1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
- urls: [https://github.com/flori/json/pull/567]
tags: [Ruby, JSON, SoftwareFreedom]
desc: |
ruby-json contains code that is not Free under the FSF's
definition, not Open Source under the OSI's definition, and not
GPL-compatible. This has caused much consternation among folks
who care about any of those 3 things.
This PR replaces that non-Free code with Free code, removing
friction for Ruby users on GNU/Linux distros that care about those
3 things.
- urls: [https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/merge_requests/328]
id: mkinitcpio-arm-zimage
tags: [ARM, boot]
sponsored-by: Umorpha Systems
desc: |
To do its work, mkinitcpio needs to know the version number of the
Linux kernel that it is generating an image for; the normal way
that it knows this is to sniff the version number from the kernel
file. However, it fails to sniff the version number from ARM
zImage kernels, which means that Arch Linux ARM and Parabola for
ARM need to resort to hacks to get mkinitcpio to work right.
This PR removes that friction by teaching mkinitcpio to understand
ARM zImage files.
See also: [mkinitcpio#362](#contrib-mkinitcpio-arm-zimage-tests)
- urls: [https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/merge_requests/277]
tags: [boot]
sponsored-by: Umorpha Systems
desc: |
One of the things going on in the secure-boot world is moving
toward "Unified Kernel Images" (UKI), which are when the kernel
and the init-ramdisk are bundled together into a single file to
reduce the risk of a compromised init-ramdisk being able to
compromise a secured kernel. This PR reduces friction when using
mkinitcpio to generate images directly as UKI without generating a
plain init-ramdisk first.
- urls:
- https://mailman.astron.com/pipermail/file/2024-April/001335.html
- https://github.com/file/file/commit/cf139abf35d07ebfd0c3edcab2fc400a211c0fbb
tags: [ARM]
desc: |
This PR improves its ability to detect information about Linux
kernel ARM zImage files.
- urls:
- https://mailman.astron.com/pipermail/file/2024-March/001327.html
- https://github.com/file/file/commit/3b92878ee277a6b6c0a37429e9edf5e5b55fcdd4
tags: [docs]
desc: |
To do this, `file` reads a "magic" file that describes the magic
numbers that it might see in a file. This PR fixes a mistake in
the `magic(5)` manual for writing such files.
- urls: [https://github.com/diamondburned/gotk4/pull/140]
tags: [Go, GI, docs]
desc: |
The not-quite-markdown format that `.gir` files use for
documentation is under-specified and hard to parse. Right now I'm
focusing on how to properly parse it, so that we can have
top-notch language-specific documentation for GI libraries.
This PR is laying the groundwork for the new parser.
- urls:
- https://lists.ozlabs.org/pipermail/linux-erofs/2023-November/009765.html
- https://github.com/erofs/erofs-utils/commit/f528b82ffbcb15484a7195c1a1d08ece0ff67350
- https://github.com/erofs/erofs-utils/commit/197e3294bcdf93f37d12989cd830a33c055b1a53
- https://github.com/erofs/erofs-utils/commit/f97311883337eb7e0ded55e60995e6599eba73e5
tags: [docs]
sponsored-by: Umorpha Systems
desc: |
This patchset improves the `--help` documentation and man-pages of
the EroFS userspace tools, and reduces friction by having
`fsck.erofs` accept common command line flags that fsck
implementions for other filesystems take.
- urls: [https://github.com/liberapay/liberapay.com/pull/2334]
tags: [federated]
status: merged + deployed
desc: |
When managing your profile, Liberapay nominally supports using
your [Libravatar federated avatar](https://www.libravatar.org/) as
your profile pic. However, it only loads avatars from the
`libravatar.org` instance; not actually supporting federation.
This PR properly implements the Libravatar federation API to load
avatars from any instance.
- urls: [https://github.com/diamondburned/gotk4/pull/109]
tags: [Go, GI, docs]
desc: |
This PR makes it easier to contribute to gotk4 by improving
developer documentation and automated checks.
- urls: [https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/merge_requests/362]
id: mkinitcpio-arm-zimage-tests
tags: [ARM, boot, testing]
desc: |
This PR adds tests for the [earlier ARM zImage
work](#contrib-mkinitcpio-arm-zimage). This was split off into a
separate PR from the main ARM zImage PR because the maintainers
had concerns about merging binary test files (very understandable,
especially given the recent XZ issue!), but didn't want to hold up
the main work.
- urls:
- https://github.com/golang/net/pull/208
- https://go-review.googlesource.com/c/net/+/580855
tags: [Go, docs]
desc: |
The functions `html.EscapeString` and `html.UnescapeString` were
once the same between `"golang.org/x/net/html"` and std `"html"`,
but have been slowly drifting apart since 2012. This PR ports
over documentation and performance improvements from std to x/net.
This will provide a consistent base for fixing bugs in
`html.UnescapeString` that were found when working on the
documentation parser in gotk4.
- urls:
- https://github.com/golang/go/pull/66970
- https://go-review.googlesource.com/c/go/+/580896
tags: [Go]
desc: |
The functions `html.EscapeString` and `html.UnescapeString` were
once the same between `"golang.org/x/net/html"` and std `"html"`,
but have been slowly drifting apart since 2012. This PR ports
over documentation and performance improvements from x/net to std.
This will provide a consistent base for fixing bugs in
`html.UnescapeString` that were found when working on the
documentation parser in gotk4.
- urls: [https://github.com/luigifab/awf-extended/pull/9]
tags: [Parabola, GTK]
desc: |
Just a minor touch-up to `configure.ac` that I noticed could be
made when updating Parabola's `pcr/awf` package. Parabola makes
other software better!
- urls: [https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/-/merge_requests/12]
tags: [Parabola, init-freedom]
desc: |
Some changes to the way that Arch Linux packages systemd that
should make it easier for distros downstream of Arch (certainly
Parabola, hopefully Artix) to provide init-freedom and support
other init systems.
- urls: [https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/5586382]
id: vboot-32
tags: [boot]
desc: |
This fixes a bug in the code that both (1) may allow a
specially-crafted partition to bypass a bounds check, and (2)
makes it so that the code does not compile when `sizeof(size_t)=4`
(that is: x86-32).
See also: [libreboot#218](#contrib-libreboot-32)
- urls: [https://codeberg.org/libreboot/lbmk/pulls/218]
id: libreboot-32
tags: [boot]
desc: |
This has the Libreboot build-system apply the [fix I submitted to
vboot](#contrib-vboot-32), so that Libreboot can be compiled on
x86-32. Libreboot does not use the affected vboot functionality,
but the bug was preventing things from compiling.
- urls:
- https://sourceware.org/pipermail/binutils/2024-June/134608.html
- https://sourceware.org/pipermail/gdb-patches/2024-June/209720.html
tags: [GNU, supply-chain-security]
status: open
desc: |
The binutils-gdb sources bundle a number of files from other
sources (including the autotools, libtools, readline, texinfo,
gnulib, zlib, and GDB). I audited the binutils-gdb sources to
pin-point exactly which versions were being bundled and what
patches were being applied, then wrote a `./bootstrap` script to
automate that bundling.
As the recent XZ issue taught us, this kind of audit is an
important part of supply-chain security. The `./bootstrap` script
will greatly ease this type of audit in the future, and can even
enable enforcing up-to-date-ness of the audit in CI.
Also, hopefully this will make it easier to keep binutils' and
GDB's bundled dependencies more up-to-date in the future; as many
are quite out-of-date right now.
|
