summaryrefslogtreecommitdiff
path: root/scripts/package-build
AgeCommit message (Collapse)Author
7 daysMerge pull request #1238 from c-po/kernel-update-6.18.38rollingChristian Breunig
Kernel: T9067: Update Linux Kernel to 6.18.38
7 daysKernel: T9067: Update Linux Kernel to 6.18.38Christian Breunig
8 daysbuild: T9058: add a script for building Squid from sourceDaniil Baturin
10 dayskernel: T8940: disable HYPERV_VTL_MODE and restore Hyper-V vPCI driverAlex Kudentsov
12 daysMerge pull request #1233 from sever-sever/T8508-currViacheslav Hletenko
T9040: Build FIPS-provider OpenSSL version
12 daysT9040: Build FIPS-compliant OpenSSL versionViacheslav Hletenko
Build FIPS-compatible OpenSSL binaries The FIPS provider does not get built and installed automatically. To enable it, you need to configure OpenSSL using the `enable-fips` option.
14 daysaccel-ppp-ng: T9039: update the commit hashDaniil Baturin
for the fix for legacy hash algorithm loading to make MS-CHAP work correctly again
2026-07-01Merge pull request #1228 from c-po/podman-updateDaniil Baturin
podman: T9024: package upgrade from v4.9.5 to v5.8.4
2026-06-30podman: T9024: package upgrade from v4.9.5 to v5.8.4Christian Breunig
This updates the used Podman version from 4.9.5 to 5.8.4 which is a major bump. For this update to work on Vyos we also do need to switch from crun to runc, as the Debian Bookworm provided version of crun is not working with podman 5.8.4. Building crun from Debian trixie package sources does not work due to missing build time dependencies.
2026-06-26Merge pull request #1227 from c-po/bnx2-patchViacheslav Hletenko
Kernel: T8914: add support for 2.5G pluggables on BCM57810S
2026-06-26Merge pull request #1189 from c-po/l2tpv3Daniil Baturin
Kernel: T8605: net/l2tp: allow unmanaged tunnel setup without route to peer
2026-06-25Kernel: T8914: add support for 2.5G pluggables on BCM57810SChristian Breunig
Add the well-known JAMESMTL kernel module patch for bnx2x to advertise 2.5Gbit/s capabilities on Broadcom NetXtreme2-X cards with BCM57810S chipset. This is useful for ISP GPON access networks that use 2.5Gbit/s pluggables and need the NIC to negotiate beyond 1000baseT/Full, avoiding the 940Mbit/s practical cap on overprovisioned 1G services. References: * https://hack-gpon.org/broadcom-57810s/ * https://github.com/JAMESMTL/snippets/blob/dceb2fee74d80c66d/bnx2x/patches/bnx2x_warpcore_8727_2_5g_sgmii_txfault.patch
2026-06-25Kernel: T9010: update existing patches to remove "hunk off" noticesChristian Breunig
2026-06-25Merge pull request #1225 from natali-rs1985/T9013Viacheslav Hletenko
T9013: Add FRR patch to fix BMP connect source-interface deletion
2026-06-24Merge pull request #1224 from c-po/kernel-update-6.18Christian Breunig
T9010: Update Linux Kernel to 6.18.36 and re-fresh Intel OOT driver versions
2026-06-24T9013: Add FRR patch to fix BMP connect source-interface deletionNataliia Solomko
2026-06-23Merge pull request #1175 from hedrok/T8599-fail-build-on-patch-failViacheslav Hletenko
T8599: Make source packages required and fix them
2026-06-23Kernel: T9010: remove Intel NIC Debian postinstall file after buildChristian Breunig
2026-06-23Kernel: T9010: update Intel OOT module driversChristian Breunig
Update versions: * igb v5.20.28 * ixgbe v6.4.4 * ixgbevf v5.3.36 * i40e v2.30.18 * ice v2.6.6 * iavf v4.13.35
2026-06-19Merge pull request #1222 from vyos/T8099-strongswan-6.0Daniil Baturin
T8099: Update strongswan to 6.0.6
2026-06-19T8599: Use .orig suffix for 3.0 source format onlyKyrylo Yatsenko
1.0 source format version needs tarball without '.orig' suffix as described in https://www.man7.org/linux/man-pages/man1/dpkg-source.1.html. Only if debian/source/format exists and contains 3.0, use '.orig'
2026-06-18T8599: dropbear binary-only packageKyrylo Yatsenko
Patch modifies debian/control and debian/rules, there is no easy way to fix source package creation in such case. As quick solution disable source package build for this package (previously it failed silently)
2026-06-18T8599: Don't ignore other build.py failuresKyrylo Yatsenko
Exit with error for other failures: * Creating/installing dependency package should be error: e.g. debugging why strongswan cannot find systemd could be easier if build.py failed when it couldn't install systemd and not when `configure` couldn't find it. * Creating tarball * pre_hook run
2026-06-18T8599: Make source packages required and fix themKyrylo Yatsenko
A lot of packages failed to build source package. Stop ignoring source package build errors and fix it. To fix source packages: * Use <source_package>_<upstream_version>.orig.tar.gz naming for source archive. * Get `source_package` and `upstream_version` from changelog using dpkg-parsechangelog utility * Clean build-deps after usage or dpkg-source sees these files as changes relative to upstream. * Add '.github' to --diff-ignore source option
2026-06-15T861: add secure boot support. Build shim-signed packageasklymenko
2026-06-12T861: add secure boot support. Build shim-signed packageasklymenko
2026-06-10Merge pull request #1221 from c-po/salt-removalViacheslav Hletenko
salt: T8973: remove package build due to feature removal
2026-06-10T8099: Update strongswan to 6.0.6Kyrylo Yatsenko
* Upgrade to 6.0.6 * Update 30-strongswan-configs.chroot to not change /etc/strongswan.d/charon.conf as the file is part of package strongswan-charon that should not be installed * Rebase all patches * Enable ML-KEM for Post Quantum
2026-06-10T8099: Fix strongswan buildKyrylo Yatsenko
* Remove systemd-dev from dependencies * Add `set -e` to build_cmd. Strongswan depends on `systemd` and `systemd-dev`, installing both fails with: ``` The following packages have unmet dependencies: systemd-dev : Breaks: systemd (< 253-2~) but 252.39-1~deb12u2 is to be installed E: Unable to correct problems, you have held broken packages. ``` `systemd-dev` contains pkg-config files for systemd and udev, but current `systemd` package installs identical `/usr/share/pkgconfig/systemd.pc` - maybe that's why packages cannot be installed simultaneously. So remove it from dependencies. Though the package failed to build, `./build.py` returned 0 as `build_cmd` has two build commands one after another without any checks of exit value of first one that builds strongswan. Added `set -e` so that any failure in any of commands results to build failure.
2026-06-10Merge pull request #1199 from hedrok/T8426-evpn-anycast-arpChristian Breunig
T8426: FRR support for EVPN Anycast
2026-06-09salt: T8973: remove package build due to feature removalChristian Breunig
As salt has been marked deprecated via T8056 and is thus deprecated in VyOS 1.5 and VyOS 1.4 it is time to remove it from the rolling release.
2026-06-08T8969: vyos-build failing to build, missing dependencies. Modify gitignore fileasklymenko
2026-06-08T8969: vyos-build failing to build, missing dependencies. Add build scriptsasklymenko
2026-05-30T8943: scripts/package-build: migrate broken commit_id refs after 1c renameYuriy Andamasov
PR #1204 ("ci: T8943: migrate branch-name refs current->rolling (rollout 1c)") covered .github/workflows/ only and missed seven commit_id values in scripts/package-build/ that referenced the pre-1c default-branch names of vyos-owned repos. The GitHub branch-rename redirect works for the REST API and web UI, not for git refs in a fresh clone — scripts/package-build/build.py clones the upstream and `git checkout <commit_id>`, which fails after the source repo was renamed. Updated: libnss-mapuser/package.toml current -> rolling libpam-radius-auth/package.toml current -> rolling vpp/package.toml (vyos-vpp-patches) current -> rolling vyos-1x/package.toml current -> rolling tacacs/package.toml (libtacplus-map) master -> rolling tacacs/package.toml (libpam-tacplus) master -> rolling tacacs/package.toml (libnss-tacplus) master -> rolling Verified post-rename defaults via `gh api repos/vyos/<r> --jq .default_branch` for all seven; verified the failure mode via a fresh `git clone https://github.com/vyos/vyos-1x.git` + `git checkout current` which errors with "pathspec 'current' did not match any file(s) known to git". LTS branches (sagitta/circinus/equuleus) were scanned and require no changes — only third-party `evgeny-gridasov/openvpn-otp` master appears there, unaffected by 1c. 🤖 Generated by [robots](https://vyos.io)
2026-05-28Kernel: T8938: consolidate build time options for amd64 and arm64 WWANChristian Breunig
2026-05-27T8426: FRR support for EVPN AnycastKyrylo Yatsenko
Add FRR patch for better MACVLAN support in FRR code.
2026-05-23Kernel: T8919: Update Linux Kernel to 6.18.33Christian Breunig
The Kernel 6.18.33 now has an upstream fix for the fragnesia vulnerability
2026-05-18Merge pull request #1194 from c-po/kernel-sourceAndrii Klymenko
Kernel: T8880: reduce size of Kernel source TAR
2026-05-18Kernel: T8879: add missing Hyper-V drivers after 6.18 upgrade (#1193)Christian Breunig
* Kernel: T8846: consolidate config for CPU/Task time and stats accounting * Kernel: T8879: add config section for hypervisor Virtual Socket Protocol * Kernel: T8879: add missing Hyper-V drivers after 6.18 upgrade Add drivers for Hyper-V hypervisor which got lost in transition from 6.6 to 6.18 Kernel upgrade.
2026-05-17Kernel: T8880: reduce size of Kernel source TARChristian Breunig
Enable "make mrproper" before packaging kernel source tarball. After enabling PWRU support in T8496, the auto-generated kernel source tarball grew from under 1 GB to ~4 GB, largely due to intermediate build artifacts (for example, vmlinuz.o growing from 54 MB to 618 MB with additional debug symbols). Since the tarball is intended to contain kernel sources and custom patches and not intermediate objects, we now clean the tree with "make mrproper" before creating the tarball. This keeps package size down while preserving rebuildability.
2026-05-15Kernel: T8871: Update Linux Kernel to 6.18.31Christian Breunig
This fixes the LPE https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
2026-05-15kernel: T8871: add a patch for the ptrace vulnerabilityDaniil Baturin
that allows unprivileged users to read files owned by any other user
2026-05-14Kernel: T8864: add patch for "fragnesia" local privilege escalationChristian Breunig
Fragnesia is a universal Linux local privilege escalation exploit, discovered with V12 by William Bowling with the V12 team. Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition. The technique extends the page-cache write bug class that includes Dirty Pipe: when a TCP socket transitions to espintcp ULP mode after data has already been spliced from a file into the receive queue, the kernel processes the queued file pages as ESP ciphertext. The AES-GCM keystream byte at counter block position 2, byte 0 is XORed directly into the cached file page. By selecting the IV nonce to produce a desired keystream byte, any target byte in the file can be set to any value — one byte per trigger invocation. From: https://github.com/v12-security/pocs/blob/532994fc003a7/fragnesia/README.md
2026-05-13Merge pull request #1178 from SuperQ/superq/psiDaniil Baturin
kernel: T8847: Enable PSI metric data
2026-05-12Merge pull request #1185 from c-po/intel-ootChristian Breunig
Kernel: T6847: update Intel Out-Of-Tree drivers for IGB, IXGBE, I40e, ICE and IAVF
2026-05-11Enable PSI metric dataSuperQ
Enable the kernel [Pressure Stall Information][PSI] accounting feature. This allows users to gather data on CPU and memory starvation. It's very useful to help find cases where the system performance is impacted by overloaded CPUs. [PSI]: https://docs.kernel.org/accounting/psi.html Signed-off-by: SuperQ <superq@gmail.com>
2026-05-08Kernel: T8605: net/l2tp: allow unmanaged tunnel setup without route to peerChristian Breunig
Kernel-created L2TPv3 tunnels (genetlink L2TP_CMD_TUNNEL_CREATE without L2TP_ATTR_FD) used udp_sock_create() and kernel_connect(), which invoke __ip4_datagram_connect() / __ip6_datagram_connect(). Those paths insist on a successful FIB lookup at connect time. If no route to the configured remote existed yet, tunnel and interface creation failed. The data path already resolves routes on transmit (e.g. __ip_queue_xmit(), inet6_csk_route_socket()). This change defers requiring a route until packets are sent. Details: - UDP encapsulation: bind with udp_sock_create() after zeroing peer_udp_port, then l2tp_udp_sk_set_peer() sets daddr/dport and socket "connected" state without caching sk_dst from connect. - IPv4 L2TP/IP (l2tp_ip): on -ENETUNREACH / -EHOSTUNREACH from __ip4_datagram_connect(), l2tp_ip_connect_deferred() installs peer and bind-table updates without a connect-time route. - IPv6 L2TP/IP (l2tp_ip6): same for __ip6_datagram_connect(), including IPv4-mapped peers and scope / bound-device checks aligned with the normal connect path. Forwarding still only happens once the FIB can reach the peer. Until then outgoing packets follow the existing no-route drop path. Assisted-by: Cursor:claude-4.6-opus Signed-off-by: Christian Breunig <christian@breunig.cc>
2026-05-08Kernel: T6847: add Intel IAVF out-of-tree Kernel driver with custom patchesChristian Breunig
The Intel iavf driver (formerly i40evf) is the Linux virtual function driver for modern Intel Ethernet adapters supporting SR-IOV, including the X700/E800 series. Renamed to iavf to support future devices, it replaced i40evf entirely by 2019. The driver facilitates high-performance networking in virtualized environments. This commit contains custom patches to make the driver build.
2026-05-08Kernel: T6847: use common build_intel_nic helper functionChristian Breunig
Instead of one build function per driver (ixgbe, i40, ice) which will anyways result in the same Python code path to be executed - use one common helper name: build_intel_nic
2026-05-08Kernel: T6847: add Intel ICE out-of-tree Kernel driver with custom patchesChristian Breunig
The current version of the Intel ice driver does not compile with a recent LTS Kernel due to missing internal Kernel API adjustments in the Intel driver. This commit contains custom patches to make the driver build.