Weekly Status Report: 2020-02-16

Hello all!

The news of the week is definitely our release of Adélie Linux 1.0-RC1. It doesn’t stop there, though. We’ve made a lot of exciting progress since then.

Horizon

The DiskMan component has been written, and with it, the majority of the Qt 5-based partitioning user interface.

Calvin Buckley has rewritten the Horizon CLI tools to use Boost::program_options instead of clipp.

Infrastructure

The majority of our project servers have been upgraded to RC1 and easy-kernel 5.4.

Packages

A. Wilcox (awilfox@) has integrated graphical fixes to Firefox while updating it for the latest security patches. This should resolve most rendering issues on big-endian systems. They also enabled IPv6 support in the default Chrony configuration.

Kiyoshi Aman (aerdan@) overhauled Perl packages and updated MATE to its latest version.

Weekly Status Report: 2019-06-23

Hello all!

This has been an exciting week for Adélie Linux. We have formally created an Infrastructure Team, responsible for managing our servers and network infrastructure. This will allow us to have a more holistic approach to tending to our server systems, and help ensure that administration is handled smoothly and cleanly. We have also added and updated many packages; read on for more about these developments.

Web Site

Top 5 referring sites to the Web site:

  • 110: DistroWatch
  • 62: Google
  • 35: Reddit
  • 28: Repology
  • 21: Ungleich blog

Top 5 pages accessed (and homepage):

  • 1089: /
  • 374: /about.html
  • 133: /announcements/
  • 82: /about-qa.html
  • 51: /team.html
  • 44: /contribute.html

APK Tools

Max Rees (sroracle@) has identified and fixed an important security bug in APK Tools that has been issued CVE-2019-12875.

Kernel

A. Wilcox (awilfox@) updated the -mc patchset to 4.14.127, creating -mc14.

Packaging

A. Wilcox (awilfox@):

  • Updated 20 Perl modules to their current versions.
  • Updated many packages to their current versions, including eudev, the Enchant spell check library, file system utilities, Git, OpenSSL, the Ruby programming language, the SASS web development package, Subversion, the VLC Media Player, Wacom tablet support, various KDE applications, and various X11 applications and drivers.
  • Updated the POWER8 and POWER9 kernel package to the newest patchset.
  • Updated the packaging for the Quaternion Matrix chat client.
  • Fixed security issues in the Expat XML library and the libarchive tar package.
  • Added experimental builds for the LMMS music creation package, and the Nim programming language. (Note: These packages are not yet available for Adélie Linux.)

Kiyoshi Aman (aerdan@):

  • Fixed installation of various fonts so that they are usable in all applications.

Luis Ressel (aranea@):

  • Updated the nsd and Unbound DNS server packages.

Max Rees (sroracle@):

  • Fixed security issues in many packages, including APK Tools, Cairo, cURL, CVS, the FLAC codec, Lua, Python, the PostgreSQL database system, and the TIFF image library.

Molly Miller (sysvinit@):

  • Added the cbindgen package, a dependency of newer Firefox versions. This is also the very first Rust package for Adélie Linux!

Urgent security patch for all systems running Adélie Linux

A grave security vulnerability has been found in apk, the package manager used by Adélie Linux. The vulnerability allows any attacker on the same network as your computer to run malicious code as the superuser if you are not using HTTPS repositories in /etc/apk/repositories.

This should not affect any standard installation of Adélie Linux, as our mirrors force HTTPS and our default repositories file uses HTTPS. However, if you have added your own custom repositories, or replaced ‘https’ with ‘http’ for any reason, you are vulnerable. A patch has been released in apk-tools 2.10.1 and it is critical for you to update all of your Adélie Linux computers immediately. New ISO and root FS images for 1.0-BETA1 went live this morning UTC (around 11 hours ago).
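One way to check a system for the condition described above, as an added example that is not part of the original announcement or of apk-tools: the script lists every entry in a repositories file that uses plain http://. The function names, the sample file contents and the example.org/example.net hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Adélie or apk-tools code): find repository entries that
# apk would fetch over plain HTTP instead of HTTPS.

# Print "LINE: URL" for each http:// entry in an apk repositories file.
# Comments, blank lines, local paths and https:// entries are skipped;
# tagged entries ("@tag URL") are checked on their URL field.
insecure_repos() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            url = ($1 ~ /^@/) ? $2 : $1
            if (tolower(url) ~ /^http:\/\//) print FNR ": " url
        }
    ' "${1:-/etc/apk/repositories}"
}

# Exit status 0 when the file has no plain-HTTP entries, 1 otherwise.
repos_all_https() {
    [ -z "$(insecure_repos "$1")" ]
}

# Constructed sample file contents (hostnames and paths are placeholders).
sample_repositories() {
    cat <<'EOF'
# system repositories
https://mirror.example.org/adelie/1.0/system
@edge http://mirror.example.org/adelie/current/user
/media/cdrom/packages
HTTP://custom.example.net/repo
EOF
}

# Demonstration on the constructed sample; lines 3 and 5 are reported.
tmp=$(mktemp)
sample_repositories > "$tmp"
insecure_repos "$tmp"
rm -f "$tmp"
```

Called with no argument, insecure_repos reads /etc/apk/repositories; any line it prints should be switched to https:// in addition to updating apk-tools.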

This vulnerability was discovered in early September by Max Justicz. A patch was written on 5 September by Alpine Linux developers and released on 10 September; the vulnerability was disclosed publicly on 13 September. The Adélie Linux team was not notified of this vulnerability before the public disclosure. This vulnerability was disclosed independently to Adélie Linux by Luke Dashjr via the public disclosure by Max Justicz.

We are deeply troubled by the lack of responsible disclosure by Alpine Linux, and we are actively investigating steps we may take in the future to mitigate our continued reliance on Alpine.

Official statement on x86_64 architecture security flaws

Many of you that use x86_64 computers are likely concerned with the various security flaws that have been discovered in the silicon of virtually all 64-bit Intel CPUs this year. There have also been a few requests for packaging official microcode updates.

Unfortunately, the EULA required to install, use, and redistribute these microcode updates is non-free. Intel has ensured that providing these updates to you would cause us to violate US and European copyright and contract laws.

As further security flaws are inevitable due to the design of the x86_64 architecture, and we cannot legally provide you with the updates necessary to avoid these flaws, we highly recommend that our users invest in computers using different architectures, such as PowerPC or ARM. While the x86_64 architecture will continue to be a Tier 1 architecture for the foreseeable future, we can no longer guarantee user security or data integrity to users using x86_64 computers with Intel processors due to Intel’s restrictive licensing.

Editor’s note: The original version of this statement included the following statement: Furthermore, Intel has added a stipulation in the EULA for their latest microcode update that renders their CPUs non-free, by forbidding any usage of software that they arbitrarily determine to fall under “benchmarking”. This includes tools such as hdparm. Intel has since removed this clause from their license; however, the microcode itself is still non-free and we cannot distribute it.