Category: Gentoo
Full circle ...
I have to say it's kinda comical to read blogs and ML postings lately, after I have basically been saying all this months ago. I was kinda put aside as a blathering idiot, though.
Now I realize it was probably because I just wanted some consensus. Which wasn't the opportune thing at that point due to all the head bashing, flaming and other stuff that has no names.
Well, I don't blame anybody. I probably just joined at the most unfavorable time. Too bad, really.
Yeah. Why should Gentoo be different?
One day, I am sure, the world is going to debate itself to death over the direction the top of a dog's poo is pointing to. There will be a turning point when the last tremor of evolution comes to a grinding halt. From that point on, the world will stop circling around the sun and instead just circle around itself forever. People on said earth are going to circle around their individual selves forever. Better yet, there will be 'group self circling', fueled by the internet proudly acting as flame war superconductor. Forever.
The good news, of course, is that all the commerce suits will be happy forever. When the last brain cell has ceased to produce anything but shop-soiled dirt, the world will be heaven for those guys.
Why would we be different?
To be honest, it saddens me to see how much energy is wasted on territorial "boxing" behaviour. It's probably just a law of nature. Entropy grows - there's nothing we can do to stop it. Just imagine all this energy spent doing interesting things. Oh boy, we had probably colonized half of the known galaxy by now! [Editor's note: Whether that is a Good Thing (TM) is debatable.]
It makes me wonder what the difference between a real war and a flame war is. Maybe it's nothing more than cowardice to bash your opponent's head with a mace. Maybe it's just the fear to be the loser of a penis size comparison [look in your mailbox to find a cure for that].
The thing is, you're not alone. That, dear reader, is a fact you have to face. Now, if you look at somebody other than your mirror self, you might notice he or she looks different. From your mirror self, that is. What you might not notice is that he or she also *thinks* different. Now, what makes you think your own thoughts are more 'right' than his/hers? By what standard? Regarding what background? If you use that strange matter in your head for something else besides trying to defend your own useless boxed thinking you might realize you actually can't answer that question.
At this point, I am quite sure, somebody from #gentoo-pr is going to add '(uncurable)' to the note saying "frilled: esoteric". Heh. Well, life's a bit^H^Heach. Rest assured I appreciate your work a _lot_ .-)
Boxed thinking leads nowhere except to conflict. By defending your pretty little box you do not only deny your own chance of further development, you also provoke hostile reactions from other box-thinkers and cause major annoyance to the others.
You will not accomplish anything meaningful, though.
Now, for those barking "What the heck has this got to do with Gentoo?", feel free to stab me on IRC if you can't figure it out. Or by mail. Or, even better, in person. That, unfortunately, might require leaving your box for a minute. I'm (not really) sorry for that.
Lozza luv
Ok, after ranting I feel much better.
Now, I wish to officially thank some devs for their support and for bearing with my stupid questions and failures:
jaervosz, koon and dercorny as well as solar "the cool", plasmaroo, taviso and vorlon, of course, for everything ^^. I really enjoy what we do however small it may be, and I hope we will always get better. An extra hug to plasmaroo for responding to major nags! (Falco, you're included, too.)
wolf31o2 and stuart, for withstanding and still helping me
kloeri, for being so easy ... all things in life should be like this!
christel and chriswhite, for not making me lose that smiling face altogether 
dberkholz, for gently not-recognizing my n00b efforts
beandog, yo man! (he, he)
swift, for getting me on board *grin*
Out of line, I also have to thank SeJo for all the censored stuff [lol].
Now, everybody sadly not mentioned here is invited to poke me on IRC - whenever you see fit
Thanks, guys & girls, it's been fun so far, it still is, and I hope it will be in the future!
Me pester. Me evil. Close ears.
I need to rant. Again ^^.
I'm so pestered by "Web 2.0". Or should I say AJAX. Or whatever you want to call it.
As a software developer, I learnt that you need a strong foundation to put your complex code on. Now, look at the Web 2.0. We don't even have a platform, since it only exists in the minds of people and some documents. What we really have is [**BLEEP*CENSORED**] browsers that do things their own way with no sign of stability or coherence. And upon that, people, you build your applications?
Ho, ho, ho. Now I have a machine gun.
Since then, I got used to ignoring 95% of sites that require JabbaScript and Gookies. It's all turned off except for some sites I really fancy. The others that I visit on a regular basis do work without. My own ones do as well, of course.
I can see the pain ... I have worked with IBM 3270 terminal technology, and that was even dumber than HTML1 forms. But I am convinced we took the wrong turn at some junction back in the past. OTOH, who knows - CORBA virtually died [it does seem to have some lazarus ambition, though], maybe AJAX will go the same way once developers' minds settle on something feasible again.
I just hope.
You're not actually still reading this, are ya?
While we're at it ... security and speed
Since SearchSecurity's ranking is dragging some attention, I'd like to share my opinion. Though being part of the security team I can only present my personal point of view (as always in this blog .-).
You can doubt or disagree with the ranking in any form you like, and there may be some strange points in there. But that, frankly, is not important.
What is important is to ask how well we do compared to how well we can do. And then make changes accordingly.
First of all, note that we will not be able to deal with vulnerabilities like Ubuntu. Or other companies that pay their employees for doing that stuff. We're community-based. People spend their time digging into vulnerabilities, getting new ebuilds ready and testing them in their free time.
Second, we do have a lot more architectures than other distros to care about. Not all are supported security-wise, but still, it's a nice list if you want to make an impression.
Third, fixes are often available way ahead of any GLSA. That is not true for every arch, it is not true for any case, and it is not generally true .-) Still, users who update often are indeed not so seldomly protected even if no GLSA has been issued yet. The GLSA is only the last step in the whole process.
That being said, it should be clear we are not aiming to be #1 on that list.
But there's things we could make better.
- Work faster. That's kinda hideous to say to somebody who is spending his free time on a project, of course. At least it applies evenly to sec team, herds and arch teams :] The latest vulnerabilities in the Mozilla products were a good example that shows a nice mix of problems:
  - The mozilla herd recently reformed itself and was thus hampered in action.
  - Arch teams can't always stabilize on time regarding the vulnerability policy.
  - Sec team isn't always as fast as can be. (In this case the GLSA could have been ready once the last arch went stable, but it wasn't. I do admit, for example, that I had not commented on the GLSA at that point in time yet, as I should have.)
- Collect a little love for Security. Security bugs are fascinating to those who discover them, try to exploit them or try to defend against them. For developers interested in the progression of a piece of software, they are a boring nuisance that blocks the way ahead. Still we might want to remind everybody that there is the Vulnerability Treatment Policy, and it's agreed upon to be an important part of Gentoo.
- Enforce the policy. Another hideous suggestion, I know. But we might want to adhere stricter to our own rules. We might want to mask apps with vulnerabilities that don't get fixed in due time. This is of course bad, because it will break things. A lot. And I hate broken things.
All this may, of course, be complete bull from someone who hasn't been around long enough, at least from a dev's perspective. And I don't want all that "in there" like I wrote it. Nevertheless it might get one or two of you to think about it, poke me in the eye and suggest something better. Please!
Just how "difficult" is Gentoo?
I'll try to make it short this time and share some experience I've had with the 'new user' side.
Installation
- I've had absolute Linux newbies successfully install Gentoo as their first Linux ever, with *very* little input from my side. (I guess I should just praise the efforts of the documentation team at this stage: You've done a nice job!)
- I've also had more experienced users fail on the installation, even multiple times.
Conclusion
- The Gentoo Handbook will reliably get you up and running if you follow it closely. It's easy to stray off, though, simply by skipping a line. You're also very much in the dark if 'something bad' happens (grub won't install, for example) or you're on non-mainstream hardware. I think the first part can be helped, the second part only to little degree, of course.
Suggestion
- Maybe a bit of simple formatting could already help, meaning whitespace. If you install Gentoo, chances are that you're using links to view the documentation, and it's very easy to get lost there. Really, this is not a joke. I've seen it multiple times: People follow the doc, skip a line and end up in a mess.
- Maybe some more background info (even better maybe to have a background document/wiki to link to, although that only works for online users) could make things clearer, too. Meaning if I don't know about grub I can get some hints or read what others have written in the gentoo-wiki, for example. That might also help the 'in the dark' part a bit. If anybody from docs is interested I'd be willing to contribute.
Maintenance
I run Gentoo on multiple servers and workstations. It is by far the best manageable Linux on the planet. Here's the pros & cons:
Pros
- I call Gentoo a 'streaming distro', since there are no releases (okok, there *are* releases, but you know what I mean .-), resulting in Gentoo being the only distribution that completely misses to make me explode in anger because I need to go through an 'upgrade'. I have had dangerously high blood pressure with any other distro, SuSE being notoriously ugly in wrecking systems (back in the < v.7 times, at least). Even Ubuntu failed to upgrade from 5 to 6 in a really smooth manner (it worked, but there were quite some quirks left that were difficult to figure out). I can even upgrade the toolchain without fearing for my life. So far Gentoo has prolonged my life quite some, since blood pressure that high sure ain't healthy.
- Portage is just great. It figures out dependencies and (almost always) does 'The Right Thing (TM)'. Probably I'm just too stupid to use rpm, but I've had the hell of a time with that thing. Need some extra feature? USE it, build it, done. Great, great, great. I don't even have to figure out obscure packet names of dependencies .-)
Cons
- You really need to keep updated. There's no real path of *not* updating. No security backports, for example. That is a little dangerous on the servers. If you don't keep up, you may easily be buried under a lot of changes; especially since you need to keep updated on those changes, too (mailing lists/announces etc.). Chances are, you don't have all the information at hand if you wait too long before updating. It gets problematic on stuff you might not want to update, say PHP. When PHP6 comes, it will break a lot of apps, presumably. Now, we still have 4.x in the tree (and 5.x didn't break as many apps as 6 will do, IMHO), but for how long?
- That also means Gentoo is still high maintenance. I have little problem with that, but I think some may have. I use to update all boxes frequently (at least once a week), so it's basically continuous work, but short periods only. Nevertheless, you need to have some time to put aside for maintenance.
- Things break. This comes in waves. All can be fine for months, and then you have a week where everything breaks. I have no clue how this happens, but it happens. The bad thing is that with all the configurability you can't test everything (unless you have completely redundant servers). I have some 'single' machines that are backed up by standby hardware and backups, though, that don't have a test environment assigned. An update that merges fine on 4 test and 4 productive machines may still break on the next box due to a different USE flag, for example.
- Design changes. Those really hurt. Like Apache. Reminds me of the SuSE times again (every release did everything completely different; it was so unbelievably bad to have to look for all the stuff in different places every time ...). Sure, if you make a bad design choice, you'll have to fix it at some time. It's probably better for everybody's sanity than keeping wrong stuff around for ages (see Windows .-). But it hurts.
Suggestion
- Most if not all b0rkage can be avoided by using portage logging or ELOG. I have wanted this from the beginning, and now it's been around for some time, it's great, and everybody should use it. Though none of the new Gentoo users around here knew about it. That's bad. It needs to go somewhere in bold and big.
- Given the number of times you need to revdep-rebuild something, 'gentoolkit' should IMHO be in the default profiles.
- Users need to be informed of changes, so something like GLEP 42 would be more than helpful.
Verdict
Gentoo is not a 'dumb user' distro, and I guess we all know that, and I guess we're not really aiming for that, either. Nevertheless, we still fall a small step short of what we can do for the 'educated user', which is what I'd call the Gentoo target. If we can push it a little more, we're on solid ground. I think it's amazing how mature this project has become already.
Nevertheless, I'd like to remind everybody that we should not ignore users with low level of expertise. Our forums are known as one of the top resources to get Linux help. Our users are known to be helpful, our devs are known to be skillful. There is no need to ignore the lower end, and, seeing that the 2006 releases contain a graphical installer (didn't try it, though), it seems we aren't, either.
So, in my opinion, we should do whatever is possible to help new users (and gain new users, in that regard). I'm about to discuss some ideas with the re-formed PR project and we'll see how that goes. My two cents are simply: Don't redline somebody when in doubt, only when you're sure you have very good reasons .-)
-frilled (hmm, was that 'short'?)
setuid() time bombs
When the setuid() bug hit vixie-cron I was sure we were going to have a lot more of those exploits in the near future. It seems I was too pessimistic, though; there were only one or two discovered since then, although I think auditors will keep an eye on that from now on. Anyway, I'd like to recommend some (IMHO) good reading:
http://www.csl.sri.com/users/ddean/papers/usenix02.pdf
Update: Next in line is mit-krb5 ... more to come, I guess
Rantings & the state of Gentoo
First of all, welcome everybody - and thanks for your welcome to a new dev.
I was going to write something about the commotion in the dev community, but then I figured it's not much use. We need to sort things out, and there is little need to comment on that.
What I would like to talk about is making things better. Change is an integral and unavoidable part of life. It's natural that some people turn away from a project and new people join. Those come with new ideas, and, over time, the global goal may shift and change. It's not something that comes from above, but evolves from the inside. At least when there's no big boss sitting on a high chair.
Things that don't change usually don't live. There are some notable exceptions, but the general rule is, you better change if you want to live. Even if it sucks, what it often enough does. I can't imagine how many times I wished that somebody would just stop. But they won't, and if you don't move, they'll wash you away sooner or later.
So why am I wallowing in all this oh so great wisdom? We're not going to solve any of the world's problems. We have lots of great developers dedicating enormous amounts of time to the project. We have a great user community that is recognized for being helpful and friendly. So what's the problem? What do we need to make better?
I think we need to take a step back. What I heard a couple of times now is "I don't want to spend time on that *** crap, I simply want ... to develop". I also heard a lot of "We should do ...".
One principle of an effective project is to let everybody do what he/she is best at and only enforce a minimum of behavioral and communication standards. You better live with the various types of people you have instead of trying to change them (there we are again) since they can only do that on their own.
Today I was talking about PR and raised the question "How do we define Gentoo?" That may sound like one of those esoteric things nobody cares about, and I don't expect anybody to care about it. But from my p.o.v. it's interesting. Can we actually promote Gentoo? Since we are "The Meta Distribution", is there a common base? Enterprise stability freaks, tech fans, gadget lovers, ricers, we got them all - users and devs. On what common ground can we present ourselves to the world?
Now, if I follow my own words the answer is clear: let everybody do his/her "job", dead simple. There are people who see fit to promote Gentoo. But can we just let them? Would you - as a developer or a user - trust those people to represent you in any way? A handful of people to funnel what hundreds of dedicated people are all about? In an enterprise setting, this is not a question. The management has a "vision" (ehrm ... sometimes ... as blurred as it might be), and that's it. We, on the other hand, don't have a management, which is probably why we have any developers at all .-)
Still, I sincerely think all we need is some glue to keep all those brilliant people together. This will sound like a very bad idea to some of you, since it might resemble some kind of "elite", "structure" or "authority". But I am not thinking about authority. I am thinking about a common agreement that (mostly) everybody can live with, that will have to be refined constantly(!), but will, in its respective form, be transported to the world without interruption from individuals. This sounds stupidly theoretic, but if you think about it for 30 seconds, you'll see that all the tools are there. We just need to use them accordingly. And then let everybody do what they do best. And stop worrying.