Age | Commit message | Author | Files | Lines |
|
system/binutils: patch multiple CVEs (#116)
See merge request adelie/packages!304
|
system/s6-linux-init: upgrade to 1.0.2.1
system/utmps: upgrade to 0.0.2.2
See merge request adelie/packages!302
|
Previously, autodetection on the arm64 builder chose to
put lockfiles in /var/lock. This broke running pvscan from
a udev rule with read-only / and separate /var. Make this
option and related ones always use /run, independent of the
build environment.
|
Signed-off-by: Samuel Holland <samuel@sholland.org>
|
Cleanup OpenRC init.d scripts, and more
See merge request adelie/packages!295
|
CVE patches for 2019-07-23
See merge request adelie/packages!298
|
bzip2-1.0.4-POSIX-shell.patch integrated:
https://sourceware.org/git/?p=bzip2.git;a=commit;h=33414da1d2bedf2cbe693f0e21fdaef11d221b1d
CVE-2016-3189.patch integrated:
https://sourceware.org/git/?p=bzip2.git;a=commit;h=c1cdd98db3238cb711c7d9cdc5671452ce2822cb
|
Purge bashisms, adduser, and addgroup from packages.git
See merge request adelie/packages!293
|
system/patch: patch(!) for CVE-2018-6952, 2019-13636, 2019-13638
See merge request adelie/packages!294
|
system/abuild: Fix URL
See merge request adelie/packages!292
|
system/s6-linux-init-early-getty: new subpackage of s6-linux-init
See merge request adelie/packages!291
|
system/adelie-base-posix: Depend on utmps
See merge request adelie/packages!290
|
This makes the packages significantly saner, at the expense of pulling
in a few more MB worth of files for users who only need dmsetup or
libdevicemapper. Currently, it's not clear to users where the
development headers or man pages for these can be found, and there are a
few more minor annoyances such as the dmeventd openrc script not being
contained in an -openrc subpackage.
The /lib/libdevmapper.so symlink should be unnecessary, since there's
already a symlink in /usr/lib/.
Half the .so symlinks are in /lib/, while the other half is in
/usr/lib/, but imho fixing that isn't worth the hassle.
|
See merge request adelie/packages!281
|
At least scp(1) requires the client stuff to be present on the server.
|
These were meant to be in my MR.
|
* Use Westwood+ as default TCP cc algo, instead of CUBIC.
* Ensure JFS and XFS are =y.
* Allow all users to read dmesg.
* Enable ALi PATA controller on pmmx.
|
This is an attempt at syncing the kernel configs of our different
arches. So far, only the 'Networking support/Networking options',
'Filesystems', 'Security Options' and 'Cryptographic API' sections have
been handled, since those require much less knowledge about some of the
more exotic hardware we support than some of the other sections.
Some notable changes:
Network
* Enable IPsec, miscellaneous tunnels, and the diag interfaces for all
socket families.
* Enable policy routing (for wireguard).
* Make the CUBIC TCP congestion control algorithm the default
everywhere, provide a few other common choices.
* Support FQ_CODEL. We may want to support further QoS features.
* Disable support for PF_KEY sockets, which shouldn't be required by our
IPsec userland tools.
* Enable most netfilter features, except for arptables/ebtables/nfacct/
nfqueue/ipset, whose userland tools we don't provide yet, and a few
other very specialized options.
Filesystems
* Build everything except for ext4, iso9660, vfat and squashfs as
modules.
* Use the ext4 driver for ext2 filesystems.
* Disable the kernel automounter, which is currently only enabled on
ppc32 and aarch64.
Security
* Only grant root access to dmesg by default; this can be overridden via
a sysctl.
* Support Yama; it doesn't do anything unless explicitly enabled by a
sysctl, and may be useful to some users.
* Disable AppArmor, which is currently only enabled on pmmx and x86_64.
Crypto
* Disable a lot of uncommon ciphers which are unlikely to be used by
anything.
* Build all crypto code as modules (where possible); this means users
with a dm-crypt-encrypted root filesystem now need to provide the
appropriate kernel modules in their initramfs images on all arches.
* Disable support for dedicated cryptographic coprocessors; we are not
in a position to evaluate their security and performance benefits or
disadvantages.
Other
* Allow serial consoles to be used as the kernel console on all arches;
this is important for VMs.
|