
Gentoo News

News and information from Gentoo Linux

AArch64 (arm64) profiles are now stable!

Sunday 11th of August 2019 12:00:00 AM

The ARM64 project is pleased to announce that all ARM64 profiles are now stable.

While our developers and users have contributed significantly in this accomplishment, we must also thank our Packet sponsor for their contribution. Providing the Gentoo developer community with access to bare metal hardware has accelerated progress in achieving the stabilization of the ARM64 profiles.

About Packet.com

This access has been kindly provided to Gentoo by bare metal cloud Packet via their Works on Arm project. Learn more about their commitment to supporting open source here.

About Gentoo

Gentoo Linux is a free, source-based, rolling release meta distribution that features a high degree of flexibility and high performance. It empowers you to make your computer work for you, and offers a variety of choices at all levels of system configuration.

As a community, Gentoo consists of approximately two hundred developers and over fifty thousand users globally.

Impact of SKS keyserver poisoning on Gentoo

Wednesday 3rd of July 2019 12:00:00 AM

The SKS keyserver network has recently been the victim of a certificate poisoning attack. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to briefly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.

The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key, and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing the keys to become very large and causing severe performance issues in the GnuPG clients that fetch them.

The attackers have poisoned the keys of a few high-profile OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend that users do not fetch or refresh keys from the SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures, and they can be expected to enter Gentoo as soon as they are released.
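To make the mechanics of the attack concrete from the defender's side, here is an added example that is not code from the Gentoo post, GnuPG or gemato. It implements only the packet framing of a binary OpenPGP key (RFC 4880 section 4.2, old and new format headers including partial body lengths) and counts packets by tag, so a downloaded key can be inspected for signature flooding before it is imported. The threshold of 1000 signatures and the constructed sample blob are assumptions: the sample packet bodies are filler bytes, so the example shows the size and count effect of appended signatures, not signature validity.

```python
"""Count OpenPGP packets in a binary key blob to spot signature flooding.

Added example (not Gentoo's or GnuPG's code). Packet bodies are skipped,
not parsed or verified. The threshold is an assumption, not a value from
the Gentoo post.
"""
from collections import Counter

# Packet tags from RFC 4880 section 4.3
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13


def _new_format_length(data, pos):
    """Decode a new-format length at data[pos]; return (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    # 224..254: partial body length (a power of two); another length header follows
    return 1 << (first & 0x1F), pos + 1, True


def iter_packets(data):
    """Yield (tag, body_length) for each packet in a binary (non-armored) OpenPGP stream."""
    pos, end = 0, len(data)
    while pos < end:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"byte at offset {pos} is not a packet header")
        pos += 1
        if ctb & 0x40:                           # new-format header
            tag, body = ctb & 0x3F, 0
            while True:
                length, pos, partial = _new_format_length(data, pos)
                body += length
                pos += length
                if not partial:
                    break
        else:                                    # old-format header
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:                 # indeterminate: body runs to end of stream
                body = end - pos
            else:
                width = (1, 2, 4)[length_type]
                body = int.from_bytes(data[pos:pos + width], "big")
                pos += width
            pos += body
        if pos > end:
            raise ValueError("packet body runs past the end of the data")
        yield tag, body


def count_tags(data):
    """Number of packets of each tag in the blob."""
    return Counter(tag for tag, _ in iter_packets(data))


def looks_poisoned(data, max_signatures=1000):
    """True if the blob carries more signature packets than the (assumed) threshold."""
    return count_tags(data)[TAG_SIGNATURE] > max_signatures


def _packet(tag, body):
    """Encode one new-format packet with a one-, two- or five-octet length."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def build_sample_key(n_signatures, sig_size=120):
    """Constructed key-shaped blob: one public key, one user ID, n signatures.

    Bodies are filler bytes; only the framing matters for this check."""
    blob = _packet(TAG_PUBLIC_KEY, b"K" * 269)
    blob += _packet(TAG_USER_ID, b"Constructed User <user@example.invalid>")
    for _ in range(n_signatures):
        blob += _packet(TAG_SIGNATURE, b"S" * sig_size)
    return blob


if __name__ == "__main__":
    for n in (5, 5000):
        blob = build_sample_key(n)
        counts = count_tags(blob)
        print(f"{len(blob):>8} bytes, {counts[TAG_SIGNATURE]:>5} signatures, "
              f"poisoned={looks_poisoned(blob)}")
```

Feed iter_packets a binary export (the output of gpg --export without --armor, or of gpg --dearmor on an armored file); gpg --list-packets gives an equivalent per-packet listing for a file you already have locally. A real poisoned key differs from the sample only in scale: the per-signature cost is what makes a key with tens of thousands of appended signatures take minutes to import.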

The Gentoo key infrastructure has not been affected by the attack. Shortly after it was reported, we disabled fetching developer key updates from SKS, and today we disabled public key upload access to prevent the keys stored on the server from being poisoned by a malicious third party.

The gemato tool used to verify the Gentoo ebuild repository uses WKD by default. During normal operation it should not be affected by this vulnerability. Gemato has a keyserver fallback that might be vulnerable if WKD fails; however, gemato operates in an isolated environment that will prevent a poisoned key from causing permanent damage to your system. In the worst case, Gentoo repository syncs will be slow or hang.

The webrsync and delta-webrsync methods also support gemato, although it is not used by default at the moment. In order to use it, you need to remove PORTAGE_GPG_DIR from /etc/portage/make.conf (if it is present) and put the following values into /etc/portage/repos.conf:

  [gentoo]
  sync-type = webrsync
  sync-webrsync-delta = true  # false to use plain webrsync
  sync-webrsync-verify-signature = true

Afterwards, calling emerge --sync or emaint sync --repo gentoo will use gemato key management rather than the vulnerable legacy method. The default is going to be changed in a future release of Portage.

When using GnuPG directly, Gentoo developer and service keys can be securely fetched (and refreshed) via:

  1. Web Key Directory, e.g. gpg --locate-key developer@gentoo.org
  2. Gentoo keyserver, e.g. gpg --keyserver hkps://keys.gentoo.org ...
  3. Key bundles, e.g.: active devs, service keys

Please note that the aforementioned services provide only keys specific to Gentoo. Keys belonging to other people will not be found on our keyserver. If you are looking for them, you may try the keys.openpgp.org keyserver, which is not vulnerable to the attack, at the cost of stripping all signatures and unverified UIDs.
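Option 1 above, and gemato's default, rely on Web Key Directory, which needs no keyserver at all: the client derives an HTTPS URL from the e-mail address and fetches the key from the domain that owns the address. The following added example, not code from the Gentoo post or GnuPG, derives those URLs the way the OpenPGP Web Key Directory draft (draft-koch-openpgp-webkey-service) specifies: the local part is lower-cased, hashed with SHA-1 and z-base-32 encoded into the "hu" path component, and both the advanced and the direct URL forms are produced. The address pattern is the page's own developer@gentoo.org; no claim is made about which URL form Gentoo's servers actually answer.

```python
"""Derive WKD lookup URLs for an e-mail address (added example, not GnuPG's code)."""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bits first, no padding."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # Right-pad the bit string to a 5-bit boundary, then peel off groups from the top.
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZB32[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """The 'hu' path component: z-base-32 of SHA-1 over the lower-cased local part.

    The draft maps ASCII upper case to lower case; str.lower() also folds
    non-ASCII letters, which makes no difference for ASCII addresses."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """The advanced and direct method URLs a WKD client tries, in that order."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l_param = quote(local, safe="")          # the 'l' query parameter carries the unmapped local part
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
    }


if __name__ == "__main__":
    for method, url in wkd_urls("developer@gentoo.org").items():
        print(f"{method:>8}: {url}")
```

Because the key comes over HTTPS from the address's own domain rather than from a shared append-only keyserver, nobody outside that domain can attach data to what the client receives, which is why the WKD path is unaffected by the poisoning described above.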

More in Tux Machines

Top 20 Best Openbox Themes for Linux System in 2019

Have you ever heard about the stacking window manager, Openbox? It is broadly used in Unix-like systems. Most probably, it’s among the most customizable parts out there. You can easily modify and beautify it with a little bit of effort. The question may arise: with what and how can you do this? Well! We are going to disclose it now. It’s by Openbox themes, which let you have a minimalist and fantastic visual interface for your desktop manager.

Fedora IoT Review

With the rise in IoT use, we are witnessing a demand for ready-made operating systems to support smart device development. Currently, the race is between proprietary versions such as IoT Plug and Play by Microsoft and open source operating systems. One such emerging open source player is Fedora, which has a workstation that supports virtualization and containers. Fedora is also slated to release an Internet of Things edition called “Fedora IoT” in the future. Here is a review of the open source product’s support capabilities for IoT and relevant installation details.

5 Practical Examples of the Read Command in Linux

With the read command, you can make your bash script interactive by accepting user input. Learn to use the read command in Linux with these practical examples.

Programming: C++, C and Python

  • Extend C++ capabilities with LLVM STLExtras.h

    The LLVM compiler project provides a header file called STLExtras.h that extends the capabilities of C++ without any dependency on the rest of LLVM. In this article, we take a quick look at its basic functionality.

  • Rewriting Old Solaris C Code In Python Yielded A 17x Performance Improvement

    While we normally hear of rewriting code from Python and other scripting languages into C/C++ when it's a matter of performance, in the case of Oracle Solaris it was taking old C code and modernizing it in Python 3 that yielded a ~17x performance improvement. Shared today on Oracle's official Solaris blog was an interesting anecdote about their listusers command being rewritten in Python 3 from C. Oracle's Darren Moffat noted the C code was largely untouched since around 1988 and was designed at a time when systems were less dense than today, with hundreds or even thousands of users per system.

  • Python Projects for Beginners: The Best Way to Learn

    Learning Python can be difficult. You can spend time reading a textbook or watching videos, but then struggle to actually put what you've learned into practice. Or you might spend a ton of time learning syntax and get bored or lose motivation. How can you increase your chances of success? By building Python projects. That way you're learning by actually doing what you want to do! When I was learning Python, building projects helped me bring together everything I was learning. Once I started building projects, I immediately felt like I was making more progress.

  • PyCon 2019: The People of PyCon

    I can’t tell you how amazing it was to meet the individuals I read, listen to, or who make the tools I use. I was so happy to meet the authors that helped me to grow over the last few years, especially Dan Bader, Peter Baumgartner, Matt Harrison, Reuven Lerner, Harry Percival, and Lacey Williams Henschel. I love podcasts, so it was wonderful to meet Michael Kennedy and Brian Okken in person. And I was happy to meet Paul Ganssle, Russell Keith-Magee, Barry Warsaw, and other maintainers and contributors. It was a delight to meet Bob Belderbos and Julian Sequeira from PyBites.

  • Find the first non-consecutive number with Python

    Your task is to find the first element of an array that is not consecutive. For example, if we have the array [1,2,3,4,6,7,8], then 1, 2, 3 and 4 are all consecutive but 6 is not, so 6 is the first non-consecutive number. If the whole array is consecutive, return None.

  • Perceiving Python programming paradigms

    Early each year, TIOBE announces its Programming Language of The Year. When its latest annual TIOBE index report came out, I was not at all surprised to see Python again winning the title, which was based on capturing the most search engine ranking points (especially on Google, Bing, Yahoo, Wikipedia, Amazon, YouTube, and Baidu) in 2018.