• Number of packages in Gentoo Linux: 15554 packages in 154 categories.
• Number of total* packages in Gentoo Prefix: 9483 packages in 154 categories.
• Number of KEYWORDED packages in Gentoo Prefix: About 3000 for the most popular arch
• Number of packages still NOT in the main Gentoo Linux tree: 369 packages

* The total packages in the tree also contains non-keyworded packages because that just makes life simple. Once packages started migrating to the main tree, I helped think of this “whitelist” concept. The short version of the whitelist is that if a package is listed in that text file, it gets included in the Gentoo Prefix tree as a direct copy of the version in the Gentoo Linux tree. The presense of the package in the old repo means that it is used instead. Eventually, this concept will go away and we will overlay the Gentoo Linux tree directly.

So why is it taking so long to migrate ALL packages to the Gentoo Linux tree? Well, that is where the rubber meets the road and we get into roadblocks. A roadblock for us could be a number of things, such as a disagreement with the Gentoo Linux maintainer, some patches existing that we don’t feel are a good fit for Gentoo Linux, or even us being lazy and not submitting stuff to upstream. We also don’t want to push invasive changes to Gentoo Linux for critical packages, like the toolchain for example.

It has long since been our agenda to not add anymore packages to the old repo and going forward only adding new stuff to Gentoo Linux directly. I hope we can make a dent in those remaining 369 in 2012!


% cat /etc/conf.d/keymaps
# Use keymap to specify the default console keymap. There is a complete tree
# of keymaps in /usr/share/keymaps to choose from.
keymap="en-latin9"
<...>


% cat /etc/X11/xorg.conf.d/30-keyboard.conf
Section "InputClass"
        Identifier "keyboard-all"
        Option "XkbVariant" "colemak"
EndSection

I find it annoying that the GMail web interface chooses to thread messages based on subject name alone, this creates two threads for every new bug report sent to you from bugzilla. Sadly, we can’t control the threading that Google tells us is “the only way” (subject based threading or email header based threading, which bugzilla does correctly). If you want to follow the rabbit trail that I went on regarding this subject, I won’t stop you…

Or you can use procmail to rewrite the subject, that is, remove “New: ” from the first email:

# Remove "New: " from the subject so threading in gmail works
SUBJ_=`formail -xSubject: | expand | tr -d '\n' | sed -e 's/^[ ]*//g' -e 's/New: //'`
:0
* ^From: bugzilla-daemon@gentoo.org
{
    :0 fwh
    | formail -i"Subject: ${SUBJ_}"
}

Tangentially related that may be useful, is this rule that kills duplicate messages when you report a bug and are assigned the same bug (or in CC). The bugzilla software has no way of knowing what email aliases you may be in.

# Kill duplicate messages. If I am the reporter *and* the bug is assigned to a
# team I am in, delete the mail to me directly
:0
* ^To: username@gentoo.org
* ^From: bugzilla-daemon@gentoo.org
* ^X-Bugzilla-Reporter: username@gentoo.org
* ^X-Bugzilla-(Assigned-To|CC):.*(team1|team2)@gentoo.org
/dev/null

I like the GMail WebUI. I use it. Please don't suggest that I should use other clients, I already know that other clients can handle the threading fine.

So, let this be an advanced notice that you may see some rebuilds for useflag changes. There has been sufficient testing such that there should be few to nil problems, but we can’t test everything. Please file bug reports, if needed.

See also:

• Gentoo Announce Message
• Gentoo Developer Announce Message
• Bug 250179

% cat /etc/portage/package.env
app-office/libreoffice notmpfs.conf
% cat /etc/portage/env/notmpfs.conf
PORTAGE_TMPDIR=”/var/tmp/notmpfs”

(More info available in the portage man page)

Now, when I find my next package that needs notmpfs, it is as easy as: echo "cat-egory/pkg notmpfs.conf" >> /etc/portage/package.env which is much easier than bashrc hacks or something else insane that I have seen. Of course you can extend that to most make.conf settings, hope that helps someone.

• You may have seen the Bugzilla upgrade that Christian was working on. Gentoo moved from the bottom of the list provided from one of the upstream devs to the top of the list. (As of April 2011)
• I finally put an idea of mine into reality of graphing the number of “emerge –sync’s” against the rsync.gentoo.org rotation. Full graph and last 4 weeks
• A new reporting website was born: http://qa-reports.gentoo.org/ – The vision was: “Many Gentoo devs have useful scripts and many people complain that there is not a central place to see all the output.” This site is a solution, and open for all. repo: qa-scripts.git
• A new “Get Gentoo at a glance” website was born: http://get.gentoo.org/ that Matthew is still working on, so maybe expect some layout changes – The motivation for this was inspired from bug 350271, repo: get-gentoo.git
• Some behind the scenes work involving our mastermirror service. The current hardware running this important service is one of the oldest hosts we have.

Of course, there is always the untold hours to keep Gentoo Linux infrastructure running happily for all customers. As a final note, if you have a good idea, feel free to propose it via bugs or IRC. We will listen and definately avoid NIH syndrome if we can. Cheers.

Solution: The obvious solution that comes to mind is a ssh key. But a password-less key that allows root login? RED FLAG. However, there is a way to accomplish this without allowing a root login completely. That is to create, what I call, a single purpose key. I feel like this not a widely known trick, so I am archiving it so I don’t forget myself.

Details:
(Where local host is the host that needs ssh access and remote host is the host that you are “opening” up or allowing ssh access to)

1. On the local host, create a ssh key without a passphrase for the root user, this is widely documented via other sources
2. On the remote host, add the key to the /root/.ssh/authorized_keys file. However, start the line in that file with command="/root/bin/validate-ssh.sh"
3. On the remote host, the /root/bin/validate-ssh.sh script is a simple script that allows access to your service and exits for anything else. An example of allowing rsync access [only]:

   
   % cat /root/bin/validate-ssh.sh
   #!/bin/bash
   case "$SSH_ORIGINAL_COMMAND" in
   	rsync\ --server*)
   		# uncomment for debug
   		# echo "$(date +%Y%m%d): $SSH_ORIGINAL_COMMAND" >> /var/log/ssh-cmd.log
   		$SSH_ORIGINAL_COMMAND
   		;;
   	# debug
   	testconnect)
   		echo "You successfully connected to $(hostname)"
   		;;
   	*)
   		echo "Sorry, command '$SSH_ORIGINAL_COMMAND' is not allowed"
   		exit 1
   		;;
   esac
   

4. Optional, if you only want to allow this access from a small set of hosts add from="192.168.1.11,10.80.80.1" to the same line in /root/.ssh/authorized_keys

So, now, you can use that password-less ssh key as root (assuming the remote host allows root logins via ssh) and you should see something. ssh root@remote testconnect will return that string. rsync root@remote:/file will work. Everything else will get the message that indicates it wasn’t allowed. This is expandable to just about everything provided that you know the “$SSH_ORIGINAL_COMMAND” – on another host I use it to allow password-less sshfs access, so SSH_ORIGINAL_COMMAND=/usr/lib/misc/sftp-server and so-forth.

Naturally, this will work for other users/uses as well. I’ve seen references that some admins are using this to allow access if and only if they enter a sekrit token, etc. I’ll also say that you should be smart with this, opening up root access is a hole – if anyone compromises the local host, I suppose they could get access to the remote host if they knew how.

% dmesg | grep -i micro
Atom PSE erratum detected, BIOS microcode update recommended
Atom PSE erratum detected, BIOS microcode update recommended
microcode: CPU0 sig=0x106c2, pf=0x4, revision=0x208
microcode: CPU1 sig=0x106c2, pf=0x4, revision=0x208
microcode: Microcode Update Driver: v2.00 , Peter Oruba

I found out that some recent kernel that I loaded at an unknown time, was able to point out that I had ‘old’ microcode for my processor on my Aspire1 ZG5. I searched around for a BIOS upgrade, but since this is an older generation netbook, I quickly gave up when my searching yielded nothing useful. There is a userspace tool that you can use to ‘upgrade’ the microcode provided by Intel on every boot. In Gentoo Linux, that is called sys-apps/microcode-ctl. Simply install that and enable the init script on boot.

The output after:

% dmesg | grep -i micro
Atom PSE erratum detected, BIOS microcode update recommended
Atom PSE erratum detected, BIOS microcode update recommended
microcode: CPU0 sig=0x106c2, pf=0x4, revision=0x208
microcode: CPU1 sig=0x106c2, pf=0x4, revision=0x208
microcode: Microcode Update Driver: v2.00 , Peter Oruba
microcode: CPU0 updated to revision 0x218, date = 2009-04-10
microcode: CPU1 updated to revision 0x218, date = 2009-04-10

References:

• https://wiki.archlinux.org/index.php/Microcode
• Flameeyes’s Weblog : Microupdates for microcodes

Edit: Added a reference

The QA team has said that there is some sort of “policy” on masking packages that break reverse dependencies. I’ll subscribe that that policy for the sake of not breaking users machines on purpose, however, let’s take a look at the current case study: poppler-0.16

package.mask (in context, name removed because it isn’t needed):
+# Masked because of ABI change, breaks
+# depending packages. Keep masked until depended packages
+# got fixed (adjusted dependency or fixing version bump).
+# tracer bug 349918
+=app-text/poppler-0.16.0

…and there was some discussion on IRC. The QA team (at least a few members) says that the “tree is broken” with poppler-0.16. At time of this writing, 7 packages were reported on the tracker bug and 2 were fixed already. So, it is my opinion that progress for Gentoo is hampered because of this masking. I’ll explain why but first the different theories to package testing that I have observed.

Theory 1:
Run full arch for stability. The problem with this theory is that some group of people/machines need to test ~arch packages first and report issues, otherwise they will hit the stable users and the concept of the arch/~arch tree will break down. The advantage being less compilation in general, and the goal being stability or less breakage. I consider this theory for people that are new to Gentoo.

Theory 2:
Run full ~arch to find interaction issues. This is a fine theory, but not for me. Even though I am a Gentoo dev, I don’t have copious amounts of free time to contribute how I want if I am running ~arch. It is my personal opinion that users should not run full ~arch if they do not want to be bothered contributing back to gentoo/upstream, via bug reports, patches, etc. The advantage here, is that full ~arch users/machines will be able to find issues with the package before it is deemed “stable” – in theory, finding issues fast and being fixed fast. The downside being more compilation, occasional breakage, and/or random mistakes (devs are human, after-all). The Gentoo Handbook says that ~arch needs more testing and isn’t enabled by default. I’d consider this theory for power users. “I only want the latest packages” is no excuse for using this theory if you are going to complain about the above mentioned downsides.

Theory 3:
Run mostly arch and a few ~arch packages. This is what most of my machines run. That is, arch (stable) system and ~arch for packages that I maintain (or help maintain). The advantage here is what I consider real integration testing. The theory is that everything in ~arch will become arch, at one point. These ~arch packages are coming in one-by-one, so it makes no sense to only test a full ~arch tree if the package will be entering the arch tree. This is what the arch team does when they mark packages stable. The downside being, more management, maybe some dependency issues if they aren’t stated properly, etc. I’d consider this theory for people that prefer stability but enjoy the latest packages for some apps.

I think it is valuable to have a user base that is doing all of those theories. …back to poppler.

As we have seen in the past, once a package is “masked for testing” – it may take years to lift that mask because no one actually tests it. And why should you? It is masked and therefore not even in the testing category (~arch)!! Bingo, the crux of this case study. Technically speaking, there is nothing wrong with poppler-0.16.0, it is perfectly fine to be in ~arch by its own criteria. On the other hand, it’s ABI change breaks packages that haven’t been fixed to work with the new ABI yet. By masking a package that changes ABI with a soname change, it could (and should, in my opinion) be considered slowing progress for Gentoo. It should not be considered that the “[whole] tree is broken” – these 7 packages may just be the tip of the iceberg in the breakage category, but we won’t know if it is masked and users are not contributing. Let’s remind ourselves that the arch tree is still functioning properly at this point and “stable” users won’t see any issues…now. For them, thankfully, the ~arch users (including devs) are contributing to Gentoo via bug reports & patches. It should also be noted that nothing is being broke “on purpose” here, bugs are being filed and bugs are being fixed – this is the goal of a software project, right?

So, the way I see it, is a chain reaction.

1. Package enters the tree that causes a slight nuisance. 7/14205 known packages affected or 0.04 % of the tree.
2. The QA team deems this problem package as too severe to allow in ~arch and masks it. (Personal opinion is the 0.04% of the tree is not a servere problem)
3. The maintainer of the problem package is trying to identify breakages by leaving it in ~arch (and relying on the power users)
4. Since the package is masked, the effects of this problem package will be prolonged because “no one” will be testing it in ~arch.
5. The 7 affected packages are fixed, the problem package is unmasked
6. A new set of affected packages are found
7. repeat above

And now for some hard questions:

• How should Gentoo make it easier to add packages that break reverse dependencies if ~arch isn’t appropriate and nothing really happens when package.mask’d?
• Is ~arch becoming a second stable tree and thus losing value in general?
• Related, are overlays hurting Gentoo? The Xfce team subscribes to the theory that ~arch is the place to get useful testing feedback. The Xfce pre releases are in ~arch so the final release is ready for arch asap. This means that we have less work in the long run because we are maintaining less versions sooner and in better quality. The GNOME team subscribes to the theory that their overlay is for new releases and it takes longer to get packages in ~arch and thus longer to arch (my observation only, not official)
• portage-2.2 has this cool “preserved-libs” feature that wouldn’t help compilation issues in this case but might help runtime issues by keeping the old lib(s) around. I like this feature but it is still masked for majority of the users, even though many devs are using it – is it time to release it to the world with all the bugs it has?
• Related, does masking a feature block contributors? I want to say yes simply due to exposure.

Disclaimer: This was in NO WAY meant to be a personal attack against anyone. I can live with agreeing to disagree with people. But I can’t agree with not bringing something up because it is a controversial topic.

The final 4.8 release is scheduled for January 16th, 2011. The Gentoo Xfce team will continue to bring you 0day bumps if possible. The 4.8 series will not hit the Gentoo stable tree until after the final release.