An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is uncertainty about the default branch name in git going forward.
To try and cover the different possible outcomes, add branch names to all
git:// and gitsm:// SRC_URI entries.
This update was made with the script added to contrib in this patch which
aims to help others convert other layers.
(From OE-Core rev: b51c405faf6f8c0365f7533bfaf470d79152a463)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With commit dc778c70449ee5401b5a24ad18b22b88338c47c5, dependency was
moved to openssl-bin which in itself was a fine change, but dropping
dependency on openssl too should have been kept along, dropping this
meant that openssl binary wont be able to validate secure connections as
the CApath files wont be installed, which infact are required for
openssl bins to work, following call e.g. fails
$ openssl s_client -connect google.com:443
....
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
....
The local issuer certs are not found in default location
/usr/lib/ssh-1.1/certs, this dir and its content is installed by openssl package
therefore re-add the dependency on openssl
(From OE-Core rev: eaf377315efc73d6ffe361372a873918b3bb3bf5)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrei Gherzan <andrei@gherzan.ro>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-certdata2pem.py-use-python3.patch
removed since it is included in 20210119
(From OE-Core rev: afd86357e07f69090eaff4c5db2c517867dd4ccf)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This command was dependent on the order of files on the disk and for multilib builds
could result in:
Error: Transaction check error:
file /etc/ca-certificates.conf conflicts between attempted installs of ca-certificates-20190110-r0.core2_32 and lib64-ca-certificates-20190110-r0.x86_64
Sorting the file makes things deterministic.
(From OE-Core rev: c8f329fc562c9eecdcc1cb10d2c7661f44110fb4)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since yocto thud, and more specifically since poky switched to
openssl 1.1 line, the openssl binary is provided by 'openssl-bin'. This
impacts the native and nativesdk recipe variants as well.
(From OE-Core rev: dc778c70449ee5401b5a24ad18b22b88338c47c5)
Signed-off-by: Andrei Gherzan <andrei@gherzan.ro>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We had a c_rehash shell re-implementation being used for the native
package however the ca-certificates now uses the openssl rehash
internal application so there is no use for the c_rehash anymore.
(From OE-Core rev: 672b076158247f823a518b7c33b50c82272d6388)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Using += with an over-ride can be a source of confusion so try to
avoid the construct in core recipes.
In this case, the commit which added the over-ride seems to have been
buggy - the commit message mentions "add to SYSROOT_DIRS" rather than
a correct description of what the change actually did, ie "over-ride
SYSROOT_DIRS":
http://git.openembedded.org/openembedded-core/commit/?id=355e49e19abb3e729c82a6de46ada8da8a257f58
The commit also appears to have been unnecessary as ${sysconfdir} is
appended to SYSROOT_DIRS for -native recipes by default from within
staging.bbclass.
To workaround the bug introduced by the first commit, a subsequent
commit later added ${datadir}/ca-certificates to the over-ride value
(which would not normally be necessary as ${datadir} is included in
the default value of SYSROOT_DIRS - ie the value which was lost due
to being over-ridden):
http://git.openembedded.org/openembedded-core/commit/?id=09bb7718d74573be9a5db4d0737fb14126f6489c
Therefore the fix seem to be to remove the SYSROOT_DIRS over-ride
entirely - the default value of SYSROOT_DIRS set by staging.bbclass
includes both ${datadir} and ${sysconfdir} when building for -native.
(From OE-Core rev: c1f18efda0280644b4a4ce6f2988fb7ada71faf6)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
update-ca-certificates symlinks (trusted) certificates
from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
update-ca-certificates can call hook scripts installed
into /etc/ca-certificates/update.d. Those scripts are
passed the pem file in /etc/ssl/certs/ that was added or
removed in this run and those pem files are absolute
symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
When running update-ca-certificates during image build
time, they thusly all point into the host's file system,
not into the $SYSROOT. This means:
* the host's file system layout must match the one
produced by OE, and
* it also means that the host must have installed the same
(or more) certificates as the target in $CERTSDIR and
$LOCALCERTSDIR
This is a problem when wanting to execute hook scripts,
because they all need to be taught about $SYSROOT, and
behave differently depending on whether they're called
at image build time, or on the target, as otherwise they
will be trying to actually read the host's certificates
from $CERTSDIR or $LOCALCERTSDIR.
This also is a problem when running anything else during
image build time that depends on the trusted CA
certificates.
Changing the symlink to be relative solves all of these
problems. At the same time, we have to make sure to add
$CERTSDIR to SYSROOT_DIRS, so that the symlinks are still
valid when somebody DEPENDS on ca-certificates-native. As
a side-effect, this also fixes a problem in meta-java,
where some recipes (e.g. openjdk-8-native) try to access
certificates from $CERTSDIR to generate the java trustStore
at build time.
Do so.
Upstream-Status: Inappropriate [OE-specific]
(From OE-Core rev: 09bb7718d74573be9a5db4d0737fb14126f6489c)
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Debian anonscm service in Alioth is shutdown and thus
fetching ca-certificates sources fails.
https://wiki.debian.org/Alioth
"Alioth is broken, and there is nobody around to fix it. Don't ask the remaining people who give it life support to implement fixes and changes. It is being replaced by a cocktail of ?GitLab (see Salsa), read-only repos and keep-alive mechanisms. See below for more information."
(From OE-Core rev: fc20ff2003cee7ee3b78ba3bc236a60a8caabc35)
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Nativesdk package has a special arrangement where the same thing is done
in do_install(). It was assumed (in the comment) that postinsts don't run when
installing nativesdk packages, but this was incorrect: they are run, but
any failures were previously silently ignored. Now this missing failure reporting has
been fixed, and so we get to see the failures.
(From OE-Core rev: 8ebb695c1429f8d57d655072a362a4f176258699)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For recipes that depend on native ca-certificates.crt, /etc should be
added to the list of directories that automatically populate the
sysroot, otherwise the file may not be there.
(From OE-Core rev: 355e49e19abb3e729c82a6de46ada8da8a257f58)
Signed-off-by: Patrick Vacek <patrick@advancedtelematic.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is actually the same version as previously; upstream didn't have
a tag for it before and now it does, so we can reduce confusion. The SRCREV
change is due to a few added commits which modify upstream's debian
packaging (not used by us).
(From OE-Core rev: 8359730165908025b0762eaa25569e2fdcd9d086)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We were relying on running ca-certificates from the -native version. This
meant the host and target path layouts had to match which might not be true,
it certainly isn't true for the sdk builds.
There was a dependency on run-parts which wasn't represented (we can get it
from busybox or debianutils).
Since this is an allarch script, call the script directly, making sure debianutils
and openssl are available as postinst rootfs time to resolve the issues.
(From OE-Core rev: d9575e05f2cb8bf293534c036ddc0d0336701256)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace some "+=/=+" with "=" when setting BBCLASSEXTEND, they are
redundant and inconsistent with the same setting in other recipes.
(From OE-Core rev: 09266d6c91acd8ba4df6e8242aa44d9ba41e9cee)
Signed-off-by: Ming Liu <peter.x.liu@external.atlascopco.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The postinstall needs ca-certificates-native, mark the dependency
(From OE-Core rev: 723a924adf0661167690987acfc4213803ec3305)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Options and directory separator -- slipped past the patch removing
Debianims, thus resulting in failures on hosts running Fedora.
(From OE-Core rev: a8431689983f5860173548acd899e6806906e4d1)
Signed-off-by: Maciej Borzecki <maciej.borzecki@rndity.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When running update-ca-certificates on the build host, as we do during
do_install for ca-certificates-native (and nativesdk-ca-certificates),
as of OE-Core commit cea46e7b8d9463306779301fa97f651d750f380f we now
need openssl-native so it can run c_rehash.
(From OE-Core rev: 523c99a2f12c20ce7bfa7755609f2c860dda6717)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The update-ca-certificates script uses the c_rehash utility which is
installed by openssl. Add openssl as a runtime dependency to fulfill
the utility requirement.
(From OE-Core rev: a90ba07812444ebac93cd535d11dd54994897bfd)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As now the c_rehash utility is available, we can use it. This removes
the patch to disable its usage allowing for a standard SSL behaviour.
(From OE-Core rev: cea46e7b8d9463306779301fa97f651d750f380f)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
"mktemp -t" is deprecated and does not work when using Toybox. Replace
with something that works also with Toybox.
(From OE-Core rev: 8d47d075ca02612fe16e403be1aa2079edc3ef5f)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
LICENSE checksum changed due to an updated file listing in debian/copyright
(From OE-Core rev: 1b9e9e5086998fdd0ef92e300148234cd99c5f42)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Older SRCREV was not fetchable which triggered this upgrade
Change-Id: I85d028294ff0018f4c81c6bb81ae262b18af7a87
(From OE-Core rev: 39c759cd43f4e4371ef9654bf4d821436a5eaebf)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ca-certificates comes from Debian but not all distros (i.e. Fedora) have a
leaner run-parts that doesn't support the -- separator between options and
paths, which causes this error:
| Running hooks in [...]/rootfs/etc/ca-certificates/update.d...
| [...]/usr/sbin/update-ca-certificates: line 194: Not: command not found
(From OE-Core rev: db2116e7a06c6a35d1d24d9f28ec60926d59b9d7)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Otherwise the script which converts mozilla certificates extracts
each certificate twice.
(From OE-Core rev: 3aae6a3c2786713115451f6b6fe151ba69369c1d)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rebase default-sysroot patch
Remove backported Mozilla certdata patch
License has not changed, just wording.
(From OE-Core rev: 33222af134c465791ed84eccd61bbc2b69ad81f1)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes to debian/copyright:
Update to "Copyright: Mozilla Contributors" for mozilla/{certdata.txt,nssckbi.h}
Backported on additional patch from ca-certificates tree
[YOCTO #6454]
(From OE-Core rev: 3af33d60f03afb19543247b5350137ff3a7ee7e0)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Git-replacement-native needs the generated files in place for https:// URIs:
WARNING: Failed to fetch URL git://github.com/kernelslacker/trinity.git;protocol=https, attempting MIRRORS if available
ERROR: Fetcher failure: Fetch command failed with exit code 128, output:
Cloning into bare repository '/build/linaro/build/build/downloads/git2/github.com.kernelslacker.trinity.git'...
fatal: unable to access 'https://github.com/kernelslacker/trinity.git/': error setting certificate verify locations:
CAfile: /build/linaro/build/build/tmp-eglibc/sysroots/x86_64-linux/etc/ssl/certs/ca-certificates.crt
CApath: none
ERROR: Function failed: Fetcher failure for URL: 'git://github.com/kernelslacker/trinity.git;protocol=https'. Unable to fetch URL from any source.
ERROR: Logfile of failure stored in: /build/linaro/build/build/tmp-eglibc/work/aarch64-oe-linux/trinity/1.3-r0/temp/log.do_fetch.7843
ERROR: Task 1378 (/build/linaro/build/meta-linaro/meta-linaro/recipes-extra/trinity/trinity_1.3.bb, do_fetch) failed with exit code '1'
(From OE-Core rev: 74a772727cbf4d76d2ef314041acafb3086e4ff9)
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As postinsts aren't run for nativesdk packages when populating an SDK, we need
to prepopulate up-front.
(From OE-Core rev: 09e768b68b3605e897d422c9c7b3815f3b994d31)
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We need this for certain nativesdk recipes, as we can't rely on the
certificate path or bundle path being the same across distros, and it's useful
in many cases on the target as well.
This is based on the 20130119 recipe from meta-oe, with the following changes:
- use the debian git repository to avoid vanishing sources
- obey our target paths
- default to a sysroot relative to the script location (make relocatable)
- define SUMMARY
- don't inherit autotools, this isn't an autotools package
- add MPL-2.0 to LICENSE, as that's the license of the certdata
- install the script man page
- use a native rather than cross recipe, as it's not bound in any way to the
target system
- add nativesdk to bbclassextend, for use in SDKs
(From OE-Core rev: ad2851cf0abc2ab35e0f60c96d3142c29a07c8fc)
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
