On Sat, Sep 27, 2025 at 07:16:33PM +0200, Hauke Mehrtens wrote: > How well can we integrate DNS into the LuCI web interface?
Very good question. I'm not into that whole web side of things at all. > DNS is also not authenticated, it should be fine if the attacker could only > prevent the UI from showing an update notification, but it should not be > able to tell the user where to get the update. That's what I thought: Only indicate the presence of a newer release, not where to get it. > I think we would get some negative feedback from users when we remove apk > from the default images. We could offer an option in the ASU web interface > to remove APK. > If we have a button to generate a default image without apk in the firmware > selector UI it would be sufficient: > https://firmware-selector.openwrt.org/?version=24.10.3&target=mediatek%2Fmt7622&id=linksys_e8450 > Removing it manually from the list is a bit complicated for the novice user. On many devices the only possible outcome of trying to use the package manager is a brick because rootfs_overlay got only 1 or 2 JFFS2 blocks total. So even **deleting** a package would result in a brick as the list of installed packages would be copied to the rootfs_overlay as a consequence of *any* change... Apart from just not installing the package manager, I believe we should also not install 'ca-bundle' on SMALL_FLASH devices, and also select CONFIG_CLEAN_IPKG=y by default. Together with an easy to use way to generate and install custom ASU-generated images for such a devices the outcome would be something much more intuitive and user-friendly than an anyway broken package manager (opkg or apk are equally affected by this problem, obviously). > > > Do we have to install luci-app-attendedsysupgrade and owut for this or is > > > it > > > possible with less? > > > > Either of the two packages is sufficient, we don't need both of them. > > > > > > > > Should we add luci-app-attendedsysupgrade as a dependency to > > > luci/collections/luci/Makefile ? > > > > I'd say yes, but that's just my opinion. > > I think this is a good option. > > > > Should we move utils/attendedsysupgrade-common from the package feed to > > > the > > > main repository? > > > > I suggest to merge the content of the utils/attendedsysuprade-common > > package into base-files, as the packaging overhead is bigger than the > > actual content (a single UCI configuration file). > > I agree with you. > > Maybe we should handle the ASU signing key a bit special. > This key is not as good protected as the other keys. > Maybe store it in /etc/opkg/asu-key/ and use this key for signature checks > initialized by the tools using ASU intentionally only. +1 makes a lot of sense! > So to summarize: > * Add luci-app-attendedsysupgrade as a dependency to the LuCI default > collections for all builds with use LuCI. > * Add OWUT for !SMALL_FLASH > * The automatic checks for updates should be opt in, we can keep it like it > is for now and improve later. +1 > > I would keep apk for now, but make it easy for users to generate images > without apk in the firmware selector UI. Ok, but lets somehow expose CONFIG_CLEAN_IPKG as an option to the IB and ASU as well. That, together with dropping libuclient, ca-bundle and owut can be a good option for SMALL_FLASH devices which are then still suitable for running LuCI and offer a good overall UIX. _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
