SIX months since Merlin included updated Asus GPL - what's cooking at Asus ???

[kernol]

Anyone know what's cooking [or not] with Asus not releasing GPL's for 6 months for Merlin to work on?
It really seems strange that so many new Asus stock firmware versions have been released since 2 April 2021 - several of them including a pile of "patches and bug fixes" - yet nothing for the Maestro to work on ???
For e.g. ...

Spoiler: AX86U 3.0.0.4.386.45375 - end August ...

2021/08/31 74.93 MBytes
ASUS RT-AX86 Series(RT-AX86U/RT-AX86S) Firmware version 3.0.0.4.386.45375
This version includes several vulnerability patches.
BusyBox
- CVE-2016-2148
- CVE-2016-6301
- CVE-2018- 1000517

cURL
- CVE-2020-8169
- CVE-2019-5481
- CVE-2019-5482
- CVE-2018-1000120
- CVE-2018- 1000300
- CVE-2018-16839

Lighttpd
- CVE-2018-19052

Linux
- CVE-2020-14305
- CVE-2020-25643
- CVE-2019-19052

lldpd
- CVE-2020-27827

Avahi
- CVE-2017-6519

hostapd
- CVE-2021-30004
- CVE-2019-16275

OpenVPN
- CVE-2020-11810
- CVE-2020-15078

wpa
- CVE-2021-30004
- CVE-2021-27803
- CVE-2019-11555
- CVE-2019-9499
- CVE-2019-9498
- CVE-2019-9497
- CVE-2019-9496
- CVE-2019-9495
- CVE-2019-9494
- CVE-2017-13086
- CVE-2017-13084
- CVE-2017-13082
- CVE-2016-4476
- CVE-2015-8041

Fixed DoS vulnerability from spoofed sae authentication frame. Thanks to Efstratios Chatzoglou, University of the Aegean, Georgios Kambourakis, European Commission at the European Joint Research Centre, and Constantinos Kolias, University of Idaho.

Fixed envrams exposed issue. Thanks to Quentin Kaiser from IoT Inspector Research Lab contribution.

I'm sure that Merlin has enjoyed the break - [longest inactivity on his GitHub code base since 2016 - 18 days].

 

[L&LD]

RMerlin already has stated he doesn't want to get into the reasons why.

But, they should be gearing up again soon.

 

[shabbs]

I'm sure that Merlin has enjoyed the break - [longest inactivity on his GitHub code base since 2016 - 18 days].

I hope he truly has been able to enjoy a break of some sort.

 

[kernol]

RMerlin already has stated he doesn't want to get into the reasons why.

But, they should be gearing up again soon.

I hear you - but a lack of transparency does not sit well in the market place.
It leads to conjecture - which is often far more harmful than the truth!

Three months back we heard ... "should be gearing up soon" - since then nothing ???

 

[L&LD]

My paraphrasing of what RMerlin stated above was from just a few weeks ago.

Asus isn't more (or less) transparent than any other company. I'm sure if pressed, their reasons would be 'Covid' related, with most not requiring any further clarification.

 

[dave14305]

Merlin apparently has at least a single GPL for the AX86U.

GitHub - RMerl/asuswrt-merlin.ng at 45581

Third party firmware for Asus routers (newer codebase) - GitHub - RMerl/asuswrt-merlin.ng at 45581

github.com

While I’m not a conspiracy theorist, it is disappointing that this project might be going more and more closed source (rather, it’s impacted by the increasing reliance upstream on closed sourced components). Users can’t build their own fully functional firmware anymore. Upstream doesn’t release GPLs as often as they used to.

Seems like Broadcom and/or Trend Micro must have had a fit about something or other for Asus to be where they are with GPLs. Even Merlin had to “reset” his github repo a little while back because it likely included some secret sauce from upstream.

 

[joegreat]

Anyone know what's cooking [or not] with Asus...

My theory is like "Cold Brew Coffee" - GPL needs time in cold water and can then be enjoyed for weeks!
We simply need to wait and enjoy the waiting time!

 

[DJones]

Merlin apparently has at least a single GPL for the AX86U.

GitHub - RMerl/asuswrt-merlin.ng at 45581

Third party firmware for Asus routers (newer codebase) - GitHub - RMerl/asuswrt-merlin.ng at 45581

github.com

While I’m not a conspiracy theorist, it is disappointing that this project might be going more and more closed source (rather, it’s impacted by the increasing reliance upstream on closed sourced components). Users can’t build their own fully functional firmware anymore. Upstream doesn’t release GPLs as often as they used to.

Seems like Broadcom and/or Trend Micro must have had a fit about something or other for Asus to be where they are with GPLs. Even Merlin had to “reset” his github repo a little while back because it likely included some secret sauce from upstream.

Isn’t router firmware legally supposed to be locked down in the US?, well that’s not really the case outside of US model routers for manufacturers I think that could lead to more closed source firmwares in other countries as a consequence even if their is nothing legally persuading them to do so.

 

[john9527]

it is disappointing that this project might be going more and more closed source (rather, it’s impacted by the increasing reliance upstream on closed sourced components). Users can’t build their own fully functional firmware anymore.

Yes, it's unfortunate....even if understandable given how some folks were porting ASUS licensed code to non-ASUS routers.

For me, it's why I haven't moved to do a follow on LTS fork or purchased a new ASUS HND based router. Instead, looking at other avenues to play with based on an fully open source x86 solution....

Spoiler

*** 13:54 - Start building orion/openwrt...
--- 13:54 - Updating/Installing feeds
--- 13:54 - Restoring build config
dev-21.275.75291-a0d6ce6

--- 13:55 - Starting make
*** 14:26 - Done building orion/openwrt! Elapsed time 32 Minutes 3 Seconds

=== 14:26 - All done!

 

[kernol]

.... I'm sure if pressed, their reasons would be 'Covid' related, with most not requiring any further clarification.

I for one would not "buy" Covid as an excuse - given that Asus has been releasing LOTS of stock firmware updates in the Covid era for most supported models - just withholding open source GPL's for the past 6 months. As far as I can tell - they are TOTALLY withholding GPL's for the RT-AX86U for Joe Public as the Asus support sites I am able to access do not list "Other" as an operating software drop down choice so that the GPL can be displayed.

Anyway - point made when you see stalwarts like @john9527 starting to play in new places.

The ONLY reason why I have Asus routers is because of the Magic of Merlin and the extensions his firmware has enabled for the many coders that empower us non-coders to improve performance and keep out the baddies. I am sure there are tens of thousands of others like me who enjoy Merlinware - but may be forced to look elsewhere if necessary security upgrades and bug fixes in the closed source sections are not made available in good time to Eric.

He has my full support and of late ... my sympathies because of the "lifetime" he has expended since 2012 in fixing and extending AsusWrt - but now hamstrung by their delays!

 

[L&LD]

RMerlin, not Merlin.

Doesn't matter if we 'buy' their excuses or not (and I'm with you on that, I wouldn't), yet we must still live with their decisions. It's manpower-related, I'm edu-guessing here.

 

[kernol]

it is disappointing that this project might be going more and more closed source (rather, it’s impacted by the increasing reliance upstream on closed sourced components). Users can’t build their own fully functional firmware anymore. Upstream doesn’t release GPLs as often as they used to.

Seems like Broadcom and/or Trend Micro must have had a fit about something or other ...

Yes, it's unfortunate....even if understandable given how some folks were porting ASUS licensed code to non-ASUS routers.

It really would be helpful if Asus at least confirmed that the delayed release of GPL Source code was caused entirely by those who abused the privilege of their licensed code [from Trend Micro?] on non-Asus routers. As can be seen from the blog link below - the Trend Micro addition is a very material money saver for those buying Asus Routers ...
https://dongknows.com/trend-micro-home-network-security-review/

That "saving" is of course only relevant if you actually use Trend Micro [and I don't] - so compiling firmware without it being available would be fully fine with me. Sadly however - self compile without Trend Micro is presently broken ... at least using the add-on provided by @Adamm no longer works!

Could the answer lie in Asus itself opening up JFFS custom script use in its own firmware [equivalent "System" Tab to Merlin's?] and no longer releasing GPL's. I'm showing my coding ignorance I know ... so feel free to crush the concept .
As an "update junkie" I just want a fully security patched / bug fixed Router to keep me and my family as safe as possible..

 

[Simon W]

It really would be helpful if Asus at least confirmed that the delayed release of GPL Source code was caused entirely by those who abused the privilege of their licensed code [from Trend Micro?] on non-Asus routers.

Informative - yes - though not sure how helpful as we'd still be no closer to another GPL code release and still the uncertainty of their stance/willingness/ability to do this moving forward.

compile without Trend Micro

Potentially could be the direction we are heading, though would need thought from both Asus and @RMerlin - some additional work from both parties - also changes the stance of this project slightly (ie. firmware would be missing features vs. oem).

Could the answer lie in Asus itself opening up JFFS custom script use in its own firmware [equivalent "System" Tab to Merlin's?] and no longer releasing GPL's. I'm showing my coding ignorance I know ... so feel free to crush the concept .

@RMerlin doesn't just extend / add customisations to the firmware (indeed this projects stance is to minimise this), it's more about bug fixing and enhancing core functionality.. doing so in a more hands-on and timely fashion than Asus.. though some of which does seemingly find its way back upstream them (either literally or in concept) and no doubt why they appreciate his hard work.

 

[RMerlin]

It really would be helpful if Asus at least confirmed that the delayed release of GPL Source code was caused entirely by those who abused the privilege of their licensed code [from Trend Micro?] on non-Asus routers.

I know the exact reason why the current situation is what it is, they haven't hid anything there.

 

[jsbeddow]

I know the exact reason why the current situation is what it is, they haven't hid anything there.

Can you elaborate on those reasons?
Or does that fall under proprietary/confidential/trade-secret/NDA?
I don't claim any sort of "right to know", but I have to admit to being curious about what brought us here. TIA.

 

[RMerlin]

Can you elaborate on those reasons?
Or does that fall under proprietary/confidential/trade-secret/NDA?
I don't claim any sort of "right to know", but I have to admit to being curious about what brought us here. TIA.

It's not something I want to discuss publicly since it's an internal Asus matter, sorry.

 

[Simon W]

Fully respecting this @RMerlin , changing the angle slightly, are you able/willing to give us a view on <whatever> being resolvable at some point (hopefully soon!) and things returning to business-as-usual in terms of the conveyer belt of bits & bobs you need from Asus being started back up again? Even if speculation on your part, as I’d be much more interested in your view being the one with more information than most! Thanks.

(apologies if this has already been asked/discussed)

 

[RMerlin]

They are supposedly close to a final resolution, but since all previous ETA/deadlines were missed, I stopped having any expectation as to when things will return to normal. It will happen whenever it happens.

 

[shabbs]

In the meantime... let those uptime's roll!

 

[Simon W]

Good to hear, thanks. I for one am reading this as a positive - while of course anything could always happen.. definitely sounds like a “pause” as opposed to the plug being potentially pulled. I’ll be impatiently (though quietly) watching this space!