Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
This reverts commit d96d979e2a.
Arne requested to revert this commit as well since dhcpcd still does not
run without any problems on i586 systems.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details (9.1.2 => 9.1.3 => 9.1.4) see:
https://roy.marples.name/blog/dhcpcd-9-1-3-released.html
"configure: Fix fallout with disabling embedded config
inet6: Add support for reporting Mobile IPv6 RA's
inet6: Report RA Proxy flag if set
BSD: Allow non NetBSD and OpenBSD to set IN6_IFF_AUTOCONF
privsep: Don't handle any signals meant for the main process
eloop: Try and survive a signal storm
configure: add --with-eghook=foo
dhcpcd: Add an option to poll the interface carrier state
script: Make visible some link level parameters to lease dumping
Linux: ignore unsupported interfaces by default, such as sit0
Linux: support aarch64 for reading cpu info
Linux: keep the generic netlink socket around to get ssid with privsep
Linux: restore fix when no address is returned by getifaddrs(3)
inet6: Don't regen temp addresses we didn't add
privsep: Don't limit file writes if logging to a file
DHCP6: Fix lease timings with nodelay option"
https://roy.marples.name/blog/dhcpcd-9-1-4-released.html
"Fix SMALL builds
Ensure DBDIR exists at startup"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://roy.marples.name/blog/dhcpcd-9-1-2-released.html
"Fix installing dhcpcd-definitions.conf rather than embedding it
NetBSD: free ARP state once IPv4LL address announced
Linux: fix compile for older distros
udev: disable plugin for non Linux OS's
BSD: Mark RA dervied addresses as AUTOCONF on NetBSD-current
BSD: Only mark static routes from dhcpcd.conf as static
DHCP6: Ensure requested addresses are requested
DHCP6: Fix prefix length calculation when no prefix specified
privsep: Implement a resource limited sandbox [1]
privsep: Remove inet and dns pledges from master process
privsep: call getifaddrs when the BSD lacks SIOCGIFALIAS
privsep: free getifaddrs the right way if from privsep or not
[1] You will see a control proxy process now. This is for the resource
limited sandbox so that we can isolate requests over the control socket.
For NetBSD, FreeBSD and derivatives such as DragonFlyBSD this is
a massive win as these OS now enjoy a similar level of protection
as Capsicum or Pledge, but without the syscall filtering."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://roy.marples.name/archives/dhcpcd-discuss/0002941.html
"* Control sockets are not opened in test mode
* privsep: no longer aborts if protocol not available
* inet6: Don't regen temporary addresses without a state
* inet6: Reduce RA log spam
* dhcp6: Don't log when things consitently fail
* inet6: Add temporary directive to slaac option [1]
* Ensure current interface flags persist when setting a flag
* DHCP via BPF is now aligned correctly
* CMSG buffers are now aligned correctly
* hostnames are no longer clobbered when being forced and a RA is recieved"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://roy.marples.name/blog/dhcpcd-8-1-0-released
"DragonFlyBSD: Improved rc.d handling
Fix carrier status after a route socket overflow
Allow domain spaced options
DHCP: Allow not sending Force Renew Nonce or Reconf Accept
IPv4LL: Now passes Apple Bonjour test versions 1.4 and 1.5
ARP: Fix a typo and remove pragma (thus working with old gcc)
DHCP6: Fix a cosmetic issue with infinite leases
DHCP6: SLA 0 and Prefix Len 0 will now add a delegated /64 address
Ignore some virtual interfaces such as Tap and Bridge by default
BPF: Move validation logic out of BPF and back into dhcpcd"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://roy.marples.name/blog/dhcpcd-8-0-6-released
"inet6: Fix default route not being installed
DHCP: If root fs is network mounted, enable last lease extend
man: Fix lint errors.
BSD: avoid RTF_WASCLONED routes
DHCP: Give a better message when packet validation fails
DHCP: Ensure we have enough data to checksum IP and UDP
The last change fixes a potential DoS attack introduced in dhcpcd-8.0.3
when the checksuming code was changed to accomodate variable length
IP headers. The commit says since 7.2.0, but I've now decided that's not
the case."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
https://roy.marples.name/blog/dhcpcd-8-0-3-released
"DHCP: Work with IP headers with options
script: Assert that env string are correctly terminated
script: Terminate env strings with no value
script: Don't attempt to use an invalid env string
route: Fix NULL deference error when using static routes
ARP: Respect IFF_NOARP
DHCP: Add support for ARPHRD_NONE interfaces
DHCP: Allow full DHCP support for PtP interfaces, but not by default
DragonFlyBSD: 500704 announces IPv6 address flag changes
control: sends correct buffer to listeners"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://roy.marples.name/
"NetBSD: Can be build without ARP support but listen to kernel DaD
ND6: Removed NA support from SMALL builds
ND6: Remove and warn about NA issues on OS's other than NetBSD and Linux
script: /tmp files are now cleaned up for systems without open_memstream(3)
configure: open_memstream(3) detected on recent glibc
DHCP: Avoid duplicate read of UDP socket when BPF is also open
IP: Avoid adding address if already exists on OS other than Linux
IP6: Avoid adding address is already exists on Solaris
route: Fixed a NULL de-reference error on statically configured routes
DHCP6: Move to REQUEST when any IA has error no-binding in RENEW/REBIND
DragonFlyBSD: Now compiles and works for
IP: Accept packets with IP header options"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://roy.marples.name/blog/dhcpcd-7-1-1-released
"A minor update, highlights include:
IPv4LL: Fixed build with this disabled
IPv4LL: Remember last address between carrier resets
BSD: Fixed initial link infos reported as LINK_STATE_UNKNOWN
FreeBSD: Avoid panicing kernel when RTA_IFP is set for IPv6 prefix routes"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For some informations about this update see:
https://roy.marples.name/blog/dhcpcd-7-1-0-released
"dhcpcd-7.1.0 has been released with the following changes:
- OpenBSD: works alongside slaacd(8)
- NetBSD: sets SO_RERROR on to detect receive socket overflow
- BSD: route improvements to avoid listening for own changes
- Linux: use NETLINK_BROADCAST_ERROR
- BSD: avoid late address deletion messages by testing address existance
- IP6: implement IP6 address sharing
- BSD: catch UP/DOWN events when interfaces does support media changes
- IPv4LL: remember old address when carrier is lost
Many other minor fixes and documenation updates have been submitted by various
community members for this release..."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Normally 576 is the smallest valid mtu but some cable provider set this
also if they support much higher mtu's. Fedora does not accept
this to prevent speed problems with such isp connections so we do the same.
If you really need mtu=576 you can still force at at the setup.
