commit 3ff690148e6ca60973d6dcf2fd7e1f07bf464b8f
Author: Michael Tremer
Date:   Thu Sep 18 15:58:17 2025 +0000

    installer: Move installing chroot to the right place

    Signed-off-by: Michael Tremer

commit 2a83e4d83f204603086e0889e61f7dfae85245d5
Author: Michael Tremer
Date:   Thu Sep 18 15:56:58 2025 +0000

    core199: Ship dracut-ng and regenerate initramdisks

    Signed-off-by: Michael Tremer

commit f24001e8524f4bad32c7b9e062c4e4d5b157b771
Author: Adolf Belka
Date:   Mon Sep 8 14:09:23 2025 +0200

    cdrom: Install chroot into dracut environment

    - dracut-058 had a commit for base to not require chroot inside initramfs
    - However the install of an iso requires chroot to be available for some of the actions such as the creation of the language cache etc.
    - Adding the install of the chroot binary into the dracut command in the cdrom package allowed the full installation of IPFire to be carried out.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit f1eb14c3e2ec8cb8ecd856c96281183f3f7d941c
Author: Adolf Belka
Date:   Mon Sep 8 14:09:22 2025 +0200

    dracut-ng: Replace dracut with dracut-ng

    - dracut was at version 056 and the last version available was 059 from 2022.
    - dracut-ng has been created as a fork from dracut with most of the same developers.
    - From dracut-ng-100 onwards it was made to be a drop-in compatible replacement to dracut.
    - Update from version 056 to 108
    - Update of rootfile. Number order was modified in version 108 bringing more modules with unimportant ordering to order 70. Selection was done based on the rootfiles entries used by dracut-056
    - Patches no longer needed as the fixes are now part of the provided tarball.
    - In update dracut-058 a change was made "do not require chroot inside initramfs" and this caused the chroot commands when setting up the language cache to not work as the binary was no longer available within dracut.
      To fix this a change was made to the dracut command in the cdrom package so that chroot is available to the installer package. Suggestion for this fix was provided by Stefan Schantle.
    - Tested out this new package in my vm testbed. When combined with the cdrom change an iso build was able to be successfully installed and a restore done resulting in a fully working IPFire.
    - Changelog
        108
          Performance
            systemd-udevd: 99-systemd.rules added in two places (a8c0a15c)
            watchdog: only install wdctl for the non-systemd case (ad0fd3a8)
          Features
            add Debian/Ubuntu specific Dracut configuration (cba1a2c2)
            allow the use of $kernel in initrdname= config (696397dd)
            add support for removing a space separated list of files (f8dfe3ee)
            make variable set check work with "set -u" (ee8f4f9d)
            support dracutsysrootdir being unset (348888b8)
            tests are not packaged by default to simplify packaging (e65a87cf)
            set hostonly_cmdline config to no by default (efaee447)
            set hostonly config by default in configure (62fdf59c)
            Makefile: explicitly list configs to install (f7416501)
            base: add support for rd.driver.pre (5ca76df3)
            crypt-gpg: handle multiple gpg pubkeys (28ad7910)
            dracut: drop DRACUT_PATH and rely on PATH (2606f985)
            support SOURCE_DATE_EPOCH (dfcfa6fb)
            allow users to choose which dlopen dependencies they want (96a91d04)
            replace ldd with dracut-install --dry-run or header check (e8b733f7)
            set systemdversion global var using pkg-config (ed80f9f4)
            dracut-install: add --dry-run option to replace external ldd usage (161153f9)
            extend new ELF parsing code to replace ldd calls (aac5c914)
            parse ELF .note.dlopen entries for extra deps (19b5faad)
            initqueue: factor out initqueue into its own module (3daf6783)
            network-manager: use upstream initrd services if available (83dffc58)
            resume: do not depend on initqueue if systemd is used (34457e07)
            rootfs-block-fallback: factor out rootfallback into its own module (2676f1a5)
            watchdog: do not depend on initqueue if systemd is used (c8dbd9ec)
          Bug Fixes
            load essential storage kernel modules in sloppy hostonly mode (87304767)
            increase determinism by not relying on the default sorting from ls (c9f6b867)
            network-manager dracut module no longer depends on systemd (8f063e23)
            support DRACUT_SYSTEMD being unset (79ffbd28)
            support hostonly being unset (c85c9324)
            support DRACUT_RESOLVE_LAZY being unset (3d383ba4)
            loongarch architecture support (38f44b35)
            let check_vol_slaves_all return 1 when checks on all slaves fail (b117013b)
            improve hostonly sloppy mode (53537ae7, closes #1321)
            load more kernel modules in sloppy hostonly mode (de862885)
            Makefile: remove test modules after renumbering (80961ee0)
            base: base module failure if root password is already set (e4551d40)
            dracut-lib.sh soft depends on poweroff/reboot/halt (237108c3)
            support PREFIX being unset (7bea9dfe)
            only create nobody user for nfs dracut module (8934a8e5)
            dmsquash-live: erofs collision with latest util-linux (950475e8)
            dracut: only call uname -r if it is safe to do (3f4497ed)
            detect if systemd-detect-virt is available before calling it (5d3298ea)
            consolidate reporting running in a container (000f5dbf)
            ensure hardlink deduplication is reproducible (9fdf683f)
            respect PKG_CONFIG env var instead of hardcoding pkg-config (0ee92dbb)
            dracut-init: use sysroot when checking udev rule program existence (c1000cda)
            dracut-init.sh: support DRACUT_NO_XATTR being unset (d520252a)
            initialize _files in inst_libdir_file (2311abeb)
            dracut-initramfs-restore: check for Debian initrd.img symlink (f80128e9)
            dracut-install: sort output of --modalias (41e43068)
            install all suppliers of a supplier's module (80574db7)
            do not limit supplier handling to platform bus (e35c5173)
            add sysfs node parents' modules as dependencies (3607cd8f)
            rework broken destination existence logic (425e263b)
            plug memory leak on kerneldir (082b6b0a)
            deadcode.DeadStores static analyzer warnings (28041543)
            dracut-lib.sh: initialize variables in getargs (ef60bd71)
            dracut-logger.sh: initialize errmsg in dlog_init (f35a8c7f)
            dracut.conf.d: reserve namespace 50 to out-of-tree configurations (d470b436)
            dracut.sh: do not use uname to detect kernel version in a container (2b2debd7)
            initialize variables that get exported (50426818)
            don't pass empty string as dir (758f3eaf, closes #1275)
            fcoe-uefi: exit early on empty vlan (555b6e1d)
            fips: make sha512hmac an optional requirement (3d319b55)
            generic.conf: increase ordering for generic.conf (d823fd86)
            i18n: add $dracutsysrootdir to systemd-vconsole-setup.service path (90956522)
            livenet: drop stray command call (9135136d, closes #1240)
            lsinitrd: resolve initrd to real path (22d93bc0)
            man: document what to expect running dracut non-root (b853eba8)
            modules: free up range 00-09 to out of tree dracut modules (1edcb076)
            document known module dependencies (2d98ddb5)
            move more modules with unimportant ordering to 70 (c439438d)
            all modules with 99 ordering should have a unique number (2199846f)
            network-manager: depend on dbus only when using systemd (58baf861)
            simpledrm: add =drivers/gpu/drm/panel (b7a2f8d0)
            systemd: systemd.volatile needs overlayfs kernel module (e1452003)
            make checking for systemd availability consistent (8e575556)
            systemd-cryptsetup: don't pull in fido2/pkcs11/tpm2-tss if omitted (01b369a5)
            systemd-repart: allow partition format (02201361)
            copy systemd system drop-in configuration (bb8bf124)
            systemd-sysext: install the required kernel modules (7f524d3d)
            make non-hostonly non-host (e42755c3)
            systemd-sysusers: maintain users and groups (50285645)
            remove (g)shadow created by systemd-sysusers (97b5f91f, closes #1242)
            systemd-udevd: handle root=gpt-auto for systemd-v258 (fa17b6fb)
            test: renumber test modules to 70 (99ed458b)

        107
          Bug Fixes
            improve hostonly sloppy mode (8519dcdb)
            don't use command -v to find binaries in the sysroot (c0d3b120)
            add $dracutsysrootdir to paths where it should be present (a3fea596)
            90kernel-modules: explicitly include xhci-pci-renesas (20cc20d2)
            base: tighten /dev/pts permissions (5ec66e97)
            only set ID to dracut if systemd is not used (82487fc8)
            crypt: always install s390 crypto modules (dea50f64)
            dracut: kernel module name normalization in drivers lists (8674d84f)
            protect existing output file against build errors (39a765de)
            avoid mktemp collisions with find filter (9b822c31)
            dracut-init: do not detect virt environment in non-hostonly mode (b2c72e10)
            assign real path to srcmods (bb6d0c11)
            dracut-install: install compressed blobs that match wildcard fwpath (57911e76)
            dracut-lib: support "set -e" in setdebug (89da4257)
            hwdb: enable hwdb dracut module when hostonly is sloppy (5ff7dab0)
            iscsi: make sure services are shut down when switching root (fcde3355)
            don't require network setup for qedi (3d5bab81)
            man: --include can be specified multiple times (18375a5c)
            mdraid: do not call mdadm with full path (b0c37531)
            multipath: disable user_friendly_names with mpathconf (1d7464cf)
            skip default multipath.conf with mpathconf (c43b7905)
            nfs: add possible statd user and group (7eaa8536)
            use DRACUT_CP instead of cp (2f5a759f)
            libnfsidmap plugins not added in some distributions (6b30662e)
            release: tagging and release generation is no longer automated (5c2864dc)
            rngd: adjust license to match the license of the whole project (da099c30)
            do not check for +x perms (04841c42)
            squash-erofs: adjust configuration in order to match SquashFS (e2f19b65)
            systemd-sysusers: make sure tss user for tpm2 is created (c6d38cb4)
            silence "Creating " on stderr (cb8fb964)
            always silence stdout (62c75393)
            systemd-veritysetup: install dm-verity kernel module (f3fffa1e)
          Features
            strip out unused/unlikely AMDGPU firmware (c06f2481)
            add simpledrm module (as subset of drm module) (2ae73d63)
            UKI: use ukify when available to generate UKI (acfddd69)
            btrfs: also install btrfstune (ddbeed81)
            systemd: add new systemd-validatefs@.service (1b5669c1)
            systemd-integritysetup: add remote-integritysetup.target (4402aeb2)
          Performance
            base: move the chmod dependency from base to systemd (ddc1f54d)

        106
          Bug Fixes
            check if xx-lib.sh is needed before executing (8b71a80e)
            check if dracut-lib.sh is needed before executing (8f249c2b)
            add bash dependency when bash scripts are used in the module (3a04a139)
            initqueue -> /sbin/initqueue (6f9b5a52)
            set initrd-release in the base module (41f9e8f9)
            remove extra bracket (512215c7)
            01fips-crypto-policies: use /bin in shebang (f7ca0f3e)
            35network-manager: install nftables kernel modules needed (fca71490)
            install nft binary during module installation (a6264d17)
            ENC-RAID-LVM: correct test name and remove obsolete step (90f46fcb)
            Makefile: remove irrelevant testcases (5b58bbea)
            path for make clean (a81782ce)
            base: fallback when shell-interpreter is not included (7f13ea21)
            remove fallback for shell selection (e139edb8)
            crypt: crypt-lib.sh optionally depends on stty (4532fb0f)
            dm: remove 59-persistent-storage-dm.rules (d2ade8a6)
            dmsquash-live-root.sh: support images with non-existing /proc (e37c67f6)
            docs: correct spelling mistake of recommended (4e03ac7c)
            dracut: rework timeout for devices added via --mount and --add-device (c79fc8fd)
            dracut-functions.sh: check_kernel_module go one dir further up (16abd45f)
            check for modules in --kmoddir, not in --sysroot (b90eda4b)
            dracut-init: add compatibility with Debian/Ubuntu for libdirs detection (8809b246)
            dracut-lib: initialize getcmdline/getarg local variables (fc18d0b3)
            dracut-systemd: check SYSTEMD_SULOGIN_FORCE before allowing passwordless (27024d67)
            check systemd-cryptsetup before including (484a8a23)
            unquote variable in udev conf (3b753bf7)
            dracut.sh: do not add cmdline for force_drivers if --kernel-only (95fe9048)
            ensure abs path for objcopy args (1579bb0c)
            fips-crypto-policies: improve check for module inclusion (1ef60f9f)
            i18n: make /etc/vconsole.conf optional (1246c4a1)
            img-lib: trim required binaries (755c5c52)
            iscsi: attempt iSCSI login before all interfaces are up (f30cf46e)
            don't require network setup for bnx2i (cc2c48a0)
            do not install services when not using systemd (87fefd3c)
            remove duplicate inst_multiple calls for iscsiadm and iscsid (73cdd31c)
            include /usr/lib/open-iscsi/startup-checks.sh if needed (7fe7fa94)
            kernel-network-modules: if running inside vm, include qemu-net (2ecdda2d)
            lsinitrd: improve KERNEL_VERSION detection (37ce14fb)
            lvmthinpool-monitor: make sure systemd is included (359e1e9a)
            nfs: do not set DRACUT_RESOLVE_LAZY for musl (9060fe6b)
            use the same directory set ownership and permissions as the host (6c3b8b2f)
            pcsc: add libpcsclite_real.so.* (bfa00c2a)
            plymouth: change severity of shutdown log messages (62c79128)
            silence warnings (85bb1bc6)
            do not depend on dpkg-architecture (1b374931)
            qemu-net: align check logic between qemu modules (bb7425b8)
            rngd: do not include the module if we can not start the service (3c727b60)
            shell-interpreter: move later in the module ordering (8f247f2f)
            systemd: systemd dlopens libbpf (659c2681)
            include dmi-sysfs (817dd612)
            systemd-ask-password: do not half-install systemd-ask-password-wall (d8d11852)
            systemd-networkd: depend on net-lib (80e9d891)
            systemd-pcrphase: include systemd-pcrphase in hostonly mode (ea6a47ed)
            systemd-sysext: install new initrd-specific units (68a09b43)
            systemd-sysuser: add support for Gentoo (1c5f45a2)
            systemd-sysusers: systemd.conf no longer exists (8f30a001)
            systemd-tmpfiles: passwd and group file management (4e520c88)
            copy 20-systemd-stub.conf into the initrd (0df92885)
            test: running tests on bare metal fail with syntax error (e26a4ab9)
            test-root: dracut-getarg and dracut-lib are no longer used for test-root (97e502c4)
          Performance
            base: /etc/initrd-release is only for systemd (5bf724fa)
            hwdb: only include when another module requires it in hostonly (7766da60)
            systemd: remove crypto API kernel modules (fa45d844)
          Features
            default config profile (8c15bb61)
            systemd-battery-check dracut module (7cf47b26)
            create a documentation site (77e0571c)
            Makefile: roll cleaninstall target into the install target (9825dd7b)
            cleaninstall target (dc40daa8)
            base: create /proc if it does not exists (ff370f55)
            configure: allow dracut-cpio to be disabled (4a4ab928)
            let's build dracut-cpio if cargo is installed (89a86dcb)
            crypt: remove empty /etc/crypttab to allow creating it later (23ef35d3)
            dmsquash-live: add support for rd.live.overlay.nouserconfirmprompt (6ac1033c)
            dracut-init.sh: give --force-add precedence over --omit (a0d92d39)
            dracut-systemd: install dracut-* into /usr/bin (00902e25)
            dracut.install: force hostonly for kernel-install plugin (17706f9a)
            fips: include openssl's fips.so and openssl.cnf (97c5d43c)
            livenet: get live image size from TFTP servers (93df9ad2)
            lsinitrd.sh: look for initrd in /usr/lib/modules/ (f01eec69)
            nvmf: enable other shells (dash) not just bash (43707cab)
            systemd-battery-check: always include the module if possible (961daa9d)
            systemd-emergency: install rescue and emergency targets (be7e87fb)
            systemd-sysusers: run systemd-sysusers as part of the build process (f3dacc01)

        105
          Resolve a regression in release v104 that impacts generated initrds when both systemd and i18n dracut modules are included.
          Bug Fixes
            dmsquash-live: checkisomd5 is installed into /usr/bin (39887041)
            man: use US English spelling for initialization (c12a018e)
            correct spelling of initramfs (b5ada6cc)
            systemd: remove typo from the dracut module name (7d998705)
            systemd-cryptsetup: change the ordering for consistency (43581cd0)
            udev-rules: move relevant rules from systemd (1ef30c83)

        104
          New dracut modules:
            shell-interpreter: meta package for improved shell selection
            fips-crypto-policies: make c-p follow FIPS mode automatically
            squash-lib: code shared by 95squash-{squashfs,erofs}
          Removed dracut modules:
            ifcfg: no longer needed for networking
            mksh: lack of interest to maintain
          Notable new features:
            add --add-confdir option to dracut
            new dracut configuration profiles under dracut.conf.d/ (e.g. for uki)
            systemd-udevd: make systemd-sysctl, systemd-modules-load optional
          Notable bug fixes:
            crypt: include systemd-cryptsetup module when needed
            udev-rules: move installation of libkmod to udev-rules module
            busybox: install busybox symlinks later in the generation process
            nvmf: install (only) required nvmf modules
            systemd: include systemd config files from /usr/lib/systemd
            systemd: trigger systemd-vconsole-setup.service only on demand
            multipath: include module with "find_multipaths strict"
            nfs: include also entries from /usr/lib/{passwd,group}
            network: handle '-m network'
            systemd-networkd: remove basename dependency
            remove obsolete syntax for many command line options without the rd. prefix
          Features
            config example for cloud provider uki vm (cc0a0e42)
            add common config when networking is not desired (9ffabd59)
            busybox: use busybox --install to install itself (3975e26a)
            dracut: detect kernel initrd support (b41c2401)
            dracut-functions: check more paths (ede2a05a)
            dracut-init.sh: allow changing the destination directory for inst et al (3ad7e6c2)
            dracut-initramfs-restore: unpack erofs images (ce83d38d)
            dracut.sh: add --add-confdir option (6107f5e5)
            fips: add support for UKIs (1000265a)
            fips-crypto-policies: make c-p follow FIPS mode automatically (bd3c1e1c)
            lsinitrd: add support for erofs images (2a3bc5af)
            pcmcia: only include when another module requires it (ea4199b3)
            rescue: move command line arguments to 50-rescue.conf (d24917fa)
            shell-interpreter: meta package for improved shell selection (e1fcfe64)
            squash: add module 95squash-erofs (ebc9e84d)
            split 95squash-squashfs from 99squash (5d03cc3b)
            move mksquashfs to 99squash/modules-setup (b5482f07)
            systemd: always install libsystemd libraries (921792f2)
            systemd: include systemd config files from /usr/lib/systemd (6c99c073)
            test-root: only include debug module if V is set to 2 (8974fea2)
          Bug Fixes
            install test infrastructure (a0d12aa7)
            typo in variable name (76b2f1a9)
            Dockerfile-Gentoo: explicitly pull in all build dependencies (2f8ea1c9)
            Makefile: install dracut config examples under /usr (0d369e3e)
            base: init from base is not needed when systemd is enabled (ae94b24f)
            remove the undocumented real_init, realinitpath and rd.distroinit (b1dbe859)
            busybox: install busybox symlinks later in the generation process (4e78a870)
            install busybox symlinks manually (95ba0327)
            crypt: include systemd-cryptsetup module when needed (8907ba12)
            install dm_crypt module in non-hostonly mode as well (59af2fff)
            dracut: --list-modules should imply --no-kernel as well (bd7736e9)
            don't apply aggressive strip to kernel modules (a1c51af1)
            do not add all lib subdirs to LD_LIBRARY_PATH with --sysroot (d0c82322)
            ldd output borked with --sysroot (e0b87682)
            re-enable extended attributes in containers (c964a56f)
            dracut-fuctions.sh: avoid reading the wrong kconfig (d8fb0ef8)
            dracut-functions: allow for \ in get_maj_min file path (91b1574c)
            dracut-functions.sh: only return block devices from get_persistent_dev (6611c6e4)
            dracut-init.sh: add module to mods_to_load before checking dependencies (d0f8fde5)
            dracut-install: use correct data type for pid (36dc45ca)
            handle correctly sysrootdir with trailing '/' (1c44cd71)
            do not assume handled path starts with sysrootdir (7bc1f538)
            resolve -Wextra warnings (8de0258d)
            refuse empty DRACUT_LDD environment variable (a9e11447)
            dracut-systemd: include systemd-cryptsetup module when needed (e0e5424a)
            dracut.sh: exit when installing the squash loader fails (abac41d0)
            use only compressor that kernel supports (cc17951e)
            account for the kernel being named kernel (c520f3a4)
            fips-crypto-policies: make it depend on fips dracut module (a2096daf)
            hwdb: only install /etc/udev/udev.hwdb in hostonly mode (f2b1491f)
            lsinitrd: check skipcpio file directly (2815f021)
            lvm: clean up whitespace in messages (5e9cb283)
            man: update description of the --gzip option (206b5448)
            multipath: include module with "find_multipaths strict" (1e802f15)
            network: call both check_module and module_check (c81c9552)
            handle '-m network' (c4b57722)
            nfs: include also entries from /usr/lib/{passwd,group} (d954e3a9)
            nvmf: install (only) required nvmf modules (3748ed4d)
            require NVMeoF modules (41332702)
            release: improve commit message (267d002c)
            rescue: make rescue always no-hostonly (224c0091)
            rngd: install system service file (a9528201)
            squash: remove cyclic dependency (5f6b6fa4)
            use 99busybox instead of installing it manually (69ebcb58)
            explicitly create required directories (d23b0eea)
            squash-erofs: properly exclude $squashdir (323af181)
            squash-lib: harden against empty $initdir (924e2e85)
            systemd: do not set unused target as the default (982735c7)
            /sbin/init is not required inside initrd (a066b07f)
            systemd-vconsole-setup has a dependency on loadkeys (55517460)
            remove duplicate systemd cryptsetup targets (ad520855)
            make nologin optional (953b48a7)
            move installation of libkmod to udev-rules module (ef0972fe)
            systemd-cryptsetup: install cryptsetup-pre.target (181e1f11)
            systemd-initrd: add base as dependency (56c84cde)
            systemd-networkd: remove basename dependency (2bb74448)
            make sure default network is always last (e1dfdaca, closes #618)
            systemd-sysctl: systemd-modules-load is not a dependency (4fb67460)
            systemd-udevd: make systemd-sysctl, systemd-modules-load optional (1de08390)
            test: always install kernel modules (9c79e226)
            udev-rules: remove systemd-specific rules (6243b7b6)
            move *-persistent-storage.rules to rootfs-block (d67251aa)
            install dropins for udev.conf (bdaa4e5b)
            watchdog: change the priority of watchdog kernel modules (0097ded1)
          Performance
            systemd-initrd: do not depend on base module (06074459)
            initrd.target is already the default (b7b4f039)

        103
          New dracut modules introduced by this release:
            hwdb: separate out hwdb module
          Notable new features:
            erofs support for dmsquash-live module
            install platform/chrome modules on ARM/RISC-V
            force the inclusion of crypttab entries with x-initrd.attach
            configuration files for common packaging options (50-hostonly.conf.example)
          Commits that resolve notable regressions:
            perf(dracut-install): memoize find_kmod_module_from_sysfs_node
            perf(dracut-install): use driver/module sysfs dirs for module name
            fix(crypt): decryption when rd.luks.name is set
            fix(systemd-pcrphase): make tpm2-tss an optional dependency
          Features
            add common config for Integrity Measurement (5d9fe8c5)
            add additional common configs (69e119da)
            crypt: force the inclusion of crypttab entries with x-initrd.attach (61ab3386)
            debug: add findmnt to help debugging (41d61114)
            dmdquash-live: add support for using erofs (ca5ae5d3)
            dracut: search for zstd compressor first (9663307c)
            dracut-install: configure if weak dep is still not supported in kmod (77c3efa6)
            add weak dependencies support (8517a6be)
            add hashmap_get_exists() (2b13d74d)
            hwdb: separate out hwdb module (3c5d5e39)
            kernel-modules: install platform/chrome modules on ARM/RISC-V (e69e4132)
            lsinitrd.sh: support configurable initrd filenames (7c11c8cf)
            multipath: warn if included with no multipath devices and no user conf (ae1b1003)
            qemu: include the virtio_crypto kernel module (0fe20f85)
            test: add erofs-utils to the containers (e11bc8bf)
            support V=2 without logtee (3f005c8a)
          Bug Fixes
            check for searched initrds to be present (9c396ce2)
            rename dracut.conf.d .conf files to conf.example (ddc9e4e9)
            disable SC2317 for calls by for_each_host_dev_and_slaves (23c9d85a)
            quote single CTTY parameter (61d93421)
            address shellcheck SC2166 (d3802b10)
            move shellcheck SC3045 override to occurrences (e1728ee9)
            01fips: replace read -d that is not supported by dash (15b94c44)
            90kernel-modules: install blk modules using symbol blk_alloc_disk (194ef8eb)
            Dockerfile-Gentoo: add requirements for systemd-pcrphase (f7e19b3a)
            TEST-35-ISCSI-MULTI: increase storage space (9f183a98)
            TEST-40-NBD: disable broken tests (eb32b30b)
            return actual test run result from test_run() (cfe3ce3c)
            enable serial console for test runs (1993786f)
            don't double-pass test dir to marker check (5928c938)
            TEST-NFS: use --add instead of --modules to create test-makeroot (0a94eab6)
            convertfs: drop unused find_mount function (04628fc4)
            disable SC2317 for EXIT trap function (6668694d)
            quote single CP_HARDLINK variable (00ba4dae)
            crypt: decryption when rd.luks.name is set (015a0fa6)
            dbus: drop unreachable return statement (c3764b92)
            dbus-daemon: actually enable the dbus service and socket (71f2ff50)
            dmsquash-live: make sure erofs module is installed (e52cf3c1)
            quote variables (5391fa2e)
            dmsquash-live-autooverlay: quote variables (24ab9e66)
            dracut: microcode loading named .initramfs (cd3f04ab)
            address shellcheck SC2004 (79e372de)
            quote strip_cmd variable (538689bc)
            dracut-catimages.sh: drop unused dwarning function (34bf2fe4)
            dracut-functions: avoid awk in get_maj_min() (ec7efd57)
            dracut-init: change lookup order for rules files (46932e33)
            dracut-init.sh: clarify the error message (f83d8f90)
            quote dracutbasedir variable (5969b230)
            dracut-initramfs-restore.sh: correct initrd globbing (cc5e8d6f)
            dracut-install: copy xattr when use clone ioctl (3e1d0bc1)
            dracut-lib: quote _ctty variable (22910365)
            quote var variable (7a277629)
            quote _b variable (e4ec0d33)
            dracut-logger.sh: disable SC2317 for logger functions (c77365ce)
            quote _dlogfd variable (89eddc42)
            dracut.sh: drop unused read_arg function (a9ea0175)
            fips: remove reference to kernel module zlib in fips module (22f451d5)
            iscsi: address shellcheck SC2319 (54676c83)
            lsinitrd.sh: disable SC2317 for cat functions (f62049b2)
            lunmask: quote LUN variable (d20be112)
            lvmthinpool-monitor: address shellcheck SC2319 (199f4108)
            man: clarify semantics for --kernel-cmdline (aba502f3)
            mdraid: try to assemble the missing raid device (3fd43858)
            multipath: omit module if included with no multipath devices (377d52cb)
            omit module if included with no multipath devices (4957ffa9)
            net-lib: require and install only the necessary binaries (29609268)
            network: deprioritize connman for network selection (dec4978f)
            network-legacy: quote bridgename variable (bc166ece)
            nfs: support rpcbind user named _rpc (4a236f01)
            quote rpcpipefspath variable (58a46715)
            release: version lock clog (58d4d7d6)
            rt: use singular argument for timeout value (e2e6579a)
            shell-completion: remove hashbang from bash completions (c50e742c)
            syslog: quote conf variable (28e1b17b)
            systemd: check for systemd-vconsole-setup.service (5a3ad259)
            systemd-hostnamed: also enable socket units (133978d9)
            add missing systemd-hostnamed.socket (f25bb1e2)
            systemd-networkd: remove default network if others were generated (02a1ea4b)
            add support for proper netroot invocation (0e1e7871)
            this module depends on systemd (1aa2e4ff)
            systemd-pcrphase: make tpm2-tss an optional dependency (a2193b71)
            in hostonly mode do not try to include systemd-pcrphase (96d153fe)
            test: run test 14 with systemd again (43fa0c4e)
            reenable extended tests for Arch (130f4dfc)
            tests needs more storage space (96aa5073)
            use --add instead of --modules to create test-makeroot (51d06540)
            use -cpu max by default (44f5359f)
            test-root: quote _terminfodir variable (db4ea5f3)
            udev-rules: install all rules even if systemd is not installed (df8bf213)
            zipl: quote zipl_env variable (39b1ffa2)
            quote ID_FS_TYPE variable (34da5799)
            znet: quote initdir variable (79dbd435)
          Performance
            dracut-install: use driver/module sysfs dirs for module name (d71bec4a)
            memoize find_kmod_module_from_sysfs_node (6500e954)
            preload kmod resources for quicker module lookup (5a3f3773)

        102
          This release includes fixes for compatibility with the latest Linux kernel (v6.9), Linux firmware, and systemd (v256).
New dracut modules introduced by this release: pcmcia: factor out pcmcia support into its own module systemd-bsod: display a blue screen which contains a message relating to a boot failure numlock: module to turn Num Lock on systemd-cryptsetup: factor out systemd-cryptsetup support into its own module dracut modules removed by this release: dasd_rules: remove dasd handling consolidated in s390-tools qeth_rules: remove qeth handling consolidated in 95znet zfcp_rules: remove zfcp handling consolidated in s390-tools crypt: move more rules to systemd-cryptsetup (6325af42) dracut-init.sh: stop parsing args in dracut_instmods if --silent is found (16863113) dracut-systemd: check for systemd binary (51d0257b) drm: group dracut_instmods calls (80f2caf4) systemd: remove duplicate rules (d6ba849b) remove duplicate rules (45a65df3) remove duplicate rules (db20908c) remove duplicate rules (fb75d4a8) remove duplicate rules (6c5520df) systemd-udevd: remove duplicate rules (28846382) Bug Fixes /etc/modprobe.d --> /run/modprobe.d (424717af) crypt-gpg-lib.sh (1ca38f04) module-setup.sh missing stty (1af35319) network-manager should include kernel-network-modules (cabd38d8) clean Makefile rule (b89a0fb2) 01systemd-ldconfig: install ldconfig.real (125bb0a8) 35-network-manager: let the kernel generate a UUID for /etc/machine-id (1e2b5c30) 90kernel-modules: add psmouse for some Fujitsu laptops (343ce3bb) Dockerfile-Gentoo: resolve glibc/libxcrypt conflict (b6b8cf3e) pull in virtual/pkgconfig (4d5e9079) add --deep, --autounmask-continue, and depclean (b182af73) base: add support for rd.udev.log_level (a471ca60) install /etc/udev/udev.conf in hostonly mode only (2ab9ecce) log the full udev database in rdsosreport (3fc15986) configure: resolve regression for crosscompiling (25dabef1) cpio: eliminate compile time warning (18788930) crypt: unlock encrypted devices by default during boot (2339acfa) add systemd-ask-password dependency if systemd is used (caafea4e) dmsquash-live: do not check 
ISO md5 if image filesystem (c6906fea) use load_fstype to load driver for filesystems (541ae946) update documentation (d2d41a36) dracut: microcode loading (16573680) bsdcpio compatibility (572afed1) add support for RISC-V EFI (136a9a10) move hooks directory from /usr/lib to /var/lib (a45048b8, closes #2588) dracut-fuctions.sh: correct wrong regex pattern for LVM dm devices (4c2f756f) dracut-init.sh: force to perform the actual action (ffeb32b2) handle decompress with --sysroot (91cdd57f) dracut-install: release memory allocated for regular expressions (d93bac05) continue parsing if ldd prints "cannot be preloaded" (ace9e1b5) dracut-lib: only remove initqueue/finished scripts, not the hook dir (e8257deb, closes #2620) dracut-systemd: include systemd-ask-password module (0bfe0867) replace rd.udev.log-priority with rd.udev.log_level (c1275d87) dracut.sh: include efi mountpoint for hostonly (4a6a4ac6) don't unset LD_PRELOAD (1eff6933) do not add device if find_block_device fails (0f6c46aa) make uki's reproducible (aabb5a41) omit compressed kernel modules from find searching exec files (ad36b61e) fips: remove /dev/{random,urandom} pre-creation (5beda2ea) github: add the recently introduced modules to the labeler (5957f5c5) i18n: handle keymap includes with --sysroot (5b714d25) install.d: prevent failure when kernel-install command is not add (6fec7d39) correctly install pre-genned image and die if no args (8388ad14) simplify and use what kernel-install gives us (d4015538) iscsi: do not add host's runtime iscsi configure files in initrd (292e79e8) man: further clarify live-image overlay types & RAM usage (5fa405dd) memstrack: move the console warning to be a comment (ee1c37e3) multipath: explicitly check if hostonly_cmdline is yes (c262ec6d) numlock: use the same shebang as other dracut modules (67987959) use the same shebang as other dracut modules (efa02688) nvmf: move /etc/nvme/host{nqn,id} requirement to hostonly (54cd6479) release: dracut --> dracut-ng for NEWS.md 
(6fb8fc8b) systemd: explicitly install some libs that will not be statically included (04b362d7, closes #2642) systemd-ask-password: no graphical output in aarch64 (4cc962aa) resolve regression (25c5cfa2) systemd-cryptsetup: add potentially needed modules to generic initrd (9179ade8) systemd-initrd: systemd based initrd needs journald and tmpfiles (860b35c3) only included if another module depends on it (6d3e69ac) add systemd-udevd dependency (8910f8bb) systemd-journald: add systemd dependency (06e4a854) systemd-networkd: drop networkctl as it has a dependency on dbus (7a1519bf) dbus is not a mandatory dependency (6f764a1d) systemd-sysext: handle confexts and correct extensions search path (30da2173) systemd-udevd: add systemd-sysctl dependency (2c866733) test: add support for thin volumes in the Gentoo container (6fc87f5c) fixup Gentoo CI (8bcd077d) remove ib700wdt kernel module from tests (2526a92e) do not omit dracut modules for initramfs.testing (5cb42481) fixup Gentoo CI (3b9054a4) znet: append to udev rules so each rd.znet_ifname is effective (22f51730) Features 90dm: close crypt devices using cryptsetup (fba8622f, closes #204) 90systemd-cryptsetup: socket key files (80480a73) dasd: minimize dasd handling consolidated in s390-tools (36e1f884) dasd_mod: minimize dasd handling consolidated in s390-tools (2397c479) dasd_rules: remove dasd handling consolidated in s390-tools (72c945ca) dracut.sh: make initramfs-${kernel}.img filename configurable (28820e20) ifcfg: minimize s390-specific network configuration aspects (457e66e6) lsinitrd.sh: print stored dracut cmdline (d10455ad) enable unpacking files from squash-root.img (9b12ef98) numlock: add module to turn Num Lock on (60b44261) pcmcia: factor out pcmcia support into its own module (4b21d5f7) qeth_rules: remove qeth handling consolidated in 95znet (198a86c2) systemd-bsod: dracut module for systemd-bsod (d7ab919e) systemd-cryptsetup: new module for systemd-cryptsetup (649e37bc) systemd-pcrphase: include 
systemd-pcrphase if dependencies are met (c5cbdaf3) tpm2-tss: add tpm2.target and systemd-tpm2-generator (edd870ed) zfcp: minimize zfcp handling consolidated in s390-tools (7745a81a) zfcp_rules: remove zfcp handling consolidated in s390-tools (b5a35f9d) znet: use zdev for consolidated device configuration (658a21ac) 101 Release 101 resolves a regression introduced by release 100 - #130. Bug Fixes dracut.sh: revert: "do not add device if find_block_device returns" (0885d6b2) dmsquash-live: update documentation (d2d41a36) dracut-install: continue parsing if ldd prints "cannot be preloaded" (ace9e1b5) dracut-systemd: replace rd.udev.log-priority with rd.udev.log_level (c1275d87) dracut.sh: omit compressed kernel modules from find searching exec files (ad36b61e) improve Gentoo container (76963537) 100 Release 100 of dracut-ng serves as a drop-in replacement for the original dracut project. This release marks a significant milestone in our commitment to providing an alternative, community-driven solution for creating an initramfs image. The original dracut project is no longer actively maintained (its last tagged release dates back to 2022). Forking allows the community to take ownership of the project and address maintenance issues independently. This release includes fixes for compatibility with the latest Linux kernel (v6.8), Linux firmware, and systemd (v255). A new dracut module named net-lib has been added to enhance networking support. Support for new Linux kernel modules has been added to support new devices, including the Surface Laptop 4 and MacBook Pro.
Bug Fixes wait 12 hours before halt on media check fail (faa3db78) do not use modprobe --all (5850486f) 45ifcfg: mark as deprecated and strictly opt-in (79e1def5) 90kernel-modules: add surface_aggregator_registry for Surface Laptop 4 (8cc89664) add intel_lpss_pci for MacBook Pro 2017 (f0526fde) 90multipath: drop unneeded dependencies from configure service (9ac195c1) Makefile: release is now just made out of a git sha (71109aed) TEST-62-SKIPCPIO: test always skipped due to buggy test_check (5b5d395a) base: correct handling of quiet in loginit (49b9c219) caps: return 1 if binary requirements are not met (243be951) check_live_ram: increase /run tmpfs size, if needed (e12ad733) configure: misleading error if C compiler is not installed (4980bad3) dmsquash-live: use the overlay size with thin provisioning (2e025eb2) handle relative pathspec (0c6d257f) dracut: correct regression with multiple rd.break= options (3d727a7d) dracut-init.sh: do not print by default if a modules is not installed (d73cc24e) dracut-initramfs-restore.sh: do not set selinux labels if disabled (4d594210) dracut-install: file created without restricting permissions (3439d139) dracut-lib: use poweroff instead of halt (0ca14da6) dracut-systemd: use DRACUT_VERSION instead of VERSION (a2c64222) dracut-util: do not call strcmp if the value argument is NULL (b5fb6e04) dracut.sh: recognize kernel file in /boot named vmlinux too (f2dfc257) do not add device if find_block_device returns an error (18abcc53, closes #2592) skip README for AMD microcode generation (9df35524, closes #2541) github: update format of labeler (de8ac630) i18n: silence spurious setfont stderr warning (27f31c03) handle symlinked keymap (1f73bc8b) install: handle new -Walloc-size for GCC 14 (23b9ec22) livenet: split imgsize calculation to avoid misleading error message (4649b4c6) check also content-length from live image header (6289d5f4) propagate error code (61a00cf8) man: rd.break parameter can be specified multiple times (5a99e671) 
net-lib: add a new dracut module called net-lib (5e1fec16) overlayfs: to allow overlay on top of network device (nfs) (bedde0f1) allow hostonly (929e3160) split overlayfs mount in two steps (bddffeda) pcsc: add --disable-polkit to pcscd.service (2689123c) add opensc load module file (882e9335) pkcs11: delete trailing dot on libcryptsetup-token-systemd-pkcs11.so (1c762c0d) plymouth: return 1 if binary requirements are not met (edb14009) release: maintain dracut.html in the source tree (7b05aa8b) dracutdevs/dracut --> dracut-ng/dracut-ng (8906474b) resume: include in hostonly mode if resume= on cmdline (d2ff89e2) add new systemd-hibernate-resume.service (b73b5e0f, closes #2513) rootfs-block: remove support for [no]readonlyroot and fastboot (469935fc) systemd-255: handle systemd-pcr{phase -> extend} rename (b63e90ab) systemd-journald: add systemd-sysusers dependency (4971f443) systemd-repart: correct undefined $libdir (1586af09) test: running tests no longer requires to be root (3dad8237) udev-rules: remove legacy persistent network device name rule (898ce135) zfcp_rules: correct shellcheck regression when parsing ccw args (5d2bda46) Features dracut.sh: protect push_host_devs function (7b54d2fb) kernel-modules: Install SPMI modules on ARM/RISC-V (9491c285) add Qualcomm IPC router to enable USB (dd9a4bc1) network: include 98-default-mac-none.link if it exists (b7f09500) 060 Performance dracut-install: don't strdup() environment block (efd4ca27) don't reallocate {src,dst}path in hmac_install() (77226cb4) don't strdup() excessively for dracut_install() (a20556f0) stat() w/unused buf -> access(F_OK) in dracut-install (e7ed8337) multiple single-character strstr()s -> strpbrk() (751a110f) Bug Fixes codespell (ddf63231) make iso-scan trigger udev events (7b530f26, closes #2183) shellcheck 0.8.0 (88fe9205) shellcheck 0.8.0 (08b63a25) 99base: adjust to allow mksh as initrd shell (a0d14d3b) Makefile: remove leftover rpm build rules (f5cc202e) no longer upload to kernel.org 
(ffc766d2) execute command -v instead of which (4235c035) base: do not quote $CLINE in the set command (8b951d20) bluetooth: make bluetooth rules more strict (dfa408c9) add missing files (e84d65c5) include it if Appearance matches the value assigned for keyboard (8079ceaf) warn user instead of including it by default (0ecb0388) btrfs: do not require module via cmdline when --no-kernel (7ed765dd) add missing cmdline function (2b47a2ef) crypt: add missing libraries (c5dca3d6) crypt-gpg: do not use always --card-status (e3e8108e) dmsquash-live: allow other fstypes (4000a1ec) restore compatibility with earlier releases (0e780720) live:/dev/* (93339444) dmsquash-live-autooverlay: specify filesystemtype when it is already known (179e1a99) dracut-functions: avoid calling grep with PCRE (-P) (67591e88) dracut-functions.sh: convert mmcblk to the real kernel module name (a62e895d) dracut-init.sh: module_check method ignores forced option (6c9f403f) use the local _ret variable (1b53bb62) correct check in is_qemu_virtualized function (3e2f685e) correct typo in comment (1aafcab9) dracut-initramfs-restore.sh: handle /etc/machine-id empty or uninitialized (260883d9) dracut-install: protect against broken links pointing to themselves (32f6f364) prevent possible infinite recursion with suppliers (131822e2) continue parsing if ldd prints "cannot execute binary file" (9a531ca0) dracut-lib.sh: remove successful finished initqueue scripts (07af8d58) dracut-systemd: rootfs-generator cannot write outside of generator dir (86c8a5a7) check and create generator dir outside of inner function (acfa793b) do not hardcode the systemd generator directory (a7c04716) remove unused argument (eb75861c) dracut.sh: remove microcode check based on CONFIG_MICROCODE_[AMD|INTEL] (6c80408c) exit if resolving executable dependencies fails (b2c6b584) shellcheck warning SC1004 (dbdab2d8) use gawk for strtonum (33a66ed0) also prevent fsfreeze for tmpfs (09d3ec16) correct path for UEFI stub on split-usr systems 
(c1588995) silence the output of hardlinking files by default (2a26eec5) handle imagebase for uefi (6178a9d8) handle /etc/machine-id empty or uninitialized (97fe0976) use dynamically uefi's sections offset (f32e95bc) kmoddir does not handle trailing / (1ddcb137) handle sbsign errors for UEFI builds (a6dd5bfb) handle out of space error for UEFI builds (8602df70) --sysroot option broken if global variables not set in conf (6f4a5c90) correct --help and --version exit codes (cda6b00a) fido2: libfido2.so depends on libz.so (15970768) fips: move fips-boot script to pre-pivot (d777dd3d) only unmount /boot if it was mounted by the fips module (ab26ad2c) do not blindly remove /boot (1fabbb64) fs-lib: remove quoting form the first argument of the e2fsck call (9aa332ca) github: exempt issues in a milestone (c8a703aa) install: do not undef _FILE_OFFSET_BITS (70aeb4c1) install.d: do not create initramfs if the supplied image is UKI (b2af8c8b) respect even more kernel-install vars, plus style fixes (17b8649e) respect more kernel-install env variables (a037634a) integrity: do not require ls (a804945f) iscsi: prefix syntax for static iBFT IPv6 addresses (c3b65a49) install 8021q module unconditionally (aa5d9526) kernel-modules: add interconnect drivers (afb5717e) add UFS drivers (89269d23) use modalias info in get_dev_module() (87a76dbb) load_fstype: avoid false positive searchs (10cf8e46) lsinitrd.sh: handle /etc/machine-id empty or uninitialized (971b302d) handle filenames with special characters (1f84ff88) lvmthinpool-monitor: activate lvm thin pool before extend its size (e9b47742) man: add missing initrd-root-device.target to flow chart (f11e8fff) remove duplicate entry (6af3fcfd) modsign: load keys to correct keyring (b7ef1302) multipath: remove dependency on multipathd.socket (297525c5) network: IPv6: don't wait for RA for static IPv6 assignments (726d56ca) don't assume prefix length 64 by default (7ff255a4) network,dbus: improve dependency checking (3f8f115a) 
network-legacy: typo (e2f961a2) always include af_packet (b074216b) network-manager: add "After" dependency on dbus.service (d8a9a73d) nvmf: support /etc/nvme/config.json (f07117d6) install 8021q module unconditionally (902f3a8f) plymouth: remove /etc/system-release dependency (d6cef3f2) release: maintain dracut-version.sh in the source tree (b4e23ce4) resolve-deps: check the existing file—not the source (5ac581ef) systemd: add new systemd-tmpfiles-setup-dev-early.service (7528d84d) do not include systemd-random-seed.service (925febf8) systemd-ac-power: correct systemd-ac-power binary path (df2458a6) systemd-journald: do not include systemd-journal-flush.service (eff2a939) systemd-networkd: correct typos in override paths (f0dc7ec9) add missing conf files and services (71e391eb) systemd-pcrphase: only include systemd-pcrphase-initrd.service (cd6f683d) systemd-resolved: correct typo in override path (2d083021) systemd-timedated: correct typo in override path (765e69ce) systemd-tmpfiles: do not include systemd-tmpfiles-clean.timer (1ef00735) systemd-udevd: add missing override paths (570b9d40) test: only use QEMU machine q35 on x86 (f29e428b) use bash for jobs -r parameter (9a18f133) rename test 60 (3d7c0ffb) improve test 60 (5e846cb1) remove leftover link file from server rootfs (8f44740f) assign fixed address to bridge (9fb64d96) bump DHCP timeout to 30 seconds (462d9b92) remove check on dhclient support for --timeout (da959483) adapt multinic test for new NetworkManager versions (d3993c7d) udev-rules: remove firmware.rules (7310a641) remove old eudev specific rule (6d554d9b) remove old redhat specific rule (d648bf80) remove old edd_id extra rules (6a33e677) remove old debian specific rules (1edc41af) url-lib.sh: nfs_already_mounted() with trailing slash in nfs path (966b6cec) virtiofs: add virtio_pci kernel module to virtiofs (07b49a3e) Features Makefile: allow setting dracut version via environment variables (31c4d284) dracut: add --sbat option to add sbat policy 
to UKI (fffeaded) use log level indicator in console output (ae88e029) dracut-init.sh: do not print by default if an udev rule is skipped (aa20bbb5) specify if a module cannot be found or cannot be installed (a10078a5) dracut-install: add fw_devlink suppliers as module dependencies (3de4c731) fips: add progress messages (68d0653e) install.d: allow using dracut in combination with ukify (16645633) kernel-modules: driver support for macbook keyboards (df381b7e) livenet: add memory size check depending on live image size (52351cfa) lsinitrd: notify user on missing compressor (1300a930) lvm: always include all drivers that LVM can use (a109c612) network-wicked: remove module (9dbbebb1) nvmf: add code for parsing the NBFT (b490f6f7) resume: also consider resume= in the cmdline as enabling hibernation (e3a7112b, closes [#924](https://github.com/dracutdevs/dracut/issu systemd: install systemd-executor (bee1c482) systemd-creds: introducing the systemd-creds module (48c2cb45) systemd-rfkill: remove module (c4e6eaf9) test: nfs_fetch_url test into nfs test (8f9ad068) 059 Bug Fixes NEWS.md: add missing entries (794ce5e3) 058 Bug Fixes 90kernel-modules: MMC and NVMe on kernels 6.0+ (e0d57a8f) add (nonstandard) NVMe drivers (415e5519) 90multipath: use RemainAfterExit=yes for multipathd-configure.service (2334031a) create /etc/multipath only (0940be90) Makefile: reduce the number of shell invocations (ad7d5bc8) base: do not require chroot inside initramfs (51813371) remove grep dependency (240a1d34) dbus-broker: add missing sockets.target.wants/dbus.socket (7ed04618) dmsquash-live: add support for NFS (8caaad4f) check kernel for built-in squashfs drivers (922c9e28) run checkisomd5 on correct device (c8f819e6) dmsquash-live-ntfs: remove unnecessary command (e78f71b9) dmsquash-live-root: check kernel for built-in overlay drivers (d0cd7cd3) dracut: allow to set persistent policy based on /dev/mapper device names (9cc7ceec) shellcheck regression in DRACUT_INSTALL calls (097dd367) 
replace invalid lzo command with lzop for LZO compression (b2d7561b) typo error 'aggresive' -> 'aggressive' (e4f1dbcc) dracut-functions.sh: check_kernel_module should follow dracutsysrootdir (6c42d378) suppress findmnt error msg if /etc/fstab not exist (e9ed44c8) dracut-init: make require_kernel_modules ignore no kernel build (d460941b) dracut-init.sh: instmods: wrong variable name (b12ee558) add missing hostonly code in the inst_multiple function (e2fdb30b) correct dracut-install source path (72b700e3) propagate the result code returned by dracut-install (d2f6f445) dracut-initramfs-restore.sh: initramfs detection not working (481b87fa) hide unpack errors (4f20ae26) dracut-install: use stripped kernel module path as hash key (2f791b40) do not try to copy files from the root directory (ebbcf97d) correctly waitpid() for cp (13736c50) convert_abs_rel: return valid path on error (06d31617) dracut-logger.sh: this fixes the dlog_init check for /dev/log (6b592f58) dracut-systemd: run systemctl daemon-reload after remove_hostonly_files (e1058b07) dracut.sh: split drivers_dir check (d32d221e) use DRACUT_ARCH instead of uname -m (a86aea65) make omit-drivers option do exact match for names (444944ab) correct wrong systemd variable paths (b9dc999f) remove duplicate "dracut:" string in logger functions (8410ee22) do not fail on irregular files (b72d0d7f) dracut.spec: tpm2-tools is required for crypt module to work (8abffe7c) drm: add video drivers needed on hyper-v and similar (85149b85) github: yml syntax and commit message for dependabot (32f6dd1d) i18n: do not fail if FONT in /etc/vconsole.conf has the file extension (e1de5bd2) add required includes for keymaps (fe8fa2b0) install.d: add --verbose if KERNEL_INSTALL_VERBOSE=1 (846a8453) integrity: do not enable EVM if there is no key (90585c62) remove unused variable (9d1004a4) iscsi: don't install the module if kernel doesn't support iscsi (7917d797) kernel-modules: add sysctl to initramfs to handle modprobe files (33679fff) 
always include nvmem driver on nvmem_on_arm (bc965cd8) load_fstype: use $1 if $2 is missing (401158e5) lsinitrd.sh: add a missing path to image (e877be69) correct skipcpio source path (5eb996a9) lvm: drop dm-eventd binary and libs from initramfs (7d3184e4) man: correct typo (699e3945) dracut.cmdline.7: clarify "rd.nvmf.discover=fc,auto" (a90efdd7) dracut.cmdline(7): correct syntax for rd.nonvmf (4b69e63b) point man pages to github.com instead of kernel.org (d6d55584) correct typo (7fa0094c) multipath: install multipathd.socket (02e646fc) network: check if ip command fails (52d14607) two bugs which cause minutes long boot times (1d6f42c8) avoid double brackets around IPv6 address (2c26b703) don't use same ifname multiple times (f4e9ea87) network-legacy: check if dhclient has --timeout option (23654c50) correct wrong local network configuration path (2eb733cc) network-manager: always install the library plugins directory (429f9de1) correct wrong local network configuration path (744c6de5) nfs,virtiofs: check kernel for builtin fs drivers (78cafe46) nvmf: run cmdline hook before parse-ip-opts.sh (a65fab69) avoid calling "exit" in a cmdline hook (a93968b0) make sure "rd.nvmf.discover=fc,auto" takes precedence (556ef46a) don't use "finished" queue for autoconnect (e93e4652) don't create did-setup file (03921ec0) no need to load the nvme module (a3cf4ec9) don't try to validate network connections in cmdline hook (b3ff3f3f) nvme list-subsys prints the address using commas as separator (9664e98b) shell-completion: add missing -p and --parallel options (b30a00c2) skipcpio: ignore broken pipe (aa0369a4) squash: build ld cache for squash loader (bc1b23c2) systemd: add missing modprobe@.service (928252a1) set right permissions for the machine-id file (da55e266) systemd-coredump: correct systemd-coredump binary path (4b931bfb) systemd-hostnamed: add missing dbus-org.freedesktop.hostname1.service (4fca292b) correct sysusers configuration (a540c95b) systemd-networkd: typo in 
systemd-networkd.socket local conf path (d4732be8) systemd-timedated: add missing dbus-org.freedesktop.timedate1.service (b3d219b4) systemd-timesyncd: typo in systemd-time-wait-sync.service local conf path (e3ec51e1) test: remove unnecessary setup steps (22ab7979) virtiofs: make shebangs work on split-usr systems (27b316df) ismounted has a dependency on the base module (c73e7b99) zipl: remove trailing spaces from zipl boot device name (b4de9ee1) Features dmsquash-live: add support for dash (862ba526) add new dmsquash-live-autooverlay module (a3c67d27) dracut-init.sh: introduce a new helper require_kernel_modules (d3a5e631) add inst_libdir_dir() helper (cc669250) dracut-install: convert_abs_rel: canonicalise parent of from, too (53dd6a9b, closes #1781) dracut.sh: populate uefi_cmdline if no other cmdline is given (1157143d) pass engine flag to sbsign allowing use with hardware devices (897e5eff) fs-lib: fsck_single can now handle PARTLABEL and PARTUUID (d40617f7) github: automating dependency updates (bdddfd56) kernel-modules: exclude USB drivers in strict hostonly mode (7debf540) multipath: install tmpfiles.d config file (cf31fcf8) nvmf: set rd.neednet=1 if tcp records encountered (cf8986af) overlayfs: add new overlayfs module to dracut.spec (b55563f6) add a new module called overlayfs (40dd5c90) qemu: add efi_secret driver (8194f72a) squash: use require_kernel_modules for better module checking (d4a9d6b4) systemd: install systemd-sysroot-fstab-check (23684e4a) systemd-pcrphase: introducing the systemd-pcrphase module (d345ca2e) systemd-portabled: introducing the systemd-portabled module (03babd95) systemd-pstore: introducing the systemd-pstore module (758f2e69) test: add new module to share code between tests (f5689b42) test-makeroot: add new module to share code between tests (54b963ca) test-root: add new module to share code between tests (b17a3103) Performance 90kernel-modules: use awk instead of shell monster (77ac95d9) dracut-install: convert_abs_rel: don't 
allocate target parent realpath (d2648f6d) strdup()+[dirlen]=0 => strndup (e7d6a1e3) dracut.sh: do not mkdir $initdir/lib/dracut within a loop (8d46cc01) 057 Bug Fixes 10i18n: stop leaking shell options (f3441cc7) stop leaking shell options (35064768) Makefile: use of potentially unset variable (1354d633) bluetooth: accept compressed firmwares in inst_multiple (09a1e5af) nullglob should not be needed (36aaa74f) make $dbussystem/bluetooth.conf optional (a38d9ec0) configure: check for SYS-gettid during configure (0ef40d88) connman: copy netroot.sh from the network module and install it (f6d83f9f) crypt: add missing is_keysource parameter to cryptroot-ask (6c11a8fc) dmsquash-live: mount live device with the correct type (08ed7b2d) permanent overlay on the same drive as LiveCD .iso (9a884b3a) dracut: default to correct firmware search paths (95aeed89) dracut-functions.sh: correct wrong comment (0afa840e) dracut-initramfs-restore.sh: unpack uncompressed initrd as last option (46886956) check if SELINUXTYPE is set (24d8f35b) dracut-install: copy files preserving ownership attributes (9ef73b6a) do not fail when SOURCE is optional and missing (bd1a5ca9) dracut-systemd: drop misleading man page reference (77c28b30) correct service dependencies (85fdff12) dracut.cmdline.7: {=> must} also be specified (27071e9a) dracut.sh: format usage and add missing options (9bef7109) always check that MACHINE_ID is not empty (527fdfa1) avoid calling dfatal before dracut-logger is sourced (012d7db2) add missing default output file paths (28ef3bc6) add missing --libdirs usage (352e5917) drop restorecon call (33859892) error exporting sysctl variables (4c355d05) dracut.spec: add connman module (d0c6ab21) fedora.conf: vi binary is missing (48541362) github: remove packit (8fd37d20) ifcfg: avoid calling unavailable dracut-logger functions (7103c4bc) install: restore musl support (ce55a85e) integrity: do not display any error if there is no IMA certificate (f63f411d) iscsi: do not exit in 
handle_netroot() if discovery failed (319dc7fe) remove unneeded iscsi NOP-disable code (a33a8df4) kernel-network-modules: allow specifying empty --hostonly-nics (ab6f5733) lsinitrd.sh: always check that MACHINE_ID is not empty (d6343146) add missing default paths (49ea6c42) lvm: add missing grep requirement (79f9d9e1) ignore expected error message from lvm config (7e03d81f) man: add missing default paths (ffc1985c) add missing --libdirs section (a90dbd95) network-manager: avoid calling unavailable dracut-logger functions (b7059aef) nfs: give /run/rpcbind ownership to rpc user (d6159343) require and install needed binaries (0e4df7a3) nvmf: deprecate old nvmf cmdline options (e405501e) set executable bit on nvmf-autoconnect.sh (25a92885) plymouth: hide dpkg-architecture stderr messages (42e9d188) resume: correct call to block_is_netdevice function (a7a4b76c) shell-completion: add missing options (1199f990) systemd-coredump: add systemd-sysusers dependency (ce82e969) systemd-journald: remove duplicate entry in inst_multiple (d3ab2061) systemd-timesyncd: add systemd-sysusers dependency (28b6adcb) test: dmsquash-live test without an iso (6ee2baf3) remove stale comments (b3ab3037) add support for dpkg to pass the test on debian (a7dfdf6a) nullglob should not be needed (c7b3ac2b) udev-rules: add cdrom udev rules by default (aebeb2ec) Features add aarch64 uefi support (8391a993) connman: introduce connman support module (f30d0351) dracut: support parallel execution with --parallel (6d923262) add zfs detection (9582f027) dracut-install: support ZSTD-compressed firmware with .zst suffix ([9d8387e](https://github.com/dracutdevs/dracut/commit/ 9d8387e)) dracut-systemd: use Documentation= to point to man page ([42e8f17](https://github.com/dracutdevs/dracut/commit/ 42e8f17)) gensplash: remove module (1befc641) lvm: add new module lvmthinpool-monitor (d9812fc4) man: add documentation for rd.luks.key.tout (65e41b54) squash: add shell completion for --squash-compressor option 
(e2aee2d4) update the manual page for --squash-compressor (3693bfef) decouple the compressor for dracut and dracut-squash (90d9ae8c) url-lib.sh: add --retry-connrefused to default curl arguments ([90032a4](https://github.com/dracutdevs/dracut/commit/ 90032a4)) virtiofs: virtiofs root filesystem support (4632f799)

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 6ac20c9fb638a1fc4d21fab55d08e1cdce9e8adc
Author: Michael Tremer
Date: Thu Sep 18 15:54:49 2025 +0000

Start Core Update 199

Signed-off-by: Michael Tremer

commit cc67c087c843438b5402c9443fb471d3faa60d98
Author: Adolf Belka
Date: Wed Sep 17 13:09:40 2025 +0200

nfs: Update to version 2.8.4

- Update from version 2.8.3 to 2.8.4
- Update of rootfile not required
- Changelog is just a list of the commits. The details can be found in the changelog at https://sourceforge.net/projects/nfs/files/nfs-utils/2.8.4/

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 86aeb7aa208dd2cd303c3b6f496ad9df00413786
Author: Adolf Belka
Date: Wed Sep 17 13:09:34 2025 +0200

core198: Ship lzip

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 725ef361d21b56c2943b61dc3fdb522f9286f968
Author: Adolf Belka
Date: Wed Sep 17 13:09:39 2025 +0200

lzip: Update to version 1.25

- Update from version 1.24.1 to 1.25
- Update of rootfile not required
- Changelog
  1.25
    lzip now exits with error status 2 if any empty member is found in a multimember file.
    lzip now exits with error status 2 if the first byte of the LZMA stream is not 0.
    Options '--empty-error' and '--marking-error' have been removed.
    The chapter 'Syntax of command-line arguments' has been added to the manual.

Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 020d01e9adb87fcbd19b71b90c278f9727f31178 Author: Adolf Belka Date: Wed Sep 17 13:09:38 2025 +0200 libvirt: Update to version 11.7.0 - Update from version 11.4.0 to 11.7.0 - Update of rootfile - Changelog 11.7.0 New features * Allow setting the log level of Cloud Hypervisor Users can now configure the verbosity of Cloud Hypervisor by setting the "log_level" option in ch.conf * bhyve: experimental NAT networking support The bhyve driver now has experimental NAT networking support using the Packet Filter (pf) firewall. * bhyve: domain statistics reporting The bhyve driver now supports querying domain block, interface, and memory statistics. Not all statistics fields are supported though. Improvements * bhyve: improve 'efi' configuration autofill When a domain is configured with ````, NVRAM configuration is now autofilled. 11.6.0 New features * Introduce VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag This new flag for virConnectBaselineHypervisorCPU can be used for computing a baseline CPU on any host. Without the VIR_CONNECT_BASELINE_CPU_IGNORE_HOST flag the baseline API would return reasonable output only when run on one of the hosts that the input CPU definitions were collected from. * Allow control over QEMU TLS priority strings The qemu.conf file now has multiple settings allowing control over the QEMU TLS priority strings, for the different subsystems in QEMU that can support TLS. This can be used to workaround a current bug in GNUTLS that is liable to cause crashes of the source QEMU when performing long running live migration operations with TLS enabled. * Add support for disabling deprecated CPU model features by default for s390 domains. Starting an s390 domain with host-model will now default to setting the ``deprecated_features`` attribute to ``off``, ensuring the domain starts with a migration-compatible CPU model to newer systems. 
This behavior can be modified by setting the ``default_cpu_deprecated_features`` option in the qemu.conf file. * bhyve: Add TCP console support TCP serial devices can now be configured with ````:: Additionally, number of supported consoles increased to 4. * qemu: Add support for RBD namespaces Allow specifying the 'namespace' within a RBD image pool. Improvements * qemu: Change default SCSI controller model to ``virtio-scsi`` for ARM and RISC-V The previous default of ``lsilogic`` is unsupported by modern operating systems. ``virtio-scsi`` is a more suitable default for ARM and RISC-V ``virt`` machine types. * Clarify documentation of virConnectBaselineHypervisorCPU The documentation makes it clear virConnectBaselineHypervisorCPU is supposed to be called on one of the hosts represented in the input CPU definitions. Otherwise the API will give unexpected results. * Allow specifying zero discard granularity for block devices This can be used to tell some guest operating systems (notably Windows) to not trim the disk. * bhyve: Add timeout handling for bhyveload It is now possible to run ``bhyveload`` with the ``timeout`` tool, which can send ``SIGTERM`` and ``SIGKILL`` signals when timeout is reached. Timeout values are set using the ``bhyveload_timeout`` and ``bhyveload_timeout_kill`` configuration options in ``bhyve.conf``. * nss: Improve debugging Debugging messages from NSS modules can be now enabled by setting the ``LIBVIRT_NSS_DEBUG`` environment variable. So far, there is no special meaning to its value. * rpc: Removed requirement for TLS certificates to support 'key encipherment' With TLS 1.3, key encipherment is not required even for RSA keys. Other key types didn't even support it so they were wrongly refused even in cases when they would work with libvirt. The TLS certificate validation now no longer requires 'key encipherment' to be enabled. Bug fixes * bhyve: Fix resetting of the autostart flag of the domain on destroy. 
* The nwfilter driver no longer recreates the base iptable/ip6tables chains The nwfilter driver had an impl mistake causing it to recreate the base chains for iptables/ip6tables every time a VM was started. This allowed a small window where traffic might not be fully filtered. It now handles iptables/ip6tables the same way as ebtables, creating the base chains only if they did not already exist. * Fix systemd unit ordering for auto-shutdown of domains via the daemon The ordering of systemd units created by libvirt for individual machines needed to be adapted when the shutdown of VMs on host shutdown is done via the virt daemon itself (rather than ``libvirt-guests.service``) to ensure that the VMs are not terminated before the virt daemon can deal with them. 11.5.0 Removed features * qemu: Don't accept VIR_DUMP_LIVE flag in virDomainCoreDumpWithFormat() Unfortunately, QEMU always pauses vCPUs when doing a core dump. Therefore, there is no way for Libvirt to honor VIR_DUMP_LIVE flag semantics. Instead of silently pretending the flag works, an appropriate error is now reported. New features * vmx: Add support for reporting NVMe disks in the domain XML * qemu: Add support for NVMe disks NVMe disks can now be emulated by using an ``nvme`` bus, but require a serial due to the hypervisor:: qwertyuiop Multiple disks can be represented as different namespaces on the same controller, but they cannot have a different serial number due to the fact that it is the controller which ultimately has the serial number attached to it, but for ease of use it is automatically copied from the disk serial. * esx: Add support for specifying alternative CA bundle for remote peer verification. Users can now use ``cacert`` parameter in the URI to specify a file path with CA certificate(s) that will be used for remote peer certificate validation. * qemu: add support for AMD IOMMU device The ``amd`` model for the ```` device is now supported.
New attributes ``passthrough`` and ``xtsup`` are also supported for this model.

Improvements

* Include supported console types in domain capabilities
  Domain capabilities now include information about supported console types, such as:: pty tcp
* virsh: Add waiting for domain state via ``virsh await``
  The new helper command ``virsh await`` simplifies waiting on domain state which is normally announced via events. Currently two waiting conditions are implemented: ``domain-inactive``, and ``guest-agent-available``.

Bug fixes

* qemu: Be more forgiving when acquiring QUERY job when formatting domain XML
  Since ``libvirt-11.0.0`` the ``virDomainGetXMLDesc()`` API used to format domain XML acquires QUERY job. But this caused a regression when the API might timeout for incoming migration. This is now fixed.
* qemu: Fix shared filesystem detection on nonexistent paths
  Since ``libvirt-11.1.0`` nonexistent paths within directories marked as shared filesystem (via the ``shared_filesystems`` option in ``qemu.conf``) would not be properly detected as being on a shared filesystem.
* qemu: Properly emulate USB cdrom device
  CD-ROM devices on USB bus are now properly emulated as such which was not the case since libvirt switched to the modern qemu commandline syntax for storage backends.

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 94ae888ff8756f32de33b446c4d597d21ff13156
Author: Adolf Belka
Date: Wed Sep 17 13:09:33 2025 +0200

core198: Ship less

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

commit 6f6fd5bec198071d3a89118a5315361a54058ab1
Author: Adolf Belka
Date: Wed Sep 17 13:09:37 2025 +0200

less: Update to version 679

- Update from version 678 to 679
- Update of rootfile not required
- Changelog
  679
    Fix bad parsing of lesskey file if an env var is a prefix of another env var (github #626).
    Fix unexpected exit using -K if a key press is received while reading the input file (github #628).

Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 7adb7c43b8b4ab7b79879f1fd181b897526fe653 Author: Adolf Belka Date: Wed Sep 17 13:09:32 2025 +0200 core198: Ship expat Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 59b4901d426b0f8f3747712d3f52002149822e86 Author: Adolf Belka Date: Wed Sep 17 13:09:36 2025 +0200 expat: Update to version 2.7.2 - Update from version 2.7.1 to 2.7.2 - Update of rootfile - CVE fix - Changelog 2.7.2 Security fixes: CVE-2025-59375 -- Disallow use of disproportional amounts of dynamic memory from within an Expat parser (e.g. previously a ~250 KiB sized document was able to cause allocation of ~800 MiB from the heap, i.e. an "amplification" of factor ~3,300); once a threshold (that defaults to 64 MiB) is reached, a maximum amplification factor (that defaults to 100.0) is enforced, and violating documents are rejected with an out-of-memory error. There are two new API functions to fine-tune this new behavior: - XML_SetAllocTrackerActivationThreshold - XML_SetAllocTrackerMaximumAmplification . If you ever need to increase these defaults for non-attack XML payload, please file a bug report with libexpat. There is also a new environment variable EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity of allocations debugging at runtime, disabled by default. Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2) Please note that a layer of compression around XML can significantly reduce the minimum attack payload size. Distributors intending to backport (or cherry-pick) the fix need to copy 99% of the related pull request, not just the "lib: Implement tracking of dynamic memory allocations" commit, to not end up with a state that literally does both too much and too little at the same time. Appending ".diff" to the pull request URL could be of help. 
Other changes: Autotools: Sync CMake templates with CMake 3.31 for macOS CMake: Drop support for CMake <3.15 CMake: Fix off_t detection for -Werror CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON Windows: Drop support for Visual Studio <=16.0/2019 xmlwf: Mention supported environment variables in --help output xmlwf: Fix (internal) help generator docs: Promote the contract to call function XML_FreeContentModel when registering a custom element declaration handler (via a call to function XML_SetElementDeclHandler) docs: Add missing

..

wrap docs: Drop AppVeyor badge tests: Fix portable_strndup Drop casts around malloc/free/realloc that C99 does not need Replace empty for-loops with while loops Add const with internal XmlInitUnknownEncodingNS Drop an OpenVMS support leftover Address more clang-tidy warnings Version info bumped from 11:2:10 (libexpat*.so.1.10.2) to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/ for what these numbers do Infrastructure: CI: Cover compilation on FreeBSD CI: Upgrade Clang from 19 to 21 CI: Make calling Cppcheck without --suppress=objectIndex and --suppress=unknownMacro possible CI|Windows: Get off of deprecated image "windows-2019" CI: Adapt to breaking changes in GitHub Actions Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 451c78516344734b7307caab5e0a0ba8101e5978 Author: Adolf Belka Date: Wed Sep 17 13:09:31 2025 +0200 core198: Ship ed Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit af52039b00d8e472a3775118fd8d2940e5778a65 Author: Adolf Belka Date: Wed Sep 17 13:09:35 2025 +0200 ed: Update to version 1.22.2 - Update from version 1.20.2 to 1.22.2 - Update of rootfile not required - Changelog 1.22.2 * Newline characters are no longer allowed in file names even when '--unsafe-names' is specified. * The file name is now printed escaped also when replaced into a shell command. 1.22.1 * Ed now departs from POSIX and ignores SIGPIPE to prevent commands like 'w !:' or ',!:' from terminating ed. A broken pipe is now detected as any other write error. (Reported by Sergei Trofimovich). 1.22 * An ex(1) style filter has been implemented; the shell escape command (!) now accepts line addresses to filter the addressed lines through a shell command. (Suggested by Shawn Wagner, Andrew L. Moore, and John Cowan). 1.21.1 * Fixed a compilation failure caused by the inclusion of the unused and obsolete header . (Reported by Michael Mikonos). * Ed now reads the initial window size for the z command from the environment variable LINES. 
(Suggested by Artyom Bologov). 1.21 * 'r !command' and 'w !command' ignore again the exit status of 'command'. Bug introduced in version 1.6. (Reported by Andrew L. Moore). * Include 'stdbool.h' instead of defining 'bool' to fix compilation in C23. (Reported by Alexander Jones). * The messages "Newline inserted" and "Newline appended" are now suppressed in scripted mode (-s). (Reported by Artyom Bologov). * The chapter 'Syntax of command-line arguments' has been added to the manual. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit ece2ba69eeead4743e9b41b5011f8aa8a8658e90 Author: Matthias Fischer Date: Tue Sep 16 23:47:05 2025 +0200 suricata: Update to 8.0.1 Excerpt from changelog: "8.0.1 -- 2025-09-15 Security #7881: detect/tls: keyword tls.subjectaltname leads to NULL Deref if tls.subjectaltname contains zero(HIGH - CVE 2025-59150) Security #7861: detect: Dynamic-stack-buffer-overflow in ShortenString(HIGH - CVE 2025-59149) Security #7838: detect/entropy: segfault when not anchored to a sticky buffer(HIGH - CVE 2025-59148) Security #7657: tcp: syn resend with different seq leads to detection bypass(HIGH - CVE 2025-59147) Bug #7891: unix-socket: memory leak when client disconnects during rule reload Bug #7877: rust: build with RUSTC and CARGO variables fails Bug #7865: detect/integers: u8 prefilter does not support all modes Bug #7859: doc/userguide: build failure with read the docs theme Bug #7843: http: dissection anomaly on `Content-Encoding: identity` Bug #7836: util-byte: bad usage of StringParse function return codes Bug #7828: util/hash: unexpected remove behavior Bug #7827: app-layer: ippair.memcap counter shows memuse Bug #7824: hyperscan: caching results in segfault with link time optimization (-flto=auto, etc) Bug #7822: engine-analysis: SEGV on rule failure without rules-fast-pattern enabled Bug #7821: engine-analysis: no report for failed rules without fast pattern Bug #7820: app-layer/snmp: internal error if app-layer is disabled Bug
#7815: unix-socket: segfault in "pcap-file-list" command Bug #7813: cppcheck: warnings in counters.c Bug #7804: util-lua-sandbox.c undeclared identifier error for Suricata 8.0.0 Bug #7803: http: use transactions right get function Bug #7802: detect/dsize: uninitialized value from SigParseRequiredContentSize Bug #7741: http2: events can contain an empty response object Bug #7740: doh2: events are always dns even if there is no DNS info (pure HTTP2 settings) Bug #7651: decoder/pppoe: valid packets are getting dropped as decoder.ppp.unsup_proto Bug #7636: tcp: assertion triggered in StreamTcpReassembleAppLayer Bug #7611: eve: segv in stats.totals output Bug #5689: eve: community id computed wrong for tcp and ipv4 when src_ip == dest_ip Bug #4702: tcp: SYN/ACK dropped when client does not support timestamps Bug #4178: alert-debug: DNS Query triggers alert but no output in alert-debug.log Bug #3844: tcp: possible bypass with TCP ssn reuse Optimization #7769: detect/file: remove redundant de_ctx->rule_file != NULL check Feature #7869: detect/integers: support units like kib Task #7857: schema/arp: fix invalid pkt event output Task #7834: detect: remove unused non-pf stats counters Documentation #7890: detect: tls.cert_subject incorrectly claims to support multi-buffer Documentation #7867: detect/multi-buffers: complete list in userguide page on multi-buffer-matching Documentation #7854: doc/lualib: fix flow timestamps() return value order Documentation #7795: eve/schema: document stats.detect counters Documentation #7794: eve/schema: document stats.flow counters Documentation #7728: lua: fix all Lua documentation examples for new library format Documentation #7648: rtd: set "latest" to last stable release starting with 8.0.0 Documentation #7639: dpdk: update Connect-X4 recommended fallback tx-descriptor count Documentation #7631: userguide: document lua lib suricata.dnp3 Documentation #7190: detect/integers: document usage of units Documentation #7081: userguide: add 
unix socket option to retrieve flow info Documentation #6840: devguide/app-layer: section with conceptualized steps for adding parser Documentation #6284: userguide: document what's the impact of `stream.inline` Documentation #6270: userguide: document usage of Suricata as a firewall Documentation #5690: userguide: document the differences between IPS and IDS mode Documentation #5513: userguide: add a chapter for IPS mode Documentation #5139: userguide: add a section for netflow event type Documentation #5078: doc/userguide: improve rule reload documentation Documentation #4351: doc: explain the engine logic to trigger inspection of TCP data" Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer commit c5f7ae87f65cb31fdfa3a88cb160acd9878a7829 Author: Michael Tremer Date: Wed Sep 17 08:49:35 2025 +0000 libhtp: Drop package This is no longer required in the distribution as Suricata has switched to htp-rs now. I am not aware of any other users. Signed-off-by: Michael Tremer commit 0bd55dcef4b1666c48a58a0eb462573f263347d0 Author: Michael Tremer Date: Wed Sep 17 08:48:07 2025 +0000 libhtp: Update to 0.5.52 Signed-off-by: Michael Tremer commit 8e9dd5d165b1cbb6b9ebd6d1e4bd0a7a2af0a3dd Author: Michael Tremer Date: Tue Sep 16 10:01:32 2025 +0000 python3: Don't try to remove setuptools outside the toolchain stage Signed-off-by: Michael Tremer commit d3725fecec79b5d2c807e9830d983a1804b14616 Author: Adolf Belka Date: Mon Sep 15 19:40:55 2025 +0200 core198: Ship collectd due to sobump in nut update Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 7ab09188f9f292f42f10b2f51923625ec72a8a0e Author: Adolf Belka Date: Mon Sep 15 19:40:54 2025 +0200 nut: Update to version 2.8.4 - Update from version 2.8.3 to 2.8.4 - Update of rootfile - sobump requires shipping of collectd - Changelog 2.8.4 - Bug fixes for fallout possible due to "fightwarn" effort in 2.8.0+: * In `usbhid-ups` sources, introduced optional `HU_FLAG_PARAM_REQUIRED` for `setvar()` or `instcmd()` 
handling (and a `HU_TYPE_CMD_PARAM_REQUIRED` shortcut) for setting in the mapping table flags, to specify variables or instant commands that require an argument (either from caller or a non-`NULL` default in the run-time table after device data discovery); if the flag is not set, a zero value is assumed. Incomplete code was a regression of NUT v2.8.3 causing some instant commands to fail. [#2860, #2955] - Fix fallout of development in NUT v2.8.0 and/or v2.8.1 and/or v2.8.2 and/or v2.8.3: * Fixed a regression in recipes of NUT v2.8.3 release (as compared to v2.8.2), where `configure --with-docs=all` no longer failed a run of the `configure` script when some of the required rendering tools were not in fact available. [#2842, fixed by #2921] * Some recipe improvements in earlier releases led to `make check` always running a spelling check (if tools are available), even if the explicit `configure --disable-spellcheck` option was used. Now it would not run if disabled (e.g. to speed up CI builds in scenarios that focus on other aspects of the code base), although developers can still use the explicit `make spellcheck*` goals, when tools are in fact available. [#2973] * A change in `Makefile.am` recipes to evaluate some driver names in the `DRIVERLIST` variables inspected by `configure` script, rather than having all their names hard-coded like before, led to inability to `configure --with-drivers=dummy-ups`. [#2825, #2927, fixed by PR #2929] * A problem noted with `upsdrvquery` (since NUT v2.8.1) message logging at high debug verbosity levels (5+) with very large blocks of content has exposed a deficiency in variable-argument handling, and specifically adaptive resizing of the output buffer or truncation of logged inputs (which is something NUT code tried to do since the beginning of time), and could lead to "segmentation fault" crashes on some platforms. 
[issue #2948, PR #2963] * Documentation build recipes overly zealously pre-processed source files, which was not applicable for each and every document type we have (e.g. binary images for illustrations); this caused grief with some toolkits. [issue #2989] - common code: * Revised common `writepid()` to use `altpidpath()` as location for the PID file creation, if the default `rootpidpath()` is not accessible (e.g. daemon was not initially started as `root`). Likewise updated short PID file based signal sending to consult both locations. [#1717] * Linux may report a `/proc/X/exe` symlink with an embedded "(deleted)" suffix, if the binary was removed (or replaced) since the running process started. This confused our code which verifies that when it is sending a signal to a PID, that PID does reflect the expected NUT program. [#3021] * Refactored NUT "common" sources to reference `nut_version.h` macros from a smaller C source file, to minimize the compilation unit size impacted by development iterations. [issue #2097] * Common code hardening: added sanity-checking for dynamically constructed or selected formatting strings with variable-argument list methods (typically used with log printing, `dstate` setting, etc.) [#2450, #3016] - Warn if `%n` formatting string is used -- it is deprecated in some newer distros due to security concerns. * Refactored repetitive implementations of `inet_ntopSS()` (nee `inet_ntopW()` in `upsd.c`) and `inet_ntopAI()` methods into `common.c`, so now they can be re-used or expanded more easily. [#2916] - `upsd` updates: * Fixed two bugs about printing the "further (ignored) addresses resolved for this name": the way to extract IP address string was not portable and misfired on some platforms, and the way to print had a theoretical potential for buffer overflow. [#2915] * Print arguments of a processed command into the debug log, to help track down what unsupported queries are about, etc. 
(but only endeavor to spend time, RAM and CPU on this if debug verbosity is high enough). Hide the sensitive commands' parameters unless verbosity is unusually high. [#3023] - `upsdrvquery` API updates [#2969]: * Added `upsdrvquery_oneshot_conn()` for issuing one-shot queries using an existing `udq_pipe_conn_t *` connection. The caller manages the connection's lifecycle, and the function includes a best-effort call to restore broadcast mode after the query to return the connection as it was. * Added `upsdrvquery_oneshot_sockfn()` for initiating one-shot queries using a socket filename. Shares internal logic with the existing `upsdrvquery_oneshot()`, which uses a UPS and driver name, respectively. * Introduced `upsdrvquery_restore_broadcast()` to explicitly restore broadcast mode (`BROADCAST 1`) on a connection, helping return it to a consistent and talkative state. * Revised connection ownership handling: internal functions like `upsdrvquery_prepare()` and `upsdrvquery_request()` no longer close connections they do not own. Responsibility for cleanup is now delegated to the caller to avoid unintended side effects and better align with expected usage patterns. - common driver code: * Update reports of failed socket file creation, to help troubleshooting some error cases in the field. [#2959] * Removed workarounds trying to migrate legacy driver raised `ALARM` status tokens into modern `alarm_*` function logic. Rather, we keep supporting them as separate from the modern logic, seeing as `upsmon` does not care where the token itself was raised for its notifications. Driver-code related test-cases were updated to reflect these changes. [issue #2928, PRs #2931 and #2934] * Introduced some macros in `drivers/upshandler.h` for common syslog level definitions and message wording for beginning and failing `instcmd()` or `setvar()` operations consistently in different drivers. 
As a related change, operations that intend to turn off or restart the load, or can do that by side effect (e.g. calibration if batteries are old or dead), would explicitly `upslogx(LOG_CRIT,...)` by default before commencing. [#2957] * Fixed a couple of ancient memory leaks: one "shared" during driver program initialization, and one specific to `dummy-ups` wind-down. [#2972] * Added a `suggest_NDE_conflict()` method so drivers which lack access to the expected device can consistently suggest that this may be because of running both an NDE-wrapped service unit and a manually launched driver program at the same time. Currently added to `libusb{0,1}.c` code, but may later be expanded to e.g. serial drivers and other media, when their behavior in such situations gets identified. [follow-up to issue #477, PR #3041] - `apc_modbus` driver updates: * The time stamp and inter-frame delay accounting was fixed, alleviating one of the problems reported in issue #2609. [PR #2982] * Fix missing variables due to mismatching format string. [PR #3013] - `bcmxcp` driver updates: * The latching on to a previous replace battery status was fixed, with its alarm state variable now correctly being reset; previously a factually replaced battery did not clear the alarm and the whole driver needed to be restarted. [issue #2999, PR #3002] - `clone`, `clone-outlet`, `nhs_ser` driver and `nutdrv_qx_ablerex` subdriver updates: * Refactored to follow modern handling of status and alarm conditions, aligning with current driver design practices. This includes fixing copy-paste related issues in alarm reporting and removing some alarm messages that should instead be reflected as status flags. [#2936] - `dummy-ups` driver updates: * A new instruction `ALARM` was added for the `Dummy Mode` operation of the driver, enabling simulation of UPS alarm states more closely in line with modern, real-world UPS driver implementations. 
This follows the updated principle of keeping alarm states decoupled from the `ups.status` variable, with alarms now raised via common alarm functions rather than direct manipulation. [issue #2928, PR #2936] - `nutdrv_qx` driver updates: * Added support for "preprocess"/"process" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * Introduced `innovart33` protocol support for Ippon Innova RT 3/3 topology UPSes. [#2938] * Updated `megatec` protocol for more detailed responses to `I` query which may return `ups.serial` (after a shorter `device.mfr`) and the `battery.runtime` (after a shorter `device.model`). Note that the expected response is shorter than in other dialects (38 vs. 39 bytes), so if this change breaks anything for your UPS that reported the values above correctly (e.g. the `ups.firmware` version becomes shorter or none of these are reported), please let NUT developers know. [#2980] * Revised `voltronic` protocol to suppress alarm "UPS is in ECO Mode", using "buzzword mode" settings more correctly than in the previous iteration, shipped in NUT v2.8.3 release (as PR #2750 for issue #2708). [issue #2494] * Introduced a `voltronic-axpert` subdriver for Voltronic Axpert inverters which speak the P30 protocol, currently in a highly experimental state: with initial support for query commands, but most values are "hidden" from default NUT builds by being defined in `experimental.*` namespace, and should also be enabled by `configure --with-unmapped-data-points`. 
Development was based on work done in the Voltronic Sunny subdriver in https://github.com/nickma82/nut/tree/nutdrv_qx_voltronic-sunny_rebased%2Bcommand [#1407] - `phoenixcontact_modbus` driver updates: * Added more settings that can be tuned -- support for shutdown variables, UPS mode selector, PC reset delay after main power recovers, and automatic switch to battery mode (and back) if main power is below or above a defined threshold (see the new "Configurable Values" section in the man page). They can be configured via `default.*` values in `ups.conf`. [#2986] - `pijuice` driver updates: * Converted to NUT standard use of `status_set()` with single-token values. [issue #2708] - `snmp-ups` driver updates: * Added support for "fun"/"nuf" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * Fixed `ups.test.date` to be semi-static in `apc-mib` mapping, so it would be queried more than once per driver up-time. [issue #3011] * Fixed debug-logging around `SU_FLAG_STATIC` entries to clarify when they get skipped. [issue #3011] - `usbhid-ups` driver updates: * Added support for "fun"/"nuf" methods called from mapping tables to report back to the driver that an argument value was not supported, so `setvar()` or `instcmd()` can not proceed safely and should return `STAT_SET_CONVERSION_FAILED` or `STAT_INSTCMD_CONVERSION_FAILED`. [#3017] * `hid_ups_walk(HU_WALKMODE_INIT)`: report if exactly one of "fun" or "nuf" dynamic value mapping methods is defined in a one-line table, and this may preclude reads/writes of that variable. 
[#2956] * The `cps-hid` subdriver's existing mechanism for fixing broken report descriptors was extended to cover a newly reported case of nominal UPS power being incorrectly reported due to an unrealistically low maximum threshold, as seen with an EC850LCD device. [issue #2917, PR #2919] * Further revision of "ECO mode" related code in `mge-hid` subdriver, following up from work started for NUT v2.8.3 release. [PR #2956] * Added APC BVKxxxM2 and BKxxxM2-CH to list of devices where `lbrb_log_delay_sec=N` may be necessary to address spurious LOWBATT and REPLACEBATT events. [PR #2942, PR #3007, issue #2347, issue #3006] - New NUT drivers: * Introduced a `ve-direct` driver for Victron Energy UPS/solar panels monitoring. Most specific reported values are in an `experimental.*` namespace, as a community we need to come up with standard naming for those via `docs/nut-names.txt`. [#440] * Introduced a `nutdrv_hashx` driver for numerous devices from Ablerex, Atlantis Land, Epyc, Infosec, ION, PowerWalker, Right Power Technology, Salicru, UPS Solutions and other vendors (originally shipped with a "PowerMaster+", "PowerMaster" or "PowerGuide" software companion suite). This seems to be a protocol developed by Cyber Energy for serial-port devices, subsequently used by different vendors in their own products or re-branded Cyber Energy creations. [#2940] * Introduced a `failover` driver for monitoring multiple UPS driver sockets and seamless switching out of UPS data in a failover situation, includes support for end-to-end tracked instant commands and also variable updating. [#2962] * Introduced USB (`powervar_cx_usb`) and Serial (`powervar_cx_ser`) drivers for Powervar CUSPP protocol, tested with GTS (USB) and UPM (USB, Serial) models.
[#2988] - The `nut-driver-enumerator.sh` script (NDE) updates: * Now NDE internally tracks dependency of one driver on another one that should be locally running to serve the "original" data points (`clone`, `clone-outlet`, `dummy-ups`, `failover`). It should create "soft" dependencies between respective service instances to order their start-up sequence. [#2962] * Fixed NDE to not consider "masked" systemd units as non-existent or as syntactically failed instantiated unit names. [#3033] - NUT Monitor GUI: * Ported Python 3 version to Qt6, now shipped alongside Qt5 for systems with either or both, maximizing compatibility with old and new setups. [#2946] - `upsmon` client: * Clearer debug logging of `SHUTDOWNCMD` and `NOTIFYCMD` that would be used (or warnings that none was set); flush output buffers after these messages and after each main loop cycle, so any emitted text is seen in a timely manner. [issue #3003, PR #3008] - The `nutshutdown` script (end-game integration for UPS power-off in case of FSD initiated by `upsmon`) was updated to consider `MODE=none` set in `nut.conf` and bail out quietly. [issue #2935, PR #3008] - Manual page recipes and contents: * Introduced handling (possibly rewriting) for man page section "Overviews, conventions, and miscellaneous" (commonly number 7), to deliver support for `man nut` queries (NUT overview manual page also created). [#2945] * A new `configure --with-docs-man-dir-as-base` option was introduced so that directories for man page sections can now be automatically named as either "base" number of the section (e.g. `man1`) or by full section name (`man1m`), as different OS distributions have different preferences in this regard. [#2950] * Option to `configure --enable-docs-man-for-progs-built-only` was added, to differentiate NUT builds that deliver man pages for only built programs (legacy default) or for all of them (as needed for docs sites). 
[#2976] * Option to `configure --enable-docs-changelog` was added, specifically to allow developer iterations to not waste CPU time rebuilding the huge `ChangeLog*` files whenever their Git index changes. [#3019] * Options to `configure --with-docs-changelog-start` and/or `configure --with-docs-changelog-end` were added to allow developers to customize the size of `ChangeLog*` files when they are generated. Default starting value is `auto` which applies the legacy default `v2.6.0` to release/pre-release builds, or when local Git version info could not be retrieved, and the most-recent release tag (or `master` as fallback) for usual build iterations. Default ending value is `HEAD` for the current git commit at the moment the ChangeLog is (re-)generated. Balancing against the option to not build `ChangeLog*` files at all, this couple allows quicker builds that exercise all relevant recipe code paths. [#3019] - Extended the `gitlog2changelog.py` helper script to report start/end commits actually used, and to allow callers to tweak them better (not only `HEAD` for the end of range); this may be of interest to other projects which use this script. Allow `configure` to disable generation of either certain `ChangeLog*` rendering formats or completely, to speed up developer iterations (much time is wasted when dev-testing new code, due to git index changes if NUT was configured to build with documentation). [#3019] - The `BUILD_TYPE=default-all-errors ci_build.sh` script handling was revised to simplify code, and to default in CI builds to a quicker mode which randomly mixes the selected SSL, USB and UNMAPPED variants (and relies on the dozens of NUT CI farm runs per iteration to likely cover all possible combinations), which should roughly halve the CI build times. Default activity for developer builds should remain as it was -- to try each such "axis" sequentially. 
[#2973] - Revised generation of links to external manual pages in HTML rendering of NUT manual pages (previous recipe iterations left DocBook XML `ulink` tag "as is", which was not understood by web browsers). [follow-up to PR #2797] - Made the distro-dependent URL template for man pages configurable. [follow-up to PR #2797] - Revised `make install-as-root` to fall back to legacy ways of enabling services, if `systemctl preset-all` fails (assumed due to a systemd 252 bug). [#3022] - Added a `make check-parallel-builds` recipe to help troubleshoot recipes in sub-directories, and improved build-ability of existing NUT sources starting from scratch there. This is a workflow useful for NUT development (e.g. to focus only on drivers, or tests, or nut-scanner) but not so much for end-user packaging where everything builds from the root directory. [PR #3030, follows up from PR #2825, highlights why issue #2584 better be solved] - Revised `appveyor.yml` to run CI builds faster (forfeit MSYS2 ecosystem updates and some other steps) and more likely fit in one-hour allocation. Also have it install `mingw-w64-x86_64-python-pyqt6` so the `NUT-Monitor` application can get packaged (would need a capable Python run-time though). 
[#3046] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 6d332fdc0c3c24eaff4492f020cc617cb726d4de Author: Adolf Belka Date: Mon Sep 15 19:46:22 2025 +0200 core198: Ship p11-kit Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 31c5b4b03598793dec01ff6cf91465ca9f432786 Author: Adolf Belka Date: Mon Sep 15 19:46:30 2025 +0200 p11-kit: Update to version 0.25.8 - Update from version 0.25.5 to 0.25.8 - Update of rootfile - Changelog 0.25.8 * rpc: Unbreak protocol compatibility by reverting "rpc: Correctly map Mozilla certificate distrust attributes" [PR#716] 0.25.7 * Build fixes from tarball with Meson [PR#714] 0.25.6 * rpc: Add module configuration option to specify server address [PR#707] * rpc: Correctly map Mozilla certificate distrust attributes [PR#705] * rpc: Fix empty array attribute handling [PR#704] * server: Remove libsystemd dependency for socket activation [PR#685] * Avoid segfault if p11_library_init_impl/p11_library_uninit are called multiple times [PR#682] * Add zsh completions [PR#674] * pkcs11: Update pkcs11.h to version 3.1 [PR#671] * pkcs11: Add IBM specific mechanisms [PR#669] * server: check SHELL if (and only if) neither --sh nor --csh is specified [PR#661] * trust: don't create file names longer than 255 [PR#659] * trust: sort paths for reproducible extract [PR#656] * Build and test fixes [PR#647, PR#653, PR#654, PR#657, PR#660, PR#667, PR#673, PR#681, PR#683, PR#688, PR#694] * Update translations [PR#663, PR#701] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 932c1a82183897e27b54bf2ea5987f1d03eca7eb Author: Adolf Belka Date: Mon Sep 15 19:46:21 2025 +0200 core198: Ship lvm2 Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit c785cc3c45f5a33e87c09a487306e8c56b13d613 Author: Adolf Belka Date: Mon Sep 15 19:46:29 2025 +0200 lvm2: Update to version 2.03.35 - Update from version 2.03.33 to 2.03.35 - Update of rootfile - Changelog 2.03.35 Fix unlocking devices file only after all PVs are
processed. Avoid creating system.devices when deleting entries. Fix existing issues with persistent reservations. Fix possible report output format inconsistencies while processing PVs. Allow report options for pv/vg/lvdisplay only if used with -C|--columns. Fix vgsplit failing to split a VG with RAID+integrity or cache with cachevol. Fix --lockopt handling in lvmlockd when --nolocking is used. Optimize dmeventd when remonitoring active devices. 2.03.34 Support dmeventd restart when there are no monitored devices. Dmeventd no longer calls 'action commands' on removed devices. Fix reader of VDO metadata on 32bit architecture. Fix lvmdevices --deldev/--delpvid to error out if devices file not writeable. Fix lvresize corruption in LV->crypt->FS stack if near crypt min size limit. Enhanced lvresize -r support for btrfs. Use glibc standard functions htoX, Xtoh functions for endian conversion. Fix structure copying within sanlock's release_rename(). Fix autoactivation on top of loop dev PVs to trigger once for change uevents. Add lvmlockd --lockopt repair to reinitialize corrupted sanlock leases. Fix support for lvcreate -T --setautoactivation. Add lvm.conf global/lvresize_fs_helper_executable. Enable lvm to use persistent reservations on a VG. 
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9acb4b08cb2fa38c591c270d75f3d823243232d8
Author: Adolf Belka
Date: Mon Sep 15 19:46:20 2025 +0200

    core198: Ship libxml2

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 798fa55f0d58f3bfcad9a26f3b579daba2a92bfe
Author: Adolf Belka
Date: Mon Sep 15 19:46:28 2025 +0200

    libxml2: Update to version 2.14.6

    - Update from version 2.14.4 to 2.14.6
    - Update of rootfile
    - 5 CVE fixes in version 2.14.5
    - Changelog
        2.14.6
          Regressions
            valid: Don't add ids when validating entity content
            Fix initGenericErrorDefaultFunc(NULL) (Samuel Thibault)
            valid: Undeprecate xmlAdd*Decl
            globals: Include HTMLparser.h, fixing Windows build
            io: Fix reading from pipes like stdin on Windows
          Security
            regexp: Avoid integer overflow and OOB array access
            tree: Guard against atype corruption
          Improvements
            parser: Fix xmlSaturatedAddSizeT argument type
        2.14.5
          Regressions
            valid: Don't add ids when validating entity content
            io: Fix reading from pipes like stdin on Windows
            parser: Fix handling of invalid char refs in recovery mode
          Security
            regexp: Avoid integer overflow and OOB array access
            tree: Guard against atype corruption
            [CVE-2025-49794] [CVE-2025-49796] schematron: Fix xmlSchematronReportOutput
            [CVE-2025-49795] schematron: Fix null pointer dereference leading to DoS (Michael Mann)
            [CVE-2025-6170] Fix potential buffer overflows of interactive shell (Michael Mann)
            [CVE-2025-6021] tree: Fix integer overflow in xmlBuildQName
          Bug fixes
            save: Fix serialization of attribute defaults containing <
          Improvements
            parser: Fix xmlSaturatedAddSizeT argument type
          Build systems and portability
            meson: Add libxml2 part of include dir to pc file (Heiko Becker)
            cmake: Fix installation directories in libxml2-config.cmake
            io: Fix linkage of __xml*BufferCreateFilename functions

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 199dc49ad07635013f639107f269d5059219c147
Author: Adolf Belka
Date: Mon Sep 15 19:46:19 2025 +0200

    core198: Ship libssh

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 2b4ca744b03f828297bde50e43f40abbf146b64f
Author: Adolf Belka
Date: Mon Sep 15 19:46:27 2025 +0200

    libssh: Update to version 0.11.3

    - Update from version 0.11.2 to 0.11.3
    - Update of rootfile
    - Changelog
        0.11.3
            * Security:
            * CVE-2025-8114: Fix NULL pointer dereference after allocation failure
            * CVE-2025-8277: Fix memory leak of ephemeral key pair during repeated wrong KEX
            * Potential UAF when send() fails during key exchange
            * Fix possible timeout during KEX if client sends authentication too early (#311)
            * Cleanup OpenSSL PKCS#11 provider when loaded
            * Zeroize buffers containing private key blobs during export

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3063559e4fa15e3058f2e62d8df617fae4a92e69
Author: Adolf Belka
Date: Mon Sep 15 19:46:18 2025 +0200

    core198: Ship libffi

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit c9ff62f3d28bf9c95de5889b02f9b13a3be8726d
Author: Adolf Belka
Date: Mon Sep 15 19:46:26 2025 +0200

    libffi: Update to version 3.5.2

    - Update from version 3.5.1 to 3.5.2
    - Update of rootfile not required
    - Changelog
        3.5.2
            fix: enable FFI_MMAP_EXEC_WRIT for DragonFly BSD by @liweitianux in #930
            Emscripten: Add wasm64 target by @ktock in #927
            fix: Ensure trampoline file descriptors are closed on exec.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 1345abf18b964289bbc37033eb8d7500cd97a15f
Author: Adolf Belka
Date: Mon Sep 15 19:46:25 2025 +0200

    haproxy: Update to version 3.2.4

    - Update from version 3.2.2 to 3.2.4
    - Update of rootfile not required
    - Changelog
        3.2.4
            - DOC: deviceatlas build clarifications
            - BUG/MEDIUM: ssl/clienthello: ECDSA with ssl-max-ver TLSv1.2 and no ECDSA ciphers
            - BUG/MEDIUM: acme: use POST-as-GET instead of GET for resources
            - MINOR: acme: remove acme_req_auth() and use acme_post_as_get() instead
            - BUG/MINOR: acme: allow "processing" in challenge requests
            - CLEANUP: acme: fix wrong spelling of "resources"
            - MINOR: acme: add ACME to the haproxy -vv feature list
            - MINOR: acme: implement traces
            - BUG/MINOR: hlua: Skip headers when a receive is performed on an HTTP applet
            - BUG/MEDIUM: hlua: Report to SC when data were consumed on a lua socket
            - BUG/MEDIUM: hlua: Report to SC when output data are blocked on a lua socket
            - BUG/MEDIUM: dns: Reset reconnect tempo when connection is finally established
            - BUG/MEDIUM: logs: fix sess_build_logline_orig() recursion with options
            - BUG/MINOR: hlua: take default-path into account with lua-load-per-thread
            - BUG/MEDIUM: mux-quic: ensure Early-data header is set
            - CLEANUP: ssl: Rename ssl_trace-t.h to ssl_trace.h
            - BUILD: acme: avoid declaring TRACE_SOURCE in acme-t.h
            - BUG/MEDIUM: hlua_fcn: ensure systematic watcher cleanup for server list iterator
            - MINOR: acme: emit a log for DNS-01 challenge response
            - MINOR: acme: emit the DNS-01 challenge details on the dpapi sink
            - MEDIUM: acme: allow to wait and restart the task for DNS-01
            - MINOR: acme: update the log for DNS-01
            - BUG/MINOR: acme: possible integer underflow in acme_txt_record()
            - MEDIUM: acme: use lowercase for challenge names in configuration
            - DOC: management: clarify usage of -V with -c
            - MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory
            - BUG/MINOR: listener: really assign distinct IDs to shards
            - MINOR: quic: Prevent QUIC build with OpenSSL 3.5 new QUIC API version < 3.5.1
            - BUG/MEDIUM: quic: Crash after QUIC server callbacks restoration (OpenSSL 3.5)
            - BUG/MEDIUM: http-client: Don't wake http-client applet if nothing was xferred
            - BUG/MEDIUM: http-client: Properly inc input data when HTX blocks are xferred
            - BUG/MEDIUM: http-client: Ask for more room when request data cannot be xferred
            - BUG/MINOR: http-client: Ignore 1XX interim responses in non-HTX mode
            - BUG/MINOR: http-client: Reject any 101-switching-protocols response
            - BUG/MEDIUM: http-client: Drain the request if an early response is received
            - BUG/MEDIUM: http-client: Notify applet has more data to deliver until the EOM
            - MINOR: h1-htx: Add function to format an HTX message in its H1 representation
            - BUG/MINOR: mux-h1: Use configured error files if possible for early H1 errors
            - BUG/MINOR: h1-htx: Don't forget to init flags in h1_format_htx_msg function
            - BUG/MEDIUM: h3: do not overwrite interim with final response
            - BUG/MINOR: h3: properly realloc buffer after interim response encoding
            - BUG/MINOR: h3: ensure that invalid status code are not encoded (FE side)
            - MINOR: qmux: change API for snd_buf FIN transmission
            - BUG/MEDIUM: h3: handle interim response properly on FE side
            - BUG/MINOR: quic: Wrong source address use on FreeBSD
            - MINOR: h3: remove unused outbuf in h3_resp_headers_send()
            - BUG/MINOR: applet: Don't trigger BUG_ON if the tid is not on appctx init
            - BUG/MINOR: halog: exit with error when some output filters are set simultaneously
            - BUG/MEDIUM: threads: Disable the workaround to load libgcc_s on macOS
            - BUG/MINOR: logs: fix log-steps extra log origins selection
            - BUG/MINOR: hq-interop: fix FIN transmission
            - BUG/MINOR mux-quic: apply correctly timeout on output pending data
            - BUG/MINOR: mux-quic: ensure close-spread-time is properly applied
            - CLEANUP: http-client: Remove useless indentation when sending request body
            - DOC: list missing global QUIC settings
            - BUILD: compat: provide relaxed versions of the MIN/MAX macros
            - BUILD: compat: always set _POSIX_VERSION to ease comparisons
            - BUG/MINOR: stick-table: cap sticky counter idx with tune.nb_stk_ctr instead of MAX_SESS_STKCTR
            - MINOR: sock: update broken accept4 detection for older hardwares.
            - BUG/MEDIUM: ssl: Fix 0rtt to the server
            - BUG/MEDIUM: ssl: fix build with AWS-LC
            - BUG/MINOR: init: Initialize random seed earlier in the init process
            - DOC: management: fix typo in commit f4f93c56
            - DOC: config: recommend single quoting passwords
            - BUG/MEDIUM: mux-quic: adjust wakeup behavior
            - BUG/MEDIUM: http-client: Test HTX_FL_EOM flag before committing the HTX buffer
        3.2.3
            - CI: enable USE_QUIC=1 for OpenSSL versions >= 3.5.0
            - CI: github: add an OpenSSL 3.5.0 job
            - CI: github: update the stable CI to ubuntu-24.04
            - BUILD: quic: QUIC build against OpenSSL 3.5 broken
            - BUG/MEDIUM: quic: SSL/TCP handshake failures with OpenSSL 3.5
            - CI: github: update to OpenSSL 3.5.1
            - BUG/MINOR: quic: Missing TLS 1.3 QUIC cipher suites and groups inits (OpenSSL 3.5 QUIC API)
            - BUG/MINOR: ssl/ocsp: fix definition discrepancies with ocsp_update_init()
            - BUG/MINOR: ssl: crash in ssl_sock_io_cb() with SSL traces and idle connections
            - BUG/MINOR: http-act: Fix parsing of the expression argument for pause action
            - BUILD/MEDIUM: deviceatlas: fix when installed in custom locations.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 36110b3f109fa60308a790aee1875e4816521f9f
Author: Adolf Belka
Date: Mon Sep 15 19:46:17 2025 +0200

    core198: Ship freetype

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit b07d7b7c66f75ac05491b3fee9cab812b20d88fe
Author: Adolf Belka
Date: Mon Sep 15 19:46:24 2025 +0200

    freetype: Update to version 2.14.1

    - Update from version 2.13.3 to 2.14.1
    - Update of rootfile
    - Changelog
        2.14.1
            This is an emergency release that fixes a couple of severe bugs introduced in version 2.14.0 and discovered right after the release; see issues #1349, #1353, #1354, #1355, and #1356.
        2.14.0
          IMPORTANT CHANGES
            - A new configuration macro `FT_CONFIG_OPTION_USE_HARFBUZZ_DYNAMIC` is available to load the HarfBuzz library dynamically (in addition to the standard static and dynamic linking modes); cmake, meson, and autotools support have been updated accordingly. Using this new feature makes it possible to avoid the circular dependency between HarfBuzz and FreeType. A side effect of this change is that FreeType no longer uses HarfBuzz header files (if HarfBuzz support is activated). This code was contributed by Behdad Esfahbod.
            - The auto-hinter got new abilities.
              . It can now better separate diacritic glyphs from base glyphs at small sizes by artificially moving diacritics up (or down) if necessary.
              . Tilde accent glyphs get vertically stretched at small sizes so that they don't degenerate to horizontal lines.
              . Diacritics directly attached to a base glyph (like the ogonek in character 'ę') no longer distort the shape of the base glyph.
              These features use a database (which currently has entries for Unicode characters up to U+FFFF, based on Unicode 17.0), handling scripts like Latin, Cyrillic, or Greek, but not Arabic or Indic scripts. FreeType needs to access a proper Unicode character map (or must be able to construct such a cmap) of a given font to make this work. The central algorithm and the foundation of this feature was Craig White's GSoC 2023 project.
            - Bitmap-only TrueType fonts now ignore the `FT_LOAD_NO_BITMAP` flag and proceed loading bitmaps instead of giving an error. This behavior is documented and implemented for other bitmap-only fonts. The flag was always meant to suppress the bitmap strikes in favor of outlines, not to ban them completely.
          IMPORTANT BUG FIXES
            - Users of the `TT_CONFIG_OPTION_GPOS_KERNING` configuration option should update; the 'GPOS' table wasn't correctly validated before access, which could lead to crashes with malformed font files.
          MISCELLANEOUS
            - `FT_Set_Var_Design_Coordinates` and `FT_Set_MM_Blend_Coordinates` now set the `FT_FACE_FLAG_VARIATION` bit in the `face_flag` field of `FT_Face` (i.e., the macro `FT_IS_VARIATION` returns true) also if any of the provided coordinates is different from the face's default value for the corresponding axis, that is, the set up face is not at its default position.
            - `FT_Load_Sfnt_Table` can now also load a font's table directory.
            - The TrueType instruction interpreter was optimized to produce a 15% gain in the glyph loading speed.
            - Handling of Variation Fonts is now considerably faster, thanks to contributions by Behdad Esfahbod.
            - TrueType and CFF glyph loading speed has been improved by 5-10% on modern 64-bit platforms as a result of better handling of fixed-point multiplication.
            - The BDF driver now loads fonts 75% faster.
            - 'GPOS' kern table handling (if the `TT_CONFIG_OPTION_GPOS_KERNING` configuration option is active) is now about 3.5 times faster than before.
            - Support for the (currently undocumented) 'flip' graphic type in the 'sbix' SFNT table as used in the `Apple Color Emoji.ttc` font (code provided by Andrew Murray).
            - `ftmulti` can now scroll through named instances and gracefully show static fonts.
            - The build file on OpenVMS now also creates a 32-bit version of the library.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 5c3108043280aabd6821b988dbde720be4bd92ef
Author: Adolf Belka
Date: Mon Sep 15 19:46:16 2025 +0200

    core198: Ship ethtool

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 4740d7ccb17db0e8c697630b72934ba8f1809bfc
Author: Adolf Belka
Date: Mon Sep 15 19:46:23 2025 +0200

    ethtool: Update to version 6.15

    - Update from version 6.9 to 6.15
    - Update of rootfile
    - Changelog
        6.15
            * Feature: support OR-XOR symmetric RSS hash type (-x/-X)
            * Feature: dump registers for hibmcge driver (-d)
            * Feature: configure header-data split threshold (-g/-G)
            * Feature: dump registers for fbnic driver (-d)
            * Feature: JSON output for channels info (-l)
            * Fix: incorrect data in appstream metainfo XML
            * Fix: prevent potential null pointer dereferences
            * Fix: more consistent and better parseable per lane signal info (-d)
        6.14
            * Feature: list PHYs (--show-phys)
            * Feature: target a specific PHY with some commands (--phy)
            * Feature: more attributes for C33 PSE (--show-pse, --set-pse)
            * Feature: source information for cable tests (--cable-test[-tdr])
            * Feature: JSON output for module info (-m)
            * Feature: misc RSS hash info improvements (-x)
            * Feature: tsinfo hwtstamp provider (--{get,set}-hwtimestamp-cfg)
            * Fix: fix wrong auto-negotiation state (no option)
            * Fix: more explicit RSS context action (-n)
            * Fix: print PHY address as decimal (no option)
            * Fix: fix return value on flow hashing error (-N)
            * Fix: fix JSON output for IRQ coalescing
            * Fix: fix MDI-X info output (no option)
            * Misc: code cleanup in module parsers
            * Misc: provide module_info JSON schema
            * Misc: add '-j' alias for --json
            * Misc: provide AppStream metainfo XML
            * Misc: update message descriptions for debugging output
        6.11
            * Feature: cmis: print active and inactive firmware versions
            * Feature: flash transceiver module firmware (--flash-module-firmware)
            * Feature: add T1BRR 10Mb/s mode to link mode tables
            * Feature: support for disabling netlink from command line
            * Fix: fix lanes parameter format specifier
            * Fix: add missing clause 33 PSE manual description
            * Fix: qsf: Better handling of Page A2h netlink read failure
            * Fix: rss: retrieve ring count using ETHTOOL_GRXRINGS ioctl (-x)
            * Misc: man page formatting fix
        6.10
            * Feature: support for PoE in PSE (--show-pse and --set-pse)
            * Feature: add statistics support to tsinfo (-T)
            * Feature: add JSON output to base command (no option)
            * Feature: add JSON output to EEE info (--show-eee)
            * Fix: qsfp: better handling on page 03h read failure (-m)
            * Fix: handle zero arguments for module eeprom dump (-m)
            * Fix: check for missing arguments in do_srxfh() (-X)
            * Misc: compiler warnings in "make check"
            * Misc: more descriptive error when JSON output is not available

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 0fb06f864f987396be173350362b35f1ebe1fd17
Author: Adolf Belka
Date: Mon Sep 15 17:47:27 2025 +0200

    cmake: Add patch to avoid using undocumented type for CURLOPT_PROXYTYPE values

    - Update of rootfile
    - With the new update of curl changes were made to CURLOPT which resulted in cmake using an undocumented type.
    - This patch has been merged in the cmake git repo and will become available in version cmake-4.1.2 so the patch will be able to be removed when that version is released and updated in IPFire.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3bbca7da627e8ea29fff9fe377f6fc1b970892ab
Author: Adolf Belka
Date: Mon Sep 15 17:47:26 2025 +0200

    core198: Ship curl

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 1ff80986d5200d9cdb19458f53b6a611bd8219a5
Author: Adolf Belka
Date: Mon Sep 15 17:47:25 2025 +0200

    curl: Update to version 8.16.0

    - Update from version 8.15.0 to 8.16.0
    - Update of rootfile
    - Changelog
        8.16.0
          changes:
            o build: bump minimum required mingw-w64 to v3.0 (from v1.0) [33]
            o curl: add --follow [129]
            o curl: add --out-null [101]
            o curl: add --parallel-max-host to limit concurrent connections per host [81]
            o curl: make --retry-delay and --retry-max-time accept decimal seconds [112]
            o hostip: cache negative name resolves [175]
            o ip happy eyeballing: keep attempts running [80]
            o mbedtls: bump minimum version required to 3.2.0 [180]
            o multi: add curl_multi_get_offt [56]
            o multi: add CURLMOPT_NETWORK_CHANGED to signal network changed [84]
            o netrc: use the NETRC environment variable (first) if set [70]
            o smtp: allow suffix behind a mail address for RFC 3461 [127]
            o tls: make default TLS version be minimum 1.2 [71]
            o tool_getparam: add support for `--longopt=value` [69]
            o vquic: drop msh3 [8]
            o websocket: support CURLOPT_READFUNCTION [193]
            o writeout: add %time{} [74]
          bugfixes:
            o _PROTOCOLS.md: mention file:// is only for absolute paths [102]
            o acinclude: --with-ca-fallback only works with OpenSSL [217]
            o alpn: query filter [104]
            o ares: destroy channel on shutdown [178]
            o ares: use `ares_strerror()` to retrieve error messages [236]
            o asyn-thrdd: fix --disable-socketpair builds [235]
            o asyn-thrdd: fix Curl_async_pollset without socketpair [205]
            o asyn-thrdd: fix no `HAVE_GETADDRINFO` builds [214]
            o asyn-thrdd: manage DEFERRED and locks better [228]
            o autotools: make curl-config executable [253]
            o aws-lc: do not use large buffer [250]
            o BINDINGS.md: add LibQurl [156]
            o bufq: add integer overflow checks before chunk allocations [108]
            o bufq: removed "Useless Assignment" [188]
            o bufq: simplify condition [207]
            o build: allow libtests/clients to use libcurl dependencies directly [87]
            o build: disable `TCP_NODELAY` for emscripten [176]
            o build: enable _GNU_SOURCE on GNU/Hurd [27]
            o build: extend GNU C guards to clang where applicable, fix fallouts [61]
            o build: fix build errors/warnings in rare configurations [7]
            o build: fix disable-verbose [48]
            o build: fix mingw-w64 version guard for mingw32ce [124]
            o build: if no perl, fix to use the pre-built hugehelp, if present [144]
            o build: link to Apple frameworks required by static wolfSSL [40]
            o build: support LibreSSL native crypto lib with ngtcp2 1.15.0+ [209]
            o build: tidy up compiler definition for tests [37]
            o cf-https-connect: delete unused declaration [15]
            o clang-tidy: disable `clang-analyzer-security.ArrayBound` [265]
            o cmake: `CURL_CA_FALLBACK` only works with OpenSSL [215]
            o cmake: capitalize 'Rustls' in the config summary
            o cmake: defer building `unitprotos.h` till a test target needs it [75]
            o cmake: define `WIN32_LEAN_AND_MEAN` for examples [159]
            o cmake: drop redundant unity mode for `curlinfo` [155]
            o cmake: enable `-Wall` for MSVC 1944 [128]
            o cmake: fix `ENABLE_UNIX_SOCKETS=OFF` with pre-fill enabled on unix
            o cmake: fix setting LTO properties on the wrong targets [258]
            o cmake: fix to disable Schannel and SSPI for non-Windows targets
            o cmake: fix to restrict `SystemConfiguration` to macOS [139]
            o cmake: honor `CMAKE_C_FLAGS` in test 1119 and 1167 [206]
            o cmake: improve error message for invalid HTTP/3 MultiSSL configs [187]
            o cmake: keep websockets disabled if HTTP is disabled
            o cmake: make `runtests` targets build the curl tool [32]
            o cmake: make the ExternalProject test work [183]
            o cmake: omit linking duplicate/unnecessary libs to tests & examples [45]
            o cmake: re-add simple test target, and name it `tests` [142]
            o cmake: set `CURL_DIRSUFFIX` automatically in multi-config builds [154]
            o CODE_STYLE: sync with recent `checksrc.pl` updates [49]
            o config-win32.h: do not use winsock2 `inet_ntop()`/`inet_pton()` [58]
            o configure: if no perl, disable unity and shell completion, related tidy ups [137]
            o configure: tidy up internal names in ngtcp2 ossl detection logic [212]
            o connectdata: remove primary+secondary ip_quadruple [126]
            o connection: terminate after goaway [62]
            o contrithanks: fix for BSD `sed` tool [98]
            o cookie: don't treat the leading slash as trailing [185]
            o cookie: remove expired cookies before listing [158]
            o curl-config: remove X prefix use [138]
            o curl/system.h: fix for GCC 3.3.x and older [38]
            o curl: make the URL indexes 64 bit [117]
            o curl: tool_read_cb fix of segfault [18]
            o curl_addrinfo: drop workaround for old-mingw [14]
            o curl_easy_ssls_export: make the example more clear [78]
            o curl_fnmatch, servers: drop local macros in favour of `sizeof()` [21]
            o curl_mime_data_cb.md: mention what datasize is for [107]
            o curl_ossl: extend callback table for nghttp3 1.11.0 [46]
            o curl_setup.h: include `stdint.h` earlier [260]
            o curl_setup.h: move UWP detection after `config-win32.h` (revert) [51]
            o curl_setup.h: move UWP detection after `config-win32.h` [23]
            o CURLINFO_FILETIME*.md: correct the examples [242]
            o CURLOPT: bump `CURL_REDIR_*` macros to `long` [110]
            o CURLOPT: bump `CURL_SSLVERSION_*` macros to `long` [149]
            o CURLOPT: bump `CURLALTSVC_*` macros to `long` [96]
            o CURLOPT: bump `CURLFTP*` enums to `long`, drop casts [54]
            o CURLOPT: bump `CURLHEADER_*` macros to `long`, drop casts [94]
            o CURLOPT: bump `CURLPROTO_*` macros to `long` [148]
            o CURLOPT: bump `CURLPROXY_*` enums to `long`, drop casts [95]
            o CURLOPT: bump `CURLWS_NOAUTOPONG`, `CURLWS_RAW_MODE` macros to `long` [150]
            o CURLOPT: bump remaining macros to `long` [147]
            o CURLOPT: drop redundant `long` casts [55]
            o CURLOPT: replace `(long)` cast with `L` suffix for `CURLHSTS_*` macros
            o CURLOPT_HTTP_VERSION: mention new default value [179]
            o CURLOPT_SSL_CTX_*: replace the base64 with XXXX [171]
            o delta: fix warnings, fix for non-GNU `date` tool [99]
            o DEPRECATE.md: drop old OpenSSL versions [266]
            o DEPRECATE.md: drop support for c-ares versions before 1.16.0 [191]
            o DEPRECATE.md: drop support for Windows XP/2003 [31]
            o DEPRECATE.md: remove leftover "nothing" [57]
            o DISTROS.md: add Haiku [39]
            o docs/cmdline-opts: the auth types are not mutually exclusive [103]
            o docs: add CURLOPT type change history, drop casts where present [143]
            o docs: add major incident section to vuln disclosure policy [271]
            o docs: fix link CONTRIBUTE.md link [192]
            o docs: fix name in curl_easy_ssls_export man page [12]
            o docs: fix typo (staring -> starting) [211]
            o docs: point two broken links to archive.org [134]
            o docs: put `<>` within backticks in titles [261]
            o doh: rename symbols to avoid collision with mingw-w64 headers [66]
            o easy handle: check validity on external calls [28]
            o examples: drop long cast for `CURLALTSVC_*`
            o examples: make `CURLPIPE_MULTIPLEX` fallback `long` [233]
            o examples: remove base64 encoded chunks from examples [189]
            o examples: remove href_extractor.c [186]
            o ftp: store dir components as start+len instead of memdup'ing [198]
            o ftp: use 'conn' instead of 'data->conn' [208]
            o gnutls: fix building with older supported GnuTLS versions [241]
            o gnutls: some small cleanups [41]
            o hmac: return error if init fails [2]
            o hostip: do DNS cache pruning in milliseconds [132]
            o HTTP3.md: avoid `configure` issue for ngtcp2 1.14.0+ compatibility [182]
            o http: const up readonly H2_NON_FIELD [10]
            o http: do the cookie list access under lock [270]
            o http: silence `-Warray-bounds` with gcc 13+ [44]
            o idn: reject conversions that end up as a zero length hostname [273]
            o inet_pton, inet_ntop: drop declarations when unused [59]
            o lib1560: fix memory leak when run without UTF-8 support [17]
            o lib1560: replace an `int` with `bool` [97]
            o lib2700: use `testnum` [151]
            o lib517: use `LL` 64-bit literals & re-enable a test case (`time_t`) [100]
            o lib: drop `UNUSED_PARAM` macro [259]
            o libcurl: reset rewind flag in curl_easy_reset() [184]
            o libssh: Use sftp_aio instead of sftp_async for sftp_recv [92]
            o libtests: update format strings to avoid casts, drop some macros [109]
            o libtests: use `FMT_SOCKET_T`, drop more casts [136]
            o managen: reset text mode at end of table marker [145]
            o mbedtls: check for feature macros instead of version [166]
            o mdlinkcheck: handle links with a leading slash properly [195]
            o memanalyze: fix warnings [22]
            o memory: make function overrides work reliably in unity builds [93]
            o multi event: remove only announced [25]
            o multi: don't insert a node into the splay tree twice [68]
            o multi: fix assert in multi_getsock() [53]
            o multi: fix bad splay management [133]
            o multi: process pending, one by one [90]
            o multi: replace remaining EXPIRE_RUN_NOW [67]
            o multissl: initialize when requesting a random number [30]
            o ngtcp2: extend callback tables for nghttp3 1.11.0 and ngtcp2 1.14.0 [47]
            o ngtcp2: handshake timeout should be equal to --connect-timeout [262]
            o ngtcp2: use custom mem funcs [204]
            o openldap: fix `-Wtentative-definition-compat` [268]
            o openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro [222]
            o openssl: add and use `HAVE_OPENSSL3` internal macro [223]
            o openssl: assume `OPENSSL_VERSION_NUMBER` [181]
            o openssl: auto-pause on verify callback retry [167]
            o openssl: check SSL_write() length on retries [152]
            o openssl: clear errors after a failed `d2i_X509()` [161]
            o openssl: drop more legacy cruft [224]
            o openssl: drop redundant `HAVE_OPENSSL_VERSION` macro [221]
            o openssl: drop redundant version check [246]
            o openssl: drop single-use interim macro `USE_OPENSSL_SRP` [201]
            o openssl: enable `HAVE_KEYLOG_CALLBACK` for AWS-LC [220]
            o openssl: merge two `#if` blocks [218]
            o openssl: output unescaped utf8 x509 issuer/subject DNs [169]
            o openssl: remove legacy cruft, document macro guards [231]
            o openssl: save and restore OpenSSL error queue in two functions [172]
            o openssl: some small cleanups [42]
            o openssl: split cert_stuff into smaller sub functions [72]
            o openssl: sync an AWS-LC guard with BoringSSL [199]
            o openssl: use `RSA_flags()` again with BoringSSL [219]
            o parallel-max: bump the max value to 65535 [86]
            o parsedate: make Curl_getdate_capped able to return epoch [229]
            o processhelp.pm: fix to use the correct null device on Windows [164]
            o processhelp.pm: use `Win32::Process*` perl modules if available [200]
            o projects: drop unused logic from `generate.bat` [157]
            o projects: fix Windows project 'clean' function [203]
            o pytest: add SOCKS tests and scoring [9]
            o pytest: fix test_17_09_ssl_min_max for BoringSSL [197]
            o pytest: increase server KeepAliveTimeout [26]
            o pytest: relax error check on test_07_22 [16]
            o resolving: dns error tracing [196]
            o runtests: assume `Time::HiRes`, drop Perl Win32 dependency [163]
            o runtests: remove warning message [230]
            o runtests: replace `--ci` with `--buidinfo`, show OS/Perl version again [247]
            o runtests: show still running tests when nothing has happened for a while [227]
            o schannel: add an error message for client cert not found [165]
            o schannel: assume `CERT_CHAIN_REVOCATION_CHECK_CHAIN` [114]
            o schannel: drop fallbacks for 4 macros [121]
            o schannel: drop fallbacks for unused `BCRYPT_*` macros [122]
            o schannel: drop old-mingw special case [77]
            o schannel: fix recent update for mingw32ce [123]
            o schannel: fix renegotiation [202]
            o schannel: improve handshake procedure [239]
            o schannel: not supported with UWP, drop redundant code [105]
            o schannel: use if(result) like the code style says [125]
            o scripts: enable strict warnings in Perl where missing, fix fallouts [63]
            o scripts: fix two Perl uninitialized value warnings [60]
            o sendf: getting less data than "max allowed" is okay [170]
            o servers: convert two macros to scoped static const strings [89]
            o setopt: refactor out the booleans from setopt_long to setopt_bool [83]
            o setopt: split out cookielist() and cookiefile() [130]
            o socks: do_SOCKS5: Fix invalid buffer content on short send [43]
            o socks_sspi: simplify, clean up Curl_SOCKS5_gssapi_negotiate [237]
            o spacecheck.pl: when detecting unicode, mention line number [85]
            o spacecheck: warn for 3+ empty lines in a row, fix fallouts [240]
            o spelling: file system [232]
            o test1148: drop redundant `LC_NUMBER=` env setting [13]
            o test1557: pass `long` type to `multi_setopt()` [234]
            o test1560: set locale/codeset with `LC_ALL` (was: `LANG`), test in CI [19]
            o test1560: skip some URLs if UTF-8 is not supported [34]
            o test1: raise alloc limits [11]
            o test428: re-enable for Windows [5]
            o test436: fix running on Windows with `_curlrc` present [153]
            o test: add `cygwin` feature and use it (test 1056, 1517) [249]
            o tests/ech_tests.sh: indent, if/for style, inline ifs [131]
            o tests: constify command-line arguments [82]
            o tests: delete unused commands [177]
            o tests: drop unused `BLANK` envs, unset `CURL_NOT_SET` [248]
            o tests: drop unused `CURL_FORCEHOST` envs [36]
            o tests: fix perl warnings in http2-server, http3-server [119]
            o tests: fix prechecks to call the bundle libtest tool [120]
            o tests: fix UTF-8 detection, per-test `LC_*` settings, CI coverage [6]
            o tests: merge clients into libtests, drop duplicate code [76]
            o tests: remove the QUIT filters [210]
            o tests: set `CURL_ENTROPY` per test, not globally [35]
            o tests: unset some envs instead of blanking them [4]
            o threaded-resolver: fix shutdown [252]
            o tidy-up: `Curl_thread_create()` callback return type [20]
            o tidy-up: move literal to the right side of comparisons [65]
            o tidy-up: prefer `ifdef`/`ifndef` for single checks [64]
            o tls: CURLINFO_TLS_SSL_PTR testing [79]
            o TODO: remove session export item [194]
            o TODO: remove the expand ~ idea [216]
            o tool_cb_wrt: stop alloc/free for every chunk windows console output [140]
            o tool_filetime: accept setting negative filetime [256]
            o tool_getparam: let --trace-config override -v [238]
            o tool_getparam: warn on more unicode prefixes [275]
            o tool_operate: avoid superfluous strdup'ing output [1]
            o tool_operate: use stricter curl_multi_setopt() arguments [225]
            o tool_operate: use the correct config pointer [115]
            o tool_paramhlp: fix secs2ms() [116]
            o tool_parsecfg: use dynbuf for quoted arguments [162]
            o tool_urlglob: add integer overflow protection [244]
            o tool_urlglob: polish, cleanups, improvements [141]
            o typecheck-gcc: add type checks for curl_multi_setopt() [226]
            o unit-tests: build the unitprotos.h from here [73]
            o unit2604: avoid `UNCONST()` [135]
            o URL-SYNTAX.md: drop link to codepoints.net to pass linkcheck [190]
            o urlapi: allow more path characters "raw" when asked to URL encode [146]
            o urldata: reduce two long struct fields to unsigned short [174]
            o urlglob: only accept 255 globs
            o vquic-tls: fix SSL backend type for QUIC connections using gnutls [29]
            o vquic: replace assert [254]
            o vquic: use curl_getenv [168]
            o vtls: set seen http version on successful ALPN [160]
            o websocket example: cast print values to unsigned int [251]
            o websocket: handling of PONG frames [213]
            o websocket: improve handling of 0-len frames [269]
            o websocket: reset upload_done when sending data [245]
            o windows: assume `ADDRESS_FAMILY`, drop feature checks [88]
            o windows: document toolchain support for `CERT_NAME_SEARCH_ALL_NAMES_FLAG`
            o windows: document toolchain support for some macros (cont.) [111]
            o windows: document toolchain support for some macros [113]
            o windows: drop `CRYPT_E_*` macro fallbacks, limit one to mingw32ce [118]
            o windows: drop two interim, single-use macros [106]
            o windows: drop unused `curlx/version_win32.h` includes [52]
            o windows: fix `if_nametoindex()` detection with autotools, improve with cmake [24]
            o windows: include `wincrypt.h` before `iphlpapi.h` for mingw-w64 <6 [50]
            o windows: target version macro tidy-ups [3]
            o wolfssl: rename ML-KEM hybrids to match IETF draft [173]
            o write-out.md: header_json is not included the json object [243]
            o ws: avoid NULL pointer deref in curl_ws_recv [91]
            o ws: get a new mask for each new outgoing frame [255]

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 87d7fa42e36d11e0f3c9920abb41db7740b849db
Merge: bed0f29da d6ec7e0bf
Author: Michael Tremer
Date: Mon Sep 15 10:20:35 2025 +0000

    Merge branch 'master' into next

commit d6ec7e0bf08a00c734c9e7b5f7c517ef82029afe
Author: Michael Tremer
Date: Mon Sep 15 12:17:01 2025 +0200

    ovpnmain.cgi: Never write ncp-disable

    This was some compatibility code which was supposed to help us with the transition towards NCP. Since we are now on OpenVPN 2.6, this version no longer supports the "ncp-disable" switch and we cannot write it to the configuration any more. There should always be a default value for data ciphers.

    Signed-off-by: Michael Tremer

commit bed0f29daf89b5813137d6e4b0656f690ae392c5
Author: Adolf Belka
Date: Mon Sep 15 10:56:40 2025 +0200

    python3-pyparsing: Update of rootfile due to bundled setuptools removal

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3825dec163eabb70af464c01f22bb6cd05d76dbb
Author: Adolf Belka
Date: Mon Sep 15 10:56:39 2025 +0200

    python3-packaging: Update of rootfile due to bundled setuptools removal

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ee729f2470de5c2fdf8aa6ad9c45ca91afd7b191
Author: Adolf Belka
Date: Mon Sep 15 10:56:38 2025 +0200

    python3-setuptools-rust: Update of rootfile due to bundled setuptools removal

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit f5f2c430575e22c53788884b82f5d77c3c9144f8
Author: Adolf Belka
Date: Mon Sep 15 10:56:37 2025 +0200

    python3-setuptools: Update of rootfile due to bundled setuptools removal

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 5982c84b3f26a5bd42adbb7a6c66a5525ec3dda6
Author: Adolf Belka
Date: Mon Sep 15 10:56:36 2025 +0200

    python3-MarkupSafe: Update of rootfile due to bundled setuptools removal

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 123c1fa3247a876ce26d41b7a01061af24dfc6e0
Author: Adolf Belka
Date: Mon Sep 15 10:56:35 2025 +0200

    python3-Jinja2: Update of rootfile due to bundled setuptools removal

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit e153297eccc92042633f5af85c641726fc053d34
Author: Adolf Belka
Date: Mon Sep 15 10:56:34 2025 +0200

    make.sh: Move setuptools module earlier in install order

    - The installed version of setuptools had to be moved earlier for a couple of other python modules that needed setuptools in place to build.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 35dbd453bf6844ba177849bd6bbf3b00f846aab5
Author: Adolf Belka
Date: Mon Sep 15 10:56:33 2025 +0200

    python3: Remove bundled setuptools

    - python3-pillow was finding the bundled setuptools version 63.2.0 and not the installed version of 80.9.0 and the bundled version failed the pillow requirement of >=77
    - The bundled version install can not be disabled so this patch removes all the setuptools directories at the end of the python3 install so that only the IPFire installed version of setuptools will be available.
    - This resolved the problem of python3-pillow failing to build
    - The bundled setuptools has been removed in python-3.12 so when that version is released in IPFire the removal lines added in this patch will be able to be removed.
    - The removal of the bundled version of setuptools also caused changes in the rootfiles of 6 other python modules, so it looks like those were also building with the older bundled version but had no version requirement failure. This patch set also includes the changed rootfiles for each of those packages.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 78194fc50a82f8284122bf4c83cae51ffb25b9e1
Author: Michael Tremer
Date: Sun Sep 14 13:39:32 2025 +0000

    suricata-reporter: Update to 0.3

    Signed-off-by: Michael Tremer