Happy New Year to everyone!
New versions of the skarnet.org packages are available.
This is a major release. The skalibs major version number has been
bumped, which means that compatibility with previous versions is not
ensured. Other packages have been updated to build against the new
skalibs. If they only had their patch number increased, that's all
the modifications they had (save for possible bugfixes); but some
packages also received significant changes and underwent either a major
(compatibility not ensured) or minor (simple additions) release.
Support for the 2.9.* branch of skalibs, and associated versions of
the other packages, is still ensured for a while, but users are always
strongly encouraged to upgrade.
- Some rarely-triggered build bugs have been fixed.
- -fno-stack-protector is not part of the default CFLAGS anymore;
stack protector policy now defaults to the compiler's settings.
- Significant code cleanup.
- New sysdep: chroot.
- Lots of new functions, mostly to optimize the number of needed
fcntl() calls at open() time. Traces should generally be marginally
shorter than they were before.
- Removal of the DJBUNIX_FLAG_NB and DJBUNIX_FLAG_COE macros, replaced
by the POSIX O_NONBLOCK and O_CLOEXEC macros wherever they were used.
- Removal of the skalibs/webipc.h header, and better header separation.
- Complete revamping of the pathexec functions, now separated into
exec_* (simple execution) and mexec_* (execution with merging of the
environment first). In true skalibs fashion, there is a little code,
and 3 pages of convenience macros (the exec.h header).
- Complete rewrite of the locking functions, with a change of
underlying mechanisms. The skalibs locking primitives are now named
fd_lock(), fd_unlock() and fd_islocked().
The Unix locks primitive space is a horror show. flock() is not
POSIX and does not have a way to test for a lock without taking it.
The POSIX lockf() only has exclusive locks, not shared ones. The least
bad option is fcntl(), which has shared and exclusive locks *and* a way
to check for a lock without taking it, but does not allow taking a
shared lock via a O_WRONLY file descriptor. Of all inconveniences this
is the most minor one, so now skalibs uses fcntl().
- New --enable-libc-includes configure option. Without this option,
the pwd.h, grp.h and shadow.h headers are not installed anymore, so
by default installing nsss on a FHS system does not overwrite the
- New --enable-libc-includes configure option. Without this option,
the utmpx.h header is not installed anymore, so by default installing
utmps on a FHS system does not overwrite the libc headers.
- The trap program has changed. The "timeout" directive has been
removed; a "default" directive has been added, to handle all signals
for which a specific directive has not been given. Subprograms are
now run with the SIGNAL environment variable set to the signal number
(in addition to ! always being set to the application's pid).
- The forstdin program has changed. It now exits 0 if it has read at
least one line, and 1 otherwise.
- The default list of delimiters for backtick, withstdinas, forstdin
and forbacktickx has been set to "\n", so by default those programs
will read and/or split on lines and only lines.
- The backtick, withstdinas, forstdin, forbacktickx, forx, getpid
and getcwd programs now have a -E option to activate autoimport.
(This saves the user from manually adding "importas var var" after
every use of these programs.)
It is imperative to restart your supervision trees, by rebooting if
necessary, after upgrading s6 to the new version. Otherwise, new s6
binaries interacting with service directories maintained by old
s6-supervise binaries may not work.
If you are using s6-linux-init, it is necessary to upgrade to the
latest version of s6-linux-init at the same time as s6.
- Significant code refactoring.
- The internal locking system of service directories has changed,
allowing for a cleaner permissions model and official support of
- New binary to implement those relaxed permissions: s6-svperms.
- The "nosetsid" file is not supported anymore in service directories.
Services are now always started in a new session.
- s6-supervise now traps SIGINT: before dying, it sends a SIGINT to its
service's process group. This allows correct transmission of ^C when a
supervision tree is running in a terminal, even though every service
runs in its own session.
- s6-svc -X doesn't exist anymore. s6-supervise now always closes stdin
and stdout on the last execution of the service.
- The semantics of SIGHUP and SIGQUIT have changed for s6-supervise.
- The set of commands sent by s6-svscanctl and received by s6-svscan
has been cleaned up and made more logical.
- When told to exit normally (typically via s6-svscanctl -t), s6-svscan
now first waits for the whole supervision tree to die. The
.s6-svscan/finish script can now assume that all services are completely
down. (s6-svscanctl -b is an exception; it should not be used in normal
- The -s and -S options to s6-svscan are not supported anymore. Signal
management in s6-svscan has been streamlined: signals have a default
handler that can be overridden by a corresponding executable
- Default signal handlers for s6-svscan have more intuitive semantics.
- New binary to help with management of user-owned supervision trees:
s6 now has man pages! Thanks to flexibeast for performing the
work. Please allow some time for the man pages to be updated to reflect
the current HTML documentation. The repository can be found here:
It *is necessary* to upgrade s6-linux-init at the same time as s6.
It *is recommended*, although not strictly necessary, to create your
run-image directory again via a s6-linux-init-maker invocation. Old
images will still boot, as long as you are using an upgraded version
of s6-linux-init; but they may incorrectly handle signals sent to init,
so for instance Ctrl-Alt-Del may not work anymore, until you run
- New internal binary: s6-linux-init-nuke. This program is not meant
to be invoked by users directly: it simply removes a dependency to the
'kill' program in a rare case involving containers.
- New library function: s6dns_message_parse_question().
- Important refactoring of the tls code. The crypto tunnel now runs
as a child of the application, instead of the other way around. It is
now isolated in a s6-tls[cd]-io binary; s6-tlsc is now a simple wrapper
around s6-tlsc-io, and s6-tlsd is a simple wrapper around s6-tlsd-io.
- New binaries: s6-ucspitlsc and s6-ucspitlsd. Those implement
opportunistic TLS via the UCSPI-TLS protocol.
- The -K option to the tls binaries has changed semantics: it now
enforces a timeout for the handshake instead of dropping the connection
after some inactivity. Note that this option is only useful with the
bearssl backend: the libtls backend always performs a synchronous
handshake, with no way of interrupting it after a timeout expires.
- The execline dependency is now optional. Disabling execline, however,
changes the behaviour of s6-tcpserver-access (which cannot support
exec files without it).
It is now possible to build the s6-networking package against OpenSSL
instead of LibreSSL, thanks to the libretls project:
- New -C option to the mdevd program. This option makes mdevd
automatically spawn a mdevd-coldplug program when it's ready, allowing
mdevd to be used as a drop-in mdev -d replacement. (Note that the
coldplug is also performed if mdevd restarts after being killed, so
this feature should not be used in place of a proper service startup
sequence with a mdevd-coldplug oneshot depending on the mdevd longrun.
It has only been added for convenience.)
* Other packages
The following packages have received an update so they build with the
latest version of skalibs and other dependencies, but nothing has
except possibly some bugfixes, and hopefully not too many bug additions.
- s6-rc-0.5.2.1. (It is not necessary to recompile your service
database. However, it is necessary to upgrade s6-rc along with s6, and
to reboot the system ASAP after upgrading.)