RAUC v1.0 Released
Four days before Christmas, Pengutronix prepared a very special present that many of you have probably been waiting for: the 1.0 version of RAUC!
This finally visibly underlines the maturity RAUC already had in the prior releases.
This v1.0 release adds several enhancements and new features concerning signing and signature handling. One of the most important improvements is the support for passing keys/certificates stored on PKCS#11 tokens (e.g. for using a smart card or HSM). The boot selection interface also gained several fixes and enhancements, especially concerning the U-Boot integration, which now implements the full feature set of obtaining and setting the boot status.
Several extensions of the D-Bus API and some code refactoring now allow 'rauc status' to fully work over D-Bus (if enabled) and finalize the clear separation between client and service.
Another topic that got a lot of attention is easing RAUC debugging by providing more targeted debugging and error messages, adding documentation, etc.
It is important to note that several potential issues in the actual installation process were also fixed, e.g. by adding proper fsync() handling, using O_EXCL for opening devices, or by fixing uid/gid handling during tar extraction.
RAUC now also fully supports using file:// URIs and allows opening bundles that have a custom file name extension, for cases where this is really mandatory for any reason.
With the 1.0 release we now also support OpenSSL 1.1.
The rest are 'only' minor new options, bug fixes, documentation updates, typo fixes, etc.
Thanks to all contributors since v0.4: Ahmad Fatoum, Alexander Dahl, Arnaud Rebillout, Bastian Stender, Emmanuel Roullit, Enrico Jörns, Jan Lübbe, Jan Remmet, Jim Brennan, Marcel Hamer, Matthias Bolte, Michael Heimpold, Philip Downer, Philipp Zabel, Rasmus Villemoes, Thomas Petazzoni, Timothy Lee, Ulrich Ölmann, Vyacheslav Yurkov, Yann E. MORIN