luci-app-attendedsysupgrade and owut by default?

Hauke Mehrtens hauke at hauke-m.de
Sun Nov 9 15:20:43 PST 2025


On 9/27/25 19:40, Daniel Golle wrote:
> On Sat, Sep 27, 2025 at 07:16:33PM +0200, Hauke Mehrtens wrote:
>> How well can we integrate DNS into the LuCI web interface?
> 
> Very good question. I'm not into that whole web side of things at all.
> 
>> DNS is also not authenticated, it should be fine if the attacker could only
>> prevent the UI from showing an update notification, but it should not be
>> able to tell the user where to get the update.
> 
> That's what I thought: Only indicate the presence of a newer release,
> not where to get it.
> 
>> I think we would get some negative feedback from users when we remove apk
>> from the default images. We could offer an option in the ASU web interface
>> to remove APK.
>> If we have a button to generate a default image without apk in the firmware
>> selector UI it would be sufficient:
>> https://firmware-selector.openwrt.org/?version=24.10.3&target=mediatek%2Fmt7622&id=linksys_e8450
>> Removing it manually from the list is a bit complicated for the novice user.
> 
> On many devices the only possible outcome of trying to use the package
> manager is a brick because rootfs_overlay got only 1 or 2 JFFS2 blocks
> total. So even **deleting** a package would result in a brick as the
> list of installed packages would be copied to the rootfs_overlay as a
> consequence of *any* change...
> 
> Apart from just not installing the package manager, I believe we should
> also not install 'ca-bundle' on SMALL_FLASH devices, and also select
> CONFIG_CLEAN_IPKG=y by default. Together with an easy to use way to
> generate and install custom ASU-generated images for such devices the
> outcome would be something much more intuitive and user-friendly than
> an anyway broken package manager (opkg or apk are equally affected by
> this problem, obviously).
> 
>>>> Do we have to install luci-app-attendedsysupgrade and owut for this or is it
>>>> possible with less?
>>>
>>> Either of the two packages is sufficient, we don't need both of them.
>>>
>>>>
>>>> Should we add luci-app-attendedsysupgrade as a dependency to
>>>> luci/collections/luci/Makefile ?
>>>
>>> I'd say yes, but that's just my opinion.
>>
>> I think this is a good option.
>>
>>>> Should we move utils/attendedsysupgrade-common from the package feed to the
>>>> main repository?
>>>
>>> I suggest to merge the content of the utils/attendedsysupgrade-common
>>> package into base-files, as the packaging overhead is bigger than the
>>> actual content (a single UCI configuration file).
>>
>> I agree with you.
>>
>> Maybe we should handle the ASU signing key a bit special.
>> This key is not as well protected as the other keys.
>> Maybe store it in /etc/opkg/asu-key/ and use this key for signature checks
>> initialized by the tools using ASU intentionally only.
> 
> +1 makes a lot of sense!
> 
>> So to summarize:
>>   * Add luci-app-attendedsysupgrade as a dependency to the LuCI default
>> collections for all builds which use LuCI.
>>   * Add OWUT for !SMALL_FLASH
>>   * The automatic checks for updates should be opt in, we can keep it like it
>> is for now and improve later.
> 
> +1

LuCI installs luci-app-attendedsysupgrade by default now, see:
https://github.com/openwrt/luci/pull/8080

Hauke




