Ignored CVEs aren't patched, but do not apply in our configuration
for some reason. Up till now they were only partially supported
and reported as "Patched".
This patch adds separate reporting of Ignored CVEs. The variable
CVE_CHECK_REPORT_PATCHED now manages reporting of both patched
and ignored CVEs.
(From OE-Core rev: d76957e4257a3bf934bdb94d65aa43267b8d9766)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c773102d4828fc4ddd1024f6115d577e23f1afe4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When using multiconfig with the same TMP folder we can have
races because the shared recipes like gcc-source run twice.
ARCHIVER_OUTDIR = ${ARCHIVER_TOPDIR}/${TARGET_SYS}/${PF}/
which includes TARGET_SYS and between the two different MACHINE values,
this changes from 'arm-poky-linux-gnueabi' to 'aarch64-poky-linux'.
This leads to the task running twice, once for each multiconfig.
To solve this we need to store the shared output in a common place
for all machines and in this way the stamps will be the same for each
machine so the gcc-source will on run once regardless of the machine used.
(From OE-Core rev: 6fa49ffcf2d77aaae5c348b6eb1f0117aa93eeaf)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5abe497aad39a6ce8d72556fcdda1938a0f8c1bc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We can't build glibc without make 4.0 and we don't work on older distros with
older versions of make without buildtools tarball so increase the minimum
version to 4.0.
(From OE-Core rev: 4b694ded86877cce06af65a0f542027d7408c111)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9a449aeec72a698206323c3471c9268f949b1ae)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ensure that begin_idx (i.e., beginline - 1) and end_idx (i.e.,
endline) are positive numbers in copy_license_files(). This makes sure
the same lines are copied as populate_lic_qa_checksum() uses when it
calculates the checksum. Before, beginline=0 would typically lead to
that no lines were copied at all.
(From OE-Core rev: 3001199ca8da38208649e8016e77880690835706)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ab3cc3651d08d226675c461da760cda0bb6c0ce0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Several tasks deactivate exiting on non-zero return codes via set +e because
they run subcommands that have legitimate non-zero return codes. However when
appending to those tasks, this behavior is not expected and can lead to builds
silently proceeding in case of an error. Therefore reset the default behavior
at the end of the respective tasks via set -e.
(From OE-Core rev: 45b4597db37e3ad50ff84cda39fd14a25d6d2680)
Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 83a6f28d2e464f00202090e998a63045adba9e4e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In the cve-check text mode output, we didn't write fragment
files if there are no CVEs (if CVE_CHECK_REPORT_PATCHED is 1),
or no unpached CVEs otherwise.
However, in a system after multiple builds,
cve_check_write_rootfs_manifest might find older files and use
them as current, what leads to incorrect reporting.
Fix it by always writing a fragment file, even if empty.
(From OE-Core rev: 79c02facd3f248122b4b7a6bd00192151e4a6406)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f1b7877acd0f6e3626faa57d9f89809cfcdfd0f1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Building with MACHINE=qemuarm and MACHINE=qemux86-64 causes rust-native
to rebuild. The reason is all the ingredients into the RUST_*_SYS
variables are being tracked but that doesn't really make sense in this
case:
$ bitbake-diffsigs tmp/stamps/x86_64-linux/rust-native/1.60.0-r0.do_rust_gen_targets.sigdata.63* tmp/stamps/x86_64-linux/rust-native/1.60.0-r0.do_rust_gen_targets.sigdata.34*
NOTE: Starting bitbake server...
basehash changed from 860b8f11b10182dc5b2737f62cdb697477f714adb63eeb4d4b932d67cac8eec2 to 9379e8b9df9696e8056fec7d1534661f34dda073f6d816e241b09a2dff76ae2d
Variable rust_base_triple value changed:
@@ -36,4 +36,4 @@
# In some cases uname and the toolchain differ on their idea of the arch name
-TUNE_FEATURES{callconvention-hard} = Set
+TUNE_FEATURES{callconvention-hard} = Unset
Switch to using the final variable value for sstate signature purposes
which avoids this issue.
(From OE-Core rev: 424b81ae680057a8c285157ea081f167381b6c62)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 38b61aeaf877f6a34c3c0060c175119975ebd782)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* this doesn't fix any issue (at least AFAIK),
just keeps the log files more deterministic to avoid unnecessary churn like in:
--- /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/keymaps/1.0-r31/temp/log.do_patch.2213051 2022-05-26 11:35:44.110063749 +0200
+++ /OE/build/oe-core/tmp-glibc/work/qemux86_64-oe-linux/keymaps/1.0-r31/temp/log.do_patch.2213372 2022-05-26 11:35:54.553062630 +0200
@@ -1,7 +1,7 @@
DEBUG: Executing python function extend_recipe_sysroot
-NOTE: Direct dependencies are ['virtual:native:/OE/build/oe-core/openembedded-core/meta/recipes-devtools/patch/patch_2.7.6.bb:do_populate_sysroot', '/OE/build/oe-core/openembedded-core/meta/recipes-devtools/quilt/quilt-native_0.67.bb:do_populate_sysroot']
+NOTE: Direct dependencies are ['/OE/build/oe-core/openembedded-core/meta/recipes-devtools/quilt/quilt-native_0.67.bb:do_populate_sysroot', 'virtual:native:/OE/build/oe-core/openembedded-core/meta/recipes-devtools/patch/patch_2.7.6.bb:do_populate_sysroot']
NOTE: Installed into sysroot: []
-NOTE: Skipping as already exists in sysroot: ['patch-native', 'quilt-native', 'attr-native', 'libtool-native', 'gettext-minimal-native', 'texinfo-dummy-native']
+NOTE: Skipping as already exists in sysroot: ['quilt-native', 'patch-native', 'attr-native', 'libtool-native', 'gettext-minimal-native', 'texinfo-dummy-native']
DEBUG: Python function extend_recipe_sysroot finished
DEBUG: Executing python function do_patch
DEBUG: Executing python function patch_do_patch
(From OE-Core rev: bd72b15e9a4c9bb4f155d19c84bcf20d788bd568)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d3ebb37b97da15166d452bf51f5f7e0c312ae42e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When running CVE checks in CI we're usually not interested in warnings on the
console for any CVEs present. Add a configuration option CVE_CHECK_SHOW_WARNINGS
to allow this to be disabled (it is left enabled by default).
(From OE-Core rev: 8fd6a9f521ea6b1e10c80fe33968943db30991ba)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1054d3366ba528f2ad52585cf951e508958c5c68)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Before this the rootfs manifest and the summary were identical.
We should separate the summary and rootfs manifest more clearly,
now the summary is for all CVEs and the rootfs manifest is only for
things in that image. This is even more useful if you build multiple
images.
(From OE-Core rev: 65498411d73e8008d5550c2d0a1148f990717587)
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3b8cc6fc45f0ea5677729ee2b1819bdc7a441ab1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As product, sdk should do cve check as well as rootfs.
(From OE-Core rev: 637d6ff44bc17565edae5466addbbe251f0cdadc)
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit cc17753935c5f9e08aaa6c5886f059303147c07b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If, e.g., license-file-missing is added to ERROR_QA, then the build
should fail if any licenses are missing.
(From OE-Core rev: 72aa42425e456ab0210129df01d829465acadb6d)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd91c4bec8335cab2bbd0b33caf50d314ca72bdc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We've seen failures on the autobuilder in oe-selftest where things which should
be in the sysroot aren't. The exact steps to reproduce the exact failure are
elusive and probably hash equivalance dependency but this set of steps does
reproduce corruption which is probably of the same origin:
Add DISTRO_FEATURES += "systemd"
bitbake dbus
Remove DISTRO_FEATURES += "systemd"
bitbake dbus
bitbake dbus -c clean
bitbake dbus -c configure
Add DISTRO_FEATURES += "systemd"
bitbake quilt-native
bitbake dbus -c populate_sysroot
Remove DISTRO_FEATURES += "systemd"
bitbake dbus -c compile
Where dbus will now fail as the compiler was no longer in the sysroot.
This works by clearing x11 and other values out of DISTRO_FEATURES so the x11
dependencies are removed from the sysroot. The configure stamp remains valid so
when the original configuration is restored, it becomes valid again but a load
of the sysroot disappeared and build failures result.
Fix this by removing stamps when we remove things from the sysroot.
Depends on a change to bitbake build.py to add the clean_stamp API.
[YOCTO #14790]
(From OE-Core rev: 927837e29a1e79e8eeecaacc6de6b8f9e6aa6f70)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f4b1cecc82435b71135d7b65f6ea67be0e4f8c66)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The overlayfs_qa_check checks if the current root file system has a
mount configured for each overlayfs, when the overlayfs class is used.
However there are certain instances where this mount point is created at
runtime and not static in a fstab entry or systemd mount unit.
One such case would be if overlayfs-etc is used, where the device is
mounted in the preinit script and not via a mount unit or fstab entry.
However there are other possibilities for this as well, like startup
scripts that support a dynamic partition layout. For instance when
systemd-repart is used.
This adds the `OVERLAYFS_QA_SKIP` variable, which allows to define QA
skips via its flags. In principle it supports multiple QA skip flags
separated by whitespace, but only one (`mount-configured`) is
implemented here. To skip this QA check simply add `mount-configured` to
the flag of `OVERLAYFS_QA_SKIP` with the same name. For instance if a
overlayfs is configured as:
OVERLAYFS_MOUNT_POINT[data] = "/data"
Skipping this QA check can be done by setting:
OVERLAYFS_QA_SKIP[data] = "mount-configured"
Also add a testcase and fix a typo (fstat -> fstab).
(From OE-Core rev: 34b6d6b5f078c6948e53815af3c7b61de43d851c)
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2ce9173169a2a86392c4a85fe9be7fbbd7353b7f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The addition of summary output caused two issues: error when building
an image and the fact that JSON output was generated even when
CVE_CHECK_FORMAT_JSON.
When generating an image it caused an error like:
ERROR: core-image-minimal-1.0-r0 do_rootfs: Error executing a python function in exec_func_python() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:cve_check_write_rootfs_manifest(d)
0003:
File: '/home/alexk/poky/meta/classes/cve-check.bbclass', lineno: 213, function: cve_check_write_rootfs_manifest
0209:
0210: link_path = os.path.join(deploy_dir, "%s.json" % link_name)
0211: manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
0212: bb.note("Generating JSON CVE manifest")
*** 0213: generate_json_report(json_summary_name, json_summary_link_name)
0214: bb.plain("Image CVE JSON report stored in: %s" % link_path)
0215:}
0216:
0217:ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
Exception: NameError: name 'json_summary_name' is not defined
The fix is to pass the d variable to the pure python function generate_json_report
to get correct values of variables and add conditions for the JSON
output where needed.
In addition clarify the message presenting the summary JSON file,
which isn't related to an image.
Uses partial fixes from Alex Kiernan, Ernst Sjöstrand (ernstp),
and Davide Gardenal.
Fixes: f2987891d315 ("cve-check: add JSON format to summary output")
(From OE-Core rev: 2fcc696e27d7f8c70ba60f5c7de8c48030a938d3)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9015dec93233c7d45fd0c9885ff5d4ec23ad377d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since the commit fe26b2379ecd ("image.bbclass: Depend on
virtual/kernel:do_deploy"), the image.bbclass made building images
depend on virtual/kernel. For some images, including small initramfs,
this is not the case. Allow overriding this dependency in case
developers knows what they are doing.
(From OE-Core rev: 4caf244256e150fea19cd4f2ca04c13d95d49fee)
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 55875f68212657167ac6dc26f5fd93eac24b098e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add some documentation about skipping the QA check related to missing
fstab entries or mount units for base mount points where the overlayfs
is mounted from.
Also add a short paragraph about adding a systemd unit dependency to
services in recipes, so that they are started only after the overlayfs
is mounted and ready.
No functional change.
(From OE-Core rev: 4611cbab3e9593937b64b6db48ef269de37c74db)
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7adc49fa6fdbdf118f74e95193e80ae7ef019e27)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE product name for PyPI packages is (usually) the same as the PyPI
package name (and not our recipe name), so use that as the default.
(From OE-Core rev: 80a1de36bc86a864d52292ef9770b77480f3c67b)
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61f6b0ad09bf87cdc2d3f08770b7c44cad1d0e58)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The autobuilder sstate was corrupted via incorrect equiavlences caused by
the security fix to git and the poor interaction that had with SCM version
checks under fakeroot/pseudo. Bump the versions to enable a clean slate
to work off.
(From OE-Core rev: 69f2d0822462e77d09b4781dcec41a0747e4d387)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3b6672730372e130d4d72b683fc3150911964745)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently the signatures for do_packagedata don't reflect whether PRServ
was active or not. This means that if you have mxiing of PRServ usage and
non PRServ usage against the same sstate cache it can rarely become
corrupted with one referencing the other.
This likely doesn't happen in general but does on the autobuilder as PRServ
is tested. Add in some variables to ensure the binary state of PRServ being
enabled or disabled is tracked (but not the server value). We continue to
assume one PRServ is used per sstate cache.
(From OE-Core rev: 4c2f429d6876c29b17931daa039c4899aacd7234)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd660e5c3fb74f7c4b7b8e863f7143066ae22813)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We'd like to intercept git calls but we don't want circular references
and HOSTTOOLS currently sets them up. Tweak to avoid them.
(From OE-Core rev: 9f4acb8d8b47349e7a4adbb25842a94c0947469a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 52c37e133fa55846aca2248ffcf3a10648dbb8d7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When creating the manifest and the testdata.json links, if the link
name is equal to the output name the link is not created, otherwise
it is. This prevents a link-to-self in the first case.
(From OE-Core rev: e69a1533dfb8ceb5b91610f2ab8b3da575fcc36e)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bed63756c56f296ff3d5a7eef66e978bd19f1008)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An if statement now checks if the link and output path are
the same, if they are then the link is not created,
otherwise it is.
(From OE-Core rev: 2fd7f3b7dc964b59b268dd4a34761f9f71f61c25)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 2f024c0236c4806f0e59e4ce51a42f6b80fdf1b3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Create generate_json_report including all the code used to generate the JSON
manifest file.
Add to cve_save_summary_handler the ability to create the summary in JSON format.
(From OE-Core rev: 8a79c476706b25e5c707c65b4e46b6e940874bd6)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit f2987891d315466b7ef180ecce81d15320ce8487)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The only part of the cve-check task which needs files is the patch
examination, and typically these patches are local so fetch isn't needed.
(From OE-Core rev: a76b642736d78cd4dec0ae264da6d0ffd4e9aaf7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c9b3186d3b7c18cbea239ab9b06e85b7c243b54)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adding a dependency on ourselves in this function doesn't make sense, the hash
may change after hash equivalence is applied. Other code using BB_TASKDEPDATA does
handle the self reference correctly (which is there for a reason), update this
code to do likewise.
(From OE-Core rev: a1eba0f2d36f3bb03323a65c66dd2a83c5dd2c05)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d98b06c9c6f480de1e5167bfe8392e39300fc02c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're going to use the environment approach for solving this issue.
(From OE-Core rev: 1b807a0ad9cf5acdbe7fce588544f7eb8cbbd80d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0982977dc052ad4e65608f6853f930121d08837a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In a devshell, recent versions of git will complain if the repo is owned
by someone other than the current UID - consider this example:
------
bitbake -c devshell linux-yocto
[...]
kernel-source#git branch
fatal: unsafe repository ('/home/paul/poky/build-qemuarm64/tmp/work-shared/qemuarm64/kernel-source' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /home/paul/poky/build-qemuarm64/tmp/work-shared/qemuarm64/kernel-source
kernel-source#
------
Of course the devshell has UID zero and the "real" UID is for "paul" in
this case. And so recent git versions complain.
As the whole purpose of the devshell is to invoke a shell where development
can take place, having a non-functional git is clearly unacceptable.
Richard suggested we could use PSEUDO_UNLOAD=1 to evade this issue, and I
suggested we probably will see other similar instances like this and should
make use of PATH to intercept via devshell wrappers - conveniently we already
have examples of this.
Here, we copy the existing "ar" example and tune it to the needs of git to
combine Richard's suggestion and mine.
As such we now also can store commit logs and use send-email with our user
specific settings, instead of "root", so in additon to fixing basic
commands like "git branch" it should also increase general usefulness.
RP: Tweaked the patch so the PATH change only applies to the devshell task
and is a generic git intercept rather than devshell specific.
RP: Also apply the PATH change to do_install tasks since that also runs under
fakeroot and several software projects inject "git describe" output into
their binaries (systemd, iputils, llvm, ipt-gpu-tools at least) causing
reproducibility issues from systems with different git versions.
(From OE-Core rev: 3a320c1555bf39b2d3c218ffc36827d9dda60fe1)
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3266c327dfa186791e0f1e2ad63c6f5d39714814)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We need to disable the use the default configuration file. This is
to ensure that user settings do not mess things up when building go
recipes.
For example, if I set 'GOBIN=./relative/path' in $HOME/.config/go/env,
then go-runtime fails to build with error like below:
cannot install, GOBIN must be an absolute path
According to `go help environment',
"""
Setting GOENV=off in the environment disables the use of the default
configuration file.
"""
We can explicitly disable the configuration file by setting GOENV to off.
(From OE-Core rev: 00f794aeaaa660851f3a8464ee89c553195dd3dd)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 711b41744ab08ee62c71cdccca335a7828ec0ba1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When building FreeRTOS this dependency generates an error because
bitbake cannot find any provider for "virtual/kernel".
>From a dependency analysis the task is executed independently from
this so it can be safely removed.
This patch has been discussed in this ML thread:
https://lists.openembedded.org/g/openembedded-core/topic/90602531
(From OE-Core rev: ec31ce4751e45e98730165d64eb74fc98eab8c85)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1c02b768a71ec88bfe1cc0c4443683de8b66056e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Otherwise it will fail if using OE_TERMINAL = "xterm" with the not so
helpful error:
xterm: Xt error: Can't open display: localhost:0.0
(From OE-Core rev: 147d4cc12cd0ac2680bffa4112cef2d2447d34e1)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ba53fc3bcecfe32401471dc1008c7ead96504150)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some recipes are marked machine specific which need qemu usermode during
build eg. if they use meson build system, which means they wont get
right -cpu settings to run qemu-ppc/qemu-ppc64 and build fails, this
ensures that we set the right options when PACKAGE_ARCH is set to
MACHINE_ARCH on ppc/ppc64 qemu
(From OE-Core rev: 05caadbfb940e236dcdc41620cf20de5809e8f40)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f71bbe65a458f08cd8ede6522c8b988603202a0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The do_kernel_configcheck task requires a meta directory, normally
set by ${KMETA}. The meta directory is taken as a relative path
from ${S}:
outfile = "{}/{}/cfg/mismatch.txt".format( s, kmeta )
However, when checking for the presence of ${KMETA} the current
working directory is searched. This will almost always fail and
"kgit --meta" is used instead. If the user does have a path in
their current working directory that matches the ${KMETA}
variable but the path is not present within the kernel source
directory, the build will fail if it tries to write config errors/
warnings to that path.
If ${KMETA} is not set, the same problem exists with the hard-coded
"meta" directory.
Fix these issues by checking for ${KMETA} within ${S} rather than
the current working directory. Additionally, drop the hardcoded
backup directory "meta" as it hasn't been functioning and
probably has no users
(From OE-Core rev: c322272a51d923cda9b0e5e388e32b7dd3a6bd22)
Signed-off-by: Russ Dill <russ.dill@nikolamotor.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit f4a3e80a4a6f4f709d09940dcaf45b2b00654496)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The files in /sysroot-only are intended to make it into the
recipes sysroot output, but not into the package. However, if
do_package is run before do_populate_sysroot, the files are
removed.
Use a smaller hammer to avoid copying the files into the package so
they are still around when do_populate_sysroot runs.
(From OE-Core rev: acc0a31305cb1f799e8a6b3ea2d2c5ac5a9f67ee)
Signed-off-by: Russ Dill <russ.dill@nikolamotor.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 493145c6f1bc92ab2b7a23e181641b09df87c9ff)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If IMAGE_NAME and IMAGE_LINK_NAME are the same an
exception is raised in image_combine_spdx because
it cannot create a symlink with the same exact
path of the original file. In that case there is
no point in creating a link in the first place.
Refactor image_combine_spdx to avoid code duplication
(From OE-Core rev: dfb49be6b586e3901a4398b46c914d80dcdd029b)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 88f76bba705007a7fcda506c79f743060d8f2e52)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When signing the deb package feed gpg tools are a soft requirement. If gnupg-native
is not declared a dependancy the version from hosttools is used. Unfortunately the
gpg-agent version from Ubuntu 16.04 on the autobuilders is incompatible with the package_index task
and fails during oe-selftest. Fix by making gnupg-native a dependency.
Fixes: 0b4231b5 "package_manager: sign DEB package feeds"
Reported-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Suggested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 74725c9f7e7ed4172781891001e85b64bfb206b8)
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c063b658e30a24be9214abc23cd2a16c0260e93e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We keep seeing hangs on the autobuilder with make 4.2.1 on Centos8, Alma8
and OpenSuse workers. The hang occurs in perl and kernel builds in particular.
The issue is fixed in 4.3 and has been patched on Ubuntu systems:
https://git.savannah.gnu.org/cgit/make.git/commit/?id=78b5fec6898c26956d00548427cda1101cb80f8ahttps://savannah.gnu.org/bugs/?51400
Add a sanity test for make 4.2.1 and error for non-ubuntu systems. We're
making a buildtools-make-tarball available which can be used to
allow systems with the broken version to use the project.
(From OE-Core rev: ad5829aa1f8a7369509542b913bfd8d21d1b1bc3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
