GPL source changes Gen2

If you check the GPL code for the gen2 versions V2.10.310, V2.11.133, V2.11.140, V2.21.111, V2.21.119, V2.21.126 and V2.30.165, the toolchain is exactly the same in all 7 versions. The same goes for the kernel. The file samba-4.0.9.tar.gz is different in V2.21.119 from V2.10.310. In V2.30.165 there is a newer version, samba-4.3.11.tar.gz. apr-1.5.1.tar.gz, apr-util-1.5.3.tar.gz, httpd-2.4.9.tar.gz and net-snmp-5.5.tar.gz in V2.21.119 are different from V2.10.310. All other files are exactly the same in each version. So whatever the changes that WD made, they were not in the GPL code in most cases.

This information was derived by running sum -r on the different .gz files.
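The comparison described in the post above, as an added example that is not part of the original thread: it hashes every tarball in two release directories and reports which ones changed, appeared or disappeared. It uses SHA-256 instead of `sum -r`, whose checksum is only 16 bits wide, and it assumes a hypothetical layout of one directory per release; the sample files, including the name `linux.tar.gz`, are constructed placeholders.

```shell
# Added example: compare the GPL source tarballs of two firmware releases.
# Assumed (hypothetical) layout: one directory per release holding its *.gz files.
# Requires sha256sum (GNU coreutils) and awk; file names must not contain spaces.

# Print "<sha256> <name>" for every .gz file in one release directory.
manifest() {
    for f in "$1"/*.gz; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "${f##*/}"
    done
}

# Report files whose content CHANGED, or that were ADDED/REMOVED, from $1 to $2.
# Files that are byte-for-byte identical produce no output.
compare_releases() {
    { manifest "$1" | sed 's/^/old /'; manifest "$2" | sed 's/^/new /'; } |
    awk '
        $1 == "old" { o[$3] = $2 }
        $1 == "new" { n[$3] = $2 }
        END {
            for (f in o) {
                if (!(f in n)) print "REMOVED", f
                else if (o[f] != n[f]) print "CHANGED", f
            }
            for (f in n) if (!(f in o)) print "ADDED", f
        }' | sort
}

# Constructed sample: placeholder bytes stand in for the real tarballs.
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/old" "$root/new"
    printf 'kernel'   > "$root/old/linux.tar.gz"
    cp "$root/old/linux.tar.gz" "$root/new/"             # unchanged between releases
    printf 'apr-a'    > "$root/old/apr-1.5.1.tar.gz"
    printf 'apr-b'    > "$root/new/apr-1.5.1.tar.gz"     # same name, different content
    printf 'samba-40' > "$root/old/samba-4.0.9.tar.gz"
    printf 'samba-43' > "$root/new/samba-4.3.11.tar.gz"  # replaced by a newer version
    printf '%s\n' "$root"
}

sample=$(make_sample)
compare_releases "$sample/old" "$sample/new"
rm -rf "$sample"
```

A CHANGED line for a file whose name did not change means the tarball was repacked or patched without a version bump; unpacking both copies and running `diff -r` on them shows which.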

Thanks for sharing.

samba-4.3.11.tar.gz
apr-1.5.1.tar.gz
apr-util-1.5.3.tar.gz
httpd-2.4.9.tar.gz
net-snmp-5.5.tar.gz

Those sound like packages that may well have contained remotely exploitable vulnerabilities; Samba, Apache runtime, HTTP daemon and SNMP. All involved with file server, web or network behaviour.

Don’t know how recent the new packages are, or whether they are supposed to fix the raft of vulnerabilities recently revealed.

[edit] not the very latest, certainly:

apr is 1.6.2/1.6.0

https://apr.apache.org/

Samba is 4.6.6

https://www.samba.org/samba/history/security.html

httpd 2.4.27

http://httpd.apache.org/

net-snmp 5.7.3 (two years ago)

5.5 is from 2009

https://sourceforge.net/p/net-snmp/news/feed

I’m surprised they even made these changes. I feel they are only interested in their own code. Not sure they have the knowledge to fix the other code. If you look through the boot sequence you see several error messages that should be fixed.

They don’t have to fix the other code; that’s done by the package maintenance teams in the open source community. And is usually done pretty quickly in response to a published CVE.

All WD have to do is download the new code, check for, and deal with any API changes in the latest package versions, and build a new firmware (and then run regression testing, of course…).

But it does take knowledge to rebuild and package and regression test the release. They changed the kernel version between the gen1 and gen2. But the gen2 has the same kernel version that it was originally released with.

If they have lost that ability, they really are in trouble…