Many changes

- Missing credit in LICENSE
- Update TODO
- hardenLocationConf: don't change version
- hardenDefconfig: Fix reboot on shutdown
- changeDefaultDNS: replace a level3 dns straggler for tethering config
- Don't remove CompanionDeviceManager if microG is included
- Update cherry picks
- init.sh: update comment wording

LICENSE

@@ -7,7 +7,7 @@ Misc - GPLv3
 Patches/
 	Common/
 		android_vendor_divested - GPLv3
-			default_wallpaper.png - Unsplash
+			default_wallpaper.png - Unsplash, Pawel Czerwinski
 		[Everything Else] - Apache-2.0
 	LineageOS-*/
 		android_kernel_* - GPLv2

Scripts/Common/Deblob.sh

@@ -69,7 +69,8 @@ echo "Deblobbing...";
 	#AudioFX (Audio Effects)
 	if [ "$DOS_DEBLOBBER_REMOVE_AUDIOFX" = true ]; then
 		blobs=$blobs"|fmas_eq.dat";
-		blobs=$blobs"|libasphere.so|libdownmix.so|libeffectproxy.so|libfmas.so|libldnhncr.so|libmmieffectswrapper.so|libreverbwrapper.so|libshoebox.so|libspeakerbundle.so|libvisualizer.so|libvolumelistener.so|libLifevibes_lvverx.so|libhwdap.so";
+		blobs=$blobs"|libasphere.so|libdownmix.so|libeffectproxy.so|libfmas.so|libldnhncr.so|libmmieffectswrapper.so|libreverbwrapper.so|libshoebox.so|libvisualizer.so|libvolumelistener.so|libLifevibes_lvverx.so|libhwdap.so";
+		#blobs=$blobs"|libspeakerbundle.so|libmotaudioutils.so"; #XXX: Breaks audio on Motorola devices (?)
 		blobs=$blobs"|libqcbassboost.so|libqcreverb.so|libqcvirt.so"; #Qualcomm
 		#blobs=$blobs"|libbundlewrapper.so|libqcompostprocbundle.so|libqcomvoiceprocessing.so|libqcomvisualizer.so";
 		blobs=$blobs"|libhwdap.*.so|libswdap.*.so|lib_dlb_msd.so"; #Dolby
@@ -328,7 +329,6 @@ echo "Deblobbing...";
 	blobs=$blobs"|com.motorola.motosignature.jar|com.motorola.motosignature.xml|MotoSignatureApp.apk";
 	blobs=$blobs"|TriggerEnroll.apk|TriggerTrainingService.apk|com.motorola.triggerenroll.xml";
 	blobs=$blobs"|audio.motvr.default.so";
-	#blobs=$blobs"|libmotaudioutils.so"; #breaks phone call audio (?)
 	blobs=$blobs"|libcce-socketjni.so|libmotocare.so";
 	#blobs=$blobs"|qmi_motext_hook|libmdmcutback.so|libqmimotext.so|libmotext_inf.so"; #necessary for radio
 	makes=$makes"|com.motorola.cameraone.xml";

Scripts/Common/Functions.sh

@@ -296,6 +296,7 @@ pushToServer() {
 export -f pushToServer;
 
 removeBuildFingerprint() {
+	#Removes the vendor fingerprint, allowing one to be generated instead
 	awk -i inplace '!/BUILD_FINGERPRINT/' lineage*.mk;
 }
 export -f removeBuildFingerprint;
@@ -371,7 +372,7 @@ hardenLocationConf() {
 	else
 		local deviceDir=$(dirname "$gpsConfig");
 	fi;
-	#Debugging (adb logcat | grep -i -e locsvc -e izat -e gps -e gnss -e location)
+	#Debugging: adb logcat | grep -i -e locsvc -e izat -e gps -e gnss -e location -e xtra
 	#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 4|' "$gpsConfig" &> /dev/null || true;
 	#Enable GLONASS
 	if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
@@ -403,24 +404,27 @@ hardenLocationConf() {
 	sed -i 's|http://xtrapath|https://xtrapath|' "$gpsConfig" &>/dev/null || true;
 	#sed -i 's|http://gllto|https://gllto|' "$gpsConfig" &>/dev/null || true; XXX: GLPals has an invaid certificate
 	#XTRA: Use format version 3 if possible
-	if grep -sq "XTRA_VERSION_CHECK" "$gpsConfig"; then #Using hardware/qcom/gps OR precompiled blob OR device specific implementation
-		sed -i 's|XTRA_VERSION_CHECK=0|XTRA_VERSION_CHECK=1|' "$gpsConfig" &>/dev/null || true;
-		sed -i 's|xtra2.bin|xtra3grc.bin|' "$gpsConfig" &>/dev/null || true;
-	elif grep -sq "BOARD_VENDOR_QCOM_LOC_PDK_FEATURE_SET := true" "$deviceDir"BoardConfig.mk "$deviceDir"boards/*gps.mk; then
-		if ! grep -sq "USE_DEVICE_SPECIFIC_LOC_API := true" "$deviceDir"BoardConfig.mk "$deviceDir"boards/*gps.mk; then
-			if ! grep -sq "libloc" ./"$deviceDir"/*proprietary*.txt; then #Using hardware/qcom/gps
-				sed -i 's|xtra2.bin|xtra3grc.bin|' "$gpsConfig" &>/dev/null || true;
-			fi;
-		fi;
-	fi;
+	#if grep -sq "XTRA_VERSION_CHECK" "$gpsConfig"; then #Using hardware/qcom/gps OR precompiled blob OR device specific implementation
+	#	sed -i 's|XTRA_VERSION_CHECK=0|XTRA_VERSION_CHECK=1|' "$gpsConfig" &>/dev/null || true;
+	#	sed -i 's|xtra2.bin|xtra3grc.bin|' "$gpsConfig" &>/dev/null || true;
+	#elif grep -sq "BOARD_VENDOR_QCOM_LOC_PDK_FEATURE_SET := true" "$deviceDir"BoardConfig.mk "$deviceDir"boards/*gps.mk; then
+	#	if ! grep -sq "USE_DEVICE_SPECIFIC_LOC_API := true" "$deviceDir"BoardConfig.mk "$deviceDir"boards/*gps.mk; then
+	#		if ! grep -sq "libloc" ./"$deviceDir"/*proprietary*.txt; then #Using hardware/qcom/gps
+	#			sed -i 's|xtra2.bin|xtra3grc.bin|' "$gpsConfig" &>/dev/null || true;
+	#		fi;
+	#	fi;
+	#fi;
+	#if [[ "$gpsConfig" = *"gps_debug.conf" ]]; then
+	#	echo "XTRA_SERVER_1=https://xtrapath4.izatcloud.net/xtra2.bin" >> "$gpsConfig";
+	#	echo "XTRA_SERVER_2=https://xtrapath5.izatcloud.net/xtra2.bin" >> "$gpsConfig";
+	#	echo "XTRA_SERVER_3=https://xtrapath6.izatcloud.net/xtra2.bin" >> "$gpsConfig";
+	#fi;
 	echo "Enhanced location services for $gpsConfig";
 }
 export -f hardenLocationConf;
 
 hardenLocationFWB() {
 	local dir=$1;
-	#Debugging (adb logcat | grep -i -e locsvc -e izat -e gps -e gnss -e location)
-	#sed -i 's|DEBUG_LEVEL = .|DEBUG_LEVEL = 4|' "$gpsConfig" &> /dev/null || true;
 	#Enable GLONASS
 	if [ "$DOS_GPS_GLONASS_FORCED" = true ]; then
 	sed -i 's|A_GLONASS_POS_PROTOCOL_SELECT=0.*</item>|A_GLONASS_POS_PROTOCOL_SELECT=15</item>|' "$dir"/frameworks/base/core/res/res/values*/*.xml &>/dev/null || true;
@@ -475,7 +479,7 @@ export -f hardenUserdata;
 hardenBootArgs() {
 	cd "$DOS_BUILD_BASE$1";
 	if [[ "$1" != *"device/samsung/klte"* ]] && [[ "$1" != *"device/samsung/msm8974-common"* ]]; then
-		sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := page_poison=1 slab_nomerge slub_debug=FZP kpti=on pti=on page_alloc.shuffle=1 init_on_alloc=1 init_on_free=1 lockdown=confidentiality /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
+		sed -i 's/BOARD_KERNEL_CMDLINE := /BOARD_KERNEL_CMDLINE := slab_nomerge slub_debug=FZP page_poison=1 kpti=on pti=on page_alloc.shuffle=1 init_on_alloc=1 init_on_free=1 lockdown=confidentiality /' BoardConfig*.mk */BoardConfig*.mk &>/dev/null || true;
 	fi;
 	echo "Hardened kernel command line arguments for $1";
 	cd "$DOS_BUILD_BASE";
@@ -592,6 +596,7 @@ changeDefaultDNS() {
 	sed -i "s/8\.8\.8\.8/$dnsPrimary/" $files &>/dev/null || true;
 	sed -i "s/2001:4860:4860::8888/$dnsPrimaryV6/" $files &>/dev/null || true;
 	sed -i "s/8\.8\.4\.4/$dnsSecondary/" $files &>/dev/null || true;
+	sed -i "s/4\.4\.4\.4/$dnsSecondary/" $files &>/dev/null || true;
 	sed -i "s/2001:4860:4860::8844/$dnsSecondaryV6/" $files &>/dev/null || true;
 }
 export -f changeDefaultDNS;
@@ -640,7 +645,7 @@ hardenDefconfig() {
 		fi;
 	done
 	#Disable supported options
-	#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile on many kernels), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery)
+	#Disabled: MSM_SMP2P_TEST, MAGIC_SYSRQ (breaks compile), KALLSYMS (breaks boot on select devices), IKCONFIG (breaks recovery), MSM_DLOAD_MODE (breaks compile)
 	declare -a optionsNo=("ACPI_APEI_EINJ" "ACPI_CUSTOM_METHOD" "ACPI_TABLE_UPGRADE" "BINFMT_AOUT" "BINFMT_MISC" "CHECKPOINT_RESTORE" "COMPAT_BRK" "COMPAT_VDSO" "CP_ACCESS64" "DEBUG_KMEMLEAK" "DEVKMEM" "DEVMEM" "DEVPORT" "EARJACK_DEBUGGER" "GCC_PLUGIN_RANDSTRUCT_PERFORMANCE" "HARDENED_USERCOPY_FALLBACK" "HIBERNATION" "HWPOISON_INJECT" "IA32_EMULATION" "IOMMU_NON_SECURE" "INPUT_EVBUG" "IP_DCCP" "IP_SCTP" "KEXEC" "KEXEC_FILE" "KSM" "LDISC_AUTOLOAD" "LEGACY_PTYS" "LIVEPATCH" "MEM_SOFT_DIRTY" "MMIOTRACE" "MMIOTRACE_TEST" "MODIFY_LDT_SYSCALL" "MSM_BUSPM_DEV" "NEEDS_SYSCALL_FOR_CMPXCHG" "NOTIFIER_ERROR_INJECTION" "OABI_COMPAT" "PAGE_OWNER" "PROC_KCORE" "PROC_PAGE_MONITOR" "PROC_VMCORE" "RDS" "RDS_TCP" "SECURITY_SELINUX_DISABLE" "SECURITY_WRITABLE_HOOKS" "SLAB_MERGE_DEFAULT" "STACKLEAK_METRICS" "STACKLEAK_RUNTIME_DISABLE" "TIMER_STATS" "TSC" "TSPP2" "UKSM" "UPROBES" "USELIB" "USERFAULTFD" "VIDEO_VIVID" "WLAN_FEATURE_MEMDUMP" "X86_IOPL_IOPERM" "X86_PTDUMP" "X86_VSYSCALL_EMULATION" "ZSMALLOC_STAT");
 	#if [[ "$1" != *"kernel/htc/msm8994"* ]] && [[ "$1" != *"kernel/samsung/smdk4412"* ]] && [[ "$1" != *"kernel/htc/flounder"* ]] && [[ "$1" != *"kernel/amazon/hdx-common"* ]] && [[ "$1" != *"msm899"* ]] && [[ "$1" != *"sdm8"* ]] && [[ "$1" != *"sdm6"* ]]; then
 		#optionsNo+=("DIAG_CHAR" "DIAG_OVER_USB" "USB_QCOM_DIAG_BRIDGE" "DIAGFWD_BRIDGE_CODE" "DIAG_SDIO_PIPE" "DIAG_HSIC_PIPE");
@@ -667,6 +672,10 @@ hardenDefconfig() {
 	sed -i 's/^\treturn VERITY_STATE_DISABLE;//' drivers/md/dm-android-verity.c &>/dev/null || true;
 	#sed -i 's/#if 0/#if 1/' drivers/power/reset/msm-poweroff.c &>/dev/null || true;
 
+	#Workaround broken MSM_DLOAD_MODE=y+PANIC_ON_OOPS=y for devices that oops on shutdown
+	#MSM_DLOAD_MODE can't be disabled as it breaks compile
+	sed -i 's/set_dload_mode(in_panic)/set_dload_mode(0)/' arch/arm/mach-msm/restart.c &>/dev/null || true;
+
 	editKernelLocalversion "-dos";
 
 	echo "Hardened defconfig for $1";

Scripts/LineageOS-15.1/Functions.sh

@@ -108,7 +108,6 @@ patchWorkspace() {
 
 	source build/envsetup.sh;
 	repopick -i 288970; #update webview
-	repopick -it O_asb_2020-10;
 
 	export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails
 

Scripts/LineageOS-15.1/Patch.sh

@@ -99,7 +99,7 @@ patch -p1 < "$DOS_PATCHES/android_frameworks_base/0006-Disable_Analytics.patch";
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0001-Browser_No_Location.patch"; #don't grant location permission to system browsers (GrapheneOS)
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL (MSe)
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts (GrapheneOS)
-rm -rf packages/CompanionDeviceManager; #Used to support Android Wear (which hard depends on GMS)
+if [ "$DOS_MICROG_INCLUDED" != "FULL" ]; then rm -rf packages/CompanionDeviceManager; fi; #Used to support Android Wear (which hard depends on GMS)
 rm -rf packages/Osu packages/Osu2; #Automatic Wi-Fi connection non-sense
 rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
 

Scripts/LineageOS-16.0/Functions.sh

@@ -133,7 +133,6 @@ patchWorkspace() {
 	repopick -it hh-p-sepolicy;
 	repopick -i 232948; #wahoo: liblight: close fd
 	repopick -i 288970; #update webview
-	repopick -it P_asb-2020-10;
 
 	source "$DOS_SCRIPTS/Patch.sh";
 	source "$DOS_SCRIPTS_COMMON/Copy_Keys.sh";

Scripts/LineageOS-16.0/Patch.sh

@@ -106,7 +106,7 @@ if [ "$DOS_GRAPHENE_EXEC" = true ]; then patch -p1 < "$DOS_PATCHES/android_frame
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL (MSe)
 patch -p1 < "$DOS_PATCHES_COMMON/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts (GrapheneOS)
 sed -i '301i\        if(packageList.length() > 0) { packageList += ","; } packageList += "net.sourceforge.opencamera";' core/java/android/hardware/Camera.java; #add Open Camera to aux camera whitelist
-rm -rf packages/CompanionDeviceManager; #Used to support Android Wear (which hard depends on GMS)
+if [ "$DOS_MICROG_INCLUDED" != "FULL" ]; then rm -rf packages/CompanionDeviceManager; fi; #Used to support Android Wear (which hard depends on GMS)
 rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
 
 if [ "$DOS_DEBLOBBER_REMOVE_IMS" = true ]; then

Scripts/LineageOS-17.1/CVE_Patchers/android_kernel_oppo_msm8974.sh

@@ -73,7 +73,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11090/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-11473/^4.12.2/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-12153/^4.13.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-12762/^4.12/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13080/3.4/0009.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-13695/^4.12.9/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14489/^4.13.2/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16526/^4.13.6/0001.patch
@@ -133,5 +132,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-15393/^5.7.6/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2020-25643/^5.9/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-19051/^5.3.11/0001.patch
-editKernelLocalversion "-dos.p133"
+editKernelLocalversion "-dos.p132"
 cd "$DOS_BUILD_BASE"

Scripts/LineageOS-17.1/Patch.sh

@@ -85,6 +85,7 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_fra
 
 enterAndClear "frameworks/base";
 hardenLocationFWB "$DOS_BUILD_BASE"; #XXX 17REBASE
+hardenLocationConf services/core/java/com/android/server/location/gps_debug.conf;
 sed -i 's/DEFAULT_MAX_FILES = 1000;/DEFAULT_MAX_FILES = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
 sed -i 's/DEFAULT_MAX_FILES_LOWRAM = 300;/DEFAULT_MAX_FILES_LOWRAM = 0;/' services/core/java/com/android/server/DropBoxManagerService.java; #Disable DropBox
 sed -i 's/(notif.needNotify)/(true)/' location/java/com/android/internal/location/GpsNetInitiatedHandler.java; #Notify user when location is requested via SUPL
@@ -101,7 +102,7 @@ patch -p1 < "$DOS_PATCHES/android_frameworks_base/0009-SystemUI_No_Permission_Re
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then patch -p1 < "$DOS_PATCHES/android_frameworks_base/0010-Exec_Based_Spawning.patch"; fi; #add exec-based spawning support (GrapheneOS)
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0003-SUPL_No_IMSI.patch"; #don't send IMSI to SUPL (MSe)
 patch -p1 < "$DOS_PATCHES/android_frameworks_base/0004-Fingerprint_Lockout.patch"; #enable fingerprint failed lockout after 5 attempts (GrapheneOS)
-rm -rf packages/CompanionDeviceManager; #Used to support Android Wear (which hard depends on GMS)
+if [ "$DOS_MICROG_INCLUDED" != "FULL" ]; then rm -rf packages/CompanionDeviceManager; fi; #Used to support Android Wear (which hard depends on GMS)
 rm -rf packages/OsuLogin; #Automatic Wi-Fi connection non-sense
 rm -rf packages/PrintRecommendationService; #Creates popups to install proprietary print apps
 

Scripts/init.sh

@@ -37,7 +37,7 @@ export DOS_MALWARE_SCAN_ENABLED=true; #Set true to perform a fast scan on patchW
 export DOS_MALWARE_SCAN_SETTING="quick"; #buildAll() scan speed. Options: quick, extra, slow, full
 
 #Deblobber
-export DOS_DEBLOBBER_REMOVE_ACCESSORIES=true; #Set false to allow use of external accessories
+export DOS_DEBLOBBER_REMOVE_ACCESSORIES=true; #Set false to allow use of external accessories that depend on blobs
 export DOS_DEBLOBBER_REMOVE_AUDIOFX=true; #Set true to remove AudioFX
 export DOS_DEBLOBBER_REMOVE_GRAPHICS=false; #Set true to remove all graphics blobs and use SwiftShader CPU renderer #TODO: Needs work
 export DOS_DEBLOBBER_REMOVE_RENDERSCRIPT=false; #Set true to remove RenderScript blobs
@@ -51,16 +51,16 @@ export DOS_DEBLOBBER_REPLACE_TIME=false; #Set true to replace Qualcomm Time Serv
 export DOS_GPS_GLONASS_FORCED=false; #Enables GLONASS on all devices
 export DOS_GRAPHENE_MALLOC=true; #Enables use of GrapheneOS' hardened memory allocator on 64-bit platforms
 export DOS_GRAPHENE_EXEC=true; #Enables use of GrapheneOS' exec spawning feature
-export DOS_HOSTS_BLOCKING=true; #Switch to false to prevent inclusion of our HOSTS file
+export DOS_HOSTS_BLOCKING=true; #Set false to prevent inclusion of a HOSTS file
 export DOS_HOSTS_BLOCKING_APP="DNS66"; #App installed when built-in blocking is disabled. Options: DNS66
 export DOS_HOSTS_BLOCKING_LIST="https://divestos.org/hosts"; #Must be in the format "127.0.0.1 bad.domain.tld"
-export DOS_LOWRAM_ENABLED=false; #Switch to true to enable low_ram on all devices
+export DOS_LOWRAM_ENABLED=false; #Set true to enable low_ram on all devices
 export DOS_MICROG_INCLUDED="NLP"; #Determines inclusion of microG. Options: NONE, NLP, FULL
-export DOS_NON_COMMERCIAL_USE_PATCHES=false; #Switch to false to prevent inclusion of non-commercial use patches XXX: Unused, see 1dc9247
+export DOS_NON_COMMERCIAL_USE_PATCHES=false; #Set true to allow inclusion of non-commercial use patches XXX: Unused, see 1dc9247
 export DOS_OPTIMIZE_IMAGES=false; #Set true to apply lossless optimizations to image resources
-export DOS_OVERCLOCKS_ENABLED=false; #Switch to true to enable overclocks #XXX: Most devices have their processors directly under their RAM, heatsinking is mostly into the ground plane, potentially inflicting damage to RAM and the processor itself
-export DOS_STRONG_ENCRYPTION_ENABLED=false; #Switch to true to enable AES-256bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS!
-export DOS_WIREGUARD_INCLUDED=false; #Switch to true to enable WireGuard kernel module inclusion
+export DOS_OVERCLOCKS_ENABLED=false; #Set true to enable overclocks #XXX: Most devices have their processors directly under their RAM, heatsinking is mostly into the ground plane, potentially inflicting damage to RAM and the processor itself
+export DOS_STRONG_ENCRYPTION_ENABLED=false; #Set true to enable AES 256-bit FDE encryption on 14.1+15.1 XXX: THIS WILL **DESTROY** EXISTING INSTALLS!
+export DOS_WIREGUARD_INCLUDED=false; #Set true to enable WireGuard kernel module inclusion for devices with kernel 3.10+
 
 #Servers
 export DOS_DEFAULT_DNS_PRESET="Cloudflare-BL"; #Sets default DNS. Options: See changeDefaultDNS() in Scripts/Common/Functions.sh

TODO

@@ -1,20 +1,8 @@
-Last updated: 2019-10-07
+Last updated: 2020-10-12
 
-High Priority (Release blockers)
-	Project
-		- GPG all the things!
-		- Create cryptocurrency addresses
-		- Setup Stripe
-	Servers
-		- Gitea/GitLab on a Kimsufi dedicated (KS-3C: $14 setup + $22/mo)
-		- Apache on an OVH VPS (SSD1: $4.50/mo)
-		- Mirrorbits on an OVH VPS (SSD1: $4.50/mo)
-		- 2x Mirror slaves on an OVH VPS (SSD2: 2x$7.80 = $15.60/mo)
-		- 1x Mirror slave on a 1/10Gbps server for high-speed incrementals
+High Priority
 	Website
-		- Switch from Shadow to Piwik and update Privacy Policy
 		- mod_removeip for GDPR and update Privacy Policy
-		- Update cryptocurrency addresses
 
 Medium Priority
 	Build
@@ -26,9 +14,13 @@ Medium Priority
 		- Various other branding (logo, snazzy bootanimation, setupwizard, etc.)
 	Project
 		- Create various XMPP conference rooms
+		- Database verification in Hypatia
+		- More cryptocurrency addresses
 	Servers
-		- Dedicated build servers
-		- Ejabberd on an OVH VPS (SSD1: $4.50/mo)
+		- Dedicated build server
+		- ejabberd for a chat room
+	Website
+		- Update cryptocurrency addresses
 
 Low Priority
 	Build
@@ -48,13 +40,13 @@ Longterm
 		- Switch to AOSP and create clean trees for all of the major devices
 	Linux Patches
 		- Automate pulling of CVE patches from Android and Qualcomm bulletins
-		- Get more CVE patches, especially for 3.4
+		- Get more CVE patches
 		- Investigate rebasing kernel trees on newer CAF ones
 		- Proper backports of CVE patches
 		- Proper backports of security features
 	Project
 		- Create an Mobile Device Manager solution
-		- Create our own device (free hardware, isolated modem, kernel 5.0+, etc.)
+		- Create our own device (free hardware, isolated modem, kernel 5.4+, etc.)
 		- General auditing of everything
 		- Partner with various projects
 		- Purchase one of each supported device
@@ -63,7 +55,7 @@ Longterm
 
 Contributions to other projects (via labor or funding)
 	Add Tor support: Materialistic, microG, Slide, Transistor, Wikipedia
-	Resurrect: Blockinger, microG, Pandoroid
+	Resurrect: Blockinger, Pandoroid
 	Amexia
 		- More icons
 	Conversations