by default git pulls in several code fragments not being licensed
under just GPL-2.0-only.
obstack and poll are licensed under GPL-2.0-or-later
reftable being BSD-3-Clause
sha1dc and inet_ntop being MIT
netmalloc being Bosst-1.0 aka BSL-1.0
regex being LGPL-2.1-or-later
(From OE-Core rev: d12513f066baca13a5be0c00792b1bd7d8b07c17)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5184e651651ed949d198882a10f406cef5939b7b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When signing the deb package feed gpg tools are a soft requirement. If gnupg-native
is not declared a dependancy the version from hosttools is used. Unfortunately the
gpg-agent version from Ubuntu 16.04 on the autobuilders is incompatible with the package_index task
and fails during oe-selftest. Fix by making gnupg-native a dependency.
Fixes: 0b4231b5 "package_manager: sign DEB package feeds"
Reported-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Suggested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 74725c9f7e7ed4172781891001e85b64bfb206b8)
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c063b658e30a24be9214abc23cd2a16c0260e93e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
Currently when building images this requirement is worked around by using [allow-insecure=yes] and
equivalently when performing selftest.
Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
management. To be able to install the key the gnupg package is added to the testimage.
(From OE-Core rev: 10fd76e6dfd97b57a9e2f592677c7e47b622e6b5)
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ec30490d09d6639eea2638cf12a323948f221cc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These settings are good for developers/maintainers but for distributions
generally disabling them turns out to be better especially when there is
a knob to do so. This fixes build with gcc-12 which find additional
warnings
inlined from 'bt_ctf_object_set_parent' at ../../../git/src/ctf-writer/object.h:120:6,
inlined from 'bt_ctf_trace_common_add_stream_class' at ../../../git/src/ctf-writer/trace.c:1243:3:
../../../git/src/ctf-writer/object.h:141:26: error: null pointer dereference [-Werror=null-dereference]
141 | if (child->parent) {
| ~~~~~^~~~~~~~
../../../git/src/ctf-writer/object.h:141:26: error: null pointer dereference [-Werror=null-dereference]
cc1: all warnings being treated as errors
(From OE-Core rev: bdf428b3b91d43eb61a6a4b83fc0f108745d45b7)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1898d10dd4d4372823e6c8b8c4ed28604e692365)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Users may or may not include the certificates in buildtools. Only set the
appropriate variables if they're present.
(From OE-Core rev: f3b1699afcd35494e972e7b5b575c318a196909f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0945a2a5d7c41af22e222a116aafacb4beee54d2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A fix is being added to bitbake to correctly handle spaces inside
checksum filenames. Add a test to oe-selftest to ensure this is
tested and doesn't regress in future.
(From OE-Core rev: 4146d30d06233c299b280d0e99ac5f51aab63ad4)
Signed-off-by: Paulo Neves <ptsneves@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 324109f034f069ee3e91a1a705b3449911a448de)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The virtio PCI devices seemed to be required for this machine for some
versions of qemu (based on errors from running qemu saying that the
devices don't exist). Changes to the entries here is all that is needed
to get it working.
(From OE-Core rev: 291940f12c319e74351ff97811919c8c03477c27)
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 217deeb43036d1a046d6c5ea2c1ccdb94d3d605a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If I am not mistaken, the only kernel recipe to have a new PACKAGECONFIG
option is linux-yocto-dev, in commit 1bac831fba
"linux-yocto-dev: introduce dt-validation PACKAGECONFIG".
Therefore, let's replace (kernel) by the one kernel recipe that has this
change.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 1882954924cef9f17caad0f83973afe08f4db764)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Plaintext/clear passwords are not supported anymore but hashed passwords
still are. Mention that in the migration guide and point to the
appropriate location of documentation.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: f8b9697ec7bcc188db5ce9e5067bc82c023b79d9)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
extlinks captions support using %s substitution but only from sphinx 4.0
onwards.
c.f. https://www.sphinx-doc.org/en/master/usage/extensions/extlinks.html#confval-extlinks
Weirdly enough, on older sphinx versions, the caption is just a prefix
to the actual text passed to the extlink. Therefore, in that specific
case, CVE- or CVE-%s are identical in meaning for sphinx >=4.0 and since
only CVE- caption works on sphinx <4.0, let's go with CVE- caption
prefix.
Fixes: b311070d866cf "manuals: add 3.4 and 3.4.1 release notes after migration information"
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: c9922076f5c1285d9cfd6aff8ce5b6635d88222f)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
XZ_THREADS and XZ_MEMLIMIT were introduced in dunfell.
[RP improved an original patch from Paul]
(From yocto-docs rev: 96defb66b775093b5270bd1ebad0461c2bba1e5b)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Generated from commits in the kirkstone branch, as well as a few entries
from the migration guide.
(Note that the "Repositories / Downloads" section still needs to be
filled in.)
(From yocto-docs rev: 0c66638e61d3e16ac8d4b7ebc4ec6fb35625bf4f)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Make some corrections to preliminary set of entries
* Move out entries that were more appropriate for the release notes
(i.e. that are more additions rather than changes that require the
user to make changes)
* Add new entries based on commits in the kirkstone branch
(From yocto-docs rev: bea2da80e7c5338dc5abefe95ce27b80ed4ee98a)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add this since the INCOMPATIBLE_LICENSE wildcard support has changed in
the 4.0 release.
(From yocto-docs rev: c7946863e5a9d62a49131b92cc9549da9b799bbd)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It seems prudent to point out that hard-coding passwords in the manner
detailed in the example is not a good idea in production. This type of
mistake has unfortunately been made by many device vendors (outside of
the Yocto Project context) leading to security vulnerabilities.
(From yocto-docs rev: 1d07dba9423ae0a841eccb58c297e31b63c3965d)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We missed noting this in 3.4 but I noticed the documentation was
recently updated, so note the removal.
(From yocto-docs rev: f661e62d6faf48dbb6c6fd9a61a6448ec339d2bf)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The switcher expects URL subpath to match the "release" used by sphinx
to build the documentation. Branches, however, are put in a subpath
after their name (e.g. dunfell) while sphinx sets the "release" to
X.Y.999. This means the switcher cannot replace correctly the path to
switch between releases/versions.
Let set_versions.py inject the list of release names into the
switchers.js.in file so it can check whether the subpath is one of the
release names in which case it needs to be stripped.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 5ef3d129b8d0d8ae98a694103930988a46285525)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This array only contains versions that can be selected through the
dropdown menu for switching between supported versions.
Therefore, let's rename it to switcher_versions to make its usecase
clearer.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 5c3d67751bf3f572a0788d3a4734b80e3453d084)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Branches are identified by their .999 version suffix which means they
will never be matched in the forloop above this git context. Therefore,
branches will match the condition. However, branches are not necessarily
obsolete (e.g. dunfell, honister and kirkstone today), so let's mark as
obsolete the branches which are from obsolete releases.
Old tags of currently supported releases are not defined as obsolete but
outdated, therefore using the series to which they belong like it is
done for branches is enough for obsolescence detection.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 7181a432da18b47608784363d243ea39b80be1ed)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
master branch of Bitbake is now located at docs.yoctoproject.org/dev
instead of docs.yoctoproject.org so let's update the switchers and
set_versions.py to reflect that change.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 18338292d99ed236e2bac6e73a5152ef11c4a9e5)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ourseries can be an active release and therefore shouldn't be marked as
obsolete. By adding ourseries to activereleases, it is impossible to
know if ourseries is actually an active release or not. Instead let's
loop on the active releases with ourseries too (only if it's not active
release, otherwise it'd appear twice).
Fixes: 6f40ef56054ec "docs: set_versions.py: add information about obsolescence of a release"
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: f16b633211b97b2cdf2c65d83c99cd3853d2bb5c)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
versions array is supposed to store the latest version of all active
releases. However, in the loop it is reassigned and therefore, the check
on whether our version is already in the versions array will always
return false (except for the latest version of the last active release)
and write our version again in the list.
By using a local variable for the logic instead of versions array, the
check now works properly.
Fixes: f2b069be8c307 "set_versions: Various improvements"
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 36a088c8c99dd37f5ca07ec8f90f2c51ef8b36f2)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
call, leading to a heap-based buffer over-read that might affect a system that
compiles untrusted Lua code.
https://nvd.nist.gov/vuln/detail/CVE-2022-28805
(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code
if netstat is used to print a DNS PTR record's value to a VT compatible
terminal. Alternatively, the attacker could choose to change the terminal's colors.
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
(From OE-Core rev: 3e17df4cd17c132dc7732ebd3d1c80c81c85bcc4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Based on additional information per release, specifically with the
obsolescence status of a release, the obsolescence detection can now be
much smarter than just checking if the release is older than dunfell.
This is required because with LTS (dunfell for example) releases, it is
now possible to have LTS releases that are older than obsolete releases.
This means obsolete releases need to be tracked and only the release
version cannot be used as an indicator of obsolescence.
Let's use the obsolete field of the per-release data in the all_versions
dictionary to display correct warning messages.
The warning message is first about outdated version if there's a newer
one available (*even* if it is for an obsolete release, e.g. 3.0.1 will
say it's outdated and should select 3.0.4 version instead), then if the
version is the last of the release, show a warning message if the
release is obsolete.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 6986baa0d3b544bbad8a7e23ee447abc6f2769f6)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This adds support for marking releases as obsolete to make the
detection algorithm smarter (in a later commit) than just checking if
it's older than dunfell.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 6f40ef56054ecbd3d8b7310d748c1af78a689add)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since commit f2b069be8c307 "set_versions: Various improvements", an
outdated version will always appear in all_versions, meaning there'll
always be an exact match in the loop (just above the git context of this
patch) so there's no need to add the current_version to the dropdown
menu manually.
This issue showed up only for outdated versions of obsolete releases,
e.g. 3.2.3. In that case, 3.2.4 (latest version of the obsolete release)
will appear in the all_versions array in addition to 3.2.3, which means
the check on release series (3.2) will be matched twice, and 3.2.3 will
be printed once in the 3.2.4 loop because version != current_version and
once in the 3.2.3 because it is an exact match to an entry in
all_versions.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 05065fa1f3855e8b7d9e8af0502b4ae402273400)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes a fix for CVE-2022-24765
(From OE-Core rev: a17dc42d82b12d7f891c903a02a0302b31829c88)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some of the flags listed here do change the output and hence do need to
be included in task checksums.
This means we start including the following flags in function/task/variable
checksums:
type, func, export, unexport, noexec, dirs, cleandirs
(From OE-Core rev: 54e8b744bb7e7aa03277a42b0c5cf707440f8b8a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
