Occasional updates about the DivestOS project.
February 12th 2021 Update
- February ASB builds were released between the 6th and 8th.
- Over 30 CVE patches for 3.10 were added.
- There have been many new kernel CVE patches as usual.
- [upstream] Updated to February ASB.
- [upstream] Updated WebView to Chromium 88.0.4324.152, which has many security fixes.
- starlte and star2lte have been dropped due to being broken.
- Hypatia was translated into German by Petra Mirelli.
- Mull saw 85.1.2 release.
- Petra Mirelli also made an F-Droid banner graphic for Hypatia.
- F-Droid banner graphics were also created for Mull and Extirpater.
- F-Droid screenshots were added for Mull, Hypatia, and Extirpater.
January 26th 2021 Update
- January ASB builds were released between the 10th and 14th.
- Rebuilds were published on the 24th through 26th, primarily for CVE patcher updates.
- IMS/VoLTE was made working on supported devices.
- CNE was removed after being briefly included in the Dec/Jan builds. This removal breaks Wi-Fi calling, but is likely worth the security benefits.
- The deblobber received tweaks to better handle more property edits.
- Part two of the Debian/retired Linux CVE import was completed. Linux 3.0, 3.4, and 3.10 devices benefit the most from this, averaging between 10 and 90 added CVE patches.
- The exec-based spawning feature from GrapheneOS was disabled. We likely failed to port it over correctly and the result is many subtle breakages.
- All versions now include the LineageOS 17.1 APN list for better cell carrier compatibility.
- All versions were mostly patched against the old CVE-2019-2306.
- umask is now explicitly set in the build scripts and many files had their permissions corrected. This fixes many subtle issues.
- [upstream] Updated to January ASB.
- [upstream] Updated WebView to Chromium 88.0.4324.93, which has many security fixes.
- mata has long-standing audio issues; the Lineage team has been trying to fix them. Currently the earpiece speaker works on calls, but the loud speaker cannot have its volume adjusted.
- The microphone issue on shamu was resolved; it was caused by our removal of some voice recognition blobs (which are required for adspd bring-up).
- bullhead now installs (and works) after removing the firmware images to work around the missing proprietary additions needed for their flashing.
- mako was re-enabled for 16.0 for users who do not want to re-partition their device.
- flo was re-enabled for 15.1, for users who do not want to re-partition their device.
- mako was re-enabled for 15.1 for testing purposes.
- hammerhead was re-enabled for 15.1 due to Bluetooth issues in 16.0.
- ether and shamu were re-enabled for 15.1 as they are the last versions with working IMS.
- star2lte was added to 17.1 and tested as broken, likely due to its usage of stock vendor.img.
- Mull saw 84.1.2, 84.1.4 and 85.1.0 releases.
- Hypatia had some commits forward-ported from the stable branch to the unfinished dev branch.
- The PrebuiltApps repository saw a handful of app updates.
- The device downloads page now supports serving multiple build versions per device.
- A 'news' page was added for changelogs and project history.
- A 'network connections' page was added for documenting connections made by the system.
- Pages with tables were fixed up for mobile.
- The 'recommended apps' page had some additions.
- The 'messengers' page received some needed updates.
- The credits and legal notices section of the 'about' page was updated.
- Some typos were fixed.
- An XMPP public chat room (MUC) was created! There have been a very small handful of users; please feel free to join at firstname.lastname@example.org.
December 16th 2020 Update
- November and December ASB builds have been released.
- Mull is now on its 3rd Fenix-based release, with the latest being 84.1.0. Huge thanks to @relan for their build scripts.
- Hypatia has been updated to show database release/update dates in addition to a multi-threading fix.
- Etar is now used for the calendar app across all versions.
- A handful of more proprietary blob variants have been removed.
- Vendor build fingerprints are now all replaced.
- Lots of miscellaneous fixes and cleanup.
- All 15.1 builds and higher are now fully dexpreopted; this allows for reduced memory usage and also decreased boot times on FDE devices.
- TCP SACK is no longer disabled. SACK PANIC has now been patched on nearly all kernels supported. It has valuable bandwidth saving benefits.
- There have been many new CVE patches, especially for 3.18 kernels.
- clark has been updated from 14.1 to 17.1 (potential modem issues). In-place upgrade has been tested to work, but your mileage may vary.
- flo has been updated from 15.1 to 17.1, but requires re-partitioning.
- cheeseburger/dumpling are compiling for 17.1, but not booting.
- coral and flame 17.1 builds are available (untested).
- rs988 and h990 17.1 builds are available (untested).
- yellowstone 16.0 builds are available (untested).
- h870 15.1 builds are available (untested).
- Paragraphs now have links for easy saving/sharing.
- Browser, recommended apps, and functionality tables have all been updated.
- A handful of credit updates.
- There is a new vanity onion address divestoseb5nncsydt7zzf5hrfg44md4bxqjs5ifcv4t7gt7u6ohjyyd.onion. The old address also still works.
- Most pages are now cached by the browser.
- Most text-based content served up will now be compressed either by deflate or brotli.
- Old DivestOS patches have been used to remove AmbientSDK from Replicant.
- 3G is starting to be rapidly phased out, meaning calls with most carriers will not be possible unless IMS/VoLTE works on your device.
- Heads up: LineageOS will most likely be dropping official 16.0 builds once 18.0/18.1 is released.
- Test how much breakage the deblobber is causing to the IMS stack, or if that is upstream.
- Finish importing this
- Add back AOSP patching support to the CVE patcher. It is undecided how to best implement it.
October 10th 2020 Update
- Most 3.4 devices should expect 40-100 more kernel CVE patches.
- Most 3.18 devices should expect 10-40 more kernel CVE patches.
- A handful of other kernel CVE patches are available for all other devices as per usual.
- Lots of work has been done on making the CVE patcher easier for other projects to use.
- Mull is now severely out of date. There hasn't been the time to rebase it. It is strongly suggested to use Bromite or the new Fennec F-Droid until then. The Bromite repo is already included in DivestOS F-Droid.
- victara build failed last month due to the recovery image being too large; however, it is now once again available.
- h850 and zenfone3 builds have been pulled as they were last updated in 2018 and 2019 respectively.
- [upstream] Updated to October security bulletin.
- [upstream] Updated WebView to Chromium 86.0.4240.75, which has many security fixes.
- 11/R builds will likely not be available until March with most devices hopefully being updated by May.
September 1st 2020 Update
- The CVE patch database now has many more patches thanks to importing data from the Civil Infrastructure Platform CVE tracker.
- The CVE patcher has had some minor fixes to improve output reliability.
- There have been some GPS fixes for all branches, which will be available in the next rebuilds.
- Many new (untested) devices: pro1, enchilada, fajita, guacamole, guacamoleb, and broken beryllium.
- Mull is likely on its last release due to the ESR 68 branch being closed off.
- Hypatia now supports an extra malware hash database from ESET.
- Credits and screenshots on the website have been updated.
- 2021/02/03: Added many Linux 3.10 CVE patches thanks to @cygwin.
- 2021/02/02: Hypatia was translated into German thanks to Petra Mirelli.
- 2021/01/24: Many Linux CVE patches were imported as part two of the Debian retired tracker import.
- 2020/12/24: The website gained support for serving multiple build versions for a device.
- 2020/12/21: VoLTE support was unbroken.
- 2020/12/21: The umask for the build scripts was adjusted, fixing many small issues.
- 2020/12/11: All non-LTS Linux CVE patches were dropped from the repository.
- 2020/11/06: Added many missing Linux CVE patches missed by the CIP scripts from Debian retired tracker.
- 2020/10/22: Mull was rebased onto Fenix, based on top of much effort from Relan.
- 2020/10/15: A critical issue was identified and resolved that affected many devices. It caused slow performance and boot issues. Originally introduced 2018/10/01.
- 2020/10/11: Initial inclusion of Etar for Calendar.
- 2020/10/06: Added many Linux 3.4 CVE patches thanks to @haggertk.
- 2020/09/18: Added many Linux 3.18 CVE patches from the AOSP 3.18 branch using the CIP scripts.
- 2020/08/07: Initial import of Linux CVE patches from the Civil Infrastructure Platform tracker.
- 2020/06/17: The start of providing GPG signatures for all builds.
- 2020/06/14: The CodeAurora CVE patch list was created.
- 2020/06/12: DivestOS is publicly released, initially on the F-Droid Forum.
- 2020/06/07: The AOSP CVE patch list was created.
- 2020/04/14: Initial support for building on top of LineageOS 17.1.
- 2019/10/18: Automated kernel hardening via command line arguments was introduced.
- 2019/10/04: Initial import of Linux CVE patches from the Google Project Zero tracker.
- 2019/09/25: Most signing keys were switched to RSA-4096.
- 2019/09/13: Per-device signing keys were introduced.
- 2019/08/28: Delta OTA support was introduced.
- 2019/08/27: Image signing was overhauled.
- 2019/08/05: Initial inclusion of OpenCamera and Simple Gallery.
- 2019/07/05: IPv6 privacy extensions were enabled on all devices.
- 2019/06/02: First versions to stop sending the IMSI to the SUPL, discovered by @MSe
- 2019/05/23: The .org was obtained.
- 2019/05/13: Initial import of many Linux CVE patches from the Red Hat CVE tracker.
- 2019/05/08: Initial work on restoring verified boot support in LineageOS began.
- 2019/04/04: The GrapheneOS hardened memory allocator was included for use on supported devices.
- 2019/03/12: PicoTTS was first patched to make it functional again.
- 2019/03/04: Initial support for building on top of LineageOS 16.0.
- 2019/03/04: Initial support for WireGuard was added.
- 2019/02/02: The website is overhauled onto SBNR.
- 2019/01/31: The Static But Not Really (SBNR) project is born out of the DivestOS website as a standalone minimal website framework.
- 2018/12/18: Support for building on top of LineageOS 11.0 was restored and rebased.
- 2018/10/20: Tor support was added to the OTA updater.
- 2018/09/11: Filesystem discards were enabled on /data.
- 2018/08/08: A-GPS MSA was disabled across all devices for increased privacy.
- 2018/07/13: The vendor overlay was created for more easily applying select changes.
- 2018/06/24: DivestOS finally received its own boot animation.
- 2018/06/17: The provisioner repository was created for quickly installing recommended apps via F-Droid.
- 2018/05/29: Initial import of Linux CVE patches from the Syzkaller tracker.
- 2018/05/21: Analytics libraries were degraded by injecting AndroidManifest overrides.
- 2018/05/13: The website is overhauled to use mini.css.
- 2018/05/11: Malware scanning via ClamAV support was added to the build scripts.
- 2018/04/28: Initial patches to support DNS66 loading defaults from system.
- 2018/04/01: The proprietary LOSCoins malware was removed before ever being included in DivestOS.
- 2018/03/13: The PrebuiltApps repo was created for including official/F-Droid builds of apps.
- 2018/03/08: F-Droid signed-off on the inclusion of F-Droid into the system.
- 2018/03/04: LineageOS signed-off on the re-branding being sufficient.
- 2018/02/13: Initial support for building on top of LineageOS 15.1.
- 2018/01/04: Very basic Spectre mitigations were automatically applied to 3.10 kernels.
- 2018/01/03: Very basic Spectre mitigations were applied to Mull.
- 2017/12/25: Mull came into existence.
- 2017/12/13: Veritas, now called Hypatia, was created as the first FOSS real-time malware scanner for Android systems.
- 2017/12/09: Automatic kernel hardening via defconfig overrides was introduced.
- 2017/11/21: Initial work on building Firefox for Android without blobs began.
- 2017/11/11: A script for deblobbing separate /firmware partitions was created.
- 2017/11/10: Initial automatic applying of Linux incrementals.
- 2017/11/07: Creation of our initial original Linux CVE patch list.
- 2017/11/02: Initial versioning of CVE patches to reduce breakage.
- 2017/10/30: Utilizing the new CVE patcher, all devices were mitigated against KRACK.
- 2017/10/29: Introduction of automatic kernel CVE patching for all devices.
- 2017/10/29: The CVE downloader/patcher project was created.
- 2017/10/14: The repositories were re-licensed to GPLv3.
- 2017/09/10: Extirpater saw its initial port to Android.
- 2017/08/01: A commit references a patch made four years earlier? Not too sure about this one.
- 2017/06/15: Silence was included in the images.
- 2017/06/04: Start of work on automated kernel CVE patching.
- 2017/06/04: The project was re-branded into DivestOS.
- 2017/05/30: OTA updates became supported.
- 2017/02/25: The dedicated website was created.
- 2017/01/25: The first revision of our automated deblobber was created.
- 2017/01/04: Public images were discontinued again.
- 2016/12/27: Work starts on rebasing onto LineageOS from CyanogenMod.
- 2016/12/21: The monorepo for what is now called DivestOS was created.
- 2016/07/10: Earliest recorded date of removing the proprietary AmbientSDK malware from our CyanogenMod 13.0 builds.
- 2016/04/26: The recommended apps list was released as a Gist on GitHub.
- 2016/03/19: Public images return, supporting 8 devices.
- 2016/03/03: Earliest recorded date of our UnifiedNLP backend, MergedWiFiNLP, utilizing simple CSV files.
- 2016/01/01: Public images were discontinued.
- 2015/11/20: First builds signed using proper release-keys.
- 2015/11/19: A PaX enabled kernel is successfully booted on bacon, based on work and with help from Daniel Micay.
- 2015/04/01: Our first CyanogenMod 12.1 based images were made available.
- 2014/12/31: The earliest recorded date of publicly offering custom images. They were based off of CyanogenMod 12 and available for five devices.