Language Selection

English French German Italian Portuguese Spanish

Gentoo 2005.0 All About Security

Filed under
Gentoo
Reviews

The Gentoo Linux "meta distribution" has released its first snapshot release of the year, version 2005.0.

Gentoo considers itself to be a "meta distribution," which means it allows users to pull packages that will provide a customized distribution. The Gentoo Portage system has a tree of over 6,000 packages that are used to build a user's Gentoo Linux OS.

A Gentoo release is essentially a "snapshot" of the stable packages that exist at a particular time in the stable Portage tree. The 2005.0 release updates most packages to the latest available stable version, though there was a particular impetus to make this release due to a number of security issues.

"It is really just a culmination of all the work put into Gentoo since November, when 2004.3 was released," Chris Gianelloni, Gentoo Linux Release Engineering Strategic Lead, told internetnews.com.

"We decided to postpone the release to do a security rebuild mostly because there were several remotely exploitable security flaws in several high-profile packages, like kdelibs and mozilla-firefox."

Red Monk Analyst Stephen O'Grady said the security updates in Gentoo 2005.0 are a key improvement.

"The most important facet of the 2005.0 release to me is the attention that has been paid to securing the release out of the box; this emphasis on security is time well-invested," O'Grady told internetnews.com.

However, the latest version of GNOME 2.10 (define) and KDE 3.4 desktop (define) environments are not included in 2005.0.
"We do not include any packages that are not marked stable in the tree. Both Gnome 2.10 and KDE 3.4 were released after we made our snapshot," Gianelloni explained.

The 2005.0 release also marks the beginning of a new six month release cycle for the Gentoo snapshots, up from the previous marker of three months.

"We found that releasing every three months gave us little gain for quite a large amount of work," Gianelloni said. "Also, with the longer release cycle, it allows us to do more inventive things that would otherwise be impossible to test in the limited amount of time. We typically release on a set cycle since we aren't bound by package releases in the tree."

Six months is also a release target for a number of other open source applications. For example, Novell's SUSE Linux Professional currently releases every six months, as is the aim for GNOME. MandrakeLinux also tends to issue its releases around a six-month time frame as well. Red Hat's Fedora Core releases more often and is likely set for three releases in 2005.

"The stable release cycle simply makes things more predictable, for some people. This is enough to increase adoption," Gianelloni said. "However, I really feel that it will take more than that. We currently have a server project [that is] working at creating a special 'stable' version of the portage tree, designed for server usage. This tree will have stable package versions and will only be updated for security fixes."

Gianelloni said in his view, the "stable" version of the portage tree will be more in line with what other distributions are doing and will make it easier to certify software against a particular version of "stable" or "enterprise" Gentoo.
Currently though, Red Monk's O'Grady feels that Gentoo is already doing a good job at keeping pace with commercial distros.

"As far as keeping pace with commercial distros, my feeling is that the Gentoo team does an excellent job keeping up with the crushing volume of new projects and packages; you can find nearly everything you need in Portage, usually for multiple architectures," O'Grady said. "There are instances where it's a bit behind in some specific areas but for the most part the Gentoo team does an excellent job of keeping pace and even being out in front."

"I think you'll see us branching out into many areas," Gianelloni said, including the embedded space. "I know that there is increased effort on both servers and the embedded space, more effort has been going into moving more of the hardened packages into gentoo as defaults, plus there's the installer project and the work they're doing on building a true mass-deployment tool for Gentoo."

Mr. Kerner's story.

More in Tux Machines

Artificial intelligence/Machine learning

  • Is your AI being handed to you by Google? Try Apache open source – Amazon's AWS did
    Surprisingly, the MXNet Machine Learning project was this month accepted by the Apache Software Foundation as an open-source project. What's surprising about the announcement isn't so much that the ASF is accepting this face in the crowd to its ranks – it's hard to turn around in the software world these days without tripping over ML tools – but rather that MXNet developers, most of whom are from Amazon, believe ASF is relevant.
  • Current Trends in Tools for Large-Scale Machine Learning
    During the past decade, enterprises have begun using machine learning (ML) to collect and analyze large amounts of data to obtain a competitive advantage. Now some are looking to go even deeper – using a subset of machine learning techniques called deep learning (DL), they are seeking to delve into the more esoteric properties hidden in the data. The goal is to create predictive applications for such areas as fraud detection, demand forecasting, click prediction, and other data-intensive analyses.
  • Your IDE won't change, but YOU will: HELLO! Machine learning
    Machine learning has become a buzzword. A branch of Artificial Intelligence, it adds marketing sparkle to everything from intrusion detection tools to business analytics. What is it, exactly, and how can you code it?
  • Artificial intelligence: Understanding how machines learn
    Learning the inner workings of artificial intelligence is an antidote to these worries. And this knowledge can facilitate both responsible and carefree engagement.
  • Your future boss? An employee-interrogating bot – it's an open-source gift from Dropbox
    Dropbox has released the code for the chatbot it uses to question employees about interactions with corporate systems, in the hope that it can help other organizations automate security processes and improve employee awareness of security concerns. "One of the hardest, most time-consuming parts of security monitoring is manually reaching out to employees to confirm their actions," said Alex Bertsch, formerly a Dropbox intern and now a teaching assistant at Brown University, in a blog post. "Despite already spending a significant amount of time on reach-outs, there were still alerts that we didn't have time to follow up on."

Red Hat News

Container-friendly Alpine Linux may get Java port

Alpine Linux, a security-focused lightweight distribution of the platform, may get its own Java port. Alpine is popular with the Docker container developers, so a Java port could pave the way to making Java containers very small. A proposal floated this week on an OpenJDK mailing list calls for porting the JDK (Java Development Kit), including the Java Runtime Environment, Java compiler and APIs, to both the distribution and the musl C standard library, which is supported by Alpine Linux. The key focus here is musl; Java has previously been ported to the standard glibc library, which you can install in Alpine, but the standard Alpine release switched two years ago to musl because it’s much faster and more compact Read more

OSS and Linux Foundation Work

  • Using Open Source Software to Speed Development and Gain Business Advantage
    Last week, we started by defining “Open Source” in common terms -- the first step for any organization that wants to realize, and optimize, the advantages of using open source software (OSS) in their products or services. In the next few articles, we will provide more details about each of the ways OSS adds up to a business advantage for organizations that use and contribute to open source. First, we’ll discuss why many organizations use OSS to speed up the delivery of software and hardware solutions.
  • Linux Foundation Creates New Platform for Network Automation
  • Tying together the many open source projects in networking
    There are a lot of pieces to the ongoing network transformation going up and down the stack. There's the shift away from proprietary hardware. There's the to need to manage complex network configurations. Add subscriber management and a wide range of other necessary functions. Add customer-facing services. All of those pieces need to fit together, integrate with each other, and interoperate. This was the topic of my conversation with Heather Kirksey, who heads up the Open Platform for Network Functions Virtualization (OPNFV) project when we caught up at the Open Source Leadership Summit in mid-February. OPNFV is a Linux Foundation Collaborative Project which focuses on the system integration effort needed to tie together the many other open source projects in this space, such as OpenDaylight. As Heather puts it: "Telecom operators are looking to rethink, reimagine, and transform their networks from things being built on proprietary boxes to dynamic cloud applications with a lot more being in software. [This lets them] provision services more quickly, allocate bandwidth more dynamically, and scale out and scale in more effectively."
  • Master the Open Cloud with Free, Community-Driven Guides
    One of the common criticisms of open source in general, especially when it comes to open cloud platforms such as OpenStack and ownCloud, is lack of truly top-notch documentation and training resources. The criticism is partly deserved, but there are some free documentation resources that benefit from lots of contributors. Community documentation and training contributors really can make a difference. In fact, in a recent interview, ClusterHQ’s Mohit Bhatnagar said: “Documentation is a classic example of where crowdsourcing wins. You just can’t beat the enthusiasm of hobbyist developers fixing a set of documentation resources because they are passionate about the topic.”
  • OpenStack Ocata Nova Cells Set to Improve Cloud Scalability
    Among the biggest things to land in the OpenStack Ocata cloud platform release this week is the Cells v2 code, which will help enable more scale and manageability in the core Nova compute project. Nova is one of the two original projects (along with Swift storage) that helped launch OpenStack in June 2010. The original Nova code, which was written by NASA, enables the management of virtualized server resources.