Vero 4k+: Linux Kernel 4.9 is end-of-life

Well, if OSMC with Kodi were exposed to the Internet, then kernel bugs would be the lowest of your concerns.


4.9.269 is the last upstream AOSP that we took. We have been backporting since then, as have AML.

If you need the latest kernel, you can run that today.

As @fzinken says, Kodi is for sure a larger and more practical attack vector than the kernel.

This is a terrible statement and borderline offensive. We have not chosen functionality over security. As stated previously, we continue to maintain and support the 4.9 kernel in an LTS manner. The fact that it is not the latest is neither here nor there. This is not atypical in the appliance world. Look at an IP camera, Synology NAS or other embedded device. It won’t be running yesterday’s kernel.

We take security very seriously.

Sam, we are friends here. I sincerely appreciate your work. If I came across as “offensive”, I apologize.

I myself have said that Kodi and add-ons are the biggest attack surface for many vulnerabilities. But please don’t disregard that the system environment including the kernel are also part of the attack surface and potential chains.

If you can say how many of the 594 CVEs in Linux in 2022 and 2023 were backported to OSMC 4.9.269, I would be very interested in that number.

Unfortunately some folks do this in a very insecure manner with their setups. Sometimes in a pull method by accessing sites and content that have questionable cybersecurity practices, and in worse scenarios sharing their Kodi media directly to the Internet with less than adequate security.

To Sam’s point, I’d be far more concerned about the numerous insecure IoT devices and deployments sitting on people’s home networks. I have over 30 years of cybersecurity experience with some of the largest enterprise networks in the world and work with almost all of the major cybersecurity vendors. I often say in those conversations that the world will understand IoT one day when people are hauling their broken refrigerators, TV sets, thermostats and other IoT devices to the curb for trash pickup because they no longer work. That day is coming.

Thanks,

Jeff


The CVE link you have provided is for Debian, so it will be appropriate to Debian releases.

As you’ve said, you’re not comfortable with vendors maintaining any kernels (i.e. Debian, Red Hat, etc.) and want to run a ‘pure’ upstream kernel.

Any network CVEs will be backported.

Obviously some CVEs just don’t apply, for example x64 vulnerabilities, or drivers that we don’t use (e.g. a vulnerability in a WiFi adapter that’s PCI-E and can’t even be connected).

We promised five years of support from Vero’s launch in 2017 but we have extended that and will continue to support the device for some time. Logically it does not make sense for us to even attempt to update the kernel.

I saw on Twitter the other day that someone has a WiFi connected washing machine. I don’t get the concept because you need to physically load/unload it, but anyway.

It was using 3.6GB of data a day.


All I can say is that it is worse than people realize on many fronts. Don’t get me started on various home automation devices and mobile apps to control home IoT devices. My wife and I bought a new coffee maker for Christmas. It has WiFi connectivity for a mobile app. My wife looked at me and knew the answer to the question before even asking. Use the coffee maker but ignore the WiFi connectivity.

Jeff

But why? You have to bring the cup to the machine, so you might as well flick it manually while standing there.

I don’t understand what convenience it provides.

We’re way off topic here but to answer your question I think this is to connect to a mobile scheduling app to start the coffee brewing at a certain time. Probably easier and cheaper for the manufacturer than building that hardware and software into the device like they used to.

For me, my coffee only takes a couple of minutes to brew. I think I can wait.

Jeff

This link was just for a general ballpark. The official CVE database lists at least 556 CVEs for “linux kernel” in 2022 and 2023: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=“linux+kernel”

I never said that. I am very comfortable with Debian maintaining kernels I use. Debian publishes detailed security information and a FAQ, and it has a solid track record.

That’s (part of) the reason I chose OSMC, because it’s based on Debian. But I discovered that OSMC doesn’t use Debian (or Raspbian) kernels after I bought it.

I just can’t say I am comfortable with the way AMLogic maintains a 4.9 kernel. I lack good information to assess the security implications of their design decisions and practice. That’s especially true for a kernel that’s officially EOL and unsupported by the upstream developers.

I understand AMLogic and OSMC have to make a trade-off. And I understand why you chose the way you do. I am in no position to demand that you should do anything differently.

It’s hard to be satisfied with “we take security very seriously” and “we’re secure, trust us”. Best practice is “trust, but verify”.

The number of CVEs you backported from those 500+ would help me a lot. I am unable to find it myself.

The last commit in the vero-linux repo containing “CVE” is from 2015: Commit search results · GitHub
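As an added example (not part of this thread, and not OSMC’s or AML’s own tooling), here is the kind of “trust, but verify” check being asked for: a small POSIX shell pipeline that reads a kernel tree’s commit messages from `git log` and tallies the distinct CVE identifiers mentioned, by year. It also counts commits that follow the upstream stable convention of a `commit <sha> upstream` line, because many backports carry the upstream commit id but never mention a CVE at all, so a CVE search alone undercounts what was actually backported. The function names and the sample commit messages in the comments are my own construction.

```shell
#!/bin/sh
# Added example, not from the thread. Requires git, grep, sort, uniq, awk.
#
# Usage (assumes a local checkout of the kernel tree under test):
#   cd /path/to/vero-linux
#   git log --format='%s%n%b' v4.9.269..HEAD | cve_tally
#   git log --format='%s%n%b' v4.9.269..HEAD | upstream_tally

# Count distinct CVE identifiers per year from commit-message text on stdin.
# Output lines look like "2022 3", sorted by year.
cve_tally() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' \
    | sort -u \
    | awk -F- '{ n[$2]++ } END { for (y in n) printf "%s %d\n", y, n[y] }' \
    | sort
}

# Count commits that reference an upstream commit in the stable-tree style
# ("commit <40-hex sha> upstream"). These backports often do not name a CVE,
# so this number is the other half of the picture. Prints 0 when none match.
upstream_tally() {
    grep -cE '^commit [0-9a-f]{40} upstream$' || true
}

# Stand-alone demonstration on constructed commit messages (placeholder CVE ids
# and a placeholder sha; none of these refer to real fixes).
if [ "${1:-}" = "--demo" ]; then
    demo_log=$(printf '%s\n' \
        'net: fix a parsing issue' \
        '' \
        'Addresses CVE-2022-00001 and CVE-2023-00002.' \
        '' \
        'commit 0123456789abcdef0123456789abcdef01234567 upstream' \
        '' \
        'fs: another change' \
        '' \
        'Follow-up for CVE-2022-00001.')
    echo "CVE ids per year:"
    printf '%s\n' "$demo_log" | cve_tally
    echo "stable-style upstream references:"
    printf '%s\n' "$demo_log" | upstream_tally
fi
```

Two caveats when reading the numbers: a backport that cites neither a CVE nor an upstream sha is invisible to both counts, and a commit that mentions a CVE is not proof the fix is complete, so the output is a starting point for a conversation like this one, not a verdict.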

Honestly, this is on Kodi, not Sam (I say that with some authority since I’m both on the Kodi dev team and the maintainer of the TV Show scraper). The newer scrapers are written in Python but still using a framework originally created for the old XML scrapers. That means the scraper gets called multiple times to scrape one thing (less true for movies, very true for TV Shows), and that creates a great deal of overhead, as Python stuff is created and destroyed on every call.

The long term plan is to change the framework to allow batch updates to the database when scraping, but the team had to EOL the XML scrapers before that work could begin. So it’ll be Kodi 22 or 23 at the earliest.

Having said all that, scraping my library on the Vero V was maybe 30% faster than with the Vero 4K+ using the default scrapers.

Well, I specifically reinstalled one of my 4K+es from scratch with a fresh new image and re-scraped everything into a SQLite DB, and I still have a sad face on that device when I try to scan the library. So I decided to go back to basics and defaults even more and tried to use the scraper you include in the default install, and also got rid of the nfs:// rewrite I was using previously, just in case.
These are the reasons why I decided to re-scan and re-scrape everything once again.

Thanks @pkscout, it took a few times 24h but I am past the re-scanning and re-scraping. I am more uncomfortable with the seemingly random errors scanning/scraping international characters in the titles (Eastern European, Cyrillic, Korean, Chinese etc.).
It may or may not be related to the Date/Time errors popping up with the Kodi default interface, hence I also reverted to the OSMC default even though I do miss the wide selection of possibilities: the OSMC skin looks empty and bare to me. But at least it does not pop an Embuary Python error every once in a while. (Any ideas welcome on how to fill it with more than the single line of a few movie posters when it boots up :sweat_smile:)
I remember having tracked it down in the forums / bug trackers of OSMC → Kodi → “we will not fix it, Python should fix it” or something similar :face_with_monocle:

If you have a complete library scan that you have already worked through any problematic titles and fixed those in Kodi’s database then you might consider exporting your Kodi library to individual files. This would place nfo and artwork files next to your media that Kodi would then use instead of trying to scrape online.

If there are for some reason some titles that are problematic, or such that you want them tweaked, you could also use a media manager like Tiny Media Manager to create and/or edit these files instead of working through the issue inside every Kodi instance you’re running.

MariaDB (or MySQL) is an excellent approach if you use more than one device that you run Kodi on (2 TVs, or a TV and a tablet or computer, etc.). It does take a bit of effort to initially set up (install, set up permissions for incoming connections, create user), and depends on you having some device that you keep running 24/7 (a server, desktop, NAS, or something similar, noting that the more horsepower you have, the better your performance will be). However, it works quite well once it is set up, and works miracles on the scanning issue (you only need to scan media once and it’s available on all devices, and things like your watched status magically show up on all devices, etc.).

Personally, I serve my media files off a home server with a TV tuner card where I also run hts (tvheadend) for my DVR, as well as several docker-based apps. It’s also useful in that I can simply run a Kodi instance on the server to do all the scanning – it has local access to the files, and is vastly more powerful than any TV set-top box is likely to ever be, so it’s faster to just use the server to maintain my Kodi library.

MariaDB and MySQL are just different Kodi sharing mechanisms but still leverage the existing Kodi scrapers, which I think was a question. There are other Kodi sharing solutions which have built-in non-Kodi scrapers, and Kodi has a forum for third party scrapers including TMM (Tiny Media Manager), Ember and more.

Note that a couple of potential downsides of centralized databases like MariaDB and MySQL are that you manage your library from Kodi and without proper controls any user can change your library, whether you want or not, and second they require all clients to be on the same version of Kodi library (typically tied to the Kodi version) in order to share amongst the clients. Some of the other Kodi solutions don’t have these limitations and provide a scraper alternative.

Thanks,

Jeff

Just curious, Sam, why is that the case? Is it that you’re going to stop doing any updates for the 4K+ at all, full stop? Or is there some extreme difficulty in adding the newer kernel to the 4K?

Will Debian package updates still continue to install, even if there are no OSMC updates? Or will they need to be done manually by apt?

From what I get from the sideline, it is extremely difficult; it took quite a while of development and testing to move to the 4.9 kernel.

As long as Debian updates the current branch we are on, you will get updates.
It could even be that Sam changes to a newer branch which would mean even longer updates from Debian.