The ST team is happy to announce a new release of the stprov software,
tag v0.3.5, which succeeds the previous release at tag v0.2.1. The
source code for this release is available from the git repository:
    git clone -b v0.3.5 https://git.glasklar.is/system-transparency/core/stprov.git
Authoritative ST release signing keys are published at
https://www.system-transparency.org/keys/
and the tag signature can be verified using the command
    git -c gpg.format=ssh \
        -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \
        tag --verify v0.3.5
The expectations and intended use of the stprov software are documented
in the repository's RELEASES file. This RELEASES file also contains
more information concerning the overall release process, see:
https://git.glasklar.is/system-transparency/core/stprov/-/blob/v0.3.5/RELEA…
Learn about what's new in a release from the repository's NEWS file. An
excerpt from the latest NEWS-file entry is listed below for convenience.
If you find any bugs, please report them on the System Transparency
discuss list or open an issue on GitLab in the stprov repository:
https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l…
https://git.glasklar.is/system-transparency/core/stprov/-/issues
system-transparency-core-stprov-issues(a)incoming.glasklar.is
Cheers,
The ST team
NEWS for stprov v0.3.5
This release mainly improves documentation, test coverage, and fixes bugs.
There are a few minor features added relating to the stprov command-line UI,
and a little bit of clean-up as summarized in the miscellaneous section.
Incompatible changes
* The -b option no longer accepts interface names that contain a comma.
Security fixes:
* The -a option in stprov remote-run accepts addresses in CIDR notation,
but falls back on /32 if an address omits the subnet mask. The same
subnet mask was used for IPv6, resulting in a much larger subnet. This
issue has been fixed, such that the default IPv6 subnet-mask is /128.
Bug fixes
* Produce host configurations that are compatible with stboot (stprov and
stboot diverged on how to handle empty values, which has now been fixed).
* Correctly set the host configuration fields "bonding_mode" and
"bond_name". The bonded interface name is always set to "bond0".
* Add a Makefile option for setting custom OS-package URLs. The
built-in default used to be hardcoded without a good way of changing it.
* Read TLS roots from a location that is consistent with stboot. The
consulted location is "/etc/trust_policy/tls_roots.pem".
* Several nits and confusions in the stprov usage message were fixed.
New features:
* Options with multiple values can be specified as a comma-separated
list (-e val,val) and/or by repeating the option (-e val -e val). This
makes the UX consistent for the -a, -b, and other multi-value options.
* The -r option can accept multiple OS-package URLs.
* The -d option can accept multiple DNS servers. The built-in default
has as a result also been updated to include Quad9's secondary server.
New documentation:
* System documentation has been added, see docs/stprov-system.md.
* Usage manual has been added, see docs/stprov-manual.md.
Miscellaneous:
* The OS package URL (-r) and user/password (-u/-p) options are no longer
mutually exclusive. The user and password options are instead silently
ignored for OS package URLs without the "user:password" pattern.
* The host configuration fields "authentication" and "identity" were
removed. So, the dummy "foo" and "bar" values are no longer written.
Note that stprov never supported any real use of the removed fields.
* The host configuration field "timestamp" was removed. In other words,
the platform's host configuration no longer indicates a provisioning date.
* Failing HEAD requests on OS package URLs are treated as errors rather
than warnings. This behavior can be overridden with the force flag (-f).
* Major improvements to the QEMU test coverage, see integration/qemu.sh.
This release implements the following specifications:
* The system documentation in this repository (docs/stprov-system.md)
* https://git.glasklar.is/system-transparency/project/docs/-/blob/v0.2.0/cont…
* https://git.glasklar.is/system-transparency/project/docs/-/blob/v0.2.0/cont…
* https://git.glasklar.is/system-transparency/project/docs/-/blob/v0.2.0/cont…
This release has been tested to work with:
* stboot's provision mode, release tag v0.3.6:
https://git.glasklar.is/system-transparency/core/stboot/-/tree/v0.3.6
* ISO building using stmgr, pre-release tag v0.3.2:
https://git.glasklar.is/system-transparency/core/stmgr/-/tree/v0.3.2
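The default-mask issue listed under "Security fixes" in the stprov v0.3.5 NEWS above, as an added Go example that is not part of the announcement and not stprov's own code. The function names legacyPrefix, hostPrefix and covers are hypothetical, and the addresses are constructed samples from the documentation ranges.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parse uses explicit CIDR input as given; a bare address gets the prefix
// length chosen by defaultBits.
func parse(s string, defaultBits func(netip.Addr) int) (netip.Prefix, error) {
	if strings.Contains(s, "/") {
		return netip.ParsePrefix(s)
	}
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(addr, defaultBits(addr)), nil
}

// legacyPrefix (hypothetical name) models the old default: /32 for every family.
func legacyPrefix(s string) (netip.Prefix, error) {
	return parse(s, func(netip.Addr) int { return 32 })
}

// hostPrefix (hypothetical name) models the fix: /32 for IPv4, /128 for IPv6.
func hostPrefix(s string) (netip.Prefix, error) {
	return parse(s, func(a netip.Addr) int { return a.BitLen() })
}

// covers reports whether prefix p includes the address written as s.
func covers(p netip.Prefix, s string) bool {
	a, err := netip.ParseAddr(s)
	return err == nil && p.Contains(a)
}

func main() {
	for _, in := range []string{"192.0.2.10", "2001:db8::1", "2001:db8::1/64"} {
		old, _ := legacyPrefix(in)
		fixed, _ := hostPrefix(in)
		fmt.Printf("%-16s legacy=%s fixed=%s\n", in, old, fixed)
	}
	old, _ := legacyPrefix("2001:db8::1")
	fixed, _ := hostPrefix("2001:db8::1")
	// A different host in the same /32 (constructed sample address).
	fmt.Println(covers(old, "2001:db8:ffff::1"), covers(fixed, "2001:db8:ffff::1"))
}
```

A /32 default on an IPv6 address spans 2^96 addresses, which is why the second printed line reports the unrelated host as covered only under the legacy default.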
The ST team is happy to announce a new release of the stboot bootloader,
tag v0.3.6, which succeeds the previous release at tag v0.2.2. The
source code for this release is available from the git repository:
    git clone -b v0.3.6 https://git.glasklar.is/system-transparency/core/stboot.git
Authoritative ST release signing keys are published at
https://www.system-transparency.org/keys, and the tag signature can be
verified using the command
    git -c gpg.format=ssh -c gpg.ssh.allowedSignersFile=allowed-ST-release-signers \
        tag --verify v0.3.6
The expectations and intended use of the stboot bootloader are documented
in the repository's RELEASES file. This RELEASES file also contains
more information concerning the overall release process, see:
https://git.glasklar.is/system-transparency/core/stboot/-/blob/main/RELEASE…
Learn about what's new in a release from the repository's NEWS file. An
excerpt from the latest NEWS-file entry is listed below for convenience.
If you find any bugs, please report them on the System Transparency
discuss list or open an issue on GitLab in the stboot repository:
https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l…
https://git.glasklar.is/system-transparency/core/stboot/-/issues
Cheers,
The ST team
NEWS for stboot v0.3.6
This stboot release is intended as a stable "status quo" release.
There are few new features. Compatibility with existing
deployments has been improved, and both documentation and testing
have been improved compared to previous releases.
When upgrading, the intention is that this release should be
compatible with host config files as used by stboot v0.2.2, as
well as with host config files for even older stboot versions
deployed by early adopters. However, deployment processes and
scripts will need updates. E.g., the initramfs where you install
stboot needs to have the tls root certificates in a new location
(see below), and you may want to arrange so that stboot is the
system's init process.
Security fixes:
* The threshold signature logic has been updated to require
distinct public keys (the SubjectPublicKeyInfo field in the x509
certificate) in order to consider two certificates as distinct.
Previously, multiple signatures by the same key could count as
distinct, e.g., if there are multiple certificates for that key,
with overlapping validity periods.
Incompatible changes:
* The location where stboot reads the https root certificates has
been moved, from /etc/ssl/certs/isrgrootx1.pem to
/etc/trust_policy/tls_roots.pem. See
https://git.glasklar.is/system-transparency/project/documentation/-/blob/ma…
for details.
* Delete the feature of "$ID" and "$AUTH" substitution in the host
config's os_pkg_pointer value. We are not aware of anyone ever
using this feature. Constructing the url or filename by
substituting host specific settings in a template is useful, but
better left to the provisioning tools that create the host
config.
* Network configuration in stboot has been fixed to respect the
order of interfaces in the host config's network_interfaces
list; previously, it would prefer the last rather than the first
listed interface.
New stboot features and improvements:
* The tls root certificate file is required only for network
boot, for initramfs boot that file can now be omitted.
* Add backwards compatibility to parsing of the host config.
Stboot now recognizes old ways of using the json keys "dns",
"network_interfaces", and adds fallbacks for recognizing the
obsolete json keys "provisioning_urls" and "network_interface"
(singular).
* Relax parsing of host config and other json data to treat
missing keys in the same way as keys explicitly set to null.
* Add informative logging when starting file downloads.
* Documentation updates, including a new file docs/stboot-system.md
and specifications at https://docs.system-transparency.org.
* Support for running stboot as the system's init (pid 1) process.
Previously, it was recommended to use u-root as the init
process, and let u-root spawn stboot as a regular process.
Go library changes (no expected stability between stboot releases):
* Delete the sterror package.
* Change method OSPackage.Sign to use crypto.Signer for the
private key. Delete the ospkg.Signer interface, in favor of
crypto.Signer.
* Delete lots of unused code, including various exported functions.
Miscellaneous:
* Improved test coverage, both unit tests and integration tests.
This release has been tested to work with:
* Artifacts produced by stmgr v0.3.2 (pre-release version).
https://git.glasklar.is/system-transparency/core/stmgr/-/tree/v0.3.2
* Provisioning using stprov v0.3.3 (pre-release version)
https://git.glasklar.is/system-transparency/core/stprov/-/tree/v0.3.3
This release implements the specifications at
https://git.glasklar.is/system-transparency/project/docs/-/tree/96fe394b162…
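The threshold-counting issue listed under "Security fixes" in the stboot v0.3.6 NEWS above, as an added Go example that is not part of the announcement and not stboot's own code. The function names are hypothetical, the certificates and keys are constructed at run time, and every signature is assumed to have been verified already, so only the counting step is shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a constructed self-signed certificate; validity periods overlap.
func makeCert(key ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now()}
	tmpl.NotAfter = tmpl.NotBefore.Add(time.Duration(serial) * 24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// distinctSigners counts signers; byKey=false models per-certificate counting.
func distinctSigners(certs []*x509.Certificate, byKey bool) int {
	seen := map[string]bool{}
	for _, c := range certs {
		id := c.Raw // whole certificate: one key with two certificates counts twice
		if byKey {
			id = c.RawSubjectPublicKeyInfo // DER-encoded SubjectPublicKeyInfo
		}
		seen[string(id)] = true
	}
	return len(seen)
}

// sampleSigners returns two certificates for one key and one for a second key.
func sampleSigners() []*x509.Certificate {
	_, k1, _ := ed25519.GenerateKey(rand.Reader) // error ignored: sample keys only
	_, k2, _ := ed25519.GenerateKey(rand.Reader)
	return []*x509.Certificate{makeCert(k1, 1), makeCert(k1, 2), makeCert(k2, 3)}
}

func main() {
	certs := sampleSigners()
	fmt.Println("by certificate:", distinctSigners(certs, false), "by key:", distinctSigners(certs, true))
}
```

With a threshold of three, the per-certificate count is satisfied by only two key holders, while the per-key count is not.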
The ST team is happy to announce a new release of the ST documentation,
tag v0.1.0, which is the first release. The
documentation is available as a git repository:
https://git.glasklar.is/system-transparency/project/docs
and as a deployed homepage at:
https://docs.system-transparency.org/
The expectations and intended use of the st docs are documented
in the repository's RELEASES file. This RELEASES file also contains
more information concerning the overall release process, see:
https://git.glasklar.is/system-transparency/project/docs/-/blob/main/RELEAS…
Learn about what's new in a release from the repository's NEWS file. An
excerpt from the latest NEWS-file entry is listed below for convenience.
https://git.glasklar.is/system-transparency/project/docs/-/blob/main/NEWS.md
If you find any issues, please open an issue or MR at the documentation repository.
Cheers,
The ST team
NEWS for docs v0.1.0
We are excited to announce the initial release of ST Documentation,
version v0.1.0. This release marks a significant milestone in our
journey to provide comprehensive and user-friendly documentation for the
ST ecosystem. It's important to note that this version is the first step
in our ongoing effort to develop and refine our documentation. It is an
early release that sets the foundation for future improvements and expansions.
### Key Highlights of v0.1.0
- Quickstart Guide: To help new users get up and running, we've included
a Quickstart Guide. This guide is designed to provide a straightforward
introduction to the ST ecosystem, making it easier for newcomers to
start their journey.
- Interface Documentation: We've meticulously documented the interfaces
within the ST ecosystem. This includes detailed descriptions of
functions, classes, and modules, providing a valuable resource for both
developers and users seeking a deeper understanding of the system's
internals. Still some interfaces might be missing and added lat
- Learn More Resources: For those who wish to dive deeper, we've added a
"Learn More" section. Here, you'll find resources and materials that
cover various aspects of the ST ecosystem in more detail, perfect for
users who wish to expand their knowledge and skills.
## A Note on Stability
Please note that v0.1.0 is not meant to be a stable release. It's the
beginning of an iterative process, and as such, we expect to make
frequent updates and improvements. Users should be prepared for changes
and enhancements in subsequent releases. We're committed to rapidly
evolving and updating our documentation to meet the needs of our community.
### Future Plans
- Regular Updates: We will be regularly releasing updates to improve and
expand our documentation.
- Community Feedback: We strongly encourage feedback from our users.
Your insights are invaluable in helping us refine and enhance our documentation.
- Expanding Content: Expect to see more tutorials, in-depth guides, and
comprehensive reference materials in future releases.
## Getting Involved
The ST Documentation is a community-driven project, and we welcome
contributions from everyone. Whether it's providing feedback, reporting
issues, or contributing content, your involvement is what makes this
project grow and improve.
### Stay Updated
To keep abreast of the latest developments and upcoming releases, please
follow our project's channels and stay connected with the community.
We thank you for your support and interest in ST Documentation. Let's
make it a robust and valuable resource together!
The ST team is happy to announce a new release of the stprov software,
tag v0.2.1, which succeeds the previous release at tag v0.1.1. The
source code is available as an archive on our GitLab's release page:
https://git.glasklar.is/system-transparency/core/stprov/-/releases
Alternatively, you can check out the git repository:
    git clone -b v0.2.1 https://git.glasklar.is/system-transparency/core/stprov.git
Or install using Go's tooling:
    go install system-transparency.org/stprov/cmd/stprov@v0.2.1
The expectations and intended use of the stprov software are documented
in the repository's RELEASES file. This RELEASES file also contains
more information concerning the overall release process, see:
https://git.glasklar.is/system-transparency/core/stprov/-/blob/main/RELEASE…
Learn about what's new in a release from the repository's NEWS file. An
excerpt from the latest NEWS-file entry is listed below for convenience.
If you find any bugs, please report them on the System Transparency
discuss list or open an issue on GitLab in the stprov repository:
https://lists.system-transparency.org/mailman3/postorius/lists/st-discuss.l…
https://git.glasklar.is/system-transparency/core/stprov/-/issues
Cheers,
The ST team
NEWS for stprov v0.2.1
Other than improved documentation and testing, this release brings a few
user-experience improvements such as sanity-checking OS package URLs.
New features:
* Make a HEAD request on the specified OS package URL to see if it works
Enhancements:
* More intuitive hostname default value (no longer a domain name)
* Add qemu-based integration test
* Run tests and commitlint in CI for every commit
* Add documentation, including MAINTAINERS, README, RELEASES, and NEWS
* Minor internal refactoring
Bug fixes:
* Fix default bonding mode name
* Fix broken and racy unit tests
* Fix license copyright and list of authors
Breaking changes:
* None
This release has been tested to work with:
* stboot in provision mode (trust policy fetch-method set to "network")
https://git.glasklar.is/system-transparency/core/stboot/, tag v0.2.1
Use the following reference specifications to be interoperable with stprov:
* EFI-NVRAM host configuration
https://git.glasklar.is/system-transparency/project/docs/-/blob/main/conten…,
commit-id 3f46dd067931b9023984052cc5b98ff6d0ed0a28
We list additional reference specifications here as they become available.