This adds support for the Nanbield (4.3) release and update the
current dev branch to Scarthgap.
(From yocto-docs rev: cfbb2cda2c3d221f944ae610c05039c9d12093bc)
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libgs is eg. needed to build ghostscript support for gimp
also install the data target
(From OE-Core rev: cedd211d8b73076d1ef6f32af1c59e87a436d637)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The vast majority of gnome recipes uses meson. Set it as default
and override the few recipes that still use autotools.
This way we can remove a lot of lines in meta-oe and more important
it would not be needed to explicitly set GNOMEBASEBUILDCLASS = "meson" for newly
created gnome recipe anymore.
(From OE-Core rev: 8b061ea36f8b94b482c5867fe2ba7213288a5aa3)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
1.9.15p2:
- Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
1.9.15p1:
- Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
1.9.15:
- Fixed an undefined symbol problem on older versions of macOS
when "intercept" or "log_subcmds" are enabled in sudoers.
- Fixed "make check" failure related to getpwent(3) wrapping
on NetBSD.
- Fixed the warning message for "sudo -l command" when the command
is not permitted. There was a missing space between "list" and
the actual command due to changes in sudo 1.9.14.
- Fixed a bug where output could go to the wrong terminal if
"use_pty" is enabled (the default) and the standard input, output
or error is redirected to a different terminal. Bug #1056.
- The visudo utility will no longer create an empty file when the
specified sudoers file does not exist and the user exits the
editor without making any changes. GitHub issue #294.
- The AIX and Solaris sudo packages on www.sudo.ws now support
"log_subcmds" and "intercept" with both 32-bit and 64-bit
binaries. Previously, they only worked when running binaries
with the same word size as the sudo binary. GitHub issue #289.
- The sudoers source is now logged in the JSON event log. This
makes it possible to tell which rule resulted in a match.
Running "sudo -ll command" now produces verbose output that
includes matching rule as well as the path to the sudoers file
the matching rule came from. For LDAP sudoers, the name of the
matching sudoRole is printed instead.
- The embedded copy of zlib has been updated to version 1.3.
- The sudoers plugin has been modified to make it more resilient
to ROWHAMMER attacks on authentication and policy matching.
This addresses CVE-2023-42465.
- The sudoers plugin now constructs the user time stamp file path
name using the user-ID instead of the user name. This avoids a
potential problem with user names that contain a path separator
('/') being interpreted as part of the path name. A similar
issue in sudo-rs has been assigned CVE-2023-42456.
- A path separator ('/') in a user, group or host name is now
replaced with an underbar character ('_') when expanding escapes
in @include and @includedir directives as well as the "iolog_file"
and "iolog_dir" sudoers Default settings.
- The "intercept_verify" sudoers option is now only applied when
the "intercept" option is set in sudoers. Previously, it was
also applied when "log_subcmds" was enabled. Sudo 1.9.14
contained an incorrect fix for this. Bug #1058.
- Changes to terminal settings are now performed atomically, where
possible. If the command is being run in a pseudo-terminal and
the user's terminal is already in raw mode, sudo will not change
the user's terminal settings. This prevents concurrent sudo
processes from restoring the terminal settings to the wrong values.
GitHub issue #312.
- Reverted a change from sudo 1.9.4 that resulted in PAM session
modules being called with the environment of the command to be
run instead of the environment of the invoking user.
GitHub issue #318.
- New Indonesian translation from translationproject.org.
- The sudo_logsrvd server will now raise its open file descriptor
limit to the maximum allowed value when it starts up. Each
connection can require up to nine open file descriptors so the
default soft limit may be too low.
- Better log message when rejecting a command if the "intercept"
option is enabled and the "intercept_allow_setid" option is
disabled. Previously, "command not allowed" would be logged and
the user had no way of knowing what the actual problem was.
- Sudo will now log the invoking user's environment as "submitenv"
in the JSON logs. The command's environment ("runenv") is no
longer logged for commands rejected by the sudoers file or an
approval plugin.
(From OE-Core rev: 5ea298680a8f17d3b808a2c43b0182e9c391f663)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current code in ssh.py is terminating the ssh process that
does not finish its computation in a given timeout (when timeout
is passed), the SSHCall function is returning the process error
code.
The Openssl ssh before version 8.6_p1 is returning 0 when it is
terminated, from commit 8a9520836e71830f4fccca066dba73fea3d16bda
onwards (version >= 8.6_p1) ssh is returning 255 instead.
So for version of ssh older than 8.6_p1 when the SSHCall time out,
the return code will be 0, meaning success, which is wrong.
Fix this issue checking if the process has timeout (hence it's been
terminated) and checking if the returned code is 0, in that case
set it to 255 to advertise that an error occurred.
Add a test case excercising the timeout in the SSHTest, test_ssh
test function.
(From OE-Core rev: 948fecca1db4c7a30fcca5fcf5eef95cd12efb00)
Signed-off-by: Luca Fancellu <luca.fancellu@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
automatic detection could result in inconsistent host dependencies
since it will be enabled for libarchive-native if the build host has
libb2 installed and this can then fail on hosts which do not have
this library installed
Fixes errors like
recipe-sysroot-native/usr/bin/opkg: error while loading shared libraries: libb2.so.1: cannot open shared object file: No such file or directory
(From OE-Core rev: 5356afef9f0ee70fb804ff9fc8746bcaa47c02ba)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Check if the filesystem is supported by the kernel before trying to
mount it. Systemd-mount will mount the directories asynchronously
resulting in stale directories if the devices filesystem is not
supported.
(From OE-Core rev: 695e0a41e3c1cb47484605934a57e7df591bd19f)
Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit 99305c25fafa61064a1bb0849616e4627e3453d7.
After discussion we found various versions of selenium don't work
with this change.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If a user is authenticated with the server, report them as the owner of
a report
(Bitbake rev: a9fd4a45bb6e5ac9832835897f594f3bbf67e1aa)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Allows users to self-service deletion of their own user accounts
(meaning, they can delete their own accounts without special
permissions).
(Bitbake rev: 2d4439948a5328a9768bca9eaec221eb82af3cb2)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If BB_TEST_HASHSERV_USERNAME and BB_TEST_HASHSERV_PASSWORD are provided
for a server admin user, the authentication tests for the external
hashserver will run. In addition, any users that get created will now be
deleted when the test finishes.
(Bitbake rev: 0e945d3dec02479df1157f48fd44223c2bfb34a3)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Space separation is more natural when setting the value from an
environment variable, so allow that here for convenience.
(Bitbake rev: 07eb9176f8a7449c1d2cbfff072fa0873e97a336)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Outputting the stats in JSON format makes more sense as it's easier for
a downstream tool to parse if desired.
(Bitbake rev: 3a18066e479ab06bdb08e258fc4aacad5e73222e)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bitbake-hashclient command-line tool now has a lot more features
which should be tested, so add some tests for them.
(Bitbake rev: 178cf99673d7ddf8e0bb63a5a43331a18f3286d5)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds an API to retrieve the columns that can be queried on from the
database backend. This prevents front end applications from needing to
hardcode the query columns
(Bitbake rev: abfce2b68bdab02ea2e9a63fbb3b9e270428a0a6)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds an API to query the server for the usage of the database (e.g. how
many rows are present in each table)
(Bitbake rev: c9c1224447e147e0de92953bc85cea75670b898c)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds API that allows a user admin to impersonate another user in the
system. This makes it easier to write external services that have
external authentication, since they can use a common user account to
access the server, then impersonate the logged in user.
(Bitbake rev: 71e2f5b52b686f34df364ae1f2fc058f45cd5e18)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds support for the hashserver to have per-user permissions. User
management is done via a new "auth" RPC API where a client can
authenticate itself with the server using a randomly generated token.
The user can then be given permissions to read, report, manage the
database, or manage other users.
In addition to explicit user logins, the server supports anonymous users
which is what all users start as before they make the "auth" RPC call.
Anonymous users can be assigned a set of permissions by the server,
making it unnecessary for users to authenticate to use the server. The
set of Anonymous permissions defines the default behavior of the server,
for example if set to "@read", Anonymous users are unable to report
equivalent hashes with authenticating. Similarly, setting the Anonymous
permissions to "@none" would require authentication for users to perform
any action.
User creation and management is entirely manual (although
bitbake-hashclient is very useful as a front end). There are many
different mechanisms that could be implemented to allow user
self-registration (e.g. OAuth, LDAP, etc.), and implementing these is
outside the scope of the server. Instead, it is recommended to
implement a registration service that validates users against the
necessary service, then adds them as a user in the hash equivalence
server.
(Bitbake rev: 69e5417413ee2414fffaa7dd38057573bac56e35)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds an API to explicitly disconnect a client. This can be useful for
testing the auto-reconnect behavior of clients
(Bitbake rev: cb2fec7eaca20608faf4b8ff11ec8590ac7f2229)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Invalidate the loop in the client close() call so that it is not closed
twice (which is an error in the asyncio code)
(Bitbake rev: ef22f8ee82c242383625f078baafb629e45dad7e)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds support for Invocation Errors (that is, errors raised by the actual
RPC call instead of at the protocol level) to propagate across the
connection. If a server RPC call raises an InvokeError, it will be sent
across the connection and then raised on the client side also. The
connection is still terminated on this error.
(Bitbake rev: 50ee68175e7cf20a32bfbb176db2c47d7859da04)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When the hash equivalence server is in read-only mode, it should still
return a unihash for a given "report" call if there is one.
(Bitbake rev: d0bbb98553f5f3451606bd5f089b36cfe4219dc2)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds an SQLAlchemy backend to the server. While this database backend is
slower than the more direct sqlite backend, it easily supports just
about any SQL server, which is useful for large scale deployments.
(Bitbake rev: e0b73466dd7478c77c82f46879246c1b68b228c0)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Abstracts the way the database backend is accessed by the hash
equivalence server to make it possible to use other backends
(Bitbake rev: 04b53deacf857488408bc82b9890b1e19874b5f1)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Allows the arguments to the bitbake-hashserv command to be specified in
environment variables. This is a very common idiom when running services
in containers as it allows the arguments to be specified from different
sources as desired by the service administrator
(Bitbake rev: f65c87fab07a730f2f4588764cb64508c2149b40)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds a logging adaptor to the asyncrpc clients that prefixes log
messages with the client remote address to aid in debugging
(Bitbake rev: f4d64ce73c2449c008ff5d9b32376a2893ef7195)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds support for running the hash equivalence test suite against an
external hash equivalence implementation.
(Bitbake rev: c1fbc3f68b94905d19ffcf4a6da5b27f0bf14599)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds context manager API for the asyncrcp client class which allow
writing code that will automatically close the connection like so:
with hashserv.create_client(address) as client:
...
Rework the bitbake-hashclient tool and PR server to use this new API to
fix warnings about unclosed event loops when exiting
(Bitbake rev: d01d684a0f6398270fe35ed59b7d28f3fd9b7e41)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds support to the hash equivalence client and server to communicate
over websockets. Since websockets are message orientated instead of
stream orientated, and new connection class is needed to handle them.
Note that websocket support does require the 3rd party websockets python
module be installed on the host, but it should not be required unless
websockets are actually being used.
(Bitbake rev: 56dd2fdbfb6350a9eef43a12aa529c8637887a7e)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rewrites the asyncrpc client and server code to make it possible to have
other transport backends that are not stream based (e.g. websockets
which are message based). The connection handling classes are now shared
between both the client and server to make it easier to implement new
transport mechanisms
(Bitbake rev: 2aaeae53696e4c2f13a169830c3b7089cbad6eca)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Test that the followings link are visible and clickable:
- OpenEmbedded
- BitBake
- Yocto Project
- Read the Toaster manual
- Contribute to Toaster
- Fixed typo: using instead of usign line:97
- Remove whitespace
(Bitbake rev: d4c35eaff3c152ee864a886aac8ad5476f7f29f7)
Signed-off-by: Alassane Yattara <alassane.yattara@savoirfairelinux.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- check that the documentation link is visible
- check browser open new tab toaster manual when clicking on the documentation link
(Bitbake rev: befe970fcc7742cf266e03849be36c733bb09de6)
Signed-off-by: Alassane Yattara <alassane.yattara@savoirfairelinux.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Check the information icon is visible and clickable
Also if popup appearing when clicked and contain "Toaster version information"
(Bitbake rev: 0508fd74ebd43359473a9718edf0d146002041ad)
Signed-off-by: Alassane Yattara <alassane.yattara@savoirfairelinux.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
