Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Oct 9, 2013
  1. @tjmcs

    Merge pull request #79 from alexkonradi/enhancement/multiple-deb-pack…

    tjmcs authored
    Extend .deb package importing to support multiple sources
Commits on Aug 23, 2013
  1. Make bin/ more robust

    Alex Konradi authored
    This fixes some variable name confusion in and improves the handling
    of more complicated packages (those with startup scripts).
  2. Support multiple .deb package source URLs

    Alex Konradi authored
    The official Debian packages are already broken up into "main", "contrib", and
    "non-free" groups, which means that there is no single source of even
    'official' packages. This patch adds support for using multiple package lists
    in place of a single one.
    Note: the order in which lists are specified DOES MATTER. If the same package
    is available in multiple repositories, the repository listed first will take
Commits on Jul 25, 2013
  1. @daniel-pittman

    Merge pull request #77 from alexkonradi/add-import-deb-packages

    daniel-pittman authored
    Add ability to import deb packages while building the image
  2. @daniel-pittman

    Merge pull request #76 from alexkonradi/fix_mirror-gem_ruby_2.0_compa…

    daniel-pittman authored
    Make mirror-gem Ruby 2.0 compatible
Commits on Jul 24, 2013
  1. Add lshw.deb to builtin-extensions.lst

    Alex Konradi authored
    This is both a simple test case of .deb to .tcz importing and a replacement for
    the lshw-B.02.15 included in TCL4, which doesn't play nice with TCL5-alpha4.
  2. Use bin/ and company to install .debs

    Alex Konradi authored
    Debian packages can be added to the same mirror-extensions.lst and
    builtin-extensions.lst, and are identified by a .deb extension. They are then
    downloaded by bin/download-deb-pkg and converted by bin/ In the case
    of builtin extensions, the name is appended to onboot.lst.
  3. Add bin/download-deb-pkg script

    Alex Konradi authored
    Downloads .deb package files from a debian mirror of your choice given the
    package name and the file list downloaded by download-deb-pkg-list.
    The parameters are listed in the file, but there is no help text for manual
    usage (since this is supposed to be invoked by
  4. Download a debian package list and simplify it

    Alex Konradi authored
    This script downloads a gzip-ed debian package list; default is from TC5:
    The list is downloaded and gunzip-ed, then stripped of everything except
    package names and download paths. The resulting output file looks something
    like this:
        libaac-tactics-ocaml pool/main/a/aac-tactics/libaac-tactics-ocaml_0.2.pl2-7_i386.deb
        libaac-tactics-ocaml-dev pool/main/a/aac-tactics/libaac-tactics-ocaml-dev_0.2.pl2-7_i386.deb
        python-aafigure pool/main/a/aafigure/python-aafigure_0.5-3_all.deb
        libaa-bin pool/main/a/aalib/libaa-bin_1.4p5-40_i386.deb
        libaa1 pool/main/a/aalib/libaa1_1.4p5-40_i386.deb
    Each package name is followed by a space, then a relative path for a debian
    mirror server. The resulting file can be quickly searched by grep.
  5. Move cd-s to allow relative path parameters

    Alex Konradi authored
    All paths are now treated as relative to the working directory ($HERE)
    when the script is called.
Commits on Jul 23, 2013
  1. Modify to work on distros not TC

    Alex Konradi authored now works with Bash, and doesn't use hard-coded paths
  2. Import Tiny Core's deb2tcz script

    Alex Konradi authored
    This script can be used by Tiny Core to unpack .deb files and repackage them
    as .tcz extensions. Once made to work with Bash, it would allow converting .deb
    files and bundling them with the ISO.
Commits on Jul 22, 2013
  1. Make mirror-gem Ruby 2.0 compatible

    Alex Konradi authored
    This adds checks before making Gem::SpecFinder calls to prevent errors while
    using Ruby 2.0. Gem::SpecFetcher#fetch_with_errors has been replaced by
    Gem::SpecFetcher#spec_for_dependency. Additionally, #spec_for_dependency
    returns a Gem::Source object where #fetch_with_errors returned a String.
Commits on Jul 15, 2013
  1. @daniel-pittman

    Import "The road forward for Razor" as the primary readme

    daniel-pittman authored
    This brings information about what is going on with Razor into the forefront
    of visibility.  Old information is still preserved in a separate file.
    Signed-off-by: Daniel Pittman <>
Commits on Feb 26, 2013
  1. @daniel-pittman

    Merge pull request #69 from daniel-pittman/feature/master/68-move-ope…

    daniel-pittman authored
    (#68) Move open-vm-tools binary package to
  2. @daniel-pittman

    (#68) Move open-vm-tools binary package to

    daniel-pittman authored
    This updates the default location for the OpenVM tools binary package to, reflecting the move away from the (now removed)
    GitHub downloads feature.
    Signed-off-by: Daniel Pittman <>
Commits on Feb 22, 2013
  1. @daniel-pittman

    Merge pull request #66 from daniel-pittman/feature/master/65-remove-u…

    daniel-pittman authored
    The stomp gem was only used to support MCollective
Commits on Feb 20, 2013
  1. @daniel-pittman

    Remove the dangerous "reuse previous download" option

    daniel-pittman authored
    The script that collected data together for the Microkernel image had a "reuse
    previous download" option that triggered a particularly dangerous set of
    When enabled it assumed that it should simply use the existing build directory
    as-is, and should avoid fetching content that already existed in
    that directory.
    This seems innocuous enough - an optimization you might choose to use during
    development - but actually masks a dangerous failure mode.  If we eliminate
    something from the build, like we did the stomp gem, it may still be built
    into the final image when reusing the downloaded content, because it happens
    to sit in the build directory.
    A correct version of this would use a cache that sits aside from the build
    directory, and only put in place files that would actually be used.
    That is more complex to develop, and doesn't really add value compared to
    using a simple squid proxy server to cache the downloaded files, so I have
    simply expunged the reuse facility.
    Signed-off-by: Daniel Pittman <>
  2. @daniel-pittman

    The stomp gem was only used to support MCollective

    daniel-pittman authored
    We only included the stomp gem in the system to support MCollective, which is
    now gone from the Microkernel.  This removes the gem as well, for a marginal
    reduction in size, and less things to care about when figuring out what works
    or not in the MK image.
    This closes #65.
    Signed-off-by: Daniel Pittman <>
Commits on Feb 15, 2013
  1. @daniel-pittman

    Merge pull request #64 from daniel-pittman/bug/master/63-set-defaut-p…

    daniel-pittman authored
    The build process expects a default password, but does not bother to set...
  2. @daniel-pittman

    The build process expects a default password, but does not bother to …

    daniel-pittman authored
    …set it
    The build process expects a fixed default password in the development and
    debug builds, but does not bother to set that. This leads to users, and our CI
    system, unexpectedly building ISO images that don't allow login as expected.
    Since this is a fixed, documented, default password there is no more security
    exposure to be putting it in as the default in the scripts than it does to
    manually enter it on every automated, central build.
    Ultimately this should probably be eliminated entirely, because it has zero
    security value: any attacker can simply read our documentation, and any
    automated tool can add whatever password we pick, but for now this improves
    utility without surprising our existing users.
    This closes #63.
    Signed-off-by: Daniel Pittman <>
  3. @daniel-pittman

    Merge pull request #62 from tjmcs/tb/fix-gem-list-parse-error

    daniel-pittman authored
    Modified gem controller to support new gem.list file format (Fixes #61)
Commits on Feb 14, 2013
  1. modified gem controller to parse new format for gem.list file correctly

    Tom McSweeney authored
    (it now takes the first field from each line as the gem name and ignores
    any extra fields that may appear in the gem.list file after that gem name)
Commits on Feb 12, 2013
  1. @daniel-pittman

    Merge pull request #60 from daniel-pittman/feature/master/59-version-…

    daniel-pittman authored
    version specification for gem mirroring
  2. @daniel-pittman

    CVE-2013-0269 Denial of Service and Unsafe Object Creation Vulnerabil…

    daniel-pittman authored
    …ity in JSON
    Ruby JSON parsing gems were vulnerable to denial of service and unsafe object
    creation attacks when used on user controlled data.  These could be used to
    create objects in unexpected ways, as well as to consume memory through
    persistent object creation.
    This updates our JSON gem to version 1.7.7, a version that is no longer
    vulnerable to those attacks, mitigating this risk in the Microkernel.
    This is the only mitigation required, as the Microkernel already correctly
    uses `JSON.parse` - a safe API for untrusted input - rather than `JSON.load`
    or other vulnerable inputs.
    Signed-off-by: Daniel Pittman <>
  3. @daniel-pittman

    Allow reading gem list from a file during mirroring

    daniel-pittman authored
    This extends the gem mirroring script to support reading from a file, as well
    as the command line, to find out which set of gems to mirror.
    This allows an extended input format in the file, where we specify version
    constraints, which resolves #59, a need to specify version constraints.
    Now we have a clean mechanism for specifying them.
    Signed-off-by: Daniel Pittman <>
Commits on Feb 8, 2013
  1. Merge pull request #58 from tjmcs/tb/fix-default-version-format

    tjmcs authored
    (#57) Strips leading `v` from generated version numbers
  2. Fixes issue #57 (generated version numbers have wrong format); with t…

    Tom McSweeney authored
    …he change in this commit the script constructs a shell that parses the git version numbers a bit differently so that auto-generated version numbers for the Microkernel ISO are more consistent with the version numbers that were used in numbering our Razor Microkernel ISOs previously (versions like "" instead of "v0.9.3.0").
Commits on Feb 7, 2013
  1. @daniel-pittman

    Merge pull request #55 from daniel-pittman/feature/master/better-fake…

    daniel-pittman authored
    Inform users and abort when we can't unpack the ISO image
Commits on Feb 6, 2013
  1. @thallgren @daniel-pittman

    Limits the services on port 2156 and 2157 to localhost.

    thallgren authored daniel-pittman committed
    The Microkernel exposes two services on ports 2156 and 2157
    as part of Tiny Core Linux. The service available on port 2156
    handles configuration of the running Microkernel image. It is
    unauthenticated, and allows users to load kernel modules and add
    new extensions to TCL. The service on 2157 provides information
    about the running system.
    This commit limits those services to localhost, thus preventing
    anyone from accessing them remotely.
  2. @thallgren @daniel-pittman

    Adds built artifacts to the .gitignore

    thallgren authored daniel-pittman committed
    Some folders are created during a build. This commit adds
    then to the .gitignore to ensure that they are not commited
    by mistake.
  3. @thallgren @daniel-pittman

    Removes MCollective from the Razor Micro Kernel

    thallgren authored daniel-pittman committed
    MCollective was running as an external service. It used a
    static configuration accessible to anyone who accessed
    the source, and which could connect to an external master.
    This was considered a security threat in the security
    This commit removes MCollective completely. The impact of
    doing this should be zero since it wasn't currently used.
Commits on Jan 25, 2013
  1. @daniel-pittman

    Merge pull request #56 from tjmcs/tb/fixes_razor_issue_297

    daniel-pittman authored
    Fixes Razor issue 297; MK now uses 'lshw -disable dmi' under kvm
Commits on Jan 23, 2013
  1. This change should fix issue 297 on the Razor issue list

    Tom McSweeney authored
Commits on Jan 17, 2013
  1. @daniel-pittman

    Explain why a subset of util-linux is extracted

    daniel-pittman authored
    This adds a copy of the explanation from TJMCS about why only a
    subset of the `util-linux` package is installed, as per #45, so that
    the next engineer along doesn't wonder at that.
Something went wrong with that request. Please try again.