In this special issue of Dev. Updates, we are presenting to you a new, monthly, function-defined update pattern for AOSC OS. With this change, AOSC OS will be updated in a scheduled fashion, where:
With that said, starting July, you will no longer receive updates to your AOSC OS installation on an irregular basis (we usually aimed for a batch per week, but updates could have happened on a daily basis as well… essentially, it was never planned or guaranteed); instead, we expect to ship the July wave of updates around the 28th, for all architectures/ports. As mentioned above, security and important bugfix updates will still be pushed as soon as they become available.
What if I can’t wait, though, you ask… Well, by our schedule, we expect to finish all update packages by Day 20, and testing by Day 25 of each month (February could be a mess, but we will see). That said, by Day 20 of each month, updates will be pushed to our testing repositories; details are coming in the weeks leading up to AOSCC. However, if you do mean serious business when using AOSC OS, you might want to steer clear of those repositories: packages there could be overwritten without any version change, which sometimes makes your updates hard to manage, not to mention all the potential bugs you may run into, as we have not yet tested these fresh updates when pushing them to the testing repositories.
It should also be noted that general version or feature updates for all AOSC OS packages are collected and scheduled on the first day of each month, meaning that if a package has a new version released on July 2nd, it will be pushed with the August wave of updates. This could be sad for some of you cutting-edge users, but we have our reasons not to go full Arch Linux, and here they are…
Firstly, with the introduction of multiple ports and noarch/data packages, updates across the different AOSC OS ports could become asynchronous, meaning that some data packages, which are shared among all ports, could be unsuitable for one or more of them: newer data packages could be unsuitable for older application/binary packages, and vice versa. This was heavily exhibited in the past six months, with our developers struggling to find time.
Secondly, quality is king. While it’s “cool” for a distribution to be able to push a new GNOME release set the week it is released, the price could be steep, as it might come with all manner of issues, introduced by upstream code or by general oversight of our packagers, making it hard to get work done on AOSC OS when a big batch of updates arrives untested.
And lastly, this gives our developers more time (which is not in abundance, as most of us are college students) to “improve” our packages, rather than just updating them whenever an update is available; the latter is a general waste of time for us, and not exactly productive when it comes to improving the user experience of AOSC OS. With more time on hand for handling updates and packaging, this could lead to a general quality improvement for AOSC OS.
So that’s all we have for now, a quick heads up for our fellow AOSC OS users. Please enjoy the summer.
Unless the security update comes in the form of a major update, which could potentially break its dependees, in which case you will be notified while we figure out a way to handle the issue.
This means that if, with a month’s update, a package simply stopped working (which is unlikely, given that we will be testing them), or a date-sensitive application ceased to function, for example youtube-dl, which constantly relies on the newest protocols/routines to grab videos off websites, then upon request we will update the package(s) and make them available as soon as possible.
Please update your systemd package to version
A security vulnerability was recently discovered in systemd-resolved (DNS resolve configuration daemon) that…
Certain sizes passed to dns_packet_new can cause it to allocate a buffer that’s too small. A page-aligned number - sizeof(DnsPacket) + sizeof(iphdr) + sizeof(udphdr) will do this - so, on x86 this will be a page-aligned number - 80. Eg, calling dns_packet_new with a size of 4016 on x86 will result in an allocation of 4096 bytes, but 108 bytes of this are for the DnsPacket struct.
A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that’s too small, and subsequently write arbitrary data beyond the end of it.
This security vulnerability was assigned CVE-2017-9445.
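To make the size arithmetic above concrete, here is an added example that models it; this is not systemd’s code, and the constants are assumptions taken from the advisory’s x86 figures (a 108-byte DnsPacket struct, 28 bytes of IP + UDP headers, 4096-byte pages). It contrasts a computation that treats the requested size as a link MTU and subtracts the header bytes before page-rounding with one that rounds up from the full requested size, and states the invariant a caller should check: the payload room must be at least what was requested.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example modelling the advisory's description; not systemd's code.
 * Constants are assumptions taken from the advisory's x86 numbers. */
#define MODEL_PAGE_SIZE     4096u   /* page size used for rounding */
#define MODEL_STRUCT_SIZE   108u    /* stands in for sizeof(DnsPacket) */
#define MODEL_IP_UDP_HDRS   28u     /* sizeof(iphdr) + sizeof(udphdr) */

static size_t model_page_align(size_t n)
{
        return (n + MODEL_PAGE_SIZE - 1) & ~(size_t)(MODEL_PAGE_SIZE - 1);
}

/* Weak computation: the requested size is treated as an MTU, so the IP/UDP
 * header bytes are subtracted before the whole object is rounded up to a
 * page.  When struct + body already lands on a page boundary, nothing is
 * rounded up and the payload room is 28 bytes short of the request. */
size_t payload_room_weak(size_t requested)
{
        size_t body = requested > MODEL_IP_UDP_HDRS ? requested - MODEL_IP_UDP_HDRS : 0;
        return model_page_align(MODEL_STRUCT_SIZE + body) - MODEL_STRUCT_SIZE;
}

/* Hardened computation: round up from the full requested size, so the
 * payload room can never be smaller than `requested`. */
size_t payload_room_hardened(size_t requested)
{
        return model_page_align(MODEL_STRUCT_SIZE + requested) - MODEL_STRUCT_SIZE;
}

/* The invariant the allocator must satisfy for its caller: a buffer
 * obtained for `requested` payload bytes has room for all of them. */
bool room_is_sufficient(size_t room, size_t requested)
{
        return room >= requested;
}

int main(void)
{
        /* 4016 is the advisory's x86 example: 4096 - 80. */
        size_t sizes[] = { 512, 4016, 4017 };
        for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
                size_t weak = payload_room_weak(sizes[i]);
                size_t hard = payload_room_hardened(sizes[i]);
                printf("request %4zu: weak room %4zu (%s), hardened room %4zu\n",
                       sizes[i], weak,
                       room_is_sufficient(weak, sizes[i]) ? "ok" : "TOO SMALL",
                       hard);
        }
        return 0;
}
```

Running it shows the advisory’s case: a request of 4016 yields a 4096-byte allocation with only 3988 bytes of payload room, while the hardened computation rounds the same request up to the next page and has room to spare.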
Please update your linux+kernel package so that your Linux Kernel version is 4.11.5 or higher; or update your linux+kernel+lts package so that your Linux Kernel on the Long-Term Support branch is version 4.9.32 or higher.
A security vulnerability was reported recently that…
Until recently, the /dev/snd/timer driver was prone to a data race, which led to uninitialized memory from the kernel heap being copied to userspace.
This was assigned CVE-2017-10000380.
After several months of hard work by our community members, we have finally settled on a venue and a date for this year’s AOSCC, so…
Welcome to our 4th annual community gathering in Guangzhou, from July 14th to 16th!
AOSCC 2017’s venue is generously sponsored by the Guangdong University of Technology, on their campus at the H.E.M.C. (Higher Education Mega Center; 大学城). The gathering will take place in Experiment Building 4, Room 304 (实验四号楼 304 实验室); here are some maps to the location…
While we are still preparing other documentation and details for the event, here is the information we are able to produce so far…
Already made up your mind? Just sign up here! There’s no need to provide your full name (though it is recommended), but all participants are required to sign up here so we can keep track of the number of people coming, as this could be limited by our venue.
At present we can say that our venue holds 50, but this could go up if sign-ups end up exceeding that amount.
Again, please sign up here.
Please update your firefox package to version
A recently released version of Firefox has addressed the following security vulnerabilities:
CVE-2017-5470, CVE-2017-5471, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7755, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7759, CVE-2017-7760, CVE-2017-7761, CVE-2017-7762, CVE-2017-7763, CVE-2017-7764, CVE-2017-7765, CVE-2017-7766, CVE-2017-7767, CVE-2017-7768, CVE-2017-7770, CVE-2017-7778.
Just a quick announcement that version 1.5.4 of our zh_CN (Simplified Chinese, China) Localization Guide is released.
This revision of the guide introduces a new section discussing the translation of Desktop Entry (.desktop) files; more details can be found in the released document, zh_CN L10n Guide, version 1.5.4.
If you have any suggestions for future revisions, or have found any errors in our documentation, please report them here.
Please update your irssi package to version 1.0.3 (PowerPC 32/64-bit big endian users: please move away from AOSC OS for the summer, as we are unable to provide package updates until September; see our last post for more information).
A new version of Irssi IRC/Web Chat Client has recently been released to address two security vulnerabilities:
With the release of Core 4.2.2, we have reached the end of the “Series 4” of AOSC OS Core.
This point release updates Linux API Headers to version 4.11.3 in order to retain compatibility with the new Chromium/Google Chrome 59 browser, which contains a great deal of security updates/fixes. With July closing in, we are getting ready to unveil the collection of features and updates coming in Core “E”, our fifth Core release series, coming this summer.
With the hint “E”: yes, we are about to start a call for codenames for this new series of AOSC OS Core releases. We will vote for the next codename on the first day of AOSCC 2017; details are coming in the following week or so.
Just a short announcement to tell you what’s up with the new version - and moreover, to thank you for using AOSC OS and staying supportive of our development effort.
Core 4.2.2 is now available for amd64 users; the update will reach armel (ARMv7) and arm64 (ARMv8, AArch64) users in the coming week. For powerpc (PowerPC 32-bit) and ppc64 (PowerPC 64-bit, big endian) users, however… please don’t wait around: as neither of these architectures will support the Chromium browser family, we have elected to skip this release. Core “E” will come in time, however, so look out for that!
Lastly, as we have no PowerPC device available for development at the moment, we have decided to suspend all updates - and that includes security updates - for both PowerPC architectures.
We do apologise for the inconvenience, and we further recommend that you move away from AOSC OS for this summer, in the hope of keeping you safe from cyberattacks and existing bugs.
— Mingcong Bai
Please update your
amd64 only) and
chromium packages to version
A recently released version of Chromium and Google Chrome has addressed a series of security vulnerabilities, assigned with the following CVE IDs:
CVE-2017-5070, CVE-2017-5071, CVE-2017-5072, CVE-2017-5073, CVE-2017-5074, CVE-2017-5075, CVE-2017-5076, CVE-2017-5077, CVE-2017-5078, CVE-2017-5079, CVE-2017-5080, CVE-2017-5081, CVE-2017-5082, CVE-2017-5083, CVE-2017-5085, CVE-2017-5086.
Please update your sudo package to version
A recently released version of Sudo has addressed a security vulnerability titled “Potential overwrite of arbitrary files on Linux”:
“On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
This vulnerability has been assigned CVE-2017-100036.
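The parsing flaw quoted above is easy to reproduce in miniature. The following is an added example, not sudo’s code, contrasting a field counter that splits the whole /proc/[pid]/stat line on spaces with one that resumes counting after the last ‘)’, which is the only place the comm field (field 2) can end. Both sample lines are constructed for this example and truncated after a few fields; 34816 is the tty_nr value they carry in field 7.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not sudo's code.  Both /proc/[pid]/stat lines below are
 * constructed for this example and cut short after field 11; only the
 * comm field (field 2, in parentheses) differs between them. */
const char *SAMPLE_PLAIN  = "1234 (sudo) S 1000 1234 1234 34816 1234 4194304 120 0";
const char *SAMPLE_SPACED = "1234 (sudo 1) S 1000 1234 1234 34816 1234 4194304 120 0";

/* Walk space-separated tokens starting at p, where p begins at field number
 * `first`, and return field `want` as a number (-1 if absent or non-numeric). */
static long nth_numeric_field(const char *p, int first, int want)
{
        int field = first;
        while (*p == ' ')
                p++;
        while (*p != '\0') {
                if (field == want) {
                        char *end;
                        long v = strtol(p, &end, 10);
                        return end == p ? -1 : v;
                }
                while (*p != '\0' && *p != ' ')   /* skip the current token */
                        p++;
                while (*p == ' ')
                        p++;
                field++;
        }
        return -1;
}

/* Weak: count tokens from the start of the line.  A comm containing a
 * space shifts every later field by one, so "field 7" is the wrong one. */
long tty_nr_weak(const char *stat_line)
{
        return nth_numeric_field(stat_line, 1, 7);
}

/* Hardened: comm is the only field that may contain spaces and it is the
 * only field wrapped in parentheses, so locate the LAST ')' and count from
 * field 3 onward.  Parentheses or spaces inside comm no longer matter. */
long tty_nr_robust(const char *stat_line)
{
        const char *close = strrchr(stat_line, ')');
        if (close == NULL)
                return -1;
        return nth_numeric_field(close + 1, 3, 7);
}

int main(void)
{
        printf("plain  comm: weak=%ld robust=%ld\n",
               tty_nr_weak(SAMPLE_PLAIN), tty_nr_robust(SAMPLE_PLAIN));
        printf("spaced comm: weak=%ld robust=%ld\n",
               tty_nr_weak(SAMPLE_SPACED), tty_nr_robust(SAMPLE_SPACED));
        return 0;
}
```

On the plain line both parsers agree on 34816; on the line whose comm contains a space, the weak parser returns the shifted value 1234 (the session field) while the robust one still returns 34816, which is the property a fix for this class of bug should be tested for.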