LVFS Releases

1.4.0 (2022-05-24)

This release adds the following features:
  • Add a progress indicator to the Yara scan
  • Add ‘fwupd friendly firmware’ certification
  • Add information about what models are EOL
  • Add new categories of X-Mouse and X-BaseboardManagementController
  • Add support for asynchronous uploads
  • Add support for external uSWID+CoSWID sections
  • Add the concept of vendor subgroups
  • Add device icons of usb-hub and usb-receiver
  • Add XLIFF v2 import and export for translation
  • Allow auto-moving firmware on defined dates
  • Allow creating a GUID from an instance ID
  • Allow creating a uSWID blob from form data
  • Allow firmware to have multiple ODMs
  • Allow importing, exporting and modifying localized update release notes
  • Allow marking firmware revisions as immutable
  • Allow updates to specify a level of device integrity
  • Allow uploading firmware using a username and token
  • Analyse Intel microcode versions
  • Build metadata into a firmware transparency log
  • Export the LVFS component ID into the AppStream metadata
  • Get the CVE descriptions description from VINCE and NIST NVD
  • Show the metadata upload failures in the UI
  • Use name_variant_suffix in the public metadata
  • Use signed reports for firmware QA
  • Use the CDN to distribute firmware
This release fixes the following bugs:
  • Add client requirements to the metadata
  • Add more JCat blob kinds
  • Allow modifications in the testing target
  • Allow OAuth users to modify subgroup and notification settings
  • Allow QA users to delete limits
  • Allow security researchers to run UEFI R2 scripts
  • Allow specifying file:// images that are copied from the archive
  • Allow users to share the [possibly private] signed report data
  • Check for the duplicate remote before checking problems
  • Detect more vendors pasting in Intel SA issues
  • Do no merge component with different self requirements
  • Do not allow an unsigned report to adjust the output of a signed one
  • Do not allow some name_variant_suffix content
  • Do not backtrace when trying to compare UTF-8 and UTF-16 text
  • Do not export optional component data XML
  • Do not force ‘number’ verfmts to hex in the metainfo
  • Do not show test passes in uefi_scanner
  • Do not split search terms on the hyphen
  • Do not use Google Fonts
  • Fix a crash when a component description was not set
  • Fix crash when old stable firmware has no update description
  • Fix runtime exception when checking inactive users
  • Ignore markdown elements with control chars
  • Make autoimporting issues CSRF-safe
  • Make Claim.allow_embargo per-instance, not per-class
  • Make the license have an optional clickable URL
  • Make the recovery email case insensitive
  • Make the update useful word requirement lower
  • Move some upload issues to runtime component problems
  • Never include ampersands in the revision filename
  • Never try to escape missing paragraph text
  • No longer detect Intel BIOSGuard
  • Remove parsing the developer_name tag
  • Remove the vendor description
  • Save non-empty UEFI padding sections as shards
  • Set a max-age when sending chunked files
  • Show a notification if unable to change component values
  • Show a warning when a security update is detected without any issues
  • Show better verified report output
  • Use a bubble graph for the CVE timeline
  • Use a volume guids to make UEFI R2 queries much, much faster
  • Use the AppStream ID when deduping uploaded firmware
  • Use the mirrored release image in more cases
  • Verify the AppStream ID was valid if modified

1.3.2 (2021-06-22)

This release adds the following features:

  • Add an optional PSIRT URL for each vendor
  • Add a plugin which uses uefi_r2 to add shard attributes
  • Add support for component soft-requirements
  • Allow exporting the embargoed firmware using PULP_MANIFEST
  • Allow searching for files by checksum on the internal dashboard
  • Allow vendor managers to purge firmware without asking an admin
  • Do not overwrite when resigning and use unique filenames for each revision

This release fixes the following bugs:

  • Be more helpful when failing to load invalid XML
  • Dedupe the component requirements where allowed
  • Do not allow the update description to contain the firmware name
  • Do not autodecode content when mirroring using sync-pulp.py
  • Explicitly set the CDN Cache-Control to be 4 hours by default
  • Ask vendors to provide 10 useful release description words
  • Include the update images in the PULP_MANIFEST file
  • Resign any files that do not include the PKCS#7 certificate

1.3.1 (2021-04-06)

This release adds the following features:

  • Add a firmware timestamp that specifies the CVE embargo date
  • Add a LVFS component problem if the version format is inconsistent
  • Hard require the version format to allow pushing to stable
  • Record the reason for moving a firmware to a new remote
  • Record the user and when a component issue was added
  • Support VINCE security advisory IDs

This release fixes the following bugs:

  • Allow setting a vendor default for the .inf firmware parsing
  • Allow uploading files with all issue types
  • Fix some checksum confusion for duplicate firmware
  • Fix unpinning files using Pinata
  • Fix warnings with new SQLAchemy versions
  • Never include generic components in the mdsync data
  • Return JSON for robot uploaders
  • Store the old remote ID in the FirmwareEvent
  • Use the remote name, not the icon name for mdsync export
  • Write the <issue> tags into the AppStream metadata

1.3.0 (2021-02-08)

This release adds the following features:

  • Add new page for the latest devices supported
  • Add support for the <artifact> AppStream tag
  • Add support for the Intel technical advisory issue tags
  • Allow adding optional default icons to categories and protocols
  • Allow components to specify an optional branch
  • Allow exporting the component back to MetaInfo XML format
  • Assign a release tag style for specific vendor per-category
  • Mirror non-export-controlled public firmware to IPFS
  • Provide a healthcheck endpoint
  • Send a monthly email about firmware left in embargo or testing
  • Show a device status page showing all the versions in all remotes

This release fixes the following bugs:

  • Add missing support for LVFS::UpdateImage and Verfmt('number')
  • Add some documentation on adding screenshots and using the LVFS offline
  • Allow adding and removing component GUIDs on the web UI
  • Allow a <project_license> of BSD
  • Allow changing firmware licenses without re-uploading firmware
  • Allow non-admin users to resign firmware
  • Allow QA users to change the component name, ID and summary
  • Allow searching by filename, requirement or CVE when logged in
  • Allow supplying a generic ‘overview’ component for composite devices
  • Allow vendors to specify client requirements
  • Change the dropped-GUID from an upload flash() to a waivable test
  • Check for more sneaky CVEs in update descriptions
  • De-duplicate the requirements where appropriate
  • Do not allow the vendor name “BIOS”, “fwupd” or “LVFS” in the firmware <name>
  • Do not do the GUID check against firmware uploaded to private
  • Do not ever store the client hashed IP address in the database
  • Do not use send_from_directory() to send large files
  • Fix all CSRF issues after some security review
  • Fix performance issue when getting recent firmware downloads
  • Include the copyright information for MIT licenses
  • Increase the upload timeout to 10 minutes
  • Move the disable 2FA slider to a button
  • Parse the AMI FPAT firmware prior to scanning with UEFIExtract
  • Provide a nudge when editing a component if required values are unset
  • Purge firmware that is deleted after just 30 days
  • Record the client country code for analytics
  • Reduce the number of buttons on the component overview
  • Regenerate embargo remotes when modifying restrictions
  • Run any pending tests every 60 minutes
  • Update the bundled version of Chart.js
  • Update the README.txt file during package signing
  • Use a non-predictable vendor icon filename
  • Use PyGnuTLS rather than using certtool when signing files
  • Use python-cabarchive rather than GCab for parsing
  • Use the CDN to serve public static files
  • Write the PULP_MANIFEST with a predicatable order

1.2.0 (2020-06-09)

This release adds the following features:

  • Add a filter view for user uploaded firmware
  • Add a plugin to identify old microcode versions
  • Add cached public stats of useful metrics
  • Add support for LVFS::UpdateMessage
  • Allow clients to upload anonymous HSI attrs
  • Allow re-signing binaries
  • Create Jcat files in archives and for metadata
  • Delete firmware in embargo with newer public versions
  • Disable unused user accounts for GDPR compliance
  • Export the success confidence to the mdsync vendor
  • Include LVFS::UpdateProtocol in the metadata
  • Rewrite the AppStream screenshot URL to use the server CDN
  • Rewrite the metainfo when signing the firmware
  • Save metadata about Intel microcode blobs
  • Support Lenovo, Dell and Intel specific security tags
  • Use celery to process async operations

This release fixes the following bugs:

  • Allow all users to view the profile page
  • Allow a protocol to have no defined version format
  • Allow QA users to see all ODM firmware uploaded
  • Allow setting the category to ‘Unknown’
  • Allow specifying firmware versions when using the advanced requires editor
  • Do not allow component modification when in testing and stable
  • Do not backtrace if a component does not have a <name>
  • Do not include a CSRF for public search queries
  • Do not include the VersionFormat fallbacks if the fw requires a new enough fwupd
  • Do not make the database server explode with a query like ‘value=+foo’
  • Do not save duplicate <requires>vendor-id</> tags to the metadata
  • Ensure firmware again when it changes state
  • Fix a regression when component claims were not being added
  • Fix regression when getting security level of component
  • Improve the report query speed by several orders of magnitude
  • Include the vendor tag in the rewritten metainfo and AppStream XML
  • Invalidate ODM remotes when a firmware is demoted back to private
  • List <id> requires first in the metadata
  • Make it more obvious that the firmware is waiting to be signed
  • Make the LVFS username case insensitive
  • Make the markdown to root function more robust
  • Parse the <metadata_license> even when not in strict mode
  • Set the SHA256 content checksum in the metadata
  • Show a disabled button when the user has no ACL to move the firmware

1.1.6 (2020-01-28)

This release adds the following features:

  • Add a atom feed to public device page
  • Add a claim for systems supporting Intel BiosGuard and BootGuard
  • Add a dell-bios version format
  • Add a page to list consultants that can work on the LVFS
  • Add a plugin to add component claims for specific shard GUIDs
  • Add a release tag to store the vendor-specific firmware identifier
  • Allow adding component claims based on the hash of a shard
  • Allow syncing with other firmware databases
  • Move the formal documentation to Sphinx

This release fixes the following bugs:

  • Add many more database indexes to improve performance
  • Add some missing vendor checks when proxying to the user ACL
  • Allow vendor managers to see a read-only view of the restrictions page
  • Always use the vendor-id restrictions of the ODM, not the OEM
  • Fix support for multiple LVFS::VersionFormat tags
  • Include a vendor ID by default for testing accounts
  • Make more queries compatible with PostgreSQL
  • Never include firmware in private in any embargo remote
  • Only show vendors with LVFS users on the vendorlist
  • Reduce the memory consumption when running cron and doing yara queries
  • Update the firmware report count at upload time
  • Use SHA256 when storing the upload checksum
  • Use the correct filename for a PKCS-7 payload signature
  • Use UEFIExtract rather than chipsec to extract shards

1.1.5 (2019-11-15)

This release adds the following features:

  • Add support for matching firmware requirements on device parents
  • Allow researchers to run YARA queries on the public firmware
  • Allow the blocklist plugin to add persistent claims
  • Use PSPTool to parse the AMD PSP section

This release fixes the following bugs:

  • Add the Dell PFS as a component shard
  • Allow the owner of the firmware to always change update details
  • Convert to Blueprints to improve page loading time
  • Do not hardcode the list of version formats in various places
  • Do not share the shard name between GUIDs
  • Only auto-demote stable-to-testing, not testing-to-embargo or stable-to-embargo
  • Show the version format versions with no trailing zeros

1.1.4 (2019-09-26)

This release adds the following features:

  • Add component issues such as CVEs in a structured way
  • Add more OEM notification emails for ODM actions
  • Add support for name variant suffixes
  • Add vendor namespaces to enforce ODM relationships
  • Allow searching for CVEs when logged in
  • Allow the OEM to better control what the ODM is able to do

This release fixes the following bugs:

  • Allow vendors to optionally disable the inf parsing
  • Blacklist generic GUIDs like ‘main-system-firmware’
  • Check the source and release URLs are valid if provided
  • Do not show deleted firmware on the recent list on the dashboard
  • Don’t auto-demote firmware because of old reports
  • Enforce the VersionFormat if the version is an integer
  • Fix a crash if uploading a file with a missing metadata_license tag
  • Provide a way to un-disable users as a vendor manager
  • Regenerate embargo remotes ever 5 minutes
  • Use a sane error message on upload when a component drops a GUID

1.1.3 (2019-08-06)

This release adds the following features:

  • Show a nag message for admin or manager account without 2FA
  • Do not use AppStream-glib to parse the metainfo file
  • Automatically demote firmware with more than 5 failures and a success rate of %lt;70%
  • Allow firmware or vendors to enable DoNotTrack functionality
  • Show the user capabilities in the headerbar
  • Protect all forms against CSRF

This release fixes the following bugs:

  • Retry all existing tests if the category or protocol is changed
  • Do not allow forward slashes in AppStream ID values
  • Use a proper AppStream ID for the CHIPSEC shards
  • Show flashed messages on the landing page
  • Better support firmware requires without conditions or versions
  • Do not allow AppStream markup in non description elements

1.1.2 (2019-05-28)

This release adds the following features:

  • Add a new plugin to check portable executable files
  • Save the shards in an on-disk cache which allows re-running tests
  • Add a failure for any firmware that is signed with a 3-year expired certificate
  • Add shard certificates to the database and show them in the component view

This release fixes the following bugs:

  • Make it easier to enter multiline text as plugin settings

1.1.1 (2019-05-21)

This release adds the following features:

  • Allow managers to edit their own list of embargoed countries
  • Record the size and entropy of the component shards when parsing
  • Analyze Intel ME firmware when it is uploaded

This release fixes the following bugs:

  • Do not expect device checksums for ME or EC firmware

1.1.0 (2019-05-14)

This release adds the following features:

  • Run CHIPSEC on all UEFI firmware files
  • Show details of UEFI firmware volumes for capsule updates
  • Show differences between public revisions of firmware
  • Provide some extra information about detected firmware shards

This release fixes the following bugs:

  • Only decompress the firmware once when running tests
  • Make the component detail page a bit less monolithic
  • Never leave tests in the running state if a plugin crashes

1.0.0 (2019-05-02)

This release adds the following features:

  • Allow the admin to change the AppStream ID or name of components

This release fixes the following bugs:

  • Do not allow the telemetry card title to overflow
  • Ensure the firmware-flashed value is a valid lowercase GUID
  • Make the component requirements page easier to use
  • Do not add duplicate <hardware> values
  • Remove the hard-to-use breadcrumb and use a single back button