Noteworthy changes in version 2.5.4 (2025-02-12)
------------------------------------------------
* gpg: New option --disable-pqc-encryption. [rG00c31f8b04]
* gpg: Fix --quick-add-key for Weierstrass ECC with usage given.[T7506]
* gpg: Fix handling with no CRC armor. [T7071]
* gpg: New private Kyber keys are now cross-referenced using a new
Link attribute. [T6638]
* gpg: Fix an import problem with keys having another primary key as
a subkey. [T7527]
* gpgsm: Allow unattended PKCS#12 export without passphrase.
[rG159e801043]
* gpgsm: Allow CSR generation with an unprotected key.
[rG89055f24f4]
* agent: New option --change-std-env-name. [T7522]
* agent: Fix ssh-agent's request_identities for skipped Brainpool
keys. [rG2469dc5aae]
* Do not package zlib and bzip2 object files in a speedo release
build. [T7442]
See-also: gnupg-announce/2025q1/000490.html
Release-info: https://dev.gnupg.org/T7480https://dev.gnupg.org/source/gnupg/browse/master/NEWS
(From OE-Core rev: 59f26c7311ae3d5596f517b739e7c3435db070a3)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The environment variable SETUPTOOLS_SCM_SUBPROCESS_TIMEOUT allows to override
the subprocess timeout. The default is 40 seconds and should work for most
needs.[1] However, it was not enough while using git shallow tarball and starting
multiple Yocto world builds in one host.
| File "tmp/work/x86_64-linux/python3-scancode-native/32.1.0/recipe-sysroot-
native/usr/lib/python3.13/subprocess.py", line 1263, in _check_timeout
| raise TimeoutExpired(
| ...<2 lines>...
| stderr=b''.join(stderr_seq) if stderr_seq else None)
| subprocess.TimeoutExpired: Command '['git', '--git-dir', 'tmp/work/x86_64-
linux/python3-scancode-native/32.1.0/git/.git', 'status', '--porcelain',
'--untracked-files=no']' timed out after 40 seconds
Explicitly set variable SETUPTOOLS_SCM_SUBPROCESS_TIMEOUT to 600s in bbclass,
and we could override it in local.conf
[1] https://github.com/pypa/setuptools-scm/blob/main/docs/overrides.md
(From OE-Core rev: a3a2edbf7139b7f8c665c2b0b13e094a334e4441)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
According to Yocto reference manual, in description of the
IMAGE_LINK_NAME variable, it is said that
It is possible to set this to "" to disable symlink creation,
however, you also need to set :term:`IMAGE_NAME` to still have
a reasonable value e.g.::
IMAGE_LINK_NAME = ""
IMAGE_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_VERSION_SUFFIX}"
However, when using following additions in local.conf file:
INHERIT += "cve-check"
IMAGE_LINK_NAME = ""
IMAGE_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_VERSION_SUFFIX}"
the implicit symlink creation in cve_check_write_rootfs_manifest leads
to following build failure
$ bitbake core-image-minimal core-image-base
...
ERROR: core-image-base-1.0-r0 do_image_complete: Recipe core-image-base is trying to install files into a shared area when those files already exist. The files and the manifests listing them are:
/home/poky/build/tmp/deploy/images/qemux86-64/.json
(matched in manifest-qemux86_64-core-image-minimal.image_complete)
Please adjust the recipes so only one recipe provides a given file.
Mitigate the issue by creating the symlink only in case IMAGE_LINK_NAME
has not been set to empty string.
(From OE-Core rev: 64bfec359bd909761ce0a6a716286d938ed162d1)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The following patch dropped because it is in the new version:
- 0001-autotools-fix-securedir-and-pam_lastlog2-install.patch
libfdisk-cfdisk-and-sfdisk-sector-size-improvements.patch is replaced
by two new patches:
- 0001-cfdisk-add-sector-size-commanand-line-option.patch
- 0002-sfdisk-add-sector-size-commanand-line-option.patch
This is because the original patch is a squash of four patches and
two of them are in the new version. So extract the remaining two
that are not in the current version and make them separate patches
for better tracking.
(From OE-Core rev: e87b9bccc52bfba0c48db4920c0996d7dd6a0866)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a stable bugfix release, with the following changes:
Improved XInput controller detection on Windows
Added support for the 8BitDo Ultimate 2C Wireless in Bluetooth mode
Fixed Steam Deck controller not being visible to games running on
Proton 9 and older
Fixed a crash when hot-plugging keyboards and mice on Linux
Fixed a crash when disconnecting a Bluetooth audio device on macOS
Fixed building with Xcode using older Apple SDKs
Fixed a crash when disconnecting an external display on iOS
Fixed detection of function keys on Emscripten
(From OE-Core rev: 01a8dba6281ad1f026ab6d42a5d509207789b04f)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes fix for CVE-2025-24143, CVE-2025-24150, CVE-2025-24158 and
CVE-2025-24162
Drop 0001-Support-ICU-76.1-build.patch fix is part of upgrade.
Changelog:
==========
- Fix a crash when enabling Skia CPU rendering.
- Fix several crashes and rendering issues.
(From OE-Core rev: 289e09c1a090d06146406886d4763dd22203c231)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When enabling multilib for qemuarm64, populate_sdk would fail with
the following error:
Error: Transaction test error: file /usr/include/bits/indirect-return.h
conflicts between installs of lib32-libc6-dev-2.41 and libc6-dev-2.41+
The problem could be reproduced by adding the following lines in
local.conf and then run 'bitbake core-image-minimal -c populate_sdk':
MACHINE ?= "qemuarm64"
require conf/multilib.conf
MULTILIBS ?= "multilib:lib32"
DEFAULTTUNE:virtclass-multilib-lib32 ?= "armv7athf-neon"
Use oe_multilib_header to handle bits/indrect-return.h to fix this
issue.
(From OE-Core rev: e13d464db8db4e0fdec6c076aecff5284a27c510)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
psplash-start.service expected to find /dev/fb0 and failed
if device was not found. This failure breaks systemd
oeqa runtime test with "runqemu nographic". Starting
psplash based on detected framebuffer device fixes systemd
boot status and systemd oeqa runtime tests for qemu
boots with and without graphics support.
Note that psplash-systemd.service still depends on /dev/fb0
so startup with multiple framebuffer devices may not work
correctly. I don't have devices with multiple framebuffer
devices to test with.
On qemu machine with graphics, psplash displays yocto
logo correctly and boot progress bar as well. Once boot completes
to systemd "running" state, the logo is replaced by login prompt.
On qemu machine without graphics, boot completes without psplash
or failures and login over serial console works normally.
Tested with genericarm64 machine poky-altcfg distro and core-image-base
image on qemu. AMD kv260 tested as well but graphics stack is not yet
working there so boot is similar to qemu without graphics.
(From OE-Core rev: 3820f6f342c2309ba7d51d3c08b3a951c2c17781)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With all the pieces in place, the self test can be re-enabled.
(From OE-Core rev: 46e8b94582ea9734117d20cd62c39fb4450c00c4)
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Point to the crypto policy file so dnf can work with signed packages.
(From OE-Core rev: 7067d469742f0be4dd2b9ea3953fb039a4410085)
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Point to the crypto policy file so RPM signing may work.
(From OE-Core rev: 23083b72e3e6587dca9ca5a16762676e981b4a3b)
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rpm 4.20 removed the built-in code to handle signed packages
and uses rpm-sequoia as a more feature complete library.
Runtime-depend on rpm-sequoia-crypto-policy.
(From OE-Core rev: d8b01b436d37f4deb2de5d234e8f04c957719ca3)
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This ships a crypto policy file for rpm-sequoia.
(From OE-Core rev: 8e499cefab6bfb40b40ae3eb811ca3eb51a7d4bc)
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade coreutils from 9.5 to 9.6.
License-Update: Update copyright year (2024 -> 2025).
Fix do_install_ptest for new version to avoid buildpath QA issue.
(From OE-Core rev: b3de417033fda92956db093cf17a0b5134bd2f88)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade shadow from 4.17.1 to 4.17.2.
0001-lib-attr.h-use-C23-attributes-only-with-gcc-10.patch is dropped
because it has been merged.
(From OE-Core rev: 6170d60175237dd4a0471d6f88cee2db4a37b7c4)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Allow choice of one of three feeds and update task dependencies
accordingly. All feeds contain data from NVD and are stored in
different files.
Set the NVD_DB_VERSION variable to choose feed:
NVD2 (default) - the NVD feed with API version 2
NVD1 - the NVD JSON feed (deprecated)
FKIE - the FKIE-CAD feed reconstruction
In case of malformed database feed name, we default to NVD2 and show
an error.
(From OE-Core rev: f265812bfb6797aee10e7be42865736c9ff3478f)
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update the database structure and tasks to fit the current YP master.
This means:
- add the unpack task
- update the database structure (CVSS, vector string)
- use the temporary database in the same directory as the download
However, the old feed does not include CVSS4
(From OE-Core rev: dd249921a5d6b8e472242b57415de3f210dc81f1)
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Restore cve-update-db from kirkstone
Use cve-update-db-native.bb from OE 8c10f4a4dc12f65212576e6e568fa4369014aaa0
(From OE-Core rev: c84e19edc15b622bfe4d7e268ca5cb18312f09d6)
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rewrite the nfs sysvinit scripts to start the services required
by nfsv4: gssd, idmapd, and statd.
(From OE-Core rev: 2cca2dfb6acc25f1a6a25dc60423708a78cef85d)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add support for the nfsv4 user ID mapping daemon, configured with
a sensible default, and add a packageconfig for Kerberos support.
This is reasonably tested in production in our environment, but only
systemd support. There'll be some more work to do to get GSSAPI and
NFS idmapd support integreated into that.
(From OE-Core rev: a7ea135108e445197a58b19601d77eb9d287af69)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reduce diffs against upstream by using the service files provided
by them. This reduces our dependence on patches that simply change
the names of a service.
This also changes the way some nfs options get set for systemd, it
introduces the nfs.conf file for configuration, which all daemons
already support.
(From OE-Core rev: eeab3fa1423d499f9b39fda7a7514e619a3ac010)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Change the sysvinit script to start at the S runlevel, this matches
Debian, and prevents systemd from generating a unit file for it.
Also have the nfsd systemd service request the nfsd kernel filesystem
mountpoint. This avoids startup failures in unpriviled containers
or other setups that don't support the filesystem.
(From OE-Core rev: 6110687d199bf390380fe84c330858e3b03f681d)
Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This recipe was overriding do_install_ptest which is provided by the
ptest-python-pytest class, so there was no tests or run-ptest installed.
Use an append override, and minimise the installed files: use a symlink
so that scancode-licensedb-index.json is found and install setup.cfg.
(From OE-Core rev: 164876d33af9edaac37a686726727d3bc3d10aa9)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There have been errors seen when assembling root file system SPDX
documents where they will references files that don't exist in the
package SPDX.
The speculation is that this is caused by os.walk() ignoring errors when
walking, causing files to be omitted. Improve the code by adding an
error handler to os.walk() to report errors when they occur.
In addition, sort the files and directories while walking to ensure
consistent ordering of the file SPDX IDs.
(From OE-Core rev: 86b581e80637cd8136ce7a7e95db94d9553d2f60)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes https://bugzilla.yoctoproject.org/show_bug.cgi?id=15740
python3-setuptools-scm was ignoring GIT_CEILING_DIRECTORIES which is set by poky,
and it was thus finding a wrong value of "toplevel" in ./src/setuptools_scm/_file_finders/git.py
The code is supposed to generate the list of files contained in python3-setuptools-scm, but it was
instead running "git archive" on whatever git repository was above the build directory, because the
tarball containing the sources of python3-setuptools-scm does not contain a .git directory.
This is barely noticeable when building as a subdirectory of poky which is only 48MB, but this was
causing serious slowdowns of python3-setuptools-scm:do_compile when building
inside a big git repository with files tracked using git-lfs (50 minutes in my use-case).
Reported upstream as https://github.com/pypa/setuptools-scm/issues/1103
(From OE-Core rev: 4ebe72477484cf68165b6f736ce10373e97d0e6d)
Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The feature is available since meson 0.60.0. You can specify
comma-separated list of install tags (not targets).
(From OE-Core rev: a61ec67cb6f240c7593c9dd1b9a1ef5fff87c855)
Signed-off-by: Vyacheslav Yurkov <uvv.mail@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The setting of want_xterm_kbs is as following:
case $host_os in
(*linux-gnu|*cygwin|*mingw32|*msys)
want_xterm_kbs=DEL
;;
(*)
want_xterm_kbs=BS
;;
esac
The host_os when enable multilib is as folloing:
host_os of aarch64 : linux-gnu
host_os of aarch32 : linux-gnueabi
So in lib64 package, want_xterm_kbs=DEL, and in lib32 package, want_xterm_kbs=BS.
It results the differences in the terminfo files between lib32 and lib64 packages.
Using --with-xterm-kbs=del to unify the packages of lib32 and lib64 into "want_xterm_kbs=DEL".
(From OE-Core rev: 3868ae96ff32e8335e539ce62f51b7a223547c48)
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
MAIL: wangmy@fujitsu.com
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In case the initramfs image is bundled into the kernel there's no need to
specify a dependeny on the do_image_complete task of the initramfs image
from the do_assemble_fitimage_initramfs task since the task won't access
the image.
(From OE-Core rev: af6cde746f72be761550ee28b017719fba26ea65)
Signed-off-by: Weisser, Pascal <pascal.weisser.ext@karlstorz.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When specifying the dependencies of do_assemble_fitimage_initramfs the
initramfs image might be built with another multiconfig. This needs to be
taken into account.
The path of the initramfs image also needs to be adapted to handle the
case when it's built with another multiconfig.
(From OE-Core rev: 891d58e9dc00e52f17ddecd4f12fc81c8a3c1bce)
Signed-off-by: Weisser, Pascal <pascal.weisser.ext@karlstorz.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
While nativesdk support multilib, there are two dynamic loaders,
$OECORE_NATIVE_SYSROOT/lib64/ld-linux-x86-64.so.2
$OECORE_NATIVE_SYSROOT/lib/ld-linux.so.2
Search them with wildcard and call relocate_sdk.py separately
[ YOCTO #15722 ]
(From OE-Core rev: 703187755244b1a45dd9f90aeaf620d4c92a6757)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If networking fails, we can get useful informaiton over the serial connection. Add
this fallback code so that any issues can be more easily debugged by showing the
host and target networking states.
(From OE-Core rev: 3291f9d07ecfe7d3301dc914f5e6a80577cf1d5d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use the class available for bash compleition to simplify the recipe.
(From OE-Core rev: d29577ef719d76d445c88255c4a6dfe61456c3c2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade per AUH failed as with 0.21.6 libsecret now also comes with
bash-completions. Put those to an additional package, as systems might
come without bash, so not everyone might want them.
Changelog
---------
0.21.6
* meson: Make dbus-run-session optional [!157]
* meson: Actually include bash-completion subdir [!158]
0.21.5
* session: Tolerate non-approved DH parameter usage in FIPS mode [!145]
* Add some missing GIR annotations [!140]
* meson: Create default test setup with D-Bus [!115]
* meson: Use env.prepend() for test environment setup [!141]
* meson: Fix license field [!139]
* build: Remove self-inclusion from secret-item.h [!149]
* build: Fix compiler warnings in Vala tests [!153]
* tests: Fix "\|" used in test-secret-tool.sh not portable [!150]
* Fix typo in D-Bus XML [!152]
* docs: Fix minor gi-docgen reference [!142]
* docs: Fix Python example [!144]
* docs: Mention file backend [!146]
* docs: Fix link in README [!147]
* Several CI-related updates
* Updated translations
(From OE-Core rev: 1be1cf128ba04ea1399c43a369e909a2a5a16bc4)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The kernel-fitimage.bbclass evaluates the UBOOT_ENV variable from the
u-boot recipe. Based on this variable an u-boot script might be added to
the fitImage. However, the UBOOT_ENV variable is also used to install
the script as an old u-boot image, usually named boot.scr into the /boot
directory of the target device. This dual usage of one variable leads to
several strange side effects. Some examples:
- If UBOOT_ENV_SUFFIX is set to the default value scr, the boot.cmd
script gets added as a legacy uImage to the fitImage. That does not
look useful.
- If the UBOOT_ENV_SUFFIX is set to e.g. txt the script is not converted
into a legacy uImage and a usable plain text script gets added to the
fitImage. But the same script ends up redundant in /boot.
Another strange detail is that the UBOOT_ENV_BINARY gets set to e.g.
boot.txt for this configuration.
- Appending the script to the u-boot recipe and then hand it over to the
kernel recipe via the staged /boot directory looks like over
complicated. Such kind of over complications and u-boot kernel
inter-dependencies lead to an almost unmaintainable
kernel-fitimage.bbclass.
- A single variable does not allow you to add a text file to the fitImage
and at the same time place boot.scr file in the /boot directory of the
target device.
- It is not documented or obvious how the UBOOT_ENV variable should be
used together with the kernel-fitimage.bbclass.
The commit which introduced this feature (among other features...) is:
https://git.yoctoproject.org/poky/commit/?id=8a2f4e143b52109fbd0ee8d792e327d460b8c1e6
This commit is going to remove the u-boot script part of it.
The removal of this function requires a note in the migration guide.
The migration should be straightforward: If UBOOT_ENV and the
kernel-fitimage.bbclass are used, the u-boot script must now be appended
to the kernel recipe and the new FIT_UBOOT_ENV variable must be used.
(From OE-Core rev: ab7f0b5e3d3612c43f9aab9ea2b7bd554d02859d)
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
