With all the noise going on in Gentoo this week concerning ex-developers almost rejoining, it was easy to miss out on the fact that Gentoo has a brand new developer. So let's take our eyes off the retired old guard and have a look at what's going on with the vanguard of Gentoo Linux.

By day, Matt Drew, from North Carolina, USA, works in network security and is a devoted father and husband. By night however, Matt aka 'Aetius' is now part of the Gentoo Security Team, the crack team of volunteers who keep all our computers safe.

One of the more high profile activities of the Security Team is the Gentoo Linux Security Announcements (GLSAs), these are how Gentoo informs the wider community about vulnerabilities in free/open source software, and how to keep your systems safe. The GLSAs are so respected that they are syndicated in many of the largest mainstream computer security information services.

I caught up with Gentoo's latest developer and got an interview.

How did you first start using Linux?

I started using Linux (Redhat 5.2) in 1998 or 1999, as a firewall at my house. I had some 486dx100's from work.

I used Red Hat for a long time. I worked for them from around the 6.2 release through to the 7.2 release, doing installation and commercial support. After I left Red Hat I grew frustrated with the rpm/yum setup, so I started to look around for a new distro.

I settled on Gentoo after reading some articles about it, back in 2004. Essentially, I was attracted by portage and the USE flag system. Total control, packaged in a pretty easy to use way.

You have also been having some fun with Itanium?

At Red Hat I was involved in the pre-release testing of the IA64 servers, which mostly involved watching them crash until we got new processors. They did not take off because they were too expensive and AMD torpedoed them with x86_64. AMD offered the easy transition. Going to Itanium was tough.

What led you to volunteer with Gentoo?

I had it in my mind that I wanted to help out with Gentoo, since I liked the distro and was using it on a daily basis both for work and at home. So I started hanging out in #gentoo-security and helping file bugs.

I liked what I saw on the security team. Most of the guys are really busy, like me, but they make time to do things on Gentoo. So when they asked for help a few months ago, I volunteered.

How did you get interested in security?

I just sorta gravitated to it. I'm still fairly "young" as far as security work goes; it's a really interesting field, with a lot of activity and interesting people. A lot to learn very fast.

How did you find the process of becoming a Gentoo Dev?

It was interesting. Very different from applying for a job. I would say simple but not easy, because you're measured very much by what you do and how you handle yourself. I had a lot of help from the senior security devs.

So the Gentoo security team seems to cover quite a lot of ground, what have you been involved with so far?

I file bugs, try to keep an eye on them, and write GLSAs. Very occasionally, I look at a vulnerability when the reports aren't clear about what the exact impact is, or get help from the senior devs on understanding how it works and what the impact is.

It is definitely a group process. You get blinders on when you are writing the GLSA, and sometimes you miss the most basic stuff. So we have a process where other devs check over what you've done, to make sure there aren't any mistakes. They sometimes slip through, but not very often.

Everything gets a security bug at some point.

** Gentoo always seems to be ahead of the curve on security, and there are always seems to be a resolution and upgrade before most other distros are onto it, is it sometimes a job to get the resolution ready and out there? **

Yah, we don't backport much. Sometimes we patch things, meaning the dev that maintains the package.

Some are tougher than others. Firefox/Thunderbird/Seamonkey releases are always tough. It's just a lot of work. It's a very popular package, so there are a lot of bugs. We have to be precise about what bugs are fixed in what version. Sometimes the Mozilla security announcements don't match up with the CVE numbers, so we have to investigate. If you look, most GLSAs are for one CVE, one vulnerability. Firefox ones are sometimes 10 or more in the same release.

So I am quite impressed you have chosen an ancient Greek name as your hacker alias. Is it because you send the barbarian insecurities in terror?

Heh! No, I took it from the Roman general, Flavius Aetius. He fought Attila the Hun to a standstill, but then was killed by the Emperor, who feared his popularity. Aetius was a master diplomat and strategist, from what we know of him. He grew up among the Goths and Huns.

** Were you born and bred in North Carolina? **

No, I was an Army brat, so I was born in Oklahoma and lived in all the usual places - North Carolina, Louisiana, New Jersey, 3 years in Vicenza, Italy, etc.

Wow, have you made it to England yet?

Yep. My wife's parents actually used to live in Oxford.

We have a lot of Gentoo hackers here in Europe

I've noticed! I'd like to get over for a conference or two this year.

What kind of conferences have you been to recently?

Not many! I talked work into sending me to BlackHat/Defcon last year. Loads of fun.

Good grounding in security there then, you clearly knew what was coming! As a family man like yourself, with probably lots of demands on your time, as well as being dedicated to your job, I expect a lot of people are wondering where you find the time for Gentoo? You must be a very organised person.

Mostly it was reorienting my free time (what little there is of it). Do I want to play WoW tonight or work on Gentoo? I make that decision every night. When the security page says what they need is a few minutes a day, they mean it. Long-term just being around is more important than large chunks of time.

Excellent, great advice for us all. I have taken up a lot of your time, so thanks a lot for that, is any thing else you want to add about Gentoo?

It's good that people are passionate about stuff. The worst thing is when people stop talking altogether. :

Thanks again!

No problem.