Commit 6c2ae2346db0 (kern-tools: depend on git-replacement-native)
broke our kernel builds. For saving space and time, we have a DL_DIR
shared between multiple users/buildbots, not all of which run with the
same uid (and with appropriate sticky bits set so that files
downloaded by one user become owned by a common group and are readable
by others). This works fine also for git sources because the docker
images we use all have a /etc/gitconfig with
[safe]
directory = *
But with the mentioned commit, the host's git is no longer used for
do_unpack (nor for do_fetch if re-building and sysroot has already
been populated by a previous build), causing spurious "fatal: detected
dubious ownership..." failures.
Currently, the path where the git-native binary searches for system
gitconfig is the sysroot from it was built, which obviously doesn't
contain a /etc/gitconfig. As for the nativesdk variant, respect the
host's /etc/gitconfig if present.
(From OE-Core rev: a3f5ac9f9fee2c8e10fec7c3f758e49513fef724)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 572f511f7ff02fb559ac42d2d5dbd09fec478d97)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
git is delegating webacces for URLs using TLS to libcurl.
However our native libcurl build does not find a ca-certificate.crt
unless its curl-native work dir still exists and thus git will
fail.
If a recipe uses AUTOREV with a git repo using https as its protocol
parsing of that recipe will fail fetching the latest HEAD.
Fix that by depending on ca-certificate and give its location
to libcurl via git's envrironment variable GIT_SSL_CAINFO.
(From OE-Core rev: 2e99ffda70fd95b5eab3de47048032349cd66f4b)
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This minor point release fixes CVE-2023-25652 and CVE-2023-29007.
(From OE-Core rev: 469c28924ab9debe810e3277b27ad936781e7ce5)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is specific to Git-for-Windows.
(From OE-Core rev: c8849af809e0213d43e18e5d01067eeeb61b330d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This fixes CVE-2022-41903 and CVE-2022-23521.
(From OE-Core rev: 8395d2512c5335635fff3ce2043ac71fe1948c42)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes CVE-2022-39260
Git v2.38.1 Release Notes
=========================
This release merges the security fix that appears in v2.30.6; see
the release notes for that version for details.
Excerpt from 2.30.6 release notes:
* CVE-2022-39260:
An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and
remote code execution when `git shell` is exposed and the directory
`$HOME/git-shell-commands` exists.
`git shell` is taught to refuse interactive commands that are
longer than 4MiB in size. `split_cmdline()` is hardened to reject
inputs larger than 2GiB.
Credit for finding CVE-2022-39260 goes to Kevin Backhouse of GitHub.
The fix was authored by Kevin Backhouse, Jeff King, and Taylor Blau.
For 2.38.0 changes, see:
https://github.com/git/git/blob/master/Documentation/RelNotes/2.38.0.txt
(From OE-Core rev: b304768711374066db320fe87960be81f54a8424)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
by default git pulls in several code fragments not being licensed
under just GPL-2.0-only.
obstack and poll are licensed under GPL-2.0-or-later
reftable being BSD-3-Clause
sha1dc and inet_ntop being MIT
netmalloc being Bosst-1.0 aka BSL-1.0
regex being LGPL-2.1-or-later
(From OE-Core rev: 5184e651651ed949d198882a10f406cef5939b7b)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes a fix for CVE-2022-24765
(From OE-Core rev: a17dc42d82b12d7f891c903a02a0302b31829c88)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Everyone I've talked to doesn't see this as a major issue. The CVE
asks for a documentation improvement on the --mirror option to
git clone as deleted content could be leaked into a mirror. For OE's
general users/use cases, we wouldn't build or ship docs so this wouldn't
affect us.
(From OE-Core rev: 5dfe2dd5482c9a446f8e722fe51903d205e6770d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It can be useful to use git on target (e.g. with some wrapper like
etckeeper for keeping track of changes to /etc), and for such cases,
it is likely one has no need for pulling from/pushing to http[s]
repositories. From the INSTALL file:
- "libcurl" library ... If you do not use http:// or https://
repositories, and do not want to put patches into an IMAP
mailbox, you do not have to have them (use NO_CURL).
- "expat" library; git-http-push uses it for remote lock
management over DAV. Similar to "curl" above, this is
optional (with NO_EXPAT).
Setting --without-expat and --without-curl reduces the size of the
installed "git" package from 18M to 12M, in addition to avoiding
pulling those libraries into the rootfs.
(From OE-Core rev: 49f81198c5d233a9a2612c3b8366681dd85bea59)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This allows automated updates, and better aligns with how
documentation is handled in oe-core.
(From OE-Core rev: 22b267724148144d919b7281cf2250fc2e35a092)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
checkout: fix bug that makes checkout follow symlinks in leading path
Upstream-Status: Acepted [684dd4c2b4]
CVE: CVE-2021-21300
(From OE-Core rev: 1b680f6aca14c92d03d32c4974292788140d7a65)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added HOMEPAGE and DESCRIPTION for recipes with missing decriptions or homepage
[YOCTO #13471]
(From OE-Core rev: bb05814335e7101bfd8df0a11dc18a044e867bed)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Disable iconv, as configure.ac attempts to run a
cross-compiled test program otherwise.
(From OE-Core rev: 6b18acfbe61aef449743f5ce0dfd77f83f5cb2a5)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
On a system with selinux turned on, trying to access a directory
that is in a tree that doesn't exist returns the error permission
denined rather then no such file or directory, which causes git
to die.
git clone git://git.yoctoproject.org/poky
Cloning into 'poky'...
fatal: unable to access '/opt/poky/3.0+snapshot/sysroots/x86_64-pokysdk-linux/etc/gitconfig': Permission denied
Switch to using the system gitconfig of the host.
(From OE-Core rev: 5e44fb4dd106e3c4b9f072b25a93e54fa7bb1bce)
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
