Gentoo 2005.0 All About Security

The Gentoo Linux "meta distribution" has released its first snapshot release of the year, version 2005.0.

Gentoo considers itself to be a "meta distribution," which means it allows users to pull packages that will provide a customized distribution. The Gentoo Portage system has a tree of over 6,000 packages that are used to build a user's Gentoo Linux OS.

A Gentoo release is essentially a "snapshot" of the stable packages that exist at a particular time in the stable Portage tree. The 2005.0 release updates most packages to the latest available stable version, though there was a particular impetus to make this release due to a number of security issues.

"It is really just a culmination of all the work put into Gentoo since November, when 2004.3 was released," Chris Gianelloni, Gentoo Linux Release Engineering Strategic Lead, told internetnews.com.

"We decided to postpone the release to do a security rebuild mostly because there were several remotely exploitable security flaws in several high-profile packages, like kdelibs and mozilla-firefox."

Red Monk Analyst Stephen O'Grady said the security updates in Gentoo 2005.0 are a key improvement.

"The most important facet of the 2005.0 release to me is the attention that has been paid to securing the release out of the box; this emphasis on security is time well-invested," O'Grady told internetnews.com.

However, the latest versions of the GNOME 2.10 and KDE 3.4 desktop environments are not included in 2005.0.

"We do not include any packages that are not marked stable in the tree. Both Gnome 2.10 and KDE 3.4 were released after we made our snapshot," Gianelloni explained.

The 2005.0 release also marks the beginning of a new six-month release cycle for the Gentoo snapshots, up from the previous marker of three months.

"We found that releasing every three months gave us little gain for quite a large amount of work," Gianelloni said. "Also, with the longer release cycle, it allows us to do more inventive things that would otherwise be impossible to test in the limited amount of time. We typically release on a set cycle since we aren't bound by package releases in the tree."

Six months is also a release target for a number of other open source projects. For example, Novell's SUSE Linux Professional currently releases every six months, as is the aim for GNOME. MandrakeLinux also tends to issue its releases around a six-month time frame. Red Hat's Fedora Core releases more often and is likely set for three releases in 2005.

"The stable release cycle simply makes things more predictable, for some people. This is enough to increase adoption," Gianelloni said. "However, I really feel that it will take more than that. We currently have a server project [that is] working at creating a special 'stable' version of the portage tree, designed for server usage. This tree will have stable package versions and will only be updated for security fixes."

Gianelloni said that, in his view, the "stable" version of the Portage tree will be more in line with what other distributions are doing and will make it easier to certify software against a particular version of "stable" or "enterprise" Gentoo.

Currently, though, Red Monk's O'Grady feels that Gentoo is already doing a good job at keeping pace with commercial distros.

"As far as keeping pace with commercial distros, my feeling is that the Gentoo team does an excellent job keeping up with the crushing volume of new projects and packages; you can find nearly everything you need in Portage, usually for multiple architectures," O'Grady said. "There are instances where it's a bit behind in some specific areas but for the most part the Gentoo team does an excellent job of keeping pace and even being out in front."

"I think you'll see us branching out into many areas," Gianelloni said, including the embedded space. "I know that there is increased effort on both servers and the embedded space, more effort has been going into moving more of the hardened packages into Gentoo as defaults, plus there's the installer project and the work they're doing on building a true mass-deployment tool for Gentoo."

Mr. Kerner's story.
