robbat2 is currently certified at Master level.

Name: Robin Johnson
Member since: 2000-12-12 04:03:03
Last Login: 2011-01-18 18:10:09


Homepage: http://www.orbis-terrarum.net/

Notes:

  • Former phpMyAdmin Developer
  • Gentoo Linux developer (since 2003)
  • Working at IsoHunt.com

Projects

Recent blog entries by robbat2


Gentoo Linux participates in World IPv6 day

In light of World IPv6 day, the Gentoo Linux Infrastructure team would like to announce new IPv6-availability of several services, and list the existing IPv6 services. Every service listed below is running a dual-stack native IPv4/IPv6 service, no tunnels.

The new services available via IPv6 are:

The existing services available via IPv6 are:

  • CVS/SVN/Git services for developers
  • http://sources.gentoo.org/
  • rsync://rsync.gentoo.org/ - our primary rsync rotation
  • rsync://${CC}.rsync.gentoo.org - our regional community rsync rotations
  • A number of our mirrors

All of our IPv6 services will remain online after today, unless serious IPv6 problems (esp. regarding routing) are encountered.

Gentoo would like to extend thanks to all our sponsors & mirrors who have provided IPv6 service, and the servers to make use of it!

Syndicated 2011-06-08 11:06:46 from Move along, nothing to read

Robin's 2011 conferences plans and ideas

Working on my conference travel plans and wishes for the year. I am downgrading OLS to a maybe, the cost is becoming more of a factor. Likewise, while I had incredible fun at FOSDEM last year, and OSCON in 2006, I cannot justify the airfare/hotel expenses for them. I would like to attend SCALE at some point as well, but uncertain for the same cost reason.

Confirmed:
  • April 11-14, MySQL UC @ Santa Clara, CA, USA [1]
  • August 17-19, LinuxCon 2011 @ Vancouver, BC, Canada [2]
Maybe:
  • June 13-15, Linux Symposium @ Ottawa, ON, Canada.
Would like to go, but out of my financial reach:
  • February 5-6, FOSDEM @ Brussels, Belgium.
  • February 25-27, SCALE 9x @ Los Angeles, CA, USA.
  • July 25-29, OSCON @ Portland, OR
  • (Not yet announced), Linux Plumbers.
Notes
  1. I will be manning the phpMyAdmin booth, like the past 5 years.
    I have no accommodation yet, I'd love to split a hotel room at the Hyatt (or another spot within walking distance) with somebody.
  2. Local this year, so no travel costs :-)

Syndicated 2011-01-16 10:34:46 from Move along, nothing to read

Complaining at Journalists again: Gentoo Security and the UnrealIRCd backdoor

Those that have followed me for a while might have seen me previously complain at journalism that's misleading, wrong, or outright fictitious. Now I've got another case...
This article by Ed Bott at ZDNet:
Linux infection proves Windows malware monopoly is over; Gentoo ships backdoor? [updated]

The article was first published 2010/06/12 20:37 UTC.
It claims to be "worse" when updated at 2010/06/14 19:30 UTC.

Gentoo had a revision bump to a known good copy of the tarball at 2010/06/12 16:34 UTC (using a different filename, and verified against the GPG signature provided by upstream), so it was ALREADY fixed when the article was published. The old revision was explicitly removed at 2010/06/12 21:18 UTC.
Commit data for fixes:
Changes for unrealircd-3.2.8.1-r1.ebuild
Changes for unrealircd-3.2.8.1.ebuild

The trojaned tarball was then removed from the Gentoo master mirror at 2010/06/13 08:00 UTC, about 11 hours after the article was published. It would have been sooner, but it was a matter of bad timing.

Gentoo bug 323691.

The article also claims: "There’s a great deal of comment in the Talkback section of this post about how official repositories can be trusted. It appears that system broke down thoroughly in this case."
This claim is bogus. The developer that updated the package made perhaps a mistake in trusting that the upstream had not been tampered with. However, in lacking anything to verify against (the upstream apparently did not sign releases at that point), he couldn't have detected the backdoor except by manual inspection of all the code. He downloaded the package AFTER it had been tampered with (2009/11/11 I believe), so he never saw the tamper-free version either.

The entire point of the Gentoo Manifests is to ensure that OUR mirrors are not the point where a compromise is introduced. We can detect upstream changes by this same mechanism, but they mostly tend to be upstream deciding to 'fix' something without bumping the version number. In this regard, they functioned perfectly.

P.S. I'm not saying the existing Gentoo mirroring is perfect either, see my prior writings on tree-signing, and the "Attacks on Package Manager" papers by Cappos et al., which are blocked only with the full tree-signing system.

Syndicated 2010-06-15 08:36:34 from Move along, nothing to read
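
The Manifest check discussed in the post above, as an added example that is not part of the original post and is not Portage's code: it verifies fetched bytes against a `DIST <file> <size> <ALGO> <hex> ...` entry and runs the four cases the post distinguishes. The file name, the sample bytes and all function names are constructed for illustration.

```python
import hashlib

# Manifest hash names mapped to hashlib names (subset; others are skipped).
SUPPORTED = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def parse_dist(line):
    """Split 'DIST <file> <size> <ALGO> <hex> ...' into (name, size, hashes)."""
    f = line.split()
    if len(f) < 5 or f[0] != "DIST" or len(f) % 2 == 0:
        raise ValueError("not a DIST entry: %r" % line)
    return f[1], int(f[2]), dict(zip(f[3::2], f[4::2]))

def make_dist(name, data):
    """Record what a developer's downloaded copy looked like (hypothetical helper)."""
    return "DIST %s %d SHA256 %s SHA512 %s" % (
        name, len(data),
        hashlib.sha256(data).hexdigest(), hashlib.sha512(data).hexdigest())

def verify_distfile(data, dist_line):
    """Return (ok, reason) for fetched bytes checked against one DIST entry."""
    _, size, hashes = parse_dist(dist_line)
    if len(data) != size:
        return False, "size mismatch"
    checked = 0
    for algo, expected in hashes.items():
        if algo not in SUPPORTED:
            continue
        checked += 1
        if hashlib.new(SUPPORTED[algo], data).hexdigest() != expected.lower():
            return False, algo + " mismatch"
    return (True, "ok") if checked else (False, "no supported hash")

# Constructed sample bytes standing in for tarballs (same length on purpose).
CLEAN = b"constructed upstream release, clean"
TAMPERED = b"constructed upstream release, other"
NAME = "example-1.0.tar.gz"  # placeholder file name

def demo():
    good_manifest = make_dist(NAME, CLEAN)      # recorded from a clean download
    late_manifest = make_dist(NAME, TAMPERED)   # recorded after upstream tampering
    return {
        "mirror swaps file": verify_distfile(TAMPERED, good_manifest),
        "honest mirror": verify_distfile(CLEAN, good_manifest),
        "tampered at upstream": verify_distfile(TAMPERED, late_manifest),
        "upstream changes file": verify_distfile(CLEAN, late_manifest),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The "tampered at upstream" case passes because the entry faithfully records a file that was already modified when it was first downloaded; only an independent reference such as an upstream signature distinguishes it from a clean release.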

On Google Summer of Code Applications

(This post inspired by Petteri Räty (betelgeuse)'s similar post)

For this year's Gentoo GSoC projects, I'm a mentor on two of our suggested ideas (but also interested in totally new ideas that fit my fields):

  • upstart on Gentoo
  • Distfile Fetcher Intelligence
Do you actually understand the project idea?
This is actually a gap that I didn't expect to exist, but I have seen in previous years. This is mainly a difference of expectations between the proposal and what the potential student sees as what the idea really entails.
Using Upstart as an example, it supports an existing init.d compatibility mode, but we're not interested in that. Instead we want our init.d scripts to be treated just like upstart jobs (located in /etc/init/). The init.5 manpage shipped with upstart gives a good start...
Code maintainability
betelgeuse spoke about long-term maintenance, but you should think about it long ahead of that. Some degrees of abstraction, and avoiding difficult to understand logic should be prevalent here. betelgeuse mentioned spaghetti code, but it's important to realize that even well formatted code can impose a much larger mental workload if not well thought out.
Timezones, Timezones!
Most of your project should not be blocking on asking for mentor advice, as timezones and real world pressures often conspire to prevent easy real world communication. I may live in UTC-7, but my hours drift as needed by work, but I tend to be online anywhere between 17h00 UTC and 10h00 UTC. If you're trying to communicate with me on a regular basis, this can be tough, so being able to work on a problem independently and ask highly directed questions via email can go a long way.

Syndicated 2010-03-30 19:24:24 from Move along, nothing to read

Advice for Google Summer of Code students

Good advice for any prospective GSoC student, regardless of gender

I'm also a mentor for Gentoo again this year, after taking a break last year.
You can find our list of potential ideas here: Google Summer of Code 2010 ideas for Gentoo
But don't limit yourself to them! Creative ideas can get you very far too :-)

I'll also be the infrastructure contact for the accepted SoC students, for any issues you have with the source code repositories (we'll be offering Git again), your shell accounts, and a sounding board on deploying your successful project (for those that need hosting or larger resources).

Syndicated 2010-03-26 05:14:46 from Move along, nothing to read


robbat2 certified others as follows:

  • robbat2 certified robbat2 as Master
  • robbat2 certified sabetts as Apprentice
  • robbat2 certified krow as Master
  • robbat2 certified bradfitz as Master
  • robbat2 certified halcy0n as Journeyer
  • robbat2 certified leio as Journeyer
  • robbat2 certified djcapelis as Apprentice
  • robbat2 certified plasmaroo as Journeyer
  • robbat2 certified nixnut as Journeyer
  • robbat2 certified shlomif as Journeyer
  • robbat2 certified LenZ as Master
  • robbat2 certified kroah as Master
  • robbat2 certified timriker as Master
  • robbat2 certified Astinus as Master

Others have certified robbat2 as follows:

  • robbat2 certified robbat2 as Master
  • halcy0n certified robbat2 as Journeyer
  • Zaitcev certified robbat2 as Master
