[RAUC] [ANNOUNCE] RAUC v1.3 released

["Enrico Jörns" <ejo@pengutronix.de>]

Hi everyone,

here it is, commit number 1700, 291 commits after the v1.2 tag: The v1.3
release auf RAUC is out in the wild and adds a lot of new and useful
features together with some fixes.

  https://github.com/rauc/rauc/releases/tag/v1.3

We start with the most 'visible' feature: When invoking the command line
tool 'rauc status' you will notice a reorganized output. This provides a
colored output (with optional UTF-8 character support) together with a
changed layout that should make it easier to identify the system status.

With a new D-Bus API method for starting an installation, we have
eliminated a significant drawback of the initial API design that made it
impossible to pass optional arguments when installing.

A few notable improvements to bundle signing landed in RAUC 1.3. By
default, RAUC does not check the certificate's key usage attributes.
When the bundle signing certificates are part of a larger, shared PKI,
RAUC can now require specific purposes like codeSigning, thereby
allowing better policy enforcement via the PKI. Checking of key usage
attributes can be enabled with the 'check-purpose' configuration option.

Also, you can now require checking of CRLs during installation (which is
disabled by default in OpenSSL). Setting the 'check-crl' configuration
option changes this. If the keyring already contains a CRL, but checking
is not enabled, a warning will now be printed.

As the OpenSSL project dropped support for all version before 1.1.1, we
have now removed support for those as well. If you still use a
deprecated and thus insecure OpenSSL version, this is the time to upgrade!

A couple of limitations in bundle and image size handling RAUC had when
running on a 32 bit system were removed.

For those running on very constrained systems, some options for
reducing the size of the RAUC binary were added.

A couple of minor bugs and memory leaks were fixed, especially an error
reporting bug that may trigger during bundle verification if an invalid
keyring was configured and produces a non-intuitive error message
"rauc-ERROR **: Not enough substeps: check_bundle".


As always, find a detailed list on what was added, changed and fixed
since v1.2 below.

We would like to say thank you to everyone who tested for v1.3, reported
issues or contributed new features!

Best regards and fail-safe updating,

The RAUC Team


---

CHANGES: Release 1.3 (released Apr 23, 2020)
============================================

Enhancements
------------

* Added a new D-Bus method (InstallBundle) which supports optional
  parameters ("ignore-compatible" for now).
* Added support for X.509 key usage attributes (code signing and
  others).
* Added a ``check-crl`` configuration option to require Certificate
  Revocation List (CRL) checking during installation.
  If the keyring already contains a CRL, but checking is not enabled, a
  warning will be printed.
* Support updating of already mounted slots via a custom install hook
  when enabled with "allow-mounted=true" in the system configuration.
  This can be useful for updating bootloaders in a boot partition (for
  example on the Raspberry Pi or BeagleBone). (by Martin Hundebøll and
  Rasmus Villemoes)
* Added the ``--mksquashfs-args`` option for bundle creation. This can
  be used to configure the details of the squashfs compression. (by
  Louis des Landes)
* Added the ``--casync-args`` option for the ``rauc convert`` command.
  This can be used to configure the details of the casync conversion.
  (by Christopher Obbard)
* Added support for installing UBIFS images via casync (depends on the
  casync PR https://github.com/systemd/casync/pull/227). (by Ulrich
  Ölmann)
* Enabled usage of ``--no-verify`` with ``rauc resign``.
  This can be useful for resigning of bundles signed with expired
  certificates.
* Exposed the ``RAUC_BUNDLE_MOUNT_POINT`` environment variable to hook
  scripts. This also deprecates the old name ``RAUC_UPDATE_SOURCE`` for
  this value in handler scripts. (by Rasmus Villemoes)
* Reduced size of the installed ``rauc`` binary. This was done by using
  ``--gc-sections`` and adding a configure switch to disable the
  ``bundle``, ``resign`` and ``convert`` commands. (by Rasmus Villemoes)
* Added support for explicitly telling RAUC that all slots are inactive
  on the kernel command line (``rauc.external``). This is useful for
  using RAUC in a factory installer. (by Marco Felsch)
* Improved layout of the ``rauc status`` output.

Bug fixes
---------

* Fixed SD/eMMC detection when using /dev/disk/by-path/ symlinks. (by
  Marco Felsch)
* Fixed handling of HTTP Content-Encoding: gzip. (by Jan Kundrát)
* Fixed reporting of errors during bundle verification. This solves a
  ``rauc-ERROR **: Not enough substeps: check_bundle`` abort. (by Rouven
  Czerwinski)
* Fixed handling of surrounding whitespace in the system variant by
  removing it. A warning is printed in this case.
* Fixed the RAUC D-Bus interface introspection file name to be
  consistent with the interface name. (by Michael Tretter)

Testing
-------

* Switched testing environment from user-mode-linux (UML) to QEMU. This
  allows us to use our own kernel configuration and avoids the (unusual)
  dependency.
* Reenabled support for coverity, as they have added support for GCC 8.
* Added some more tests in several areas.

Code
----

* Removed support for OpenSSL versions < 1.1.1.
  OpenSSL versions 1.0.2 and 1.1.0 are no longer supported by the
  OpenSSL project: https://www.openssl.org/policies/releasestrat.html
* Improved support for large bundles on 32 bit systems, but some work
  remains to be done.
* Disabled automatic ``-Werror`` and ``-O0`` when building from a git
  repository.
  This caused confusion in several cases.
* Updated uncrustify and enabled some additional formatting rules.
* Reduced redundant prefixes in error messages.
* Removed unused verification functions left over from the old network
  mode.
* Removed minor memory leaks.

Documentation
-------------

* Clarified documentation about hooks and handlers (and the available
  environment variables).
* Fixed minor typos and inconsistencies.

Contributions from: Arnaud Rebillout, Christopher Obbard, Enrico Jörns,
Jan Kundrát, Jan Lübbe, Louis des Landes, Marco Felsch, Martin
Hundebøll, Michael Heimpold, Michael Tretter, Rasmus Villemoes, Rouven
Czerwinski, Trent Piepho, Ulrich Ölmann

-- 
Pengutronix e.K.                           | Enrico Jörns                |
Embedded Linux Consulting & Support        | https://www.pengutronix.de/ |
Steuerwalder Str. 21                       | Phone: +49-5121-206917-180  |
31137 Hildesheim, Germany                  | Fax:   +49-5121-206917-9    |

_______________________________________________
RAUC mailing list