Pick fix commit from PR linked in NVD report.
(From OE-Core rev: e3c0ac137e50d35e83e8e4ed2c4e09f2eb9d3bca)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pick patch for this CVE merged into 3.10 branch.
(From OE-Core rev: 8888cd14eb102574d530b6c683ce5beaad1aaa39)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pick patch from 3.12 branch per NVD report.
(From OE-Core rev: cfbac1d5edae4b0204ec4c01b5f710d100ceb2ad)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This is CVE for example tool contrib/untgz.
This is not compiled in Yocto zlib recipe.
This CVE has controversial CVSS3 score of 9.8.
(From OE-Core rev: 1bdcd62d34b0b060b0e1e5142c5f3e7075f21cc2)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The example recipe taken above is hello-world on version 1.0 (because
PV equals "1.0+git". Fix this issue.
(From yocto-docs rev: a48ab61034d50be1026b939112f4a5c58bed7b88)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 411122812ced4ec32127a823896a73aacf6eb97c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When we don't have a PR server enabled, we don't have leading ".0" to
the PKGR variable, as this is added by the PR server.
(From yocto-docs rev: 4c64db73fa68b6dbc11fe4b64452b0d6b7ee0280)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 7a0324b6a10e64ee250945747db10ca88040b1ce)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current example of the SRCREV change triggering a gitX bump is
wrong, as both gitX and r0.X get incremented.
Why this is happening is explained in bug 15729, which I copy here:
> +gitX+ is indeed related to changes in the source code.
>
> r0.X is bumped each time the checksum of the do_package task of the
> simple-hello-world-git recipe changes. This happens here:
> https://git.openembedded.org/openembedded-core/tree/meta/classes-global/package.bbclass?id=235e6d49e5888ad04416219e10b6df91a738661a#n306
>
> This line sets the value of PRAUTO and represents the number X found in
> r0.X. It will in the end make it into EXTENDPRAUTO, which itself makes
> to PKGR == r0.X.
>
> This line calls getPR(version, pkgarch, checksum). Between test case 5
> and 6, only the checksum changes. This checksum is the checksum of the
> do_package task (gotten from get_do_package_hash() above).
>
> Now, let's dump what changed with regards to this task between two
> consecutive runs, using the sigdata file in build/tmp/stamps/:
>
> ```
> [...]
> Variable fetcher_hashes_dummyfunc value changed from '2650ad6714c3f3248abfe9d3daf1196f307ed494' to '4af682a50174f5deb0397847da97d7cdba4ad067'
> ```
>
> The last line shows that the value of fetcher_hashes_dummyfunc changed
> from '2650ad6714c3f3248abfe9d3daf1196f307ed494' to
> '4af682a50174f5deb0397847da97d7cdba4ad067'. Those are the commit hashes
> in the git history of the simple-hello-world-git repository.
>
> Now you can see why this 0.X gets bumped, is because of the SRCREV change.
Fix the example, and detail what gets changed and why.
[YOCTO #15729]
Cc: Robert Berger <pokylinux@reliableembeddedsystems.com>
(From yocto-docs rev: 8d7b549d095c2ca04d4c7ff5a92f6de9fceb8496)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 09f0430bc69024b9854c31ba6783ddd807aa4f19)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Explain that the LICENSE set in a recipe does not apply to the recipe
file itself, but to the underlying software. The license of the recipe
file is the license provided in the layer itself. Give OpenEmbedded-Core
as an example for this.
Fixes [YOCTO #14410]
(From yocto-docs rev: 6799b1be5d48f4bf5dcd0b16c2dbc2e297d4ecd9)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b8a56b8b2e8c0417b2f7204f80c79b05d95e9ce4)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added by commit 35d7fe73bba1 ("ccache.bbclass: Make it can be shared
between different builds") in OE-Core.
Fixes [YOCTO #16052]
(From yocto-docs rev: e4f5ba7bb34586cd7bee7f0fe69c39b36dabb357)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 550ef8340b550f8d4e9c3d0672190dc09592c621)
Fix conflicts: CCLD variable in master not on kirkstone.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Based on diagrams/poky-buildprocess/Pokyarch_diag.svg, replace the PNG
graphic for the YP flow to an SVG graphic.
(From yocto-docs rev: 2983418bec7a2faeaae4e831b8f642ff0cd95980)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d2aaf54bee49295bdf81021648cb27499930edc6)
Fix conflicts (different alignment on master, keep one from kirkstone)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The YP generates an SDK by default, which can be meta-toolchain, an
image-specific one, or an extensible SDK (eSDK). Don't be specific in
this bullet list.
(From yocto-docs rev: 3c455c5a2892611d2323610170f9600ceb953f6c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f02c64286504353e97c7e5fe5c0d193776469ad1)
Fix conflict (#. on master, 7. on kirkstone)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a new section to release-process.rst to document the development
cycle of each release and namely the milestones and feature freeze
occuring after M3.
Fixes [YOCTO #15979]
(From yocto-docs rev: f7888e3c3267ec7c39374f694f86088598bea649)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 77c04cc5944acda7575546a7434e014e4a75ba58)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A ptest must emit at least one test result on the console, as this is
required by the testimage class (which ignores the exit code).
ptest-runner on the other hand, ignore the output and only cares about
the exit code.
Add these two items as requirements for a ptest to be valid.
Fixes [YOCTO #15832]
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
(From yocto-docs rev: 916be11467d87d39e4ad5ea218237258523f3953)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9292f61d7ba89598c89033ea7ee3b11a20d873f3)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add documentation for the image-container class, which is a simple class
to generate an image suitable for creating a container.
This answers in part to questions asked in [YOCTO #14368].
It also adds documentation for IMAGE_CONTAINER_NO_DUMMY, which was added
in OE-Core with commit f0645e172bb8 ("image-container.bbclass: Error if
not using linux-dummy").
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: cebe8ff0508e0fc2de8378a1cf93eb8054e12699)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 6ce00e5875eb3469fefd55cc22acaaeaf620053a)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current security-related documentation is a bit hard to find and
hidden within the development manual. However these are processes that
are not part of a development task but is rather a vulnerability
reporting process.
Create a new "Security" section in the documentation to gather this
information. This will be directly visible in the sidebar when opening
the documentation.
Split the previous security-subjects.rst document into 2 documents:
- security-team.rst: defines the roles of the security teams and its
members.
- reporting-vulnerabilities.rst: guide to report vulnerabilities to the
security team.
The plan is to backport these documents to active releases. As a
consequence, this section should be free of instructions and information
that only make sense for a specific release. It should _not_ contain
documents on how to enable security features with Yocto on target
devices, this is unrelated and can be left in the development manual
(for example: dev-manual/vulnerabilities.rst to deal with CVEs).
(From yocto-docs rev: 3fd0f37d708d88534dd6dbb51dc264911c349352)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 81e14ca2d5cff9e2104c556655144b069633790c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Whinlatter is the new current Yocto Project release, mark it as an
active one. Move it as released in December 2025.
(From yocto-docs rev: 7f6dff5c3d549cbd5040c15261bdb38a54dbd69e)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 6f8e97c6e529f3c47f45f34d9e04e3ad7bddd587)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Walnascar has stopped being updated a while ago, and Styhead is EOL
since May 2025.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 2425f0cf64c35b9f7d0676dd31c2ea94fcdb3a31)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 834de77b543de43ee3c1c12ca1d6277e67e126de)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Instead of a fixed list of commercial vendors, link to existing lists on
the YP website.
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(From yocto-docs rev: 69ad32040baf8ca7c79265fd83041b3241353e2d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9d394db4f88b66500e4d5a2a518d25f08a0c9472)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ABOUT tab is where the members/participants are listed now.
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(From yocto-docs rev: 8e216cd6e17fe4bc367c11d2ad3e3d7a29701af8)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a8a8d810f0505529aaaa90678e03152c8ac0c00b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2.13 may not be buildable with latest compilers without patching
(From OE-Core rev: 64d56cf416b31ae92438deefe4028402120ed998)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 406a33f896accc35a9cb6ab156f1e0f42dda67d8)
Backport: Fix [YOCTO #16137] by using the same archive as the cpio
recipe, ensuring the archive is in DL_DIR and so, avoiding reaching
unreliable upstream server.
This upgrade is safe to do because this archive is only use to test that
it compiles.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The pseudo update was causing hangs in builds, pull in the fix.
(From OE-Core rev: e514b1ac74ae8a69b15e3459cb3b327a35cabff8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8acdbefd0a148c8b7713f46066ae8489984c5d2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pulls in the following fixes:
* makewrappers: Enable a new efault option
* ports/linux/openat2: Add dummy wrapper
* test-syscall: Add a syscall test
* ports/linux/pseudo_wrappers: Avoid openat2 usage via syscall
which should fix issues with the tar CVE fix on Centos/Alma/Rocky 9 distros
that uses openat2 as well as the efault issue breaking rust based uutils.
(From OE-Core rev: edc8c8e0ae511b03cb9d0501d472bb42fbea2c8b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51f1388dd1679a28ec3ca468cf16aa0ea32bccf9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Where a task (such as do_package) runs under fakeroot, the corresponding
setscene task (do_package_setscene) will also run under fakeroot when
restoring from sstate. Assuming pseudo is used as the fakeroot
implementation, we need pseudo-native and all its runtime dependencies
to be available in the sysroot before running any setscene tasks under
fakeroot.
We already add a hard dependency from all do_package_setscene tasks to
virtual/fakeroot-native:do_populate_sysroot in base.bbclass, but this
does not cover transitive dependencies. So, extend the dependencies of
pseudo-native:do_populate_sysroot_setscene to ensure that the sqlite3
library is also available in the sysroot before running fakeroot
setscene tasks.
[YOCTO #15963]
(From OE-Core rev: e3c07672d22343cd7ac68cb84716b05ec7cd438b)
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c146ca657440550e00bc5e53d13502ef7aa945b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Patch for CVE-2025-61915 by mistake causes fatal error on unknown
directives in configuration files.
The default configuration already contains unknown directive in
non-systemd setups:
Unknown directive IdleExitTimeout on line 32 of /etc/cups/cupsd.conf
Backport fix for this from 2.4.x branch which reverts this behavior.
(From OE-Core rev: 6faf1266813efa21503511834cbb12f0d63c82fe)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
