- Update from 2.1.1 (2016) to 2.3.0 (2021)
- Update of rootfile
- A build dependency has been added for twine. As this is to support the upload of
packages to PyPI it will not be used for IPFire. The changelog just notes the addition
of twine as a build dependency without any explanation. See entry in version 2.2.4
No other change was made when this dependency was added to setup.py
Adding twine added 9 further dependencies some of which caused further dependencies and
so on. 19 additional new packages were reached and the system was still coming up with
more.
Created a patch to remove the twine build dependency from setup.py
Subsequently found other people had done the same thing as there was no response to
requests from other people to not have it as a build dependency for situations where
packages were not going to be uploaded to PyPI.
- Changelog
Version 2.3.0
:Released: 2021-02-21
:Maintainer: Ben Finney <ben+python@benfinney.id.au>
Removed:
* Remove support for Python versions older than Python 3.
Python 2 has been unsupported by the Python project since 2020.
* Remove dependency on back-ported `unittest2` and `mock`.
Depend instead on standard library `unittest` and `unittest.mock`.
Thanks to Michał Górny for the merge requests.
Version 2.2.4
:Released: 2019-10-27
:Maintainer: Ben Finney <ben+python@benfinney.id.au>
Bugs Fixed:
* Run the Setuptools `egg-info` command as part of the `build`
command.
Closes: Pagure #31. Thanks to Stanislav Levin for the bug report and
diagnosis.
* Create the socket and catch “non-socket” errors.
Closes: Pagure #34. Thanks to Miro Hrončok for the bug report and
patch.
* Only deal with a range of file descriptors if the range is not empty.
Closes: Pagure #39. Thanks to Alex Pyrgiotis for the test scenario.
* Declare Twine as a build dependency.
* Reformat the change log entries with keepachangelog.com sub-sections.
Changed:
* Upgrade Tox dependency to version “3.7.0”.
Thanks to Miro Hrončok for the contribution.
* Significant speed-up to discovery of file descriptors to close.
By using a native `tuple` for the heavily-used file descriptor range
representation, this gives approximately 5× faster calls to
`close_all_open_files` in the typical case. This partially addresses
Pagure #40.
Thanks to Alex Pyrgiotis for testing various alternative proposals.
* Refactor the build system to use Makefile modules for each topic.
Version 2.2.3
:Released: 2019-01-21
:Maintainer: Ben Finney <ben+python@benfinney.id.au>
Bugs Fixed:
* Use custom fake file type for testing `fileno` behaviour.
This works around an incompatibility in Python 2.7 `file` type that
caused test cases to fail.
Deprecated:
* Promote the warning for `runner` module to a `DeprecationWarning`.
This has been an unofficial example module from the beginning, and
it will be removed in a future version.
Version 2.2.2
:Released: 2019-01-19
:Maintainer: Ben Finney <ben+python@benfinney.id.au>
Bugs Fixed:
* Remove from the build system specification a white space character
not permitted in TOML format.
Added:
* Implement test suite automation in virtualenvs, using Tox.
Version 2.2.1
:Released: 2019-01-18
:Maintainer: Ben Finney <ben+python@benfinney.id.au>
Added:
* Add a :PEP:`518` conformant build system specification (the
``pyproject.toml`` file).
Version 2.2.0
:Released: 2018-08-15
:Maintainer: Ben Finney <ben+python@benfinney.id.au>
Bugs Fixed:
* Correct the description of the return value for
`daemon.is_detach_process_context_required`.
Closes: Pagure #6.
* Set a sensible default for `Distribution.script_name`.
This works around a bug in Setuptools which calls commands before
the `Distribution` is initialised.
Closes: Pagure #2.
Changed:
* The test suite now relies on the test discovery feature in
‘unittest’. This feature is in Python version 2.7 and later.
* Improve performance of `daemon.close_all_open_files`.
Thanks to Darek Działak for the implementation.
Closes: Pagure #10.
Version 2.1.2
:Released: 2016-10-26
:Maintainer: Ben Finney <ben+python@benfinney.id.au>
Added:
* Add a README document for the code base.
Changed:
* Migrate code project hosting to Pagure.
Record the change of homepage URL in PyPI metadata.
Deprecated:
* Raise a warning that the ‘runner’ module is pending deprecation.
This has been an unofficial example module from the beginning, and
it will be removed in a future version.
Bugs Fixed:
* Ensure custom types are part of the Python type hierarchy.
* Avoid a circular dependency for the version string at install time.
Thanks to Maarten van Gompel for the reproducible test case.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For some reason, this module is not present after the very first boot of
an IPFire installation.
Fixes: #12767
Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 5.1.012 to 5.1.016
- Update of rootfile not required
- Changelog
Patch 013 - Bash did not always perform tilde expansion following an unquoted colon on
the rhs of an assignment statement in posix mode.
Patch 014 - Bash may produce corrupted input if a multibyte character spans a 512-byte
boundary while reading the output of a command substitution.
Patch 015 - There are some characters (e.g., cyrillic) that can't be displayed using
certain single-byte encodings (e.g., cp1251) because the negative signed
int is interpreted as EOF and not displayed.
Patch 016 - Multiple `!' tokens should toggle negation of an expression in a [[
conditional command, instead of simply negating the expression.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Removing a lot of duplicate code parsing meta files, now replaced by
simple function calls, resulting in all metadata in one hash.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This should *actually* exclude everything we want to exclude and
*actually* strip everything to the maximum.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update of lfs
- Update of rootfile
- Addition of Spanish file provided by Roberto Peña (listed as author)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Fixes pakfire list installed/notinstalled command displaying the
count of all available paks instead of the count of actual installed
respectively not installed paks.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
-update arm-trusted firmware to 2.6
-fix mac address generation on R2S because the CPUID fuses are not uniqe
-add support for NanoPi R4S
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 4.2.1 (2015) to 4.11.1 (2021)
- Update rootfile
- Update patch for suppression of groups installation
- Change default hash from sha512 to yescrypt in lfs and logins.def
- Changelog
* Release 4.11.1
* build: include lib/shadowlog_internal.h in dist tarballs (Sam James)
* Release 4.11
* Handle possible TOCTTOU issues in usermod/userdel (edneville)
* (CVE-2013-4235)
* Use O_NOFOLLOW when copying file
* Kill all user tasks in userdel
* Fix useradd -D segfault (Xi Ruoyao)
* Clean up obsolete libc feature-check ifdefs (Alejandro Colomar)
* Fix -fno-common build breaks due to duplicate Prog declarations
(Adam Sampson)
* Have single date_to_str definition (Alejandro Colomar)
* Fix libsubid SONAME version (Sam James)
* Clarify licensing info, use SPDX.
* Release 4.10
Note: From this release forward, su from this package should be
considered deprecated. Please replace any users of it with su from
util-linux. Please open an issue if there is a problem with that.
We intend to remove it in an upcoming release.
This release features many fixes expecially to the building of
libsubid, some SELinux labeling issues, and a few signaling
issues.
* libsubid fixes (Xi Ruoyao, Serge Hallyn, Iker Pedrosa, Mike Gilbert,
GalaxyMaster, and Luís Ferreira)
* Rename the test program list_subid_ranges to getsubids, write
a manpage, so distros can ship it. (Iker Pedrosa)
* Add libeconf dep for new*idmap (Iker Pedrosa)
* Allow all group types with usermod -G (Iker Pedrosa)
* Avoid useradd generating empty subid range (Iker Pedrosa)
* Handle NULL pw_passwd (Jaroslav Jindrak)
* Fix default value SHA_get_salt_rounds (Mike Gilbert)
* Use https where possible in README (Paul Menzel)
* Update content and format of README (Iker Pedrosa)
* Translation updates (Balint Reczey, Frans Spiesschaert)
* Switch from xml2po to itstool in 'make dist' (Serge Hallyn)
* Fix double frees (Michael Vetter)
* Add LOG_INIT configurable to useradd (Andy Zaugg)
* Add CREATE_MAIL_SPOOL documentation (Andy Zaugg)
* Create a security.md
* Fix su never being SIGKILLd when trapping TERM (Ruihan li)
* Fix wrong SELinux labels in several possible cases (Iker Pedrosa)
* Fix missing chmod in chadowtb_move (GalaxyMaster)
* Handle malformed hushlogins entries (Tobias Stoeckmann)
* Fix groupdel segv when passwd does not exist (François Rigault)
* Fix covscan-found newgrp segfault (Iker Pedrosa)
* Remove trailing slash on hoedir (Ed Neville)
* Fix passwd -l message - it does not change expirey (Ed Neville)
* Fix SIGCHLD handling bugs in su and vipw (Tobias Stoeckmann)
* Remove special case for "" in usermod (Alejandro Colomar)
* Implement usermod -rG to remove a specific group
(Andy Zaugg)
* call pam_end() after fork in child path for su and login
(Björn Fischer)
* useradd: In absence of /etc/passwd, assume 0 == root
(Ludwig Nussel)
* lib: check NULL before freeing data (Iker Pedrosa)
* Fix pwck segfault (Iker Pedrosa)
* Release 4.9
2021-07-22 Serge Hallyn <serge@hallyn.com>
* Updated translations (Björn Esser, Juergen Hoetzel)
* Major salt updates (Björn Esser)
* Various coverity and cleanup fixes (Iker Pedrosa)
* Consistently use 0 to disable PASS_MIN_DAYS in man (tzccinct)
* Implement NSS support for subids and a libsubid (Serge Hallyn)
* setfcap: retain setfcap when mapping uid 0 (Christian Brauner)
* login.defs: include HMAC_CRYPTO_ALGO key (Iker Pedrosa)
* selinux fixes (Christian Göttsche)
* Fix path prefix path handling (Lucas Servén Marín)
* Manpage updates (tzccinct, Sevan Janiyan, Iker Pedrosa, Geert Ijewski,
谭九鼎, Jamin W. Collins, towerpark, andydna, Frans Spiesschaert)
* Treat an empty passwd field as invalid (Haelwenn Monnier)
* newxidmap: allow running under alternative gid (Martijn de Gouw)
* usermod: check that shell is executable (Geert Ijewski)
* Add yescript support (Rodolphe Bréard)
* useradd memleak fixes (whzhe)
* useradd: use built-in settings by default (Ludwig Nussel)
* getdefs: add foreign (non-shadow-utils) items (Karel Zak)
* buffer overflow fixes (Tobias Stoeckmann)
* Adding run-parts style for pre and post useradd/del (ed@s5h.net)
2020-01-23 Serge Hallyn <serge@hallyn.com>
* selinux: inclue stdio (Michael Vetter)
* man: don't suggest making groupmems user-writeable (Michael Weiser)
* Makefile: bail out on error in for loops (Wolfgang Bumiller)
* Adding logging of SSH_ORIGINAL_COMMAND to nologin. (ed@s5h.net)
* add new HOME_MODE login.defs option (Duncan Overbruck)
* Add tty logging to useradd (ed@s5h.net)
* Useradd: make non-executable shell check only a warning (Tomas Mraz)
* Update Dutch translation (Frans-Spiesschaert)
* user_busy: Do not mistake a regular user process for a namespaced one (Tomas Mraz)
* Revert "Honor --sbindir and --bindir for binary installation" Patrick McLean)
2019-12-20 Dave Reisner <dreisner@archlinux.org>
* Do not auto-enable acct_tools_setuid just because
pam is enabled. NOTE - any distros which are relying
on this behavior will need to switch to configure
--enable-account-tools-setuid
* Release 4.8
2019-12-01 Serge Hallyn <serge@hallyn.com>
* Initial optional bcrypt support.
* Make build/install of 'su' optional.
* Fix for vipw not resuming correctly when suspended
* Sync password field descriptions in manpages
* Check for valid shell argument in useradd
* Allow translation of new strings through POTFILES.in
* Migrate to itstool for translations
* Migrate to new SELinux api
* Support --enable-vendordir
* pwck: Only check homedir if set and not a system user
* Support nonstandard usernames
* sget{pw,gr}ent: check for data at EOL
* Add YYY-MM-DD support in chage
* Fix failing chmod calls for suidubins
* Fix --sbindir and --bindir for binary installations
* Fix LASTLOG_UID_MAX in login.defs
* Fix configure error with dash
* Release 4.7
2019-06-13 Serge Hallyn <serge@hallyn.com>
* Spawn: don't loop forever on ECHILD
* Do not fail locking if there is a stale lockfile Tomas Mraz)
* Use lckpwdf if prefix not set (Tomas Mraz)
* Build: check correct DocBook version (Jan Tojnar)
* Usermod: Print 'no changes' to stdout, not stderr (Serge Hallyn)
* Add support for btrfs subvolumes for home (Adam Majer)
* Fix chpasswd long line handling (Nathan Ruiz)
* Use secure_getenv for gettime (Chris Lamb)
* Make sp_lstchg reproducible (Chris Lamb)
* Do not crash commonio_close if db file is not open (Tomas Mraz)
* Don't flush nscd and sssd cache in read-only mode (Charlie Vuillemez)
* French manpage update (Alban VIDAL)
* Fix manpage defaults for SUB_UID/GID_COUNT (Tomas Mraz)
* Sync po files from shadow.pot (Alban VIDAL)
* Usermod: guard against unsafe chown of homedir contents (Tomas Mraz)
* Add LASTLOG_UID_MAX to login.defs (Tomas Mraz)
* new[ug]idmap file capabilities support (Giuseppe Scrivano and Christian Brauner)
* Fix segfault in useradd (Tomas Mraz)
* Coverity issues (Tomas Mraz)
* Flush sssd caches (Jakub Hrozek)
* Log UID in nologin (Vladimir Ivanov)
* run pam_getenvlist after setup_env in su.c (Michael Vogt)
* Support systems with only utmpx (A. Wilcox)
* Fix unguarded ENABLE_SUBIDS code (Jan Chren (rindeal))
* Update po/zh_CN translation (Lion Yang)
* Create parent dirs for useradd -m (Michael Vetter)
* Prevent usermod segv
* Fix usermod crash (fariouche)
* Release 4.6
2018-04-29 Serge Hallyn <serge@hallyn.com>
* Newgrp: avoid unnecessary lookups
* Make language less binary
* Add error when turning off man switch
* Spelling fixes
* Make userdel work with -R
* newgidmap: enforce setgroups=deny if self-mapping a group
* Norwegian bokmål translation
* pwck: prevent crash by not passing O_CREAT
* WITH_TCB fixes from Mandriva
* Fix pwconv and grpconv entry skips
* Fix -- slurping in su
* add --prefix option
2017-07-16 Serge Hallyn <serge@hallyn.com>
* Import new Dutch translations.
2017-07-10 Serge Hallyn <serge@hallyn.com>
* Expand error codes for groupmod.
2017-05-17 Serge Hallyn <serge@hallyn.com>
* Release 4.5
2017-05-17 Serge Hallyn <serge@hallyn.com>
* Patch from Tobias Stoeckmann fixing regression in previous CVE fix
preventing SIGTERM to su from being propagated to the job.
* Patch from Chris Lamb making sp_lstchg shadow field reproducible.
* Merge Russian translation updates from Yuri Kozlov
* Fix missing close of subuid file on error
2017-02-23 Serge Hallyn <serge@hallyn.com>
* Merge patch by Tobias Stoeckmann <tobias@stoeckmann.org> to fix
the equivalent of util-linux CVE-2017-2616.
2017-02-08 Serge Hallyn <serge@hallyn.com>
* Update Kazakh translations
* Consult configuration before calculating subuids
* Remove misplaced semicolon
2017-01-29 Serge Hallyn <serge@hallyn.com>
* Patch from Fedora to improve performance with SSSD, Winbind,
or nss_ldap. (Tomas Mraz)
* Make sure knowndef_table is NULL-terminated. (Bernhard Rosenkränzer)
2016-12-21 Serge Hallyn <serge@hallyn.com>
* Drop leading underscore from _COMMONIO_H and _SHADOWIO_H
* Fix readability in usermod error messages.
* Reset user in tallylog
* Add audit support to su
* Changes since 4.4
2016-12-02 Serge Hallyn <serge@hallyn.com>
- Use sizeof rather than hardcoding snprintf args
- Fix useradd improper default loading
- Update Vietnamese translations
- Update Polish translations
- Remove non-POSIX chmod option in Makefile
- Fix suidubins assignments
- Fix --add-subuids etc spelling in manpages
- Audit homedir ownership change.
- Print error on selinux file context update failure
- Keep original file perms when creating a backup
* Changes since 4.2.1:
2016-12-02 Serge Hallyn <serge@hallyn.com>
- Documentation, error report and translations updates
- Replace path_max with 32
- User namespace support fixes/updates including:
- Correct sanity checks in newXidmap
- Fix building without subuid support
- Add /etc/subuid support for UID matching
- Support subuid for nonlocal users
- Default to 65536 subuid allocations
- Respect -r
- Check for range overflows
- Add tests from svn tree
- Use AC_CHECK_SIZEOF for uid_t size checks
- Accomodate missing /etc and login.defs
- Support FORCE_SHADOW
- Be more robust in hostile environment
- Allow removing a primary group
- Clear passwords on __pw_dup errors
- Memory leak fix in commonio_update and get_map_ranges
- Fix resource leak in syslog_sg
- Fix user busy error at userdel
- Support set/clear lastlog record via lastlog command
- Add --no-create-home as longopt for -M
- Fix signal races
- Reduce syslog priority of common usage events
Fixes: Bug 12762
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Similar to the Location block, this chain logs and drops all traffic
from and to networks known to pose technical threats to IPFire users.
Doing so in a dedicated chain makes sense for transparency reasons, as
we won't interfer with other firewall rules or the Location block, so it
is always clear why a packet from or to such a network has been dropped.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
There is no legitimate reason why traffic from our own IP address on RED
should ever appear incoming on that interface.
This prevents attackers from impersonating IPFire itself, and is only
cleared/reset if the RED interface is brought up. Therefore, an attacker
cannot bypass this by foring a dial-up or DHCP connection to break down.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Traffic from and to 127.0.0.0/8 must only appear on the loopback
interface, never on any other interface. This ensures offending packets
are logged, and the loopback interface cannot be abused for processing
traffic from and to any other networks.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Inbound Tor traffic conflicts with Location block as inbound connections
have to be accepted from many parts of the world. To solve this,
inbound Tor traffic has to be accepted before jumping into Location block
chain.
Note this affects Tor relay operators only.
Rolled forward as ongoing from
https://patchwork.ipfire.org/project/ipfire/patch/f8ee2e1d-b642-8c63-1f8a-4f24c354cd90@ipfire.org/,
note the documentation in the wiki needs to be updated once this landed
in production.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
In case of faulty connection tracking, this ensures such packets are
logged, to make analysing network incidents less troublesome. Since
NewNotSYN is handled before, where logging can be turned off for systems
running on weak flash devices, the amount of log messages emitted here
should be neglectible.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 6.5.0 to 7.10.0 (17 releases between these versions)
- Update of rootfile
- Update of patch as source file contents changed enough that old patch failed to work
- Build changed to meson/ninja as autotools option has been removed
- Most of the existing options were available as meson options - look in
meson_options.txt file in the source tarball.
Three options were not available with meson
--with-virtualport
--with-macvtap
--without-dbus
- Changelog is too large to include here (~1200 lines) but the detail can be seen in the
NEWS.rst file in the source tarball. Many bug fixes identified in the changelog
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Some paths might not exist on some systems which caused the installer to
abort the installation. This patch makes the installer ignore this
condition.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This prevents from running the script while the WUI is performing
operations at the same time or to launch multiple instances of the
script.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
