75643 Commits

Author SHA1 Message Date
Peter Marko
6e462f0df2 glib-2.0: patch CVE-2025-14087
Pick commits from [1] linked from [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4933
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3834

(From OE-Core rev: f477d209a56a4f382636d49fd5cfba3e8169f7f0)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:45:38 +00:00
Peter Marko
d77b73fd3f glib-2.0: patch CVE-2025-13601
Pick commits from [1] per [2].

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-13601

(From OE-Core rev: 5744d66b8f2f0ee8ed963bb3e6d93a9a167070e3)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:45:38 +00:00
Peter Marko
47124f2fda qemu: ignore CVE-2025-54566 and CVE-2025-54567
These CVEs are not applicable to version 8.2.x as the vulnerable code
was introduced only in 10.0.0.

Debian made the analysis, reuse their work.
* https://security-tracker.debian.org/tracker/CVE-2025-54566
* https://security-tracker.debian.org/tracker/CVE-2025-54567

(From OE-Core rev: 77533b3dbd9cb82d6fad3c3d07872913a2991627)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:45:38 +00:00
Peter Marko
6152ee6778 util-linux: patch CVE-2025-14104
Pick patches per [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-14104

(From OE-Core rev: 0dee49ec49c341235863ec75fc80619e70dfd836)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:45:38 +00:00
Peter Marko
2104407814 python3: patch CVE-2025-13836
Pick commit from branch 3.12 mentioned in [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-13836

(From OE-Core rev: 05aa143fb5f63de0f53e916daa3392917da46131)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:45:38 +00:00
Peter Marko
5ae239f8ea python3: patch CVE-2025-12084
Pick patch from 3.12 branch according to [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-12084

(From OE-Core rev: c3ed0dfa3a7b8716008968b0d7f80885b2f61a84)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:45:38 +00:00
Antonin Godard
8c2c3b114e contributor-guide/recipe-style-guide.rst: explain difference between layer and recipe license(s)
Explain that the LICENSE set in a recipe does not apply to the recipe
file itself, but to the underlying software. The license of the recipe
file is the license provided in the layer itself. Give OpenEmbedded-Core
as an example for this.

Fixes [YOCTO #14410]

(From yocto-docs rev: 9d586f22b04528a12e71ee4fa794d8130320515b)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b8a56b8b2e8c0417b2f7204f80c79b05d95e9ce4)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:31 +00:00
Antonin Godard
f82d22f0ca ref-manual/variables.rst: document the CCACHE_TOP_DIR variable
Added by commit 35d7fe73bba1 ("ccache.bbclass: Make it can be shared
between different builds") in OE-Core.

Fixes [YOCTO #16052]

(From yocto-docs rev: 32818c927bde8014e855b10b1d78d3f09beec024)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 550ef8340b550f8d4e9c3d0672190dc09592c621)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:31 +00:00
Antonin Godard
c8e301569e overview-manual: convert YP-flow-diagram.png to SVG
Based on diagrams/poky-buildprocess/Pokyarch_diag.svg, replace the PNG
graphic for the YP flow to an SVG graphic.

(From yocto-docs rev: ae424ae6d382b83312fa401122bb81e6ad49cf73)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d2aaf54bee49295bdf81021648cb27499930edc6)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:31 +00:00
Antonin Godard
0cd11a8cd4 overview-manual/yp-intro.rst: fix SDK type in bullet list
The YP generates an SDK by default, which can be meta-toolchain, an
image-specific one, or an extensible SDK (eSDK). Don't be specific in
this bullet list.

(From yocto-docs rev: 0f4df623bff6c3c46b4649b8237dd0e417e0f86f)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f02c64286504353e97c7e5fe5c0d193776469ad1)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:31 +00:00
Antonin Godard
0da3cd0ae6 ref-manual/release-process.rst: add a "Development Cycle" section
Add a new section to release-process.rst to document the development
cycle of each release and namely the milestones and feature freeze
occurring after M3.

Fixes [YOCTO #15979]

(From yocto-docs rev: 1cc5321c162ce36079d661ea1d35c2694c20ed9b)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 77c04cc5944acda7575546a7434e014e4a75ba58)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:31 +00:00
Antonin Godard
41ab4d1168 test-manual/ptest.rst: detail the exit code and output requirements
A ptest must emit at least one test result on the console, as this is
required by the testimage class (which ignores the exit code).
ptest-runner, on the other hand, ignores the output and only cares about
the exit code.

Add these two items as requirements for a ptest to be valid.

Fixes [YOCTO #15832]

Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
(From yocto-docs rev: 35ee82bca41b83b39131cfa88ddbb2d472418d00)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9292f61d7ba89598c89033ea7ee3b11a20d873f3)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:31 +00:00
Antonin Godard
71615e330c ref-manual/classes.rst: document the image-container class
Add documentation for the image-container class, which is a simple class
to generate an image suitable for creating a container.

This answers in part to questions asked in [YOCTO #14368].

It also adds documentation for IMAGE_CONTAINER_NO_DUMMY, which was added
in OE-Core with commit f0645e172bb8 ("image-container.bbclass: Error if
not using linux-dummy").

Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 85fb6e4a964ea2dea9c3083ba2c4ceb336f34b1a)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 6ce00e5875eb3469fefd55cc22acaaeaf620053a)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Antonin Godard
9b6d0d6e5a Add a new "Security" section
The current security-related documentation is a bit hard to find and
hidden within the development manual. However these are processes that
are not part of a development task but is rather a vulnerability
reporting process.

Create a new "Security" section in the documentation to gather this
information. This will be directly visible in the sidebar when opening
the documentation.

Split the previous security-subjects.rst document into 2 documents:

- security-team.rst: defines the roles of the security teams and its
  members.

- reporting-vulnerabilities.rst: guide to report vulnerabilities to the
  security team.

The plan is to backport these documents to active releases. As a
consequence, this section should be free of instructions and information
that only make sense for a specific release. It should _not_ contain
documents on how to enable security features with Yocto on target
devices, this is unrelated and can be left in the development manual
(for example: dev-manual/vulnerabilities.rst to deal with CVEs).

(From yocto-docs rev: 80556704f8b60b5bf903da497909cfda7dd1b28b)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 81e14ca2d5cff9e2104c556655144b069633790c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Antonin Godard
495e1c2ed0 Makefile: fix rsvg-convert --format capitalization
On some versions of rsvg-convert, capitalized formats are unknown.

For example on CentOS Stream 9:

  $ rsvg-convert --format=Png --output=ref-manual/svg/releases.png ref-manual/svg/releases.svg
  Unknown output format.

While the same command with "png" runs fine.

On Ubuntu 22.04, both are accepted.

Switch to the un-capitalized options, compatible with all versions.

Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 8e3e562179d47553268970f49a98817abfb32df6)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit cb60df269ef6329372f2676ab705134bbf2490eb)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Antonin Godard
d4eb015d2b contributor-guide/submit-changes.rst: remove mention of Upstream-Status
The Upstream-Status tag is not used for patches sent on mailing lists,
but for patches to be applied to recipes. To avoid confusion in this
Contributor Guide, remove the mention of this tag as part of the
Patchtest examples as it can be misinterpreted as something to include
in a regular patch.

Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: fe77998ea1ee29e162feaf32b46a0dc0a375b548)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 23098728b57520d1d8e417500009279226ce8080)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Antonin Godard
f6f1819f02 ref-manual/svg/releases.svg: mark whinlatter as current release
Whinlatter is the new current Yocto Project release, mark it as an
active one. Move it as released in December 2025.

(From yocto-docs rev: b0ae6483dd916eea3d144466e597a8e86187d9f7)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 6f8e97c6e529f3c47f45f34d9e04e3ad7bddd587)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Antonin Godard
a87dd6bce4 ref-manual/svg/releases.svg: mark styhead and walnascar EOL
Walnascar has stopped being updated a while ago, and Styhead is EOL
since May 2025.

Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 71b03c21dc9d8a9fd0b5cc92808a7944f6c7fe28)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 834de77b543de43ee3c1c12ca1d6277e67e126de)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Antonin Godard
f4ef261ff1 overview-manual/yp-intro.rst: link to YP members and participants
Instead of a fixed list of commercial vendors, link to existing lists on
the YP website.

Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(From yocto-docs rev: 924405ec43c8edc941200c281b20beac99098d13)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9d394db4f88b66500e4d5a2a518d25f08a0c9472)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Antonin Godard
47d5eff3e1 overview-manual/yp-intro.rst: change removed ECOSYSTEM to ABOUT
The ABOUT tab is where the members/participants are listed now.

Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(From yocto-docs rev: c1d32e61bf3c5518a9e4f1da5b25369e1b15b983)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a8a8d810f0505529aaaa90678e03152c8ac0c00b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Antonin Godard
8c85aee61c dev-manual/temporary-source-code.rst: fix definition of WORKDIR
Fix the definition of WORKDIR to match OE-Core.
Rename the Source Directory to "project" as part of the transition to
bitbake-setup and the removal of Poky as in "the Poky repository".

Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(From yocto-docs rev: c1db422b9cba0bc475295bf1c2d72bcb2a6beed9)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9cb0e8a94590563491e210b403519ccfbde866e9)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Lee Chee Yang
2935492192 migration-guides: add release notes for 5.0.14
(From yocto-docs rev: d316352e3b695d213535d7f43811ba40c7a63756)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 79e597aa45c4b171c8340d48803fa9987926851e)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00
Steve Sakoman
72983ac391 build-appliance-image: Update to scarthgap head revision
(From OE-Core rev: 6988157ad983978ffd6b12bcefedd4deaffdbbd1)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
yocto-5.0.15 scarthgap-5.0.15
2026-01-02 07:00:05 -08:00
Steve Sakoman
828c9d09b4 poky.conf: bump version for 5.0.15
(From meta-yocto rev: 9bb6e6e8b016a0c9dfe290369a6ed91ef4020535)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Vijay Anusuri
795103a538 go: Fix CVE-2025-61729
Upstream-Status: Backport from 3a842bd5c6

(From OE-Core rev: 2d6d68e46a430a1dbba7bd8b7d37ff56f4f5a0e6)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Vijay Anusuri
d3c87dc830 go: Fix CVE-2025-61727
Upstream-Status: Backport from 04db77a423

(From OE-Core rev: 647e151485bd10a8bbbdbae4825791723c9a5d8e)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Vijay Anusuri
a5cecb013b go: Update CVE-2025-58187
Upstream-Status: Backport from ca6a5545ba

(From OE-Core rev: 2d6b089de3ef5e062d852eb93e3ff16997e796ef)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Changqing Li
a4841fb5a2 libsoup: fix CVE-2025-12105
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/481

(From OE-Core rev: 1ac9ad3faf022684ae709f4494a430aee5fb9906)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Jiaying Song
17a65b334d grub: fix CVE-2025-54770 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-54770
https://nvd.nist.gov/vuln/detail/CVE-2025-61661
https://nvd.nist.gov/vuln/detail/CVE-2025-61662
https://nvd.nist.gov/vuln/detail/CVE-2025-61663
https://nvd.nist.gov/vuln/detail/CVE-2025-61664

(From OE-Core rev: c28fa3e6421257f50d4ae283cca28fadb621f831)

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-02 06:56:54 -08:00
Martin Jansa
52ba7ab020 cross.bbclass: Propagate dependencies to outhash
Similar to what native and staging is doing since:
https://git.openembedded.org/openembedded-core/commit/meta/classes/native.bbclass?id=d6c7b9f4f0e61fa6546d3644e27abe3e96f597e2
https://git.openembedded.org/openembedded-core/commit/meta/classes/staging.bbclass?id=1cf62882bbac543960e4815d117ffce0e53bda07

Cross task outputs can call native dependencies and even when cross
recipe output doesn't change it might produce different results when
the called native dependency is changed, e.g. clang-cross-${TARGET_ARCH}
contains symlink to clang binary from clang-native, but when clang-native
outhash is changed, clang-cross-${TARGET_ARCH} will still be considered
equivalent and target recipes aren't rebuilt with new clang binary, see
work around in https://github.com/kraj/meta-clang/pull/1140 to make target
recipes to depend directly not only on clang-cross-${TARGET_ARCH} but
clang-native as well.

I have added a small testcase in meta-selftest which demonstrates this issue.
Not included in this change, but will send it if useful.

openembedded-core $ ls -1 meta-selftest/recipes-devtools/hashequiv-test/
print-datetime-link-cross.bb
print-datetime-link-native.bb
print-datetime-native.bb
print-datetime-usecross.bb
print-datetime-usenative.bb

print-datetime-native provides script which prints defined PRINT_DATETIME variable.

print-datetime-link-native and print-datetime-link-cross both provide a symlink to
the script from print-datetime-native.

print-datetime-usenative and print-datetime-usecross are target recipes using the
native and cross versions of print-datetime-link-* recipe.

  # clean build all is rebuilt:
  $ bitbake -k print-datetime-usenative print-datetime-usecross
  WARNING: print-datetime-native-1.0-r0 do_install: print-datetime-native current DATETIME in script is 2025-11-13_20_05
  WARNING: print-datetime-link-native-1.0-r0 do_install: print-datetime-link-native current DATETIME in symlink is 2025-11-13_20_05
  WARNING: print-datetime-link-cross-x86_64-1.0-r0 do_install: print-datetime-link-cross-x86_64 current DATETIME in symlink is 2025-11-13_20_05
  WARNING: print-datetime-usenative-1.0-r0 do_install: print-datetime-usenative current DATETIME from print-datetime-link is 2025-11-13_20_05
  WARNING: print-datetime-usecross-1.0-r0 do_install: print-datetime-usecross current DATETIME from print-datetime-link is 2025-11-13_20_05

  # keep sstate-cache and hashserv.db:
  # print-datetime-usenative is correctly rebuilt, because print-datetime-link-native has different hash (because print-datetime-native hash changed)
  # print-datetime-usecross wasn't rebuilt, because print-datetime-link-cross-x86_64 doesn't include the changed hash of print-datetime-native
  $ bitbake -k print-datetime-usenative print-datetime-usecross
  WARNING: print-datetime-native-1.0-r0 do_install: print-datetime-native current DATETIME in script is 2025-11-13_20_07
  WARNING: print-datetime-link-native-1.0-r0 do_install: print-datetime-link-native current DATETIME in symlink is 2025-11-13_20_07
  WARNING: print-datetime-link-cross-x86_64-1.0-r0 do_install: print-datetime-link-cross-x86_64 current DATETIME in symlink is 2025-11-13_20_07
  WARNING: print-datetime-usenative-1.0-r0 do_install: print-datetime-usenative current DATETIME from print-datetime-link is 2025-11-13_20_07

It's because print-datetime-link-cross-x86_64 depsig doesn't include print-datetime-native signature:

$ cat tmp/work/x86_64-linux/print-datetime-link-cross-x86_64/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
SSTATE_PKGSPEC=sstate:print-datetime-link-cross-x86_64:x86_64-oe-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx                                                                                       .
drwx                                                                                       ./recipe-sysroot-native
drwx                                                                                       ./recipe-sysroot-native/sysroot-providers
-rw-                   32 19fbeb373f781c2504453c1ca04dab018a7bc8388c87f4bbc59589df31523d07 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-cross-x86_64
drwx                                                                                       ./recipe-sysroot-native/usr
drwx                                                                                       ./recipe-sysroot-native/usr/bin
drwx                                                                                       ./recipe-sysroot-native/usr/bin/x86_64-oe-linux
lrwx                                                                                       ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime

While print-datetime-link-native doesn't have this issue, because print-datetime-native signature is there:

$ cat tmp/work/x86_64-linux/print-datetime-link-native/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
print-datetime-native: 60f2734a63d708489570ca719413b4662f8368abc9f4760a279a0a5481e4a17b
quilt-native: 65d78a7a5b5cbbf0969798efe558ca28e7ef058f4232fcff266912d16f67a8b8
SSTATE_PKGSPEC=sstate:print-datetime-link-native:x86_64-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx                                                                                       .
drwx                                                                                       ./recipe-sysroot-native
drwx                                                                                       ./recipe-sysroot-native/sysroot-providers
-rw-                   26 3d5458be834b2d0e4c65466b9b877d6028ae2210a56399284a23144818666f10 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-native
drwx                                                                                       ./recipe-sysroot-native/usr
drwx                                                                                       ./recipe-sysroot-native/usr/bin
lrwx                                                                                       ./recipe-sysroot-native/usr/bin/print-datetime-link -> print-datetime

With the cross.bbclass fix the link-cross recipe has a checksum from native recipe as well:

$ cat tmp/work/x86_64-linux/print-datetime-link-cross-x86_64/1.0/temp/depsig.do_populate_sysroot
OEOuthashBasic
18
print-datetime-native: 9ceb6c27342eae6b8da86c84685af38fb8927ccc19979aae75b8b1e444b11c5c
quilt-native: 65d78a7a5b5cbbf0969798efe558ca28e7ef058f4232fcff266912d16f67a8b8
SSTATE_PKGSPEC=sstate:print-datetime-link-cross-x86_64:x86_64-oe-linux:1.0:r0:x86_64:14:
task=populate_sysroot
drwx                                                                                       .
drwx                                                                                       ./recipe-sysroot-native
drwx                                                                                       ./recipe-sysroot-native/sysroot-providers
-rw-                   32 19fbeb373f781c2504453c1ca04dab018a7bc8388c87f4bbc59589df31523d07 ./recipe-sysroot-native/sysroot-providers/print-datetime-link-cross-x86_64
drwx                                                                                       ./recipe-sysroot-native/usr
drwx                                                                                       ./recipe-sysroot-native/usr/bin
drwx                                                                                       ./recipe-sysroot-native/usr/bin/x86_64-oe-linux
lrwx                                                                                       ./recipe-sysroot-native/usr/bin/x86_64-oe-linux/print-datetime-link -> ../print-datetime

And print-datetime-usecross is correctly rebuilt whenever print-datetime-native output is different.

(From OE-Core rev: dccb7a185fe58a97f33e219b4db283ff4a2071d7)

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Moritz Haase
d792f1a83e curl: Use host CA bundle by default for native(sdk) builds
Fixes YOCTO #16077

Commit 0f98fecd (a backport of 4909a46e) broke HTTPS downloads in opkg in the
SDK, they now fail with:

> SSL certificate problem: self-signed certificate in certificate chain

The root cause is a difference in the handling of related env vars between
curl-cli and libcurl. The CLI will honour CURL_CA_BUNDLE and SSL_CERT_DIR|FILE
(see [0]). Those are set in the SDK via env setup scripts like [1], so curl
continued to work. The library however does not handle those env vars. Thus,
unless the program utilizing libcurl has implemented a similar mechanism itself
and configures libcurl accordingly via the API (like for example Git in [2] and
[3]), there will be no default CA bundle configured to verify certificates
against.

Opkg only supports setting the CA bundle path via config options 'ssl_ca_file'
and 'ssl_ca_path'. Upstreaming and then backporting a patch to add env var
support is not a feasible short-time fix for the issue at hand. Instead it's
better to ship libcurl in the SDK with a sensible built-in default - which also
helps any other libcurl users.

This patch is based on a proposal by Peter.Marko@siemens.com in the related
mailing list discussion at [4].

(cherry picked from commit 3f819f57aa1960af36ac0448106d1dce7f38c050)

[0]: 400fffa90f/src/tool_operate.c (L2056-L2084)
[1]: https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/curl/curl/environment.d-curl.sh?id=3a15ca2a784539098e95a3a06dec7c39f23db985
[2]: 6ab38b7e9c/http.c (L1389)
[3]: 6ab38b7e9c/http.c (L1108-L1109)
[4]: https://lists.openembedded.org/g/openembedded-core/topic/115993530#msg226751

(From OE-Core rev: 0e553b685c0a987a7be1eee16b7b5e3e48a036e2)

Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
CC: matthias.schiffer@ew.tq-group.com
CC: Peter.Marko@siemens.com
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Enrico Jörns
1df6f0ae91 cml1.bbclass: use consistent make flags for menuconfig
The class called 'make menuconfig' without any of the make variables and
options set in EXTRA_OEMAKE, resulting in a quite different build
environment than actually intended.

For the kernel.bbclass this was fixed in commit 8c616bc0 ("kernel: Use
consistent make flags for menuconfig") by appending ${EXTRA_OEMAKE} to
KCONFIG_CONFIG_COMMAND.

Instead of fixing this individually for additional recipes, we simply
include ${EXTRA_OEMAKE} in KCONFIG_CONFIG_COMMAND by default.

For most class users, this change is directly visible in the generated
.config file:

* For barebox and u-boot, the CONFIG_GCC_VERSION erroneously reflected
  the host GCC version before where it now correctly reflects the target
  toolchain's GCC.

* For u-boot, also the "Compiler: " line at the beginning of the .config
  now prints the target toolchain instead of the host ones.

* The kernel had this already set.

* busybox did not produce any difference.

Note that these projects might base some compile-time decisions on e.g.
the actual compiler version used. Having the wrong one in the
menuconfig-generated .config affects at least the visibility and
consistency.

Reported-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
(From OE-Core rev: a7dd1c221e42fd8df1d6f1c76c6a5ab7a3e19542)

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1b6ddd452837e67b500a84455a234f5edc8250a9)
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Kamel Bouhara (Schneider Electric)
12a7475659 oeqa/selftest: oe-selftest: Add SPDX tests for kernel config and PACKAGECONFIG
Add test_kernel_config_spdx and test_packageconfig_spdx to verify
SPDX document generation includes kernel configuration and package
feature metadata when enabled.

(From OE-Core rev: a172a0e8d543796ee78bb66650726168352f1cdf)

Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2f0ab110d7521510c60e0493ef3cb021130758cd)
Signed-off-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Kamel Bouhara (Schneider Electric)
707dce4f01 spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX
Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes
PACKAGECONFIG features to be recorded in the SPDX document as build parameters.

Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG:<feature>
and value enabled or disabled, depending on whether the feature is active in
the current build.

This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking.

This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking. In particular, it allows consumers of the
SBOM to identify enabled/disabled features that may affect security posture
or feature set.

Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
(From OE-Core rev: 5cfd0690f819379d9f97c86d2078c3e529efe385)

Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7ec61ac40345a5c0ef1ce20513a4596989c91ef4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Kamel Bouhara (Schneider Electric)
6d222750d5 kernel.bbclass: Add task to export kernel configuration to SPDX
Introduce a new bitbake task do_create_kernel_config_spdx that extracts
the kernel configuration from ${B}/.config and exports it into the
recipe's SPDX document as a separate build_Build object.

The kernel config parameters are stored as SPDX DictionaryEntry objects
and linked to the main kernel build using an ancestorOf relationship.

This enables the kernel build's configuration to be explicitly captured
in the SPDX document for compliance, auditing, and reproducibility.

The task is gated by SPDX_INCLUDE_KERNEL_CONFIG (default = "0").

Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
(From OE-Core rev: 1fff29a0428778929ffa530482ebf7db95f1e0ae)

Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 228a968e7c47d811c06143279bdb0f9c5f374bef)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Aleksandar Nikolic
f327b4da74 scripts/install-buildtools: Update to 5.0.14
Update to the 5.0.14 release of the 5.0 series for buildtools

(From OE-Core rev: 4c85440cd95d9cd007ef4346ecc9580806526c96)

Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Mingli Yu
4faff2acb8 ruby: Upgrade 3.3.5 -> 3.3.10
Per ruby maintenance policy [1], the 3.3.x branch should be still in normal
maintenance, so upgrade to the latest version 3.3.10 to fix many security
issues and bugs.

Remove the fix for CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221 as
these fixes have been included in the new version.

[1] https://www.ruby-lang.org/en/downloads/branches/

(From OE-Core rev: bad372ad8ec33334c6a74c077bf975851c1e59d2)

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Mingli Yu
fee180d783 libxslt: Fix CVE-2025-11731
Backport the patch [1] to fix CVE-2025-11731.

[1] fe508f201e

(From OE-Core rev: e70c70e0359418197699f18c9e2cbfd7ebac705d)

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Yash Shinde
d27f4a8879 binutils: fix CVE-2025-11840
CVE-2025-11840

PR 33455
[BUG] A SEGV in vfinfo at ldmisc.c:527
A reloc howto set up with EMPTY_HOWTO has a NULL name.  More than one
place emitting diagnostics assumes a reloc howto won't have a NULL
name.

https://sourceware.org/bugzilla/show_bug.cgi?id=33455

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f6b0f53a36820da91eadfa9f466c22f92e4256e0]

(From OE-Core rev: d477a67f623da424c3165bde25d76152636b1f50)

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Yash Shinde
a247883e38 binutils: fix CVE-2025-11839
CVE-2025-11839

PR 33448
[BUG] Aborted in tg_tag_type at prdbg.c:2452
Remove call to abort in the DGB debug format printing code, thus allowing
the display of a fuzzed input file to complete without triggering an abort.

https://sourceware.org/bugzilla/show_bug.cgi?id=33448

Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=12ef7d5b7b02d0023db645d86eb9d0797bc747fe]

(From OE-Core rev: d60c144e082d6e6db4f9971bb886751199cd433f)

Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Deepesh Varatharajan
c65b128458 binutils: Fix CVE-2025-11494
Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
.eh_frame section is non-empty.

Backport a patch from upstream to fix CVE-2025-11494
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]

(From OE-Core rev: e087881bece2884f8d1a3c6d0dd7d69b40eb6732)

Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Daniel Turull
de3a6b0d24 cmake-native: fix CVE-2025-9301
Add fix for native recipe, since previous commit for cmake missed it.
5d8a6fb52c cmake: fix CVE-2025-9301

CC: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
CC: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: 24f831be7d99d5ea3fe304b9aa2d82e7e2d4a5fa)

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Jiaying Song
b9843e68be python3-urllib3: fix CVE-2025-66418 CVE-2025-66471
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-66418
https://nvd.nist.gov/vuln/detail/CVE-2025-66471

(From OE-Core rev: d9f52c5f86bcc4716e384fe5c01c03d386d60446)

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Kai Kang
67ac024a29 qemu: fix CVE-2025-12464
Backport patch to fix CVE-2025-12464 for qemu.

Reference: https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d7

(From OE-Core rev: c3108b279bd5c49a3c0ea35880fe7fd4f5b75b96)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Adarsh Jagadish Kamini
997f8de24c rsync: fix CVE-2025-10158
Fix an out-of-bounds read triggered by a malicious rsync client
acting as a receiver. The issue can be exploited with read access
to an rsync module.

CVE: CVE-2025-10158

(From OE-Core rev: 110933506d7a1177d1a074866d08fe0b0da612d7)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Deepak Rathore
85e5f0fa1e cups 2.4.11: Fix CVE-2025-61915
Upstream Repository: https://github.com/OpenPrinting/cups.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-61915
Type: Security Fix
CVE: CVE-2025-61915
Score: 6.7
Patch: https://github.com/OpenPrinting/cups/commit/db8d560262c2

(From OE-Core rev: ca252aac4e50b7ed8864bf7482a86fe7129e737e)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Deepak Rathore
15a18fae40 cups 2.4.11: Fix CVE-2025-58436
Upstream Repository: https://github.com/OpenPrinting/cups.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58436
Type: Security Fix
CVE: CVE-2025-58436
Score: 5.5
Patch: https://github.com/OpenPrinting/cups/commit/5d414f1f91bd

(From OE-Core rev: 6a721aad5f531ac74996386cbaaa0173c2c5001a)

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-31 07:49:31 -08:00
Peter Marko
553530a8ac Revert "lib/oe/go: document map_arch, and raise an error on unknown architecture"
This reverts commit e6de433ccb2784581d6c775cce97f414ef9334b1.

This introduced a breaking change which is not suitable for backport to
stable LTS branches.

(From OE-Core rev: 2b3d2b671a149cbeea2bdc9ba42192da2015c3b7)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-17 08:48:38 -08:00
Vijay Anusuri
719a5fe1e3 libssh2: fix regression in KEX method validation (GH-1553)
Resolves: https://github.com/libssh2/libssh2/issues/1553

Regression caused by
00e2a07e82

Backport fix
4beed72458

(From OE-Core rev: c348296ff0181921e8aa5a16d8d90db75f7b3e7c)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-17 08:48:38 -08:00
Vijay Anusuri
76d0c749da libssh2: upgrade 1.11.0 -> 1.11.1
Changelog: https://github.com/libssh2/libssh2/releases/tag/libssh2-1.11.1

Dropped CVE-2023-48795.patch which is already included in version 1.11.1

Resolves: https://github.com/libssh2/libssh2/issues/1326

License-Update: Copyright symbols were changed from (C) to lowercase (c)

ptest results:

root@qemux86-64:~# ptest-runner libssh2
START: ptest-runner
2025-12-08T12:37
BEGIN: /usr/lib/libssh2/ptest
PASS: mansyntax.sh
PASS: test_simple
PASS: test_sshd.test
DURATION: 6
END: /usr/lib/libssh2/ptest
2025-12-08T12:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0

(From OE-Core rev: 71316433eb018e831d72a873365aa53ed04f14f4)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-12-17 08:48:38 -08:00