Ukwehluleka kumaseva e-OpenWrt ASU kuvumela izithombe eziguquliwe ukuthi zisatshalaliswe

Darkcrizt

Imizuzu ye-4

I-ASU-Igqekeziwe

Imininingwane mayelana ne- Ubungozi ezimeni ze-ASU (Uye kwi-SysUpgrade) ngu-OpenWrt. Kutholwe ubungozi vumela abahlaseli ukuthi bafake engcupheni ama-artifact ukwakha amakhodi asakazwa ngamaseva e-sysupgrade.openwrt.org noma amaseva ezinkampani zangaphandle ze-ASU, okusiza ukufakwa kwe-firmware eyingozi kumadivayisi wezisulu.

Isevisi ye-ASU iyithuluzi elibalulekile elivumela abasebenzisi be-OpenWrt ukuthi bakhiqize izibuyekezo ze-firmware ezifanelana nezinhlelo zabo ngaphandle kokulahlekelwa ukucupha okufakiwe noma amaphakheji. Abasebenzisi bangenza lezi zibuyekezo ngokusebenzisa isixhumi esibonakalayo sewebhu noma ithuluzi lomugqa womyalo, okwenza inqubo ifinyeleleke futhi isebenze kahle. Kodwa-ke, lokhu kufinyeleleka nakho kwethula izingozi, njengoba ukungabikho kwezindlela zokuqinisekisa ezicelweni eziya kuseva kushiya umnyango uvulekile ukuze abahlaseli baxhaphaze isistimu.

Kushiwo ukuthi ingxenye esengozini, i-ASU Server, inesibopho sokuphatha izicelo, iqala inqubo yokuhlanganisa izithombe ezizenzakalelayo isebenzisa i-ImageBuilder, kanye nokugcina lezi zithombe kunqolobane ukuze ziphinde zisetshenziswe. Ukusetshenziswa kwenqolobane, nakuba kusebenza kahle, kuwukhiye wenkinga, njengoba ubuqotho noma umsuka wezithombe ezigciniwe awuqinisekisiwe.

El ukuhlasela kuxhaphaza ukusebenza okubalulekile kwesevisi ye-ASU, ukuthi ivumela abasebenzisi ukuthi benze izithombe ze-firmware zangokwezifiso ngezicelo ezithunyelwe ngaphandle kokuqinisekisa. Umhlaseli angakwazi ukukhohlisa lezi zicelo ngokwethula uhlu lwephakheji oluklanywe ngokukhethekile ukuze lumiselele izithombe ezisemthethweni ezicelwe abanye abasebenzisi ngezinguqulo ezinonya ezakhiwe kusengaphambili. Lokhu kungenzeka ngenxa yokuthi iseva ye-ASU iphatha kanjani inqubo yokukhiqiza izithombe kanye nenqolobane.

Kusebenza kanjani lokhu kuhlasela?

  • Umhlaseli uthumela isicelo kuseva ye-ASU, engadingi ukuqinisekiswa.
  • Ikhohlisa uhlu lwephakeji ukuze ifake izithombe ezinonya esezikhiqizwe kakade ohlelweni.
  • Uma omunye umsebenzisi enza isicelo esisemthethweni sesithombe esifanayo, iseva, esikhundleni sokukhiqiza isithombe esisha, iletha inguqulo enonya kunqolobane yayo.

Mayelana nokuhlasela, kuthiwa kwenziwe ngenxa yoshintsho olwenziwa ngoJulayi 8 futhi lwaxazululwa ngoDisemba 4. Ukuze kuncishiswe umthelela futhi kuvikeleke isevisi ye-ASU, i-OpenWrt yasebenzisa amaseva ahlukene, ahlukene nezinhlelo zephrojekthi eziyinhloko, ngaphandle kokufinyelela kuzinsiza ezibucayi njengokhiye be-SSH nezitifiketi ezisetshenziselwa ukusayina izithombe ngokwedijithali.

El ukuhlaselwa kungenzeka ngenxa yobuthakathaka obubili :

  • Ukuba sengozini esicelweni isibambi build_reques.py:iphi ivumele umhlaseli ukuthi akhiphe imiyalo yenqubo yokwakha uma udlulisa amagama ephakheji afomethwe ngokukhethekile. Ukwehluleka ukuqinisekisa kahle izinhlamvu ezikhethekile emagameni ephakeji ngaphambi kokuzisebenzisa njengezimpikiswano zokwenziwa kuvumele abahlaseli ukuthi bafake imiyalo enonya phakathi nenqubo yokudala isithombe se-firmware. Ngenxa yalokho, umhlaseli angakwazi ukukhiqiza izithombe ezinonya kuseva, ezisayinwe ngokhiye olungile wokuhlanganisa.
  • Ukuba sengozini kulabhulali ye-util.py okuhlobene ne-SHA-256 hashi: Kulokhu, i Amahashi angu-SHA-256 asetshenziselwa ukuqinisekisa izithombe izinhlu ze-firmware kunqolobane zehliswe zaba izinhlamvu eziyi-12 kuphela, okwenza izinga le-entropy libe phansi kakhulu. Lokhu kwehliswa kuvumele umhlaseli ukuthi asebenzise amasu okukhetha ukushayisana ukuze enze isithombe esinonya ihashi laso elifane ngokusemthethweni nesithombe esivumelekile. Lokhu, kuhlangene nokuba sengozini kwe-Imagebuilder, kuvumele umhlaseli ukuthi "angcolise" inqolobane yeseva ye-ASU futhi abuyisele izithombe ezinonya kubasebenzisi abavamile abenza izicelo ezisemthethweni.

Ekugcineni, kushiwo ukuthi, nakuba i Onjiniyela be-OpenWrt babheka lokho la amathuba ukuthi lobu buthakathaka busetshenziswe ngempumelelo isondele ku-zero, kuyanconywa ukuthi abasebenzisi be-ASU buyisela i-firmware ye-OpenWrt kumadivayisi akho anenguqulo efanayo, njengesexwayiso.

Uma unjalo unentshisekelo yokwazi okwengeziwe ngayo, ungabheka imininingwane kufayela le- isixhumanisi esilandelayo.