because I can’t even get it to work (regardless of the vulnerability), I decided to drop support for it from the builds. That also allows me to more quickly introduce the new userspace utilities as I don’t need to refactor the code to switch from sandbox to sesandbox anymore.

So, policycoreutils-2.2.5-r4 and policycoreutils-2.3_rc1-r1 are now available which do not build seunshare anymore. And now I can focus on providing the full 2.3 userspace that has been announced today.

May 06, 2014
Denis Dupeyron a.k.a. calchan (homepage, bugs)
Tagaini Jisho (May 06, 2014, 18:30 UTC)

I haven’t been using Tagaini Jisho for long, but so far I’m impressed. Tagaini Jisho is a kanji dictionary and study tool. Here’s what the author has to say about it:

Tagaini Jisho is a free, open-source Japanese dictionary and kanji lookup tool that is available for Windows, MacOS X and Linux and aims at becoming your Japanese study assistant. It allows you to quickly search for entries and mark those that you wish to study, along with tags and personal notes. It also let you train entries you are studying and follows your progression in remembering them. Finally, it makes it easy to review entries you did not remember by listing them on screen or printing them on a small booklet.

Tagaini Jisho also features complete stroke order animations for more than 6000 kanji.

You can find the author’s website at http://www.tagaini.net/.

I have pushed version 1.0.2 to the tree. Note that there is a version of sqlite which is bundled with the source tarball. I tried to unbundle it but it wasn’t trivial (to me, at least), so I left it there for the time being. If you figure out how to properly unbundle sqlite, feel free to commit the changes yourself. As usual with my packages, don’t waste time asking if you can do it, just do it.

Alexys Jacob a.k.a. ultrabug (homepage, bugs)
uWSGI v2.0.4 (May 06, 2014, 07:58 UTC)

Quick post for an interesting version bump of uWSGI which brings an experimental loopengine for python3.4 asyncio (aka tulip) !

If you want to try it out, I added a python_asyncio USE flag. I’ve also made some cleanups on the ebuild wrt python versions and dropped older versions of uWSGI.

highlights

  • experimental asyncio loop engine (python 3.4 only)
  • httprouter advanced timeout management
  • purge LRU cache (v2) feature
  • allow duplicate headers in http parsers
  • faster on_demand Emperor management
  • fixed segfault for unnamed loggers

See the full changelog here.

May 04, 2014
Andreas K. Hüttel a.k.a. dilfridge (homepage, bugs)
KDE forums and Baloo discussion (May 04, 2014, 17:49 UTC)

In a recent blog post, I have criticized the events around the inclusion of Baloo in KDE 4.13.0. Since then, I have removed the blog post again, since a nice person convinced me it would not bring any good.

I would like to clarify two things.

First, I do not know of any forum threads that were locked in connection with this discussion or recent events, and I do not know of any similar, related actions on the KDE Forums. While I haven't directly stated this, I may have incorrectly insinuated that such an action took place, and for this I would like to offer my sincere apologies to the KDE Forums team.

Second, my post was interpreted the way that dissenting material had been removed in the KDE Forums. This was never my intention, and such an idea never even crossed my mind until I received feedback. I trust the integrity of the KDE Forum administrators and sincerely believe that such an action never happened and will never happen. I am sorry if you got a different impression from my words.

Please let us now get back to making KDE the best desktop environment ever.

Alexys Jacob a.k.a. ultrabug (homepage, bugs)
After vacation bug hunting (May 04, 2014, 16:53 UTC)

Two weeks vacations always seem short yet the 900+ mails waiting for sorting on my Gentoo Linux inbox was a reminder that our beloved distribution is well alive ! So I guess it was time for a little bug killing spree :)

rabbitMQ v3.3.0

This release improves performance in a variety of conditions, adds monitoring information to identify performance bottlenecks, adds dynamically manageable shovels, and allows Java-based clients to reconnect automatically after network failure.

This release also corrects a number of defects in the broker and plugins, as well as introducing a host of smaller features as you can see on the changelog. Be warned that the behavior of the guest user has been altered !

I also fixed a long awaiting bug to bump the rabbitMQ C client to v0.5.0

redis v2.8.9

Johan Bergström is as always doing a great and helpful job and is actively working on redis, thanks mate !

  • [NEW] The HyperLogLog data structure. You can read more about it  in this blog post
  • [NEW] The Sorted Set data type has now support for lexicographic range queries, check the new commands ZRANGEBYLEX, ZLEXCOUNT and ZREMRANGEBYLEX, which are documented at http://redis.io

py3status v1.5

  • fixes installation via pip
  • added a –version command line argument to get the currently installed version of py3status

upcoming bumps

You might be interested in what’s next on the todo list :

  • With the help of Thomas D. aka @Whissi, we’re working on bumping and enhancing rsyslog to v7.6.3. For this a series of its dependencies have been bumped today as well.
  • mongoDB v2.6.0 is also on track, as usual the guys @mongodb have broken the scons building so it’s taking more time than it should to fix this hell (all help appreciated).

May 03, 2014
Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)

KDE 4.13 was released with a new indexer, named "Baloo". It mostly replaces the 'old' Akonadi indexer, which at first glance appears to be a good idea. It seems to work, so that's quite swell. There's only a problem. Or rather, some little problems, and upstream is one of them as they don't want to acknowledge that these issues exist. So let me try to explain ...

  • There are times when I just need the indexer to not run. For example when I'm watching a movie (IO activity -> stutter), doing a presentation (random lag?!) etc. And there are times (e.g. at night) when the indexer can run as much as it wants.
  • There are times when the indexer interferes with normal operation - e.g. when using firefox, the added IO activity causes the FF UI to lag severely, as if the machine was swapping. Partially also because the IO activity evacuates the filesystem cache, which is quite funny. And fsync plus lots of reads means the latency goes up to multiple seconds or even multiple tens of seconds for a single IO activity
  • The indexer claims to not interfere with normal operation. It limits itself to 10% CPU usage - which is the wrong metric, since I have lots of CPU and very little IO, relatively speaking. Thus it takes 100% of available IO bandwidth. Akonadi used up to 4 CPUs for longer amounts of time, but as it didn't hurt IO much I could just ignore it.
  • The indexer takes a LONG time. On boot it needs about 20 minutes walltime just to figure out if anything has changed. During that time service quality is severely degraded.
  • The indexer takes a long time. The initial scan of my home directory takes about, hmm, 36-48h I think, during which time service quality is severely degraded
  • The indexer isn't polite, it auto-respawns if you just kill the baloo_file_indexer process. You have to kill its parent too, otherwise it'll just respawn and bother you some more
  • [Fixed in next release] Removing a directory from the index causes an index cleaner to run, which is even more severe than the indexer itself
So, to summarize: As much as I like the indexer, it prevents me from working normally, so I have to insist that it has a simple "off" button. A lesson that akonadi learned, that gnome's tracker learned, is that you need to nice yourself down. It would be very much appreciated if baloo were to nice and ionice itself down to idle, which usually avoids the severe lag that foreground tasks may experience.

An extra bonus would be this: The indexer should do a microbenchmark on startup (or let the user provide a guesstimate) to figure out IO capacity in IO/s, and then limit itself to a configurable amount of that. If it takes 1/10th of my IO bandwidth (about 10-15 IO/s with a single SATA disk) it wouldn't even bother me more than, say, Firefox running in the background.

Another interesting glitch is that most indexers use inotify listeners to see if anything in a directory changes. This has the funny effect that it only works on small data sets - on my desktop I get random popups that an application wants to change system limits. Well, /proc/sys/fs/inotify/max_user_watches is already set to "262144" by default, and that's still not enough? This also takes memory, and it can't scale up. I "only" have a few million files, that's not even a lot.

So, to summarize:
Simple fixes:
  • Nice and ionice the indexer on startup
  • Provide users with a simple on/off mechanism
Advanced fixes:
  • Throttle on IO instead of CPU
  • Delay indexer startup for a little while on boot. Maybe 120sec grace period
  • Figure out system limits and fail gracefully instead of annoying users with popups
Well, dear upstream, don't accuse me of not being constructive ...
<DrEeevil> people complain about user-hostile behaviour, and you tell them to ... be nicer and not complain so loud?
<unormal> DrEeevil: To be honest. The only things I see from you in here since hours and days is hostile behaviour. I really would like to ask you to stop this and be constructive or otherwise leave <DrEeevil> unormal: well, if I didn't have to remove binaries and kill processes I'd be a lot happier
<DrEeevil> since upstream hasn't shown any understanding I'll rather escalate until the bugs are resolved
<DrEeevil> constructive: give me an off button so I can stop the indexer when it hurts me, give me a rate limit so I can run it while using the computer
<DrEeevil> (using 99% of available IO bandwidth for up to 72h is just not acceptable in normal use)
<DrEeevil> I don't want to remove the indexer, but I want to control how much resource usage it has
<DrEeevil> (bonus: ionice + nice it down to lowest/idle, then it doesn't bother that much)
<DrEeevil> it's not THAT hard to figure that out ...
<unormal> DrEeevil: Ok and now explicitely: Please do us a favor and leave the channel.
<DrEeevil> unormal: once I can have baloo installed and working as described above you'll never hear from me again
<DrEeevil> just every time I get a local DoS you get a complaint, so that you don't lose the motivation to fix the bugs
<unormal> That's not how you motivate people, please leave.
<DrEeevil> that's not how you write software, please fix
<DrEeevil> I'll be the stone in your shoe until you stop being the one in mine
<DrEeevil> heck, I'll even test patches once they are provided!
<krop> and ultimately, you'll roll on the floor crying until something happens ? how can gentoo accept immature people in their staff ?
--> seaLne (~seaLne@kde/kenny) has joined #kde-baloo
*** Mode #kde-baloo +o seaLne by ChanServ
<DrEeevil> krop: how can kde have releases with such serious regressions?
<DrEeevil> sorry, I don't deal with C++, in this case I'm just a QA tool
<krop> no, you just behave like a stubborn child
<DrEeevil> because I actually would like to USE kde
<DrEeevil> not sure how you see that, but it's kinda nice usually, except when someone staples in a DoS and then tells me that's all fine and dandy
<DrEeevil> maybe I should use git HEAD again to catch regressions earlier
*** Mode #kde-baloo +b DrEeevil!*@* by seaLne
*** Mode #kde-baloo +b not!*@* by seaLne
*** Mode #kde-baloo +b being!*@* by seaLne
*** Mode #kde-baloo +b constructive!*@* by seaLne
<DrEeevil> heh
<-* seaLne has kicked DrEeevil from #kde-baloo (DrEeevil)

May 02, 2014
Andreas K. Hüttel a.k.a. dilfridge (homepage, bugs)

KDE 4.13.0 has arrived for users of all distributions by now, and with it the new Baloo indexer. It may be well a fine-working piece of software for many use cases. However, it seems also many people have trouble with it, including myself. Let us google "baloo indexer". This is what I get as first search results (I'm dropping 2 related entries that clearly refer to a KDE Beta or RC):


  1. [kubuntu] How to disable baloo indexer - Ubuntu Forums

    ubuntuforums.org/showthread.php?t=2217434
    Apr 23, 2014 - 8 posts - ‎5 authors
    After the update to 14.04 Kubuntu I did notice an executable running constantly using up to 95% of my CPU time that I had never noticed before ...
  2. How to turn off baloo in KDE 4.13? - Ask Ubuntu

    askubuntu.com/questions/437635/how-to-turn-off-baloo-in-kde-4-13
    ... just installed the newest updates. Looking at the process list I see baloo indexer running. I could not find a checkbox in Baloo settings to turn off the indexing.
  3. Gentoo Forums :: View topic - KDE 4.13: How to disable baloo file ...

    https://forums.gentoo.org/viewtopic-t-986946.html?sid...
    Mar 22, 2014 - 25 posts - ‎12 authors
    So KDE 4.13 is looming, and it'll bring a new indexer 'baloo' while 'nepomuk'/'strigi' is still in the process of being phased out apparently.

  4. [SOLVED] KDE screw up: baloo-file indexer - how to shut it down ...

    https://www.kubuntuforums.net/showthread.php?...baloo...indexer...
    Apr 22, 2014 - 10 posts - ‎4 authors
    Just updated my last box - my main one - to KB 14.04. As I'm adjusting various things, I notice that something is seriously devouring CPU cycles ...
  5. KDE 4.13 Baloo sucking system resources. (Page 1) / Applications ...

    bbs.archlinux.org › ... › KDE 4.13 Baloo sucking system resources.
    Apr 19, 2014 - 25 posts - ‎13 authors
    Baloo only indexes files in /home/$user and doesn't not index any removable device by default. So that trick says to don't index anything.
The list goes on, including Kubuntu, Gentoo, Arch, and OpenSuSE users at least. Now, totally independent of the actual software details, this is for KDE a complete public relations disaster which no promotional press release can cure. Even if many many bugs are fixed until the next released version, the aftertaste will remain for a long time. [1]

Let's try to figure out what went wrong.

No software will ever be perfect, especially not in a first version. And most users are perfectly willing to try out something new and accept that it may be buggy in the beginning. (Seriously, why else would you run a KDE 4.X.0 release? :D [2,3]) However, they appreciate if this is a deliberate, and informed decision on their part, and if things go wrong they want to be able to switch them off.

What options are there to disable Baloo indexing?
  • The recommended one for files - add the home directory to the exclude list.
    Fairly unintuitive. Direct opposite of previous Nepomuk behaviour. Does not affect e-mail indexing. Only mentioned in "outside" documentation. In 4.13.0, if you dont do it immediately the resulting database cleaner process will pull your system down worse than the indexer ever did. (This is fixed in 4.13.1, I think.)
  • Do not install the Baloo package if your distribution allows that [4].
    Not an option for multi-user systems. Hey, maybe someone wants to try the cool new features and doesn't have a >100G home directory.
  • killall, sudo chmod, sudo rm, or fiddling in configuration files.
    What, seriously?
Here's the fairly official statement on why the Enable/Disable button is gone:
There is no explicit “Enable/Disable” button any more. We would like to promote the use of searching and feel that Baloo should never get in the users way. However, we are smart about it and IF you add your HOME directory to the list of “excluded folders”, Baloo will switch itself off since it no longer has anything to index.
OK, something about this statement is incongruent with reality. Found it? Right, the part about getting in the way. But please, this is a .0 release, so it's completely natural that the software can be buggy, and this was already foreseeable during RC and Beta releases. No problem, and we're happy to help getting the bugs fixed. However, this makes the decision to deliberately omit the big, clearly marked "OFF" button, hmm, slightly provocative. Maybe it would have been better to leave the button in for a while and get a bit less testing feedback in exchange.

Well, feedback. It is coming, as you can see all from the Google results. The response seems to be clearly divided into two groups. The large-number, loud one is the protesting users; many of them are getting angry, some get abusive. We're not talking about a few corner cases here. This went so far that on the kde-devel mailing list emergency moderation was turned on, and criticizing how the situation is handled seems to be the best way to get the KDE Community Code of Conduct cited to you by the second group, especially the "Be respectful" paragraph. However... switching the mailing list to moderated, kicking people from irc channels, or locking forum threads doesn't really solve any problem, and barely masks anything, it just helps you keep your personal bubble quiet. The unwanted side effect is to increase the general sense of frustration and shift annoyance and/or protest to other channels. Note that none of the links above is a KDE website? It's all distribution pages. Google finds them anyway.

Finally, what seems to be quietly dropped is that the KDE Community Code of Conduct contains two large sections "Be considerate" and "Be pragmatic". Quoting the former,
Your actions and work will affect and be used by other people and you in turn will depend on the work and actions of others. Any decision you take will affect other community members, and we expect you to take those consequences into account when making decisions.
In some other forum the question was asked, "Can you imagine a non-technical user wanting to temporarily disabling indexing?" I don't really have to imagine these users. They are pretty hard to miss, and they are people using baloo and being affected by its code. Please try to be aware that placing attitude over simple functionality add-ons hurts KDE as a whole.

So, how about a simple, immediately-acting, easy-to-find "off" button? Better late than never... and maybe backportable to 4.13.0? Or maybe, if that has already happened [5] and I only completely missed it, a clear statement of "We heard you"?



[1] No, rebranding to Rikki-Tikki-Tavi Community Edition won't help either.
[2] To be honest, the last .0 releases (4.10.0, 4.11.0, 4.12.0) were very unproblematic and smooth; that came as a pleasant surprise.
[3] Of course, not all the bugfixing in a new 4.X.Y release takes place upstream in the KDE git repositories. Having many willing users test 4.X.0 also leads to downstream fixes, be it packaging problems, reverts, or backports.
[4] Gentoo allows for an installation without any desktop search features, by disabling the semantic-desktop use flag. However, part of the relevant library code is, e.g., hard-required by kdepim (kmail, kontact, ...), which is why these programs require semantic-desktop to be switched on.
[5] Yes I know about the alternative configuration module by Lindsay Mathieson, I'm just testing it, and from the user interface I like it. I'll bring up in our next team meeting to have that installed as default. In the end, that's however just the distros doing the work for you... (and while users might be happier, everyone "upstream" will only rant about that impossible Gentoo again).

May 01, 2014
Gentoo Monthly Newsletter: April 2014 (May 01, 2014, 22:20 UTC)

Gentoo News

Interview with Chris Reffett (creffett)

1. Hi Chris, tell us about yourself.
I’m a Computer Science student studying at George Mason University in Fairfax, Virginia, USA, and I’m currently finishing my junior year. In my free time I read science fiction and play video games. I’m also a member of the student-run computing club and Linux user group on campus.

2. Bring us back to your start with electronics and computers.
Not all that much to say here; I’ve been playing with (and breaking) computers since I was about three years old. As my parents can attest, I managed to mess up my first computer within a few days of getting access to it, to the point of needing a complete reinstall.

3. How did you get involved with open source, and what path did you take to become a Gentoo developer?
I became involved in open source in high school; the school had a student-run Linux computer lab, and I joined the team in my second year. We used Gentoo heavily in the lab, and I ended up getting a lot of experience maintaining it there (and installing it—I made a point of grabbing any old odd-architecture hardware that came through the lab and putting Gentoo on it). I filed a few bugs and wrote a few in-lab ebuilds during my time there, but nothing too major.
Once I left and went to college, I decided I wanted to start actually contributing to Gentoo. The recruiters suggested a few different ways to contribute, and I ended up working with the KDE team, which put me on the road to becoming a dev.

4. Hows your programming skills and are they important in becoming a developer?
My programming skills aren’t anything special, enough to get through my classes and all that. I would say that the average developer needs to know enough programming to decipher error messages, do basic bash scripting, and understand how to read most code (to find and fix basic errors in packages). Entry-level knowledge, you don’t have to be a coding wizard.

5. Tell us about your mentor and the process to become a developer?
My mentor was tampakrap, the KDE team lead at the time, who has since ventured forth into the forbidden realms of the Infra team. After I had been contributing to the KDE team on bugzilla for a couple months, he asked if I was being recruited yet, and then if I wanted to become a dev. After that, I spent some time contributing to the KDE team repo, and was assigned tommy as my recruiter.

6. How can Gentoo improve?
One aspect of Gentoo that I think is both one of our biggest strengths and weaknesses is the very independent-minded culture among our developers. While this is not in itself a bad thing, it leads to a lot of instances where people refuse to cooperate or communicate, get very territorial about their packages, flamewars on gentoo-dev@, and so on. I think the project as a whole would be improved if developers were a little more civil and cooperative and a little less quick to shout at each other.

7. Tell us about some of the projects you are involved in.
I started out as a KDE team member, and am still a member (though recently I’m a lot less active there than I should be). Also, I am currently the sole developer in the theology team, though that isn’t so bad since it’s a small set of packages and the release schedules are pretty slow. I’m also one of the more recent inductees to the Security project (along with Pinkbyte and zlogene), a GLEP editor, and of course, I am a member of the QA team.

8. The QA project just made a overhaul, what does the project do, who is involved, where would you like to see it in 3 years?
The purpose of the Quality Assurance project is to help maintain consistency throughout the Portage tree and prevent things breaking. The project is also tasked with keeping documentation up to date. The current membership is available on the wiki, but every developer should be doing their part to minimize tree breakage (and this can be as simple as always running repoman when committing!).
Right now we are having a lot of growing pains, since we were handed a vague mandate of “maintain quality in the tree” (not particularly well defined in GLEP 48), had basically no notes or direction from the remains of the previous team, and as I’m sure you’ve noticed, have had our share of missteps as we figured everything out. I am listening to the complaints, though, and we will improve. In three years, I hope to see QA as a respected and reasonably non-controversial group of developers serving as the technical counterpart to the ComRel team. It’s a long way between where we are right now and that ideal role, though.

9. I see you as very organized and able to stay calm in flame wars, how do you do it?
Contrary to appearances, I am not all that calm when I’m in the middle of a flamewar, I just don’t show it. I do my venting outside of Gentoo channels, as several of my friends can attest, since I make a point of trying to be professional and calm when dealing with Gentoo matters. I also have gotten better at knowing when an argument is going nowhere and it’s most productive to just step away from the computer.

10. What are you learning from being a team lead?
Two things. First, that there are some decisions where no matter what you choose, somebody will be upset. Second, that people’s perception of you and your team is everything when you want people to cooperate.

11. What are your favorite programs?
Firefox for web browsing, Thunderbird for mail, Pidgin for IM/IRC.

12. Age old question for Gentoo, how can we get more help?
Proxy-maint is probably the first place I’d want to expand in order to get more help. My impression is that there are a lot of users out there who want their specific package in Portage and are willing to help out to that end, and so we should be welcoming them and helping them to maintain their ebuild (and hopefully, stepping up further and becoming devs).

13. Describe your desktop setup (WM/DE)?
KDE, of course, though for a long time now I’ve only really been using the WM and the terminal app, since most of the work I do is done on the command line.

14. Tell us about you boxes and home network setup?
Since I’m at college, there isn’t much of interest here. My main computer is a three-year-old laptop which dual-boots Windows (for games) and Linux. I also have a Pandaboard ES which I occasionally fiddle around with.

15. What gives you the most enjoyment within the Gentoo community?
Closing bugs. It’s always satisfying to be able to say that you’ve figured out an issue and fixed it.

16. What gives you the most enjoyment outside the Gentoo community?
Video games. I like games that involve building things, games that involve space, and strategy/tactics games.

17. What are your plans for the future, where do you see yourself 5 years from now?
I hope that in 5 years, I will still be doing Gentoo work. I also hope to be employed. That would be nice.

Google Summer of Code 2014

GSoC 2014 is going to start soon! We are right now in the middle of the community bonding period. Students and mentors are getting to know each others before projects start for real on May 20th. This is also the perfect time for them to review documentation and polish their plan for the entire project duration.

You are welcome to follow developments in the mailing list at gentoo-soc at gentoo.org or on Freenode in the #gentoo-soc channel. There you can interact with students, mentors, and offer suggestions.

We are excited about the four projects students will work on this year. Here they are:

netifrc on systemd
Student: Rabi Shanker Guha
Mentor: Robin Johnson
Short description: The goal of this project is to abstract away the tight dependence of netifrc on OpenRC and write a compatibility layer for netifrc to work with other init systems like Systemd

Gentoo Keys: Expansion and improvements
Student: Pavlos Ratis
Mentor: Brian Dolbec
Short description: I am interested in improving and expanding the capabilities of Gentoo Keys. Gentoo Keys is a Python based project that aims to manage the GPG keys used for validation on users and Gentoo’s infra servers. Gentoo Keys will be able to verify GPG keys used for Gentoo’s release media, such as installation CD’s, Live DVD’s, packages and other GPG signed documents. It will also be used by Gentoo infrastructure to achieve GPG signed git commits in the forthcoming git migration of the main CVS tree.

Layman Improvements
Student: Devan Franchini
Mentor: Matthew Summers
Short description: This project is aimed at adding python3 support to Layman while maintaining backwards compatibility with python2.7, as well as adding new features to the codebase.

Micro Gentoo
Student: Yiyong Chen
Mentor: Sébastien Fabbro
Short description: The Micro Gentoo project goal is to create an extremely minimal Gentoo VM and fetch compiled files on-demand. These files are initially on a remote server. Meanwhile, the project also considers the smooth-secure OS updates and remote repositories selection. I would comprehensively base my work on the technologies of uCernVM, Chromeos and CoreOS, and then adapt them to Gentoo. The deliverables include Micro-Gentoo building scripts, updaters, eselect module and patches to genkernel, etc.

See you in #gentoo-soc!

Council News

(by Andreas K. Huettel)

We’ve got to catch up one council meeting, so some things have accumulated by now and I’m summarizing a bit more than usual…

First of all, “GLEP 63: Gentoo GPG key policies” is finally finalized. Yay! You can find the approved text version here [1]. Most important part, if you want to follow the best practices you need a RSA (v4) 4096bit main key with expiry time of at most 3 years. Hard requirement for the main key is either DSA 2048bit or RSA (v4) >=2048bit and maximum 5 years expiry time. Anyway, this means we can actually start thinking about some marginally more advanced topics such as, say, even maybe sometime in the future signature verification!

Then… regarding the Filesystem Hierarchy Standard. Some debate had come up whether packages (i.e. udev, eudev, systemd) storing default config files in /usr/lib violate existing policies. End result of debate and motion was that this is OK and that no additional policy is required.

On the subject of base-2 (2^10) versus base-10 (10^3), kB versus KiB. Given that the council is heavily dominated by those SI-indoctrinated “scientists”, it didn’t really come as a big surprise that at least clear and unambiguous unit prefixes should be used. So here’s the adopted motion: “Whenever practical, developers are required to use unit prefixes defined in IEC 80000-13 (kB, KiB, etc) so that output is unambiguous. This does not require maintainers to patch upstream code to change its behavior, but they should be applied with code that originates in Gentoo.”

Next, we discussed some recent commits around virtual/libudev and the sequence of events that followed them. The feeling was that no additional policy is required at the moment, but that it would be useful to state the opinion of the council regarding these events. So, we wrote it up and sent an e-mail [2], please read it and keep it close to your heart.

Finally we would like to remind Petteri to upload the council meeting summary of June 2013! :)

[1] https://wiki.gentoo.org/wiki/GLEP:63
[2] http://thread.gmane.org/gmane.linux.gentoo.project/3549

Gentoo Developer Moves

Summary

Gentoo is made up of 232 active developers, of which 32 are currently away.
Gentoo has recruited a total of 794 developers since its inception.

Changes

The following developers have recently changed roles:

  • Jonathan Callen (jcallen) has joined the multilib project
  • Jason A. Donenfeld (zx2c4) has joined the radio herd
  • The entire mobile-phone herd has been removed due to lack of maintainers and interest

 Additions

No new developers have joined the project this month.

Moves

The following developers left the project (pending retirements since 2013)

  • Stephanie J. Lockwood-Childs (wormo)
  • Paul de Vrieze (pauldv)
  • Torsten Veller (tove)
  • Constanze Hausner (constanze)
  • Dane Smith (c1pher)
  • Robert Piasek (dagger)
  • Zhang Le (r0bertz)
  • Christian Parpart (trapni)
  • Rajiv Aaron Manglani (rajiv)
  • Mu Qiao (qiaomuf)
  • Lukasz Damentko (rane)
  • Olivier Crête (tester)
  • Tim Sammut (underling)
  • Serkan Kaba (serkan)
  • Benedikt Boehm (hollow)
  • Ron Gemeinhardt (timebandit)
  • Andrew Gaffney (agaffney)
  • Chris PeBenito (pebenito)
  • Michele Noberasco (s4t4n)

Help Wanted

The Ruby and Java projects are looking for help to keep jruby dev-java/jruby up to date and included in the portage tree. See this blog post and bug 442230 for more information. Moreover, proxy-maintainers are looking for new developers as well.

Portage

This section summarizes the current state of the portage tree.

Architectures 45
Categories 161
Packages 17380
Ebuilds 37123
Architecture Stable Testing Total % of Packages
alpha 3592 538 4130 23.76%
amd64 10707 6172 16879 97.12%
amd64-fbsd 0 1578 1578 9.08%
arm 2627 1656 4283 24.64%
arm64 436 29 465 2.68%
hppa 3041 489 3530 20.31%
ia64 3176 596 3772 21.70%
m68k 574 93 667 3.84%
mips 4 2375 2379 13.69%
ppc 6813 2397 9210 52.99%
ppc64 4310 878 5188 29.85%
s390 1476 312 1788 10.29%
sh 1673 384 2057 11.84%
sparc 4118 903 5021 28.89%
sparc-fbsd 0 319 319 1.84%
x86 11423 5196 16619 95.62%
x86-fbsd 0 3235 3235 18.61%

gmn-portage-stats-2014-04

Security

The following GLSAs have been released by the Security Team

GLSA Package Description Bug
201404-07 dev-libs/openssl OpenSSL: Information Disclosure 505278
201404-06 media-libs/mesa Mesa: Multiple vulnerabilities 432400
201404-05 net-fs/openafs OpenAFS: Multiple vulnerabilities 265538
201404-04 dev-ruby/crack Crack: Arbitrary code execution 460164
201404-03 media-gfx/optipng OptiPNG: User-assisted execution of arbitrary code 435340
201404-02 net-libs/libproxy libproxy: User-assisted execution of arbitrary code 438146
201404-01 net-print/cups CUPS: Arbitrary file read/write 442926

Package Removals/Additions

Removals

Package Developer Date
app-i18n/prime naota 02 Apr 2014
app-i18n/gtkimprime naota 02 Apr 2014
app-i18n/scim-prime naota 02 Apr 2014
app-emacs/prime-el naota 02 Apr 2014
dev-libs/suikyo naota 02 Apr 2014
app-emacs/mell ulm 02 Apr 2014
dev-ruby/locale_rails mrueg 05 Apr 2014
dev-ruby/parsetree mrueg 05 Apr 2014
dev-ruby/rubymail mrueg 05 Apr 2014
net-proxy/swiftiply mrueg 05 Apr 2014
www-servers/mongrel mrueg 05 Apr 2014
app-pda/libopensync-plugin-evolution2 ssuominen 06 Apr 2014
x11-themes/gdm-themes-livecd ulm 12 Apr 2014
net-ftp/pftpfxp ulm 14 Apr 2014
kde-misc/youtube-servicemenu johu 15 Apr 2014
sys-infiniband/libsdp alexxy 16 Apr 2014
dev-ruby/oniguruma mrueg 18 Apr 2014
dev-ruby/sary-ruby mrueg 18 Apr 2014
dev-ruby/rand mrueg 18 Apr 2014
dev-ruby/system_timer mrueg 18 Apr 2014
dev-ruby/fastercsv mrueg 18 Apr 2014
dev-ruby/ruby-taglib mrueg 19 Apr 2014
dev-ruby/rubytorrent mrueg 19 Apr 2014
dev-ruby/revolution mrueg 19 Apr 2014
app-misc/alexandria mrueg 19 Apr 2014
app-misc/bins zlogene 19 Apr 2014
dev-python/certifi floppym 20 Apr 2014
dev-python/mozfile floppym 20 Apr 2014
dev-python/mozinfo floppym 20 Apr 2014
dev-python/mozprocess floppym 20 Apr 2014
dev-python/mozprofile floppym 20 Apr 2014
dev-python/mozrunner floppym 20 Apr 2014
x11-themes/faenza-xfce-icon-theme ssuominen 23 Apr 2014
media-plugins/vdr-eggtimer hd_brummy 26 Apr 2014
media-plugins/vdr-ac3mode hd_brummy 26 Apr 2014
media-plugins/vdr-bitstreamout hd_brummy 26 Apr 2014
gnome-extra/evolution-groupwise pacho 26 Apr 2014
net-analyzer/ethstatus jer 27 Apr 2014

Additions

Package Developer Date
sys-apps/toybox patrick 01 Apr 2014
kde-base/zeroconf-ioslave johu 01 Apr 2014
dev-python/kivy-garden slis 02 Apr 2014
dev-python/Kivy slis 02 Apr 2014
dev-ruby/combustion mrueg 02 Apr 2014
dev-libs/double-conversion bicatali 02 Apr 2014
sci-libs/openlibm bicatali 02 Apr 2014
dev-python/cryptography-vectors radhermit 03 Apr 2014
media-libs/gstreamer-editing-services eva 06 Apr 2014
app-admin/clog tomwij 07 Apr 2014
dev-ruby/pygments_rb mrueg 07 Apr 2014
app-i18n/libcangjie naota 08 Apr 2014
sys-apps/netloc alexxy 08 Apr 2014
mate-base/caja tomwij 10 Apr 2014
dev-ruby/rkelly-remix zerochaos 11 Apr 2014
app-emulation/rex-client mduft 11 Apr 2014
xfce-extra/multiload-nandhp ssuominen 11 Apr 2014
app-backup/duply hwoarang 13 Apr 2014
dev-python/sparqlwrapper idella4 14 Apr 2014
media-video/movit patrick 15 Apr 2014
dev-python/cangjie naota 16 Apr 2014
sys-infiniband/libmlx5 alexxy 16 Apr 2014
sys-infiniband/qperf alexxy 16 Apr 2014
sys-infiniband/libocrdma alexxy 16 Apr 2014
dev-python/pyringe dastergon 16 Apr 2014
kde-base/baloo-widgets johu 16 Apr 2014
kde-base/kfilemetadata johu 16 Apr 2014
kde-base/baloo johu 16 Apr 2014
dev-python/pyroma dastergon 16 Apr 2014
dev-libs/libntru hasufell 16 Apr 2014
sys-libs/ntdb polynomial-c 17 Apr 2014
www-apps/jekyll mrueg 18 Apr 2014
dev-ruby/awesome_nested_set mrueg 18 Apr 2014
sec-policy/selinux-accountsd swift 18 Apr 2014
net-analyzer/nagios-check_openvpn-simple mjo 20 Apr 2014
dev-python/oslo-rootwrap prometheanfire 20 Apr 2014
dev-python/oslo-messaging prometheanfire 21 Apr 2014
dev-python/pycadf prometheanfire 21 Apr 2014
dev-ruby/fivemat zerochaos 21 Apr 2014
dev-python/python-saharaclient prometheanfire 22 Apr 2014
dev-ruby/charlock_holmes mrueg 22 Apr 2014
dev-ruby/forgery mrueg 22 Apr 2014
kde-base/kqtquickcharts kensington 22 Apr 2014
kde-base/artikulate kensington 22 Apr 2014
app-admin/eselect-lua mabi 22 Apr 2014
dev-python/pycollada xmw 23 Apr 2014
app-i18n/ibus-cangjie naota 24 Apr 2014
www-misc/zoneminder dilfridge 25 Apr 2014
net-libs/libosmo-abis zx2c4 26 Apr 2014
net-wireless/openbsc zx2c4 26 Apr 2014
net-wireless/osmobts zx2c4 26 Apr 2014
dev-ruby/actionview graaff 26 Apr 2014
dev-libs/uchardet maksbotan 26 Apr 2014
net-dns/dnscap wschlich 26 Apr 2014
net-libs/liba53 zx2c4 26 Apr 2014
net-firewall/fwknop tomwij 27 Apr 2014
net-misc/lcr zx2c4 27 Apr 2014
app-arch/engrampa tomwij 27 Apr 2014
app-editors/pluma tomwij 27 Apr 2014
app-text/atril tomwij 27 Apr 2014
media-libs/libmediaart eva 27 Apr 2014
net-libs/libgfbgraph eva 27 Apr 2014

Bugzilla

The Gentoo community uses Bugzilla to record and track bugs, notifications, suggestions and other interactions with the development team.

Activity

The following tables and charts summarize the activity on Bugzilla between 29 March 2014 and 28 April 2014. Not fixed means bugs that were resolved as NEEDINFO, WONTFIX, CANTFIX, INVALID or UPSTREAM.
gmn-activity-2014-04

Bug Activity Number
New 1452
Closed 891
Not fixed 148
Duplicates 164
Total 5677
Blocker 4
Critical 17
Major 68

Closed bug ranking

The following table outlines the teams and developers with the most bugs resolved during this period.

Rank Team/Developer Bug Count
1 Gentoo Games 44
2 Gentoo KDE team 37
3 Python Gentoo Team 35
4 Gentoo Linux Gnome Desktop Team 34
5 Gentoo Security 30
6 Nikoli 23
7 Java team 19
8 media-video herd 18
9 Gentoo Linux MySQL bugs team 17
10 Others 633

gmn-closed-2014-04

Assigned bug ranking

The developers and teams who have been assigned the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Gentoo Linux bug wranglers 90
2 Gentoo Security 85
3 Gentoo KDE team 55
4 Gentoo Linux Gnome Desktop Team 55
5 Nikoli 52
6 Python Gentoo Team 48
7 Gentoo's Team for Core System packages 44
8 Portage team 34
9 Gentoo Games 28
10 Others 960

gmn-opened-2014-04

Tip of the month

Portage File List

What is Portage File List?
Portage File List collects which files are installed by which ebuild on users machines. It shares this data publicly for searching/browsing.

PFL needs Portage data from your system. The more ebuilds you have installed the better. The more exotic ebuilds you have installed the better. Every Gentoo user can help!

emerge app-portage/pfl

This will install a cron job that submits new data to the PFL servers every week. Don’t worry, your privacy remains protected as we are not collecting anything else than portage data, and we don’t store who sends what.

As a bonus you get /usr/bin/e-file a command line utility to search for files installed by ebuilds. It allows a user to search for files that are not installed on their system and figure out which ebuild they need to install in order to obtain it. E-file requires internet access to obtain its information from the PFL website and database. Pfl is quicker than equery to search for files (even if not installed locally), while equery is more powerful and gives more options to search. Equery is limited to currently installed packages only.

The equery program is installed with the app-portage/gentoolkit package, a collection of administration scripts for Gentoo.

Heard in the community

Send us your favorite Gentoo script or tip at gmn@gentoo.org

Getting Involved?

Interested in helping out? The GMN relies on volunteers and members of the community for content every month. If you are interested in writing for the GMN or thinking of another way to contribute, please send an e-mail to gmn@gentoo.org.

April 28, 2014
Alex Legler a.k.a. a3li (homepage, bugs)
Gentoo LaTeX Beamer Theme (April 28, 2014, 11:44 UTC)

Due to frequent requests, here’s the LaTeX Beamer theme I made for the 2012 Gentoo Miniconf in Prague:

Gentoo beamer theme

It’s available via git:
https://git.a3li.li/r/gentoo/beamer-gentoo.git
or to browse online:
https://git.a3li.li/summary/gentoo!beamer-gentoo.git

The contrib/ directory contains a fixed outer template for LaTeX Beamer that increases the top and bottom margins. That hack was needed as the projector back in Prague cropped the image in a weird way. May come in handy for other venues as well. ;)

April 23, 2014
Hans de Graaff a.k.a. graaff (homepage, bugs)
The precarious state of jruby in Gentoo (April 23, 2014, 17:13 UTC)

tl;dr jruby in Gentoo will have to go unless we get volunteers to help us with the jruby 1.7 series.

jruby has been available in Gentoo since 2004 and is currently at version 1.6.8. People following jruby will realize that this is a problem: the latest upstream version is 1.7.12 as of this writing. The 1.6 series is also based on ruby 1.8.7 by default. This is a problem since we have removed ruby 1.8 from the tree altogether, and support for it in ruby packages is disappearing fast. jruby 1.6 has a 1.9 mode, but that is based on ruby 1.9.2 where most packages expect at least 1.9.3. We are currently experimenting with defaulting to 1.9.2 mode to extend the 1.6 series. In short, more and more packages that currently have jruby target will loose it on updates since it simply is no longer compatible with jruby 1.7 and in its current state jruby in Gentoo is ready for a slow and agonizing descent. Or we could just be quick about it and mask it soon.

Why not just update to jruby 1.7, you might wonder? We have bug 442230 to track this update, but unfortunately it turns out that it is not easy to add the 1.7 series of jruby to Gentoo. The biggest stumbling block here is that the 1.7 build system is based on Maven. Using Maven is not well supported in Gentoo, mostly because Maven requires the ability to download code during its build phase and does not play very nice with Gentoo's package structure in general. It may be possible to fix this, but that requires good knowledge of Java and Ruby on Gentoo. Currently we don't have any developers capable of both, and passing the code back and forth isn't very practical and proves to go very slow in practice.

So we are looking for a volunteer who wants to pick up this project, and help us bring the jruby 1.7 series to Gentoo. If you see this as a step to become a Gentoo developer than that's great and we can mentor you. If you see this as an interesting one-off project to help out with, that's great too. Once 1.7 is in the tree it should not be a big deal to keep up with new versions. Feel free to drop by in #gentoo-ruby to discuss this with us if you are interested. Our ruby overlay holds the current work-in-progress on jruby 1.7.

If no-one volunteers, unless a magical break-through suddenly appears, we will most likely be forced to mask jruby and remove it from the tree. Help us to not do that!

April 20, 2014
Sven Vermeulen a.k.a. swift (homepage, bugs)

Today I had to verify a patch that I pushed upstream but which was slightly modified. As I don’t use the tool myself (it was a user-reported issue) I decided to quickly drum up a live ebuild for the application and install it (as the patch was in the upstream repository but not in a release yet). The patch is for fcron‘s SELinux support, so the file I created is fcron-9999.ebuild.

Sadly, the build failed at the documentation generation (something about “No targets to create en/HTML/index.html”). That’s unfortunate, because that means I’m not going to ask to push the live ebuild to the Portage tree itself (yet). But as my primary focus is to validate the patch (and not create a live ebuild) I want to ignore this error and go on. I don’t need the fcron documentation right now, so how about I just continue?

To do so, I start using the ebuild command. As the failure occurred in the build phase (compile) and at the end (documentation was the last step), I tell Portage that it should assume the build has completed:

~# touch /var/portage/portage/sys-process/fcron-9999/.compiled

Then I tell Portage to install the (built) files into the images/ directory:

~# ebuild /home/swift/dev/gentoo.overlay/sys-process/fcron/fcron-9999.ebuild install

The installation phase fails again (with the same error as during the build, which is logical as the Makefile can’t install files that haven’t been properly build yet.) As documentation is the last step, I tell Portage to assume the installation phase has completed as well, continuing with the merging of the files to the life file system:

~# touch /var/portage/portage/sys-process/fcron-9999/.installed
~# ebuild /home/swift/dev/gentoo.overlay/sys-process/fcron/fcron-9999.ebuild qmerge

Et voila, fcron-9999 is now installed on the system, ready to validate the patch I had to check.

April 17, 2014
Sven Vermeulen a.k.a. swift (homepage, bugs)
If things are weird, check for policy.29 (April 17, 2014, 19:01 UTC)

Today we analyzed a weird issue one of our SELinux users had with their system. He had a denial when calling audit2allow, informing us that sysadm_t had no rights to read the SELinux policy. This is a known issue that has been resolved in our current SELinux policy repository but which needs to be pushed to the tree (which is my job, sorry about that). The problem however is when he added the policy – it didn’t work.

Even worse, sesearch told us that the policy has been modified correctly – but it still doesn’t work. Check your policy with sestatus and seinfo and they’re all saying things are working well. And yet … things don’t. Apparently, all policy changes are ignored.

The reason? There was a policy.29 file in /etc/selinux/mcs/policy which was always loaded, even though the user already edited /etc/selinux/semanage.conf to have policy-version set to 28.

It is already a problem that we need to tell users to edit semanage.conf to a fixed version (because binary version 29 is not supported by most Linux kernels as it has been very recently introduced) but having load_policy (which is called by semodule when a policy needs to be loaded) loading a stale policy.29 file is just… disappointing.

Anyway – if you see weird behavior, check both the semanage.conf file (and set policy-version = 28) as well as the contents of your /etc/selinux/*/policy directory. If you see any policy.* that isn’t version 28, delete them.

April 16, 2014
Alexys Jacob a.k.a. ultrabug (homepage, bugs)
py3status v1.4 (April 16, 2014, 10:18 UTC)

I’m glad to announce the release of py3status-1.4 which I’d like to dedicate to @guiniol who provided valuable debugging (a whole Arch VM) to help me solve the problem he was facing (see changelog).

I’m gathering wish lists an have some (I hope) cool ideas for the next v1.5 release, feel free to post your most adventurous dreams !

changelog

  • new ordering mechanism with verbose logging on debug mode. fixes rare cases where the modules methods were not always loaded in the same order and caused inconsistent ordering between reloads. thx to @guiniol for reporting/debugging and @IotaSpencer and @tasse for testing.
  • debug: dont catch print() on debug mode
  • debug: add position requested by modules
  • Add new module ns_checker.py, by @nawadanp
  • move README to markdown, change ordering
  • update the README with the new options from –help

contributors

Special thanks to this release’s contributors !

  • @nawadanp
  • @guiniol
  • @IotaSpencer
  • @tasse

April 15, 2014

Recent versions of OpenSSL were found to be affected by an information disclosure vulnerability related to TLS heartbeats, nicknamed Heartbleed. It allows attackers to read up to 64kb of random server memory, possibly including passwords, session IDs or even private keys.

After the public disclosure on April 7, we have confirmed that several services provided by Gentoo Infrastructure were vulnerable as well. We have immediately updated the affected software, recreated private keys, reissued certificates, and invalidated all running user sessions. Despite these measures, we cannot exclude the possibility of attackers exploiting the issue during the time it was not publicly known to gain access to credentials or session IDs of our users. There are currently no indications this has happened.

However, to be safe, we are asking you to reset your passwords used for Gentoo services within the next 7 days. You need to take action if you have an account on one of the following sites:

  • blogs.gentoo.org
  • bugs.gentoo.org
  • forums.gentoo.org
  • wiki.gentoo.org

After 7 days, we will be removing all passwords to avoid abuse. For more information and the full announcement, visit http://infra-status.gentoo.org/notice/20140413-heartbleed.

April 10, 2014
Luca Barbato a.k.a. lu_zero (homepage, bugs)
Security and Tools (April 10, 2014, 09:51 UTC)

Everybody should remember than a 100% secure device is the one unplugged and put in a safe covered in concrete. There is always a trade-off on the impairment we inflict ourselves in order to stay safe.

Antonio Lioy

In the wake of the heartbleed bug. I’d like to return again on what we have to track problems and how they could improve.

The tools of the trade

Memory checkers

I wrote in many places regarding memory checkers, they are usually a boon and they catch a good deal of issues once coupled with good samples. I managed to fix a good number of issues in hevc just by using gcc-asan and running the normal tests and for vp9 took not much time to spot a couple of issues as well (the memory checkers aren’t perfect so they didn’t spot the faulty memcpy I introduced to simplify a loop).

If you maintain some software please do use valgrind, asan (now also available on gcc) and, if you are on windows, drmemory. They help you catch bugs early. Just beware that sometimes certain versions of clang-asan miscompile. Never blindly trust the tools.

Static analyzers

The static analyzers are a mixed bag, sometimes they spot glaring mistakes sometimes they just point at impossible conditions.
Please do not put asserts to make them happy, if they are right you just traded a faulty memory access for a deny of service.

Other checkers

There are plenty other good tools from the *san family one can use, ubsan is maybe the newest available in gcc and it does help. Valgrind has plenty as well and the upcoming drmemory has a good deal of interesting perks, if only upstream hadn’t been so particular with release process and build systems you’d have it in Gentoo since last year…

Regression tests

I guess everybody is getting sick of me talking about fuzzy testing or why I spent weeks to have a fast regression test archive called playground for Libav and I’m sure everybody in Gentoo is missing the tinderbox runs Diego used to run.
Having a good and comprehensive batch of checks to make sure new code and new fixes do not have the uncalled side effect of breaking stuff is nice, coupled with git bisect makes backporting to fix issues in release branches much easier.

Debuggers

We have gdb, that works quite well, and we have lldb that should improve a lot. And many extensions on top of them. When they fail we can always rely on printf, or not

What’s missing

Speed

If security is just an acceptable impairment over performance in order not to crash, using the tools mentioned are an acceptable slow down on the development process in order not to spend much more time later tracking those issues.

The teams behind valgrind and *san are doing their best to just make the execution three-four times as slow when the code is instrumented.

The static analyzers are usually just 5 times as slow as a normal compiler run.

A serial regression test run could take ages and in parallel could make your system not able to do anything else.

Any speed up there is a boon. Bigger hardware and automation mitigates the problem.

Precision

While gdb is already good in getting you information out of gcc-compiled data apparently clang-compiled binaries are a bit harder. Using lldb is a subtle form of masochism right now for many reasons, it getting confused is just the icing of a cake of annoyance.

Integration

So far is a fair fight between valgrind and *san on which integrates better with the debuggers. I started using asan mostly because made introspecting memory as simple as calling a function from gdb. Valgrind has a richer interface but is a pain to use.

Reporting

Some tools are better than other in pointing out the issues. Clang is so far the best with gcc-4.9 coming closer. Most static analyzers are trying their best to deliver the big picture and the detail. gdb so far is incredibly better compared to lldb, but there are already some details in lldb output that gdb should copy.

Thanks

I’m closing this post thanking everybody involved in creating those useful, yet perfectible tools, all the people actually using them and reporting bugs back and everybody actually fixing the mentioned bugs so I don’t have to do myself alone =)

Everything is broken, but we are fixing most of it together.

April 08, 2014
Alexys Jacob a.k.a. ultrabug (homepage, bugs)
mongoDB 2.4.10 & pymongo 2.7 (April 08, 2014, 16:05 UTC)

I’m pleased to announce those latest mongoDB related bumps. The next version bump will be for the brand new mongoDB 2.6 for which I’ll add some improvements to the Gentoo ebuild so stay tuned ;)

mongodb-2.4.10

  •  fixes some memory leaks
  • start elections if more than one primary is detected
  • fixes issues about indexes building and replication on secondaries
  • chunk size is decreased to 255 KB (from 256 KB) to avoid overhead with usePowerOf2Sizes option

All mongodb-2.4.10 changelog here.

pymongo-2.7

  • of course, the main feature is the mongoDB 2.6 support
  • new bulk write API (I love it)
  • much improved concurrency control for MongoClient
  • support for GridFS queries

All pymongo-2.7 changelog here.

April 06, 2014
Raúl Porcel a.k.a. armin76 (homepage, bugs)
New AArch64/arm64 stage3 available (April 06, 2014, 12:54 UTC)

Hello all,

Following up with my AArch64/ARM64 on Gentoo post, in the last months Mike Frysinger (vapier) has worked in bringing arm64 support to the Gentoo tree.

He has created the profiles and the keyword, along with keywording a lot of packages(around 439), so props to him.

Upstream qemu-2.0.0-rc now supports aarch64/arm64, so I went ahead and created a stage3 using the new arm64 profile. Thanks to Mike I didn’t had to fight with a lot of problems like in the previous stage3.

For building I just had to have this in my package.keywords file:

=app-text/opensp-1.5.2-r3 **
=dev-util/gperf-3.0.4 **
=sys-apps/busybox-1.21.0 **
=app-text/sgml-common-0.6.3-r5 **
=app-text/openjade-1.3.2-r6 **
=app-text/po4a-0.42 **
=dev-perl/Text-CharWidth-0.40.0 **
=dev-perl/SGMLSpm-1.03-r7 **
=dev-util/intltool-0.50.2-r1 **
=dev-perl/XML-Parser-2.410.0 **
=dev-perl/Text-WrapI18N-0.60.0 **
=sys-apps/coreutils-8.22

And in my package.use file:

sys-apps/busybox -static

coreutils-8.21 fails to build, 8.22 built fine. And building busybox with USE=”static” still fails.

Also I’ve just found out that USE=”hpn” on net-misc/openssh makes the client segfault. Not sure if its because of qemu or because the unaligned accesses hpn had aren’t happy on arm64. So if you plan to use the ssh client in the arm64 chroot, make sure you have USE=”-hpn”

By the way, app-arch/lbzip2 seems to fail to run here, not sure if its because of qemu or it simply doesn’t work on arm64. It segfaults.

You can download it from: http://gentoo.osuosl.org/experimental/arm/arm64

I’ve also starting to upload some binary packages: http://tinderbox.dev.gentoo.org/default/linux/arm64/

Also, if someone wants to give us access to arm64 hardware, we would be really happy :)

 


April 05, 2014
Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
"smart" software (April 05, 2014, 10:29 UTC)

1) Grab webbwrowser
2) Enter URL
3) Figure out that webbrowser doesn't want to use HTTP because ... saturday? I don't know, but ass'u'me'ing that some URLs are ftp is just, well stupid, because your heuristic is whack.

Or, even more beautiful:

$ clementine
18:02:59.662 WARN  unknown                          libpng warning: iCCP: known incorrect sRGB profile 
Bus error


I have no idea what this means, so I'll be explicitly writing http:// at the beginning of all URL I offer to Firefox. And Clementine just got a free travel to behind the barn, where it'll get properly retired - after all it doesn't do the simple job it was hired to do. Ok, before it randomly didn't play "some" music files because gstreamer, which makes no sense either, but open rebellion will not have happy results.

I guess the moral of the story is: Don't misengineer things, clementine should output music and not be a bus driver. Firefox should not interpret-dance the URLS offered to it, but since it's still less retarded than the competition it'll be allowed to stay a little bit longer.

Sigh. Doesn't anyone engineer things anymore?

April 01, 2014
Gentoo Monthly Newsletter - March 2014 (April 01, 2014, 03:02 UTC)

The March 2014 GMN issue is now available online.

This month on GMN:

  • Interview with Gentoo developer Tom Wijsman (TomWij)
  • Tracking the history of Gentoo: Gentoo Galaxy
  • Latest Gentoo news, tips, interesting stats and much more.

March 31, 2014
Gentoo Monthly Newsletter: March 2014 (March 31, 2014, 19:07 UTC)

Gentoo News

Interview with Tom Wijsman (TomWij)

(by David Abbott)

1. To get started, can you give us a little background information about yourself?

Tom Wijsman is my full name; TomWij is formed as a shorter nickname, taking the first three letters twice. 24 years is how long I’ve been alive and Antwerp, Belgium is where you can find me eating, hanging around, sleeping, studying, working and so on…

At university, I study the Computer Science programme with a specialization in Software Engineering. As the last year starts now, my student time is almost over.

Over the last years, a lot of programming languages have passed by there and on Gentoo Linux; which makes participation in both of them really worth it.

Besides programming, listening and playing some music is what I like to do. Currently I own an electric guitar, which sometimes is played on; but maybe I go for another instrument soon and practice in a more dedicated manner. Occasionally, I play FPS or RTS games too.

2. Tell us about your introduction to Gentoo?

The first look at Gentoo was when I was a dedicated enthusiast Windows user, who would run as much on Windows as possible. Once I’ve tried to set up a Windows / Linux combination by running SUA / Interix together with Xming, but as I barely knew Linux back then that didn’t come to a good end. Later, Linux was needed for university; as we needed to guarantee our software compiles and works on the lab computers that run Linux.

Having used another distribution in a virtual machine for some time; I discovered that it was slow without hardware virtualization, which we didn’t have yet back then. Something fast and small on a separate partition was needed; and thus, a small bit of space was cleaned out at the end of the partition and Gentoo was used to create a quite minimal setup with just what’s necessary to develop, compile and test.

When the need for that was over, the small partition was ditched; thus I have been using Windows for several years, but with Windows 8 going RTM and the changes that happened I started to realize that I wanted an OS that can be changed to what I like, instead of doing things the way in the limited amount of ways they can be done.

So, Gentoo Linux came back in mind; and that’s how I made the switch to it last year.

3. Describe your journey to become a Gentoo developer?

Not long after becoming an user of Gentoo, I decided to contribute back; so, I started to try to package some things that I used on Windows or which fitted the current needs back then. From there on I looked for ways to contribute, at which time I found a blog post that the kernel team is looking for users to help; there was too many users, so, I didn’t make the cut.

Apparently, none of them sticked to it; so, later I got back to try again and then the kernel lead mentored me. As this was a good opportunity, the next days were spent on studying the development manual and answering the quizzes as detailed as possible; I took a self-study approach here, looking back on it having seen every part of the devmanual certainly gains you a lot, as you can recall where things are and know enough to not break the Portage tree.

After a recruiter reviewed the quiz responses a year ago; I learned more during the review, that’s how I became Gentoo Developer and six months after I switched from Windows.

4. What are some of the projects you are involved with and the packages you help maintain?

Besides working on our Kernel releases, recently I have joined the QA and Portage team to keep the quality of our distribution high and improve repoman; in the longer end I plan to improve Portage and/or pkgcore when I get to learn their code base better. Other teams I am on are the Proxy Maintainers (to help Gentoo users maintain packages without them needing to become a Gentoo Developer); as well as the Java, Dotnet, Bug Wranglers and Bug Cleaners projects. The last two projects help get bugs assigned and cleaned up.

Next to those projects I maintain or help maintain some packages that I either personally use, am interested in or where work was needed. One of the last introduced packages is Epoch, a new minimal init system. It boots extremely fast on the Raspberry Pi.

5. I proxy-maintain a few packages myself. I am a staff member without commit rights. Its a great way to give back and also help maintain a package that you like and use. To prepare I did the ebuild quiz for my own understanding of ebuild writing and set up a local overlay to test my ebuilds. What are some other ways a user can become confident enough to maintain some packages?

The basic guide to write Gentoo Ebuilds is a guide that was started to cover the very first steps to writing an ebuild; this resource was previously non existing, it was written to close the gap between having no prior knowledge and the Gentoo Development Guide.

The Gentoo Development Guide is a great reference to find most details and policy one needs to know for writing ebuilds; when working in the terminal, checking out man 5 ebuild can be handy to quickly look up syntax, variables and functions of the ebuild format.

Creating a local overlay allows you to start locally experimenting with ebuilds. When you feel confident you can request a hosted overlay (or create one yourself on a third party service like GitHub and file a similar bug requesting it to be added to the overlay list) or contribute to the Portage tree (through proxy maintenance or you can become developer if you want to) or an existing overlay.

When you do proxy maintenance, the proxy maintainers will help you by advising and reviewing the ebuild and letting you know how to improve it; if you work on an overlay, there are other mediums (where proxy maintainers are present as well) to ask questions or get your ebuild reviewed. For example, #gentoo-dev-help on the Freenode IRC network is helpful.

Besides that users are advised to run

repoman manifest && repoman full

to check for QA errors, QA keywords are explained in the last part of man repoman it can help find common mistakes, as well as help increase the quality for it to be added to the Portage tree.

6. What do you think Gentoo’s strengths and weaknesses are both as a development platform and as a general purpose Linux Distribution?

That you can very easily patch up packages is a very nice feature, as well as the code that gets compiled by those packages; you can simply unpack the code;

ebuild unpack foo-1.ebuild

and write a patch for one or more file(s), then put the patch in /etc/portage/patches/app-bar/foo and there you have your patched code.

Besides patching up packages, the USE flag control in Gentoo is what makes Gentoo powerful. This controls the features of packages to allow you to have packages fit your usage rather than become bloated with features, libraries and other size hogs you never need. Alongside USE flag control becomes the ability to choose alternative libraries, alternative GUIs more; which is nice when you prefer the way something works or looks like.

What I think Gentoo could use more is more manpower; what made Gentoo powerful is its community, and its community is formed by users who contribute. And to this extent the amount of contributions determine how powerful Gentoo becomes.

If users are interested; they are welcome to contribute to Gentoo, to make it even more powerful than ever before. They don’t necessarily need much prior knowledge, there’s something for everybody; and if needed, we can help them learn more.

7. Can you describe your personal desktop setup (WM/DE)?

As desktop environment; I use GNOME 3, I’m glad to see the way they have progressed in terms of their user interface. GNOME 2 I’ve also used in the past, because I didn’t bother searching further too much; but didn’t really like GNOME 2’s UI. GNOME 3’s UI gets out of the way and I like how it focuses on the more typical user that has no special requirements.

Alongside that comes the requirement to run systemd; though that was in use long before running GNOME 3, as a while ago I was on XFCE and was experimenting around to see if systemd fits certain needs. It does; so does XFCE as well, so while I don’t really like it UI like with GNOME 2, I considered XFCE as an alternative DE to switch to. However, very recently I’m using MATE on top of GNOME 3; if GNOME 3 breaks, MATE is my new alternative DE.

The particular thing that I like about systemd is that it allows you to easily make a huge cut in boot time; while this kind of parameter has no good purpose in general, it does help as I need to test kernel releases and sometimes switch between NVIDIA and Nouveau module. The boot is down to two seconds after the boot loader hands over; at this point, you discover that the bootchart PNG export feature doesn’t allow you to scale the graph…

On the Raspberry Pi, Epoch gets the boot time down to seconds; as it was bothering that it previously took over a minute, as that is what running init scripts (which are shell) does together with all what they call when you run it on slow embedded hardware. Whereas Epoch is a daemon with a single configuration file that just starts a few processes and that’s it.

It also helped for bisecting as well as hacking up a reclocking patch for the Nouveau module a bit; while making it work on the NVIDIA card, the patch is still unstable and might break other cards and further improving it is quite a steep learning curve and a lot of work.

Other software that I use is AutoKey to quickly paste text that I need to repeat often (comments on bugs, e-mail responses, …); Chromium which I think is a browser that gets out of the way with its minimal interface; WeeChat (actively developed irssi clone with a ton of extra features); a mail client that does what I need (Claws Mail); and I could go on for hours, so, feel free to ask if you want to know more…

8. What are the specs of your current boxes?

Currently I own a Clevo W870CU barebone laptop that is put together; it features a Intel Corporation 5 Series/3400 Series Chipset, a Full HD 17 inch screen and enough interface ports. The processor in it is an Intel(R) Core(TM) i7 CPU Q 720. As hard disks I use a Intel X25-M 160 GB SSD and a Seagate Momentus 7200.3 320 GB HDD. There are also a NVIDIA GeForce GTX 285M, Intel Corporation WiFi Link 5100 and Realtek RTL8111/8168/8411 PCIE Gigabit Ethernet Controller inside.

As for the Raspberry Pi, it is a model B; you can find its specifications here. I gave it a 32 GB SD card with Gentoo on it where the 32 GB gives it some room before wearing it out. Alongside there are two external drives of a few terabytes to store big data and backups.

The Raspberry Pi here kind of acts like a cheap all-in-one NAS and/or media solution.

9. As a Gentoo Developer what are some of your accomplishments?

On the kernel team, the kernel eclass and genpatches scripts were adapted to bring support for experimental patches; this allows adding experimental patches to kernel packages using USE=experimental, without applying them by default. A condition for an experimental patch to be added is that applying the patch does not change the runtime behavior; in other words, we want changes to be guarded by a config option, in addition to USE=experimental. The eventual end goal is to have a lot of the regular experimental patches supported, to deduplicate work amongst kernel packages and our users.

Besides making improvements to the kernel packaging I maintain packages that I use and/or packages that need maintenance; at the moment, MATE is being brought to the Portage tree. Quality Assurance work I also do to keep the quality of the Portage tree high.

10. What would be your dream job?

While not having anything specific in mind, developing on “something” is what I have in mind.

In the context of the business world, that could be solutions that aid users with their daily tasks; in the context of the gaming world, maybe some indie game in the hope that it grows out; and last, I listen to music a lot, so, maybe within that context it could be some kind of computer science solution within that field.

Relying on yet-to-discover science is what I’d like to avoid, and rather rely on what is a given already; such that becoming popular is the only real risk. Once popularity has been obtained, then exploration might become an option; although one should not ignore that exploration can lead to popularity, but as said that is not without risk.

11. What users would you like to recruit to become Gentoo Developers?

Good question; many people are qualified, anyone that’s interested can expect help from us.

12. What gives you the most enjoyment within the Gentoo community?

Giving back to the community as an appreciation of what the community has given to me.

Gentoo Galaxy: Keeping History of Gentoo

(by Seemant Kulleen)

Gentoo Galaxy aims to make sure that Gentoo’s history is as accurate as possible, that every Gentoo developer’s contribution is acknowledged and valued. We’re starting with our list of Gentoo developers. We currently have all developers who have been active in Bugzilla and/or the 4 main CVS repositories throughout Gentoo’s history represented in a visualization here: http://kulleen.org/gentoo/galaxy

That page contains a list of developers for whom we need more information — we want to visualize everybody’s contributions. If you are or know a developer on that list, please get in touch with us via bugzilla. e-mail, twitter, google plus or IRC in #gentoo or #gentoo-dev.

Trustee News

Gentoo Foundation 2013 Treasure Summary
In the fiscal year 2013, for the period of July 1st through June 30th we had total assets of $73,494.40. Our main income was $7,000.00 from GSOC, next was donations thru paypal for $6,386.94 and the official Gentoo store generated $558.85 in commissions.

Our expenses totaled $3,396.01 with $2,399.23 to Gentoo GSoC 2012 mentor’s summit travel reimbursement.

Our expenses are kept to a minimium because of all our generous sponsors plus the work of our Infrastructure team to secure donations of hosting, hardware and bandwidth.

Requests for Funds, Project Support, or Equipment
Requests for funds, project support, or equipment need to be sent to the Foundation in the form of a proposal. This proposal is to inform all trustees of the need (not all of them will be aware of the need or the background of the situation). The proposal process will also help to maintain a trusting relationship between the Foundation and its donors. Donors know and expect that without exception money will only be spent after a proposal and vote by the Board of Trustees. Additionally, the proposals will be archived to provide accountability for money spent.

Please review our policy documentation for more information.

News Items

Subject: Ruby 1.8 removal, Ruby 1.9 and Ruby 2.0 activated by default

The Gentoo Ruby team would like to inform you, that the default active ruby targets changed from “ruby19 ruby18″ to “ruby19 ruby20″.

It is about time, because Ruby 1.8 was retired by upstream in July 2013 [1] and has got known security issues (CVE-2013-4164). In Gentoo, we’re going to remove the currently package.masked Ruby MRI 1.8 soon. All packages, depending on ruby, have been converted to support at least Ruby 1.9 or were added to the package.mask at the same time with Ruby 1.8. In case of issues during or after the upgrade, feel free to fill a bug at bugs.gentoo.org

If your currently eselected Ruby interpreter is ruby18, our recommendation is to change it to ruby19. [2] At the moment Ruby MRI 1.9 delivers the best possible support of all Ruby interpreters in tree.

Check the current setting via:
eselect ruby show

Change the current setting to Ruby MRI 1.9 via:
eselect ruby set ruby19

[1] https://www.ruby-lang.org/en/news/2013/06/30/we-retire-1-8-7/
[2] https://wiki.gentoo.org/wiki/Project:Ruby/Ruby_1.9_migration

Gentoo Developer Stats

Summary

Gentoo is made up of 252 active developers, of which 38 are currently away.
Gentoo has recruited a total of 794 developers since its inception.

Changes

The following developers have recently changed roles:
Jason A. Donenfeld (zx2c4) Joined the systemd project

Additions

The following developers have recently joined the project:
None this month

Moves

The following developers recently left the Gentoo project:
None this month

Portage

This section summarizes the current state of the portage tree.

Architectures 45
Categories 161
Packages 17342
Ebuilds 36489
Architecture Stable Testing Total % of Packages
alpha 3612 510 4122 23.77%
amd64 10703 6142 16845 97.13%
amd64-fbsd 0 1577 1577 9.09%
arm 2631 1636 4267 24.61%
hppa 3034 484 3518 20.29%
ia64 3186 575 3761 21.69%
m68k 576 88 664 3.83%
mips 4 2362 2366 13.64%
ppc 6865 2349 9214 53.13%
ppc64 4334 849 5183 29.89%
s390 1493 290 1783 10.28%
sh 1714 339 2053 11.84%
sparc 4135 877 5012 28.90%
sparc-fbsd 0 323 323 1.86%
x86 11418 5183 16601 95.73%
x86-fbsd 0 3233 3233 18.64%

gmn-portage-stats-2013-11

Security

The following GLSAs have been released by the Security Team

GLSA Package Description Bug
201403-08 dev-perl/PlRPC PlRPC: Arbitrary code execution 497692
201403-07 sys-apps/grep grep: User-assisted execution of arbitrary code 448246
201403-06 net-libs/libupnp libupnp: Arbitrary code execution 454570
201403-05 app-editors/emacs GNU Emacs: Multiple vulnerabilities 398239
201403-04 dev-qt/qtcore QtCore: Denial of Service 494728
201403-03 sys-apps/file file: Denial of Service 501574
201403-02 dev-libs/libyaml LibYAML: Arbitrary code execution 499920
201403-01 www-client/chromium Chromium-V8: Multiple vulnerabilities 486742

Package Removals/Additions

Removals

Package Developer Date
x11-misc/slimlock titanofold 10 Mar 2014
dev-libs/ido ssuominen 15 Mar 2014
dev-ruby/ruby-bdb mrueg 15 Mar 2014
www-servers/mongrel_cluster mrueg 15 Mar 2014
virtual/emacs-cedet ulm 17 Mar 2014
gnustep-libs/cddb voyageur 17 Mar 2014
app-emacs/nxml-mode ulm 17 Mar 2014
app-emacs/erc ulm 17 Mar 2014
app-emacs/cperl-mode ulm 17 Mar 2014
app-emacs/alt-font-menu ulm 17 Mar 2014
app-emacs/u-vm-color ulm 17 Mar 2014
app-emacs/eperiodic ulm 20 Mar 2014
app-emacs/view-process ulm 20 Mar 2014
media-sound/audio-entropyd angelos 22 Mar 2014
app-emacs/http-emacs ulm 23 Mar 2014
app-emacs/mairix ulm 23 Mar 2014

Additions

Package Developer Date
dev-python/pretend radhermit 01 Mar 2014
dev-python/cryptography radhermit 01 Mar 2014
dev-java/boilerpipe ercpe 01 Mar 2014
media-plugins/gst-plugins-vaapi pacho 01 Mar 2014
dev-db/derby ercpe 01 Mar 2014
net-analyzer/masscan robbat2 01 Mar 2014
mate-base/mate-desktop tomwij 02 Mar 2014
mate-extra/mate-dialogs tomwij 02 Mar 2014
mate-extra/mate-polkit tomwij 02 Mar 2014
x11-libs/libmatewnck tomwij 02 Mar 2014
dev-python/ssl-fetch dolsen 02 Mar 2014
dev-java/hamcrest-integration ercpe 02 Mar 2014
sci-libs/Fiona slis 03 Mar 2014
dev-python/ipdbplugin slis 03 Mar 2014
sci-libs/pyshp slis 03 Mar 2014
dev-util/lttng-modules dlan 04 Mar 2014
dev-util/lttng-ust dlan 04 Mar 2014
dev-util/lttng-tools dlan 04 Mar 2014
dev-util/babeltrace dlan 04 Mar 2014
games-misc/papers-please hasufell 04 Mar 2014
dev-haskell/scientific qnikst 04 Mar 2014
dev-haskell/text-stream-decode qnikst 04 Mar 2014
kde-base/kwalletmanager johu 04 Mar 2014
mate-base/mate-panel tomwij 05 Mar 2014
mate-base/mate-settings-daemon tomwij 05 Mar 2014
net-wireless/crackle zerochaos 05 Mar 2014
dev-util/appdata-tools polynomial-c 06 Mar 2014
media-libs/libepoxy mattst88 06 Mar 2014
dev-ruby/magic mrueg 06 Mar 2014
net-wireless/mate-bluetooth tomwij 07 Mar 2014
x11-themes/mate-icon-theme tomwij 07 Mar 2014
x11-wm/mate-window-manager tomwij 07 Mar 2014
dev-ruby/ruby-feedparser mrueg 07 Mar 2014
dev-java/dnsjava ercpe 07 Mar 2014
dev-haskell/abstract-deque-tests gienah 09 Mar 2014
dev-haskell/exceptions gienah 09 Mar 2014
dev-haskell/errorcall-eq-instance gienah 09 Mar 2014
dev-haskell/asn1-encoding gienah 09 Mar 2014
dev-haskell/asn1-parse gienah 09 Mar 2014
dev-haskell/chunked-data gienah 09 Mar 2014
dev-haskell/enclosed-exceptions gienah 09 Mar 2014
dev-haskell/esqueleto gienah 09 Mar 2014
dev-haskell/foldl gienah 09 Mar 2014
dev-haskell/x509 gienah 09 Mar 2014
dev-haskell/x509-store gienah 09 Mar 2014
dev-haskell/x509-system gienah 09 Mar 2014
dev-haskell/x509-validation gienah 09 Mar 2014
mate-base/mate-file-manager tomwij 09 Mar 2014
mate-extra/mate-calc tomwij 09 Mar 2014
mate-extra/mate-character-map tomwij 09 Mar 2014
mate-extra/mate-power-manager tomwij 09 Mar 2014
mate-extra/mate-screensaver tomwij 10 Mar 2014
mate-extra/mate-sensors-applet tomwij 10 Mar 2014
dev-python/ansicolor jlec 10 Mar 2014
dev-libs/liblogging ultrabug 10 Mar 2014
sys-apps/gentoo-functions williamh 10 Mar 2014
mate-extra/mate-system-monitor tomwij 10 Mar 2014
mate-extra/mate-utils tomwij 11 Mar 2014
x11-terms/mate-terminal tomwij 11 Mar 2014
x11-themes/mate-backgrounds tomwij 11 Mar 2014
x11-themes/mate-themes tomwij 11 Mar 2014
media-video/atomicparsley-wez ssuominen 11 Mar 2014
app-arch/mate-file-archiver tomwij 12 Mar 2014
app-editors/mate-text-editor tomwij 12 Mar 2014
app-text/mate-document-viewer tomwij 12 Mar 2014
games-misc/games-envd hasufell 12 Mar 2014
perl-core/Dumpvalue zlogene 12 Mar 2014
dev-python/python-caja tomwij 12 Mar 2014
dev-haskell/fingertree qnikst 12 Mar 2014
dev-haskell/reducers qnikst 12 Mar 2014
dev-haskell/monadrandom qnikst 12 Mar 2014
dev-haskell/either qnikst 12 Mar 2014
media-libs/x265 aballier 12 Mar 2014
dev-haskell/tasty-rerun qnikst 12 Mar 2014
dev-haskell/ekg qnikst 12 Mar 2014
dev-lang/lfe patrick 13 Mar 2014
dev-ml/optcomp aballier 13 Mar 2014
dev-ml/deriving aballier 13 Mar 2014
dev-python/venusian patrick 14 Mar 2014
dev-python/pyramid patrick 14 Mar 2014
kde-misc/about-distro johu 14 Mar 2014
dev-haskell/errors qnikst 14 Mar 2014
perl-core/Math-Complex zlogene 14 Mar 2014
dev-libs/ido ssuominen 15 Mar 2014
dev-python/dugong radhermit 17 Mar 2014
mate-base/mate-applets tomwij 17 Mar 2014
mate-extra/caja-dropbox tomwij 17 Mar 2014
mate-extra/mate-file-manager-image-converter tomwij 17 Mar 2014
mate-extra/mate-file-manager-open-terminal tomwij 17 Mar 2014
mate-extra/mate-file-manager-sendto tomwij 17 Mar 2014
mate-extra/mate-file-manager-share tomwij 17 Mar 2014
dev-util/emilpro zerochaos 18 Mar 2014
kde-misc/kcmsystemd johu 18 Mar 2014
media-gfx/mate-image-viewer tomwij 19 Mar 2014
x11-misc/mate-menu-editor tomwij 19 Mar 2014
net-analyzer/mate-netspeed tomwij 19 Mar 2014
x11-misc/mate-notification-daemon tomwij 19 Mar 2014
x11-themes/mate-icon-theme-faenza tomwij 19 Mar 2014
dev-ruby/rb-readline zerochaos 19 Mar 2014
dev-vcs/hg-fast-export ottxor 21 Mar 2014
sys-apps/audio-entropyd angelos 22 Mar 2014
dev-vcs/git-flow johu 22 Mar 2014
app-emacs/gnuplot-mode ulm 22 Mar 2014
app-admin/mate-system-tools tomwij 22 Mar 2014
mate-extra/mate-media tomwij 22 Mar 2014
mate-base/mate-control-center tomwij 22 Mar 2014
net-misc/portspoof zerochaos 22 Mar 2014
app-leechcraft/lc-ooronee maksbotan 23 Mar 2014
app-leechcraft/lc-cpuload maksbotan 23 Mar 2014
app-leechcraft/lc-certmgr maksbotan 23 Mar 2014
mate-extra/mate-user-share tomwij 23 Mar 2014

Bugzilla

The Gentoo community uses Bugzilla to record and track bugs, notifications, suggestions and other interactions with the development team.

Activity

The following tables and charts summarize the activity on Bugzilla between 25 February 2014 and 27 March 2014. Not fixed means bugs that were resolved as NEEDINFO, WONTFIX, CANTFIX, INVALID or UPSTREAM.
gmn-activity-2014-02

Bug Activity Number
New 1820
Closed 1307
Not fixed 177
Duplicates 159
Total 5600
Blocker 4
Critical 19
Major 65

Closed bug ranking

The developers and teams who have closed the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Python Gentoo Team 76
2 Perl Devs @ Gentoo 63
3 Gentoo KDE team 47
4 Gentoo Security 41
5 Gentoo's Team for Core System packages 41
6 Gentoo's Haskell Language team 35
7 Gentoo Linux Gnome Desktop Team 31
8 GNU Emacs Team 29
9 Default Assignee for Orphaned Packages 28
10 Others 915

gmn-activity-2014-02

Assigned bug ranking

The developers and teams who have been assigned the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Gentoo Linux bug wranglers 119
2 Gentoo Security 95
3 Gentoo Games 75
4 Gentoo KDE team 57
5 Gentoo Linux Gnome Desktop Team 57
6 Python Gentoo Team 52
7 Gentoo's Team for Core System packages 51
8 Gentoo's Haskell Language team 41
9 GNU Emacs Team 41
10 Others 1231

gmn-activity-2014-02

Tip of the month

Gentoolkit has a little known utility called enalyze.

Enalyze analyzes the deployment information Gentoo keeps of all packages and checks this against the current settings status.

There are 2 sub-modules:
- the “analyze” module produces the reports, and
- the “rebuild” module which allows for rebuilding package.use, package.accept_keywords, and package.unmask files which can be placed in /etc/portage.

The difference between it and equery, is that equery does specific queries, while enalyze does complete reports. So, essentially it can be used as a tune up or repair kit for your gentoo system. It does not do everything for you, it does leave some of the decision making to you. But after reviewing the reports, you may want to edit your make.conf to optimize its settings. An interesting feature is that enalyze supports creation of new package.use, package.accept_keywords or package.unmask files based on the currently installed package information, your current profile and make.conf settings. Through it, enalyze can help you rebuild these files or remove obsolete entries from it.

Please note that it does not use or modify existing /etc/portage/package.* files

eg:

# enalyze analyze -v use

This produces a report of all use flags used by packages on your system as well as how they are used. It shows if a USE flag is enabled or disabled, and shows if the USE flag has a “default” setting (a summary of: a profile enabled USE flag, a global make.defaults USE flag, etc.) For each USE flag, the packages that use it are listed as well when called with the -v module option.

From that information you can edit your make.conf’s USE= and remove any flags that are already defaulted. if there is a flag that has more than a few packages using that setting, you could add it to the USE= instead of relying on having that flag in package.use for those packages.

When finished the above:

# enalyze rebuild use

Will generate a new package.use file (neatly sorted) of only the entries needed to preserve the current state of the packages installed. Once you check over the file, add some custom tweaks (to your satisfaction) you can replace the existing or missing file in /etc/portage.

It also runs completely as any user in the portage group. There is no need to run it with superuser rights. Any files generated are saved in the users home directory.

Tip: It is very useful for changing profiles too. Just run them to adapt to the new profile and the new defaults.

P.S. There is room for the utility to get many more reports and rebuild options. So, submit your requests (and hopefully code).

Send us your favorite Gentoo script or tip at gmn@gentoo.org

Getting Involved?

Interested in helping out? The GMN relies on volunteers and members of the community for content every month. If you are interested in writing for the GMN or thinking of another way to contribute, please send an e-mail to gmn@gentoo.org.

Sven Vermeulen a.k.a. swift (homepage, bugs)
Proof of concept for USE enabled policies (March 31, 2014, 16:33 UTC)

tl;dr: Some (-9999) policy ebuilds now have USE support for building in (or leaving out) SELinux policy statements.

One of the “problems” I have been facing since I took on the maintenance of SELinux policies within Gentoo Hardened is the (seeming) inability to make a “least privilege” policy that suits the flexibility that Gentoo offers. As a quick recap: SELinux policies describe the “acceptable behavior” of an application (well, domain to be exact), often known as the “normalized behavior” in the security world. When an application (which runs within a SELinux domain) wants to perform some action which is not part of the policy, then this action is denied.

Some applications can have very broad acceptable behavior. A web server for instance might need to connect to a database, but that is not the case if the web server only serves static information, or dynamic information that doesn’t need a database. To support this, SELinux has booleans through which optional policy statements can be enabled or disabled. So far so good.

Let’s look at a second example: ALSA. When ALSA enabled applications want to access the sound devices, they use IPC resources to “collaborate” around the sound subsystem (semaphores and shared memory to be exact). Semaphores inherit the type of the domain that first created the semaphore (so if mplayer creates it, then the semaphore has the mplayer_t context) whereas shared memory usually gets the tmpfs-related type (mplayer_tmpfs_t). When a second application wants to access the sound device as well, it needs access to the semaphore and shared memory. Assuming this second application is the browser, then mozilla_t needs access to semaphores by mplayer_t. And the same for chromium_t. Or java_t applications that are ALSA-enabled. And alsa_t. And all other applications that are ALSA enabled.

In Gentoo, ALSA support can be made optional through USE="alsa". If a user decides not to use ALSA, then it doesn’t make sense to allow all those domains access to each others’ semaphores and shared memory. And although SELinux booleans can help, this would mean that for each application domain, something like the following policy would need to be, optionally, allowed:

# For the mplayer_t domain:
optional_policy(`
  tunable_policy(`use_alsa',`
    mozilla_rw_semaphores(mplayer_t)
    mozilla_rw_shm(mplayer_t)
    mozilla_tmpfs_rw_files(mplayer_t)
  ')
')

optional_policy(`
  tunable_policy(`use_alsa',`
    chromium_rw_semaphores(mplayer_t)
    chromium_rw_shm(mplayer_t)
    chromium_tmpfs_rw_files(mplayer_t)
  ')
')

And this for all domains that are ALSA-enabled. Every time a new application is added that knows ALSA, the same code needs to be added to all policies. And this only uses a single SELinux boolean (whereas Gentoo supports USE="alsa" on per-package level), although we can create separate booleans for each domain if we want to. Not that that will make it more manageable.

One way of dealing with this would be to use attributes. Say we have a policy like so:

attribute alsadomain;
attribute alsatmpfsfile;

allow alsadomain alsadomain:sem rw_sem_perms;
allow alsadomain alsadomain:shm rw_shm_perms;
allow alsadomain alsatmpfsfile:file rw_file_perms;

By assigning the attribute to the proper domains whenever ALSA support is needed, we can toggle this more easily:

# In alsa.if
interface(`alsa_domain',`
  gen_require(`
    attribute alsadomain;
    attribute alsatmpfsfile;
  ')
  typeattribute $1 alsadomain;
  typeattribute $2 alsatmpfsfile;
')


# In mplayer.te
optional_policy(`
  tunable_policy(`use_alsa',`
    alsa_domain(mplayer_t, mplayer_tmpfs_t)
  ')
')

That would solve the problem of needlessly adding more calls in a policy for every ALSA application. And hey, we can probably live with either a global boolean (use_alsa) or per-domain one (mplayer_use_alsa) and toggle this according to our needs.

Sadly, the above is not possible: one cannot define typeattribute assignments inside a tunable_policy code: attributes are part of the non-conditional part of a SELinux policy. The solution would be to create build-time conditionals (rather than run-time):

ifdef(`use_alsa',`
  optional_policy(`
    alsa_domain(mplayer_t, mplayer_tmpfs_t)
  ')
')

This does mean that use_alsa has to be known when the policy is built. For Gentoo, that’s not that bad, as policies are part of separate packages, like sec-policy/selinux-mplayer. So what I now added was USE-enabled build-time decisions that trigger this code. The selinux-mplayer package has IUSE="alsa" which will enable, if set, the use_alsa build-time conditional.

As a result, we now support a better, fine-grained privilege setting inside the SELinux policy which is triggered through the proper USE flags.

Is this a perfect solution? No, but it is manageable and known to Gentoo users. It isn’t perfect, because it listens to the USE flag setting for the selinux-mplayer package (and of course globally set USE flags) but doesn’t “detect” that the firefox application (for which the policy is meant) is or isn’t built with USE="alsa". So users/administrators will need to keep this in mind when using package-local USE flag definitions.

Also, this will make it a bit more troublesome for myself to manage the SELinux policy for Gentoo (as upstream will not use this setup, and as such patches from upstream might need a few manual corrections before they apply to our tree). However, I gladly take that up if it means my system will have somewhat better confinement.

March 29, 2014
Robin Johnson a.k.a. robbat2 (homepage, bugs)

This is a slightly edited copy of an email I send to the mailing lists for my local hackspace, VHS. I run their mailing lists presently for historical reasons, but we're working on migrating them slowly.


Hi all,

Speaking as your email list administrator here. I've tried to keep the logs below as intact as possible, I've censored only one user's domain as being identifying information explicitly, and then two other recipient addresses.

There have been a lot of reports lately of bounce notices from the list, and users have correctly contacted me, wondering what's going on. The bounce messages are seen primarily by users on Gmail and hosted Google Apps, but the problems do ultimately affect everybody.

67.6% of the vhs-general list uses either gmail or google apps (347 subs of 513). For the vhs-members list it's 68.3% (both of these stats created by checking if the MX record for the user's domain points to Google).

Google deciding that a certain list message is too much like spam, because of two things:

  • because of content
  • because of DMARC policy

Content:

We CAN do something about the content.

Please don't send email that has one or twos, containing a URL and a short line of text. It's really suspicious and spam-like.

Include a better description (two or three lines) with the URL.

This gets an entry in the mailserver logs like:

delivery 47198: failure:
+173.194.79.26_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.1_[66.196.40.251______12]_Our_system_has_detected_that_this_message_is/550-5.7.1_likely_unsolicited_mail._To_reduce_the_amount_of_spam_sent_to_Gmail,/550-5.7.1_this_message_has_been_blocked._Please_visit/550-5.7.1_http://support.google.com/m
+ail/bin/answer.py?hl=en&answer=188131_for/550_5.7.1_more_information._mu18si1139639pab.287_-_gsmtp/

That was triggered by this email earlier in the month:

> Subject: Kano OS for RasPi
> http://kano.me/downloads
> Apparently it's faster than Rasbian

DMARC policy:

TL;DR: If you work on an open-source mailing list app, please implement DMARC support ASAP!

Google and other big mail hosters have been working on an anti-spam measure called DMARC [1].

Unlike many prior attempts, it latches onto the From header as well as the SMTP envelope sender, and this unfortunately interferes with mailing lists [2], [3].

I do applaud the concept behind DMARC, but the rollout seems to be hurting lots of the small guys.

At least person (Eric Sachs) at Google is aware of this [4]. There is no useful workaround that I can enact as a list admin right now, other than asking the one present user to tweak his mailserver if possible.

There is also no completed open source support I can find for DMARC. Per the Google post above, the Mailman project is working on it [5], [6], but it's not yet available as of the last release. Our lists run on ezmlm-idx, and I run some other very large lists using mlmmj (gentoo.org) and sympa; none of them have DMARC support.

The problem is only triggering with a few conditions so far:

  • Recpient is on a mail service that implements DMARC (and DKIM and SPF)
  • Sender is on a domain that has a DMARC policy of reject

Of the 115 unique domains used by subscribers on this list, here are all the DMARC policies:

_dmarc.gmail.com.       600  IN TXT "v=DMARC1\; p=none\; rua=mailto:mailauth-reports@google.com"
_dmarc.USERDOMAIN.ca.   7200 IN TXT "v=DMARC1\; p=reject\; rua=mailto:azrxfkte@ag.dmarcian.com\; ruf=mailto:azrxfkte@fr.dmarcian.com\; adkim=s\; aspf=s"
_dmarc.icloud.com.      3600 IN TXT "v=DMARC1\; p=none\; rua=mailto:dmarc_agg@auth.returnpath.net, mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com, mailto:dmarc_afrf@auth.returnpath.net\;rf=afrf\;pct=100"
_dmarc.mac.com.         3600 IN TXT "v=DMARC1\; p=none\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\;"
_dmarc.me.com.          3600 IN TXT "v=DMARC1\; p=none\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\;"
_dmarc.yahoo.ca.        7200 IN TXT "v=DMARC1\; p=none\; pct=100\; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com\;"
_dmarc.yahoo.com.       1800 IN TXT "v=DMARC1\; p=none\; pct=100\; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com\;"
_dmarc.yahoo.co.uk.     1800 IN TXT "v=DMARC1\; p=none\; pct=100\; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com\;"

Only one of those includes a reject policy, but I suspect it's a matter of time until more of them will include it. I'm going to use USERDOMAIN.ca here as the rest of the example, and that user is indirectly responsible for lots of the rejects we are seeing.

Step 1.

User sends this email.

From: A User <someuser@userdomain.ca>
To: vhs-general@lists.hackspace.ca

Delivered to list server via SMTP (these two addresses form the SMTP envelope)

MAIL FROM:<someuser@userdomain.ca>
RCPT TO:<vhs-general@lists.hackspace.ca>

Step 2.

If the MAIL-FROM envelope address is on the list of list subscribers, your message is accepted.

Step 3.0.

The list adjusts the mail to outgoing, and uses SMTP VERP [7] to get the mail server to send the new message. This means it hands off a single copy of the email, as well as a list of all recipients for the mail. Envelope from address in this case will encode the name of the list and the number of the mail in the archive.

If it was delivering to me (robbat2@orbis-terrarum.net), the outgoing SMTP connection would look roughly like:

MAIL FROM:<vhs-general-return-18094-robbat2=orbis-terrarum.net@lists.hackspace.ca>
RCPT TO:<robbat2@orbis-terrarum.net>

And the mail itself still looks like:

From: A User <someuser@userdomain.ca>
To: vhs-general@lists.hackspace.ca

Step 3.1.

I got this email, and if I open it I see this telling me about the SMTP details:

Return-Path: <vhs-general-return-18094-robbat2=orbis-terrarum.net@lists.hackspace.ca>

I don't implement DMARC on my domain. If my system bounced the email, it would have gone to that address, and the list app would know that message 18094 on list vhs-general bounced to user robbat2@orbis-terrarum.net.

Step 3.2.

Google DOES implement DMARC, so lets run through that.

The key part of DMARC is that it takes the domain from the From header.

_dmarc.USERDOMAIN.ca.   7200 IN TXT "v=DMARC1\; p=reject\; rua=mailto:azrxfkte@ag.dmarcian.com\; ruf=mailto:azrxfkte@fr.dmarcian.com\; adkim=s\; aspf=s"

The relevant parts to us are:

p=reject, aspf=s

The ASPF section applies strict mode, and says the mail with a From header of someuser@USERDOMAIN.ca, must have an exact match of the MAIL FROM transaction of @USERDOMAIN.ca.

It doesn't match, as the list changed the MAIL FROM address. The p=reject says to reject the mail if this happens.

This runs counter to the design principles of mailing lists, so DMARC has a bunch of options, all of which require changing the mail in some way.

Here's the logs from the above failure:

> 2014-03-19 11:19:50.783996500 new msg 98907
> 2014-03-19 11:19:50.783998500 info msg 98907: bytes 8864 from <vhs-general-return-18094-@lists.hackspace.ca-@[]> qp 32511 uid 89
> 2014-03-19 11:19:50.785359500 starting delivery 211352: msg 98907 to remote user1@gappsdomain.com
> 2014-03-19 11:19:50.785385500 status: local 1/10 remote 1/40
> 2014-03-19 11:19:50.785450500 starting delivery 211353: msg 98907 to remote user2@gmail.com
> ...
> 2014-03-19 11:19:58.713558500 delivery 211352: failure:
+74.125.25.27_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.1_Unauthenticated_email_from_USERDOMAIN.ca_is_not_accepted_due_to_domain's/550-5.7.1_DMARC_policy._Please_contact_administrator_of_USERDOMAIN.ca_domain_if/550-5.7.1_this_was_a_legitimate_mail._Please_visit/550-5.7.1__http://support.google.com
+/mail/answer/2451690_to_learn_about_DMARC/550_5.7.1_initiative._ub8si9386628pac.133_-_gsmtp/
> 2014-03-19 11:19:59.053816500 delivery 211353: failure:
+173.194.79.26_failed_after_I_sent_the_message./Remote_host_said:_550-5.7.1_Unauthenticated_email_from_USERDOMAIN.ca_is_not_accepted_due_to_domain's/550-5.7.1_DMARC_policy._Please_contact_administrator_of_USERDOMAIN.ca_domain_if/550-5.7.1_this_was_a_legitimate_mail._Please_visit/550-5.7.1__http://support.google.co
+m/mail/answer/2451690_to_learn_about_DMARC/550_5.7.1_initiative._my2si9389106pab.76_-_gsmtp/

[1] http://dmarc.org/
[2] http://dmarc.org/faq.html#s_3
[3] http://dmarc.org/faq.html#r_2
[4] https://sites.google.com/site/oauthgoog/mlistsdkim
[5] http://www.marshut.com/qskkv/adding-dmarc-support-for-mailman-3.html
[6] https://code.launchpad.net/~jimpop/mailman/dmarc-reject
[7] http://en.wikipedia.org/wiki/Variable_envelope_return_path

March 27, 2014
Sven Vermeulen a.k.a. swift (homepage, bugs)
Online hardened meeting of March (March 27, 2014, 21:44 UTC)

I’m back from the depths of the unknown, so time to pick up my usual write-up of the online Gentoo Hardened meeting.

Toolchain

GCC 4.9 is being worked on, and might be released by end of April (based on the amount of open bugs). You can find the changes online.

Speaking of GCC, pipacs asked if it is possible in the upcoming 4.8.2 ebuilds to disable the SSP protection for development purposes (such as when you’re developing GCC plugins that do similar protection measures like SSP, but you don’t want those to collide with each other). Recent discussion on Gentoo development mailinglist had a consensus that the SSP protection measures (-fstack-protector) can be enabled by default, but of course if people are developing new GCC plugins which might interfere with SSP, disabling it is needed. One can use -fno-stack-protector for this, or build stuff with -D__KERNEL__ (as for kernel builds the default SSP handling is disabled anyway, allowing for kernel-specific implementations).

Other than those, there is no direct method to make SSP generally unavailable.

Blueness is also working on musc-libc on Gentoo, which would give a strong incentive for hardened embedded devices. For desktops, well, don’t hold your breath just yet.

Kernel grSec/PaX

It looks like kernel 3.13 will be Ubuntu’s LTS kernel choice, which also makes it the kernel version that grSecurity will put the long term support for in. And with Linux 3.14 almost out, the grsec patches for it are ready as well. Of the previous LTS kernels, 3.2 will probably finish seeing grsec support somewhere this year.

The C wrapper (called install-xattr) used to preserve xattr information during Portage builds has not been integrated in Portage yet, but the development should be finished.

During the chat session, we also discussed the gold linker and how it might be used by more and more packages (so not only by users that explicitly ask for it). udev version 210 onwards is one example, but some others exist. But other than its existence there’s not much to say right here.

SELinux

The 20140311 release of the reference policy is now in the Portage tree.

Also, prometheanfire caught a vulnerability (CVE-2014-1874) in SELinux which has been fixed in the latest kernels.

System Integrity

I made a few updates to the gentoo hardening guide in XCCDF/OVAL format. Nothing major, and I still need to add in a lot of other best practices (as well as automate the tests through OVAL), but I do intend to update the files (at least the gentoo one and ssh as OpenSSH 6 is now readily available) regularly in the next few weeks.

Profiles

A few minor changes have been made to hardened/uclibc to support multilib, but other than that nothing has been done (nor needed to be done) to our profiles.

That’s it for this months hardened meeting write-up. See you next time!

March 26, 2014
Jan Kundrát a.k.a. jkt (homepage, bugs)
Tagged pointers, and saving memory in Trojita (March 26, 2014, 17:02 UTC)

One of the improvements which were mentioned in the recent announcement of Trojitá, a fast Qt e-mail client, were substantial memory savings and speed improvements. In the rest of this post, I would like to explain what exactly we have done and how it matters. This is going to be a technical post, so if you are not interested in C++ or software engineering, you might want to skip this article.

Planting Trees

At the core of Trojitá's IMAP implementation is the TreeItem, an abstract class whose basic layout will be familiar to anyone who has worked with a custom QAbstractItemModel reimplementation. In short, the purpose of this class is to serve as a node in the tree of items which represent all the data stored on a remote IMAP server.

The structure is tree-shaped because that's what fits both the QAbstractItemModel's and the IMAP way of working. At the top, there's a list of mailboxes. Children of these mailboxes are either other, nested mailboxes, or lists of messages. Below the lists of messages, one can find individual e-mails, and within these e-mails, individual body parts as per the recursive nature of the MIME encapsulation. (This is what enables messages with pictures attached, e-mail forwarding, and similar stuff. MIME is fun.) This tree of items is used by the QAbstractItemModel for keeping track of what is where, and for issuing the QModelIndex instances which are used by the rest of the application for accessing, requesting and manipulating the data.

When a QModelIndex is used and passed to the IMAP Model, what matters most is its internalPointer(), a void * which, within Trojitá, always points to an instance of some TreeItem subclass. Everything else, like the row() and column(), are actually not important; the pointer itself is enough to determine everything about the index in question.

Each TreeItem has to store a couple of interesting properties. Besides the usual Qt-mandated stuff like pointer to the parent item and a list of children, there are also application-specific items which enable the code to, well, actually do useful things like printing e-mail subjects or downloading mail attachments. For a mailbox, this crucial information might be the mailbox name. For a message, the UID of the message along with a pointer to the mailbox is enough to uniquely identify everything which is needed.

Lazy Loading

Enter the lazy loading. Many people confirm that Trojitá is fast, and plenty of them are not afraid to say that it is blazingly fast. This speed is enabled by the fact that Trojitá will only do the smallest amount of work required to bring the data over the network (or from disk, for that matter). If you open a huge mailbox with half a million messages, perhaps the GMail's "All messages" account, or one's LKML archive, Trojitá will not start loading half a million of subjects. Instead, the in-memory TreeItem nodes are created in a special state "no data has been requested yet". Trojitá still creates half a million items in memory, but these items are rather lightweight and only contain the absolute minimum of data they need for proper operation.

Some of these "empty" nodes are, eventually, consulted and used for item display -- perhaps because a view is attached to this model, and the view wants to show the recent mail to the user. In Qt, this usually happens via the data() method of the QAbstractItemModel, but other methods like rowCount() have a very similar effect. Whenever more data are needed, the state of the tree node changes from the initial "no data have been requested" to "loading stuff", and an asynchronous request for these data is dispatched. An important part of the tale is that the request is indeed completely asynchronous, so you won't see any blocking whatsoever in the GUI. The QTreeView will show an animation while a subtree is expanded, the message viewer might display a spinner, and the mail listing shows greyed-out "Loading..." placeholder instead of the usual message subjects.

After a short while, the data arrive and the tree node is updated with the extracted contents -- be it e-mail subject, or perhaps the attached image of dancing pigs. As the requested data are now here, the status of the tree node is updated from the previous "loading stuff" into "done". At the same time, an appropriate signal, like dataChanged or rowsInserted, is emitted. Requesting the same data again via the classic MVC API will not result in network requests, but everything will be accommodated from the local cache.

What we see now is that there is just a handful of item states, yet the typical layout of the TreeItem looks roughly like this:

enum class FetchingStatus {
    INITIAL_NOTHING_REQUESTED_YET,
    LOADING,
    DONE,
    FAILED
};
class TreeItem {
    TreeItem *m_parent;
    QList<TreeItem*> m_children;
    FetchingStatus m_status;
};

On a 64bit system, this translates to at least three 64bit words being used -- one for the painter to the parent item, one (or much more) for storage of the list of children, and one more for storing the enum FetchingStatus. That's a lot of space, given we have just created half a million of these items.

Tagged Pointers

An interesting property of a modern CPU is that the data structures must be aligned properly. A very common rule is that e.g. a 32bit integer can only start at memory offset which is a multiple of four. In hex, this means that an address, or a pointer value, could end with 0x0, or 0x4, or 0x8, or 0xc. The detailed rules are platform-specific and depend on the exact data structure which we are pointing to, but the important message is that at least some of the low bits in the pointer address are always going to be zero. Perhaps we could encode some information in there?

Turns out this is exactly what pointer tagging is about. Instead of having two members, one TreeItem * and one FetchingStatus, these are squashed into a single pointer-sized value. The CPU can no longer use the pointer value directly, all accesses have to go via an inlined function which simply masks away the lowest bits which do bring a very minor performance hit, but the memory conservation is real.

For a real-world example, see this commit in Trojitá.

Using Memory Only When Needed

Back to our example of a mailbox with 500k messages. Surely a user is only going to see a small subset of them at once, right?

That is indeed the case. We still have to at least reserve space for 500k items for technical reasons, but there is certainly no need to reserve space for heavy stuff like subjects and other headers. Indeed, in Trojitá, we track the From/To/Cc/Bcc headers, the subjects, various kinds of timestamps, other envelope items and similar stuff, and this totals a couple hundred bytes per each message. A couple hundred bytes is not much (pun intended), but "a couple hundred bytes" times "half a million" is a ton of memory.

This got implemented here. One particular benchmark which tests how fast Trojitá resynchronizes a mailbox with 100k of messages showed immediate reduction in memory usage from previous 45 MB to 25 MB. The change, again, does come with a cost; one now has to follow one more pointer redirection, and one has to perform one more dynamic allocation for each message which is actually visible. That, however, proves to be negligible during typical usage.

Measure, Don't Guess

As usual with optimizing, the real results might sometimes be surprising. A careful reader and an experienced Qt programmer might have noticed the QList above and shuddered in horror. In fact, Trojitá now uses QVector in its place, but when I was changing the code, using std::vector sounded like a no-brainer. Who needs the copy-on-write semantics here anyway, so why should I pay its price in this context? These data (list of children of an item) are not copied that often, and copying a contiguous list of pointers is pretty cheap anyway (it surely is dwarfed by dynamic allocation overhead). So we should just stick with std::vector, right?

Well, not really. It turned out that plenty of these lists are empty most of the time. If we are looking at the list of messages in our huge mailbox, chances are that most of these messages were not loaded yet, and therefore the list of children, i.e. something which represents their inner MIME structure, is likely empty. This is where the QVector really shines. Instead of using three pointers per vector, like the GCC's std::vector does, QVector is happy with a single pointer pointing to a shared null instance, something which is empty.

Now, factor of three on an item which is used half a million times, this is something which is going to hurt. That's why Trojitá eventually settled on using QVector for the m_children member. The important lesson here is "don't assume, measure".

Wrapping up

Thanks to these optimization (and a couple more, see the git log), one particular test case now runs ten times faster while simultaneously using 38% less memory -- comparing the v0.4 with v0.3.96. Trojitá was pretty fast even before, but now it really flies. The sources of memory diet were described in today's blog post; the explanation on how the time was cut is something which will have to wait for another day.

Sven Vermeulen a.k.a. swift (homepage, bugs)
Fixing the busybox build failure (March 26, 2014, 12:18 UTC)

Since a few months I have a build failure every time I try to generate an initial ram file system (as my current primary workstation uses a separate /usr and LVM for everything except /boot):

* busybox: >> Compiling...
* ERROR: Failed to compile the "all" target...
* 
* -- Grepping log... --
* 
*           - busybox-1.7.4-signal-hack.patch
* busybox: >> Configuring...
*COMMAND: make -j2 CC="gcc" LD="ld" AS="as"  
*  HOSTCC  scripts/basic/fixdep
*make: execvp: /var/tmp/genkernel/18562.2920.28766.17301/busybox-1.20.2/scripts/gen_build_files.sh: Permission denied
*make: *** [gen_build_files] Error 127
*make: *** Waiting for unfinished jobs....
*/bin/sh: scripts/basic/fixdep: Permission denied
*make[1]: *** [scripts/basic/fixdep] Error 1
*make: *** [scripts_basic] Error 2

I know it isn’t SELinux that is causing this, as I have no denial messages and even putting SELinux in permissive mode doesn’t help. Today I found the time to look at it with more fresh eyes, and noticed that it wants to execute a file (gen_build_files.sh) situated in /var/tmp somewhere. That file system however is mounted with noexec (amongst other settings) so executing anything from within that file system is not allowed.

The solution? Update /etc/genkernel.conf and have TMPDIR point to a location where executing is allowed. Of course, this being a SELinux system, the new location will need to be labeled as tmp_t as well, but that’s just a simple thing to do.

~# semanage fcontext -a -t tmp_t /var/build/genkernel(/.*)?
~# restorecon -R /var/build/genkernel

The new location is not world-writable (only for root as only root builds initial ram file systems here) so not having noexec here is ok.

March 24, 2014
Sven Vermeulen a.k.a. swift (homepage, bugs)
Create your own SELinux Gentoo profile (March 24, 2014, 19:51 UTC)

Or any other profile for that matter ;-)

A month or so ago we got the question how to enable SELinux on a Gentoo profile that doesn’t have a <some profilename>/selinux equivalent. Because we don’t create SELinux profiles for all possible profiles out there, having a way to do this yourself is good to know.

Sadly, the most efficient way to deal with this isn’t supported by Portage: creating a parent file pointing to /usr/portage/profiles/features/selinux in /etc/portage/profile, as is done for all SELinux enabled profiles. The /etc/portage/profile location (where users can do local changes to the profile settings) does not support a parent file in there.

Luckily, enabling SELinux is a matter of merging the files in /usr/portage/profiles/features/selinux into /etc/portage/profile. If you don’t have any files in there, you can blindly copy over the files from features/selinux.

Edit: aballier on #gentoo-dev mentioned that you can create a /etc/portage/make.profile directory (instead of having it be a symlink managed by eselect profile) which does support parent files. In that case, just create one with two entries: one path to the profile you want, and one path to the features/selinux location.

Hidden symbols and dynamic linking (March 24, 2014, 19:14 UTC)

A few weeks ago, we introduced an error in the (~arch) libselinux ebuild which caused the following stacktrace to occur every time the semanage command was invoked:

~ # semanage
Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/semanage", line 27, in 
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 27, in 
    import sepolicy
  File "/usr/lib64/python2.7/site-packages/sepolicy/__init__.py", line 11, in 
    import sepolgen.interfaces as interfaces
  File "/usr/lib64/python2.7/site-packages/sepolgen/interfaces.py", line 24, in 
    import access
  File "/usr/lib64/python2.7/site-packages/sepolgen/access.py", line 35, in 
    from selinux import audit2why
ImportError: /usr/lib64/python2.7/site-packages/selinux/audit2why.so: undefined symbol: sepol_set_policydb

Usually this error means that a needed library (a .so file) is missing, or is not part of the /etc/ld.so.conf list of directories to scan. And when SELinux is enabled, you might want to check the permissions of that file as well (who knows). But that wasn’t the case here. After trying to figure things out (which includes switching Python versions, grepping for sepol_set_policydb in libsepol.so and more) I looked at the audit2why.c code and see if/where sepol_set_policydb is needed, as well as at the libsepol sources to see where it is defined. And yes, the call is (of course) needed, but the definition made me wonder if this wasn’t a bug:

int hidden sepol_set_policydb(policydb_t * p)
{
        policydb = p;
        return 0;
}

Hidden? But, that means that the function symbol is not available for dynamic linking… So if that is the case, shouldn’t audit2why.c not call it? Turns out, this was due to a fix we introduced earlier on, where libsepol got linked dynamically instead of statically (i.e. using libsepol.a). Static linking of libraries still allows for the (hidden) symbols to be used, whereas dynamic linking doesn’t.

So that part of the fix got reverted (and should fix the bug we introduced), and I learned a bit more about symbols (and the hidden statement).

Bonus: if you need to check what symbols are available in a binary / shared library, use nm:

~$ nm -D /path/to/binary

March 21, 2014
Nathan Zachary a.k.a. nathanzachary (homepage, bugs)

Recently I ran into a problem with RHEL 6 (and any derivatives, like CentOS 6 or Scientific Linux 6) where having two NICs (network interfaces) in the same subnet resulted in strange behaviour. In RHEL ≤5 (or CentOS ≤5), one could have two interfaces with IPs in the same subnet and there weren’t any problems (besides the obvious question of why one would set it up this way instead of just bonding the interfaces). However, in RHEL 6 (or CentOS 6), having two interfaces with IPs in the same subnet results in the primary one pinging but the secondary one not responding.

The cause of this problem is that the rp_filter settings changed between these kernels (2.6.18 in RHEL 5 and 2.6.32 in RHEL 6). In RHEL 5, the rp_filter setting was a boolean where 1 meant that source validation was done by reversed path (as in RFC1812), and 0 meant no source validation. However, in RHEL 6, this setting changed to an integer with the following settings:

*****
0 – No source validation

1 – Strict Reverse Path validation (RFC3704) – Packets are checked against the FIB (Forwarding Information Base), and only the best ones succeed

2 – Loose Reverse Path validation (RFC3704) – Packets are checked against the FIB, but only non-reachable BY ANY INTERFACE will fail
*****

So, though the default setting is still 1, it now has a different meaning. In order to get these two network interfaces with IPs in the same subnet to both respond, I needed to make two changes in /etc/sysctl.conf:

  • Change net.ipv4.conf.default.rp_filter from ’1′ to ’2′
  • Add the line net.ipv4.conf.all.rp_filter = 2

To better illustrate the changes, here are the differences:

DEFAULT SETTINGS:
# grep '.rp_filter' /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 1

REQUIRED SETTINGS:
# grep '.rp_filter' /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2

In order to make these changes effective immediately, you can reload the configuration with:

# sysctl -p

Ultimately, the new defaults make it so that the kernel discards packets when the route for outbound traffic differs from the route of incoming traffic. Changing these settings as mentioned above will make the kernel handle those packets like it did before 2.6.32. That way, having two or more interfaces with IPs in the same subnet will function as intended. Also, these changes aren’t limited to just RHEL 6 and derivatives, but also to any distribution with ≥kernel-2.6.32 in which the defaults were not changed.

Cheers,
Zach

March 20, 2014
Jan Kundrát a.k.a. jkt (homepage, bugs)

Summary

An SSL stripping vulnerability was discovered in Trojitá, a fast Qt IMAP e-mail client. User's credentials are never leaked, but if a user tries to send an e-mail, the automatic saving into the "sent" or "draft" folders could happen over a plaintext connection even if the user's preferences specify STARTTLS as a requirement.

Background

The IMAP protocol defines the STARTTLS command which is used to transparently upgrade a plaintext connection to an encrypted one using SSL/TLS. The STARTTLS command can only be issued in an unauthenticated state as per the IMAP's state machine.

RFC 3501 also allows for a possibility of the connection jumping immediately into an authenticated state via the PREAUTH initial response. However, as the STARTTLS command cannot be issued once in the authenticated state, an attacker able to intercept and modify the network communication might trick the client into a state where the connection cannot be encrypted anymore.

Affected versions

All versions of Trojitá up to 0.4 are vulnerable. The fix is included in version 0.4.1.

Remedies

Connections which use the SSL/TLS form the very beginning (e.g. the connections using port 993) are secure and not vulnerable.

Possible impact

The user's credentials will never be transmitted over a plaintext connection even in presence of this attack.

Because Trojitá proceeded to use the connection without STARTTLS in face of PREAUTH, certain data might be leaked to the attacker. The only example which we were able to identify is the full content of a message which the user attempts to save to their "Sent" folder while trying to send a mail.

We don't believe that any other data could be leaked. Again, user's credentials will not be leaked.

Acknowledgement

Thanks to Arnt Gulbrandsen on the imap-protocol ML for asking what happens when we're configured to request STARTTLS and a PREAUTH is received, and to Michael M Slusarz for starting that discussion.

March 18, 2014
Donnie Berkholz a.k.a. dberkholz (homepage, bugs)

Students, this Friday at 1900 UTC is the deadline to apply for this year’s GSoC. It’s an awesome program that pays you to work on open-source projects for a summer (where you == a university/college student).

It’s by no means too late, but start your application today. You can find more information on Gentoo’s projects here (click on the Ideas page to get started; also see our application guidelines) and on the broader GSoC program here.

Good luck!


Tagged: community, development, gentoo, gsoc

March 07, 2014
Alexys Jacob a.k.a. ultrabug (homepage, bugs)
Couchbase on Gentoo Linux (March 07, 2014, 16:29 UTC)

Back in 2010 when I was comparing different NoSQL solutions I came across CouchDB. Even tho I went for mongoDB in the end, it was still a nice and promising technology even more since the merge with the Membase guys in late 2012 which lead to the actual Couchbase.

I won’t go into the details of Couchbase itself since it’s way covered all around the net but I wanted to let you guys know that I’ve packaged most of the couchbase ecosystem for Gentoo Linux :

  • dev-db/couchbase-server-community-2.2.0 : the community server edition (bin)
  • dev-libs/libcouchbase-2.2.0 : the C client library
  • dev-python/couchbase-1.2.0 : the python client library

Those packages are still only available on my overlay (ultrabug on layman) since I’m not sure about the interest of other users in the community and I still need to make sure it’s production ready enough.

If you’re interested in seeing this package in portage, please say so !

I dedicate this packaging to @atorgfr :)

March 05, 2014
Michał Górny a.k.a. mgorny (homepage, bugs)

In a previous article titled ‘using deltas to speed up SquashFS ebuild repository updates’, the author has considered benefits of using binary deltas to update SquashFS images. The proposed method has proven very efficient in terms of disk I/O, memory and CPU time use. However, the relatively large size of deltas made network bandwidth a bottleneck.

The rough estimations done at the time proved that this is not a major issue for a common client with a moderate-bandwidth link such as ADSL. Nevertheless, the size is an inconvenience both to clients and to mirror providers. Assuming that there is an upper bound on disk space consumed by snapshots, the extra size reduces the number of snapshots stored on mirrors, and therefore shortens the supported update period.

The most likely cause for the excessive delta size is the complexity of correlation between input and compressed output. Changes in input files are likely to cause much larger changes in the SquashFS output that the tested delta algorithms fail to express efficiently.

For example, in the LZ family of compression algorithms, a change in input stream may affect the contents of the dictionary and therefore the output stream following it. In block-based compressors such as bzip2, a change in input may shift all the following data moving it across block boundaries. As a result, the contents of all the blocks following it change, and therefore the compressed output for each of them.

Since SquashFS splits the input into multiple blocks that are compressed separately, the scope of this issue is much smaller than in plain tarballs. Nevertheless, small changes occurring in multiple blocks are able to grow delta two to four times as large as it would be if the data was not compressed. In this paper, the author explores the possibility of introducing a transparent decompression in the delta generation process to reduce the delta size.

Read on… [PDF]

Jan Kundrát a.k.a. jkt (homepage, bugs)
Trojita 0.4 "Ukraine" is released (March 05, 2014, 14:22 UTC)

Hi all,
we are pleased to announce version 0.4 of Trojitá, a fast Qt IMAP e-mail client. For this release, a lot of changes were made under the hood, but of course there are some changes that are visible to the user as well.

Improvements:

  • Users are able to use multiple sessions, which means that it is possible to use Trojitá with multiple IMAP accounts at the same time. It can be used by invoking Trojitá with the --profile something switch. For each profile, a new instance of the application is started. Please note that this is not our final solution for the multi-accounts problem; work on this is ongoing. For details, refer to the detailed instructions.
  • In the Composer Window, users can now control whether the current message is a reply to some other message. Hopefully, this will make it easier to reply to a ton of people while starting a new thread, not lumping the unrelated conversations together.
  • Trojitá will now detect changes to the network connection state. So for example, when a user switches from a wireless connection to a wired one, Trojitá will detect that and try to reconnect automatically.
  • Trojitá gained a setting to automatically use the system proxy settings.
  • SOCKS5 and HTTP proxies are supported.
  • Memory usage has been reduced and speed has been improved. Our benchmarks indicate being ten times faster when syncing huge mailboxes, and using 38% less memory at the same time.
  • The Compose Window supports editing the "From" field with hand-picked addresses as per common user requests.

This release has been tagged in git as "v0.4". You can also download a tarball (GPG signature). Prebuilt binaries for multiple distributions are available via the OBS .

This release is dedicated to the people of all nations living in Ukraine. We are no fans of political messages in software announcements, but we also cannot remain silent when unmarked Russian troops are marching over a free country. The Trojitá project was founded in a republic formerly known as Czechoslovakia. We were "protected" by foreign aggressors twice in the 20th century — first in 1938 by the Nazi Germany, and second time in 1968 by the occupation forces of the USSR. Back in 1938, Adolf Hitler used the same rhetorics we hear today: that a national minority was oppressed. In 1968, eight people who protested against the occupation in Moscow were detained within a couple of minutes, convicted and sent to jail. In 2014, Moscowians are protesting on a bigger scale, yet we all see the cops arresting them on Youtube — including those displaying blank signs.

This is not about politics, this is about morality. What is happening today in Ukraine is a barbaric act, an occupation of an innocent country which has done nothing but stopped being attracted to their more prominent eastern neighbor. No matter what one thinks about the international politics and the Crimean independence, this is an act which must be condemned and fiercely fought against. There isn't much what we could do, so we hope that at least this symbolic act will let the Ukrainians know that the world's thoughts are with them in this dire moment. За вашу и нашу свободу, indeed!

Finally, we would like to thank Jai Luthra, Danny Rim, Benjamin Kaiser and Yazeed Zoabi, our Google Code-In students, and Stephan Platz, Karan Luthra, Tomasz Kalkosiński and Luigi Toscano, people who recently joined Trojitá, for their code contributions.

The Trojitá developers

  • Jan Kundrát
  • Yuri Chornoivan
  • Karan Luthra
  • Pali Rohár
  • Tomasz Kalkosiński
  • Christian Degenkolb
  • Jai Luthra
  • Stephan Platz
  • Thomas Lübking

March 03, 2014
Gentoo Monthly Newsletter - February 2014 (March 03, 2014, 19:02 UTC)

The February 2014 GMN issue is now available online.

This month on GMN:

  • Interview with Gentoo developer Sven Vermeulen (swift)
  • Latest Gentoo news, job openings, interesting stats and much more.

March 01, 2014
Gentoo Monthly Newsletter: February 2014 (March 01, 2014, 19:00 UTC)

Gentoo news

Interview with Gentoo developer Sven Vermeulen (swift)

(by David Abbott)

1. Hi Sven, tell us about yourself?
My name is Sven Vermeulen. Although Sven is a primarily Scandinavian name, I have no roots with Scandinavia. I’m born (and still living) in Belgium, growing up with geeky domains such as technology, math, science and computing. In 2005 I graduated as engineer and started working for KBC, one of Belgium’s leading financial institutions (bank & insurance). In it, I always kept technology close to me, first as system engineer and now as IT architect.

My interest in technology & science never faded. Although computer systems and software development are my primary hobbies (as they can be handled hands-on easily without heavy investments) I still like to learn about the progress made in other fields and give myself exercises to keep my knowledge on those fields up to date. And for some reason, that always tends to help me with my real-life work (for instance for contract optimizations I used mathematical optimization methods).

I live with my daughter close to my work (between Brussels and Antwerp) which allows me to go to work by bicycle if my presence isn’t needed elsewhere. My work does require me to go abroad from time to time, but mostly within the European Union.

In my free time I enjoy … wait, free time? Nope, don’t have that nowadays. Let me rephrase it: if I had more free time, I’d probably spend it jogging or swimming (which I currently only do to clear my mind), sitting behind my computer (programming, documenting or just playing around), watching cats do stupid things on my tv (youtube – I don’t have cable or other TV services) and playing board games with friends.

Alas, most time is spent either on work, on working in my home (renovations) or providing taxi services to my daughter.

2. How did you get involved with Linux and Open Source?
That started in ‘96 or ‘97. I got a RedHat installation to play with and thought I could become a kernel developer with it. Well, I did have lots of imagination back then ;-) But I did enjoy the difference from the previous operating systems I used (Atari and Microsoft DOS/Windows) and was quite hooked by the idea of free software (I think then it was still mostly coined as “open source”).

I never deployed anything commercial / proprietary on my own systems anymore since. The BBS’es (and later Internet) provided all the information I needed to continue with free software. And as a C programmer (not saying I’m good at it, just saying I program in it) I took on the challenge of supporting my (then unsupported) Matrox graphics card with dual output in Linux. I got good help by the Linux development community, and got in touch with Linux’ internal structures. Which I immediately embraced as a new source of knowledge, as I moved to software engineering in my studies.

All software related things I did were in the free software world, patching here and there. After a while, I stumbled upon the next challenge, which was convincing other users to use free software. A major gap in this area was documentation, so I started learning about writing good documentation (I’m still disappointed that the Darwin Information Typing Architecture (DITA) hasn’t broken through), which is about the point that I joined Gentoo Linux.

In Gentoo, I first helped with translations, then moving on to English documentation, authoring, etc. Internally, I’ve been through various roles (regular developer, project manager, top-level project lead, trustee, council) in various areas (most of them non-technical, such as documentation, PR, recruitment). After quitting and joining a few times (I seem to have ups and downs in available time) I’m now running to keep the Gentoo documentation maintained, as well as supporting SELinux through the Gentoo Hardened project.

I often bounce from one technology or software to another, depending on the needs of the day. Need to detect installed libraries (in order to track potential vulnerabilities) but can’t find a tool? I’ll write one. Want to confirm secure configurations? I’ll learn about SCAP technologies and implement that. Require a web-based question & answer application? Let’s look how HTML5 works shall we. I’m pretty fluent in learning about technologies, protocols and what not.

Almost wished I was equally fluent in languages and history, which was my major obstacle at school…

3. I read your book Linux Sea and not only was impressed, really enjoyed it. Doing a Gentoo Linux install using the book as a classroom textbook would be the kind of class I would love to take. How did the book come about, and why Gentoo?
I wanted to create a documentation resource on Linux, discussing how Linux operating systems work (the concepts and architecture, but without diving into the details and advanced usage) and to which I can refer people who have a need for understanding a particular aspect of the operating system.

As a target distribution, I choose Gentoo because there aren’t many resource on Gentoo, and because Gentoo sticks close to the implementations of the projects themselves. There are no interfaces or APIs surrounding any of the functionalities that a Linux operating system provides, so I can easily discuss the real implementations. Not completely a “Linux from scratch”, but sufficiently close.

Another advantage of using Gentoo as example distribution is that readers, who use different distributions, can still enjoy the book (as it explains how things work) and then refer to the distribution-specific information of their distribution to go further, now with the knowledge of how things work “under the hood”.

4. With your skillset you would be welcome in any project, why do you support Gentoo?
I switch between many interest fields, and Gentoo is one of the few distributions that caters for it. If you need a responsive desktop, Gentoo can offer that. You want good support for many graphical environments? Gentoo can offer that. Need to implement a secure server: yes, Gentoo can offer that. Want to run Gentoo on a very small, lightweight device? Gentoo can offer that. Want to create a Linux router? Of course Gentoo can offer that.

If I want to do something similar with another distribution, I would most likely need to use a different set of distributions depending on my needs.

A second reason is the flexibility offered by Gentoo. Many tools offered by Gentoo are meant to assist in the maintenance and use of one or more tools or services, but without limiting the configuration abilities of the underlying components. Take portage for instance: you can hook into the various phases of package deployment easily, and many ebuilds support epatch_user, allowing for customizing deployments without removing functionality offered by Gentoo.

Or OpenRC’s dependency-based service scripts. Instead of naming it with a number depending on when you want to launch it, just put in the necessary dependencies in the scripts and you’re all set. That’s not just easy. That’s what makes Gentoo unique and powerful.

5. What could we be doing better?
I think we should be focusing more on (functional) areas than package sets (herds), and looking for ways to innovate in those areas. Right now, we’re happily following along with (most) upstream projects, and doing our job as a distribution that upstreams patches and supports users.

But why not look for more innovative ideas? Be open and bold with ideas, discuss them publicly (now that we have the Gentoo wiki, this should be easy to implement), create concept code and documentation. Do things other distributions can’t.

We should dare to fail, in order to learn. Right now, it seems that we’re sometimes afraid of making the wrong choice. We’re an organization with several hundred developers and volunteers, but not bound by service agreements, contractual obligations or implied functional adherence based on financial contributions. We should leverage that and move towards more innovative fields.

A second item that I believe would improve Gentoo as a distribution would be to remove complexity. Often, we do things in a somewhat complex way because there is no other way. That’s fine. But after a while, new and simpler methods come by that should replace the functionality we implemented more simplified.

Think about how the Gentoo Handbook is currently developed. We used our own format / syntax for reasons that were, back then, correct reasons. But things move on and mature. And while there are now much better alternatives available, we can’t use it because we customized everything to our needs. Writing documentation in the Gentoo Handbook almost requires you to learn how to program, as we use keywords, conditionals, include directives, automatic link generation, string substitutions and more. This is complex, and we should focus on simplifying this.

*I* should focus on simplifying this.

I’m pretty sure other examples can be found. Are all our eclasses still fully needed? How come the ruby-ng eclass is quite different from python-r1 eclass, even though they generally want to offer the same functionality? TIMTOWTDI, but if there is a method better and more simple than the other, use it.

6. Describe to our readers the relationship between the council and the foundation?
Basically speaking, the council is for technical matters and organization with regards to the Gentoo project, whereas the foundation is for the legal and financial aspects to support the Gentoo project. The two work orthogonal to each other (I am not aware of any overlap).

7. Is this relationship working, does it need to be changed or improved?
I think this is working pretty well and see little room for changes.

8. Same question for improving our partnership with Förderverein Gentoo e.V.
The Förderverein Gentoo e.V. and Gentoo Foundation, Inc. are sort-of siblings. After the decommissioning of Gentoo Technologies, Inc. each organization took on the responsibility of protecting the Gentoo trademark and supporting the Gentoo project in their home base: Förderverein Gentoo e.V. in Germany/Europe, and Gentoo Foundation in the United States of America.

9. What about moving the Gentoo Foundation to Belgium or somewhere in Europe?
I don’t think (re)locating a company to a specific location helps if there isn’t a need to. We should focus on what matters: protection and support of the Gentoo project and its intellectual property, and then evolve towards a structure that can easily support this now and in the future.

10. What documentation is moving to the wiki?
Well, right now we want to have all GuideXML documentation (which is non-handbook formats) on the Gentoo wiki. Most of the GDP-maintained documents (those in /doc/en) have been moved already, and moved into the main name space of the wiki so that others can contribute to it. That is also one of the main motivations for the move, as the Gentoo Documentation Project, for now, has insufficient resources to maintain GDP-only documentation.

In the next phase, handbook format documents (such as the SELinux Handbook, Gentoo Security Handbook and eventually the Gentoo Handbook itself) can be moved to the wiki as well. For the Gentoo Handbook though, this is more than just a copy of the data – it will require a refactoring of the documentation into a way that we can structure. I know the wiki supports inclusions and even conditionals, but this is some complexity I want to remove from the handbook.

A second thing a3li and I will look into (when time comes) is the ability to actually generate booklets from the wiki (like wikibooks.org does). I think this is a logical consequence, as those plugins (as used by wikibooks) are made with larger documents in mind, and allow us to align the documentation development with those best practices as gently suggested by the plugins.

But to do so, I believe that the architecture-specifics will need to be cleaned out. Either an entire chapter can be written independently of an architecture, or it can’t. Having a chapter that is “mostly” for one architecture, but with parameters and variables for each architecture just to make sure it reads fine for that architecture, is probably not doable or maintainable.

I have considered moving the larger documents in DocBook format (which is the format I use for my other, non-Gentoo documents), and that is still not abandoned. I guess I’ll need to sleep over it some more.

But first make sure that our wiki is qualitatively up to the standards we once had for our documentation.

11. With the documentation moving to the wiki have you noticed more contributions from the community?
The main advantage is that there are new documents being created of good quality, which upon discovery I also mark for translations (so that our translation teams can provide the same documentation to non-English readers) and perhaps even add metadata to it (so that it is taken up in the “featured documentation” overview). The Gentoo wiki is constantly growing, and is more and more becoming a standard source of information when trying to debug or troubleshoot issues reported on our support channels or forums.

Existing documentation, which is moved to the wiki, doesn’t get as much updates as I expected. But there are many reasons why, such as documentation being quite explicit, or people being afraid of editing documents written in a particular style they are not familiar with, or people just suggesting things in the discussion pages but not in the main page, …

12. What should we be doing to get more users involved?
One thing is to make it clear to users that the wiki is open for everybody, and that we welcome all additions. Even when the change is not within the expectations of the English language (style and grammar) as we have enough people watching over to fix these styles and who do this gladly, without any remark towards the original author. Not everyone is fluent in English, and we shouldn’t restrict contributions to language puritans as the broader community has a lot more knowledge ready to be shared.

A second thing is to try and get the discussions through the discussion pages more active. Right now, many discussions are still slow-paced. We should promote this more, but also make sure that we can follow up on these discussions easily. There are two ways to do this in a wiki. One is to watch the page (and the discussions), the second one is to mark the discussions as being “open”, so they can be aggregated and viewed through the proper category in the wiki.

13. Who would you like to see recruited to become Gentoo Developers?
I’d like to see more package maintainers. There is still plenty of software without ebuilds, and that is after all what our users expect us to do the most. Even if a developer only maintains a handful of packages, that shouldn’t be a criteria to grant or deny access to the repository.

With the (eventual) implementation of git repositories, we should also be able to work with the pull request methods allowing people who don’t want to become developer to still contribute to the portage tree.

But the most important is not what technical or non-technical abilities they have, or which role they want to take in the Gentoo project, but rather their willingness to perform and work on an operating system used by several thousand users.

14. What else can we utilize the wiki for?
When the wiki was first launched, I started using it as some sort of Knowledge Base [1]. It allows for specific issues or misconfigurations to be documented and assist users in troubleshooting them. I still think this is a worthwhile set of documents to pursue, but needs a lot more content. I hope to, one day, be able to just mine the knowledge from #gentoo (i.e. historical discussions and questions) and put those in the knowledge base.

[1] https://wiki.gentoo.org/wiki/Knowledge_Base

Perhaps we can, one day, use the wiki as some sort of reference architecture for Gentoo. Such a reference architecture would explain readers how Gentoo could be used to create an integrated environment, where each component has bindings with other components, in a well-orchestrated manner.

Right now, most documents focus on a single technology implementation and there is no full picture as to what Gentoo can really offer to organizations and companies of reasonable size.

15. What would you like the main site to be used for and what framework / language should we use for the redesign?
Personally, I think it would be a good idea to focus on a small main site, using a no-nonsense interface like Bootstrap, with support for mobile devices. Keep the amount of information that is dynamic of nature on other sites, like the Gentoo wiki (perhaps in a closed category so that only privileged developers can access it, for instance if it is about the social contract) and focus on telling the reader what Gentoo is and how to get it.

Underlying, this can even be made static HTML. That’s quite powerful, well known to most people, and doesn’t need any (potentially risky) modules on the web sites.

16. As a Gentoo Developer what are some of your accomplishments?
It’s difficult to put these in any order, as their accomplishment value depends on the time ;-) Still, it would be to assist in the Gentoo Handbook, the creation of the Gentoo Foundation, improved integration of SELinux in Gentoo, the Dutch translations (now they’re fully abandoned, but were once the top translation language), package maintenance here and there, support on #gentoo and the Gentoo Forums and what not.

17. What would be your dream job?
Honestly, I have no idea what it would be. However, it would not be as much about the content, but rather the energy that it would give me to go forward. A job with responsibility (but only on areas that you can influence – not the “You’re responsible for everything that goes wrong” kind of jobs), flexibility in hours, close to home, continuous education/improvement possibilities, lots of social contact (but not necessarily in team manner) and an innovative, evolving goal (not a day-in, day-out same kind of job).

18. What are the specs of your current boxes?
I have two laptops at home (a 2-year old i5 and a recent i7 laptop), a hacked Samsung TV, a hacked Ubiquiti router and two Synology DiskStations (which I oddly haven’t modified yet).

Next to the systems at home, I also manage two Dell PowerEdge servers which both host virtual systems for various personal purposes (such as attempts to move current cloud-driven solutions, such as Google mail and calendar) towards self-hosted solutions. These servers are co-located (luckily, because they make too much noise to be in my home).

19. Can you describe your personal desktop setup (WM/DE)?
I run XFCE with 7 xterms and two browsers open. I’m more a CLI guy ;-)

My previous one was fluxbox, which I enjoyed much as well. However, I ran XFCE due to a bug that someone reported (in SELinux support) and I wanted to reproduce it. And for some reason, it stuck.

20. What gives you the most enjoyment within the Gentoo community?
The appreciation received when fixing someone’s situation or helping them get the most of their installation. Honestly, I think that’s the best thing one can receive. Not only because it gives you a warm and fuzzy feeling, but also because these users often start helping others as well. This is why #gentoo is one of the largest support channels out there.

Gentoo @ FOSDEM 2014

(by Pavlos Ratis)

Gentoo Developers @ FOSDEM 2014
Photo by jmbsvicetto

On the 1st and 2nd of February, many Gentoo users and developers attended FOSDEM, the biggest F/OSS conference in Europe. Gentoo developer and council member Donnie Berkholz(dberkholz) had a talk about the status of distribution-level package management and the latest trends. Furthermore, a Gentoo BoF took place on Saturday. There, we had the chance to meet each other and talk about our favorite distro. The day ended with a Gentoo-ish dinner and beers at city’s center.

Council News

(by Andreas K. Huettel)

First of all, Robin Johnson’s (robbat2) GnuPG key policy GLEP is progressing; it is now officially GLEP (draft) 63 [1], will be posted to the mailing list for discussion one last time soon, and be on the agenda of the next council meeting (March 2014) for final confirmation. In the meantime, we’ll be happy to receive feedback.

About EAPIs, the council decided to immediately deprecate EAPI 0 and EAPI 3, which means they should in general not be used in new ebuilds anymore and repoman gives a non-fatal warning on commit. EAPI 1 and EAPI 2, already deprecated for long, will be banned immediately, in the sense that repoman does not allow committing new ebuilds (but existing ones keep working and can also be modified).

Regarding stable keywords usage on m68k, sh, s390 some discussion about details took place. In the end, based on a suggestion by Mike Frysinger (vapier), it was decided that the profiles of these arches should all be marked as experimental; the consensus was that then package maintainers do not have to care about the keywording status on these particular arches and can e.g. remove the last stable marked or keyworded ebuild of a package at will.

The last important topic that was brought up was the policy on tree wide use of the gtk / gtk2 / gtk3 useflags, or to be more precise the clash between the documentation provided by the gnome team and the policy decided on in a recent QA team meeting. Both Chris Reffett (creffett) as QA team lead and Chí-Thanh Christopher Nguyễn (chithead) presented their viewpoints. Further discussion touched upon the question how far-reaching policy decisions the QA team may make. In the end the council members affirmed that “QA’s right to create standards in glep 48 includes flag names / functions”. Subsequent discussion encouraged QA and Gnome team to keep talking.

[1] https://wiki.gentoo.org/wiki/GLEP:63

Staffing Needs

If you are interested in helping out, please visit our staffing needs page on the Gentoo wiki.

Gentoo Developer Moves

Summary

Gentoo is made up of 252 active developers, of which 40 are currently away.
Gentoo has recruited a total of 794 developers since its inception.

Additions

The following developers have recently joined the project:
Returning Dev :D Steve Dibbs (announcement)

Portage

This section summarizes the current state of the portage tree.

Architectures 45
Categories 159
Packages 17243
Ebuilds 37610
Architecture Stable Testing Total % of Packages
alpha 3613 510 4123 23.91%
amd64 10644 6102 16746 97.12%
amd64-fbsd 0 1575 1575 9.13%
arm 2625 1628 4253 24.67%
hppa 3027 468 3495 20.27%
ia64 3187 569 3756 21.78%
m68k 585 77 662 3.84%
mips 2 2292 2294 13.30%
ppc 6870 2354 9224 53.49%
ppc64 4332 849 5181 30.05%
s390 1538 243 1781 10.33%
sh 1762 288 2050 11.89%
sparc 4138 876 5014 29.08%
sparc-fbsd 0 322 322 1.87%
x86 11404 5146 16550 95.98%
x86-fbsd 0 3224 3224 18.70%

gmn-portage-stats-2013-11

Infrastructure

The Gentoo Foundation recently received a donation of services from Rackspace. We would like to thank Rackspace for their donation and for continuing to support Open Source and Free Software Projects.

Rackspace

Security

The following GLSAs have been released by the Security Team

GLSA Package Description Bug
201402-27 x11-plugins/pidgin-knotify pidgin-knotify: Arbitrary code execution 336916
201402-26 net-libs/libssh libssh: Arbitrary code execution 444147
201402-25 dev-libs/openssl OpenSSL: Denial of Service 497838
201402-24 app-crypt/gnupg GnuPG: Multiple vulnerabilities 449546
201402-23 x11-libs/libXfont libXfont: Multiple vulnerabilities 378797
201402-22 net-analyzer/tcptrack TCPTrack: Arbitrary code execution 377917
201402-21 media-libs/tiff libTIFF: Multiple vulnerabilities 440154
201402-20 net-irc/kvirc KVIrc: Multiple vulnerabilities 326149
201402-19 dev-libs/libtar libtar: Arbitraty code execution 487420
201402-18 app-misc/mc GNU Midnight Commander: User-assisted execution of arbitrary code 436518
201402-17 app-text/xpdf Xpdf: User-assisted execution of arbitrary code 386271
201402-16 media-libs/freetype FreeType: Multiple vulnerabilities 448550
201402-15 mail-client/roundcube Roundcube: Arbitrary code execution 488954
201402-14 dev-libs/icu International Components for Unicode: Denial of Service 460426
201402-13 app-text/djvu DjVu: User-assisted execution of arbitrary code 497088
201402-12 sys-auth/pam_skey PAM S/Key: Information disclosure 482588
201402-11 www-client/links Links: Denial of Service 493138
201402-10 media-sound/pulseaudio PulseAudio: Insecure temporary file usage 313329
201402-09 www-apache/mod_fcgid Apache mod_fcgid: Arbitrary code execution 487314
201402-08 net-misc/stunnel stunnel: Arbitrary code execution 460278
201402-07 games-strategy/freeciv Freeciv: User-assisted execution of arbitrary code 329949
201402-06 www-plugins/adobe-flash Adobe Flash Player: Multiple vulnerabilities 491148
201402-05 media-sound/banshee Banshee: Arbitrary code execution 345567
201402-04 dev-perl/libwww-perl libwww-perl: Multiple vulnerabilities 329943
201402-03 x11-libs/pixman Pixman: User-assisted execution of arbitrary code 493292
201402-02 x11-drivers/nvidia-drivers NVIDIA Drivers: Privilege Escalation 493448
201402-01 net-libs/libmicrohttpd GNU libmicrohttpd: Multiple vulnerabilities 493450

Package Removals/Additions

Removals

Package Developer Date
dev-php/PEAR-HTML_BBCodeParser mabi 13 Feb 2014
dev-php/PEAR-HTML_QuickForm_ElementGrid mabi 13 Feb 2014
dev-php/PEAR-HTTP_Upload mabi 13 Feb 2014
dev-php/PEAR-HTTP_WebDAV_Server mabi 13 Feb 2014
dev-php/PEAR-Tree mabi 13 Feb 2014
dev-php/PHPUnit_Selenium mabi 13 Feb 2014
dev-php/PHPUnit_MockObject mabi 13 Feb 2014
media-plugins/vdr-xxvautotimer hd_brummy 14 Feb 2014
media-plugins/vdr-skinclassic hd_brummy 14 Feb 2014
media-plugins/vdr-sky hd_brummy 14 Feb 2014
media-plugins/vdr-skinreel hd_brummy 14 Feb 2014
net-misc/usbip ssuominen 18 Feb 2014

Additions

Package Developer Date
app-crypt/ssdeep radhermit 01 Feb 2014
sec-policy/selinux-couchdb swift 02 Feb 2014
app-text/bdf2psf floppym 10 Feb 2014
dev-python/llvmpy bicatali 10 Feb 2014
dev-python/numba bicatali 10 Feb 2014
dev-python/blz bicatali 10 Feb 2014
dev-python/datashape bicatali 10 Feb 2014
dev-libs/libdynd bicatali 10 Feb 2014
dev-python/dynd-python bicatali 11 Feb 2014
dev-python/llvmmath bicatali 11 Feb 2014
dev-python/pykit bicatali 11 Feb 2014
dev-python/blaze bicatali 11 Feb 2014
dev-util/squashdelta mgorny 11 Feb 2014
dev-util/squashmerge mgorny 11 Feb 2014
dev-python/astroid idella4 12 Feb 2014
net-im/birdie jlec 12 Feb 2014
media-libs/libomxil-bellagio chithanh 12 Feb 2014
dev-ruby/instantiator graaff 13 Feb 2014
dev-ruby/introspection graaff 13 Feb 2014
dev-ruby/multi_test graaff 13 Feb 2014
app-emacs/redo+ ulm 13 Feb 2014
sys-apps/install-xattr blueness 13 Feb 2014
dev-python/astor patrick 14 Feb 2014
dev-lang/hy patrick 14 Feb 2014
sys-block/kvpm kensington 14 Feb 2014
app-misc/mediacrush-cli maksbotan 17 Feb 2014
sec-policy/selinux-pcscd swift 17 Feb 2014
dev-vcs/git-crypt patrick 18 Feb 2014
app-emacs/mediawiki ulm 18 Feb 2014
dev-python/repoze-sphinx-autointerface radhermit 19 Feb 2014
dev-python/kazoo radhermit 19 Feb 2014
kde-misc/kdeconnect mrueg 20 Feb 2014
net-news/canto-daemon pinkbyte 20 Feb 2014
net-news/canto-curses pinkbyte 20 Feb 2014
dev-ruby/http_parser_rb graaff 21 Feb 2014
dev-ruby/http graaff 21 Feb 2014
dev-python/keyczar radhermit 22 Feb 2014
app-emacs/hexrgb ulm 23 Feb 2014
dev-python/scoop slis 23 Feb 2014

Bugzilla

The Gentoo community uses Bugzilla to record and track bugs, notifications, suggestions and other interactions with the development team.

Activity

The following tables and charts summarize the activity on Bugzilla between 27 January 2014 and 26 February 2014. Not fixed means bugs that were resolved as NEEDINFO, WONTFIX, CANTFIX, INVALID or UPSTREAM.

gmn-activity-2014-02

Bug Activity Number
New 1583
Closed 1051
Not fixed 227
Duplicates 171
Total 5480
Blocker 4
Critical 17
Major 67

Closed bug ranking

The developers and teams who have closed the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Gentoo Security 105
2 Gentoo Linux Gnome Desktop Team 63
3 Perl Devs @ Gentoo 37
4 Robin Johnson 34
5 Gentoo KDE team 28
6 Gentoo X packagers 25
7 Gentoo Sound Team 25
8 Python Gentoo Team 21
9 Bernard Cafarelli 20
10 Others 692

gmn-closed-2014-02

Assigned bug ranking

The developers and teams who have been assigned the most bugs during this period are as follows.

Rank Team/Developer Bug Count
1 Gentoo Linux bug wranglers 104
2 Gentoo Security 88
3 Gentoo Linux Gnome Desktop Team 73
4 Gentoo KDE team 37
5 Gentoo's Team for Core System packages 35
6 Default Assignee for New Packages 34
7 Java team 34
8 Portage team 34
9 Default Assignee for Orphaned Packages 32
10 Others 1111

gmn-opened-2014-02

Tip of the month

Are you using a packages that needs a maintainer?
To find out use this python script developed by Ewoud Kohl Van Wijngaarden and Chris Stout. The script requires dev-python/beautifulsoup. Users can become maintainers for packages via the proxy-maintainer process.

Heard in the community

Problem installing net-libs/webkit-gtk:* hangs (gobject-introspection problem?) with =x11-drivers/nvidia-drivers-325.*
If you are using the nvidia proprietary driver, you may encounter a g-ir-failure as emerge will hang.
See BUG 463960
There is also a forum post about this.
Work around is:

# eselect opengl set xorg-x11
# emerge -1 webkit-gtk
# eselect opengl set nvidia

Want to emerge (update) all installed packages which depend on some given package P?

eix --deps -# -I P

That will list all packages in short that are installed and have P in their dependency variables plus the package itself.

Thanks go to gentoo-user@lists.gentoo.org for that :)

What do you do if you encounter a bug and it may have already been fixed. Search on bugzilla with this to show all the bugs even if they have been fixed and closed?

ALL category/package

Gentoo Website survey 2012 launched (March 01, 2014, 18:17 UTC)

Building a website that fits the needs of users and editors alike is hard. That's why the Gentoo PR team would like to ask you a few questions about our websites, mainly www.gentoo.org, but also about our other sites.

Take the survey now

Thanks for your time and interest in making our website experience better!

Gentoo at FOSSCOMM 2013 (March 01, 2014, 18:17 UTC)

What? FOSSCOMM 2013

Free and Open Source Software COMmunities Meeting(FOSSCOMM) 2013

When? 20th, April 2013 - 21st, April 2013

Where? Harokopio University, Athens, Greece

Website?http://hua.fosscomm.gr

FOSSCOMM 2013 is almost here, and Gentoo will be there!

We will have a booth with Gentoo promo stuff, stickers, flyers, badges, live DVD's and much more! Whether you're a developer, user, or simply curious, be sure and stop by. We are also going to represent Gentoo in a round table with other foss communities. See you there!

Pavlos Ratis contributed the draft for this announcement.

Gentoo Monthly Newsletter - November 2013 (March 01, 2014, 18:17 UTC)

The November 2013 GMN issue is now available online. This month on GMN:

  • Interview with Richard Freeman. A Gentoo developer, Council and Trustees member.
  • Gentoo as a development environment for newcomers.
  • Overall Gentoo activity status with bugzilla, portage and developer statistics.

Gentoo Monthly Newsletter - January 2014 (March 01, 2014, 18:17 UTC)

The January 2014 GMN issue is now available online.

This month on GMN:

  • Meet up with Gentoo developers and users at this years FOSDEM'14 event.
  • Give back by helping the proxy-maintainers project.
  • Latest Gentoo news, job openings, interesting stats and much more.

Gentoo at LinuxTag 2013 in Berlin (March 01, 2014, 18:17 UTC)

LinuxTag 2013 runs from May 22nd to May 25th in Berlin, Germany. With more than 10,000 visitors last year, it is one of the biggest Linux and open source events in Europe.

You will find the Gentoo booth at Hall 7.1c, Booth 179. Come and visit us! You will meet many of our developers and users, talk with us, plus get some of the Gentoo merchandise you have always wanted.

Miniconf: Gentoo on the OLPC XO-1.75 (March 01, 2014, 18:17 UTC)

At the Gentoo Miniconf 2012 in Prague we will install Gentoo on the OLPC XO-1.75, an ARM based laptop designed as an educational tool for children. If you are interested in joining us, come to the Gentoo booth and start hacking with us!

—Chí-Thanh Christopher Nguyễn

Imagination Technologies

Imagination Technologies has donated two MIPS64-based Ubiquiti ERLite-3 routers, plus resources to aid Gentoo in providing up-to-date root file system builds for MIPS.

Imagination Technologies is a global leader in multimedia, processor and communication technologies. The company creates and licenses market-leading IP solutions for graphics, video and vision, CPU/general purpose processing, multi-standard communications and connectivity, and cross-platform voice and video communications. Imagination's MIPS CPU cores and architectures range from solutions for ultra low-power 32-bit microcontrollers to high-performance 32/64-bit advanced applications and network processing. MIPS is supported by a broad ecosystem of tools and software including open source Linux distributions like Gentoo.

February 28, 2014
Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
INSTALL_MASK'ing for a better future (February 28, 2014, 06:37 UTC)

So today I was pointed at a funny one:

/etc/systemd/system/ntpdate.service.d/00gentoo.conf
Now instead of being wrongly installed in /usr/lib (whuarghllaaaaaaaawwreghhh!?!$?) there's some config files for systemd bleeding into /etc.

Apart from being inconsistent with itself this eludes all previous ways to avoid useless files from being installed. The proper response thus looks like this now:
INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd"
And on the upside this will break udev unless you carefully move config to /etc (lolwat ur no haz EUNICHS system operation?) - which just motivated me to shift everything I can to eudev.

Reading recommendation: FHS

February 23, 2014
Alexys Jacob a.k.a. ultrabug (homepage, bugs)
py3status v1.3 (February 23, 2014, 19:23 UTC)

I’m glad to announce the release of py3status v1.3 which brings to life a feature request from @tasse and @ttyE0. Guys, I hope this one will please you !

what’s new ?

Along with a localization bug fix thanks to @zetok from Poland, the main new feature is that py3status now supports a standalone mode which you can use when you only want your own modules displayed in an i3bar !

As usual, this release is already available for my fellow Gentoo Linux users and on pypi !

Changelog is here and quick to get, enjoy !

February 22, 2014
Michał Górny a.k.a. mgorny (homepage, bugs)
A few words on lzip compressor (February 22, 2014, 17:08 UTC)

Some of you may already have noticed that sys-apps/ed and sys-fs/ddrescue packages started pulling in lzip archiver. «Is this some new fancy archiver?» you may ask. The answer is «no. It’s been around for a very long time, and it never got any real interest.»

You can read some of the background story in New Options in the World of File Compression Linux Gazette article. Long story short, lzip was created before xz as a response to the limitations of .lzma format used by lzma-utils. However, it never got any real attention and when xz-utils was released as a direct successor to lzma-utils it became practically redundant. And the two projects co-existed silently until lately…

Over the past five years, Antonio Diaz Diaz, lzip’s author, and a few project supporters were trying to convince the community that the lzip format is superior to xz. However, they were never able to provide any convincing arguments to the community, and while xz gained popularity lzip stayed in the shadow. And it was used mostly by the projects Diaz was member of.

It seems that he has finally decided that advocacy will not help his pet project in gaining popularity. Instead, he decided to take advantage of his administrator position in the mentioned GNU projects and discontinue providing non-.lz tarballs. As he says, «surely every user of ddrescue would like to know about lzip […]».

So, Gentoo user, would you like to know about lzip? Let’s try to get a few fair points here.

First of all, it should be noted that the two competing projects are two different implementations of the same compression algorithm — LZMA2, and they use incompatible file formats. Therefore, both can achieve the same compression ratio (and similar speed) but using either of them requires users to download the appropriate tool.

xz is gaining traction lately. The initial doubt period seems to be over, and growing number of projects is adapting the format. This includes both use of the compression library and distribution of sources in .tar.xz. An xz coder is implemented within the kernel and it can be used as a compressor for filesystems. Practically saying, it’s inevitable for Gentoo users since it is used to compress some of the larger sources (like kernel sources).

Lzip is a side project with minor interest. Most of our users were unaware of its existence until they were forced to install it in order to unpack some other package. In fact, since it is used in particularly small packages, the gain from using it (compared to gzip) is even smaller than size of lzip tarball. Not to mention if we compare it to xz that most of our users have installed already.

As analyzed by Ohloh, xz-utils «has a well established, mature codebase» though it is mostly maintained by a single person. lzip is developed by a single person with no officially known contributors, and no public source code repository. The author claims that lzip is mature and will be continually developed but those are only promises, compared to the community growing around xz.

Feature-wise, xz supports more fine-grained configuration of LZMA2 and additional filters (alike 7-Zip). Lzip has a recovery tool and a few extra promises.

xz-utils are written in C, with the compression library and basic utilities being public-domain. Lzip is C++, and GPLv3 (but there’s also a limited public-domain C version). xz-utils use clean autotools, lzip — custom configure script and Makefile.

To sum up: both tools are quite similar and have no strong advantages over the other. However, the popularity of xz makes it a better choice most of the time, while using lzip mostly forces users to install an extra tool for no real benefit. The continuous support and development in xz-utils is guaranteed by the community, while in lzip it’s just author’s promise.

This post would end here if not for the late events. Now lzip gained an important disadvantage: its author is simply unprofessional. While many other projects start shipping .xz compressed tarballs following its rise in popularity, Diaz is grasping at straws and abusing his position trying to force people to use his pet project instead. He has clearly more concern about the popularity of lzip than about the friendliness to users of the other projects he is administering.

February 20, 2014
Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
gentoo-x86 to git, round two (February 20, 2014, 07:32 UTC)

After my not-so-good experiments with cvs2git I was pointed at cvsps. The currently masked 3.13 release (plus the lastest ~arch version of cvs) seems to do the trick quite well. It throws a handful of warnings about timestamps that appear to be harmless to me.
What I haven't figured out yet is how to "fix" the email addresses, but that's a minor thing.
Take the raw cvs repo as in the first blogpost, then:

$ time cvsps --root :local:/var/tmp/git-test/gentoo-x86-raw/ --fast-export gentoo-x86 > git-fast-export-stream
cvsps: NOTICE: used alternate strip path /var/tmp/git-test/gentoo-x86-raw/gentoo-x86/
cvsps: broken revision date: 2003-02-18 13:46:55 +0000 -> 2003-02-18 13:46:55 file: dev-php/PEAR-Date/PEAR-HTML_Common-1.0.ebuild, repairing.

[SNIP]

real    212m56.219s
user    12m11.170s
sys     6m59.110s
So this step takes near 3h walltime, and consumes ~10GB RAM. It generates about 17GB of temporary data.
To get performance up you'd need a machine with 32GB+ RAM so that you can do that in TMPFS (and don't forget to make /tmp a tmpfs too, because tmpfile() creates lots and lots of temporary files there) - and the tmpfs needs to be >18GB

In theory you can pipe that directly into git-fast-import. To make testing easier I didn't do that..
Throwing everything into git takes "a while" (forgot to time it, about 20 minutes I think):
Alloc'd objects:    9680000
Total objects:      9675121 (    190979 duplicates                  )
      blobs  :      3020032 (    158366 duplicates    1389088 deltas of    2989578 attempts)
      trees  :      5150778 (     32613 duplicates    4633675 deltas of    4709477 attempts)
      commits:      1504311 (         0 duplicates          0 deltas of          0 attempts)
      tags   :            0 (         0 duplicates          0 deltas of          0 attempts)
Total branches:           8 (         3 loads     )
      marks:     1073741824 (   4682709 unique    )
      atoms:         431658
Memory total:        516969 KiB
       pools:         63219 KiB
     objects:        453750 KiB

pack_report: getpagesize()            =       4096
pack_report: core.packedGitWindowSize = 1073741824
pack_report: core.packedGitLimit      = 8589934592
pack_report: pack_used_ctr            =    7139457
pack_report: pack_mmap_calls          =    1976288
pack_report: pack_open_windows        =          3 /          9
pack_report: pack_mapped              = 2545679911 / 8589934592
And then run git gc (warning: Another mem-hungry operation peaking at ~8GB).
The result is about 7.2GB git repository and appears to have full history.

Files to play around with:
Raw copy of the CVS repo (~440MB)
The git-fast-importable stream created by cvsps (biiig)
The mangled compressed git repository that results from it (~6GB)
Edit:
The same repo recompressed (~1.7GB)
"git repack -a -d -f --max-pack-size=10g --depth=100 --window=250" takes ~3 CPU-hours and collapses the size nicely. Thanks, Mr.Klausmann!

February 19, 2014
Anthony Basile a.k.a. blueness (homepage, bugs)
Lilblue Linux: release 20140218 (February 19, 2014, 18:34 UTC)

I just pushed out a new release of Lilblue Linux 20140218 [1] which you can download from any Gentoo mirror [2].  For those of you who don’t know, Lilblue Linux is a security-enhanced fully featured XFCE4 desktop system for amd64.  It is built with Gentoo’s hardened toolchain [3] and uses Gentoo’s hardened-sources for the kernel which include the Grsec/PaX patches [4] for added security.  Lilblue Linux really is Gentoo, so the name is a bit pretentious, but there is one important and interesting twist: it is built using uClibc [5] as its standard C library rather than glibc, giving it some advantages of an embedded system, such as speed.

Release 20140218 is primarily a maintenance release in which I updated all the packages so as to sync up with maintream Gentoo’s stable amd64 set.  I didn’t touch the toolchain since there was no pressing need, but I did update the kernel to hardened-sources-3.12.6.  There were no known major security issue nor major bugs in the previous release.  But, there was a lot of package flux, with lots of fixes that resolved some annoying issues which plagued the earlier release.  One such annoyance was SMPlayer that used to open up a second window to play a video rather than rendering it in the main window.

If you are already running Lilblue, you can probably just do a `emerge –sync; layman -S; emerge -uvND world` and get caught up [6], but if you are starting a fresh system, the newer image cleans out those annoyances, so you want to start there.  One of the reasons I push out new images every few months is that there are always glitches when updating.  This is true of any Gentoo system but all the moreso of Lilblue because most software is developed under the assumption that we are building against glibc.  These assumptions (GNU-isms) manifest themselves in varioius ways: 1) assumptions about the availability of functions which are GNU extensions, such as secure_getenv() in systemd’s code base which eudev removes [7],  2) assumptions about header stacking, eg. using variadic functions without including stdarg.h (You can sometimes get away with this on a glibc system because it sneaks in via some other included header, but not in uClibc), [8] and 3) missing LDFLAGS like, -liconv -lintl or -largp, which are needed to find these breakout libraries [9].  There are, however, some very deep issue which require serious investigation, such as the removal of poll_waiting in glib (versions above 2.30.3) which lead to a dead lock for all applications linking against it.  It turned out that the issue there was in uClibc’s implementation of eventfd() [10].  Another interesting bug in uClibc-0.9.33.2 was the non-atomic implementation of pread() and pwrite() in terms of open() and lseek() [11].  This caused a race in git-1.8.x which does a multithreaded unpacking of the deltas and requires atomic pread/pwrite.  Mike Frysinger (vapier) had already worked out the implementation in terms of SYS_pread64/pwrite64 but these had not yet been backported.  The latest adventure was on arm architecture (yes I’m thinking of porting Lilblue to arm) where the syscall for pread/pwrite was being done using _syscall5() rather than _syscall6() and not properly aligning the 64-bit value on even register pairs.  This again broke pread/pwrite and git, but only on arm arch! [12]  Mike again had the fix and backported it.

Lilblue is built form a stage3-amd64-uclibc-hardened tarball that can be found on any gentoo mirror under /experimental/uclibc along side the Lilblue image itself [2].  I keep the build scripts on Gentoo’s releng (release engineering) git repo [13] and I run them occassionally to see if any major issues are creeping in as mainstream Gentoo evolves.  If everything goes well, then I don’t push out another release to avoid taxing the mirrors.  But when things get complicated, or a large number of packages need updating, I get the feeling I’d better push out another release.  I hope one day to have a binpkg system going where you can donwload a ~200MB seed image and then install from a binhost but this is more involved than I first suspected.

So give it a try in a virtual machine if you like.  It runs out-of-the-box on VirtualBox.  Installation instructions are on the home page [1].  Or run it as you main desktop as I do on one of my boxes at home!

References:

[1] https://wiki.gentoo.org/wiki/Project:Hardened_uClibc/Lilblue

[2] The image is named desktop-amd64-uclibc-hardened-[release].tar.bz2 and can be found at http://distfiles.gentoo.org/experimental/amd64/uclibc/

[3] https://wiki.gentoo.org/wiki/Hardened/Toolchain

[4] http://grsecurity.net/

[5] http://uclibc.org/

[6] While I’ve tried to get most of the fixes either into the main Gentoo tree, or upstream, some patches still remain and so I maintain a repository for them: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=shortlog;h=refs/heads/uclibc

[7] See man 3 getenv.  While getenv conforms to SVr4, POSIX.1-2001, 4.3BSD, C89 and C99, secure_getenv() is a GNU extension.

[8] The header stacking problem works both ways.  In https://bugs.gentoo.org/show_bug.cgi?id=497200, sys-apps/kbd failed to build on uClibc because of a missing stdarg.h when trying to prototype functions with variadic parameters.  Contrast this to https://bugs.gentoo.org/show_bug.cgi?id=486782, where app-cdr/cdrtools fails to build because including stdio.h indirectly includes bits/sched.h which defines clone() (as in man 2 clone).  But this clashes with a definition of clone() in cdrtools’ readcd.c.  Upstream felt that this was a poor implementation on the part of uClibc and the stacking problem there should be fixed.  I can’t disagree, but it is a thorny issue!

BTW, for those interested, you can get a little python script I wrote to analyse header stacking from my dev space: http://dev.gentoo.org/~blueness/misc/header-stack.py

[9] In this way Lilblue is similar to Gentoo on FreeBSD.  Rather than using uClibc’s iconv which has issues, Lilblue pulls in dev-libs/libiconv. The additional LDFLAGS are added on a per package basis using /etc/portage/package.env.

[10] https://bugzilla.gnome.org/show_bug.cgi?id=691168

[11] https://bugs.gentoo.org/show_bug.cgi?id=500382

[12] https://bugs.gentoo.org/show_bug.cgi?id=500382

[13] http://git.overlays.gentoo.org/gitweb/?p=proj/releng.git;a=tree;f=tools-uclibc/desktop

Patrick Lauer a.k.a. bonsaikitten (homepage, bugs)
Thunderbird - double sending is better sending (February 19, 2014, 05:43 UTC)

So here's something brilliant I've found while debugging some PGP-issues:

0q2CYNVFEz6wXHAGYArfO/F/faOL5L6fQw9f93FurZgx7Y+iR1J7Civaa7LHxQ8h
FzstP7BYEhCx2HmEZuDf18htDsTBZAlNVGsI0DMb2wFKudCaI7hXhMHpYBQF/rdZ
=3Dw1hZ
-- --  END PGP MESSAGE     


--  -- --  --  -- 070107010101000406000609
Content Type: text/html; charset=ISO 8859 1
Content Transfer Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=ISO 8859 1"
      http equiv="Content Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
         BEGIN PGP MESSAGE      <br>
    Charset: ISO 8859 1 <br>
    Version: GnuPG v2.0.22 (MingW32) <br>
    Comment: Using GnuPG with Thunderbird   <a class="moz txt link freetext" href="http://www.enigmail.net/">http://www.enigmail.net/</a> <br>
     <br>
    hQIMA0dhXCfgRaeBAQ/+P2NCYSVE7vxW742D9eYJmJ/7g7xHSvPFuYvGSZk2gRaJ <br>
    JoZ98x+TPjSlvYVWuS+Y2Fz04ydhi4vNcK+QAqImVO0nO6dFvxUfmZiERBcYGs4C <br>
    Lhe+B/I0P/hEDl+Zu/QJ/v+SEcFoXKv2iclrXwWF6RyLlO97iu8UsLYUjLIZ7Y+r <br>
    YGqphoIdJLfVZ9bb05RIb0ZKnYX5dzunpqu6V6zRpwckWCkos7qBOZ9hfBjaFkvD <br>
    ZQAoJM78qQ0//vV6qyxSpXXFEFbDZuJjPjjDfIF+qyNbcW657bDHQH2ctcyvdcTf <br>
(Modulo some dashes, but you get the idea)

So, uhm, there's a multipart-mime mail, with a PGP-encrypted attachment, and then there's a properly quoted HTML attachment, CONTAINING the same PGP attachment BASE64 encoded. Or something. The funny thing is that Thunderbird itself fails to display the body directly, but displays it in the editor window when you reply.
In vino veritas, and tonight I will need lots of veritas to unremember this madness.