This is recommended by KSPP, Lynis, and others. Indeed, there is no
legitimate reason why an unprivileged user on IPFire should do any
profiling. Unfortunately, this change never landed in the mainline
kernel, hence a distribution patch is necessary.
The second version of this patch rebases the kernel patch by Jeff
Vander Stoep against Linux 5.15.17 to avoid fuzzying.
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Since we dropped support for blocking P2P protocols, the corresponding translation strings
are no longer needed.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
This script only appeared in conjunction with Core Update 75, released
January 2014. Although it is still being executed while restoring a
backup, it would only be effective if anyone tried to restore a backup
created before C75.
I don't think there is a realistic need to carry this script along any
further. In doubt, it might be better to start from scratch again rather
than trying to restore an 8 year old backup, expecting everything to be
peachy and vanilla with it.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This reverts commit 77e3829dc1.
For the time being, shipping this was found to be too difficult, since
we cannot get linux-firmware down to an acceptable size limit.
Compressing the firmware on installations would work, but takes about 4
minutes on an Intel Xenon CPU alone, hence it is an unacceptable
workload to do for IPFire installation running on weaker hardware.
Therefore, we do not proceed with this at the moment.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog, as retrieved from https://www.zlib.net/ChangeLog.txt :
Changes in 1.2.12 (27 Mar 2022)
- Cygwin does not have _wopen(), so do not create gzopen_w() there
- Permit a deflateParams() parameter change as soon as possible
- Limit hash table inserts after switch from stored deflate
- Fix bug when window full in deflate_stored()
- Fix CLEAR_HASH macro to be usable as a single statement
- Avoid a conversion error in gzseek when off_t type too small
- Have Makefile return non-zero error code on test failure
- Avoid some conversion warnings in gzread.c and gzwrite.c
- Update use of errno for newer Windows CE versions
- Small speedup to inflate [psumbera]
- Return an error if the gzputs string length can't fit in an int
- Add address checking in clang to -w option of configure
- Don't compute check value for raw inflate if asked to validate
- Handle case where inflateSync used when header never processed
- Avoid the use of ptrdiff_t
- Avoid an undefined behavior of memcpy() in gzappend()
- Avoid undefined behaviors of memcpy() in gz*printf()
- Avoid an undefined behavior of memcpy() in _tr_stored_block()
- Make the names in functions declarations identical to definitions
- Remove old assembler code in which bugs have manifested
- Fix deflateEnd() to not report an error at start of raw deflate
- Add legal disclaimer to README
- Emphasize the need to continue decompressing gzip members
- Correct the initialization requirements for deflateInit2()
- Fix a bug that can crash deflate on some input when using Z_FIXED
- Assure that the number of bits for deflatePrime() is valid
- Use a structure to make globals in enough.c evident
- Use a macro for the printf format of big_t in enough.c
- Clean up code style in enough.c, update version
- Use inline function instead of macro for index in enough.c
- Clarify that prefix codes are counted in enough.c
- Show all the codes for the maximum tables size in enough.c
- Add gznorm.c example, which normalizes gzip files
- Fix the zran.c example to work on a multiple-member gzip file
- Add tables for crc32_combine(), to speed it up by a factor of 200
- Add crc32_combine_gen() and crc32_combine_op() for fast combines
- Speed up software CRC-32 computation by a factor of 1.5 to 3
- Use atomic test and set, if available, for dynamic CRC tables
- Don't bother computing check value after successful inflateSync()
- Correct comment in crc32.c
- Add use of the ARMv8 crc32 instructions when requested
- Use ARM crc32 instructions if the ARM architecture has them
- Explicitly note that the 32-bit check values are 32 bits
- Avoid adding empty gzip member after gzflush with Z_FINISH
- Fix memory leak on error in gzlog.c
- Fix error in comment on the polynomial representation of a byte
- Clarify gz* function interfaces, referring to parameter names
- Change macro name in inflate.c to avoid collision in VxWorks
- Correct typo in blast.c
- Improve portability of contrib/minizip
- Fix indentation in minizip's zip.c
- Replace black/white with allow/block. (theresa-m)
- minizip warning fix if MAXU32 already defined. (gvollant)
- Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
- Clean up minizip to reduce warnings for testing
- Add fallthrough comments for gcc
- Eliminate use of ULL constants
- Separate out address sanitizing from warnings in configure
- Remove destructive aspects of make distclean
- Check for cc masquerading as gcc or clang in configure
- Fix crc32.c to compile local functions only if used
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Some files are identical which is why we don't need to ship them mutiple
times. This will save about 13 MiB of disk space and presumably the same
on the compressed distro image.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This firmware is required for a switch ASIC which we build the kernel
module for, but which is probably not usable with IPFire.
This saves about 40 MiB of compressed firmware space.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://mmonit.com/monit/changes/
"Fixed: Issue #1028: If the Monit statefile was removed, the monit
start <service> action for services with onreboot nostart option
started the service, but did not enable monitoring of said service.
The same problem occurred if a new onreboot nostart service was
added, even if the statefile did exist.
Fixed: Issue #1029: The generic protocol test truncated received
data if the response contained zeros.
Fixed: PAM authentication: Users with a valid password for
a disabled account could still login to Monit. Thanks to Youssef
Rebahi-Gilbert.
Fixed: The Monit HTTP interface could be blocked by sending
a request with an infinite stream of HTTP headers. Thanks to Youssef
Rebahi-Gilbert for report."
For more details see:
https://bitbucket.org/tildeslash/monit/commits/tag/release-5-32-0
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package installs some firmware files. Since linux-firmware is now
compressed, files will no longer be overwritten, but this package will
put the uncompressed files next to the compressed ones.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
