NEWS

Read hard, get it all caught up :-D

Things are (actually) going on around the community (surprise!), you may find latest news and happenings in and around the community, and of course, latest information for you to better enjoy AOSC OS.

Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program. -- Linus Torvalds

ALL NEWS

  • New package additions: Dec 16th, 2016DECEMBER 16, 2016

    Per users' requests, we have added the following packages to our community repository:

    • abbs - Configuration/manifest manager for Autobuild.
    • aosc-os-arm-boot-flasher - AOSC OS boot-related file update(flash)er for ARM architecture (and maybe more).
    • apm - Atom Package Manager.
    • arc-openbox - Arc theme for the Openbox window manager.
    • atool - A script for managing file archives of various types.
    • compton - A compositor for X11.
    • easy-rsa - Simple shell based CA utility.
    • electron - Build cross platform desktop apps with JavaScript, HTML, and CSS.
    • flat-remix-icon-theme - A pretty simple icon theme for Linux.
    • gost - GO Simple Tunnel.
    • gtk3-tqt-engine - GTK+ 3 engine for TQt.
    • gtk-qt-engine - GTK+ engine for TQt/Qt 3.
    • http-parser - Parser for HTTP Request/Response written in C.
    • lrzsz - xmodem, ymodem and zmodem file transfer protocols.
    • ncbi-vdb - The NCBI VDB.
    • neofetch - A fast, highly customizable system info script.
    • netperf - Network benchmark for multiple types of networks.
    • ngs - NGS Language Bindings.
    • nitrogen - Background browser and setter for X windows.
    • opencryptoki - Implementation of the PKCS#11 (Cryptoki) specification.
    • pysocks - SOCKS4, SOCKS5 or HTTP proxy for Python.
    • quodlibet - Music library manager and player.
    • racer - Rust Code Completion Utility.
    • ranger - A simple, vim-like file manager.
    • rustfmt - Rust Code Formatter.
    • rxvt-unicode - A customizable terminal emulator forked from rxvt.
    • sassc - Command line driver for libsass.
    • skanlite - Image scanning application for KDE.
    • sra-tools - The NCBI SRA (Sequence Read Archive).
    • tde-i18n - Translation and l10n data for Trinity Desktop.
    • tdenetworkmanager - NetworkManager frontend for Trinity Desktop.
    • tpm-tools - Management tools for TPM hardware.
    • virtualenv - A tool to create isolated Python environments.

    To learn about how to request new packages for addition into our community repository, please check out our "pakreq" guide. Or simply shout out requests with #pakreq hashtag on our #aosc IRC channel, or on our Telegram group (joining information available on IRC).

  • AOSA-2016-0037: Update w3mDECEMBER 16, 2016

    Please update your w3m to version 1:20161215.

    A series of security fixes have been committed to the w3m project to fix ~20 security fixes, all of which are yet to be officially assigned with a CVE - but we still strongly advise that you update this package.

  • AOSA-2016-0036: Update FirefoxDECEMBER 16, 2016

    Please update your firefox package to version 50.1.0, or 45.6.0esr if you are using the PowerPC 64-bit port.

    A new version of Firefox was recently released to fix the following security issues:

    CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903.

    Relevant documentation:

  • AOSA-2016-0035: Update APTDECEMBER 16, 2016

    Please update your apt package to version 1.3.1-2.

    A security vulnerability in APT has recently been disclosed that the "high level package manager, does not properly handle errors when validating signatures on InRelease files. An attacker able to man-in-the-middle HTTP requests to an apt repository that uses InRelease files (clearsigned Release files), can take advantage of this flaw to circumvent the signature of the InRelease file, leading to arbitrary code execution."

    A CVE is assigned for this issue:

    CVE-2016-1252.

    Relevant documentation:

  • Updates to Allwinner ImagesDECEMBER 13, 2016

    A new batch of ARMv7 images for Allwinner is now released by Icenowy Zheng (with date tags 20161212 and 20161213). One of the main changes is the inclusion of AOSC ARM Flasher for updating Linux Kernel for all supported Allwinner devices (will be available for Raspberry Pi 2/3 soon).

    As a side note however, any images released before December 12th, 2016 (thus a date tag older than 20161212) does not include this mechanism, and it is strongly advised that you enroll your device to the Flasher so that you may obtain Kernel updates (feature and security).

    To enroll your device, run the following series of commands as root (just copy and paste to the terminal and press Enter, the commands should finish automatically):

    echo deb http://repo.aosc.io/os-armel/sunxi/os3-dpkg / > /etc/apt/sources.list.d/10-sunxi.list && apt update && apt dist-upgrade -y && apt install aosc-os-armel-sunxi-boot aosc-os-arm-boot-flasher -y && FLASHER_CAPABILITIES='bootloader kernel' aosc-arm-flasher

    New images are now available in the Downloads page.

  • AOSA-2016-0034: Update OpenJPEGDECEMBER 9, 2016

    Please update your openjpeg package to version 2.1.2-1.

    Two vulnerabilities in OpenJPEG have just been disclosed:

    • CVE-2016-9580 integer overflow in tiftoimage resulting into heap buffer overflow.
    • CVE-2016-9581 infinite loop in tiftoimage resulting into heap buffer overflow in convert32sC1P1.

    Relevant documentation:

  • Winter Distribution Updates (and Looking Ahead)!DECEMBER 8, 2016

    You might have already noticed by looking at the Downloads page that we have expanded our line-up of releases (again). The winter distribution updates is a major update to our AOSC OS releases, and it packs a lot more than just software updates:

    • Cinnamon and LXDE are added as new variants.
    • SD/eMMC images based on the "Base" variant are now available for ARM devices (Raspberry Pi and Allwinner).
    • Desktop variants (variants with pre-configured desktop environments) are now available for multiple architectures (for instance, XFCE is now available for AMD64, ARMv7, ARMv8 64-bit, PowerPC 32-bit, and PowerPC 64-bit *).
    • All system distributions are now assembled using our new *-base collections (for lack of a good name). They are now built from a minimal system release (a "stub" variant, for our own convenience) every time, instead of being "refreshed" by doing a system update on the old one (a more detailed *-base description/explanation is on the way).

    Also, GTK+ based desktop variants are now released with a brand new look, incorporating the elegance of the Arc GTK+ theme, and the simplicity of the Flat-Remix icon theme. As seen in this screenshot of our new GNOME release below.

    gnome-preview


    Now, looking ahead, there are several things to do between now and our next distribution update - and some changes to our distribution update schedule: we are currently planning to shift the distribution update to a set, seasonal schedule (with the exception of BuildKit and important security updates) - instead of this random and fire-at-will mess we currently have... More on that in a later news post.

    Also, from the next update on, we will no longer set the default password for root with the default distribution. Enabling root user with a default password is quite a bad idea, as some users may forget to disable or reset the password of the root user, potentially making the system defenseless on a open network.


    But for now, please enjoy (or much rather, please, try our) AOSC OS!


    (*) PowerPC ports are big endian only, and are only tested on PowerPC-based Macintosh computers with G3 or newer processors.

  • Raspberry Pi images available!DECEMBER 7, 2016

    Shortly after the release of Allwinner AOSC OS images, the image for Raspberry Pi 2/3 is now available as well. The image is based on the "Base" variant of AOSC OS releases and they can now be obtained in the respective section in the Download page.

    Note that currently the image is based on ARMv7 (therefore 32-bit) userspace, as the official kernel that Raspberry Pi supplies (BSP) is ARMv6/ARMv7 only. We will be releasing separate images for Raspberry Pi 3 soon, as mainline Kernel support will land for this particular board.

    Before then, do a fast SD card burn/dd...

    # dd if=imagefile of=/dev/sdX bs=4M status=progress

    (Where imagefile is the .img file you would obtain after extracting from the .img.xz you would download, and sdX is the device file of your SD card)

    And enjoy AOSC OS on your Pi!

    pi-aosc

  • Allwinner images available!DECEMBER 7, 2016

    Our ARM/SunXi guru Icenowy Zheng has just released a big batch of system images for ARMv7-based Allwinner boards and tablets. The images are based on the "Base" variant of AOSC OS releases and they can now be obtained in the respective section in the Download page.

    icenowy-opi1

    Icenowy Zheng's Orange Pi One runnning on mainline kernel, and of course, AOSC OS.

    And here below is a full list of devices supported by these images, in case you got lost:

    Colorfly

    • Colorfly E708 Q1

    CubieTech

    • Cubieboard1
    • Cubieboard2
    • Cubietruck

    FriendlyARM

    • NanoPi NEO

    LeMaker

    • Banana Pi
    • Banana Pro

    LinkSprite

    • pcDuino
    • pcDuino2
    • pcDuino3
    • pcDuino3 Nano

    Olimex

    • A10-OLinXino-LIME
    • A10S-OLinuXino-MICRO
    • A13-OLinuXino
    • A13-OLinXino-MICRO
    • A20-SOM-EV
    • A20-OLinuXino-LIME
    • A20-OLinuXino-LIME2
    • A20-OLinuXino-LIME2-eMMC
    • A20-OLinuXino-MICRO

    Sinlinx

    • SinA31s
    • SinA33

    Sinovoip

    • Banana Pi M1+
    • Banana Pi M2
    • Banana Pi M2+

    Xunlong

    • Orange Pi 2
    • Orange Pi Lite
    • Orange Pi One
    • Orange Pi PC
    • Orange Pi PC Plus
    • Orange Pi Plus
    • Orange Pi Plus 2E
  • AOSA-2016-0033: Update Apache HTTPDDECEMBER 6, 2016

    Please update your httpd package to version 2.4.23-1.

    A 0-day vulnerability was recently announced by Apache, "Server memory can be exhausted and service denied when HTTP/2 is used". And a CVE was consequently assigned for this vulnerability:

    CVE-2016-8740.

    Relevant documentation: