ostree 2014.2
- From: Colin Walters <walters verbum org>
- To: ostree-list <ostree-list gnome org>
- Subject: ostree 2014.2
- Date: Sat, 01 Mar 2014 19:18:10 +0000
Hi all,
OSTree 2014.2 is now available:
You may observe the primary thing driving me now is rpm-ostree (I'll post a new release shortly).
For example, OSTree now has deep SELinux integration (compile and runtime optional though). I really designed OSTree from the very beginning to support SELinux and make it shine, and while there were a few things I hadn't thought of initially such as some of the details for /etc and /var, it works now.
This release also contains several security fixes from the ongoing thorough review thanks to Florian Weimer. The downgrade protection is probably most notable. The rest so far, broadly speaking, are hardening against local, authenticated malicious users. Those are still important, but I'm prioritizing work on man-in-the-middle network attacks.
Some other miscellaneous stuff like fixes for ordering with respect to Plymouth bootup, and a fix to precreate /var/lock from Cosimo Cecchi to help out Debian code that predates the whole /run thing.
Another important thing to mention is that while I merged the longstanding "static deltas" work and the code compiles, it's not enabled. The current static deltas can be used to apply a delta offline, from a USB stick, but the HTTP code is not wired up.
Also, the static delta format can and will likely change. So don't try to actually ship them. But if you are interested, do look at it.
Oh! And the "ostree pull" HTTP code should be more reliable now. We have a fix thanks to Daniel Drake to make use of timeouts, and the fetcher no longer involves an impossible-to-reason-about mess of threads and async. Now it's just merely somewhat-difficult-to-reason-about async code, and this should improve reliability.
That's about it; this one needs to go out the door so rpm-ostree can depend on the SELinux code.
$ git shortlog v2014.1..v2014.2
Colin Walters (41):
doc: Update manpage a bit
boot/ostree-remount.service: Run before plymouth-read-write.service
ostree-prepare-root.service: Also order before plymouth-switch-root.service
build: Install README-gpg in /usr/share/ostree/trusted.gpg.d
libostree: Actually trusted.gpg.d/*.gpg for GPG verification
repo: Improve GPG error messages
build: Look for /usr/bin/gpgv2 vs /usr/bin/gpgv
repo: Add API to provide xattrs
Add SELinux support
Add --disable-fsync option to pull-local, and API to repo
libostree: Also use xattr callback for directories
SELinux: Ensure we label /var, and fix /etc merge wrt xattrs
build: Fix --without-selinux case
build: Drop SELinux required version a bit earlier
core: Import bup's "rollsum" code, add a test case
Initial basic static delta code drop
pull: Don't crash if the URL is not found
sysroot: Add a log with MESSAGE_ID when deployment is complete
Drop refs/summary
repo: Don't set GPG engine executable path
tests: Fix up GPG tests for more strict EL7 GPG
pull: Remove a duplicate hash table
deltas: Add a timestamp to delta metadata
repo: Split generic GPG commit verification out into helper
deploy: Remove now-unimplemented --no-bootloader argument
build: make "sudo make install" over existing install work
manual-tests: New directory with custom test scripts
Add internal SELinux policy overrides
libostree: Split off SELinux OstreeSePolicy class
build: Fix build without SELinux
repo: Fix crash without SELinux policy enabled during commit
upgrade: Refuse chronologically older commits unless --allow-downgrade
pull: Remove explicit threading
switch: Don't check whether revision matches
upgrade: Properly set origin_refspec variable for resolve/printing
Update libgsystem, use it to set dirfd-relative xattrs on symlinks
checkout: Only fchown/fchmod directories after we're done populating them
checkout: Use fd-relative open of newly created directory
upgrade/switch: Fix status line being overwritten with pull progress
Add /run/ostree-booted
Release 2014.2
Cosimo Cecchi (1):
os-init: also create a symlink for /var/lock
Daniel Drake (2):
boot/ostree-remount.service: run before tmpfiles.d
fetcher: set timeouts on HTTP connections
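The downgrade protection mentioned in the announcement above corresponds to the shortlog entry "upgrade: Refuse chronologically older commits unless --allow-downgrade", i.e. a comparison of commit timestamps. The following is an added example, not ostree's own code, sketching such a check on constructed commit objects. It uses HMAC-SHA256 as a stand-in for the GPG signature verification ostree actually performs, and every name in it (DEMO_KEY, make_commit, select_upgrade, upgrade_outcome, the sample commits) is invented for the illustration.

```python
"""Timestamp-based downgrade protection for signed commits (added illustration).

Not ostree code. Models the idea behind refusing chronologically older
commits unless explicitly allowed. HMAC-SHA256 stands in for GPG so the
example runs offline; all keys and commits are constructed sample data.
"""
import hashlib
import hmac
import json

# Constructed stand-in for a trusted keyring; ostree itself verifies with gpgv.
DEMO_KEY = b"constructed-demo-key"


class VerificationError(Exception):
    """The commit's signature did not verify; its metadata must not be trusted."""


class DowngradeError(Exception):
    """The candidate commit is chronologically older than the deployed one."""


def make_commit(tree_id: str, timestamp: int) -> dict:
    """Build a minimal commit object whose checksum covers the tree and the timestamp."""
    checksum = hashlib.sha256(f"{tree_id}\n{timestamp}".encode()).hexdigest()
    return {"checksum": checksum, "tree": tree_id, "timestamp": timestamp}


def sign_commit(key: bytes, commit: dict) -> dict:
    """Attach a MAC over the canonical encoding (stand-in for a GPG signature)."""
    payload = json.dumps(commit, sort_keys=True).encode()
    return {"commit": commit, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_commit(key: bytes, signed: dict) -> dict:
    """Return the commit only if its signature verifies; read no metadata before this."""
    payload = json.dumps(signed["commit"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise VerificationError("commit signature does not verify")
    return signed["commit"]


def select_upgrade(key, deployed_signed, candidate_signed, allow_downgrade=False):
    """Decide whether the candidate may replace the deployed commit.

    Returns the candidate commit, or None when it is the same commit.
    Raises DowngradeError for a strictly older candidate unless allow_downgrade.
    Only older commits are refused: an attacker who withholds newer commits
    entirely (a freeze) is not detected by this check.
    """
    deployed = verify_commit(key, deployed_signed)
    candidate = verify_commit(key, candidate_signed)
    if candidate["checksum"] == deployed["checksum"]:
        return None
    if candidate["timestamp"] < deployed["timestamp"] and not allow_downgrade:
        raise DowngradeError(
            f"candidate {candidate['checksum'][:8]} ({candidate['timestamp']}) is older "
            f"than deployed {deployed['checksum'][:8]} ({deployed['timestamp']})"
        )
    return candidate


def upgrade_outcome(key, deployed_signed, candidate_signed, allow_downgrade=False) -> str:
    """Map select_upgrade to a short outcome string for logging."""
    try:
        result = select_upgrade(key, deployed_signed, candidate_signed, allow_downgrade)
    except VerificationError:
        return "rejected-signature"
    except DowngradeError:
        return "refused-downgrade"
    if result is None:
        return "unchanged"
    # deployed_signed was verified inside select_upgrade, so its timestamp is trusted here.
    if result["timestamp"] < deployed_signed["commit"]["timestamp"]:
        return "downgraded"
    return "upgraded"


# Constructed sample commits; timestamps are seconds since the epoch.
DEPLOYED = sign_commit(DEMO_KEY, make_commit("tree-v2", 1393000000))
NEWER = sign_commit(DEMO_KEY, make_commit("tree-v3", 1393600000))
OLDER = sign_commit(DEMO_KEY, make_commit("tree-v1", 1392400000))
# An attacker re-serving the old commit with an edited timestamp but the original signature.
TAMPERED = {"commit": dict(OLDER["commit"], timestamp=1394000000), "sig": OLDER["sig"]}

if __name__ == "__main__":
    for name, cand in [("newer", NEWER), ("older", OLDER), ("same", DEPLOYED), ("tampered", TAMPERED)]:
        print(f"{name:9s} -> {upgrade_outcome(DEMO_KEY, DEPLOYED, cand)}")
    print(f"older, downgrade allowed -> {upgrade_outcome(DEMO_KEY, DEPLOYED, OLDER, allow_downgrade=True)}")
```

The ordering is the point worth checking in any implementation of this idea: the timestamp is read only from a commit whose signature has already verified, because a timestamp that is not covered by the signature could be rewritten by a network attacker (the TAMPERED case) to slip an old commit past the check. The check also only refuses commits that are strictly older, so a peer that simply stops serving new commits is not detected by it.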