Read hard, get it all caught up :-D

Things are (actually) going on around the community (surprise!), you may find latest news and happenings in and around the community, and of course, latest information for you to better enjoy AOSC OS.

Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program. – Linus Torvalds


  • AOSA-2017-0019: Update BashFEBRUARY 8, 2017

    Please update your bash package to version 4.4.12.

    At patch level 7, which would be version 4.4.7 of Bash, a security issue was addressed that:

    “An exploit can be realized by creating a file or directory with a specially crafted name. A user utilizing GNU Bash’s built-in path completion by hitting the Tab button (f.e. to remove it with rm) triggers the exploit without executing a command itself. The vulnerability has been introduced on the devel-branch in May 2015.”

    And was consequently assigned CVE-2017-5932.

    Relevant documentation:

  • AOSA-2017-0018: Update GlibcFEBRUARY 8, 2017

    Please update your glibc package to version 2.25.

    Two security vulnerabilities were addressed in the recently released GNU C Library, version 2.25:

    • On ARM EABI (32-bit), generating a backtrace for execution contexts which have been created with makecontext could fail to terminate due to a missing .cantunwind annotation. This has been observed to lead to a hang (denial of service) in some Go applications compiled with gccgo. Reported by Andreas Schwab. (CVE-2016-6323)
    • The DNS stub resolver functions would crash due to a NULL pointer dereference when processing a query with a valid DNS question type which was used internally in the implementation. The stub resolver now uses a question type which is outside the range of valid question type values. (CVE-2015-5180)

    Relevant documentation:

  • Dev. Updates (Issue #1, 2017)FEBRUARY 6, 2017

    Here’s a quick introduction to a new series of posts regarding AOSC OS development updates over a period of time (per one to two months) - a brief description about what we have done while nothing was posted on the Portal, and a look into the next period of time - what would we do, and what could you expect from us.

    What happened?

    January is a month when most of our developers took a break from busy school work (winter break, whee), and the month when time allows for major changes to AOSC OS. In the past month, we have updated some major components of AOSC OS, including Python 3.6, OpenMPI 2.0, and Boost 1.63. All of these changes will definitely improve performance, and making work easier for developers using AOSC OS. Do keep in mind that these update required an extensive amount of rebuild due to ABI/API incompatibilities introduced with new versions of these components - do expect hundreds to thousands of package updates, and (unfortunately) some bugs introduced by our oversight. If you did happen to bump into a friendly (or not so friendly) bug, do report it to us.

    Progress was also made on the MIPS64 front, for which we have finished building a base system - it’s ready to boot with full Systemd - when a Kernel is ready for Junde Yhi’s Loongson 3A. But given time constraints in recent weeks, we could not guarantee a released tarball until summer break time (June, or July).

    What you could expect before Issue #2

    In the coming month, we will push out a new series of tarballs (system releases) for the spring, which of course, will include the newest packages we could offer for each of our AOSC OS ports. Also, we will make another attempt on pushing out Live system releases with a functional and graphical installation program.

    On the question of ports, we are now armed with a bare-metal RISC-V rv32i toolchain, once we get our hands on a device, we should be able to start a new port (8th!) for AOSC OS - if not, we might have to start with RISC-V’s official ISA emulator, Spike.

    WSAOSC (Windows Subsystem for AOSC OS) will also start a complete rewrite, led by Yi Rong, the original creator of the old installer written in Go language. More details will be posted when development restarts.

    And that’s all for this issue of Dev. Update for AOSC OS, we will see you around in a bit. If you want to get in touch with us, please join our IRC channel at #aosc on

  • New package additions: Feb. 6, 2017FEBRUARY 6, 2017

    Per users’ requests, we have added the following packages to our community repository:

    • ariamaestosa - Midi sequencer/editor with a user-friendly interface.
    • avidemux - A simple free video editor.
    • binutils+cross-bm-rv32i - Binutils for RISC-V rv32i subset bare metal build.
    • dgsh - A Unix-style shell (based on bash) allowing the specification of pipelines with non-linear non-uniform operations.
    • dssi - API for audio processing plugins & softsynths with UIs.
    • dssi-vst - DSSI adapter for win32 VST plug-ins.
    • dunst - Customizable and lightweight notification-daemon.
    • elixir - A dynamic, functional meta-programming aware language.
    • epub2txt - Utility to extract and format text from EPUB documents.
    • etl - C++ STL complementory multiplatform template library.
    • fisherman - A plugin manager for the Fish shell.
    • flite - A lighweight speech synthesis engine.
    • gcc+cross-bm-rv32i - GCC for bare metal RISC-V rv32i build.
    • gnome-web-photo - Generate full-size image files and thumbnails from HTML files and web pages.
    • goocanvas-1 - A cairo canvas widget for GTK+ (version 1).
    • grumpy - A Python to Go source code transcompiler and runtime.
    • kirigami2 - A QtQuick-based component set (version 2).
    • lincity-ng - A city simulation game.
    • mapcrafter - High performance minecraft map renderer.
    • newlib+cross-bm-rv32i - newlib for RISC-V bare metal rv32i build.
    • perl-file-copy-recursive - Perl extension for recursively copying files and directories.
    • perl-gnome2 - Perl binding for GNOME 2.
    • perl-gnome2-canvas - Perl binding for libgnomecanvas.
    • perl-gnome2-vfs - Perl binding for GNOME VFS.
    • perl-gnome2-wnck - Perl binding for Window Navigator Construction Kit (GNOME 2).
    • perl-goo-canvas - Perl binding for GooCanvas version 1.
    • perl-gtk2-appindicator - Perl extension for libappindicator.
    • perl-gtk2-imageview - Perl bindings to the GtkImageView image viewer widget.
    • perl-gtk2-unique - Perl binding for libunique.
    • perl-html-form - Class that represents an HTML form element.
    • perl-http-response-encoding - Adds encoding to HTTP::Response.
    • perl-http-server-simple - Lightweight HTTP server for Perl.
    • perl-proc-processtable - Provides a consistent interface to process table information.
    • perl-proc-simple - Launch and control background processes.
    • perl-sort-naturally - Sort lexically, but sort numeral parts numerically.
    • perl-www-mechanize - Automates web page form & link interaction.
    • perl-x11-protocol - Raw interface to X Window System servers.
    • perl-x11-protocol-other - Extra extesions for perl-x11-protocol
    • pngcrush - An optimizer for PNG files.
    • qtvirtualkeyboard - Qt virtual keyboard framework.
    • rosegarden - A music composition and editing environment.
    • schedtool - Query or alter a process’ scheduling policy.
    • sdl-gfx - SDL Graphic Primitives.
    • shutter - A feature-rich screenshot tool.
    • synfig - Professional vector animation program (tools only).
    • typescript - A superset of JavaScript that compiles to clean JavaScript output.
    • zstd - Fast real-time compression algorithm.

    To learn about how to request new packages for addition into our community repository, please check out our “pakreq” guide. Or simply shout out requests with #pakreq hashtag on our #aosc IRC channel, or on our Telegram group (joining information available on IRC).

  • AOSA-2017-0017: Update TCPDumpFEBRUARY 6, 2017

  • AOSA-2017-0016: Update LCMS2FEBRUARY 6, 2017

    Please update your lcms2 package to version 2.8.

    A security vulnerability for the Little CMS 2 color management library was recently announced as a part of Debian Security Advisory:


    Relevant documentation:

  • AOSA-2017-0015: Update Chromium and Google ChromeFEBRUARY 6, 2017

    Please update your chromium and google-chrome packages to version 56.0.2924.76.

    Recently released Chromium and Google Chrome browsers have addressed the following security vulnerabilities:

    CVE-2017-5006, CVE-2017-5007, CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5011, CVE-2017-5012, CVE-2017-5013, CVE-2017-5014, CVE-2017-5015, CVE-2017-5016, CVE-2017-5017, CVE-2017-5018, CVE-2017-5019, CVE-2017-5020, CVE-2017-5021, CVE-2017-5022, CVE-2017-5023, CVE-2017-5024, CVE-2017-5025, CVE-2017-5026.

    Relevant documentation:

  • AOSA-2017-0014: Update PHP5FEBRUARY 6, 2017

    Please update your php package to version 5.6.30.

    A recently released version of PHP (5.x branch) has addressed the following security vulnerabilities:

    CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161

    Relevant documentation:

  • AOSA-2017-0013: Update PHP7FEBRUARY 6, 2017

    Please update your php7 package to version 7.1.1.

    A recently released version of PHP (7.x branch) has addressed the following security vulnerabilities:

    CVE-2016-1016, CVE-2016-10162, CVE-2017-5340.

    Relevant documentation:

  • AOSA-2017-0012: Update FirefoxFEBRUARY 6, 2017

    Please update your firefox package to (at least) version 51.0 - the newest version available from the repository is 51.0.1.

    A recently released version of Mozilla Firefox has addressed the following security vulnerabilities:

    CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396.

    Also note that PowerPC 64-bit (Big Endian) is now merged Firefox version with all other ports, you will get a version update to 51.0.1 as well, rather than a new ESR release (45.7.0).

    Relevant documentation: