It’s A Sad Day When Gentoo Has To Drop A Package …

Posted by Stu @ 12:46 AM, Fri 31 Dec 04

Filed under: PHP

… but sometimes there’s just nothing else to be done.

I’ve just package masked dev-php/asp2php. This package contains two confirmed buffer overflows, which can be used to maliciously install files using the permissions of whoever runs the script. This fault was first discovered a couple of weeks ago, and is one of the now infamous 44 problems discovered and reported by D. J. Bernstein.

It’s a buffer overflow. They happen to even the best of packages. Normally the fault gets fixed, a new version comes out, and life goes on. But not in this case.

Unfortunately, the author of asp2php either doesn’t understand that it is his code which contains the fault, or he simply doesn’t care. Honestly, I don’t know which. But either way, his denial leaves Gentoo with a problem. It leaves Gentoo with three choices:

  1. Continue distributing the package, but warn users that it contains known security holes. Well, I’m not going to say that this should never happen, but it’s not something any responsible distribution can do regularly. There’s a trust thing between users and their Linux distributions, and part of that is being able to trust that the packages a user installs don’t contain known security holes.
  2. Fix the package ourselves, and (hopefully) get the patch accepted upstream. This does happen sometimes, but does Gentoo really want to be stuck having to patch a package because the original author doesn’t want to fix his own code? What’s going to happen the next time? Or the time after that?
  3. Remove the package, and publish a security advisory advising everyone to uninstall the package. It’s the saloon of last resort, but it’s the responsible thing to do with abandonware. An upstream package with known (and unfixed) security holes is a form of abandonware. Exploits allow machines connected to the Internet to be turned into zombies; machines used as relays to send spam (or worse) to other machines, and ultimately to me and you. Security matters, and anyone who has a cavalier attitude towards it should not be writing or selling software.

Wordpress 1.2.2 is now in Portage

Posted by Stu @ 11:04 PM, Sat 18 Dec 04

Filed under: Uncategorized

… and if you run any older version of Wordpress, you’re strongly advised to upgrade pronto. Stable on x86 and ppc.

copyfs-1.0 is now in Portage …

Posted by Stu @ 10:57 PM, Sat 18 Dec 04

Filed under: Uncategorized

… along with a patch to make it really delete files from the underlying versions directory. Without the patch, the versions directory soon fills up with temporary files created by vim and other editors.

If You’re Installing Gentoo/PPC On The Pegasos II …

Posted by Stu @ 10:36 PM, Wed 15 Dec 04

Filed under: Uncategorized

… there are a number of gotchas in the existing 2004.3 release + documentation that you will need to work around. If you try and follow the existing documentation to the letter, you’ll be left with an installation that just won’t boot :( I don’t have access to any other type of PPC machine, so I can’t comment on whether these problems exist when installing Gentoo/PPC onto other hardware. Maybe they do; there’s only one Gentoo bug in here that appears to be Pegasos-specific.

Here’s a list of problems & workarounds that I’ve either seen myself, or kindly had forwarded to me from Genesi. I’ll get some bugs filed for these problems later in the week when I’ve got a bit more time. There’s also a few more potential problems that I need to verify before I can file bugs.

  • PPC Handbook says that the Pegasos does not need a boot partition. This is only true if your root filesystem (containing /boot) is an ext2 filesystem. The handbook currently doesn’t mention the need for /boot to be on an ext2 partition. As with x86, make /dev/hda1 a small boot partition (say 20Mb to allow you to keep some old kernels around) and format it as ext2. This problem will prevent Gentoo from booting on your Pegasos machine.
  • The PPC handbook does not mention that your compiled kernel must be less than 4Mb in size. The Pegasos firmware defaults to being able to load a maximum boot image of 4MB. This can be increased by setting the “load-base” variable in the firmware. If you think you’ve run into this problem, change the value of the “load-base” variable in the Pegasos’ firmware to 020000000, and then try to boot your kernel.
  • The stage 3 tarball contains a pam authentication bug. When you reboot into Gentoo Linux, you won’t be able to log in from stage3 (stage2 is fine). This is a problem reported to me; I always build from stage1 because Gentoo’s choice of default CFLAGS on all arches don’t suit me. If you run into this problem, start from the stage2 tarball for now.
  • The PPC handbook does not include the firmware command to boot the installed kernel image. The manual simply says “You don’t need a bootloader; just reboot the box.” It’s true that you don’t need a bootloader - the Pegasos firmware will handle that - but the default firmware configuration tells your Pegasos to boot into a bootmenu installed on /dev/hda1. If you’ve followed the PPC handbook closely enough, that bootmenu is gone, and your Pegasos won’t boot without your intervention. If you’ve created a boot partition at the start of your disk, the command you want is “boot /pci/ide/disk0,0:0 kernel-2.6.9”.
  • Neither devfsd nor udev/coldplug are installed in the stage tarballs, and the PPC handbook currently doesn’t mention that you need one or the other. I haven’t used udev/coldplug myself yet, but it’s the future so I guess you should install those instead. Make sure you install devfsd or udev/coldplug after you’ve finished building stage3.

The Genesi Pegasos II Machine Is Up And Running

Posted by Stu @ 4:34 PM, Sun 12 Dec 04

Filed under: Uncategorized

… and as promised I’ve done some primitive benchmarking against my other dev boxes. These benchmarks are absolutely not scientific, and your own mileage will vary. These figures merely represent my own experience working on the packages that I help the Gentoo community project with.

Here’s the result of emerging apache-2.0.52-r2. All tarballs had already been downloaded. Options such as ccache and binpkg were switched off, to try and make this a fair shootout. Slowest first:

  • VIA Nehemiah EPIA M10000:
    • real 14m28.472s
    • user 10m6.210s
    • sys 3m13.490s
  • PPC:
    • real 7m58.429s
    • user 5m21.681s
    • sys 2m25.963s
  • Athlon 64 3500+ (32-bit Linux, mostly compiled for Athlon-XP):
    • real 7m16.913s
    • user 4m49.541s
    • sys 1m0.441s
  • Dual-Xeon 2.8GHz:
    • real 4m37.491s
    • user 2m56.962s
    • sys 2m34.929s

I think the Genesi Pegasos II machine has acquitted itself very well. It kicks the crap out of the VIA EPIA platform; so much so that I can’t help but wonder whether a mini-ITX form factor Pegasos II could make a real dent in the EPIA’s market. The Pegasos is much faster, even quieter (the EPIA M10000 isn’t totally passively cooled, but the Pegasos is), and (because it’s not x86) I’d expect it to be a little harder for the script kiddies to break into if you want to use it as a firewall.

The real disappointment (for me) is the dual-Xeon … it’s a screamer of a box, but ebuilds for smaller packages just don’t get the most out of the machine. GNU autoconf (in particular) is just too much of a bottleneck. If you’re looking to spec an on-site build-box to make binary packages for your in-house Gentoo machines, you might want to see if anyone has any benchmarks of using a P4-EE for the job.

Two Lessons To Learn About “parted”

Posted by Stu @ 8:01 PM, Tue 07 Dec 04

Filed under: Uncategorized

GNU parted - the partition editor - is the recommended tool for editing partition tables on Gentoo PPC. If (like me) you’re coming from an x86 background, you may not have used this tool before. If so, here’s a couple of things about parted that I think you need to know before you use it.

The first thing you need to know is that parted works directly on the partition table. Every command you type to create, resize or delete a partition happens the moment you hit that enter key. The venerable fdisk or cfdisk commonly used on Gentoo x86 installs, by contrast, build up a new partition table in memory, and only commit it to disk when you decide that you’re ready. Just be mindful of it, especially if you’re going back to edit the partition table after you’ve installed Gentoo :)

Which leads me to the second thing you need to know. This is really a kernel thing; parted’s really just a means to trip up over this one. At the time of writing, the Gentoo PPC install handbook recommends that you create /dev/hda1 as a swap partition, and /dev/hda2 as your root partition. If you format /dev/hda2 with a filesystem that the Pegasos II’s OpenFirmware doesn’t support, your box isn’t going to boot. Using parted to split up the swap partition into two partitions (/dev/hda1 for ext2, and /dev/hda2 for swap) is very easy. But but but but … you must reboot the machine so that the Linux kernel re-reads the partition table.

Otherwise … a simple swapon /dev/hda2 actually nukes your root filesystem instead. (And yes, I did:))
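A check for the stale-table situation described above, as an added example that is not part of the original post: it compares the kernel's cached partition sizes with the table parted sees on disk, and fails when they disagree. The function name `stale_partitions` is hypothetical, the sample data is constructed, and it assumes 512-byte sectors and a parted version that supports the machine-readable `-m` output.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes 512-byte sectors.
# stale_partitions DISK PROC_FILE PARTED_FILE
#   PROC_FILE:   saved copy of /proc/partitions (kernel's cached view, 1 KiB blocks)
#   PARTED_FILE: saved output of `parted -m /dev/DISK unit s print` (on-disk table)
# Prints each partition whose two views disagree; returns 1 if any do.
stale_partitions() {
    awk -v disk="$1" '
        FNR == 1 { file++ }
        file == 1 && $4 ~ ("^" disk "[0-9]+$") {     # major minor #blocks name
            kern[substr($4, length(disk) + 1)] = $3 + 0
            next
        }
        file == 2 && /^[0-9]+:/ {                     # num:start:end:size:fs:name:flags;
            split($0, f, ":"); sub(/s$/, "", f[4])
            ondisk[f[1]] = int(f[4] / 2)              # sectors -> 1 KiB blocks
        }
        END {
            for (n in ondisk) {
                if (!(n in kern)) { print disk n ": on disk only"; bad = 1 }
                else if (kern[n] != ondisk[n]) {
                    print disk n ": kernel=" kern[n] " disk=" ondisk[n] " KiB"; bad = 1 }
            }
            for (n in kern) if (!(n in ondisk)) { print disk n ": kernel only"; bad = 1 }
            exit bad + 0
        }' "$2" "$3"
}

# Constructed sample data modelled on the post: the kernel still believes hda1 is
# the old swap and hda2 is root, while on disk the old swap has been split in two.
tmp=$(mktemp -d)
cat > "$tmp/proc" <<'EOF'
major minor  #blocks  name

   3     0   35524608 hda
   3     1     524288 hda1
   3     2   35000000 hda2
EOF
cat > "$tmp/parted" <<'EOF'
BYT;
/dev/hda:71049216s:ide:512:512:amiga:CONSTRUCTED SAMPLE DISK:;
1:64s:41023s:40960s:ext2::;
2:41024s:1048639s:1007616s:linux-swap::;
3:1048640s:71048639s:70000000s:ext3::;
EOF
stale_partitions hda "$tmp/proc" "$tmp/parted" ||
    echo "kernel view is stale: reboot before touching /dev/hda*"
```

On a disk with no partitions in use, `blockdev --rereadpt` asks the kernel to re-read the table without a reboot; when the root filesystem is mounted from the same disk the kernel refuses the request, which leaves rebooting as the fix.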

Updated Article

Posted by Stu @ 9:49 AM, Tue 07 Dec 04

Filed under: Uncategorized

I’ve made a few changes to Sunday’s article. The language and tone that has drawn so much criticism from Gentoo developers has been addressed. I’ve added

My Initial Comments On The Genesi Pegasos II Have Upset A Few People

Posted by Stu @ 1:36 AM, Tue 07 Dec 04

Filed under: Uncategorized

I apologise to anyone who found the tone of my first Gentoo PPC article offensive in any way. It certainly was not my intent to offend people.

I believe the article to be a fair reflection of my personal experience so far with, and personal opinion of, one of the Genesi Pegasos II boxes donated to Gentoo Linux. If you find any technical inaccuracies in this, or any other post in my blog, please email me (or talk to me on IRC) and draw it to my attention, so that I can correct it.

If my article has put anyone off donating hardware to Gentoo Linux, you should have faith in your product. You should expect members of the Free Software / Open Source (FOSS) community to have strong opinions, and for them to voice those opinions. It is one of the aspects of our community, and our philosophy, which many of us believe is at the heart of our successes. Those within our community - and without - who seek to stifle the voices of individual contributors do nobody a service but themselves.

Best regards,
Stu

Fun Getting The PPC Machine Working

Posted by Stu @ 1:12 AM, Sun 05 Dec 04

Filed under: Uncategorized

I’ve added some comments since this was first posted. You’ll find them as italics in the text below. I’ve removed some language which people have rightly objected to, and rephrased some of the text to try to get the original point across in a clearer way.

Freescale Inc., a division of Motorola that was recently spun-off, was kind enough to donate ten of its Genesi PPC machines to us at Gentoo. I have one of the machines, and once everything’s up and running, I’ll be using it for testing and maintaining Apache and our web-based packages. Genesi is the start-up company behind the design and manufacturer of the Pegasos II machine and motherboard. Freescale’s role is that of benefactor. Freescale have funded the seeding of 100 Pegasos II machines across a number of projects, at the suggestion of Genesi.

I certainly won’t be spending time looking at the machine tho. I find it one ugly mother of a case :). It’s a horrible beige desktop case (expansion room is not what this machine is about). It has everything inconveniently hidden behind sprung blue and grey flaps at the front. These colours clash with each other, and somehow manage to clash with the case too. I’ve a few days off over Christmas; I’ll use one of them to see if the internals can be transplanted into a standard ATX midi-tower case or not. The motherboard is a micro-ATX, so it should transplant just fine. Phew :)

Spec wise, I find the machine disappointing. The machine has been supplied with a mere 256Mb of RAM, and a legacy 36GB PATA IDE hard drive. No dual-DDR or DDR2 RAM here alas. I don’t have any specs on the supplied DVD drive, but so far I haven’t spotted any evidence that it supports writing CDs or DVDs. The drive is a combined CD burner / DVD ROM. That’ll come in handy. Given that dual-layer x8 DVD writers now cost less than 50 quid here in the UK, I find the DVD drive a little disappointing (but it’s a lot better than only having a CD-ROM drive!) As far as I know, this machine is the standard spec currently advertised for sale here in the UK.

My initial impressions are that the 1GHz PPC chip is no slouch. Once I manage to get this machine booting Gentoo off the hard drive, I’m looking forward to testing it against the dual-Xeon and AMD64 boxes. The machine isn’t sold as a competitor with these boxes. These are my other dev boxes, and I think the performance comparison will prove interesting to x86 users such as myself.

The motherboard is based around a PCI bus with an integrated IDE controller. It’s essentially PC hardware with a G4 PPC for a CPU instead of an x86-compatible CPU. It has integrated audio, USB 1.1 (a disappointment to me), onboard Firewire 400 (nice to see, but Firewire 800 would have been nicer), and 2 NICs. I’ve only had the case open the once, so maybe there’s a SATA controller or two still to be discovered (well, I can hope ;-)) The video is an ATI Radeon card (sorry, but I have a strong personal preference for NVidia cards).

To a PC user like myself, the firmware is a little … odd. I’m sure that a command-driven firmware has its advantages, but somehow I’ve never felt the need for one in a desktop machine. Certainly having to type a command just to boot from a CD is a little different. I can’t see Granny ever wanting one of these, somehow. The help command is amusing at first, as you watch pages of (presumably) useful information scroll off the top of the screen. I assume that, somewhere off the top of the screen where I can’t read it, are the instructions for how to make this command page, or maybe even how to use the scrollback buffer (although somehow I doubt that there is a scrollback buffer). There are two manuals available for the firmware: this one and this one.

The machine came with no documentation, only an EULA. Not even a piece of paper saying “Go to such and such website to find our friendly online documentation.” It might be because the Pegasos PPC website doesn’t seem to actually have that documentation (bit of an oversight!) If you search through the Freescale website, you can find some PDFs which cover the Pegasos II. But picture this. You’re sat at your machine, trying to boot the Gentoo CD so that you can install it. It’s the only machine you have. If you don’t know the firmware command to boot from CD, what are you going to do? You’re not going to get that machine booted from that CD. A ‘start here’ page on the Pegasos PPC website would address this nicely. This machine literally is one of a kind, and I think easy-to-find material aimed at the first-time adopter would greatly benefit everyone.

In summary, I found the machine I received to be ugly, disappointingly specified, unfriendly firmware, and poorly documented. Compare each of these points to the experience you’d expect from a PC priced the same. Here in the UK, in every major town and city you can probably find half a dozen small firms churning out PCs at the same price point as the Pegasos II (or for less). The competition for the desktop is fierce.

The Genesi website has a screenshot bearing the phrase “Cool Computing”, yet I find there to be nothing cool or modern about the machine. The term Cool Computing actually refers to the low power consumption of this box. Unfortunately, this isn’t mentioned on that page. USB 1.1, low-capacity PATA IDE drives, no DVD-writer. Come on, this is the end of 2004, not the year 2002. If you can get one (and Pegasos UK is currently reporting that they’re currently out of stock), the Pegasos II may outperform a similarly-priced PC (the Pegasos II is advertised at £399 inc VAT, which is about the same price as a ready-assembled Intel 3.0GHz Prescott P4 will cost you over here), but you’re buying a machine which includes what PC owners such as myself would consider legacy parts.

Hopefully tomorrow I’ll have time to post some initial thoughts on the Gentoo PPC 2004.3 install CD + docs.

Best regards,
Stu
