git.99rst.org Git - openwrt-packages.git/log

checksec: mark version check override as executable

Mark version check override as executable and add explicit package checks.

Signed-off-by: George Sapkin <redacted>

libcap-ng-bin: add test-version.sh to skip version check

captest, filecap, netcap and pscap (libcap-ng-bin) do not print the
package version string (0.8.4), causing generic version check failures
in CI.

Signed-off-by: Alexandru Ardelean <redacted>

fatresize: add test-version.sh to skip git-snapshot version check

The binary does not report the OpenWrt package version (2023.06.11~ab78c48f);
override the generic version check with test-version.sh.

Signed-off-by: Alexandru Ardelean <redacted>

fatresize: fix PKG_MIRROR_HASH after .gitattributes change

The git archive hash changed due to .gitattributes normalization in the
upstream repository. Update PKG_MIRROR_HASH to the current value.

Signed-off-by: Alexandru Ardelean <redacted>

syncthing: bump to 2.1.0

Changes: https://github.com/syncthing/syncthing/releases/tag/v2.1.0
Signed-off-by: George Sapkin <redacted>

openvpn: add kmod-ovpn-backports dependency

With openwrt/openwrt@f7d6e73 and openwrt/packages@974c2be, kmod-ovpn-backports can now be built and run correctly.
add this dependency enables DCO.

Link: openwrt/packages@01fafd69e

Test on: Mediatek Filogic GL-MT3000 (with kmod-crypto-hw-safexcel)

Signed-off-by: Andy Chiang <redacted>

django: bump to version 6.0.5

Fix CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907.

Full release notes:
https://docs.djangoproject.com/en/6.0/releases/6.0.5/

Signed-off-by: Wei-Ting Yang <redacted>

python-pytz: bump to 2026.2

Update timezone data to 2026.2 release.

Signed-off-by: Wei-Ting Yang <redacted>

minidlna: fix creation of /var/etc on start

When dnsmasq is disabled, /var/etc doesn't exist. minidlna start was then failing. Partially reverted commit 733aae9 which broke this.

Signed-off-by: Peter Maivald <redacted>

python-installer: bump to 1.0.1

1.0.1 fixes a false-positive path-traversal check in destinations.py:
the 1.0.0 code used Path.resolve() to validate that each installed file
stays within the --destdir, but Path.resolve() follows symlinks.
OpenWrt's staging dir and toolchain directories contain many symlinks,
so resolved paths could escape the destdir comparison and trigger:

ValueError: Attempting to write <file> outside of the target directory

1.0.1 replaces Path.resolve() with os.path.abspath(), which normalises
the path without following symlinks, eliminating the false positive.

Signed-off-by: Alexandru Ardelean <redacted>

cni-plugins: update to 1.9.1

Major version jump from 1.1.1 covering the 1.2.x - 1.9.x series.
Highlights:
- portmap: implement netfilter (nft) backend; bandwidth: optimization
- bridge: support "vlanTrunk" property and DAD/PVID support
- macvlan: support "linkInContainer" mode
- ipvlan: support "linkInContainer" mode
- dhcp: support DHCP option 121 classless static routes
- host-local: handle ranges with single IP
- firewall: support "ingressPolicy" with iptables and nftables
- tuning: allow specifying tx queue length
- Go module bumps including security fixes
- Minimum Go version: 1.23

Link: https://github.com/containernetworking/plugins/releases/tag/v1.9.1
Link: https://github.com/containernetworking/plugins/blob/v1.9.1/CHANGELOG.md
Signed-off-by: Daniel Golle <redacted>

cni: update to 1.3.0

Major version jump from 1.1.2 covering the 1.2.x series and 1.3.0:
- libcni: support DEL --force option (CNI 1.2)
- GC: support --valid-attachments option (CNI 1.2)
- cnitool: bug fixes and minor improvements
- Drop support for old plugin API versions (<0.4.0)
- Various Go module updates and CVE fixes
- Minimum Go version: 1.21

Link: https://github.com/containernetworking/cni/releases/tag/v1.3.0
Link: https://github.com/containernetworking/cni/releases/tag/v1.2.0
Signed-off-by: Daniel Golle <redacted>

gnunet-fuse: update to 0.26.0

Update for compatibility with gnunet 0.26+/0.27+ API changes.
The package version tracks the latest gnunet release the
sources build against.

Link: https://git.gnunet.org/gnunet-fuse.git/log/?h=v0.26.0
Signed-off-by: Daniel Golle <redacted>

gnunet: update to 0.27.0

Changes since 0.25.1:

0.27.0:
* util: Removed GNUNET_CRYPTO_symmetric_derive_iv API
* util: Deprecate GNUNET_CRYPTO_symmetric_* APIs
* util: Revise GNUNET_CRYPTO_hkdf_* APIs for safe variadic
arguments. Fixes #10898

0.26.x:
* util: Revise crypto API to prevent misuse of key material
* util: Add various TIME related helper APIs
* pils: Ship missing header
* pq: fix NULL reporting in arrays
* pq: fix consistency check errors
* util: fix UTF-8 uppercase/lowercase conversion API insanity

0.25.2:
* build: Various build system and detection logic improvements
* reintroduce some flat file storages

Drop patches that have been merged upstream:
- 0001-meson-convert-SQLite-version-detection-to-compile-time
- 0002-meson-convert-cURL-version-detection-to-compile-time
- 0003-meson-convert-libsodium-version-detection-to-compile
- 0004-meson-convert-cURL-SSL-library-detection-to-compile
- 0007-namecache-install-sql-files
- 0008-namecache-build-flat-namecache-plugin

Refresh 0005-meson-detect-libcurl-gnutls.patch for the upstream
switch from cc.compiles to cc.run for the cURL SSL backend check.

Link: https://git.gnunet.org/gnunet.git/tree/NEWS?h=v0.27.0
Signed-off-by: Daniel Golle <redacted>

udp-broadcast-relay-redux: remove package

Upstream repository has been archived by the owner, so
this software is no longer maintained.
No packages depends on this.

Signed-off-by: Yanase Yuki <redacted>

kcptun: remove package

It seems this software is no longer maintained, because
upstream repository has been deleted.
No packages depends on this.

Signed-off-by: Yanase Yuki <redacted>

bsbf-resources: update to GIT HEAD of 2026-05-14

Update bsbf-resources to the GIT HEAD of 2026-05-14.

- Improve bsbf-bonding --uninstall logic.

Signed-off-by: Chester A. Unal <redacted>

acme-acmsh: bump acme.sh to 3.1.3

update acme.sh version to 3.1.3

Signed-off-by: Seo Suchan <redacted>

acme: make 'acme' keyword actually virtual

before acme is an empty package that depend either acme-acmesh or uacme.
but this boolean logic in depend ignored by apk itself.
let's make a virtual keyword
witch both acme.sh and uacme provides.
acme.sh is explicit default.

Signed-off-by: Seo Suchan <redacted>

telegraf: update to 1.38.4

- Update Telegraf to v1.38.4

Signed-off-by: Niklas Thorild <redacted>

oci-runtime-tools: update to GIT HEAD of 2026-03-16

Update PKG_SOURCE_VERSION to 8a4db579f5c88af5a0d036fad34bddc9c1f703f3
(latest upstream main).

oci-runtime-tools is a rolling release without versioned upstream
releases. The new commit brings updated runtime-spec dependencies
and bug fixes accumulated since November 2024.

Link: https://github.com/opencontainers/runtime-tools/compare/f7e3563b...8a4db579
Signed-off-by: Daniel Golle <redacted>

opentracker: update to GIT HEAD of 2026-04-13

opentracker is an open and free bittorrent tracker without
versioned releases. Bumping PKG_SOURCE_VERSION to upstream
HEAD as of 2026-04-13 to pick up accumulated fixes since
the 2025-04-25 snapshot.

Link: https://erdgeist.org/gitweb/opentracker/log/?id=716dcfbbed55cc8b9896d05e58f8958869078dd7
Signed-off-by: Daniel Golle <redacted>

libcurl-gnutls: update to 8.20.0

Tracks upstream curl 8.20.0 (April 2026 release).

Changes since 8.14.1 cover six upstream releases (8.15.0 - 8.20.0).
Highlights:
* async-thrdd: use thread queue for resolving
* build: make NTLM disabled by default
* lib: add thread pool and queue
* lib: drop support for < c-ares 1.16.0
* lib: make SMB support opt-in
* multi.h: add CURLMNWC_CLEAR_ALL
* rtmp: drop support
* cmake: drop support for CMake 3.17 and older
* Various TLS, HTTP/3, altsvc and resolver bug fixes.

Link: https://curl.se/changes.html#8_20_0
Link: https://github.com/curl/curl/blob/curl-8_20_0/RELEASE-NOTES
Signed-off-by: Daniel Golle <redacted>

debootstrap: update to 1.0.143

Update to latest upstream release.

Highlights of changes since 1.0.128:
* Added support for Debian 13 (trixie)
* Added support for many new Ubuntu releases (jammy through plucky)
* Improvements to keyring handling
* Various bug fixes and cleanups

Drop PKG_REAL_VERSION and the now-redundant PKG_BUILD_DIR override:
upstream and downstream versions match, so use PKG_VERSION directly
in PKG_SOURCE.

Link: https://salsa.debian.org/installer-team/debootstrap/-/blob/1.0.143/debian/changelog
Signed-off-by: Daniel Golle <redacted>

debian-archive-keyring: update to 2025.1

Changes since 2023.4:
* Add automatic signing keys for trixie
* Add Debian Stable Release Key (13/trixie) (ID: 762F67A0B2C39DE4)
* Clean up maintscript removal of ancient archive certificates
* Get rid of team-members/ and signature verification
* Remove buster keys
* Rename keyrings from .gpg to .pgp
* Use OpenPGP instead of GnuPG when referring to the specification

Link: https://salsa.debian.org/release-team/debian-archive-keyring/-/blob/debian/2025.1/debian/changelog
Signed-off-by: Daniel Golle <redacted>

exim: update to 4.99.3 (security release)

4.99.3 (security release):
* Addresses EXIM-Security-2026-05-01.1: a remotely reachable
   Use-After-Free vulnerability in Exim's BDAT (binary data
   transmission) body parsing path when using the GnuTLS
   backend. This can lead to heap corruption and potential code
   execution. Affects 4.97 through 4.99.x when built with GnuTLS
   support AND with STARTTLS and CHUNKING advertised.
   Reported by xbow security.

Previous security releases folded into this bump:

4.99.2 (security release):
* Addresses Exim-Security-2026-04.1, covering 4 CVEs:
   - CVE-2026-40684: Possible crash with malicious DNS data (musl libc)
   - CVE-2026-40685: Possible OOB read/write on corrupt JSON in header
   - CVE-2026-40686: Possible OOB read with large UTF8 trailing characters
   - CVE-2026-40687: Possible OOB read/write with SPA authenticator

4.99.1 (security release):
* Re-incarnation of CVE-2025-26794, ports fixes from 4.98.1/4.98.2.

Link: https://exim.org/static/doc/security/EXIM-Security-2026-05-01.1/
Link: https://git.exim.org/exim.git/blob/refs/tags/exim-4.99.3:/doc/doc-txt/ChangeLog
Signed-off-by: Daniel Golle <redacted>

gstreamer1: add libatomic dependency for 32-bit arm targets

arm926ej-s (ARMv5) does not have native lock-free atomics and the
toolchain inserts calls to libatomic.so.1 for atomic operations.
The libgstreamer1 DEPENDS only listed armeb, powerpc, mips and mipsel
as needing libatomic, missing plain arm (little-endian 32-bit ARM).

Extend the condition to include arm so the package is properly
declared on all 32-bit ARM targets that require libatomic.

Signed-off-by: Alexandru Ardelean <redacted>

perl: add test-version.sh to skip version check

perlbase-archive, perlbase-pod, and perlbase-test install Perl script
wrappers (ptar, pod2man, prove, etc.) that do not output the OpenWrt
package version string (5.40.0), causing generic version check failures
in CI.

Signed-off-by: Alexandru Ardelean <redacted>

privoxy: update to 4.1.0

Changes since 4.0.0:
- Add Zstandard decompression support for compressed web content
- Improve WolfSSL compatibility and SSL host name validation
- Improve IPv6 address support and Connection header handling
- Drop legacy pcre1 support; PCRE2 is now required
- Fix multiple memory leaks and socket leaks

Signed-off-by: Alexandru Ardelean <redacted>

ngircd: update to 27

Changes since 26.1:
- Add SSL/TLS certificate validation for server-server links by default
(new SSLVerify option to disable)
- Add systemd sd_notify protocol support
- Add Autojoin option for automatic channel joining on connect
- Automatically maximize file descriptor limit at startup
- Add Docker/container documentation and Dockerfile

Signed-off-by: Alexandru Ardelean <redacted>

radsecproxy: update to 1.11.2

Changes since 1.9.1:
- Add TLS-PSK support and SSLKEYLOGFILE mechanism (1.11.0)
- Add options to require Message-Authenticator attribute (1.11.0)
- Add native dynamic discovery for NAPTR and SRV records (1.10.0)
- Add SNI support for outgoing TLS connections (1.10.0)
- Multiple TCP/TLS connection stability bug fixes (1.10.x)
- Reload complete TLS context on SIGHUP (1.11.0)
- Fix Message-Authenticator validation for Accounting-Response (1.11.2)

Update patch 200-logdest-on-foreground.patch for new code positions.

Signed-off-by: Alexandru Ardelean <redacted>

miniupnpc: update to 2.3.3

Changes since 2.2.8:
- Fix crash related to FD_SET and socket timeout handling
- Fix build_absolute_url when if_indextoname() returns NULL
- Add support for C23 and glibc 2.43 string function signatures
- Improve poll() usage and C++ compiler compatibility

Signed-off-by: Alexandru Ardelean <redacted>

git-lfs: update to 3.7.1

Fixes symlink traversal vulnerability (CVE-2025-26625) that allowed
writing files outside the repository on checkout/pull.

Other changes since 3.5.1:
- Add --refetch option to force re-download of LFS objects
- Add --json and --dry-run options for fetch operations
- Improve .netrc handling on Windows and macOS root CA support
- Upgrade to Go 1.25 (requires Linux kernel 3.2+)

Signed-off-by: Alexandru Ardelean <redacted>

libedit: update to version 20260512-3.1

changelog at https://thrysoee.dk/editline/

Signed-off-by: Jan Hák <redacted>

golang: add version check override script

Only check versin for the compielr package.

Signed-off-by: George Sapkin <redacted>

golang: add a simple compilation test

Add a simple CI compilation test to ensure that the Go toolchain is
functional.

Signed-off-by: George Sapkin <redacted>

golang: bump 1.26 to 1.26.3

Fixes: CVE-2026-27142
Fixes: CVE-2026-39836
Fixes: CVE-2026-42501
Changes: https://github.com/golang/go/issues?q=milestone%3AGo1.26.3+label%3ACherryPickApproved
Signed-off-by: George Sapkin <redacted>

python-platformio: fix host build

Fix bottle dependency.

Fixes: e15bac97 ("python-platformio: add target package")
Signed-off-by: George Sapkin <redacted>

python-wsproto: fix host build

Add missing includes.

Fixes: b12e18eb ("python-wsproto: add host package")
Signed-off-by: George Sapkin <redacted>

python-h11: fix host build

Add missing includes.

Fixes: 0a75ad1e ("python-h11: add host package")
Signed-off-by: George Sapkin <redacted>

python3-bottle: fix host build

Add missing includes.

Fixes: 9ff014b4 ("python3-bottle: add host package")
Signed-off-by: George Sapkin <redacted>

python-protobuf: add new package

Add Protobuf Python package.

Signed-off-by: George Sapkin <redacted>

spoofer: bump to 1.4.13

Remove nonexistent configure arguments.

Signed-off-by: George Sapkin <redacted>

spoofer: use protobuf-compat instead of protobuf

The package is not actively-maintained and doesn't compile with modern
Protobuf. Switch it to compat version.

Signed-off-by: George Sapkin <redacted>

pdns: update config arguments

Remove old and add updated configuration arguments.

Signed-off-by: George Sapkin <redacted>

ola: use protobuf-compat instead of protobuf

The package is not actively-maintained and doesn't compile with modern
Protobuf. Switch it to compat version.

Signed-off-by: George Sapkin <redacted>

mosh: fix compilation with new Protobuf

Switch mosh to -std=c++17 to fix compilation with newer Protobuf.

Link with libatomic necessary for MIPS and PowerPC.

Signed-off-by: George Sapkin <redacted>

protobuf: add version 29.5

Add new version of protobuf as a separate package.

Signed-off-by: George Sapkin <redacted>

protobuf: move existing package to protobuf-compat

Move existing protobuf package to protobuf-compat to support packages that
don't work with modern version of Protobuf.

Install headers and libraries into /usr/protobuf-compat so as not to
confuse other packages with duplicate headers, and to prevent paths
conflicts with non-compat Protobuf.

Install link protoc as protoc-compat.

Signed-off-by: George Sapkin <redacted>

zabbix: prevent invalid package selection

zabbix-sender and zabbix-get are only build if agentd is built.
Therefore do not allow selection them if the full agentd is not
being built.

Signed-off-by: Daniel F. Dickinson <redacted>

zabbix: bump version

Update to version 7.0.26 (latest LTS).

Signed-off-by: Daniel F. Dickinson <redacted>

fish: updated to 4.7.1

Update the build flags to the new spelling required by fish.

The groff directory no longer exists, and the manual pages are never
built, so there's no need to remove them.

The MIPS patch was cherry-picked from upstream and can be dropped.

Signed-off-by: David Adam <redacted>

fontconfig: fix build with SDK producing -dD style output

Some SDK/host GCC configurations, when meson invokes cc.preprocess() to
expand fcobjshash.gperf.h, produce output that includes predefined macro
dumps (e.g. #define __STDC__ 1) alongside linemarker lines. The upstream
cutout.py script, which strips CUT_OUT_BEGIN/END-delimited sections from
the preprocessed output before feeding it to gperf, passes these lines
through verbatim into fcobjshash.gperf.

gperf then copies them into the declarations section of fcobjshash.h.
When fcobjs.c includes fcobjshash.h, the compiler encounters #define
redefinitions and stray # tokens, causing a build failure.

Fix cutout.py to skip any line starting with # (C preprocessor
linemarkers and predefined macro definitions) before writing to the
output gperf file.

Signed-off-by: Alexandru Ardelean <redacted>

exfatprogs: update to 1.3.2

1.3.2 (2026-03-09):
* fsck.exfat: add an option to show a progress bar
* mkfs.exfat: discard blocks prior to write outs by default
* mkfs.exfat: add a read-after-write verification for the VBR
* exfatprogs: adjust utility exit codes
* dump.exfat: handle paths including '.', '..', and repeated '/'
* fsck.exfat: convert 0x80 entries into deleted file entries

1.3.1 (2025-12-15):
* fsck.exfat: support repairing the allocation bitmap size
* exfatprogs: temporarily disable building defrag.exfat (data loss)
* libexfat: fix a NULL pointer dereference in read_file_dentry_set()

1.3.0 (2025-10-15):
* defrag.exfat: new tool to defragment an exFAT filesystem
* mkfs.exfat: minimize zero-out initialization in quick format mode
* fsck.exfat: set the entry after an unused entry as unused
* Various bug fixes

Link: https://github.com/exfatprogs/exfatprogs/blob/1.3.2/NEWS
Signed-off-by: Daniel Golle <redacted>

gpgme: update to 2.0.1

Major version update from 1.24.2 to 2.0.1.

Major change: the C++ bindings (libgpgmepp), Qt bindings, and
Python bindings have been split off into separate packages
upstream. The libgpgmepp subpackage is dropped here too; consumers
that need C++ bindings will have to be ported once gpgme++ is
packaged separately.

Changes from 1.24.x -> 2.0.x:
* New gpgme_op_random_bytes / gpgme_op_random_value functions
   to get cryptographically strong random data from gpg.
* New decrypt flag to skip actual decryption so that
   information about recipients can be retrieved.
* New flag for key generation to mark a (sub)key as group owned.
* gpgme_signers_add: when key was retrieved with fingerprint!'!'
   suffix, the requested subkey is used for signing.
* timestamp/expires fields changed from signed long to unsigned
   long for better 32bit time_t support.
* Removed long-deprecated gpgme_attr_t enums and functions.
* Removed never-implemented GPGME_EXPORT_MODE_NOUID flag.
* Removed entire trustlist feature.

2.0.1:
* Adjust for changes to the posix test(1) command.
* Extend internal gpgsm_assuan_simple_command to consume diag
   output (fixes possible lockup).

Drop --enable-languages=cpp from configure args (no longer
supported), Build/InstallDev no longer copies the C++ headers,
cmake bits or libgpgmepp shared library, and remove the
libgpgmepp Package definition.

Link: https://dev.gnupg.org/source/gpgme/browse/master/NEWS
Signed-off-by: Daniel Golle <redacted>

gnupg2: update to 2.5.19

Update GnuPG to the current upstream stable release. As listed at
https://gnupg.org/download/, the 2.5.x series is currently 'stable'
while 2.4.x is 'oldstable' (LTS).

Highlights of changes since 2.4.8:
* New OpenPGP key formats: Curve25519 and Curve448 (RFC9580)
* SHA3 family signature support
* Kyber post-quantum hybrid keys
* KEM (Key Encapsulation Mechanism) operations
* dirmngr: improved LDAP and HTTP keyserver support
* scdaemon: better support for new smartcard tokens
* Many bug fixes and security improvements

Link: https://dev.gnupg.org/source/gnupg/browse/master/NEWS
Link: https://gnupg.org/download/release_notes.html
Signed-off-by: Daniel Golle <redacted>

libksba: update to 1.6.8

Changes since 1.6.7:
* Fix double increment in DN parser while counting hexdigits.
* Fix a memory leak in the BER decoder's error handling.
* Fix an assertion failure in the OCSP code.
* Support SHA256 based CertIDs in OCSP.
* Use nonstring attribute for gcc-15.
* Remove remaining WindowsCE support.

Link: https://dev.gnupg.org/source/libksba/browse/master/NEWS
Signed-off-by: Daniel Golle <redacted>

pcsc-tools: update to 1.7.4

1.7.4 (13 February 2026):
- pcsc_scan: use different variables for spin running and state
- pcsc_scan: give some time to the spinner thread in spin_start()
- Various ga workflow improvements (Windows artifact upload, etc.)

Link: https://pcsc-tools.apdu.fr/
Signed-off-by: Daniel Golle <redacted>

pcsc-lite: update to 2.4.1

2.4.1 (1 January 2026):
- Add backward version support on the client side
- Add backward version support on the server side
- hotplug libudev: rescan the USB bus with "pcscd --hotplug"
- fix a value in pcscd.service systemd file
- meson: install systemd files even if libsystemd is not used

2.4.0 (19 October 2025):
- Run pcscd under a pcscd user instead of root when using systemd
- Set PIDFile in systemd service file
- Protect contextMapList modifications using a mutex
- meson: fix libpcsclite.pc, respect default_library option

Link: https://pcsclite.apdu.fr/files/ChangeLog
Signed-off-by: Daniel Golle <redacted>

opensc: update to 0.27.1

0.27.0 includes a number of CVE fixes and many improvements:

Security fixes (0.27.0):
* CVE-2025-13763: Uninitialized memory uses detected by fuzzers
* CVE-2025-49010: Write beyond buffer bounds in GET RESPONSE APDU
* CVE-2025-66215: Write beyond buffer bounds in oberthur driver
* CVE-2025-66038: Read beyond buffer bounds in PIV historical bytes
* CVE-2025-66037: Buffer overrun while parsing SPKI

General improvements:
* Added support for PKCS#11 3.2 in tools and pkcs11-spy/p11test
* Added support for Ed448, X448 mechanisms; improved Edwards and
Montgomery key support.
* Support CKA_PUBKEY_KEY_INFO PKCS#11 attribute.
* Remove obsolete tokend support.
* Correctly detect OS-level FIPS mode in OpenSSL automatically.
* Added support for Brainpool twisted curves.
* EsteID: EstEID 2025, FinEID 4.0/4.1, Latvian IDEMIA Cosmo X & 8.2.
* D-Trust Card 5.1 & 5.4 with PIN change/unblock.
* Belpic: support for belpic applet version 1.8.
* Many other card-specific improvements (OpenPGP, PIV, ...).

0.27.1 is a bug-fix release for infrastructure issues.

Link: https://github.com/OpenSC/OpenSC/blob/0.27.1/NEWS
Signed-off-by: Daniel Golle <redacted>

ccid: update to 1.7.1

1.7.1 (4 February 2026):
- Add support of: ACS APG8201-B2, BUDGET E-ID BUD001, CHERRY Smart
   Board 1150, CryptnoxCR CryptnoxCR, Diebold Nixdorf PN7362au CCID,
   FT BioPass FIDO2 Pro, Nitrokey Nitrokey Passkey
- Add SCARD_CTL_CODE(3601): USB path of the reader
- Some other minor improvements

1.7.0 (2 October 2025):
- Add support of: GIGA-TMS NFC CCID Reader, Identiv SmartOS Reader,
   SEC1210URT, TOKEN2 FIDO2 Security Key (multiple variants),
   TOKEN2 Molto2 (older version), VIX TECHNOLOGY SECURE READER
- Remove support of SIMHUB pcsc reader
- Give pcscd group permission to CCID devices in udev rule
- Avoid a timeout issue with the Thales Fusion NFC reader
- Provide the option to synchronize the 2 interfaces of a SEC1210
- Some other minor improvements

Link: https://ccid.apdu.fr/files/ChangeLog
Signed-off-by: Daniel Golle <redacted>

fluidsynth: update to 2.5.4

Update spans 2.4.7 -> 2.5.4. Highlights:
* 2.5.x: Major version with API additions for handling sequencer
   client unregistration, MIDI file reading flexibility, soundfont
   selectors and sample tuning improvements.
* Various bug fixes for SF3 voice handling, reverb engine
   stability, GM/GS/XT mode reset behaviour and audio drivers
   (PortAudio, SDL2, Pulseaudio, JACK, OPL).
* Build system fixes including CMake updates and new toolchain
   compatibility.

fluidsynth >= 2.5 requires GCEM (a header-only constexpr math
library) at build time. Build-depend on the new 'gcem' package,
which installs the headers and CMake config files into staging
where find_package(GCEM REQUIRED) picks them up. This replaces
upstream's git-submodule / CMake-time-download fallback, neither
of which is acceptable in OpenWrt's offline build model.

gcem is header-only (INTERFACE-only CMake target), so there is
no shared library to link against; the dependency exists at
build time only, expressed as PKG_BUILD_DEPENDS:=gcem.

Link: https://github.com/FluidSynth/fluidsynth/releases/tag/v2.5.4
Link: https://github.com/FluidSynth/fluidsynth/wiki/ReleaseNotes
Signed-off-by: Daniel Golle <redacted>

gcem: new package

GCE-Math (Generalized Constant Expression Math) is a templated C++
library enabling compile-time computation of mathematical functions.
It is a header-only library, so this package is BUILDONLY:=1; the
headers and CMake config files land in staging_dir for consumers to
pick up via find_package(GCEM).

Needed as a build dependency for fluidsynth >= 2.5, whose upstream
build expects gcem at configure time and (absent a system copy)
falls back to a CMake-time download from GitHub - which breaks in
offline / restricted-network build environments such as the OpenWrt
CI.

Pinned to commit 012ae73c (2024-04-28), the revision referenced by
fluidsynth 2.5.x's bundled FindGCEM.cmake / git submodule.

CMAKE_POLICY_VERSION_MINIMUM=3.5 is set because upstream's
CMakeLists.txt declares cmake_minimum_required(VERSION 3.1), which
trips current CMake's deprecated-policy guard.

Link: https://github.com/kthohr/gcem
Signed-off-by: Daniel Golle <redacted>

libinput: update to 1.31.1

Update from 1.28.1, spanning the 1.29.x, 1.30.x and 1.31.x release
series.

Highlights:
* 1.31.0: New 'high-resolution scroll' API and per-device button
   debouncing improvements; tablet pad mode support reworked.
* 1.30.0: Added support for new touchpad and tablet device quirks;
   improved gesture detection on multi-touch devices.
* 1.29.0: New configuration knobs for trackpoint acceleration and
   improved palm detection.
* Continuous bug fixes and updated device quirks throughout.

Link: https://gitlab.freedesktop.org/libinput/libinput/-/tags/1.31.1
Link: https://wayland.freedesktop.org/libinput/doc/latest/
Signed-off-by: Daniel Golle <redacted>

libmanette: update to 0.2.13

Changes since 0.2.12:
- Update controller mappings

Link: https://gitlab.gnome.org/GNOME/libmanette/-/blob/0.2.13/NEWS
Signed-off-by: Daniel Golle <redacted>

libwacom: update to 2.18.0

Changes since 2.16.1:

2.18.0:
- New Devices:
   - XP-Pen Deco MW (bluetooth), Deco02
   - Huion Kamvas Pro 19
   - Lenovo ThinkVision M14t Gen 2
- New API: libwacom_stylus_is_generic() returns true for generic
   styli that are added by libwacom.

2.17.0:
- New Devices:
   - Dell Inspiron 14 7445 2-in-1
   - Wacom One 14
   - Huion Kamvas 13 (Gen 3), Kamvas 16 (Gen 3)
   - Waltop Batteryless Tablet
   - XP-Pen Deco Pro LW (Gen 2)
   - Wacom styli IDs updated and aliased in preparation for
     upcoming kernel changes.

Link: https://github.com/linuxwacom/libwacom/blob/libwacom-2.18.0/NEWS
Signed-off-by: Daniel Golle <redacted>

Revert "ci: cancel in-progress Test and Build runs on PR update"

The previous commit broke the CI/CD pipeline, which now fails with the following error:
```
Canceling since a deadlock was detected for concurrency group: 'Test and Build-refs/pull/foo/merge' between a top level workflow and 'Feeds Package Test Build'
```

This likely occurs because the reusable workflow [1] already defines its own concurrency group.

[1] https://github.com/openwrt/actions-shared-workflows/blame/7325a2849900f35af61a08ccd7311b0c8d439246/.github/workflows/multi-arch-test-build.yml#L13

This reverts commit 753e26a1312b5b318ae8bb976e1443428afda21a.

Signed-off-by: Josef Schlehofer <redacted>

python-platformio: add target package

Remove host-only build and add source package.

Adding missing ajsonrpc dependency to PlatformIO.

Link: https://github.com/search?q=repo%3Aplatformio%2Fplatformio-core%20ajsonrpc&type=code
Signed-off-by: George Sapkin <redacted>

python-wsproto: add host package

Add host package necessary for python-platformio/host.

Signed-off-by: George Sapkin <redacted>

python-uvicorn: add new package

Uvicorn is an ASGI web server implementation for Python.

Signed-off-by: George Sapkin <redacted>

python-starlette: add new package

Starlette is a lightweight ASGI framework/toolkit, which is ideal for
building async web services in Python.

Signed-off-by: George Sapkin <redacted>

python-semantic-version: add target package

Remove host-only build.

Signed-off-by: George Sapkin <redacted>

python-marshmallow: add new package

A lightweight library for converting complex datatypes to and from native
Python datatypes.

Signed-off-by: George Sapkin <redacted>

python-h11: add host package

Add host package necessary for python-uvicorn/host.

Signed-off-by: George Sapkin <redacted>

python3-bottle: add host package

Add host package necessary for python-platformio/host.

Signed-off-by: George Sapkin <redacted>

python-anyio: add new package

High-level concurrency and networking framework on top of asyncio or Trio.

Signed-off-by: George Sapkin <redacted>

python-ajsonrpc: add new package

Lightweight JSON-RPC 2.0 protocol implementation and asynchronous server
powered by asyncio. This library is a successor of json-rpc and written
by the same team.

Signed-off-by: George Sapkin <redacted>

bsbf-resources: update to GIT HEAD of 2026-05-11

Update bsbf-resources to the GIT HEAD of 2026-05-11.

- Do not add more than 8 WANs with files/etc/uci-defaults/99-bsbf-bonding.
- resources-client/bsbf_bonding.nft now destroys the bsbf_bonding table
before adding it. Therefore, no need to delete the table anymore. And use
the destroy command to successfully exit even when the table doesn't exist.

Signed-off-by: Chester A. Unal <redacted>

bsbf-openwrt-resources: add network to firewall wan zone

Add the network entries that bsbf-autoconf-cellular and bsbf-autoconf-dhcp
create, to the firewall wan zone.

Signed-off-by: Chester A. Unal <redacted>

coreutils: update to 9.11

Release notes:
https://lists.gnu.org/archive/html/coreutils-announce/2026-02/msg00000.html
https://lists.gnu.org/archive/html/coreutils-announce/2026-04/msg00000.html

- Add --enable-install-program=kill,uptime
since 9.10 these programs are no longer built by default.
- Drop upstream backported patch and refresh remaining patches.

Signed-off-by: Wei-Ting Yang <redacted>

adblock: update 4.5.5-3

- added 4 missing hagezi categories
- added 2 missing ipfire dbl categories
- fixed 2 stevenblack categories
- minor code improvements and fixes

Signed-off-by: Dirk Brenken <redacted>

jsoncpp: build with C++17 to enable string_view API

jsoncpp 1.9.7 added std::string_view overloads for Value::get() and
Value::operator[], but these are only compiled when C++17 is active.
Building with the default C++11 standard leaves those symbols out of
the library, causing link failures for consumers that include the
headers with C++17 enabled (e.g. upmpdcli 1.9.17, domoticz 2025.2).

Add -Dcpp_std=c++17 to the meson args so the string_view API is
available in the installed library.

Signed-off-by: Alexandru Ardelean <redacted>

scons: recent update failed to update a patch

The recent commit 048a5088c515f737fecfd797807c9dfa6302fc0f updated
scons to 4.10.1, but neglected to correct a version related path in
a patch. This fixes that oversight, so that scons hostpkg builds
again. Also, fix up fuzz in the patches.

Signed-off-by: Russell Senior <redacted>

boost: updates package to version 1.91.0

This commit updates boost to version 1.91.0

New libraries in this release:
* Decimal [2]: An implementation of IEEE754 Decimal Floating Point Numbers,
from Matt Borland and Christopher Kormanyos.

More info about Boost 1.91.0 can be found at the usual place [1].

[1]: https://www.boost.org/users/history/version_1_91_0.html
[2]: https://www.boost.org/libs/decimal

Signed-off-by: Carlos Miguel Ferreira <redacted>

micropython-lib: update to 1.28.0, add test.sh

micropython-lib is a companion repository to micropython, versioned in
lockstep. Both are now at 1.28.0 (released 2026-04-06).

The 001-build-unix-ffi.patch remains needed as the upstream has not yet
incorporated the --unix-ffi argument into the tools/build.py script.

test.sh:
- micropython-lib: verify stdlib-replacement modules (collections,
functools, base64) can be imported via the /usr/lib/micropython path
- micropython-lib-unix: verify the micropython-unix wrapper script exists
and that sqlite3/select are importable via the unix-ffi path

Signed-off-by: Alexandru Ardelean <redacted>

micropython: update to 1.28.0

Changes since 1.27.0:
- New machine.CAN class with bindings for the stm32 port; support across
  all ports to follow
- machine.PWM support added to stm32 and alif ports, completing coverage
  of all Tier 1/2 MCU-based ports
- Template strings (t-strings, PEP 750) added at the "full feature" level
- weakref module added with weakref.ref and weakref.finalize classes
- f-strings now support nested f-strings within expressions
- Optimisations to native emitter; new RISC-V Zcmp arch flag for RV32
- extmod.mk: add extmod/machine_can.c (shifts the mbedtls hunk by 1 line;
  update 040-extmod-use-external-mbedtls.patch accordingly)

micropython-lib is updated in lockstep in a separate commit.

Ref: https://github.com/micropython/micropython/releases/tag/v1.28.0
Signed-off-by: Alexandru Ardelean <redacted>

lua-eco: update to 4.0.0

changelog: https://github.com/zhaojh329/lua-eco/releases/tag/v4.0.0

Signed-off-by: Jianhui Zhao <redacted>

onigumura: fix library installation

Commit 537c2a631 ("treewide: avoid deref symlinks when installing .so")
intended to avoid duplicating .so* files, but this package actually
relies on install dereferencing the file that matches the SONAME
version, to avoid installing unnecessary symlinks.

Fixes: https://github.com/openwrt/packages/issues/29387
Fixes: 537c2a631 ("treewide: avoid deref symlinks when installing .so")
Signed-off-by: Eneas U de Queiroz <redacted>

ci: cancel in-progress Test and Build runs on PR update

When a contributor pushes a new commit to an open PR, the previous
Test and Build run is no longer informative and only consumes a
runner slot that the new run could use. Add a concurrency group
keyed on the workflow name and ref so a fresh push cancels the
prior in-progress run for the same PR.

Since this workflow only triggers on pull_request, the ref is
always refs/pull/<num>/merge (unique per PR), so cancel-in-progress
can be set unconditionally.

Co-Authored-By: Claude Opus 4.7 (1M context) <redacted>
Signed-off-by: Hauke Mehrtens <redacted>

haveged: update to 1.9.20

Update to version 1.9.20.

Signed-off-by: Hannu Nyman <redacted>

transmission: update to 4.1.1

Bug-fix release. Fixes 20+ bugs and includes some performance
improvements. All users are encouraged to upgrade.

Highlights (all platforms):
* Fixed a 4.1.0 bug that failed to report some filesystem errors
   to RPC clients querying free space.
* Fixed a 4.1.0 bug that kept a torrent's updated queue position
   from being shown.
* Fixed a 4.1.0 bug that caused torrents' queuing order to
   sometimes be lost between sessions.
* Hardened .torrent parsing by exiting sooner if 'pieces' has
   an invalid size.
* Reverted a 4.1.0 RPC change that broke some 3rd party code by
   returning floats rather than integers for speed limit fields.
* Fixed crash when pausing a torrent and editing its tracker
   list at the same time.
* Fixed 4.1.0 crash on arm32 by switching crc32 libraries to
   Mark Adler's crcany.
* Require UTF-8 filenames in .torrent files (per BitTorrent spec).
* Fixed crash when parsing a .torrent file with a bad 'pieces' key.
* Fixed potential fd leak when launching scripts on POSIX systems.
* Changed network traffic algorithm to spread bandwidth more
   evenly amongst peers.

Link: https://github.com/transmission/transmission/releases/tag/4.1.1
Signed-off-by: Daniel Golle <redacted>

libb64: update to 2.0.0.1

Patch release fixing build system issues with the 2.0.0 release.
2.0.0 introduced API changes including:
* Version macros for detection of incompatible API / version
* size_t as argument to allow longer base64 encoded strings
* Configurable line break functionality
* Flags field for encoder
* Helpers to calculate required output buffer maximum lengths
* Switched in-/out-pointers to void*

Link: https://github.com/libb64/libb64/blob/v2.0.0.1/CHANGELOG.md
Signed-off-by: Daniel Golle <redacted>

glib2: update to 2.88.1

Bump from 2.82.0 to the current upstream stable. Required by GTK
4.22 and other recent GNOME-stack consumers (gtk 4.22 requires
glib >= 2.84).

Refresh 006-c99.patch for upstream context shift; the patch
forces HAVE_C99_SNPRINTF/VSNPRINTF and HAVE_UNIX98_PRINTF to
true when cross-compiling, since upstream now only does that
implicitly for the darwin/iOS/tvOS triplet.

Link: https://gitlab.gnome.org/GNOME/glib/-/tags/2.88.1
Signed-off-by: Daniel Golle <redacted>

flup: remove the package

Flup was heavily used in downstream distribution (Turris OS)
for their Web UI - reForis. Since there are no other
dependent packages in this repository, Flup is no longer needed.

The package appears to be abandoned and is no longer maintained
The latest version dates back to 2009.

It was previously required for Seafile.

Signed-off-by: Josef Schlehofer <redacted>

coreutils: add generic version check override

Override generic version checks to skip them for some of the tools that
don't report their versions.

Signed-off-by: George Sapkin <redacted>

lksctp-tools: add generic version check override

Override generic version checks to skip them altogether because none of the
tools report their versions.

Signed-off-by: George Sapkin <redacted>

checksec: update to 3.1.0

The upstream repository was renamed from checksec.sh to checksec and the
main script was renamed from checksec to checksec.bash (still installed as
/usr/bin/checksec). The checksec_automator subpackage was removed upstream,
so drop it. Update PKG_NAME accordingly and adjust the install rule.

Changelog: https://github.com/slimm609/checksec/releases/tag/3.1.0

Co-authored-by: George Sapkin <redacted>
Signed-off-by: Alexandru Ardelean <redacted>

sispmctl: update to 4.12

Command-line tool for controlling GEMBIRD SiS-PM USB-controlled power strips.

Changelog: https://sourceforge.net/p/sispmctl/news/

Signed-off-by: Alexandru Ardelean <redacted>

stress-ng: update to 0.21.00

Spans two minor release cycles (0.19.04 to 0.21.00), adding new stressors,
improved architecture support, and various bug fixes.

Changelog: https://github.com/ColinIanKing/stress-ng/blob/V0.21.00/CHANGES

Signed-off-by: Alexandru Ardelean <redacted>

less: update to 692

Update test.sh to use $2 (positional version argument) instead of the
$PKG_VERSION environment variable, and add a check that the alternative
binary /usr/libexec/less-gnu is present.

Changelog: https://www.greenwoodsoftware.com/less/news.692.html

Signed-off-by: Alexandru Ardelean <redacted>