The same firmware image may be deployed on either bare metal device or
virtualized platforms (e.g., Proxmox VE).
On bare metal device, `qemu-ga` may still be started even though no
virtio-serial channel is available, resulting in repeated attempts to
access /dev/virtio-ports/org.qemu.guest_agent.0.
This causes continuous service respawning by procd and unnecessary log
spam.
This commit adds a pre-check for /dev/virtio-ports to avoid starting
`qemu-ga` when virtio-serial support is not present.
Signed-off-by: Andy Chiang <AndyChiang_git@outlook.com>
vzlogger is a tool to read and log measurements of a wide variety of smart
meters and sensors to the volkszaehler.org middleware.
Signed-off-by: Andy Voigt <a.voigt@mailbox.org>
Large version jump from 4.8.1 to 4.19.4 (latest upstream LTS).
Build changes:
- Refresh patches/004-fix-su-controoling-term.patch: su.c moved the
ioctl() call from line 1122 to 1169 and changed (char *) 0 to
(char *) NULL; update patch context and re-canonicalise through
quilt (blank context line spacing).
- New CONFIGURE_ARGS:
* --disable-logind: 4.19.4 added an optional libsystemd-based
logind integration which OpenWrt doesn't ship.
* --without-libbsd: shadow's configure now hard-fails on missing
readpassphrase() unless libbsd is found; the in-tree
lib/readpassphrase.c fallback is enabled by --without-libbsd.
* --without-sssd: avoid dragging in an sssd build dep.
* --disable-subordinate-ids: 4.19.4 builds libsubid (subuid/subgid
runtime API) unconditionally when subids are enabled, and its
libtool -export-symbols-regex generates a version script that
binutils 2.40+ rejects against libxcrypt's versioned
crypt_checksalt@@XCRYPT_4.3 symbol. Disabling subordinate-ids
skips libsubid entirely; OpenWrt doesn't ship libsubid.
- Drop newgidmap, newuidmap, lastlog and groups from SHADOW_APPLETS:
newgidmap/newuidmap are only built when subordinate-ids are
enabled, lastlog defaults to disabled in 4.19.4, and the groups
binary was removed from shadow upstream (use coreutils).
Test coverage:
- Replace the per-applet --version check in test.sh with per-applet
functional tests:
pwck -> 'pwck -r' read-only consistency check; accept
non-zero exit since the CI container's /etc/passwd
trips minor warnings.
grpck -> 'grpck -r' read-only consistency check.
chage -> 'chage -l root' lists password aging info.
useradd -> 'useradd -D' dumps defaults without modifying state.
passwd -> 'passwd -S root' prints the password status line.
faillog -> create empty /var/log/faillog then 'faillog -a'
must emit a header line.
login/su -> PAM-interactive; presence covered by generic tests.
Other applets -> verify binary presence (CI's generic tests
already check stripped, no build paths, linked-libs).
- Add test-version.sh as a generic-version-check override: shadow
tools don't honour --version (only --help), so the framework's
probe finds no PKG_VERSION match in any binary and would otherwise
fail Generic tests for every sub-package.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Update from 017 to 019. Version 019 dropped autoconf in favour of meson,
so switch to include/meson.mk and drop PKG_FIXUP:=autoreconf and the
autoconf CONFIGURE_ARGS.
The binary lsusb no longer reads usb.ids directly; it now queries the
udev hardware database. lsusb.py still searches /usr/share/hwdata/usb.ids
for device name resolution.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Stable bug-fix release in the 2.03.x series. The bundled
device-mapper library bumps from 1.02.209 to 1.02.215; track that
in PKG_VERSION_DM as well so the libdevmapper package shows the
correct upstream version.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
New stable release on the 2.5.x development series. Highlights from
upstream's NEWS:
* gpgsm: Implement GCM encryption.
* gpgsm: New option --attribute and server command SETATTR to
include arbitrary signed or unsigned attributes into a
signature. Requires libksba >= 1.7.0 (bumped to 1.8.0 in the
preceding commit).
* gpgsm: Introduce system attribute _signingCertificateV2.
* gpg: Fix wrong assertion failure which could very rarely occur
during key signature checking.
* gpg: Consider certify-only keys for revocation signature check.
* gpgsm: Fix possible double free in the CMS parser.
* gpgsm: Fix possible too early removal of ephemeral keys.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The binary does not report the OpenWrt package version (2023.06.11~ab78c48f);
override the generic version check with test-version.sh.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The git archive hash changed due to .gitattributes normalization in the
upstream repository. Update PKG_MIRROR_HASH to the current value.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Major version jump from 1.1.1 covering the 1.2.x - 1.9.x series.
Highlights:
- portmap: implement netfilter (nft) backend; bandwidth: optimization
- bridge: support "vlanTrunk" property and DAD/PVID support
- macvlan: support "linkInContainer" mode
- ipvlan: support "linkInContainer" mode
- dhcp: support DHCP option 121 classless static routes
- host-local: handle ranges with single IP
- firewall: support "ingressPolicy" with iptables and nftables
- tuning: allow specifying tx queue length
- Go module bumps including security fixes
- Minimum Go version: 1.23
Link: https://github.com/containernetworking/plugins/releases/tag/v1.9.1
Link: https://github.com/containernetworking/plugins/blob/v1.9.1/CHANGELOG.md
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Update PKG_SOURCE_VERSION to 8a4db579f5c88af5a0d036fad34bddc9c1f703f3
(latest upstream main).
oci-runtime-tools is a rolling release without versioned upstream
releases. The new commit brings updated runtime-spec dependencies
and bug fixes accumulated since November 2024.
Link: https://github.com/opencontainers/runtime-tools/compare/f7e3563b...8a4db579
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Update the build flags to the new spelling required by fish.
The groff directory no longer exists, and the manual pages are never
built, so there's no need to remove them.
The MIPS patch was cherry-picked from upstream and can be dropped.
Signed-off-by: David Adam <zanchey@ucc.gu.uwa.edu.au>
Some SDK/host GCC configurations, when meson invokes cc.preprocess() to
expand fcobjshash.gperf.h, produce output that includes predefined macro
dumps (e.g. #define __STDC__ 1) alongside linemarker lines. The upstream
cutout.py script, which strips CUT_OUT_BEGIN/END-delimited sections from
the preprocessed output before feeding it to gperf, passes these lines
through verbatim into fcobjshash.gperf.
gperf then copies them into the declarations section of fcobjshash.h.
When fcobjs.c includes fcobjshash.h, the compiler encounters #define
redefinitions and stray # tokens, causing a build failure.
Fix cutout.py to skip any line starting with # (C preprocessor
linemarkers and predefined macro definitions) before writing to the
output gperf file.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
1.3.2 (2026-03-09):
* fsck.exfat: add an option to show a progress bar
* mkfs.exfat: discard blocks prior to write outs by default
* mkfs.exfat: add a read-after-write verification for the VBR
* exfatprogs: adjust utility exit codes
* dump.exfat: handle paths including '.', '..', and repeated '/'
* fsck.exfat: convert 0x80 entries into deleted file entries
1.3.1 (2025-12-15):
* fsck.exfat: support repairing the allocation bitmap size
* exfatprogs: temporarily disable building defrag.exfat (data loss)
* libexfat: fix a NULL pointer dereference in read_file_dentry_set()
1.3.0 (2025-10-15):
* defrag.exfat: new tool to defragment an exFAT filesystem
* mkfs.exfat: minimize zero-out initialization in quick format mode
* fsck.exfat: set the entry after an unused entry as unused
* Various bug fixes
Link: https://github.com/exfatprogs/exfatprogs/blob/1.3.2/NEWS
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Update GnuPG to the current upstream stable release. As listed at
https://gnupg.org/download/, the 2.5.x series is currently 'stable'
while 2.4.x is 'oldstable' (LTS).
Highlights of changes since 2.4.8:
* New OpenPGP key formats: Curve25519 and Curve448 (RFC9580)
* SHA3 family signature support
* Kyber post-quantum hybrid keys
* KEM (Key Encapsulation Mechanism) operations
* dirmngr: improved LDAP and HTTP keyserver support
* scdaemon: better support for new smartcard tokens
* Many bug fixes and security improvements
Link: https://dev.gnupg.org/source/gnupg/browse/master/NEWS
Link: https://gnupg.org/download/release_notes.html
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
1.7.4 (13 February 2026):
- pcsc_scan: use different variables for spin running and state
- pcsc_scan: give some time to the spinner thread in spin_start()
- Various ga workflow improvements (Windows artifact upload, etc.)
Link: https://pcsc-tools.apdu.fr/
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2.4.1 (1 January 2026):
- Add backward version support on the client side
- Add backward version support on the server side
- hotplug libudev: rescan the USB bus with "pcscd --hotplug"
- fix a value in pcscd.service systemd file
- meson: install systemd files even if libsystemd is not used
2.4.0 (19 October 2025):
- Run pcscd under a pcscd user instead of root when using systemd
- Set PIDFile in systemd service file
- Protect contextMapList modifications using a mutex
- meson: fix libpcsclite.pc, respect default_library option
Link: https://pcsclite.apdu.fr/files/ChangeLog
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
0.27.0 includes a number of CVE fixes and many improvements:
Security fixes (0.27.0):
* CVE-2025-13763: Uninitialized memory uses detected by fuzzers
* CVE-2025-49010: Write beyond buffer bounds in GET RESPONSE APDU
* CVE-2025-66215: Write beyond buffer bounds in oberthur driver
* CVE-2025-66038: Read beyond buffer bounds in PIV historical bytes
* CVE-2025-66037: Buffer overrun while parsing SPKI
General improvements:
* Added support for PKCS#11 3.2 in tools and pkcs11-spy/p11test
* Added support for Ed448, X448 mechanisms; improved Edwards and
Montgomery key support.
* Support CKA_PUBKEY_KEY_INFO PKCS#11 attribute.
* Remove obsolete tokend support.
* Correctly detect OS-level FIPS mode in OpenSSL automatically.
* Added support for Brainpool twisted curves.
* EsteID: EstEID 2025, FinEID 4.0/4.1, Latvian IDEMIA Cosmo X & 8.2.
* D-Trust Card 5.1 & 5.4 with PIN change/unblock.
* Belpic: support for belpic applet version 1.8.
* Many other card-specific improvements (OpenPGP, PIV, ...).
0.27.1 is a bug-fix release for infrastructure issues.
Link: https://github.com/OpenSC/OpenSC/blob/0.27.1/NEWS
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
1.7.1 (4 February 2026):
- Add support of: ACS APG8201-B2, BUDGET E-ID BUD001, CHERRY Smart
Board 1150, CryptnoxCR CryptnoxCR, Diebold Nixdorf PN7362au CCID,
FT BioPass FIDO2 Pro, Nitrokey Nitrokey Passkey
- Add SCARD_CTL_CODE(3601): USB path of the reader
- Some other minor improvements
1.7.0 (2 October 2025):
- Add support of: GIGA-TMS NFC CCID Reader, Identiv SmartOS Reader,
SEC1210URT, TOKEN2 FIDO2 Security Key (multiple variants),
TOKEN2 Molto2 (older version), VIX TECHNOLOGY SECURE READER
- Remove support of SIMHUB pcsc reader
- Give pcscd group permission to CCID devices in udev rule
- Avoid a timeout issue with the Thales Fusion NFC reader
- Provide the option to synchronize the 2 interfaces of a SEC1210
- Some other minor improvements
Link: https://ccid.apdu.fr/files/ChangeLog
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The upstream repository was renamed from checksec.sh to checksec and the
main script was renamed from checksec to checksec.bash (still installed as
/usr/bin/checksec). The checksec_automator subpackage was removed upstream,
so drop it. Update PKG_NAME accordingly and adjust the install rule.
Changelog: https://github.com/slimm609/checksec/releases/tag/3.1.0
Co-authored-by: George Sapkin <george@sapk.in>
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Update test.sh to use $2 (positional version argument) instead of the
$PKG_VERSION environment variable, and add a check that the alternative
binary /usr/libexec/less-gnu is present.
Changelog: https://www.greenwoodsoftware.com/less/news.692.html
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Remove <linux/prctl.h> from backend.c via Build/Prepare sed: both
<linux/prctl.h> and <sys/prctl.h> define struct prctl_mm_map in newer
musl toolchains, causing a redefinition build error. sys/prctl.h alone
provides everything fio needs.
Changelog: https://github.com/axboe/fio/blob/fio-3.42/HOWTO.rst
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Update LVM2 from 2.03.33 to 2.03.40, bundled libdm from 1.02.207 to
1.02.209.
LVM2 highlights since 2.03.33:
2.03.40 (28th April 2026):
* Many bug fixes and memory/lock leak fixes throughout the
tree (vgcreate, vgmerge, vgimportclone, pvscan, raid, dmeventd,
pvmove, lvmpolld).
* Validate area_count and metadata sizes to prevent overflows.
* Fix percent_check threshold stuck above 100% in dmeventd
thin/vdo plugins.
* Pre-create udev cookie before critical section to avoid
resume failures.
2.03.39 (13th March 2026):
* Support --interval +N to delay first poll in pvmove and lvpoll.
* Add atomic leases using Compare and Write (CAW) to lvmlockd.
* Add lvm-index(7), lvm-categories(7), lvm-args(7) man pages.
* Show active cache mode in kernel table line (lvs -o kernel_cache_mode).
* Switch from internal device_mapper library to libdm.
2.03.34 - 2.03.38:
* Persistent reservation support on a VG; VG attr character + pr
field on vgs reflecting persistent reservation status.
* dmeventd: restart with no monitored devices, no actions on
removed devices.
* Various filter, integrity, cache, raid and pvmove fixes.
libdm changes since 1.02.207 (1.02.208 / 1.02.209) consist purely
of internal cleanups and version bumps; no user-visible changes
documented in WHATS_NEW_DM.
Link: https://gitlab.com/lvmteam/lvm2/-/blob/v2_03_40/WHATS_NEW
Link: https://gitlab.com/lvmteam/lvm2/-/blob/v2_03_40/WHATS_NEW_DM
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Stable bug-fix release. All users of cryptsetup 2.8.x must upgrade.
Changes since 2.8.4:
* Fix FileVault (fvault2) metadata parsing crash with crafted images.
Reported by David Pokora (Trail of Bits/Anthropic).
* Fix reading FileVault image metadata from incorrect image offset.
* OpenSSL backend: increase the number of allowed threads to 64
(workaround for parallel Argon2 PBKDF deadlock).
* Fix LUKS2 reencryption lock name when the device is being reencrypted.
* Check UUID of the resumed device to match UUID stored in metadata.
* Add a specific error for failed detached header allocation.
* Fix tests not to use aes-generic kernel cipher name (Linux 7.0+).
* Fix OpenSSL crypto backend if built with LibreSSL.
* Several compatibility fixes to the alternative Meson configuration.
* Various code fixes based on AI-assisted reviews (memory wiping,
error paths, integrity sector overflow, device-mapper flags, ...).
Link: https://gitlab.com/cryptsetup/cryptsetup/-/blob/v2.8.6/docs/v2.8.6-ReleaseNotes
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Changes in 0.1.7 (2025-04-07):
* Drop the autotools build system
* Unbreak the CI
* Prevent a crash on disconnect
* Fix building with glibc >= 2.43
* Fix the eavesdrop filtering to prevent message interception
Link: https://github.com/flatpak/xdg-dbus-proxy/blob/0.1.7/NEWS
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Changes from 5.3.x to 5.4.0:
* Use Mike Haertel's MinRX regular expression matcher by default.
The old regex and dfa engines are still available.
* New @nsinclude directive: like @include but doesn't reset
the namespace to "awk".
* lshift()/rshift() return 0 when shifting more bits than in uintmax_t.
* Persistent memory: store meta-info in backing file; warn on
version mismatch; allow dynamic extensions with persistent memory.
* ordchr extension now supports multibyte / wide characters.
* length(array) is no longer an extension (POSIX 2024); --posix
no longer rejects it and --lint no longer warns.
* --traditional rationalised to match BWK awk behaviour.
* Assertions are now enabled in the C code.
* Hexadecimal floating-point values may now be used in source,
strtonum() and -n/--non-decimal-data option.
* UDP networking support is now deprecated, will be removed in 6.0.
* Reading regular disk input files is somewhat faster (no timeout check).
* Various bug fixes.
Link: https://git.savannah.gnu.org/cgit/gawk.git/plain/NEWS?h=gawk-5.4.0
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2026-04-06: Version 7.5.5
* New option --error-binary: Return an error if a
binary file is skipped.
* Fix: dos2unix error on empty input. The problem was introduced
in version 7.5.4.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
0.11.2 (CVE-2026-41163):
* In setuid mode, don't run the low-privileged parts of the setup
as dumpable, as that allows it to be ptraced which can lead to problems.
* New build option -Dsupport_setuid, which if set to false (the default)
disables the support for setuid.
0.11.1:
* Reset disposition of SIGCHLD, restoring normal subprocess management
if bwrap was run from a process that was ignoring that signal.
* Don't ignore --userns 0, --userns2 0 or --pidns 0 if used.
* Fix grammar in an error message and a broken link in the documentation.
Link: https://github.com/containers/bubblewrap/blob/v0.11.2/NEWS.md
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Update from 1.27.0 to 1.28.0, tracking the MicroPython 1.28.0 release.
Add version check to test.sh using importlib.metadata to verify the
installed package version matches the expected version string.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Javier Marcet