Commit Graph

5766 Commits

Author SHA1 Message Date
Khem Raj
ee22a23e98 busybox: Fix build on architectures without SYS_settimeofday
Fixes following errors on riscv32/musl

| util-linux/hwclock.c:143:20: error: use of undeclared identifier 'SYS_settimeofday'
|   143 |         int ret = syscall(SYS_settimeofday, NULL, tz);
|       |                           ^
| 1 error generated.

(From OE-Core rev: 2d19a43c18c2c5b87e9a99f4c672ca7c6a202b80)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-22 14:36:49 +01:00
Khem Raj
3d2faaeb12 glibc: Always use GCC toolchain
Glibc is not yet buildable with non-gcc compilers e.g. clang

(From OE-Core rev: c822caf008be2311be3402a74826c6dcf99ce0a4)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-22 14:36:49 +01:00
Alejandro Hernandez Samaniego
344d484779 newlib: Upgrade 4.4.0 -> 4.5.0
Licence changes:
- Adds BSD-2 for libm ld128 functions on 5c5ae2c08
- Adds Synopsys arc-*-* targets on 820dd50

(From OE-Core rev: 0ab6ac79b9f9519d9ee2b2c8d5b217a7e665e6f3)

Signed-off-by: Alejandro Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-22 14:36:49 +01:00
Khem Raj
804e96e4f6 ovmf: Upgrade to 202502 release
Refresh patches

(From OE-Core rev: 903f5855135980eef0ba8e6cd9d64ee7f53d6096)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-19 17:55:18 +01:00
Peter Marko
4f7ad219f4 dropbear: upgrade 2024.86 -> dropbear_2025.88
Handles CVE-2025-47203

SHA1 algorithms were removed by default, so patch for disabling it was
removed together with its package option. Doing it with conditional
patch was anyway a bad design. If someone still needs it, it should be
done via sed command on the config file.

Refreshed remaining patches.

Added patch to fix regression of the CVE fix.

(From OE-Core rev: c01205e7a4816d78e99d01f86a396ab23d9bde34)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-15 10:55:26 +01:00
Peter Marko
797589dc87 dropbear: add mirror
Main download page is currently unavailable, switch to mirror listed in
README file of the dropbear repository and release tarballs.

(From OE-Core rev: 49e1947dfcb24afe6ffca129ce38602d3d6a6a64)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-15 10:55:26 +01:00
Robert Yang
d74ff59aa8 coreutils: Drop 0001-local.mk-fix-cross-compiling-problem.patch
The patch is used for fixing:
| Makefile:3418: *** Recursive variable 'INSTALL' references itself (eventually).  Stop.

Now the code and check and set that correctly:
if CROSS_COMPILING
cu_install_program = @INSTALL@
else
cu_install_program = src/ginstall
endif

So just drop the patch.

And also remove the ginstall hack to fix ptest case failure when single-binary
is enabled, I can't find the reason on why it was needed from git log.

Fixed:
install: missing file operand
Try 'install --help' for more information.

* Reproducer:
DISTRO_FEATURES:append = " ptest"
EXTRA_IMAGE_FEATURES:append = " ptest-pkgs"
IMAGE_INSTALL:append = " coreutils"
PACKAGECONFIG:append:pn-coreutils = " single-binary"

$ bitbake core-image-sato
$ runqemu tmp/deploy/images/qemux86-64/ nographic kvm

On target:
$ cd /usr/lib/coreutils/ptest
$ ./run-ptest
============================================================================
Testsuite summary for GNU coreutils 9.6
============================================================================
TOTAL: 655
PASS:  529
SKIP:  126
XFAIL: 0
FAIL:  0
XPASS: 0
ERROR: 0
============================================================================
make[1]: Leaving directory '/usr/lib/coreutils/ptest'

(From OE-Core rev: 8728815f74f73723e86ba25b56a66b3fb46d6596)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-15 10:55:26 +01:00
Robert Yang
e1d0f2e46c coreutils: Fix file-rdeps for single-binary
Fixed:
DISTRO_FEATURES:append = " ptest"
PACKAGECONFIG:append:pn-coreutils = " single-binary"

$ bitbake coreutils
ERROR: coreutils-9.6-r0 do_package_qa: QA Issue: /usr/lib/coreutils/ptest/src/yes contained in package coreutils-ptest requires /path/to//tmp/work/core2-64-poky-linux/coreutils/9.6/build/src/coreutils, but no providers found in RDEPENDS:coreutils-ptest? [file-rdeps]

(From OE-Core rev: 5174ec4a82a66b49ff7a8988ab52731b775bffb6)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-15 10:55:26 +01:00
Wang Mingyu
421d448cb1 libcgroup: upgrade 3.1.0 -> 3.2.0
0001-include-Makefile-install-systemd.h-by-default.patch
removed since it's included in 3.2.0

(From OE-Core rev: 38f3346423fe7362d901d8f78e61aa96a67db867)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-13 10:29:21 +01:00
Richard Purdie
6a2ad60ecc bitbake.conf/pseudo: Switch from exclusion list to inclusion list
Currently, pseudo tracks all files referenced within its presence unless
they're listed in an exclusion list. The exclusion list has grown to be
fairly unwieldy.

This patch swaps PSEUDO_IGNORE_PATHS for PSEUDO_INCLUDE_PATHS which in
theory should be easier and more explicit to maintain.

This change does drop many directories from pseudo coverage including
/home and /tmp. There may be adaptations needed for recipes/classes
using pseudo in specific ways.

(From OE-Core rev: 2502da81709f25de499277b28d33c915638c45f6)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-12 22:01:56 +01:00
Chen Qi
a48e688361 busybox: fix CVE-2023-39810
Backport patch to fix CVE-2023-39810.

Note that the patch adds a config option which is disabled by
default. So users wanting this feature need to enable that option.

(From OE-Core rev: b16c9a295d5d2c5d2100bce11fffeae6beb766c5)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-12 22:01:55 +01:00
Ross Burton
234b7ce514 buildtools-tarball: fix default_cases assignment
This is meant to be a list of strings not a single string. For example,
this is overwriting the default in OESDKTestContextExecutor which is:

      default_cases = [os.path.join(os.path.abspath(os.path.dirname(__file__)), 'cases')]

(From OE-Core rev: 867e0a9c571b7bc9a37e6d893f7d75e03fa218a5)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-12 22:01:55 +01:00
Trevor Woerner
b2d8a30f22 systemd: disable linker GCS warning on aarch64
openssl has some assembler code that has PAC and BTI hints but not GCS. The
systemd recipe then links to libcrypto from openssl with GCS enabled (as
that is a distro-wide setting) and it - correctly - warns that it is being
told to use GCS but one of the inputs does not have GCS. This would not
be a problem but systemd also links with --fatal-warnings, so the build
explodes.

	libcrypto.so: warning: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all the shared library dependencies have the GCS marking.
	| collect2: error: ld returned 1 exit status

(From OE-Core rev: 295e30eac69e152778246c7271b72f7e8498a40a)

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-12 22:01:55 +01:00
Deepesh Varatharajan
3d1fd63974 glibc: stable 2.41 branch update
Below commits on glibc-2.41 stable branch are updated.
5cb575ca9a elf: tst-audit10: split AVX512F code into dedicated functions [BZ #32882]
046b33800c x86: Detect Intel Diamond Rapids
a53e764657 x86: Handle unknown Intel processor with default tuning
aca31d2712 x86: Add ARL/PTL/CWF model detection support
f68b407d4b x86: Optimize xstate size calculation
d6d56af6e7 elf: Fix arm-linux-gnueabihf build break from b861755a84
b861755a84 elf: Extend glibc.rtld.execstack tunable to force executable stack (BZ 32653)
200d20123c x86: Link tst-gnu2-tls2-x86-noxsave{,c,xsavec} with libpthread
80cd656649 x86: Use separate variable for TLSDESC XSAVE/XSAVEC state size (bug 32810)
a282e2c0ae x86: Skip XSAVE state size reset if ISA level requires XSAVE
bcd4cf9d5f x86_64: Add atanh with FMA
7e72fa7577 x86_64: Add sinh with FMA
6a3a4a5e58 x86_64: Add tanh with FMA
ce9b765522 nptl: Check if thread is already terminated in sigcancel_handler (BZ 32782)
98c712855d nptl: PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786)
e22c132484 nptl: clear the whole rseq area before registration
33bfd9020f Linux: Remove attribute access from sched_getattr (bug 32781)
66fc3bd758 math: Remove an extra semicolon in math function declarations
1a3083b999 posix: Move environ helper variables next to environ definition (bug 32541)
91f8cff2c4 configure: Fix spelling of -Wl,--no-error-execstack option
fd202462c5 elf: Check if __attribute__ ((aligned (65536))) is supported
746ef8e939 static-pie: Skip the empty PT_LOAD segment at offset 0 [BZ #32763]
56609f8df1 Pass -Wl,--no-error-execstack for tests where -Wl,-z,execstack is used [PR32717]
89be78704e AArch64: Use prefer_sve_ifuncs for SVE memset
c47c3890f1 AArch64: Add SVE memset
e0bc5f64ea math: Improve layout of exp/exp10 data
009c5a2dca aarch64: Add GCS test with signal handler
8d98ee8d70 aarch64: Add GCS tests for dlopen
61ba3cdfa9 aarch64: Add GCS tests for transitive dependencies
fda5730898 aarch64: Add tests for Guarded Control Stack
6d1f97bb06 aarch64: Add configure checks for GCS support
7774a9d07a AArch64: Improve codegen for SVE powf
2025e27a81 AArch64: Improve codegen for SVE pow
f3d9c116cb AArch64: Improve codegen for SVE erfcf
94859e8680 Aarch64: Improve codegen in SVE exp and users, and update expf_inline
7c9a086807 Aarch64: Improve codegen in SVE asinh
30992cb5e9 RISC-V: Fix IFUNC resolver cannot access gp pointer
07288c7445 math: Add optimization barrier to ensure a1 + u.d is not reused [BZ #30664]
2cb04444b9 math: Fix `unknown type name '__float128'` for clang 3.4 to 3.8.1 (bug 32694)
a900dbaf70 x86 (__HAVE_FLOAT128): Defined to 0 for Intel SYCL compiler [BZ #32723]
1e0e33e1b1 Fix tst-aarch64-pkey to handle ENOSPC as not supported
69fda28279 assert: Add test for CVE-2025-0395
cf88351b68 math: Fix tanf for some inputs (BZ 32630)
cb7f206537 nptl: Correct stack size attribute when stack grows up [BZ #32574]
d85a771953 math: Fix sinhf for some inputs (BZ 32627)
bdccbfbc52 math: Fix log10p1f internal table value (BZ 32626)

Testresults:
Before update	|After update	 |Difference
PASS:  5816	|PASS:  5826	 |PASS: +10
FAIL:  239	|FAIL:  239	 |FAIL:  0
XPASS: 4	|XPASS: 4	 |XPASS: 0
XFAIL: 16	|XFAIL: 16	 |XFAIL: 0
UNSUPPORTED: 164|UNSUPPORTED: 164|UNSUPPORTED: 0

(From OE-Core rev: 3151f2469b9997c2e3d689dcee14fedd137ea44b)

Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-08 10:28:19 +01:00
Etienne Cordonnier
e83be014df coreutils: remove outdated comment
The comment about hostname not being included in base_bindir_progs is wrong after https://git.yoctoproject.org/poky/commit/?id=b9bf37ec6792f82753fe265fdcfc19db7dd51ab6 ,
so remove it to avoid confusion.

Also improve comment about bindir_progs.

(From OE-Core rev: f8c439cabb920eac002407b48b1aebc82b7027c0)

Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-08 10:28:19 +01:00
Khem Raj
b09456cf94 musl: Enable riscv32
Musl recipe points to recent tip of trunk (1.2.5+) where we now have riscv32
port merged [1], Enable riscv32 as supported arch for musl systems.

[1] https://git.musl-libc.org/cgit/musl/commit/?id=377c363fb5519a224682692004ecd3703c19df93

(From OE-Core rev: 25e65df559de06bb056d19f8acfcd1b8b63b81ca)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-08 10:28:19 +01:00
Markus Volk
3e927b6953 glib-2.0: update 2.84.0 -> 2.84.1
- remove backport patch

Overview of changes in GLib 2.84.1, 2025-04-03
==============================================

* Fix test failure when building against gobject-introspection ≥1.83.4 (#3634,
  work by Philip Withnall)

* Bugs fixed:
  - #3630 2.84.0 build failure on Linux: ../gio/gnetworkmonitornetlink.c:47:10:
    fatal error: netlink/netlink_route.h: No such file or directory (Philip
    Withnall)
  - #3634 test failure with gobject-introspection 1.83.4: warning: element
    doc:format from state 3 is unknown, ignoring (Philip Withnall)
  - #3636 gio/trash does not handle special characters well
  - #3642 `g_cancellable_connect()` documentation incorrect (Marco Trevisan
    (Treviño))
  - #3643 g_cancellable_connect(): is it safe to unref cancellable from
    callback? (Marco Trevisan (Treviño))
  - #3649 Crash with some registry key values in GWin32AppInfo (Philip Withnall)
  - !4484 Memory sanitizer fixes
  - !4489 gobject: Be consistent in using atomic logic to handle the
    GParamSpecPool
  - !4541 gsettings: Port docs to gi-docgen format, add missing annotations and
    make various improvements
  - !4544 tests: Don't install runner scripts without installed_tests
  - !4545 Update French translation
  - !4547 Update Catalan translation
  - !4548 Update Turkish translation
  - !4551 Updated Danish translation
  - !4552 Update Persian translation
  - !4553 docs: Document GSignalFlags members added after 2.0
  - !4554 Update Indonesian translation
  - !4555 tests: Add a test for g_object_freeze_notify() being called too often
  - !4557 gfileinfo: Slightly expand docs for
    g_file_info_get_attribute_as_string()
  - !4558 gi: Dynamically set doc-format
  - !4561 tests: Various fixes to create temporary files in /tmp rather than the
    build directory
  - !4562 gdbusnameowning: Convert docs to gi-docgen linking syntax
  - !4563 giounix-private: Fix macro for checking for epoll_create1()
  - !4565 Fix LGPL in header
  - !4567 gutils: make documentation of g_set_prgname() clearer
  - !4568 docs: Add some detail
  - !4569 Update Romanian translation
  - !4570 gspawn-win32: Fix potential integer overflows in argv handling
  - !4571 gvarianttype: Improve docs on type validation

* Translation updates:
  - Catalan (Jordi Mas)
  - Danish (Ask Hjorth Larsen)
  - French (Vincent Chatelain)
  - Indonesian (Andika Triwidada)
  - Persian (Danial Behzadi)
  - Romanian (Antonio Marin)
  - Turkish (Sabri Ünal)

(From OE-Core rev: 676b9acbe94f055a351da3bdcfbe457411e1877c)

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-05 17:22:11 +01:00
Khem Raj
7237d6bb50 util-linux: ignore mkfds BPF related ptests
They do not pass with GCC-15, ignore them for now

[RP: Fix formatting of exclude to be whitespace separated]
(From OE-Core rev: dc989569d3528d999f2a1f4363a9ef8325e09600)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-01 14:33:26 +01:00
Divya Chellam
9218ec5b00 libxml2: upgrade 2.13.6 -> 2.13.8
This includes CVE-fix for CVE-2025-32414 and CVE-2025-32415.

Changelog:
===========
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.7
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8

Regressions

* tree: Fix xmlTextMerge with NULL args
* io: Fix compressed flag for uncompressed stdin
* parser: Fix parsing of DTD content

Security

* [CVE-2025-32415] schemas: Fix heap buffer overflow in xmlSchemaIDCFillNodeTables
* [CVE-2025-32414] python: Read at most len/4 characters. (Maks Verver)

(From OE-Core rev: 0b24113405ab0bbb3200bb47fa8ed6abeaa7481b)

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-01 14:22:54 +01:00
rajmohan r
90a5add3b6 glibc-y2038-tests: remove glibc-y2038-tests_2.41.bb recipe
This recipe takes longer time >20min when bitbake for package
write stage. When cross-verified for longer time duration, found
that do_check() stage taking 20min while other stages completes
before 6min.

This recipe gives only below two test binaries in the packages to
test (ptest: glibc-y2038-tests):
     io/ftwtest
     io/ftwtest-time64

The above test binaries are already included for testing in recipe
glibc-testsuite_2.41.bb.

It is by now well established that glibc itself works as it should,
that all affected 32 bit targets are configured to use 64 bit time_t,
and that any lingering y2038 issues are in components other than the c
library, and usually come from C programming mistakes (e.g. storing
timestamps in long). Maybe we can simply remove the recipe?

Review comments for fixing above longer time duration ended up in
removing this recipe as a proposal is below
https://lists.openembedded.org/g/openembedded-core/topic/112188476#msg214636

Removed lines having reference to glibc-y2038-tests in the files.

(From OE-Core rev: fbe3679ba3c12c52a502511f5dde91fb4de7a6b6)

Signed-off-by: rajmohan r <semc.2042@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-01 14:22:54 +01:00
Trevor Gamblin
0cb7199a8d python3-numpy: fix ptests
Fix the numpy ptests by doing the following:

- Add meson to ptest RDEPENDS in the recipe;
- Add python3-unittest-automake-output as a ptest RDEPENDS;
- Convert run-ptest to a shell script that sets PYTEST_DEBUG_TEMPROOT to
  a directory inside the same path that contains the script, create that
  directory, and then invoke the tests with `pytest --automake` pointed
  at the numpy path in site-packages (copying the tests into the normal
  PTEST_DIRECTORY seems to cause module import breakages in some tests).
  This also includes skipping two problematic tests which require a C
  compiler and use up a lot of space, respectively;
- Set 'IMAGE_ROOTFS_EXTRA_SPACE = "3048576"' for python3-numpy in
  core-image-ptest.bb;
- Also set 'QB_MEM:virtclass-mcextend-python3-numpy = "-m 4096"' in
  core-image-ptest.bb;
- Move python3-numpy from the PTESTS_PROBLEMS list to the PTESTS_SLOW
  one.

Results on qemux86-64:

Testsuite summary
DURATION: 87
END: /usr/lib/python3-numpy/ptest
2025-04-29T17:35
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Note that many of the skipped tests are due to the absence of
python3-mypy (which is currently in meta-python) and of a Fortran
compiler.

(From OE-Core rev: 7f0b5e8faa1b246531ac425c99a629eb344b21e2)

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-01 14:22:53 +01:00
Vyacheslav Yurkov
98889f60cc systemd: Password agents shouldn't be optional
If extra-utils package is not included in the image, you'll always see a
warning that password agent is missing whenever you start/stop a service:
Failed to execute /usr/bin/systemd-tty-ask-password-agent: No such file or directory

(From OE-Core rev: a87d523ab24e4ea87d1b19ea3a0c515cc47db1b6)

Signed-off-by: Vyacheslav Yurkov <uvv.mail@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-05-01 14:22:53 +01:00
Niko Mauno
b8e48df4fc dbus: Remove 'dbus-x11' from RPROVIDES
Since runtime dependencies to the old 'dbus-x11' compatibility label
are now no longer used in either poky or meta-openembedded provided
layers, we can remove it.

(From OE-Core rev: 2639ab4fd8855ada4ae8e2093868d7978220e783)

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-29 09:55:32 +01:00
Mingli Yu
4ac36e4b08 base-files: Make PATH retain the existing value
We may set the PATH variable such as in /etc/environment for ssh session,
so make PATH retain the previous existing value to fix the gap.

(From OE-Core rev: 4340cd7da25c69424915f29c2bb9531fc33617e6)

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-24 11:47:23 +01:00
Changqing Li
8dcd0f73eb buildtools-tarball: Make buildtools respects host CA certificates
To adapt user network environment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs are not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.

nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work

nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work

nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works

nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE

(From OE-Core rev: 8a7ec52e9b35654bee48cd948c6c34c63db3e265)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-24 11:27:06 +01:00
Ross Burton
576c4fd9e0 systemd: always depend on the explicit serial console units
The systemd-serialgetty recipe generates explicit units for consoles
that are defined in SERIAL_CONSOLES, and if that variable is not defined
then just produces an empty package.

Even when systemd has been configured to use the getty generator, if
there are explicit consoles defined then we should respect them.  Don't
conditionalise the dependency on systemd-serialgetty so that we always
pull in the explicit consoles.

(From OE-Core rev: a7036173acdb84d516f17257e02a936f04c584d8)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-23 19:52:58 +01:00
Ross Burton
11a005cae7 systemd: enable getty generator by default
Until recently, even when the getty generator was disabled in the
systemd recipe it was actually still active.  This was because the old
behaviour was to delete the serial-getty template unit if the generator
was disabled, but the systemd-serialgetty package shipped then shipped
the same files so the generator continued to run.  This was a bug in the
original commit[1] so this behaviour has been present since 2016.

My recent fixes[2] changed this: if the getty generator was disabled
then the generator itself is deleted. This makes the actual behaviour
match the intention, but the consequence was to demonstrate that some
modern platforms were relying on this unexpected behaviour: specifically
the genericarm64 BSP which intends to support a number of virtual and
physical boards with a number of serial console ports that are not
really suitable to be hardcoded into SERIAL_CONSOLES:

- ttyS0
- ttyAMA0 (AMBA PL011 uart)
- ttyS2 (BeagleBone Play, S0 and S1 are internal)
- hvc0 (KVM)
- ttyPS1 (AMD KV260)
- And most likely more

Restore the existing behaviour by explicitly enabling the serial getty
generator: this means that systemd will automatically bring up a getty
on the first serial console it finds.

In the future we should extend some level of dynamic console-finding to
sysvinit-based systems by searching for a console device in inittab, but
for now this reverts the unintentional regression.

[1] oe-core 2a8d0df47c9 ("systemd: make systemd-serialgetty optional")
[2] oe-core 2beb3170af6 ("systemd: if getty generator is disabled remove
    the generator, not the units")

(From OE-Core rev: af15f9d1609708443ed036fdb611cea92f566620)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-23 19:52:58 +01:00
Khem Raj
15a20fdcba glibc: Forward -ffile-prefix-map option to assembler flags
(From OE-Core rev: a85cccc80aa7e6d6a5850c2d730cba5e1cb60cb3)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-23 09:47:42 +01:00
Chen Qi
741e12d5b9 classes/recipes: remove unnecessary qemu inherit and use qemuwrapper-cross
These classes/recipes inherit qemu.bbclass but do not use anything from it.
What they use is qemuwrapper-cross, which is needed at do_rootfs time and
needs to be pulled-in by PACKAGE_WRITE_DEPS.

Also, in meta/conf/layer.conf, exclude qemuwrapper-cross deps for all arch
recipes that depend on it. This ensures allarch recipes have the same
signature across different machines.

(From OE-Core rev: 6f3ce94f4c03e7b26f1fcdf78ea969f57717ec56)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-23 09:47:42 +01:00
Mingli Yu
4dd76f5edf systemd: Correct tmpfile.d file for resolv.conf
The tmpfiles config for systemd-resolve has been split out [1],
so correct tmpfile.d file for resolv.conf in our recipe accordingly.

[ YOCTO # 15768]

[1] b15f6eae42

(From OE-Core rev: a3020c11c91304b7400bc19f80e44e7d3720281d)

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-17 11:03:22 +01:00
Changqing Li
2a1eb07755 buildtools-tarball: move setting of envvars to respective envfile
* make git,curl,python3-requests align with openssl, move the setting of
  envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
  before export envvars

(From OE-Core rev: 9d8ebfcd55ad274e79cb81f162397c8f39f4287b)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-11 11:49:59 +01:00
Christos Gavros
07b2d077c7 initramfs-framework: remove hard dependency with busybox
In 'finish' script the Switch_root command with option -c is busybox specific.
When package-core-base-utils is selected the boot is breaking with message
"Switch_root: invalid option — ‘c’". It was reproduced using qemu.
Remove -c option to make it compatible with both providers.
It is tested using qemu with busybox and package-core-base-utils. In both cases
qemu boots successfully and filesystem is accessible.
Fixes [YOCTO #15716]

CC: Yoann Congal <yoann.congal@smile.fr>
CC: Randy MacLeod <randy.macleod@windriver.com>
CC: jbk <jbk@mm-software.com>
CC: Raj Khem <raj.khem@gmail.com>
CC: Adrian Freihofer <adrian.freihofer@gmail.com>
(From OE-Core rev: 0f745024fd40518f98390008b4f613d5641df416)

Signed-off-by: Christos Gavros <gavrosc@yahoo.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-11 11:49:59 +01:00
Denys Dmytriyenko
8c583b0370 nativesdk-buildtools-perl-dummy: add more missing packages
There could be several more nativesdk perl packages generated
based on flags and dependencies that should not be installed
into the SDK when "dummy-sdk-package" facility is used. Add
them to the exclusion list here.

[YOCTO #15552]

(From OE-Core rev: 2b1ec442cf8c0d5753376e52bca5f8da5350848c)

Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-10 11:05:34 +01:00
Wang Mingyu
ed88b3f819 systemd: upgrade 257.4 -> 257.5
(From OE-Core rev: 05618ac2c6f69e0f41fb95e517382bf1177f0735)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-10 11:05:34 +01:00
Wang Mingyu
f8ae5dadfd ell: upgrade 0.75 -> 0.76
Changelog:
 Fix issue with random scalar generation.

(From OE-Core rev: 62bd49794d7654d3d111bff10bd40e812c05f2ee)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-10 11:05:34 +01:00
Hongxu Jia
db026b5972 ovmf: fix CVE-2025-2295
According to [1], EDK2 contains a vulnerability in BIOS where a user may
cause an Integer Overflow or Wraparound by network means. A successful
exploitation of this vulnerability may lead to denial of service.

Refer debian [2], backport a patch from edk2 [3] to fix CVE-2025-2295

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2295
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100594
[3] 17cdc512f0

(From OE-Core rev: 0f59dec939cf0d313b1b01b1e7bf10e059d9d0ac)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-10 11:05:34 +01:00
Peter Marko
b9139b242e cve-update-nvd2-native: add workaround for json5 style list
NVD responses changed to an invalid json between:
* April 5, 2025 at 3:03:44 AM GMT+2
* April 5, 2025 at 4:19:48 AM GMT+2

The last response is since then in format
{
  "resultsPerPage": 625,
  "startIndex": 288000,
  "totalResults": 288625,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2025-04-07T07:17:17.534",
  "vulnerabilities": [
    {...},
    ...
    {...},
  ]
}

Json does not allow trailing , in responses, that is json5 format.
So cve-update-nvd2-native do_Fetch task fails with log backtrace ending:

...
File: '/builds/ccp/meta-siemens/projects/ccp/../../poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 234, function: update_db_file
     0230:            if raw_data is None:
     0231:                # We haven't managed to download data
     0232:                return False
     0233:
 *** 0234:            data = json.loads(raw_data)
     0235:
     0236:            index = data["startIndex"]
     0237:            total = data["totalResults"]
     0238:            per_page = data["resultsPerPage"]
...
File: '/usr/lib/python3.11/json/decoder.py', lineno: 355, function: raw_decode
     0351:        """
     0352:        try:
     0353:            obj, end = self.scan_once(s, idx)
     0354:        except StopIteration as err:
 *** 0355:            raise JSONDecodeError("Expecting value", s, err.value) from None
     0356:        return obj, end
Exception: json.decoder.JSONDecodeError: Expecting value: line 1 column 1442633 (char 1442632)
...

There was no announcement about json format of API v2.0 by nvd.
Also this happens only if whole database is queried (database update is
fine, even when multiple pages are queried).
And lastly it's only the cve list, all other lists inside are fine.
So this looks like a bug in NVD 2.0 introduced with some update.

Patch this with simple character deletion for now and let's monitor the
situation and possibly switch to json5 in the future.
Note that there is no native json5 support in python, we'd have to use
one of external libraries for it.

(From OE-Core rev: 6e526327f5c9e739ac7981e4a43a4ce53a908945)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-10 11:05:34 +01:00
Alexander Kanavin
6ea73a1fbd ifupdown: mark defn2-c-man-don-t-rely-on-dpkg-architecture-to-set-a.patch as Inappropriate
(From OE-Core rev: 30eefe0adacc6a064a0958fc8f463a3331ad12fa)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-10 11:05:34 +01:00
Changqing Li
7c70ac58da initscripts: add function log_success_msg/log_failure_msg/log_warning_msg
* add function log_success_msg/log_failure_msg/log_warning_msg, some
packages still use these functions, like mariadb, refer to [1], without
these functions, with sysV init manager, mariadb will report error:

root@qemux86-64:~# /etc/init.d/mysqld status
/etc/init.d/mysqld: line 383: log_success_msg: command not found

* remove RCONFLICTS with lsbinitscripts, LSB support was already removed in
  [2]

[1] https://github.com/MariaDB/server/blob/main/support-files/mysql.server.sh#L104
[2] https://git.openembedded.org/openembedded-core/commit/?id=fb064356af615d67d85b65942103bf943d84d290
[3] https://refspecs.linuxbase.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptfunc.html

(From OE-Core rev: b57824d0ec593898abd9eb957c2ff1317bb74440)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-08 15:49:17 +01:00
Mike Looijmans
07ab691bd9 dropbear/dropbearkey.service: Allow extra arguments for key generation
Just like the "init" version of this script, pass $DROPBEAR_RSAKEY_ARGS to the
'dropbearkey' program when generating a host key.

This allows speeding up SSH connections on read-only root systems by adding
the line DROPBEAR_RSAKEY_ARGS="-s 1024" into /etc/default/dropbear.

See also: c0efbcb47ab3 ("dropbear/init: Allow extra arguments for key generation")

(From OE-Core rev: 3ae2c70fe83bc242b7a13655bc38431c81033c66)

Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-08 15:49:17 +01:00
Yi Zhao
8e71408829 base-files: add gshadow entry in nsswitch.conf
We encountered a newgrp regression in shadow 4.17.3:
  root@qemux86-64:~# groupadd g1
  root@qemux86-64:~# useradd t1
  root@qemux86-64:~# gpasswd g1
  Changing the password for group g1
  New Password:
  Re-enter new password:
  root@qemux86-64:~# sudo -u t1 newgrp g1
  Password:
  Invalid password.
  root@qemux86-64:~#

In versions prior to shadow 4.17.3, shadow used an internal
implementation to support shadow group because it could not correctly
detect whether glibc supports shadow group in a cross-compilation
environment. In 4.17.3, it can correctly check whether glibc supports
shadow group even in a cross-compilation environment[1]. If supported,
shadow will use it instead of its own internal implementation.
Shadow group support in glibc requires adding a gshadow entry in
nsswitch.conf.

After the patch:
  root@qemux86-64:~# groupadd g1
  root@qemux86-64:~# useradd t1
  root@qemux86-64:~# gpasswd g1
  Changing the password for group g1
  New Password:
  Re-enter new password:
  root@qemux86-64:~# sudo -u t1 newgrp g1
  Password:
  t1@qemux86-64:/home/root$

[1] da6b9cff02

(From OE-Core rev: 0cb122f17cf264ef904880351db1c0bb325fe5a6)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-08 15:49:17 +01:00
Haixiao Yan
26336dd47b glibc: Add single-threaded fast path to rand()
Backport a patch [1] to improve performance of rand() and __random()[2]
by adding a single-threaded fast path.

[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f
[2] https://sourceware.org/bugzilla/show_bug.cgi?id=32777
(From OE-Core rev: b0ded4df5f2d3bb3319978d1a549c72f5daf238e)

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-03 11:06:20 +01:00
Richard Purdie
9393dd6878 ell: upgrade 0.74 -> 0.75
(From OE-Core rev: c4e232a342a8dec20b91b5fcb01d88e2293ce7ff)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-03 11:06:19 +01:00
Richard Purdie
9e59fdc9d7 base-passwd: upgrade 3.6.6 -> 3.6.7
(From OE-Core rev: e0e9d1d301fc39fed50c52f1e90d03749946f732)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-03 11:06:19 +01:00
Niko Mauno
340d9e28e1 dbus-glib: Revise RDEPENDS:${PN}-tests assignment
Since this recipe has 'dbus' in DEPENDS, assigning dbus-glib-tests
runtime dependency to '${PN}' instead of 'dbus' will induce pulling
the preferred runtime D-Bus package to rootfs, thanks to libdbus'
runtime recommendation of ${VIRTUAL-RUNTIME_dbus}.

Suggested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: cd74093b8aaedb6086247e5562433c2218fc6455)

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-03 11:06:19 +01:00
Niko Mauno
84bf6e7e43 glib: Support using alternative runtime D-Bus
In order to facilitate oe-core users who wish to use e.g. dbus-broker
as their runtime D-Bus implementation, change the Freedesktop.org
specific D-Bus runtime dependency to honor the new VIRTUAL-RUNTIME_dbus
variable.

(From OE-Core rev: c0c874c577910833a7dd90122b22c20fe33bf681)

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-01 22:05:54 +01:00
Niko Mauno
c4b1070d55 systemd: Support using alternative runtime D-Bus
In order to facilitate oe-core users who wish to use e.g. dbus-broker
as their runtime D-Bus implementation, change the Freedesktop.org
specific D-Bus runtime dependency to honor the new VIRTUAL-RUNTIME_dbus
variable.

(From OE-Core rev: f9a41652f7b40edf84278c0f3922321a613297f7)

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-01 22:05:54 +01:00
Niko Mauno
a39bb35ddf dbus: Allow using dbus-lib with alternative D-Bus
In order to facilitate oe-core users who wish to use e.g. dbus-broker
as their runtime D-Bus implementation, declare the target specific
dbus-lib runtime recommendation so that it will honor the new
VIRTUAL-RUNTIME_dbus variable.

(From OE-Core rev: 1d26191c71d4b19fe45ced52698d4130e8d8305e)

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-01 22:05:54 +01:00
Peter Kjellerstedt
41ec3e8bff systemd-systemctl-native: Use += instead of :append
There is no reason to use EXTRA_OEMESON:append when += will do.

(From OE-Core rev: 2ebd45d351dbf801a5aef0cc4a0a1c684e544412)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-04-01 11:58:25 +01:00
Richard Purdie
e894acce6e build-appliance-image: Update to master head revision
(From OE-Core rev: dc2ef2cc1183a14cd3a05d388a1d0485a1bc8d20)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-03-29 15:37:21 +00:00