gkreidl
Posts: 6086
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 1:05 pm

ShiftPlusOne wrote:
Nor does it claim to be, but now you need physical access.
No, any kind or exploit will give the intruder full root access. That's the real security problem, not SSH: 95% of all users are behind a router's firewall and ssh will not be accessible without port forwarding.
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 5949
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 1:13 pm

B.Goode wrote:It's an old and tatty carol sheet I am singing from, but to repeat a couple of points I have made before but thus far without being heard.

1. Easily referenced documentation - more than a collection of potentially unrelated points swept up into a blog post - would make it easier to refer forum users to solutions when they ask "What broke my system?" Having that documentation available when a new OS release is made, rather than some time later, would be good.

2. There is a relatively small number of regular volunteer helpers who contribute advice in these forums. Maybe no more than a couple of dozen. Would it be so painful for the RPF to take that group of users into their confidence, on an NDA basis if needed, when changes that impact user experience/expectations are being considered, to get their polite and well considered feedback before release not after.
The release notes are there to make people aware of such things and can be easily referenced.

Most of the development happens on github, so the fact that SSH would be disabled did not go unnoticed. No NDA required. https://github.com/RPi-Distro/pi-gen/co ... c20c40d2a9

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 5949
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 1:17 pm

gkreidl wrote:
ShiftPlusOne wrote:
Nor does it claim to be, but now you need physical access.
No, any kind or exploit will give the intruder full root access. That's the real security problem, not SSH: 95% of all users are behind a router's firewall and ssh will not be accessible without port forwarding.
Sure, there have been plenty of exploits in the past to escalate to root. Most of the remote execution exploits I've seen have come from various web services/servers, which aren't installed by default. We can't really account for all the potential future exploits which might exist.

User avatar
dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 1:28 pm

ShiftPlusOne wrote:
dasmanul wrote:This might be more than an inconvenience: Together with
http://downloads.raspberrypi.org/raspbian/release_notes.txt wrote:Prompt for password change at boot when SSH enabled with default password unchanged
this could prevent headless setups completely - or am I missing something?
I don't follow how it would prevent headless setups.
I was reading this as prompt as in "waits-for-user-input-and-stops-boot-process-until-received". @spl23 has cleared this up.

As already commented on github, I'm not too happy with the way this is implemented in /etc/profile.d/sshpasswd.sh - this script calls sudo on all logins which raises security alerts for accounts not authorized for passwordless sudo.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 5949
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 1:29 pm

dasmanul wrote: As already commented on github, I'm not too happy with the way this is implemented in /etc/profile.d/sshpasswd.sh - this script calls sudo on all logins which raises security alerts for accounts not authorized for passwordless sudo.
I've raised the same concern while we were implementing the change, but I couldn't come up with any way around that. Any ideas?

User avatar
dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 1:44 pm

Unfortunately not. My first thought was piping the standard password (which is well-known anyway) into "su -c /bin/true" or something similar and checking for success but su refuses to run without a terminal attached.

How about checking for the unchanged password in /lib/systemd/system/sshswitch.service (which I assume runs with root privileges) and setting a flag somewhere?

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 5949
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 1:46 pm

dasmanul wrote:Unfortunately not. My first thought was piping the standard password (which is well-known anyway) into "su -c /bin/true" or something similar and checking for success but su refuses to run without a terminal attached.

How about checking for the unchanged password in /lib/systemd/system/sshswitch.service (which I assume runs with root privileges) and setting a flag somewhere?
Then if you change the password, you will continue to see the message until you reboot.

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 2:03 pm

dasmanul wrote:Unfortunately not. My first thought was piping the standard password (which is well-known anyway) into "su -c /bin/true" or something similar and checking for success but su refuses to run without a terminal attached.

How about checking for the unchanged password in /lib/systemd/system/sshswitch.service (which I assume runs with root privileges) and setting a flag somewhere?
I just want to clear this up before I make a fool of myself or answer the wrong question, but is it the case that we are looking here for a good way to check to see if the password for user 'pi' is (still) 'raspberry'?

If so, I have a couple of good ways to do it. Let me know.
If this post appears in the wrong forums category, my apologies.

spl23
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 376
Joined: Fri Dec 26, 2014 11:02 am

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 2:04 pm

Martin Frezman wrote:I just want to clear this up before I make a fool of myself or answer the wrong question, but is it the case that we are looking here for a good way to check to see if the password for user 'pi' is (still) 'raspberry'?
Yes, exactly.
Martin Frezman wrote:If so, I have a couple of good ways to do it. Let me know.
Please offer your suggestions - we're keen to hear them.

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 5949
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 2:05 pm

Martin Frezman wrote:
dasmanul wrote:Unfortunately not. My first thought was piping the standard password (which is well-known anyway) into "su -c /bin/true" or something similar and checking for success but su refuses to run without a terminal attached.

How about checking for the unchanged password in /lib/systemd/system/sshswitch.service (which I assume runs with root privileges) and setting a flag somewhere?
I just want to clear this up before I make a fool of myself or answer the wrong question, but is it the case that we are looking here for a good way to check to see if the password for user 'pi' is (still) 'raspberry'?

If so, I have a couple of good ways to do it. Let me know.
Yes, without requiring the use of sudo.

User avatar
dasmanul
Posts: 502
Joined: Wed Sep 30, 2015 10:20 am
Location: Frankfurt, Germany

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 2:08 pm

ShiftPlusOne wrote: Then if you change the password, you will continue to see the message until you reboot.
True. /etc/profile.d/sshpasswd.sh could remove the flag once it has displayed the message, but that would of course mean the message gets displayed only once per system session.

User avatar
jojopi
Posts: 3084
Joined: Tue Oct 11, 2011 8:38 pm

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 2:33 pm

PhilE wrote:We have a responsibility to protect our users, and the combination of a known password and an open SSH port is an accident waiting to happen. The majority of Pi users won't even know what SSH is, so disabling it by default is reasonable - can you think of another OS for non-Power Users which enables SSH by default? With a fixed password?
Okay, you have convinced me. Having a default password is dangerous and completely unnecessary. It only ever existed for the benefit of SSH users.

You have had auto-login on at least the first boot for 4+ years, and neither agetty nor lightdm require a password to be set for the auto-login user.

You should now delete the default password from your images. (Nobody can spell it anyway.)

To support those of us with more Pies than displays, what is really needed is a way to drop a password hash or SSH key into /boot, rather than to enable or disable services.

mikerr
Posts: 2778
Joined: Thu Jan 12, 2012 12:46 pm
Location: UK
Contact: Website

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 2:50 pm

Blog post on this is up now

https://www.raspberrypi.org/blog/a-secu ... ian-pixel/

With all the talk of botnets- isn't it missing the point that for ssh to be internet accessible the user has to open up a port on their router & setup port forwarding.
If they are going to the trouble of doing that, they can change the user/password at the same time.

Changing from the default password is the main issue from a security standpoint - which is bizarre when you consider raspbian's desktop "auto-login" without any passowrd needed.....

What this change does is hamper those using ssh on their internal LANs - adding an extra step for a headless setup.
Admittedly adding a file called "ssh" on the boot partition isn't much trouble - but suddenly means you can't rely on access to any given raspbian system.

So I see the reasons for doing this I think the botnet thing is overblown - most pi aren't externally internet accessible by default - due to closed ports on all routers.
The Mirai bot net is from ip webcams which are by default internet accessible.
Android app - Raspi Card Imager - download and image SD cards - No PC required !

jdb
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 2089
Joined: Thu Jul 11, 2013 2:37 pm

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 3:10 pm

mikerr wrote:Blog post on this is up now

https://www.raspberrypi.org/blog/a-secu ... ian-pixel/

With all the talk of botnets- isn't it missing the point that for ssh to be internet accessible the user has to open up a port on their router & setup port forwarding.
If they are going to the trouble of doing that, they can change the user/password at the same time.

Changing from the default password is the main issue from a security standpoint - which is bizarre when you consider raspbian's desktop "auto-login" without any passowrd needed.....

What this change does is hamper those using ssh on their internal LANs - adding an extra step for a headless setup.
Admittedly adding a file called "ssh" on the boot partition isn't much trouble - but suddenly means you can't rely on access to any given raspbian system.

So I see the reasons for doing this I think the botnet thing is overblown - most pi aren't externally internet accessible by default - due to closed ports on all routers.
The Mirai bot net is from ip webcams which are by default internet accessible.
Relying on NAT to default-deny outside access presumes that there isn't a large application area (read: commercial/industrial uses) that don't follow the typical NATed router setup. Predicating security on a common but not ubiquitous setup basically exports the responsibility for plugging the hole elsewhere.
Rockets are loud.
https://astro-pi.org

User avatar
pi-anazazi
Posts: 543
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 3:13 pm

Why doesn't the first boot ALWAYS end in raspi-config and requests MANDATORY password to be set for pi AND root? No password-less sudo, of course!

Real security, or? And thousands of How-to's trashed, the same time...
Kind regards

anazazi

mikerr
Posts: 2778
Joined: Thu Jan 12, 2012 12:46 pm
Location: UK
Contact: Website

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 3:16 pm

jdb wrote:Relying on NAT to default-deny outside access presumes that there isn't a large application area (read: commercial/industrial uses) that don't follow the typical NATed router setup.
I'd hope "commercial/industrial" users wouldn't be using an unaltered desktop raspbian image anyway....

Enforced password change at first boot (even gui boot) would be nice.
How many million Pi are still running the default pi/raspberry credentials ?
Android app - Raspi Card Imager - download and image SD cards - No PC required !

User avatar
bensimmo
Posts: 4172
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 3:37 pm

For me if the changes and the information for their tutorials and web pages is updated to include changes, for example on the Raspian page, a link to the change log and links to their own blog post explaining these.

I have noticed they have been nicely and quickly updated for Pixel pictures and send what and gpiozero updates have altered some.
But the downloads have never had any link to what's been introduced, so you have to ask on search and trawl through why things don't work.
Like new setting in raspi-config, the uart Pi3 fun, that people may need to add a file to enable SSH...
https://www.raspberrypi.org/downloads/noobs/
So please add a link on Noobs to updates and bolg announcements (or for noobs to blog posts if you want to keep Raspian, though for many Noobs is the way to install Raspian.)
And keep the old links, as it's quite easy to go a lot of month never seeing the blog updates.

mikerr
Posts: 2778
Joined: Thu Jan 12, 2012 12:46 pm
Location: UK
Contact: Website

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 3:45 pm

It would be better if the main downloads page (http://raspberrypi.org/downloads) linked to, or included the release notes:

Code: Select all

2016-11-25:
  * SSH disabled by default; can be enabled by creating a file with name "ssh" in boot partition
  * Prompt for password change at boot when SSH enabled with default password unchanged
  * Adobe Flash Player included
  * Updates to hardware video acceleration in Chromium browser
  * Greeter now uses background image from last set in Appearance Settings rather than pi user
  * Updated version of Scratch
  * Rastrack option removed from raspi-config and Raspberry Pi Configuration
  * Ability to disable graphical boot splash screen added to raspi-config and Raspberry Pi Configuration
  * Appearance Settings dialog made tabbed to work better on small screens
  * Raspberry Pi Configuration now requires current password to change password
  * Various small bug fixes
  * Updated firmware and kernel
2016-09-23:
  * New PIXEL desktop environment - new icon set, window design, desktop images, splash screen and greeter
  * Chromium web browser included
  * Infinality font rendering patches included
  * RealVNC server and viewer included
  * SenseHAT emulator included
  * Rfkill entries added to Wifi and Bluetooth panel plugins
  * Updates to various standard applications, including Scratch and NodeRED
  * Various bug fixes, tweaks and translation updates
  * Updated firmware and kernel (https://github.com/raspberrypi/firmware/commit/ad8608c08b122b2c228dba0ff5070d6e9519faf5)
2016-05-27:
  * Fixed crash of lxpanel when D-bus not accessible
  * Fixed permissions for D-bus Bluetooth access
  * Removed sudo from shutdown options
  * Appearance of tooltips updated in theme
  * Fixed ejecter plugin grabbing focus
  * raspi-config command line and GUI apps tidied; unnecessary reboots removed
  * More error detection in piclone; copying of volume names and IDs added
  * Updated translation files
2016-05-10:
  * New version of Scratch, which no longer requires sudo
  * New version of BlueJ
  * New version of NodeRED
  * New version of pypy
  * pigpio included
  * geany editor included
  * SD Card Copier added (can be used to duplicate or back up the Pi)
  * Bluetooth plugin added to taskbar
  * Volume control on taskbar now compatible with Bluetooth devices
  * New shutdown helper application
  * Mouse double-click speed setting added to mouse and keyboard preference application
  * Option to enable / disable 1-wire interface and remote access to pigpio added to Raspberry Pi config application
  * File system automatically expanded on first boot
  * Empty Wastebasket option added to right-click menu 
  * Ctrl-Alt-T can be used to open a terminal window
  * Various small bug fixes and appearance tweaks 
  * Updated firmware and kernel (https://github.com/raspberrypi/firmware/commit/cc6d7bf8b4c03a2a660ff9fdf4083fc165620866)
2016-03-18:
  * updated firmware and kernel (https://github.com/raspberrypi/firmware/commit/951799bbcd795ddf27769d14acf4813fdcbe53dc)
  * use serial0 in cmdline.txt
  * wpa_supplicant.conf country default to GB (allows use of channels 12 and 13)
2016-02-26:
  * Support added for Pi 3, including Wifi and Bluetooth
  * Option to set wifi country code added to raspi-config
2016-02-09:
  * dtb that uses mmc sdcard driver (fixes problems experienced with certain SD cards)
2016-02-03:
  * new version of Sonic Pi (2.9)
  * new version of Scratch (15/1/16)
  * new version of Node-Red (2.5)
  * new version of Wolfram (10.3)
  * optional experimental GL desktop driver (can be enabled using advanced options in command-line raspi-config)
  * new version of Java (1.8.0_65)
  * new version of WiringPi
  * raspi-gpio included
  * ping no longer requires sudo (except NOOBS installs)
  * support for more USB audio devices in lxpanel
  * bug fix for creation of new menus in Alacarte
  * various changes to raspi-config and GUI to tidy up board support and fix bugs, and updated translations
  * small tweaks to theme to support GL driver
2015-11-21:
  * Included IBM Node-RED IoT application
  * Included graphical package manager
  * Included accelerated pixman library
  * Updated Epiphany browser to improve video compatibility
  * Updated Scratch with performance improvements and bug fixes
  * Updated Raspberry Pi configuration to allow boot to pause while
    network is established
  * Various minor bug fixes
2015-09-25:
  * Based on Debian Jessie
  * Upgraded applications - Epiphany browser, Scratch and Sonic Pi
  * Included applications - LibreOffice, Claws Mail, Greenfoot, BlueJ
  * Included utilities - Alacarte menu editor, Lxkeymap, scrot, tree, pip
  * New GUI-based Raspberry Pi Configuration application
  * GPIO control now possible without need for sudo
  * Web link to Magpi magazine included
  * New taskbar plugin to eject mounted USB drives
  * Default boot is now to GUI not desktop
  * Look and feel now based on GTK+3 default theme
  * Print screen key launches scrot to produce screenshot
  * Common keyboards autodetected by GUI and drivers loaded accordingly
  * Numerous small tweaks and bugfixes
2015-05-05:
  * Updated UI changes
  * Updated firmware
  * Install raspberrypi-net-mods
  * Install avahi-daemon
  * Add user pi to new i2c and spi groups
  * Modified udev rules for i2c and spi devices
2015-02-16:
  * Newer firmware with various fixes
  * New Sonic Pi release
  * Pi2 compatible RPi.GPIO
  * Updated Wolfram Mathematica
2015-01-31:
  * Support for Pi2
  * Newer firmware
  * New Sonic Pi release
  * Updated Scratch
  * New Wolfram Mathematica release
  * Updated Epiphany
2014-12-24:
  * Fix regression with omission of python-pygame
2014-12-22:
  * New firmware with variosu fixes and improvements
  * New UI configuration for lxde
  * Various package updates
  * python3-pygame preinstalled
  * 'nuscratch', scratch running on the Cog StackVM
  * Misc other changes
2014-09-09:
  * New firmware with various fixes and improvements
  * Minecraft Pi pre-installed
  * Sonic Pi upgraded to 2.0
  * Include Epiphany browser work from Collabora
  * Switch to Java 8 from Java 7
  * Updated Mathematica
  * Misc minor configuration changes
2014-06-20:
  * New firmware with various fixes, and kernel bugfix
2014-06-02:
  * Many, many firmware updates with major USB improvements
  * pyserial installed by default
  * picamera installed by default
2014-01-07:
  * Firmware updated
  * Some space saved on the root filesystem
2013-12-20:
  * Firmware updated, includes V4L2 fixes
  * Update omxplayer
2013-12-18:
  * Firmware updated and now using kernel 3.10. Many, many improvements
  * fbturbo XOrg driver is now included and enabled by default. Thanks to 
    ssvb https://github.com/ssvb/xf86-video-fbturbo
  * Update Scratch image with further bug fixes
  * Include Wolfram Mathematica
  * Update to PyPy 2.2
  * Update omxplayer
  * Include v4l-utils for use with experimental V4L2 Raspberry Pi camera driver
  * Update squeak-vm to fix issues with loading JPEGs
2013-09-25:
  * Update Scratch image for further performance improvements
  * Include Oracle JDK
  * At least a 4GiB SD card is now required (see above)
  * Include PyPy 2.1
  * Include base piface packages
  * Update raspi-config to include bugfix for inheriting language settings
    from NOOBS
2013-09-10:
  * Updated to current top of tree firmware
  * Update squeak-vm, including fastblit optimised for the Raspbery Pi 
  * Include Sonic Pi and a fixed jackd2 package
  * Support boot to Scratch
  * Inherit keyboard and language settings from NOOBS
http://downloads.raspberrypi.org/raspbi ... _notes.txt


The info is all there - but not immediately discoverable by the casual user.
Android app - Raspi Card Imager - download and image SD cards - No PC required !

wagner4362
Posts: 1
Joined: Wed Nov 30, 2016 4:01 pm

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 4:18 pm

I know these changes are to improve security so it just create a file called "ssh" without extensions and put on boot partition, nothing else?

User avatar
bensimmo
Posts: 4172
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 4:23 pm

mikerr wrote:It would be better if the main downloads page (http://raspberrypi.org/downloads) linked to, or included the release notes:

Code: Select all

2016-11-25:
  * SSH disabled by default; can be enabled by creating a file with name "ssh" in boot partition
  * Prompt for password change at boot when SSH enabled with default password unchanged
  * Adobe Flash Player included
  * Updates to hardware video acceleration in Chromium browser
  * Greeter now uses background image from last set in Appearance Settings rather than pi user
  * Updated version of Scratch
  * Rastrack option removed from raspi-config and Raspberry Pi Configuration
  * Ability to disable graphical boot splash screen added to raspi-config and Raspberry Pi Configuration
  * Appearance Settings dialog made tabbed to work better on small screens
  * Raspberry Pi Configuration now requires current password to change password
  * Various small bug fixes
  * Updated firmware and kernel
2016-09-23:
  * New PIXEL desktop environment - new icon set, window design, desktop images, splash screen and greeter
  * Chromium web browser included
  * Infinality font rendering patches included
  * RealVNC server and viewer included
  * SenseHAT emulator included
  * Rfkill entries added to Wifi and Bluetooth panel plugins
  * Updates to various standard applications, including Scratch and NodeRED
  * Various bug fixes, tweaks and translation updates
  * Updated firmware and kernel (https://github.com/raspberrypi/firmware/commit/ad8608c08b122b2c228dba0ff5070d6e9519faf5)
2016-05-27:
  * Fixed crash of lxpanel when D-bus not accessible
  * Fixed permissions for D-bus Bluetooth access
  * Removed sudo from shutdown options
  * Appearance of tooltips updated in theme
  * Fixed ejecter plugin grabbing focus
  * raspi-config command line and GUI apps tidied; unnecessary reboots removed
  * More error detection in piclone; copying of volume names and IDs added
  * Updated translation files
2016-05-10:
  * New version of Scratch, which no longer requires sudo
  * New version of BlueJ
  * New version of NodeRED
  * New version of pypy
  * pigpio included
  * geany editor included
  * SD Card Copier added (can be used to duplicate or back up the Pi)
  * Bluetooth plugin added to taskbar
  * Volume control on taskbar now compatible with Bluetooth devices
  * New shutdown helper application
  * Mouse double-click speed setting added to mouse and keyboard preference application
  * Option to enable / disable 1-wire interface and remote access to pigpio added to Raspberry Pi config application
  * File system automatically expanded on first boot
  * Empty Wastebasket option added to right-click menu 
  * Ctrl-Alt-T can be used to open a terminal window
  * Various small bug fixes and appearance tweaks 
  * Updated firmware and kernel (https://github.com/raspberrypi/firmware/commit/cc6d7bf8b4c03a2a660ff9fdf4083fc165620866)
2016-03-18:
  * updated firmware and kernel (https://github.com/raspberrypi/firmware/commit/951799bbcd795ddf27769d14acf4813fdcbe53dc)
  * use serial0 in cmdline.txt
  * wpa_supplicant.conf country default to GB (allows use of channels 12 and 13)
2016-02-26:
  * Support added for Pi 3, including Wifi and Bluetooth
  * Option to set wifi country code added to raspi-config
2016-02-09:
  * dtb that uses mmc sdcard driver (fixes problems experienced with certain SD cards)
2016-02-03:
  * new version of Sonic Pi (2.9)
  * new version of Scratch (15/1/16)
  * new version of Node-Red (2.5)
  * new version of Wolfram (10.3)
  * optional experimental GL desktop driver (can be enabled using advanced options in command-line raspi-config)
  * new version of Java (1.8.0_65)
  * new version of WiringPi
  * raspi-gpio included
  * ping no longer requires sudo (except NOOBS installs)
  * support for more USB audio devices in lxpanel
  * bug fix for creation of new menus in Alacarte
  * various changes to raspi-config and GUI to tidy up board support and fix bugs, and updated translations
  * small tweaks to theme to support GL driver
2015-11-21:
  * Included IBM Node-RED IoT application
  * Included graphical package manager
  * Included accelerated pixman library
  * Updated Epiphany browser to improve video compatibility
  * Updated Scratch with performance improvements and bug fixes
  * Updated Raspberry Pi configuration to allow boot to pause while
    network is established
  * Various minor bug fixes
2015-09-25:
  * Based on Debian Jessie
  * Upgraded applications - Epiphany browser, Scratch and Sonic Pi
  * Included applications - LibreOffice, Claws Mail, Greenfoot, BlueJ
  * Included utilities - Alacarte menu editor, Lxkeymap, scrot, tree, pip
  * New GUI-based Raspberry Pi Configuration application
  * GPIO control now possible without need for sudo
  * Web link to Magpi magazine included
  * New taskbar plugin to eject mounted USB drives
  * Default boot is now to GUI not desktop
  * Look and feel now based on GTK+3 default theme
  * Print screen key launches scrot to produce screenshot
  * Common keyboards autodetected by GUI and drivers loaded accordingly
  * Numerous small tweaks and bugfixes
2015-05-05:
  * Updated UI changes
  * Updated firmware
  * Install raspberrypi-net-mods
  * Install avahi-daemon
  * Add user pi to new i2c and spi groups
  * Modified udev rules for i2c and spi devices
2015-02-16:
  * Newer firmware with various fixes
  * New Sonic Pi release
  * Pi2 compatible RPi.GPIO
  * Updated Wolfram Mathematica
2015-01-31:
  * Support for Pi2
  * Newer firmware
  * New Sonic Pi release
  * Updated Scratch
  * New Wolfram Mathematica release
  * Updated Epiphany
2014-12-24:
  * Fix regression with omission of python-pygame
2014-12-22:
  * New firmware with variosu fixes and improvements
  * New UI configuration for lxde
  * Various package updates
  * python3-pygame preinstalled
  * 'nuscratch', scratch running on the Cog StackVM
  * Misc other changes
2014-09-09:
  * New firmware with various fixes and improvements
  * Minecraft Pi pre-installed
  * Sonic Pi upgraded to 2.0
  * Include Epiphany browser work from Collabora
  * Switch to Java 8 from Java 7
  * Updated Mathematica
  * Misc minor configuration changes
2014-06-20:
  * New firmware with various fixes, and kernel bugfix
2014-06-02:
  * Many, many firmware updates with major USB improvements
  * pyserial installed by default
  * picamera installed by default
2014-01-07:
  * Firmware updated
  * Some space saved on the root filesystem
2013-12-20:
  * Firmware updated, includes V4L2 fixes
  * Update omxplayer
2013-12-18:
  * Firmware updated and now using kernel 3.10. Many, many improvements
  * fbturbo XOrg driver is now included and enabled by default. Thanks to 
    ssvb https://github.com/ssvb/xf86-video-fbturbo
  * Update Scratch image with further bug fixes
  * Include Wolfram Mathematica
  * Update to PyPy 2.2
  * Update omxplayer
  * Include v4l-utils for use with experimental V4L2 Raspberry Pi camera driver
  * Update squeak-vm to fix issues with loading JPEGs
2013-09-25:
  * Update Scratch image for further performance improvements
  * Include Oracle JDK
  * At least a 4GiB SD card is now required (see above)
  * Include PyPy 2.1
  * Include base piface packages
  * Update raspi-config to include bugfix for inheriting language settings
    from NOOBS
2013-09-10:
  * Updated to current top of tree firmware
  * Update squeak-vm, including fastblit optimised for the Raspbery Pi 
  * Include Sonic Pi and a fixed jackd2 package
  * Support boot to Scratch
  * Inherit keyboard and language settings from NOOBS
http://downloads.raspberrypi.org/raspbi ... _notes.txt


The info is all there - but not immediately discoverable by the casual user.
It should be noted the Raspian downloads do have the link, but not the Noobs.
Still neither have the important and often most informative link to any blog announcements.

User avatar
pi-anazazi
Posts: 543
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 4:36 pm

OMG!

Adobe Trash Player included but ssh disabled for security? This can't be true, we are in Nov 2016, everybody should abandon this garbage right now.
Kind regards

anazazi

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 4:44 pm

pi-anazazi wrote:OMG!

Adobe Trash Player included but ssh disabled for security? This can't be true, we are in Nov 2016, everybody should abandon this garbage right now.
I get your surprise.

I, too, was surprised to see Flash player listed there. I thought all these years we had been told that there was and never would be Flash on ARM. Did Adobe have a change of heart?

Does this mean YouTube vids should "just work" in the browser, like they do on X86?
If this post appears in the wrong forums category, my apologies.

gkreidl
Posts: 6086
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 4:49 pm

Martin Frezman wrote:
pi-anazazi wrote:OMG!

Adobe Trash Player included but ssh disabled for security? This can't be true, we are in Nov 2016, everybody should abandon this garbage right now.
I get your surprise.

I, too, was surprised to see Flash player listed there. I thought all these years we had been told that there was and never would be Flash on ARM. Did Adobe have a change of heart?

Does this mean YouTube vids should "just work" in the browser, like they do on X86?
You seem to have missed a lot. A flash player for chromium browser has been available for quite some time now. And no, it cannot be used to play video (in real time). But chromium has HW acceleration now for HTML5 video (similar to epiphany).
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

Martin Frezman
Posts: 1020
Joined: Mon Oct 31, 2016 10:05 am

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 4:56 pm

You have just said "No. Nothing new here".
If this post appears in the wrong forums category, my apologies.

User avatar
Paul Webster
Posts: 801
Joined: Sat Jul 30, 2011 4:49 am
Location: London, UK
Contact: Twitter

Re: New Raspbian release "2016-11-25"

Wed Nov 30, 2016 4:56 pm

jdb wrote:
mikerr wrote: So I see the reasons for doing this I think the botnet thing is overblown - most pi aren't externally internet accessible by default - due to closed ports on all routers.
The Mirai bot net is from ip webcams which are by default internet accessible.
Relying on NAT to default-deny outside access presumes that there isn't a large application area (read: commercial/industrial uses) that don't follow the typical NATed router setup. Predicating security on a common but not ubiquitous setup basically exports the responsibility for plugging the hole elsewhere.
I think it is sensible because getting inside a NAT protected network is not as hard as you might think.
A webcam/CCTV system that a user wants to view while out might well use UPNP to tell the broadband router to punch a hole to allow access ... then if that CCTV system has a security issue (not uncommon) then someone managing to run a script within that box would be inside the NAT environment and could SSH to RPi etc.

My guess is that UPNP is enabled by default on many domestic routers and people who do not change default password on RPi also do not disable UPNP on their router and as a gadget person (who bought RPi) may well also buy Webcam/CCTV kit.

Return to “Raspbian”