Striving for greatness

Thoughts on emerging tech, open source, and life

The state of Gentoo

I just published an article over at LWN called “The state of Gentoo.”  In it, I talk about Gentoo’s progress over the past few years as well as its current problems, how they’re affecting Gentoo’s user and developer communities, and how to begin fixing them.

I’ve gotten a lot of positive feedback from our developers on the article so I’m confident that it’s generally a fair representation of where things stand today. However, Alex Legler (a3li) kindly told me our security team does much more behind the scenes to report vulnerabilities and get updated packages stabilized, even if we don’t see the results in the form of GLSAs.


Written by Donnie Berkholz

September 17, 2011 at 9:21 am

Posted in Blog


17 Responses


  1. It is a much better strategy to get maintainers to fix the issues than to do everything yourselves.


    September 17, 2011 at 10:54 am

    • That’s the same thing I was saying to Alex a couple of days ago. He thought there wasn’t much more they could offload, because maintainers of many packages don’t actually follow security issues.

      Donnie Berkholz

      September 17, 2011 at 12:07 pm

    • Your suggestion doesn’t make any sense. Maintainers *do* fix the issues. The other things like filing the issue properly, rating its severity and making sure that they get stabilized right away, is what we do. In many cases maintainers already take care of the stabilizing part after bumping a package, so that we just have to give ‘finishing touches’ to the information listed in Bugzilla.
      So, there’s not much more left we can or have to delegate, otherwise every developer would need a ‘Security Policies 101’ course before they could start.

      Alex Legler

      September 18, 2011 at 3:59 am

  2. Thanks for the article. I wonder whether some web page with requests for help, which would drive users or developers directly to where they are needed, would be the thing to consider. GNU Savannah is a service similar to this, but I do not know how many people use it.


    September 17, 2011 at 1:02 pm

  3. I agree that security on Gentoo is generally good as long as you accept all updates. If you depend on GLSAs you will get burned (at the moment).


    September 17, 2011 at 3:02 pm

    • Rich, you know, repeating the same statement on several forums over and over again doesn’t make the situation any better. Have you offered any kind of actual help yet? (No, suggesting to write the advisories in plain XML is no help)

      Alex Legler

      September 18, 2011 at 4:04 am

    • It’s for that reason I wrote a helper application called “cvechecker”, allowing me to track public known vulnerabilities (identified through their CVE) and their effect on my system (as scanned by cvechecker or handed by a configuration file). It’s not fool-proof, but handy nonetheless.

      Sven Vermeulen

      September 18, 2011 at 4:38 am
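The comment above describes the idea behind cvechecker: compare what is installed against a list of CVE entries, so you are not waiting on a GLSA to learn that a package on your box is affected. The block below is an added illustration of that matching step; it is not cvechecker's code and not anything from the Gentoo security team. It assumes the Gentoo installed-package database layout under /var/db/pkg (one directory per category, one directory per package-version inside it), and it uses a deliberately simplified version comparison: numeric components compare as integers, a trailing pre-release tag (_rc, _beta, …) sorts below the bare version, and any other trailing component (a -rN revision) sorts above it. The CVE entries and the fallback inventory are constructed placeholders, not real advisories.

```python
"""Added illustration (not cvechecker's own code): report installed packages
whose version falls inside the affected range of known CVE entries."""
import itertools
import os
import re

PRERELEASE = {"alpha", "beta", "pre", "rc"}


def tokenize(version):
    """'3.6.20-r1' -> [3, 6, 20, 'r', 1]; '4.0_rc2' -> [4, 0, 'rc', 2]."""
    return [int(t) if t.isdigit() else t.lower()
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1. Numbers compare numerically (so 1.10 > 1.9); a
    trailing pre-release tag sorts below the bare version (4.0_rc2 < 4.0),
    while any other extra component (revision -r1) sorts above it."""
    for x, y in itertools.zip_longest(tokenize(a), tokenize(b)):
        if x == y:
            continue
        if x is None:                      # a is a prefix of b
            return 1 if y in PRERELEASE else -1
        if y is None:                      # b is a prefix of a
            return -1 if x in PRERELEASE else 1
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):             # number vs word: 3.6.20 > 3.6rc1
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return 0


def split_pv(pv):
    """'xorg-server-1.10.4' -> ('xorg-server', '1.10.4'): the version starts at
    the first hyphen followed by a digit (an approximation of Portage's rule)."""
    m = re.match(r"^(.+?)-(\d.*)$", pv)
    if not m:
        raise ValueError("not a package-version string: %r" % pv)
    return m.group(1), m.group(2)


def is_affected(version, entry):
    """entry['below'] is the first fixed version (exclusive upper bound);
    entry.get('from') is an optional inclusive lower bound."""
    if compare_versions(version, entry["below"]) >= 0:
        return False
    lower = entry.get("from")
    return lower is None or compare_versions(version, lower) >= 0


def installed_from_vdb(root="/var/db/pkg"):
    """Read the installed-package database on a Gentoo system."""
    found = []
    if not os.path.isdir(root):
        return found
    for cat in sorted(os.listdir(root)):
        catdir = os.path.join(root, cat)
        if not os.path.isdir(catdir):
            continue
        for pv in sorted(os.listdir(catdir)):
            try:
                name, ver = split_pv(pv)
            except ValueError:
                continue                   # stray file, not a package dir
            found.append((cat + "/" + name, ver))
    return found


def check(installed, cve_entries):
    """Return [(cve, package, installed_version, fixed_in), ...]."""
    hits = []
    for pkg, ver in installed:
        for entry in cve_entries:
            if entry["package"] == pkg and is_affected(ver, entry):
                hits.append((entry["cve"], pkg, ver, entry["below"]))
    return hits


# Constructed sample data: placeholder IDs and ranges, not real CVE records.
SAMPLE_INSTALLED = [
    ("www-client/firefox", "3.6.20"),
    ("x11-libs/gtk+", "2.24.5"),
    ("dev-lang/python", "2.7.2-r1"),
]
SAMPLE_CVES = [
    {"cve": "CVE-0000-0001", "package": "www-client/firefox", "below": "3.6.21"},
    {"cve": "CVE-0000-0002", "package": "dev-lang/python",
     "from": "2.7", "below": "2.7.2"},
    {"cve": "CVE-0000-0003", "package": "x11-libs/gtk+", "below": "2.24.5"},
]

if __name__ == "__main__":
    inventory = installed_from_vdb() or SAMPLE_INSTALLED
    for cve, pkg, ver, fixed in check(inventory, SAMPLE_CVES):
        print("%s: %s-%s installed, fixed in %s" % (cve, pkg, ver, fixed))
```

Run on a Gentoo box it walks /var/db/pkg; elsewhere it falls back to the constructed inventory, where only the firefox entry is reported: 2.7.2-r1 is at or above the 2.7.2 fix, and 2.24.5 equals its own upper bound. The point a practitioner should take from the version logic is that a naive string comparison gets both the 1.10-vs-1.9 case and the -r1 case wrong, and either mistake silently hides an affected package.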

  4. Thank you for the whole article, I think Gentoo badly needed a summary of the past few years. It is good news that devs agree about its contents, even better that you took the burden of writing all of this and made it public.

    Having statistics about devs is interesting, but I think you should also try to do something with the forum statistics, because that's definitely the main place where you can find active users. And as someone pointed out in the LWN comments, the whole purpose of a distribution is its users.

    I’m just going to point out that, as a user, I never felt compelled to try to become a dev because of all the ego wars that broke out a few years ago. I think the light was never brought out completely on that dark period, maybe it’s too late now, but I have a general feeling that many good devs resigned leaving some bad ones in control (or at least, untouched). I’m not talking here about talent in programming, of course, but devs as people and their social behaviour. Creating devrel always seemed to me like applying a patch but not fixing the problem at its roots.

    Also, I think Gentoo needs to do better in terms of communication, if only internally (towards its users). You explain in your article how the EAPI was upgraded several times, but was there ever a single piece of news somewhere to tell the users about it? The answer is simple: no. And please, I don't want to have to read the gentoo-dev ML to know what's new in Portage. Devs should be proud to announce the enhancements brought. The main web page is cluttered with peripheral information like planet posts and new packages added. I'd like to see more articles like the "Qt 4.7 and KDE 4.6 going stable, finally!" one. That kind of article should be the norm, not the exception.

    And yes, there’s definitely some lag with regards to security when you’re using a stable system. The latest stable version of Firefox is 3.6.20, which means the DigiNotar certificates aren’t revoked. It’s been 3 weeks, there’s even a 3.6.22 too revoking something else, why is it taking so long? It’s not like I’m talking about some obscure package used by 3 people in the world in which a local exploit was discovered. There’s something really wrong here.

    The current organisation of Gentoo seems like a giant bureaucracy in which it takes forever for something to happen. A big change is needed, IMHO.


    September 18, 2011 at 3:38 am

    • Hi Thomas,

      I have contacted the mozilla team to find out about this situation with firefox and, sadly, it's caused by low manpower, as some devs don't have much time for gentoo just now 😦

      The solution for this is hard as, without fresh blood, we cannot do much more currently. Jory will focus on bumping them and trying to get them stabilized soon but, if you feel you could be ready to become a gentoo dev, I wouldn't hesitate to mail the gentoo-dev mailing list asking for a mentor.

      Thanks a lot and sorry for the inconvenience


      September 28, 2011 at 10:39 am

  5. […] closely any news related to it. Donnie Berkholz, one of the current active developers and PR lead, has published kinda interesting article on the current state of Gentoo development. Even if you prefer a […]

    Tad-Do » The State of Gentoo

    September 18, 2011 at 5:41 am

  6. Thanks for the update. I’m an old gentoo arch-tester, and I left during the “troubles”. I still look to gentoo as my source for how to do it the right way, but I run Arch now because I’m Canadian, eh.

    One good way to measure a community is to request the channel list from freenode, and sort by number of users per channel. Gentoo is always near the top (currently 8th on my last search). That tells me the community is still quite strong.

    Mike "glide" Bonar

    September 20, 2011 at 8:16 am

    • “but I run Arch now because I’m Canadian, eh.”


      Gentoo OWNZ

      October 15, 2011 at 5:59 pm

  7. Why didn't you link straight to LWN? The URL is already pretty short and, since this isn't twitter, it doesn't count against your character count, and I don't have to type it in by hand.. and better yet, it actually works (the shortened link seems to be down right now).

    Scott Dial

    September 25, 2011 at 11:33 am

    • I use a link shortener to aggregate stats for clicks on my links from a variety of sources.

      Donnie Berkholz

      September 27, 2011 at 10:15 am

  8. First, thank you for the article!
    Second, in the article you write about the long migration of the portage tree to a VCS; isn't it possible to "copy" it from the Funtoo project? They have nice scripts for it 🙂

    Ivan S. Titov

    September 29, 2011 at 6:55 am

    • It’s not the repo conversion itself, it’s all of the supporting infrastructure we need. Git hooks, GPG-secured commits and pushes, and so on. Check out the tracker bug linked in the story.

      Donnie Berkholz

      September 29, 2011 at 8:55 am
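The reply above points at the supporting infrastructure rather than the repository conversion: hooks and GPG-secured commits and pushes. The block below is an added illustration of one such hook and is not Gentoo's own infrastructure or anything from the tracker bug. It is a git pre-receive hook, written in Python, that refuses a push unless every commit it introduces carries a good OpenPGP signature from a key on an explicit fingerprint allowlist. It assumes git 2.19 or later (for the %GF format placeholder), gpg available to git on the server, and a hypothetical allowlist; the fingerprint and the sample log output are constructed placeholders.

```python
#!/usr/bin/env python3
"""Added illustration, not Gentoo's own hook: a git pre-receive hook that
rejects a push unless every new commit has a good signature from an
allowlisted key."""
import subprocess
import sys

ZERO_SHA = "0" * 40   # git's old/new value for ref creation and deletion

# Hypothetical allowlist of full key fingerprints permitted to commit.
# The value is a constructed placeholder, not a real key.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# %G? codes per git-log(1): G good, U good but untrusted by gpg, B bad,
# X/Y expired signature/key, R revoked key, E cannot check, N unsigned.
LOG_FORMAT = "--format=%H%x00%G?%x00%GF"


def parse_log(text):
    """Turn NUL-separated log lines into (sha, status, fingerprint) triples."""
    triples = []
    for line in text.splitlines():
        if not line:
            continue
        sha, status, fpr = line.split("\0", 2)
        triples.append((sha, status, fpr))
    return triples


def decide(commits, trusted):
    """Return a list of problem strings; empty means the push is acceptable.
    'U' is accepted alongside 'G' because trust is decided here by the
    fingerprint allowlist, not by gpg's web-of-trust state on the server."""
    problems = []
    for sha, status, fpr in commits:
        if status not in ("G", "U"):
            problems.append("%s: signature status %s" % (sha[:12], status))
        elif fpr not in trusted:
            problems.append("%s: signed by key %s not on the allowlist"
                            % (sha[:12], fpr))
    return problems


def commits_introduced(new_sha):
    """Commits reachable from new_sha that no existing ref already contains.
    '--not --all' instead of old..new means a new branch does not make us
    re-verify (or reject) history that is already in the repository; at
    pre-receive time the refs have not been updated yet, so this is exact."""
    out = subprocess.check_output(
        ["git", "log", LOG_FORMAT, new_sha, "--not", "--all"])
    return parse_log(out.decode("utf-8", "replace"))


def main():
    problems = []
    for line in sys.stdin:
        old, new, ref = line.split()
        if new == ZERO_SHA:            # ref deletion introduces no commits
            continue
        problems.extend(decide(commits_introduced(new), TRUSTED_FINGERPRINTS))
    if problems:
        sys.stderr.write("push rejected:\n  " + "\n  ".join(problems) + "\n")
        sys.exit(1)


# Constructed sample of what the git log command above would print for
# three commits: one good and allowlisted, one unsigned, one good but
# signed by a key that is not on the allowlist.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\0G\0"
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
    "2222222222222222222222222222222222222222\0N\0\n"
    "3333333333333333333333333333333333333333\0G\0"
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98\n"
)

if __name__ == "__main__":
    main()
```

Install it as hooks/pre-receive in the bare repository. Two design points matter more than the plumbing: the decision is made on the full fingerprint rather than a short key ID, because short IDs are cheap to collide, and the allowlist is enforced independently of gpg's own trust database so that a server-side keyring with sloppy ownertrust cannot silently widen who may commit.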

  9. […] But what does biomedical engineering have to do with developers? Well Donnie is a developer at heart, and has been a long term open source contributor, a leading light in the Gentoo Linux distribution. […]
