Urgent security patch for all systems running Adélie Linux

A grave security vulnerability has been found in apk, the package manager used by Adélie Linux. The vulnerability allows any attacker on the same network as your computer to run malicious code as the superuser if you are not using HTTPS repositories in /etc/apk/repositories.

This should not affect any standard installation of Adélie Linux, as our mirrors force HTTPS and our default repositories file uses HTTPS. However, if you have added your own custom repositories, or replaced ‘https’ with ‘http’ for any reason, you are vulnerable. A patch has been released in apk-tools 2.10.1 and it is critical for you to update all of your Adélie Linux computers immediately. New ISO and root FS images for 1.0-BETA1 went live this morning UTC (around 11 hours ago).
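
An added example, not part of the original announcement or of apk-tools: a POSIX shell check for the two conditions described above, a non-HTTPS entry in a repositories file and an apk-tools version older than 2.10.1. The sample file contents, host names and version strings are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Adélie or apk-tools code).

# Constructed sample input; hosts and paths are placeholders.
constructed_sample() {
    cat <<'EOF'
# constructed sample, not a real repositories file
https://mirror.example.org/adelie/current/system
http://mirror.example.org/adelie/current/user
@custom http://pkgs.example.net/custom
  # http://commented.example.org/ignored
/var/cache/local-repo
EOF
}

# Read a repositories file on stdin and print every repository URL that
# uses a network scheme other than https://.
insecure_repos() {
    while read -r first second _ || [ -n "$first" ]; do
        case $first in ''|'#'*) continue ;; esac   # blank line or comment
        url=$first
        case $first in @*) url=$second ;; esac     # "@tag url" pinned repo
        case $url in
            https://*|/*) ;;                 # HTTPS, or local path (assumed offline)
            *://*) printf '%s\n' "$url" ;;   # http://, ftp://, any other scheme
        esac
    done
}

# Succeed (exit 0) when the given apk-tools version is older than 2.10.1.
apk_tools_older_than_fix() {
    v=${1%%-r*}                              # drop the "-rN" package revision
    IFS=. read -r maj min pat _ <<EOF
$v
EOF
    maj=${maj%%[!0-9]*} min=${min%%[!0-9]*} pat=${pat%%[!0-9]*}
    maj=${maj:-0} min=${min:-0} pat=${pat:-0}
    [ "$maj" -lt 2 ] && return 0
    [ "$maj" -gt 2 ] && return 1
    [ "$min" -lt 10 ] && return 0
    [ "$min" -gt 10 ] && return 1
    [ "$pat" -lt 1 ]
}

echo "Non-HTTPS repositories in the constructed sample:"
constructed_sample | insecure_repos
for ver in 2.10.0-r3 2.10.1-r0; do           # constructed version strings
    if apk_tools_older_than_fix "$ver"; then echo "$ver: update needed"
    else echo "$ver: has the fix"; fi
done
```

On an installed system, feed the real file with `insecure_repos < /etc/apk/repositories` and pass the version number reported by `apk --version` to `apk_tools_older_than_fix`.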

This vulnerability was discovered in early September by Max Justicz. A patch was written on 5 September by Alpine Linux developers and released on 10 September; the vulnerability was disclosed publicly on 13 September. The Adélie Linux team was not notified of this vulnerability before the public disclosure. This vulnerability was disclosed independently to Adélie Linux by Luke Dashjr via the public disclosure by Max Justicz.

We are deeply troubled by the lack of responsible disclosure by Alpine Linux, and we are actively investigating steps we may take in the future to mitigate our continued reliance on Alpine.

Adélie Linux 1.0-BETA1: Now available

The Adélie Linux Release Engineering Team is pleased to announce the immediate release of Adélie Linux 1.0-BETA1 for the 32-bit and 64-bit PowerPC, 32-bit and 64-bit x86, and 64-bit ARM platforms. Learn more about Adélie Linux on our Web site.

Please note: This is an early test release of Adélie Linux. While every care has been taken to ensure the stability of the system, features and packages may be missing or may not function correctly. You should always back up your computer’s data before you install a new Linux distribution. This release is being actively tested on multiple platforms. It is highly recommended that you use a dedicated computer or virtual machine to learn the environment until you are comfortable with using the Adélie Linux system and its package manager, apk.

Release Notes

All architectures

  • The Adélie Base System (adelie-base) no longer ships with Perl or vim included by default. Both of these are included in the Adélie Base POSIX System (adelie-base-posix), and are still available on the live CD. You will need to install vim manually if you are not using the adelie-base-posix package.
  • Many improvements have been made to Dracut, used for initramfs generation.
  • GNU Privacy Guard (GnuPG, GPG) is now built with smart card and USB support.
  • KDE Applications have been upgraded to 18.08.1, and KDE Frameworks have been upgraded to 5.50.
  • The Linux kernel has been upgraded to 4.14.56.
  • The musl libc has been upgraded to 1.1.20, bringing many correctness fixes and better reliability.
  • OpenVPN is now available.
  • Qemu has been upgraded to 3.0.0.
  • The qmail MTA is now available, as netqmail.
  • ScummVM is now available.
  • TTYs are now dynamically spawned using s6 instead of using static configuration in /etc/inittab. This brings more flexibility for server and virtual machine installations, and allows desktop users to only spawn the TTYs that they require. See /etc/conf.d/gettys for more information.
  • XFCE 4 is now available. Just install the xfce-desktop package.
  • …and over a thousand other enhancements, upgrades, and fixes!

Also new in this release are Root FS tarballs for all Tier 1 architectures, which can be unpacked on to a variety of different storage media and booted from – or extracted into a directory on your existing computer for a simple chroot-based installation. Combining this with qemu-user can provide you with a limited environment for testing Adélie for other CPU architectures.

Caution: If you are upgrading from a previous version of Adélie Linux to 1.0-BETA1, please merge the new user and group entries from /etc/passwd.apk-new into /etc/passwd, /etc/group.apk-new into /etc/group, and /etc/shadow.apk-new into /etc/shadow. This is only necessary to perform one time during the upgrade, before you restart your computer. For more information, feel free to contact us on IRC.

ARMv7

Support for ARMv7 is offered on a limited testing basis only, and ARMv7 remains a Tier 2 architecture. Currently, no binary packages are available for 1.0-BETA1.

64-bit ARM (AArch64)

  • Root FS tarballs are provided, allowing bootstrapping of AArch64 systems without needing a device already running Linux.

PowerPC (32-bit)

No architecture-specific release notes.

PowerPC (64-bit)

  • The live CD now ships with bootinfo.txt in the place where SLOF (IBM OpenFirmware) expects it to be. This should allow automatic booting on most CHRP compatible IBM servers, including QEMU/KVM.
  • POWER8 and POWER9 systems are supported by the POWER8 specific kernel. Please ensure you install the easy-kernel-power8 package.
  • POWER9 users: Qemu 3.0.0 no longer allows KVM HV guests to be created in Radix MMU mode. You will need to boot your system with disable_radix on your kernel command line to use KVM HV guests in Adélie 1.0-BETA1.

Intel x86 (all)

  • The syslinux bootloader has been removed, in favour of the GRUB 2 bootloader.
  • All live CDs should now support EFI boot. If you encounter any issues with EFI booting on the live CD, please file an issue.

Statistics

Adélie Packages

There were 1,394 commits to packages.git between 1.0-ALPHA7 and 1.0-BETA1 (307 since the last snapshot), by thirteen developers:

  • A. Wilcox (1,127)
  • Kiyoshi Aman (113)
  • Max Rees (63)
  • Dan Theisen (30)
  • Laurent Bercot (23)
  • Lee Starnes (3)
  • Horst G. Burkhardt (2)
  • William Pitcock (2)
  • Marek Benc (1)
  • Brandon Bergren (1)
  • Seamus Caveney (1)
  • Rich Felker (1)
  • Samuel Holland (1)

Team

  • We welcome Laurent Bercot as a packager; he is an upstream developer for s6, utmps, and other essential system software.
  • We welcome Lee Starnes as a package maintainer for VPN software.

Adélie Linux 1.0-BETA1 Snapshot 2: Now available

The Adélie Linux Release Engineering Team is pleased to announce the immediate release of the second snapshot of Adélie Linux 1.0-BETA1 for the 32-bit and 64-bit PowerPC, 32-bit and 64-bit x86, and 64-bit ARM platforms. Learn more about Adélie Linux on our Web site.

Note: This is not the release of 1.0-BETA1. The release of 1.0-BETA1 is still scheduled for early September and will bring further improvements, including an installation system and more compliance with the POSIX® standard.

Please note: This is an early test release of Adélie Linux. While every care has been taken to ensure the stability of the system, features and packages may be missing or may not function correctly. You should always back up your computer’s data before you install a new Linux distribution. This release is being actively tested on multiple platforms. It is highly recommended that you use a dedicated computer or virtual machine to learn the environment until you are comfortable with using the Adélie Linux system and its package manager, apk.

Release Notes

All architectures

  • The Adélie Base System (adelie-base) no longer ships with Perl or vim included by default. Both of these are included in the Adélie Base POSIX System (adelie-base-posix), and are still available on the live CD.
  • GNU Privacy Guard (GnuPG, GPG) is now built with smart card and USB support.

ARMv7

Support for ARMv7 is offered on a limited testing basis only, and ARMv7 remains a Tier 2 architecture. Currently, no binary packages are available for 1.0-BETA1 snapshot.

64-bit ARM (AArch64)

No architecture-specific release notes.

PowerPC (32-bit)

No architecture-specific release notes.

PowerPC (64-bit)

  • The live CD now ships with bootinfo.txt in the place where SLOF (IBM OpenFirmware) expects it to be. This should allow automatic booting on most CHRP compatible IBM servers, including QEMU/KVM.
  • POWER8 systems will now be able to load modules on the Live CD. The POWER8 specific kernel is now built separately from Easy Kernel, allowing both kernels to coexist on the same live media.

Intel x86 (all)

  • The syslinux bootloader has been removed, in favour of the GRUB 2 bootloader.
  • All live CDs should now support EFI boot. If you encounter any issues with EFI booting on the live CD, please file an issue.

Statistics

Adélie Packages

There were 1,098 commits to packages.git between 1.0-ALPHA7 and this snapshot (86 since the last snapshot), by nine developers:

  • A. Wilcox (998)
  • Kiyoshi Aman (31)
  • Dan Theisen (29)
  • Max Rees (15)
  • Horst G. Burkhardt (2)
  • William Pitcock (2)
  • Marek Benc (1)
  • Samuel Holland (1)
  • Seamus Caveney (1)

Team

  • We welcome back Elizabeth Myers (Elizafox@), who is hard at work on a new installer framework for Adélie Linux.
  • Zach van Rijn has kindly donated a mirror server located in Pennsylvania, US.

Adélie Linux 1.0-BETA1 Snapshot is now available

The Adélie Linux Release Engineering Team is pleased to announce the immediate release of a snapshot of Adélie Linux 1.0-BETA1 for the 32-bit and 64-bit PowerPC, 32-bit and 64-bit x86, and 64-bit ARM platforms. Learn more about Adélie Linux on our Web site.

This release is based on 1.0-ALPHA7, but has been fully audited. It includes many enhancements, new packages, and bug fixes and is based on the latest and most stable, secure software. All package license fields have been professionally audited and corrected wherever they were wrong. In addition, this marks our first independent release; we are no longer a soft-fork of Alpine. This offers us many degrees of freedom.

Note: This is not the release of 1.0-BETA1. The release of 1.0-BETA1 is still scheduled for early September and will bring further improvements, including an installation system and more compliance with the POSIX® standard.

Please note: This is an early test release of Adélie Linux. While every care has been taken to ensure the stability of the system, features and packages may be missing or may not function correctly. You should always back up your computer’s data before you install a new Linux distribution. This release is being actively tested on multiple platforms. It is highly recommended that you use a dedicated computer or virtual machine to learn the environment until you are comfortable with using the Adélie Linux system and its package manager, apk.

Release Notes

All architectures

  • Easy Kernel has been updated to 4.14.56-mc9.
  • GNU gettext has been replaced with gettext-tiny. This also means that all packages that support .po files now have -lang subpackages so that they may be used in any translation they support. We are very proud to include better native language support, and we hope that this allows us to reach more people that are not comfortable using computers in English.
  • KDE Frameworks have been updated to 5.48.0, and KDE Applications have been updated from 18.04.1 to 18.04.3.
  • SPDX license identifiers are now used for every package in the distribution.
  • Thunderbird is now available on all Tier 1 architectures.

ARMv7

Support for ARMv7 is offered on a limited testing basis only, and ARMv7 remains a Tier 2 architecture. Currently, no binary packages are available for 1.0-BETA1 snapshot.

64-bit ARM (AArch64)

Since the number of test failures is now below the threshold of five packages, 64-bit ARM is now officially a Tier 1 release architecture for Adélie. All packages are officially available and supported for 64-bit ARM.

PowerPC (all)

  • FFmpeg is now compiled with AltiVec support, and will use it on any PowerPC computer that supports it, bringing large performance improvements. You may still use FFmpeg on computers without AltiVec.

PowerPC (32-bit)

No architecture-specific release notes.

PowerPC (64-bit)

  • VLC chroma support has been fixed for 64-bit big endian targets, including PowerPC.

Intel x86 (all)

  • The syslinux bootloader has been removed, in favour of the GRUB 2 bootloader.
  • All live CDs should now support EFI boot. If you encounter any issues with EFI booting on the live CD, please file an issue.

Statistics

Adélie Packages

There were 1,012 commits to packages.git between 1.0-ALPHA7 and this snapshot, by seven developers:

  • A. Wilcox (953)
  • Dan Theisen (29)
  • Kiyoshi Aman (17)
  • Max Rees (8)
  • Horst G. Burkhardt (2)
  • William Pitcock (2)
  • Marek Benc (1)

Team

  • We welcome back Elizabeth Myers (Elizafox@), who is hard at work on a new installer framework for Adélie Linux.
  • Zach van Rijn has kindly donated a mirror server located in Pennsylvania, US.