Friday, 14 September 2018

Urgent security patch for all systems running Adélie Linux

A grave security vulnerability has been found in apk, the package manager used by Adélie Linux. The vulnerability allows any attacker on the same network as your computer run malicious code as the superuser, if you are not using HTTPS repositories in /etc/apk/repositories.

This should not affect any standard installation of Adélie Linux, as our mirrors force HTTPS and our default repositories file uses HTTPS. However, if you have added your own custom repositories, or replaced 'https' with 'http' for any reason, you are vulnerable. A patch has been released in apk-tools 2.10.1 and it is critical for you to update all of your Adélie Linux computers immediately. New ISO and root FS images for 1.0-BETA1 went live this morning UTC (around 11 hours ago).

This vulnerability was discovered in early September by Max Justicz. A patch was written on 5 September by Alpine Linux developers and released on 10 September; the vulnerability was disclosed publicly on 13 September. The Adélie Linux team was not notified of this vulnerability before the public disclosure. This vulnerability was disclosed independently to Adélie Linux by Luke Dashjr via the public disclosure by Max Justicz.

We are deeply troubled by the lack of responsible disclosure by Alpine Linux, and we are actively investigating steps we may take in the future to mitigate our continued reliance on Alpine.

Monday, 10 September 2018

Adélie Linux 1.0-BETA1: Now available

The Adélie Linux Release Engineering Team is pleased to announce the immediate release of Adélie Linux 1.0-BETA1 for the 32-bit and 64-bit PowerPC, 32-bit and 64-bit x86, and 64-bit ARM platforms. Learn more about Adélie Linux on our Web site.

Please note: This is an early test release of Adélie Linux. While every care has been taken to ensure the stability of the system, features and packages may be missing or may not function correctly. You should always back up your computer's data before you install a new Linux distribution. This release is being actively tested on multiple platforms. It is highly recommended that you use a dedicated computer or virtual machine to learn the environment until you are comfortable with using the Adélie Linux system and its package manager, apk.

Release Notes

All architectures

  • The Adélie Base System (adelie-base) no longer ships with Perl or vim included by default. Both of these are included in the Adélie Base POSIX System (adelie-base-posix), and are still available on the live CD. You will need to install vim manually if you are not using the adelie-base-posix package.
  • Many improvements have been made to Dracut, used for initramfs generation.
  • GNU Privacy Guard (GnuPG, GPG) is now built with smart card and USB support.
  • KDE Applications have been upgraded to 18.08.1, and KDE Frameworks have been upgraded to 5.50.
  • The Linux kernel has been upgraded to 4.14.56.
  • The musl libc has been upgraded to 1.1.20, bringing many correctness fixes and better reliability.
  • OpenVPN is now available.
  • Qemu has been upgraded to 3.0.0.
  • The qmail MTA is now available, as netqmail.
  • ScummVM is now available.
  • TTYs are now dynamically spawned using s6 instead of using static configuration in /etc/inittab. This brings more flexibility for server and virtual machine installations, and allows desktop users to only spawn the TTYs that they require. See /etc/conf.d/gettys for more information.
  • XFCE 4 is now available. Just install the xfce-desktop package.
  • ...and over a thousand other enhancements, upgrades, and fixes!

Also new in this release are Root FS tarballs for all Tier 1 architectures, which can be unpacked on to a variety of different storage media and booted from - or extracted into a directory on your existing computer for a simple chroot-based installation. Combining this with qemu-user can provide you with a limited environment for testing Adélie for other CPU architectures.

Caution: If you are upgrading from a previous version of Adélie Linux to 1.0-BETA1, please merge the new user and group entries from /etc/passwd.apk-new into /etc/passwd, /etc/group.apk-new into /etc/group, and /etc/shadow.apk-new into /etc/shadow. This is only necessary to perform one time during the upgrade, before you restart your computer. For more information, feel free to contact us on IRC.

ARMv7

Support for ARMv7 is offered on a limited testing basis only, and ARMv7 remains a Tier 2 architecture. Currently, no binary packages are available for 1.0-BETA1.

64-bit ARM (AArch64)

  • Root FS tarballs are provided, allowing bootstrapping of AArch64 systems without needing a device already running Linux.

PowerPC (32-bit)

No architecture-specific release notes.

PowerPC (64-bit)

  • The live CD now ships with bootinfo.txt in the place where SLOF (IBM OpenFirmware) expects it to be. This should allow automatic booting on most CHRP compatible IBM servers, including QEMU/KVM.
  • POWER8 and POWER9 systems are supported by the POWER8 specific kernel. Please ensure you install the easy-kernel-power8 package.
  • POWER9 users: Qemu 3.0.0 no longer allows KVM HV guests to be created in Radix MMU mode. You will need to boot your system with disable_radix on your kernel command line to use KVM HV guests in Adélie 1.0-BETA1.

Intel x86 (all)

  • The syslinux bootloader has been removed, in favour of the GRUB 2 bootloader.
  • All live CDs should now support EFI boot. If you encounter any issues with EFI booting on the live CD, please file an issue.

Statistics

Adélie Packages

There were 1,394 commits to packages.git between 1.0-ALPHA7 and 1.0-BETA1 (307 since the last snapshot), by thirteen developers:
  • A. Wilcox (1,127)
  • Kiyoshi Aman (113)
  • Max Rees (63)
  • Dan Theisen (30)
  • Laurent Bercot (23)
  • Lee Starnes (3)
  • Horst G. Burkhardt (2)
  • William Pitcock (2)
  • Marek Benc (1)
  • Brandon Bergren (1)
  • Seamus Caveney (1)
  • Rich Felker (1)
  • Samuel Holland (1)

Team

  • We welcome Laurent Bercot as a packager; he is an upstream developer for s6, utmps, and other essential system software.
  • We welcome Lee Starnes as a package maintainer for VPN software.

Thursday, 23 August 2018

Official statement on x86_64 architecture security flaws

Many of you that use x86_64 computers are likely concerned with the various security flaws that have been discovered in the silicon of virtually all 64-bit Intel CPUs this year. There have also been a few requests for packaging official microcode updates.

Unfortunately, the EULA required to install, use, and redistribute these microcode updates is non-free. Intel has ensured that providing these updates to you would cause us to violate US and European copyright and contract laws.

As further security flaws are inevitable due to the design of the x86_64 architecture, and we cannot legally provide you with the updates necessary to avoid these flaws, we highly recommend that our users invest in computers using different architectures, such as PowerPC or ARM. While the x86_64 architecture will continue to be a Tier 1 architecture for the foreseeable future, we can no longer guarantee user security or data integrity to users using x86_64 computers due to Intel's restrictive licensing.

Editor's note: The original version of this statement included the following statement: Furthermore, Intel has added a stipulation in the EULA for their latest microcode update that renders their CPUs non-free, by forbidding any usage of software that they arbitrarily determine to fall under "benchmarking". This includes tools such as hdparm. Intel has since removed this clause from their license; however, the microcode itself is still non-free and we cannot distribute it.

Tuesday, 7 August 2018

Adélie Linux 1.0-BETA1 Snapshot 2: Now available

The Adélie Linux Release Engineering Team is pleased to announce the immediate release of the second snapshot of Adélie Linux 1.0-BETA1 for the 32-bit and 64-bit PowerPC, 32-bit and 64-bit x86, and 64-bit ARM platforms. Learn more about Adélie Linux on our Web site.

Note: This is not the release of 1.0-BETA1. The release of 1.0-BETA1 is still scheduled for early September and will bring further improvements, including an installation system and more compliance with the POSIX® standard.

Please note: This is an early test release of Adélie Linux. While every care has been taken to ensure the stability of the system, features and packages may be missing or may not function correctly. You should always back up your computer's data before you install a new Linux distribution. This release is being actively tested on multiple platforms. It is highly recommended that you use a dedicated computer or virtual machine to learn the environment until you are comfortable with using the Adélie Linux system and its package manager, apk.

Release Notes

All architectures

  • The Adélie Base System (adelie-base) no longer ships with Perl or vim included by default. Both of these are included in the Adélie Base POSIX System (adelie-base-posix), and are still available on the live CD.
  • GNU Privacy Guard (GnuPG, GPG) is now built with smart card and USB support.

ARMv7

Support for ARMv7 is offered on a limited testing basis only, and ARMv7 remains a Tier 2 architecture. Currently, no binary packages are available for 1.0-BETA1 snapshot.

64-bit ARM (AArch64)

No architecture-specific release notes.

PowerPC (32-bit)

No architecture-specific release notes.

PowerPC (64-bit)

  • The live CD now ships with bootinfo.txt in the place where SLOF (IBM OpenFirmware) expects it to be. This should allow automatic booting on most CHRP compatible IBM servers, including QEMU/KVM.
  • POWER8 systems will now be able to load modules on the Live CD. The POWER8 specific kernel is now built separately from Easy Kernel, allowing both kernels to coexist on the same live media.

Intel x86 (all)

  • The syslinux bootloader has been removed, in favour of the GRUB 2 bootloader.
  • All live CDs should now support EFI boot. If you encounter any issues with EFI booting on the live CD, please file an issue.

Statistics

Adélie Packages

There were 1,098 commits to packages.git between 1.0-ALPHA7 and this snapshot (86 since the last snapshot), by nine developers:
  • A. Wilcox (998)
  • Kiyoshi Aman (31)
  • Dan Theisen (29)
  • Max Rees (15)
  • Horst G. Burkhardt (2)
  • William Pitcock (2)
  • Marek Benc (1)
  • Samuel Holland (1)
  • Seamus Caveney (1)

Team

  • We welcome back Elizabeth Myers (Elizafox@), who is hard at work on a new installer framework for Adélie Linux.
  • Zach van Rijn has kindly donated a mirror server located in Pennsylvania, US.

Thursday, 2 August 2018

Adélie Linux 1.0-BETA1 Snapshot is now available

The Adélie Linux Release Engineering Team is pleased to announce the immediate release of a snapshot of Adélie Linux 1.0-BETA1 for the 32-bit and 64-bit PowerPC, 32-bit and 64-bit x86, and 64-bit ARM platforms. Learn more about Adélie Linux on our Web site.

This release is based on 1.0-ALPHA7, but has been fully audited. It includes many enhancements, new packages, and bug fixes and is based on the latest and most stable, secure software. All package license fields have been professionally audited and corrected wherever they were wrong. In addition, this marks our first independent release; we are no longer a soft-fork of Alpine. This offers us many degrees of freedom.

Note: This is not the release of 1.0-BETA1. The release of 1.0-BETA1 is still scheduled for early September and will bring further improvements, including an installation system and more compliance with the POSIX® standard.

Please note: This is an early test release of Adélie Linux. While every care has been taken to ensure the stability of the system, features and packages may be missing or may not function correctly. You should always back up your computer's data before you install a new Linux distribution. This release is being actively tested on multiple platforms. It is highly recommended that you use a dedicated computer or virtual machine to learn the environment until you are comfortable with using the Adélie Linux system and its package manager, apk.

Release Notes

All architectures

  • Easy Kernel has been updated to 4.14.56-mc9.
  • GNU gettext has been replaced with gettext-tiny. This also means that all packages that support .po files now have -lang subpackages so that they may be used in any translation they support. We are very proud to include better native language support, and we hope that this allows us to reach more people that are not comfortable using computers in English.
  • KDE Frameworks have been updated to 5.48.0, and KDE Applications have been updated from 18.04.1 to 18.04.3.
  • SPDX license identifiers are now used for every package in the distribution.
  • Thunderbird is now available on all Tier 1 architectures.

ARMv7

Support for ARMv7 is offered on a limited testing basis only, and ARMv7 remains a Tier 2 architecture. Currently, no binary packages are available for 1.0-BETA1 snapshot.

64-bit ARM (AArch64)

Since the number of test failures is now below the threshold of five packages, 64-bit ARM is now officially a Tier 1 release architecture for Adélie. All packages are officially available and supported for 64-bit ARM.

PowerPC (all)

  • FFmpeg is now compiled with AltiVec support, and will use it on any PowerPC computer that supports it, bringing large performance improvements. You may still use FFmpeg on computers without AltiVec.

PowerPC (32-bit)

No architecture-specific release notes.

PowerPC (64-bit)

  • VLC chroma support has been fixed for 64-bit big endian targets, including PowerPC.

Intel x86 (all)

  • The syslinux bootloader has been removed, in favour of the GRUB 2 bootloader.
  • All live CDs should now support EFI boot. If you encounter any issues with EFI booting on the live CD, please file an issue.

Statistics

Adélie Packages

There were 1,012 commits to packages.git between 1.0-ALPHA7 and this snapshot, by seven developers:
  • A. Wilcox (953)
  • Dan Theisen (29)
  • Kiyoshi Aman (17)
  • Max Rees (8)
  • Horst G. Burkhardt (2)
  • William Pitcock (2)
  • Marek Benc (1)

Team

  • We welcome back Elizabeth Myers (Elizafox@), who is hard at work on a new installer framework for Adélie Linux.
  • Zach van Rijn has kindly donated a mirror server located in Pennsylvania, US.

Wednesday, 13 June 2018

Adélie Linux 1.0-ALPHA7 is now available

The Adélie Linux Release Engineering Team is pleased to announce the immediate release of Adélie Linux 1.0-ALPHA7 for the 32-bit and 64-bit PowerPC, 32-bit and 64-bit x86, and 64-bit ARM platforms. Learn more about Adélie Linux on our Web site.

This release is an iterative release based on 1.0-ALPHA6. It includes many enhancements, new packages, and bug fixes and is based on the latest and most stable, secure software.

Please note: This is an early test release of Adélie Linux. While every care has been taken to ensure the stability of the system, features and packages may be missing or may not function correctly. You should always back up your computer's data before you install a new Linux distribution. This release is being actively tested on multiple platforms. It is highly recommended that you use a dedicated computer or virtual machine to learn the environment until you are comfortable with using the Adélie Linux system and its package manager, apk.

Release Notes

All architectures

  • Easy Kernel has been updated to 4.14.48-mc8.
  • The Apache Web server is now available.
  • GNU Emacs has been updated to 26.1.
  • KDE Frameworks have been updated to 5.46.0, and KDE Applications have been updated from 17.12.2 to 18.04.1.
  • LXQt has been updated to version 0.13.0.
  • The Alpine-based mkinitfs tool is now supported on all architectures, allowing lbu and Alpine-style run-from-RAM support for systems that require it.
  • Documentation for the newapkbuild command and APKBUILD format are now included in the abuild-doc package in mdoc (man page) format.
  • An issue where Plasma 5 may fail to start on new installations has been fixed.

ARMv7

Adélie packages are now available for the 32-bit ARMv7 platform (internal arch name armv7). This support is offered on a limited testing basis only, and ARMv7 remains a Tier 2 architecture. Many issues are present, and some packages are currently unavailable as of the time of this writing; notably, Easy Kernel, Clang, and Firefox.

64-bit ARM (AArch64)

Adélie is now available on the 64-bit ARM architecture. Support is accelerating rapidly; there are currently only four known bugs left before 64-bit ARM is officially a Tier 1 release architecture for Adélie.

PowerPC (32-bit)

  • An issue where certain software that requires the apr framework would fail to compile has been fixed.

PowerPC (64-bit)

No architecture-specific release notes.

Intel x86 (all)

  • Fusion SCSI/SAS disk controllers, including the native SCSI controller used by VMware Workstation, is now supported in Easy Kernel as a boot device.
  • The syslinux bootloader has been deprecated, in favour of the GRUB 2 bootloader.

Statistics

Adélie Packages

There were 136 commits between 1.0-ALPHA6 and 1.0-ALPHA7, by five developers:
  • A. Wilcox (71)
  • Kiyoshi Aman (32)
  • Max Rees (19)
  • Dan Theisen (12)
  • Horst G. Burkhardt (2)

Team

  • We welcome Dan Theisen as a packages committer. He has an interest in general package maintenance and has a special interest in the the ARM ports.

Thursday, 26 April 2018

Adélie Linux 1.0-ALPHA6 is now available

The Adélie Linux Release Engineering Team is pleased to announce the immediate release of Adélie Linux 1.0-ALPHA6 for the 32-bit and 64-bit PowerPC and x86 platforms. Learn more about Adélie Linux on our Web site.

This release is an iterative release based on 1.0-ALPHA5. It includes many enhancements, new packages, and bug fixes and is based on the latest and most stable, secure software.

Please note: This is an early test release of Adélie Linux. While every care has been taken to ensure the stability of the system, features and packages may be missing or may not function correctly. You should always back up your computer's data before you install a new Linux distribution. This release is being actively tested on multiple platforms. It is highly recommended that you use a dedicated computer or virtual machine to learn the environment until you are comfortable with using the Adélie Linux system and its package manager, apk.

Release notes

All architectures

  • Easy Kernel has been updated to 4.14.33-mc6.
  • Light-weight PDF viewer qpdfview and KDE document viewer Okular are now available.
  • The musl library is now more conformant with the POSIX 2018 specification.
  • Phonon, the software that KDE uses for sounding notifications and controlling system volume, is now officially supported with the VLC backend.
  • POSIX compliant versions of pax, and a more featureful version of cpio, are now available.
  • SchismTracker is now available.
  • The KDE Education, Graphics, and Multimedia Suites of software are now available for all architectures.
  • VLC is now available for playing many types of media, including audio and video.

Live CD

  • More network utilities (links, mtr) and diagnostic utilities (smartmontools, tmux) are now available on all live images.
  • The ability to format JFS and VFAT file systems is now available on all live images.
  • The infamous "cannot login as live" bug has been fixed.

Intel x86 (32-bit)

  • WINE is once again available for running 32-bit Windows® applications on Adélie Linux.

Intel x86_64

  • PCMCIA and CardBus cards are now supported on 64-bit laptops.
  • Thunderbird, the email and newsreader, is available in an experimental state.

PowerPC (32-bit)

  • No architecture-specific release notes.

PowerPC (64-bit)

  • This release marks the first where the 64-bit PowerPC platform is truly 'even' with the others, providing the same experience and package set as all other architectures.