Apertis v2020.0 Release
Apertis is a Debian derivative distribution geared towards the creation of product-specific images for ARM (both the 32bit ARMv7 and 64-bit ARMv8 versions using the hardfloat ABI) and Intel x86-64 (64-bit) systems.
Apertis v2020.0 is the first stable release of the LTS Apertis v2020 release flow. Apertis is committed to maintaining the v2020 release stream until September 2021.
This Apertis release is built on top of Debian Buster with several customisations.
Test results for the v2020.0 release are available in the following test reports:
Point releases including all the security fixes accumulated will be published quarterly, up to v2020.7.
- 2019 Q3: v2020dev0
- 2019 Q4: v2020pre
- 2020 Q1: v2020.0
- 2020 Q2: v2020.1
- 2020 Q3: v2020.2
- 2020 Q4: v2020.3
- 2021 Q1: v2020.4
- 2021 Q2: v2020.5
- 2021 Q3: v2020.6
- 2021 Q4: v2020.7
|Apertis v2020.0 images|
|Intel 64-bit||minimal||target||base SDK||SDK|
|ARM 32-bit (U-Boot)||minimal||target|
|ARM 64-bit (U-Boot)||minimal|
Apertis v2020.0 repositories
deb https://repositories.apertis.org/apertis/ v2020 target development sdk hmi deb https://repositories.apertis.org/apertis/ v2020-security target development sdk hmi
Mainline graphics stack support on ARM target images
Target images for the i.MX6 SabreLite boards with graphics support using the mainline stack and the open source etnaviv driver are now available.
Just like the amd64
target images, the
armhf ones for the SabreLite board
now boot into the full HMI out-of-the-box.
System update authentication checks using Ed25519 signatures
The OSTree updates in this release are now signed to prove their trusted provenance. The updater on the devices now checks for the signature against its configurable set of trusted keys before processing the updates, refusing to install anything that comes from untrusted sources.
While this is usually done with OpenPGP keys and signatures, such approach is not suitable for Apertis since modern versions of GnuPG switched to the GPL-3 license which conflicts with the Apertis Open Source license expectations.
In addition, the use of OpenPGP is suboptimal for OSTree: the OpenPGP standard is large and leads to complex implementations, covering features that address use-cases like the web of trust that are not relevant for the system update verification use-case.
To address that, the upstream OSTree code has now been reworked to optionally drop its reliance on GnuPG, with work being in progress to land the modularization of the signature verification mechanism with an alternative backend based on the Ed25519 cryptosystem with the libsodium implementation, which brings the following benefits:
- State-of-the-art security
- Much simpler implementation than GnuPG
- Small signatures
- Small keys
- Fast signature verification
- Very fast signing
As a technology preview, the Ed25519 backend is already available and enabled in Apertis showcasing the whole workflow by signing updates during the image building pipeline on the Apertis server and verifying those signatures on target device.
Linux kernel 5.4
Released upstream on the 2019-11-24, the latest LTS version of the Linux kernel is now included in this release. With a minimum projected end-of-life in December 2021, the 5.4 series better suits the v2020 release cycle, which would reach its own end-of-life at roughly the same time (2021 Q3).
Persistent kernel panic storage
This release introduces initial support for pstore in the U-Boot bootloader and the Linux kernel to debug hard crashes by providing a way to store logs for postmortem analysis (specifically next boot) even if the crash makes the main persistent storage no longer available or unsafe to access.
A new document guides developers through the steps needed to use pstore on the i.MX6 Sabrelite boards.
hawkBit integration proof-of-concept
Eclipse hawkBit™ is a back-end framework for deploying software updates over the Internet, providing advanced phased rollout management.
A proof-of-concept hawkBit server instance has been deployed for Apertis and the image building pipelines now automatically push updates to it as OSTree static bundles.
The Apertis v2020 OSTree images now ship the Apertis hawkBit agent component by default, which can be enabled to let developers control updates using the hawkBit server instance.
The Deployment management document describes how the updates can be modeled on the hawkBit server and how to set up agents to connect to it and deploy the updates on the device.
Build and integration
GitLab-to-OBS workflow enhancements
The tools around the workflow used to manage package sources in GitLab and push them to OBS saw several improvements during the v2020 release cycle.
For instance, the GitLab pipeline can now easily target
-updates repositories and prevents MRs from targeting the main branches on
Automatic license scans on upstream pull
When pulling updates from upstream distributions like Debian, the package sources are now automatically scanned to identify code released under problematic licenses as early as possible.
More details on how the scan works and how developers can control it are available in the GitLab-to-OBS pipeline documentation.
Deprecations and ABI/API breaks
During this release cycle no new deprecations have been issued. Obsolete or problematic APIs are marked with the ABI break tag as a way to clear technical debt in future.
Removal of packages with problematic licenses
A few package got moved away from the
target component of the distribution
since they didn’t meet the Apertis license
and thus were not suitable for installation in final products.
Downstreams will need to check the following packages:
- dictionaries-common (T6711)
- iptables-persistent (T6712)
- btrfs-progs (T6710)
- libpipeline (T6713)
- quvi and libquvi-scripts (T6714)
- libunistring (T6715)
Apertis Docker registry
The Apertis Docker registry stores Docker images in order to provide a unified and easily reproducible build environment for developers and services.
As of today, this includes the
Apertis infrastructure tools
The Apertis v2020 infrastructure
provides packages for the required versions of
ostree for Debian Buster:
deb https://repositories.apertis.org/infrastructure-v2020/ buster infrastructure
Image daily builds, as well as release builds can be found at:
Image build tools can be found in the Apertis tools repositories.
The Image build infrastructure document provides an overview of the image building process and the involved services.