luci-app-attendedsysupgrade and owut by default?
Daniel Golle
daniel at makrotopia.org
Sat Sep 27 10:40:41 PDT 2025
On Sat, Sep 27, 2025 at 07:16:33PM +0200, Hauke Mehrtens wrote:
> How well can we integrate DNS into the LuCI web interface?
Very good question. I'm not into that whole web side of things at all.
> DNS is also not authenticated, it should be fine if the attacker could only
> prevent the UI from showing an update notification, but it should not be
> able to tell the user where to get the update.
That's what I thought: Only indicate the presence of a newer release,
not where to get it.
> I think we would get some negative feedback from users when we remove apk
> from the default images. We could offer an option in the ASU web interface
> to remove APK.
> If we have a button to generate a default image without apk in the firmware
> selector UI it would be sufficient:
> https://firmware-selector.openwrt.org/?version=24.10.3&target=mediatek%2Fmt7622&id=linksys_e8450
> Removing it manually from the list is a bit complicated for the novice user.
On many devices the only possible outcome of trying to use the package
manager is a brick because rootfs_overlay got only 1 or 2 JFFS2 blocks
total. So even **deleting** a package would result in a brick as the
list of installed packages would be copied to the rootfs_overlay as a
consequence of *any* change...
Apart from just not installing the package manager, I believe we should
also not install 'ca-bundle' on SMALL_FLASH devices, and also select
CONFIG_CLEAN_IPKG=y by default. Together with an easy to use way to
generate and install custom ASU-generated images for such devices the
outcome would be something much more intuitive and user-friendly than
an anyway broken package manager (opkg or apk are equally affected by
this problem, obviously).
> > > Do we have to install luci-app-attendedsysupgrade and owut for this or is it
> > > possible with less?
> >
> > Either of the two packages is sufficient, we don't need both of them.
> >
> > >
> > > Should we add luci-app-attendedsysupgrade as a dependency to
> > > luci/collections/luci/Makefile ?
> >
> > I'd say yes, but that's just my opinion.
>
> I think this is a good option.
>
> > > Should we move utils/attendedsysupgrade-common from the package feed to the
> > > main repository?
> >
> > I suggest to merge the content of the utils/attendedsysupgrade-common
> > package into base-files, as the packaging overhead is bigger than the
> > actual content (a single UCI configuration file).
>
> I agree with you.
>
> Maybe we should handle the ASU signing key a bit special.
> This key is not as well protected as the other keys.
> Maybe store it in /etc/opkg/asu-key/ and use this key for signature checks
> initialized by the tools using ASU intentionally only.
+1 makes a lot of sense!
> So to summarize:
> * Add luci-app-attendedsysupgrade as a dependency to the LuCI default
> collections for all builds which use LuCI.
> * Add OWUT for !SMALL_FLASH
> * The automatic checks for updates should be opt in, we can keep it like it
> is for now and improve later.
+1
>
> I would keep apk for now, but make it easy for users to generate images
> without apk in the firmware selector UI.
Ok, but let's somehow expose CONFIG_CLEAN_IPKG as an option to the IB and
ASU as well. That, together with dropping libuclient, ca-bundle and
owut can be a good option for SMALL_FLASH devices which are then still
suitable for running LuCI and offer a good overall UIX.
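
The constraint discussed in this thread (an unauthenticated DNS answer may signal that a newer release exists, but must never say where to get it), as an added example that is not part of the original message or of OpenWrt's code. It assumes a hypothetical TXT record carrying a bare version string; `parseVersion`, `compareVersions`, `updateHint` and the record format are illustrative names.

```javascript
// Added example: treat an unauthenticated DNS TXT answer as a boolean hint only.
// Assumption: the record carries a bare version string; this is not an OpenWrt spec.

const VERSION_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:-rc(\d{1,2}))?$/;

// Parse "24.10.3" or "24.10.0-rc2" into a comparable array; null for anything else.
function parseVersion(text) {
  if (typeof text !== 'string' || text.length > 16) return null;
  const m = VERSION_RE.exec(text);
  if (!m) return null;
  // A final release sorts after every release candidate of the same version.
  const rc = m[4] === undefined ? Infinity : Number(m[4]);
  return [Number(m[1]), Number(m[2]), Number(m[3]), rc];
}

// Returns -1, 0 or 1 for two arrays produced by parseVersion.
function compareVersions(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True only when the hint is well-formed and strictly newer than what is running.
// The return value is a boolean by design: nothing from the DNS answer (no URL,
// host name or file name) is passed on to whatever later fetches the image.
function updateHint(txtRecord, runningVersion) {
  const running = parseVersion(runningVersion);
  const advertised = parseVersion(txtRecord);
  if (running === null || advertised === null) return false;
  return compareVersions(advertised, running) > 0;
}

// Constructed sample answers, checked against a device running 24.10.3.
const samples = [
  '24.10.4',                                  // newer release: show the notice
  '24.10.2',                                  // older: ignored
  '25.0.0 https://mirror.example/fw.bin',     // carries a location: rejected whole
  '<b>24.10.4</b>',                           // markup: rejected, never rendered
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', updateHint(s, '24.10.3'));
}
```

A spoofed or suppressed answer can then only show or hide the notice; the image itself still comes from the configured upgrade server and is checked there.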