Use cpio --no-absolute-filenames when unpacking RPM and SRPM archives so
absolute paths and parent-directory components in cpio member names are
extracted relative to the intended unpack directory.
(Bitbake rev: 37beb06ba9329cd16976273efbb341f781d4e749)
Signed-off-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1b1a71586aa93678c1d9ca40ef2c6fa518f89356)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
BB_GIT_SHALLOW_EXTRA_REFS can include wildcard entries. Matching refs
advertised by the remote are later passed to git fetch and update-ref
while creating shallow tarballs.
Quote the generated command arguments and pass the fetched ref after --
so shell metacharacters and option-like ref names are not interpreted as
command syntax or git fetch options.
(Bitbake rev: 6d3f8bd4ddc955b49eaa124e0724ea589da30646)
Signed-off-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9a06f79d9ec767c9d95470be78b006d6fd0d59c)
[YC: Only the quote part of the master patch applies.
The "--" part does not. This part is handled by bin/git-make-shallow
which only pass arguments to git rev-list and rev-parse through arrays]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The striplevel URL parameter is appended to tar_cmd, which is later run
through the shell. Validate it as a decimal count before using it in the
tar arguments.
(Bitbake rev: 3a8937cc4b6513f9ed54fee0b0347589a892c8d7)
Signed-off-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 934fe718bfe29c7ec921e6b598d81ec2ebe8f7c7)
[YC: Removed the striplevel="1\n" subtest case. The URL-decoding regex
in decodeurl uses `.*` without `re.DOTALL`, causing literal newlines in
parameters to be silently truncated during parsing.]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The deb/ipk unpack path selects a data archive member from 'ar -t'
output and then passes that member name to a shell command. Previously,
any member beginning with data.tar. was selected.
Only select known deb/ipk data archive member names when datafile is
created. Quote the package path used in the shell command as it can come
from the local fetch path.
Add local fetcher regression coverage for quoted package filenames,
valid compressed data members, and unsupported or unsafe data member
names.
(Bitbake rev: a32064d0f10b9f5a163a25f410a4e39dccf9cb93)
Signed-off-by: Anders Heimer <anders.heimer@est.tech>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 73ae3a2447ec93df39bc66cf3d8f9b2ea1bfe3bf)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Correct "maintainance" typo in recipe-style-guide.rst.
(From yocto-docs rev: f39ba5141cd518f08d491b2255a4acd74442e87b)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d7376cca64a0784e59d4fd60b9baefb4da2ce289)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
As with "setup" versus "set up", the pedants at grammarist.com explain
that "checkout" is used as a noun or adjective, while the
corresponding verb is two words, "check out."
https://grammarist.com/spelling/checkout-check-out/
(From yocto-docs rev: 85852e0a1e5ddf034cff979329591af786967beb)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 1d5f0fea4e150be0ef9b10d5733eeaba06c78e6f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Tweaks:
- Update "Software Overview" link to go to "Technical Overview"
- use proper capitalization for "Git" when referring to the product
- numerous grammar adjustments to basic skills list
(From yocto-docs rev: 9b440c5116828f131a304b77f5da8c98c0d27c62)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit ffd69f11172c2b0d8f52bd967c7983220d133e0d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Tweaks:
- grammer adjustments
- hyphenation
- monospace font for layer and file names
(From yocto-docs rev: 8e98a7264bf9d0d975b5c8fb2062ed907273ff5c)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 801f719458d0d9670debad4ddc379e3ade4d85f9)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Delete inconsistent periods in software versions list so it doesn't
look weird.
(From yocto-docs rev: a106dea889259a872fdbe69215fe4de740bc49f4)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 94ebe744d0e95672456b8157daf0ffba333397bd)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
When referring to buildbot, add a link to its home page.
(From yocto-docs rev: 40b6f86daea61e545d94e92b8eed11c8038573ad)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 7a9247175e1afc74371708d4bad629941477eb57)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
There seems to be be little value in continuing to point readers to
two references, one almost a decade old, the other almost 15 years
old, especially in the middle of a guide that ostensibly is part of
the introductory material.
(From yocto-docs rev: eb92a7cc3fe7772f202e9955974d79b359a257d7)
Signed-off-by: Robert P. J. Day <robday@acresecurity.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 5b4ffc020a9b0c7a877c119058cd43a51f91687f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Fix the title and link so it goes directly to the
Technical Overview.
(From yocto-docs rev: 1ba3a389b47188b6c664ae3a0bee7ca70e462650)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 0143b586572e15cac438f0fa6f3c1e7446597020)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Two of the tests were still using git protocol to access git services.
For the submodule test, the upstream repo has been updated.
In the other case, we need to pass the correct command to the manual
git commandline, we can't use a recipe url that previously just happened
to work.
(Bitbake rev: 82abbfcdbda949851a03bb2cb2049ea689564ad6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5d722b5d65e4eef7befe6376983385421e993f86)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
We create a temporary directory for holding a clone but we never clean it
up. Fix this by using a context manager areound the temporary directory.
This resolves a buildup of tmp directories in DL_DIR in builds.
(Bitbake rev: 1a62878a790ed9630d5ca2fa099d1604540e153a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Fixes [YOCTO #16265]
The glibc recipe is supposed to be building with
--enable-stack-protector=strong, but some CACHED_CONFIGVARS values are
actually breaking this, causing glibc to be built with no stack
protector at all.
Remove these CACHED_CONFIGVARS values so that stack protector support is
detected properly in do_configure and then enabled properly during
do_compile.
Full details are here:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=16265
(From OE-Core rev: 7952d214393b6c5230ba115f63b6f6d245a728bc)
Signed-off-by: Ivan Nestlerode <ivan.nestlerode@sonos.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 43f0602ede37428f3c35cf665bba934b84355240)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This stops 'devtool modify foo' from failing with an error message like
ERROR: Execution of 'git -c user.name=\"OpenEmbedded\" -c
user.email=\"oe.patch@oe\" commit -q -m "Initial commit from upstream at
version 1.90.0"' failed with exit code 128:
error: cannot run ssh-keygen: No such file or directory
error:
fatal: failed to write commit object
when GPG signing is enabled in the git configuration.
(cherry picked from commit b5c84b07b87eafb4f68f7662b6cf26d8b73e3247)
(From OE-Core rev: bbe0df71933174d8becc52184cd235277f10a141)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This removes rust uutils coreutils CVEs from reports.
Comparing sbom-cve-check shows that only
CVE-2026-35338..CVE-2026-35381 are removed and all of them contained
reference to uutils.
(From OE-Core rev: 348391ccf91ac474252f75a5679fc42505faa54d)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 5c39687f62e5864ea783cbed497c2eb5387dcf96)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
[ Upstream commit 42b530581f7246b3143ee50e3c6f981dcbb1dc74 ]
Grub would report an error message in boot stage as below:
"error: no such device: ((hd0,gpt1)/EFI/BOOT)/EFI/BOOT/grub.cfg"
Consequently, the root variable is not set, and the intended protection
against cross-device configuration loading (the purpose of the original 2014 commit)
is lost.
The most robust fix is to use the --hint parameter.
This separates the search target from the device hint, avoiding
fragile string concatenation and supporting both prefixed and
non-prefixed $cmdpath formats.
Fixes: 5ce73b6055ac ("grub: add cmdpath to grub configuration file")
(From OE-Core rev: 2f509e353e2fc04923fc742312c81ed69b419643)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The code defines a custom 'bool' type (as an 'int'), which is incompatible
with C23 in which bool is a keyword, and trying to use <stdbool.h> fails
because 'int' and 'bool' are used interchangeably in the code.
Add the flag to CC variable, since CFLAGS is used by both c and c++ compilers
and clang++ is less forgiving when C compiler only option is used on its
cmdline so it complains about -std=gnu17 and bails out.
(From OE-Core rev: 0647201fb4729be3b10b3da2b19645c59147b40a)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 49657089ef215824f8f79a81deb7baf4f27d0030)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
- Keep both the older deprecated debian:apt alias and the active
debian:advanced_package_tool identity in CVE_PRODUCT.
- This preserves completeness and avoids missing CVEs in case older
aliases are still used in NVD records.
(From OE-Core rev: 28d3ab81b9386bda16e196ed2934967843413186)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4c777220ee5740b800f4128da79c24f7e42c7b88)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
[FT: Rebase onto scarthgap-next]
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
According to [1],
EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
Sensitive Information to an Unauthorized Actor” by local access. Successful
exploitation of this vulnerability will lead to possible information disclosure
or escalation of privilege and impact Confidentiality.
Backport a patch [2] from upstream to fix CVE-2024-38798
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
[2] 0cad130cb4
(From OE-Core rev: ed444adf325d3a985ed8f9ae0a009ecbaf67c3fd)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
According to [1], EDK2 contains a vulnerability in BIOS where an attacker may
cause “ Improper Input Validation” by local access. Successful exploitation of
this vulnerability could alter control flow in unexpected ways, potentially
allowing arbitrary command execution and impacting Confidentiality, Integrity,
and Availability.
Backport patches from upstream [2] to fix CVE-2025-2296
Note: backport 0001-AmdSev-Halt-on-failed-blob-allocation.patch to apply
the CVE patches without confliction
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2296
[2] https://github.com/tianocore/edk2/pull/10628
(From OE-Core rev: 09be6658833e7ac4143eeb26bdaf67c6c94e260a)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
According to [1], Improper access control for volatile memory containing boot
code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019,
IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker
to execute arbitrary code.
Backport a patch [2] from upstream to fix CVE-2025-24857
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-24857
[2] 87d85139a9
(From OE-Core rev: 6f69c878896b536f5f7b16c566d420e188c82c7f)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
On scarthgap images built without systemd in DISTRO_FEATURES, dbus
still shipped dbus.socket and dbus.service under
${systemd_user_unitdir} (/usr/lib/systemd/user), because the
'user-session' PACKAGECONFIG was always enabled and passed
--enable-user-session --with-systemduserunitdir=... to configure.
In dbus-1.14.10 the user-session autoconf option (configure.ac and
bus/Makefile.am 'if DBUS_ENABLE_USER_SESSION') only installs systemd
user units; it has no non-systemd effect. Enabling it on a sysvinit
image has no benefit and produces the stale unit files.
Make user-session a systemd-gated PACKAGECONFIG by using
bb.utils.contains in the default, so it is enabled when systemd is
in DISTRO_FEATURES and disabled otherwise. No changes to the
PACKAGECONFIG[user-session] or PACKAGECONFIG[systemd] entries are
needed: --disable-user-session is passed on sysvinit builds, which
prevents the configure/Makefile machinery from ever setting up the
user-unit install step.
This is the scarthgap equivalent of master commit a296b0623eb2
("dbus: use the systemd class to handle the unit files"), adapted
to the autotools 1.14.10 recipe. The master fix was broader because
the meson 1.16.2 build handles unit-file install differently, which
let that commit drop the manual do_install unit block, the
systemctl mask postinst, and PACKAGE_WRITE_DEPS. On 1.14.10 those
pieces are still needed; the minimal correct gate here is the
user-session default.
Fixes [YOCTO #15779]
(From OE-Core rev: 5550d6eadb2fea1ecb13e035a04a57450510441f)
Signed-off-by: Jhonata Poma-Hansen <jhonata.poma@gmail.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
