Commit Graph

36507 Commits

Author SHA1 Message Date
Jan Havelka 1147330003 curl: enable zlib support by default
zlib is already a default package required by apk

Signed-off-by: Jan Havelka <dzavy@dzavy.net>
2026-05-22 06:59:39 +03:00
George Sapkin 61f7a792d5 adguardhome: bump to 0.107.76
Changes: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.76
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-22 06:57:54 +03:00
Alexandru Ardelean dc52894904 shadow: update to 4.19.4
Large version jump from 4.8.1 to 4.19.4 (latest upstream LTS).

Build changes:
- Refresh patches/004-fix-su-controoling-term.patch: su.c moved the
  ioctl() call from line 1122 to 1169 and changed (char *) 0 to
  (char *) NULL; update patch context and re-canonicalise through
  quilt (blank context line spacing).
- New CONFIGURE_ARGS:
  * --disable-logind: 4.19.4 added an optional libsystemd-based
    logind integration which OpenWrt doesn't ship.
  * --without-libbsd: shadow's configure now hard-fails on missing
    readpassphrase() unless libbsd is found; the in-tree
    lib/readpassphrase.c fallback is enabled by --without-libbsd.
  * --without-sssd: avoid dragging in an sssd build dep.
  * --disable-subordinate-ids: 4.19.4 builds libsubid (subuid/subgid
    runtime API) unconditionally when subids are enabled, and its
    libtool -export-symbols-regex generates a version script that
    binutils 2.40+ rejects against libxcrypt's versioned
    crypt_checksalt@@XCRYPT_4.3 symbol. Disabling subordinate-ids
    skips libsubid entirely; OpenWrt doesn't ship libsubid.
- Drop newgidmap, newuidmap, lastlog and groups from SHADOW_APPLETS:
  newgidmap/newuidmap are only built when subordinate-ids are
  enabled, lastlog defaults to disabled in 4.19.4, and the groups
  binary was removed from shadow upstream (use coreutils).

Test coverage:
- Replace the per-applet --version check in test.sh with per-applet
  functional tests:
    pwck     -> 'pwck -r' read-only consistency check; accept
                 non-zero exit since the CI container's /etc/passwd
                 trips minor warnings.
    grpck    -> 'grpck -r' read-only consistency check.
    chage    -> 'chage -l root' lists password aging info.
    useradd  -> 'useradd -D' dumps defaults without modifying state.
    passwd   -> 'passwd -S root' prints the password status line.
    faillog  -> create empty /var/log/faillog then 'faillog -a'
                must emit a header line.
    login/su -> PAM-interactive; presence covered by generic tests.
    Other applets -> verify binary presence (CI's generic tests
                 already check stripped, no build paths, linked-libs).
- Add test-version.sh as a generic-version-check override: shadow
  tools don't honour --version (only --help), so the framework's
  probe finds no PKG_VERSION match in any binary and would otherwise
  fail Generic tests for every sub-package.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-22 06:57:39 +03:00
Alexandru Ardelean accbf1791f libupnpp: update to 1.0.4
Update from 0.26.5 to 1.0.4 (major version jump 0.x -> 1.x).

Changes:
- Add +libcurl to DEPENDS: libupnpp 1.0.4 introduced a new mandatory
  dependency on libcurl (used for HTTP/SOAP communications)
- Build system remains meson (already in use)
- No patches needed

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-22 06:57:39 +03:00
John Audia 6441ba09c1 rsync: update to 3.4.3
Changelog: https://download.samba.org/pub/rsync/NEWS#3.4.3

This is an important update fixing 6 CVEs: CVE-2026-29518,
CVE-2026-43617, CVE-2026-43619, CVE-2026-43618,
CVE-2026-43620, and CVE-2026-4523

Signed-off-by: John Audia <therealgraysky@proton.me>
2026-05-22 08:05:14 +08:00
Alexandru Ardelean 93759026fd libudev-zero: backport hwdb USB ID lookup from upstream master
Replace the four stub udev_hwdb_*() functions with a working
implementation that looks up vendor and product names from
/usr/share/hwdata/usb.ids, so callers using the standard libudev
hwdb API benefit without needing package-specific patches.

The patch is a clean backport of upstream commit 2bebebc9e0444
("udev: implement hwdb USB ID lookup from usb.ids (#80)") merged
to illiliti/libudev-zero master on 2026-05-19, post-1.0.3. Drop
when the package is bumped to the next libudev-zero release.

Upstream now defaults USB_IDS_PATH to ${SHAREDIR}/hwdata/usb.ids
with SHAREDIR=${PREFIX}/share, so the explicit
USB_IDS_PATH=/usr/share/hwdata/usb.ids in MAKE_FLAGS is no longer
needed and is dropped.

Fixes: https://github.com/openwrt/packages/issues/29386

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-21 20:28:51 +03:00
Alexandru Ardelean 1f0bfd80c7 usbutils: update to 019, switch to meson
Update from 017 to 019. Version 019 dropped autoconf in favour of meson,
so switch to include/meson.mk and drop PKG_FIXUP:=autoreconf and the
autoconf CONFIGURE_ARGS.

The binary lsusb no longer reads usb.ids directly; it now queries the
udev hardware database. lsusb.py still searches /usr/share/hwdata/usb.ids
for device name resolution.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-21 20:28:51 +03:00
Alexandru Ardelean 3695f1dae5 hwdata: update to 0.407
Refresh the hardware database with the latest USB, PCI and PnP IDs.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-21 20:28:51 +03:00
Dirk Brenken 4d4e34eb13 adblock: update 4.5.5-5
- f_etag performance optimization: single-pass awk consolidating count+match
- f_report: minor performance optimization
- LuCI: prevent possible report refresh timeouts

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-20 22:51:35 +02:00
Til Kaiser 71cb3a2dbd mstflint: update to 4.36.0-1
This commit updates the mstflint package
to the latest 4.36.0-1 release.

Obsolete patches have been removed,
as they are now included in this version.

Release notes:
https://github.com/Mellanox/mstflint/releases/tag/v4.36.0-1

Signed-off-by: Til Kaiser <mail@tk154.de>
2026-05-20 21:27:20 +03:00
Alexandru Ardelean d4d4e3e419 perl: fix miniperl missing execute permission (CI fix)
On some build systems, the miniperl binary is created without execute
permission (errno 126 when running it as /bin/sh). This breaks building
the mro extension and cascades to all dependent packages.

Fix by ensuring chmod +x on miniperl after the main build step.
This matches how many other build systems handle this same issue.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-20 20:09:52 +03:00
Jens Wagner 8c62419cd8 perl: fix dependency issues in archive, pod and test
perlbase-archive, perlbase-pod and perlbase-test
had executable utilities with missing dependencies.

Fixes: https://github.com/openwrt/packages/issues/29425
Fixes: https://github.com/openwrt/packages/issues/29426
Fixes: https://github.com/openwrt/packages/issues/29427

As discussed in PR 29463
https://github.com/openwrt/packages/pull/29463

those are either non-working or useless on OpenWrt,
therefore they have been removed.

Signed-off-by: Jens Wagner <jens@wagner2013.de>
2026-05-20 15:22:53 +02:00
Jens Wagner 95b7bf91a7 perl: fix missing line numbers in error messages
There were some type definitions missing in architecture.config,
that caused perl to return '%' instead of actual line numbers.

Fixes: https://github.com/openwrt/packages/issues/25912

Signed-off-by: Jens Wagner <jens@wagner2013.de>
2026-05-20 15:22:53 +02:00
Daniel Golle de24c87506 libjwt: update to 3.3.3
Patch release on the 3.3.x series.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-05-20 13:21:20 +01:00
Daniel Golle 75d4b7a129 lvm2: update to 2.03.41
Stable bug-fix release in the 2.03.x series. The bundled
device-mapper library bumps from 1.02.209 to 1.02.215; track that
in PKG_VERSION_DM as well so the libdevmapper package shows the
correct upstream version.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-05-20 13:20:42 +01:00
Alexandru Ardelean e1edf904a3 ola: fix host build by inheriting host PKG_CONFIG_PATH
The ola host build (HostBuild path that produces ola_protoc_plugin)
failed in clean buildbot environments with:

  configure: error: Missing the uuid library

even though libuuid is provided by tools/util-linux and is staged
at $(STAGING_DIR_HOST)/lib/pkgconfig/uuid.pc.

Root cause: HOST_CONFIGURE_VARS overrode PKG_CONFIG_PATH with

  PKG_CONFIG_PATH="$(STAGING_DIR_HOSTPKG)/usr/protobuf-compat/lib/\
pkgconfig:$(PKG_CONFIG_PATH)"

$(PKG_CONFIG_PATH) here is the make-time variable, which is never
set for host context (include/host-build.mk only exports it as a
per-rule env variable, not a make variable). It therefore expanded
to the empty string, and the resulting single-entry PKG_CONFIG_PATH
overrode the exported defaults from host-build.mk, hiding uuid.pc
from the host pkg-config wrapper.

Fix: refer to the env variable via shell expansion ($$PKG_CONFIG_PATH)
instead of the make variable. The make recipe expands $$ to $, and
the shell resolves $PKG_CONFIG_PATH from the inherited environment
populated by include/host-build.mk (which sets it to
$(STAGING_DIR_HOST)/lib/pkgconfig:$(HOST_BUILD_PREFIX)/lib/pkgconfig).

Fixes: 5e4f937e ("ola: use protobuf-compat instead of protobuf")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-20 09:41:06 +03:00
Alexandru Ardelean 98a90ef9f3 rsyslog: make libyaml support optional via RSYSLOG_libyaml
The upstream rsyslog build links against libyaml-0.so.2 whenever
pkg-config detects yaml-0.1, which made libyaml a hard dependency
of the rsyslog binary without any way to opt out from OpenWrt
config. libyaml is only used for YAML (.yaml/.yml) configuration
files and for loading rate-limiting policies from external files;
RainerScript (.conf) installs do not need it.

Introduce a new RSYSLOG_libyaml Config.in switch, default off, and
gate the +libyaml DEPENDS entry on it. Pass --enable-libyaml or
--disable-libyaml to configure based on the switch.

The upstream configure script in 8.2604.0 does not understand a
--disable-libyaml flag (libyaml was unconditionally autodetected).
Backport upstream commit c5c244861 ("configure: make libyaml
default-on explicit") as 001-configure-make-libyaml-default-on-
explicit.patch, which adds the AC_ARG_ENABLE(libyaml) block. The
patch dissolves cleanly once the package is bumped to 8.2606.0+.
PKG_FIXUP:=autoreconf is added so the configure.ac change flows
into the generated configure script during the SDK build.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-20 08:57:38 +03:00
George Sapkin a3e62ace73 adguardhome: bump to 0.107.75
Changes: https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.75
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-20 04:12:13 +03:00
Daniel Golle 50a4d6525d libinput: update to 1.31.2
Stable bug-fix release in the 1.31.x series. No API changes.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-05-20 00:48:37 +01:00
Daniel Golle ce02704de4 gnupg2: update to 2.5.20
New stable release on the 2.5.x development series. Highlights from
upstream's NEWS:

 * gpgsm: Implement GCM encryption.

 * gpgsm: New option --attribute and server command SETATTR to
   include arbitrary signed or unsigned attributes into a
   signature. Requires libksba >= 1.7.0 (bumped to 1.8.0 in the
   preceding commit).

 * gpgsm: Introduce system attribute _signingCertificateV2.

 * gpg: Fix wrong assertion failure which could very rarely occur
   during key signature checking.

 * gpg: Consider certify-only keys for revocation signature check.

 * gpgsm: Fix possible double free in the CMS parser.

 * gpgsm: Fix possible too early removal of ephemeral keys.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-05-20 00:40:22 +01:00
Daniel Golle 72b058aaa4 libksba: update to 1.8.0
Minor version bump on the GnuPG X.509 library. Highlights from
upstream's NEWS:

 1.8.0 (2026-05-13)
  * New function ksba_cms_get_attribute.
  * Support building of unsigned attributes with
    ksba_cms_add_attribute.

 1.7.0 (2026-05-07)
  * Add support for building AuthEnvelopedData.
  * New function ksba_cms_add_attribute.
  * Fix silent truncation of 64 bit length fields.
  * Fix incorrect overflow guard condition in _ksba_ber_read_tl.

The added interfaces (ksba_cms_add_attribute, _get_attribute) are
required by GnuPG >= 2.5.20 to expose gpgsm's --attribute option.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-05-20 00:40:22 +01:00
Daniel Golle 25f0fdbbae postgresql: update to 18.4
PostgreSQL 18.4 is a quarterly bug-fix release of the 18.x major
series. No security advisories listed against this release.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-05-20 00:29:58 +01:00
Daniel Golle 5ea60802e0 openal-soft: update to 1.25.2
Stable bug-fix release in the 1.25.x series. Highlights from
upstream's ChangeLog include:

 * Fix STL hardening assertion in the reverb effect.
 * Fix a potential crash with older PipeWire headers.
 * Fix capturing mono from a stereo or greater WASAPI input device.
 * Add capture support to the SDL3 backend.
 * Implement 3D processing for Distortion, Chorus, Flanger,
   Pitch Shifter and Frequency Shifter effects.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-05-20 00:29:31 +01:00
Qingfang Deng 5823a0fb6c openvpn: use mbedtls by default
When luci-proto-openvpn is selected in `make menuconfig`,
openvpn-openssl is picked up automatically. As mbedTLS is the default
TLS package, set DEFAULT_VARIANT on openvpn-mbedtls so that it is used
by default.

Signed-off-by: Qingfang Deng <dqfext@gmail.com>
2026-05-19 10:04:17 +03:00
John Audia 021738c683 ripgrep: bump to 15.1.0
Changelog:
https://github.com/BurntSushi/ripgrep/releases/tag/15.1.0

Signed-off-by: John Audia <therealgraysky@proton.me>
2026-05-19 08:50:55 +03:00
Stijn Tintel b0573bf6be vallumd: bump to 0.2.3
Drop upstreamed patches.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2026-05-19 08:50:43 +03:00
Jon Henrik Bjørnstad 8cd445cda2 qbee-agent: bump version to 2026.19
Bump version to 2026.19

Signed-off-by: Jon Henrik Bjørnstad <jonhenrik@qbee.io>
2026-05-19 08:50:13 +03:00
Wei-Ting Yang c41f0fc54b python-urllib3: update to 2.7.0
Fix CVE-2026-44431 and CVE-2026-44432.

Full release notes:
https://github.com/urllib3/urllib3/releases/tag/2.7.0

- Drop 0001-relax-setuptools-scm-version-constraint.patch since
  upstream changed the setuptools-scm constraint to >=8,<11.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2026-05-19 08:49:41 +03:00
Tianling Shen d096c3d706 v2ray-core: Update to 5.49.0
Release note: https://github.com/v2fly/v2ray-core/releases/tag/v5.49.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-05-19 10:59:49 +08:00
Tianling Shen 26349723da v2ray-geodata: Update to latest version
Update all geodata.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-05-19 10:59:24 +08:00
Andris PE 737c40fbb9 simple-captive-portal: order nft chains predictably
Adjust simple-captive-portal firewall chain priority to apply before
default chain deterministically

Signed-off-by: Andris PE <neandris@gmail.com>
2026-05-18 21:26:42 -04:00
Dirk Brenken dc39393c1b banip: update 1.8.8-4
- f_etag performance optimization: single-pass awk consolidating count+match
- f_report performance optimization: significantly reduce subshell spawning
- f_lookup performance optimization: DNS resolution parallelized per domain via subshells
- LuCI: prevent possible report refresh timeouts

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-18 23:21:43 +02:00
Fotios Kitsantas 3d12578d58 ddns-scripts: add blazingfast.io Anycast DNS provider
Add DDNS update support for blazingfast.io Anycast DNS via their
REST API. Authentication is performed via JWT token obtained from
the login endpoint. Zone records are fetched to verify the record
type before update, ensuring IPv4 services only target A records
and IPv6 services only target AAAA records.

Service, zone and record IDs are passed via param_opt as
space-separated key=value pairs:
  service_id=X zone_id=Y record_id=Z

curl --config file approach is used throughout to avoid eval and
shell injection from user-controlled values. Supports both IPv4
and IPv6. For dual-stack, create two separate DDNS service sections
with their respective record IDs.

Tested on GL.iNet MT5000 (Brume 3) running OpenWrt with
ddns-scripts 2.8.2.

Signed-off-by: Fotios Kitsantas <fkitsantas@icloud.com>
2026-05-18 11:44:25 +02:00
Daniel Golle 5adf844b2b inotify-tools: update to 4.25.9.0
Update from 4.23.9.0.

The 4.25.9.0 release brings various fixes and updates accumulated
since 4.23 including build system fixes, smaller bug fixes and
maintenance updates.

Link: https://github.com/inotify-tools/inotify-tools/releases/tag/4.25.9.0
Link: https://github.com/inotify-tools/inotify-tools/blob/4.25.9.0/ChangeLog
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-05-17 13:37:02 +01:00
George Sapkin 292671a429 vim: move version checks to override
Move existing version checks into override and add explicit package checks.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin 97edc9f52d unbound: add version check override
Add version check override script.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin 1130219346 python-tabulate: add version check override
Skip version checks as none of the executables seem to report their
versions.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin 31247cdbe5 python-pyserial: add version check override
Skip version checks as none of the executables seem to report their
versions.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin e2ffecaab6 python-pyserial: fix host build
Fixes: ac212e0c ("python-pyserial: add hostbuild")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin 9d69e4fa24 python3: add more packages to version check overrides
Add source packages and library to version check overrides.

Fixes: b5d3a38e ("python3: move version checks to override")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin f596c12885 libucontext: add version check override
Skip version checks as none of the executables seem to report their
versions.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin 8e2717f6b6 libftdi1: add version check override
Add explicit ftdi_eeprom version and a matching version check override.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin 2e592c483d libcap-ng: fix version check override
Fixes: 12b01bad ("libcap-ng-bin: add test-version.sh to skip version check")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin ea17cb3fef krb5: add version check override
Skip version checks as none of the executables seem to report their
versions.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
George Sapkin f2ff06a648 avahi: move version checks to override
Move existing version checks into override and add explicit package checks.

Signed-off-by: George Sapkin <george@sapk.in>
2026-05-17 14:35:31 +03:00
Dirk Brenken a6737bbedf travelmate: update 2.4.5-3
- re-added the accidentally removed 'trm_lookupcmd',
  still used in the auto-login scripts

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-17 12:52:35 +02:00
Chester A. Unal e4c001251e bsbf-openwrt-resources: improve iface type detection and DNS
To find the correct network interface to create a network entry for, check
which driver is driving the network interface.

Restrict creating a network entry with DHCP client to network interfaces
driven by the cdc_ether, r8152, rndis_host, or ipheth driver.

Ensure UCI section name derived from interface name is proper.

Do not disable using DNS servers advertised by the ISP. This was a
requirement of bsbf-bonding. We can now do this as we transparently proxy
all DNS traffic to Xray which resolves queries.

Do not exit non-zero as it's useless.

Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
2026-05-17 10:13:54 +01:00
Chester A. Unal 87d61fe943 bsbf-resources: update to GIT HEAD of 2026-05-16
Update bsbf-resources to the GIT HEAD of 2026-05-16.

- files/etc/uci-defaults/99-bsbf-bonding:
  - Do not ever exit non-zero. It prevents the script from being deleted
    after it's run.
  - Fix creating a new wan zone.
  - Do not disable using DNS servers advertised by the ISP. We can now do
    this as we transparently proxy all DNS traffic to Xray which resolves
    queries.

- files/usr/sbin/bsbf-bonding:
  - Attempting to source a file that doesn't exist breaks the rest of the
    script. Therefore, only source /etc/bsbf/bsbf-bonding.conf if it
    exists. Then, print to stderr if the configuration is improper.

Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
2026-05-17 10:13:54 +01:00
Wei-Ting Yang b63a1ebcd2 python-certifi: update to 2026.4.22
Use the latest CA bundle from Mozilla.

Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
2026-05-17 08:59:58 +02:00
Jens Wagner 75d03ef982 perl-io-socket-ssl: update to 2.098
Changelog: https://metacpan.org/dist/IO-Socket-SSL/changes

Signed-off-by: Jens Wagner <jens@wagner2013.de>
2026-05-17 08:56:14 +02:00