omnipkg v2.0.4 — Filelock CVE-2025-68146 Closed · ARM32 + ARM64 Verified · 23+ Platforms

[1minds3t]

This is a landmark release for omnipkg, focused on hardening security, achieving near-universal platform verification, and implementing a robust, automated CI/CD pipeline. Version 2.0.4 introduces critical security patches, adds complete ARM64 and ARM32 test coverage, and brings native support for Apple Silicon.

🌟 Major Highlights

• 🔒 Security Hardening (CVE-2025-68146): Patched a critical file-locking vulnerability by vendoring a patched version of filelock, ensuring users on all Python versions are protected out-of-the-box.
• 🚀 Complete ARM Architecture Verification: Introduced an exhaustive testing suite for both ARM64 and ARM32 architectures.
  • ARM64 (aarch64): Now verified across 6 major Linux distributions using a powerful QEMU emulation pipeline.
  • ARM32 (armv7): Now automatically verified by scraping build results from the trusted piwheels.org repository.
• 🍏 Native Apple Silicon (macOS ARM64) CI: Added a dedicated job using GitHub's macos-14 native M-series runners, ensuring flawless performance on modern Macs.
• 🤖 Bulletproof Release Pipeline: The PyPI publishing process is now gated, and will not run until all critical cross-platform and ARM64 verification tests have passed successfully.
• 📝 Major Documentation Overhaul: The README.md has been massively updated with detailed, auto-generated platform support matrices, reflecting the live results of our new CI pipelines.

---

Detailed Changes

1. Security Enhancements

• Vendored filelock for CVE-2025-68146: To protect users on older Python versions (< 3.10) from a symlink-based vulnerability in filelock, we have vendored a patched version of the library directly into omnipkg. This provides an immediate, seamless fix without requiring users to manage complex dependencies. Python 3.10+ will continue to use the latest secure version from PyPI.
• Upgraded Security Scanners: The dependency logic in pyproject.toml has been refined to use the latest safety for supported Python versions and pip-audit as a fallback, ensuring continuous security scanning across our entire Python version range (3.7-3.14).

2. Massive CI/CD Expansion

• ARM64 Verification via QEMU: A new workflow (arm64-verification.yml) now runs on every tag and release, testing omnipkg inside Podman containers on emulated ARM64 environments for Debian, Ubuntu, Fedora, Rocky Linux, and Alpine.
• Native Apple Silicon Testing: The primary build verification workflow now includes a macos-14 runner, adding native ARM64 testing on Apple's M-series hardware to our matrix.
• Automated ARM32 (Raspberry Pi) Verification: A new workflow (piwheels-arm32-verification.yml) runs on a schedule and after releases to scrape piwheels.org, confirming that builds for Raspberry Pi are available and updating the README with the results.
• Gated PyPI Publishing: The publish.yml workflow now explicitly waits for the main cross-platform and ARM64 tests to complete successfully before allowing a package to be published. This prevents accidental releases of broken code.
• Automated Branch Syncing: New workflows (sync-main.yml, auto-merge-to-main.yml) have been implemented to keep the development and main branches synchronized, improving development velocity and stability.
• Multi-Arch Docker Builds: The Docker build process (docker-ci-ghcr.yml) is now more robust, building and pushing multi-architecture images (amd64, arm64) to both Docker Hub and GitHub Container Registry.

3. Bug Fixes and Refinements

• Fixed KB Initialization Deadlock: Resolved a NoneType error in the package_meta_builder that could occur during the very first knowledge base build when trying to run a security scan before the bubble manager was fully initialized.
• Dockerfile Simplification: Removed the Redis server from the official Docker image. omnipkg's automatic fallback to a built-in SQLite database makes this unnecessary for most users and results in a lighter, more secure container.

This release represents a huge leap forward in the reliability, security, and professional-grade quality assurance of omnipkg.

---

This discussion was created from the release omnipkg v2.0.4 — Filelock CVE-2025-68146 Closed · ARM32 + ARM64 Verified · 23+ Platforms.